[network-manager-openvpn: 2/6] service, properties: use dedicated key for --tls-crypt



commit 1a3dc4675eb48be0e13fbbffbe603533b9eea8ba
Author: Beniamino Galvani <bgalvani redhat com>
Date:   Thu May 11 17:23:41 2017 +0200

    service,properties: use dedicated key for --tls-crypt
    
    Instead of reusing NM_OPENVPN_KEY_TA, add a new key
    NM_OPENVPN_KEY_TLS_CRYPT. They are mutually exclusive, but we need
    another key to know which one should be used. Previously we used the
    direction key to differentiate, but the direction can be omitted.

 Makefile.am                           |    1 +
 properties/import-export.c            |   31 ++++++----
 properties/tests/conf/tls2.ovpn       |   26 ++++++++
 properties/tests/test-import-export.c |  104 +++++++++++++++++++++++++++++++++
 shared/nm-service-defines.h           |    1 +
 src/nm-openvpn-service.c              |   26 +++++---
 6 files changed, 168 insertions(+), 21 deletions(-)
---
diff --git a/Makefile.am b/Makefile.am
index 4d39522..7d25642 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -283,6 +283,7 @@ EXTRA_DIST += \
        properties/tests/conf/static.key \
        properties/tests/conf/static.ovpn \
        properties/tests/conf/tls.ovpn \
+       properties/tests/conf/tls2.ovpn \
        properties/tests/conf/tun-opts.conf \
        properties/tests/conf/proxy-http.ovpn \
        properties/tests/conf/httpauthfile \
diff --git a/properties/import-export.c b/properties/import-export.c
index c5cae86..ec3ef05 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1198,11 +1198,13 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
                                if (s_direction)
                                        setting_vpn_add_data_item (s_vpn, 
NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, s_direction);
                                have_sk = TRUE;
-                       } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_AUTH, NMV_OVPN_TAG_TLS_CRYPT)) {
+                       } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_AUTH)) {
                                setting_vpn_add_data_item_path (s_vpn, NM_OPENVPN_KEY_TA, file);
                                if (s_direction)
                                        setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, s_direction);
-                       } else
+                       } else if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_CRYPT))
+                               setting_vpn_add_data_item_path (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, file);
+                       else
                                g_assert_not_reached ();
                        continue;
                }
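Review bot: Neither new branch rejects a profile that carries both a tls-auth and a tls-crypt line, so NM_OPENVPN_KEY_TA and NM_OPENVPN_KEY_TLS_CRYPT can now both be set on one connection even though the commit message calls them mutually exclusive; before this change the second directive simply overwrote the single shared key. The same gap shows in the do_export_create hunk, which writes both directives back out, and in nm_openvpn_start_openvpn_binary, which passes both --tls-auth and --tls-crypt to the daemon (as far as I recall openvpn refuses that combination at startup, so the profile would fail late rather than at import). A conflict check in this branch, or in the service's property validation, would make the invariant explicit instead of relying on the daemon; something like `if (nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA) && nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT)) /* report "tls-auth and tls-crypt are mutually exclusive" and fail */`. The tls-crypt branch also silently discards s_direction when one is present; whether the parsing above already rejects a direction for tls-crypt is outside the hunk. do_import begins and ends outside this hunk.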
@@ -1406,7 +1408,7 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
                                is_base64 = TRUE;
                                key = NULL;
                        } else if (nm_streq (token, INLINE_BLOB_TLS_CRYPT))
-                               key = NM_OPENVPN_KEY_TA;
+                               key = NM_OPENVPN_KEY_TLS_CRYPT;
                        else if (nm_streq (token, INLINE_BLOB_TLS_AUTH)) {
                                key = NM_OPENVPN_KEY_TA;
                                can_have_direction = TRUE;
@@ -1939,7 +1941,7 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
        if (NM_IN_STRSET (connection_type,
                          NM_OPENVPN_CONTYPE_TLS,
                          NM_OPENVPN_CONTYPE_PASSWORD_TLS)) {
-               const char *x509_name, *ta_key;
+               const char *x509_name, *key;
 
                args_write_line_setting_value (f, NMV_OVPN_TAG_REMOTE_CERT_TLS, s_vpn, 
NM_OPENVPN_KEY_REMOTE_CERT_TLS);
                args_write_line_setting_value (f, NMV_OVPN_TAG_NS_CERT_TYPE, s_vpn, 
NM_OPENVPN_KEY_NS_CERT_TYPE);
@@ -1960,16 +1962,23 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
                        args_write_line (f, NMV_OVPN_TAG_VERIFY_X509_NAME, name, type);
                }
 
-               ta_key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
-               if (_arg_is_set (ta_key)) {
+               key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
+               if (_arg_is_set (key)) {
                        gs_free char *s_free = NULL;
-                       const char *ta_dir = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
-                       const char *tls_type = _arg_is_set (ta_dir) ? NMV_OVPN_TAG_TLS_AUTH : 
NMV_OVPN_TAG_TLS_CRYPT;
                        args_write_line (f,
-                                        tls_type,
-                                        nmv_utils_str_utf8safe_unescape_c (ta_key, &s_free),
-                                        _arg_is_set (ta_dir));
+                                        NMV_OVPN_TAG_TLS_AUTH,
+                                        nmv_utils_str_utf8safe_unescape_c (key, &s_free),
+                                        _arg_is_set (nm_setting_vpn_get_data_item (s_vpn, 
NM_OPENVPN_KEY_TA_DIR)));
                }
+
+               key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT);
+               if (_arg_is_set (key)) {
+                       gs_free char *s_free = NULL;
+                       args_write_line (f,
+                                        NMV_OVPN_TAG_TLS_CRYPT,
+                                        nmv_utils_str_utf8safe_unescape_c (key, &s_free));
+               }
+
        }
 
        proxy_type = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_PROXY_TYPE);
diff --git a/properties/tests/conf/tls2.ovpn b/properties/tests/conf/tls2.ovpn
new file mode 100644
index 0000000..af21457
--- /dev/null
+++ b/properties/tests/conf/tls2.ovpn
@@ -0,0 +1,26 @@
+remote 173.8.149.245 1194
+resolv-retry infinite
+
+dev tun
+persist-key
+persist-tun
+link-mtu 1400
+proto udp
+nobind
+pull
+tls-client
+
+float
+
+ca keys/mg8.ca
+cert keys/clee.crt
+key keys/clee.key
+
+tls-crypt keys/46.key
+remote-cert-tls server
+tls-remote "/CN=myvpn.company.com"
+verify-x509-name "C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list gnome org" subject
+
+comp-lzo
+verb 3
+
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index a8ea385..b532759 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
@@ -278,6 +278,71 @@ test_tls_import (void)
 }
 
 static void
+test_tls_import_2 (void)
+{
+       _CREATE_PLUGIN (plugin);
+       NMConnection *connection;
+       NMSettingConnection *s_con;
+       NMSettingVpn *s_vpn;
+       char *expected_path;
+
+       connection = get_basic_connection (plugin, SRCDIR, "tls2.ovpn");
+       g_assert (connection);
+
+       /* Connection setting */
+       s_con = nm_connection_get_setting_connection (connection);
+       g_assert (s_con);
+       g_assert_cmpstr (nm_setting_connection_get_id (s_con), ==, "tls2");
+       g_assert (!nm_setting_connection_get_uuid (s_con));
+
+       /* VPN setting */
+       s_vpn = nm_connection_get_setting_vpn (connection);
+       g_assert (s_vpn);
+
+       /* Data items */
+       _check_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE, NM_OPENVPN_CONTYPE_TLS);
+       _check_item (s_vpn, NM_OPENVPN_KEY_DEV, "tun");
+       _check_item (s_vpn, NM_OPENVPN_KEY_PROTO_TCP, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO, "adaptive");
+       _check_item (s_vpn, NM_OPENVPN_KEY_FLOAT, "yes");
+       _check_item (s_vpn, NM_OPENVPN_KEY_RENEG_SECONDS, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE, "173.8.149.245:1194");
+       _check_item (s_vpn, NM_OPENVPN_KEY_PORT, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
+       _check_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE, "/CN=myvpn.company.com");
+       _check_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME,
+                    "subject:C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list gnome org");
+       _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS, "server");
+
+       expected_path = g_strdup_printf ("%s/keys/mg8.ca", SRCDIR);
+       _check_item (s_vpn, NM_OPENVPN_KEY_CA, expected_path);
+       g_free (expected_path);
+
+       expected_path = g_strdup_printf ("%s/keys/clee.crt", SRCDIR);
+       _check_item (s_vpn, NM_OPENVPN_KEY_CERT, expected_path);
+       g_free (expected_path);
+
+       expected_path = g_strdup_printf ("%s/keys/clee.key", SRCDIR);
+       _check_item (s_vpn, NM_OPENVPN_KEY_KEY, expected_path);
+       g_free (expected_path);
+
+       expected_path = g_strdup_printf ("%s/keys/46.key", SRCDIR);
+       _check_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, expected_path);
+       g_free (expected_path);
+
+       /* Secrets */
+       _check_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD, NULL);
+       _check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
+
+       g_object_unref (connection);
+}
+
+static void
 test_file_contents (const char *id,
                     const char *dir,
                     NMSettingVpn *s_vpn,
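Review bot: test_tls_import_2 verifies NM_OPENVPN_KEY_TLS_CRYPT but never asserts that the tls-auth keys stayed unset, which is the precise regression this commit is about (a tls-crypt line used to land in NM_OPENVPN_KEY_TA). Adding `_check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);` and `_check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);` after the 46.key check would pin the new behaviour. test_tls_import_2 is complete within the hunk; the following test_file_contents signature continues past it.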
@@ -399,6 +464,42 @@ test_tls_export (void)
        g_free (path);
 }
 
+#undef TLS_EXPORTED_NAME
+#define TLS_EXPORTED_NAME "tls2.ovpntest"
+static void
+test_tls_export_2 (void)
+{
+       _CREATE_PLUGIN (plugin);
+       NMConnection *connection;
+       NMConnection *reimported;
+       char *path;
+       gboolean success;
+       GError *error = NULL;
+
+       connection = get_basic_connection (plugin, SRCDIR, "tls2.ovpn");
+       g_assert (connection);
+
+       path = g_build_path ("/", TMPDIR, TLS_EXPORTED_NAME, NULL);
+       success = nm_vpn_editor_plugin_export (plugin, path, connection, &error);
+       g_assert_no_error (error);
+       g_assert (success);
+
+       /* Now re-import it and compare the connections to ensure they are the same */
+       reimported = get_basic_connection (plugin, TMPDIR, TLS_EXPORTED_NAME);
+       (void) unlink (path);
+       g_assert (reimported);
+
+       /* Clear secrets first, since they don't get exported, and thus would
+        * make the connection comparison below fail.
+        */
+       remove_secrets (connection);
+       g_assert (nm_connection_compare (connection, reimported, NM_SETTING_COMPARE_FLAG_EXACT));
+
+       g_object_unref (reimported);
+       g_object_unref (connection);
+       g_free (path);
+}
+
 static void
 test_pkcs12_import (void)
 {
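Review bot: The file-scope `#undef TLS_EXPORTED_NAME` / `#define TLS_EXPORTED_NAME "tls2.ovpntest"` changes the macro for every use that follows it in the translation unit, so the value now depends on textual order; any later test that still expects the original name would silently pick up "tls2.ovpntest" (whether one exists is outside the hunk). A distinct name such as `#define TLS2_EXPORTED_NAME "tls2.ovpntest"`, or a local `const char *exported_name = "tls2.ovpntest";` inside test_tls_export_2, avoids the redefinition. Otherwise the round-trip compare mirrors test_tls_export, which is reasonable.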
@@ -1406,6 +1507,9 @@ int main (int argc, char **argv)
        _add_test_func_simple (test_tls_inline_import);
        _add_test_func_simple (test_tls_export);
 
+       _add_test_func_simple (test_tls_import_2);
+       _add_test_func_simple (test_tls_export_2);
+
        _add_test_func_simple (test_pkcs12_import);
        _add_test_func_simple (test_pkcs12_export);
 
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index a70201b..86a0233 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -65,6 +65,7 @@
 #define NM_OPENVPN_KEY_DEV_TYPE "dev-type"
 #define NM_OPENVPN_KEY_TUN_IPV6 "tun-ipv6"
 #define NM_OPENVPN_KEY_TLS_CIPHER "tls-cipher"
+#define NM_OPENVPN_KEY_TLS_CRYPT "tls-crypt"
 #define NM_OPENVPN_KEY_TLS_REMOTE "tls-remote"
 #define NM_OPENVPN_KEY_VERIFY_X509_NAME "verify-x509-name"
 #define NM_OPENVPN_KEY_REMOTE_CERT_TLS "remote-cert-tls"
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index acb95a1..c636c9e 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -175,6 +175,7 @@ static const ValidProperty valid_properties[] = {
        { NM_OPENVPN_KEY_DEV_TYPE,             G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_TUN_IPV6,             G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_TLS_CIPHER,           G_TYPE_STRING, 0, 0, FALSE },
+       { NM_OPENVPN_KEY_TLS_CRYPT,            G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_TLS_REMOTE,           G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_VERIFY_X509_NAME,     G_TYPE_STRING, 0, 0, FALSE },
        { NM_OPENVPN_KEY_REMOTE_CERT_TLS,      G_TYPE_STRING, 0, 0, FALSE },
@@ -1576,20 +1577,25 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
        }
        add_openvpn_arg (args, "--auth-nocache");
 
-       /* TA */
+       /* tls-auth */
        tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
        if (tmp && tmp[0]) {
-               tmp2 = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
-               if (tmp2 && strlen (tmp2)) {
-                       add_openvpn_arg (args, "--tls-auth");
-                       add_openvpn_arg_utf8safe (args, tmp);
-                       add_openvpn_arg (args, tmp2);
-               } else {
-                       add_openvpn_arg (args, "--tls-crypt");
-                       add_openvpn_arg_utf8safe (args, tmp);
-               }
+               add_openvpn_arg (args, "--tls-auth");
+               add_openvpn_arg_utf8safe (args, tmp);
+
+               tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
+               if (tmp && tmp[0])
+                       add_openvpn_arg (args, tmp);
+       }
+
+       /* tls-crypt */
+       tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT);
+       if (tmp && tmp[0]) {
+               add_openvpn_arg (args, "--tls-crypt");
+               add_openvpn_arg_utf8safe (args, tmp);
        }
 
+       
        /* tls-remote */
        tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE);
        if (tmp && tmp[0]) {
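Review bot: The added line just before the `/* tls-remote */` comment contains only whitespace, leaving a blank line with trailing tabs/spaces that most editors and `git diff --check` will flag; it should be an empty line or dropped, since a blank line already separates the tls-crypt block from it. The rewrite also removes the only use of tmp2 visible here; if the declaration (outside the hunk) has no other user it is now dead and the compiler may warn. nm_openvpn_start_openvpn_binary starts and ends outside this hunk.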

