[network-manager-openvpn/bg/options: 2/5] service, properties: use dedicated key for --tls-crypt



commit 49fbc2d959977e2fbe7da00fdc45330367af9db3
Author: Beniamino Galvani <bgalvani redhat com>
Date:   Thu May 11 17:23:41 2017 +0200

    service,properties: use dedicated key for --tls-crypt
    
    Instead of reusing NM_OPENVPN_KEY_TA, add a new key
    NM_OPENVPN_KEY_TLS_CRYPT. They are mutually exclusive, but we need
    another key to know which one should be used. Previously we used the
    direction key to differentiate, but the direction can be omitted.

 properties/import-export.c            |   31 ++++++----
 properties/tests/test-import-export.c |  104 +++++++++++++++++++++++++++++++++
 shared/nm-service-defines.h           |    1 +
 src/nm-openvpn-service.c              |   26 +++++---
 4 files changed, 141 insertions(+), 21 deletions(-)
---
diff --git a/properties/import-export.c b/properties/import-export.c
index c5cae86..ec3ef05 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1198,11 +1198,13 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
                                if (s_direction)
                                        setting_vpn_add_data_item (s_vpn, 
NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, s_direction);
                                have_sk = TRUE;
-                       } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_AUTH, NMV_OVPN_TAG_TLS_CRYPT)) {
+                       } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_AUTH)) {
                                setting_vpn_add_data_item_path (s_vpn, NM_OPENVPN_KEY_TA, file);
                                if (s_direction)
                                        setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, s_direction);
-                       } else
+                       } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_CRYPT))
+                               setting_vpn_add_data_item_path (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, file);
+                       else
                                g_assert_not_reached ();
                        continue;
                }
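Review bot: A profile carrying both `tls-auth` and `tls-crypt` is still accepted here, and because the two options now land in separate keys both survive import: the export hunk in this file then writes both tags, and the nm_openvpn_start_openvpn_binary hunk in src/nm-openvpn-service.c passes both `--tls-auth` and `--tls-crypt` to openvpn, so a conflict the commit message calls mutually exclusive is presumably only reported by openvpn at connect time rather than at import. Consider reporting the second of the pair as a conflicting option in whatever style the surrounding parser uses for such errors; a direction argument following `tls-crypt` is also silently dropped, since `s_direction` is only consumed in the tls-auth branch. As a point of style the new branch is the only one in this chain without braces; `} else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_CRYPT)) {` with a closing `}` would match its siblings. do_import starts and ends outside the hunk.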
@@ -1406,7 +1408,7 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
                                is_base64 = TRUE;
                                key = NULL;
                        } else if (nm_streq (token, INLINE_BLOB_TLS_CRYPT))
-                               key = NM_OPENVPN_KEY_TA;
+                               key = NM_OPENVPN_KEY_TLS_CRYPT;
                        else if (nm_streq (token, INLINE_BLOB_TLS_AUTH)) {
                                key = NM_OPENVPN_KEY_TA;
                                can_have_direction = TRUE;
@@ -1939,7 +1941,7 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
        if (NM_IN_STRSET (connection_type,
                          NM_OPENVPN_CONTYPE_TLS,
                          NM_OPENVPN_CONTYPE_PASSWORD_TLS)) {
-               const char *x509_name, *ta_key;
+               const char *x509_name, *key;
 
                args_write_line_setting_value (f, NMV_OVPN_TAG_REMOTE_CERT_TLS, s_vpn, 
NM_OPENVPN_KEY_REMOTE_CERT_TLS);
                args_write_line_setting_value (f, NMV_OVPN_TAG_NS_CERT_TYPE, s_vpn, 
NM_OPENVPN_KEY_NS_CERT_TYPE);
@@ -1960,16 +1962,23 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
                        args_write_line (f, NMV_OVPN_TAG_VERIFY_X509_NAME, name, type);
                }
 
-               ta_key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
-               if (_arg_is_set (ta_key)) {
+               key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
+               if (_arg_is_set (key)) {
                        gs_free char *s_free = NULL;
-                       const char *ta_dir = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
-                       const char *tls_type = _arg_is_set (ta_dir) ? NMV_OVPN_TAG_TLS_AUTH : 
NMV_OVPN_TAG_TLS_CRYPT;
                        args_write_line (f,
-                                        tls_type,
-                                        nmv_utils_str_utf8safe_unescape_c (ta_key, &s_free),
-                                        _arg_is_set (ta_dir));
+                                        NMV_OVPN_TAG_TLS_AUTH,
+                                        nmv_utils_str_utf8safe_unescape_c (key, &s_free),
+                                        _arg_is_set (nm_setting_vpn_get_data_item (s_vpn, 
NM_OPENVPN_KEY_TA_DIR)));
                }
+
+               key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT);
+               if (_arg_is_set (key)) {
+                       gs_free char *s_free = NULL;
+                       args_write_line (f,
+                                        NMV_OVPN_TAG_TLS_CRYPT,
+                                        nmv_utils_str_utf8safe_unescape_c (key, &s_free));
+               }
+
        }
 
        proxy_type = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_PROXY_TYPE);
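Review bot: The tls-auth direction lookup has been folded into the argument list of args_write_line, which makes the call harder to read than the previous version with a named local, and the new tls-crypt block leaves a stray blank line before the closing brace. Keeping `const char *ta_dir = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);` and passing `_arg_is_set (ta_dir)` as the last argument preserves the behaviour while keeping the call on one readable line; the blank line at the end of the block can simply be dropped. do_export_create continues outside the hunk.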
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index a8ea385..b532759 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
@@ -278,6 +278,71 @@ test_tls_import (void)
 }
 
 static void
+test_tls_import_2 (void)
+{
+       _CREATE_PLUGIN (plugin);
+       NMConnection *connection;
+       NMSettingConnection *s_con;
+       NMSettingVpn *s_vpn;
+       char *expected_path;
+
+       connection = get_basic_connection (plugin, SRCDIR, "tls2.ovpn");
+       g_assert (connection);
+
+       /* Connection setting */
+       s_con = nm_connection_get_setting_connection (connection);
+       g_assert (s_con);
+       g_assert_cmpstr (nm_setting_connection_get_id (s_con), ==, "tls2");
+       g_assert (!nm_setting_connection_get_uuid (s_con));
+
+       /* VPN setting */
+       s_vpn = nm_connection_get_setting_vpn (connection);
+       g_assert (s_vpn);
+
+       /* Data items */
+       _check_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE, NM_OPENVPN_CONTYPE_TLS);
+       _check_item (s_vpn, NM_OPENVPN_KEY_DEV, "tun");
+       _check_item (s_vpn, NM_OPENVPN_KEY_PROTO_TCP, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO, "adaptive");
+       _check_item (s_vpn, NM_OPENVPN_KEY_FLOAT, "yes");
+       _check_item (s_vpn, NM_OPENVPN_KEY_RENEG_SECONDS, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE, "173.8.149.245:1194");
+       _check_item (s_vpn, NM_OPENVPN_KEY_PORT, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE, "/CN=myvpn.company.com");
+       _check_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME,
+                    "subject:C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list gnome org");
+       _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS, "server");
+
+       expected_path = g_strdup_printf ("%s/keys/mg8.ca", SRCDIR);
+       _check_item (s_vpn, NM_OPENVPN_KEY_CA, expected_path);
+       g_free (expected_path);
+
+       expected_path = g_strdup_printf ("%s/keys/clee.crt", SRCDIR);
+       _check_item (s_vpn, NM_OPENVPN_KEY_CERT, expected_path);
+       g_free (expected_path);
+
+       expected_path = g_strdup_printf ("%s/keys/clee.key", SRCDIR);
+       _check_item (s_vpn, NM_OPENVPN_KEY_KEY, expected_path);
+       g_free (expected_path);
+
+       expected_path = g_strdup_printf ("%s/keys/46.key", SRCDIR);
+       _check_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, expected_path);
+       g_free (expected_path);
+
+       /* Secrets */
+       _check_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD, NULL);
+       _check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
+
+       g_object_unref (connection);
+}
+
+static void
 test_file_contents (const char *id,
                     const char *dir,
                     NMSettingVpn *s_vpn,
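Review bot: test_tls_import_2 checks that the tls-crypt file ends up under NM_OPENVPN_KEY_TLS_CRYPT but never asserts that it is no longer stored under the old key, which is exactly the regression this commit fixes; the data-item list omits both NM_OPENVPN_KEY_TA and NM_OPENVPN_KEY_TA_DIR. Adding `_check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);` and `_check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);` next to the other data-item checks would pin that down. The test_file_contents definition that follows continues outside the hunk.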
@@ -399,6 +464,42 @@ test_tls_export (void)
        g_free (path);
 }
 
+#undef TLS_EXPORTED_NAME
+#define TLS_EXPORTED_NAME "tls2.ovpntest"
+static void
+test_tls_export_2 (void)
+{
+       _CREATE_PLUGIN (plugin);
+       NMConnection *connection;
+       NMConnection *reimported;
+       char *path;
+       gboolean success;
+       GError *error = NULL;
+
+       connection = get_basic_connection (plugin, SRCDIR, "tls2.ovpn");
+       g_assert (connection);
+
+       path = g_build_path ("/", TMPDIR, TLS_EXPORTED_NAME, NULL);
+       success = nm_vpn_editor_plugin_export (plugin, path, connection, &error);
+       g_assert_no_error (error);
+       g_assert (success);
+
+       /* Now re-import it and compare the connections to ensure they are the same */
+       reimported = get_basic_connection (plugin, TMPDIR, TLS_EXPORTED_NAME);
+       (void) unlink (path);
+       g_assert (reimported);
+
+       /* Clear secrets first, since they don't get exported, and thus would
+        * make the connection comparison below fail.
+        */
+       remove_secrets (connection);
+       g_assert (nm_connection_compare (connection, reimported, NM_SETTING_COMPARE_FLAG_EXACT));
+
+       g_object_unref (reimported);
+       g_object_unref (connection);
+       g_free (path);
+}
+
 static void
 test_pkcs12_import (void)
 {
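Review bot: Redefining TLS_EXPORTED_NAME with `#undef`/`#define` between functions makes the macro's value depend on textual position in the file, so any later test that still uses the name silently picks up "tls2.ovpntest" instead of the original value. A function-local constant avoids that, e.g. `const char *exported_name = "tls2.ovpntest";` used in the g_build_path and get_basic_connection calls of test_tls_export_2. The comment above the remove_secrets call could also mention that the exported file is removed before the comparison so a failing assert does not leave it behind in TMPDIR.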
@@ -1406,6 +1507,9 @@ int main (int argc, char **argv)
        _add_test_func_simple (test_tls_inline_import);
        _add_test_func_simple (test_tls_export);
 
+       _add_test_func_simple (test_tls_import_2);
+       _add_test_func_simple (test_tls_export_2);
+
        _add_test_func_simple (test_pkcs12_import);
        _add_test_func_simple (test_pkcs12_export);
 
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index a70201b..86a0233 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -65,6 +65,7 @@
 #define NM_OPENVPN_KEY_DEV_TYPE "dev-type"
 #define NM_OPENVPN_KEY_TUN_IPV6 "tun-ipv6"
 #define NM_OPENVPN_KEY_TLS_CIPHER "tls-cipher"
+#define NM_OPENVPN_KEY_TLS_CRYPT "tls-crypt"
 #define NM_OPENVPN_KEY_TLS_REMOTE "tls-remote"
 #define NM_OPENVPN_KEY_VERIFY_X509_NAME "verify-x509-name"
 #define NM_OPENVPN_KEY_REMOTE_CERT_TLS "remote-cert-tls"
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index acb95a1..c636c9e 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -175,6 +175,7 @@ static const ValidProperty valid_properties[] = {
        { NM_OPENVPN_KEY_DEV_TYPE,             G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_TUN_IPV6,             G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_TLS_CIPHER,           G_TYPE_STRING, 0, 0, FALSE },
+       { NM_OPENVPN_KEY_TLS_CRYPT,            G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_TLS_REMOTE,           G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_VERIFY_X509_NAME,     G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_REMOTE_CERT_TLS,      G_TYPE_STRING, 0, 0, FALSE },
@@ -1576,20 +1577,25 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
        }
        add_openvpn_arg (args, "--auth-nocache");
 
-       /* TA */
+       /* tls-auth */
        tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
        if (tmp && tmp[0]) {
-               tmp2 = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
-               if (tmp2 && strlen (tmp2)) {
-                       add_openvpn_arg (args, "--tls-auth");
-                       add_openvpn_arg_utf8safe (args, tmp);
-                       add_openvpn_arg (args, tmp2);
-               } else {
-                       add_openvpn_arg (args, "--tls-crypt");
-                       add_openvpn_arg_utf8safe (args, tmp);
-               }
+               add_openvpn_arg (args, "--tls-auth");
+               add_openvpn_arg_utf8safe (args, tmp);
+
+               tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
+               if (tmp && tmp[0])
+                       add_openvpn_arg (args, tmp);
+       }
+
+       /* tls-crypt */
+       tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT);
+       if (tmp && tmp[0]) {
+               add_openvpn_arg (args, "--tls-crypt");
+               add_openvpn_arg_utf8safe (args, tmp);
        }
 
+       
        /* tls-remote */
        tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE);
        if (tmp && tmp[0]) {
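Review bot: The added line just before the `/* tls-remote */` comment contains only trailing spaces and sits next to an existing blank line, so the hunk introduces trailing whitespace and a double blank line; it should be dropped. Reusing `tmp` for the NM_OPENVPN_KEY_TA_DIR lookup also appears to leave `tmp2` unused in this function unless it is referenced elsewhere outside the hunk, which would trigger an unused-variable warning if so. nm_openvpn_start_openvpn_binary starts and ends outside the hunk.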

