[NetworkManager-openvpn] Add tls-version-{min,max} support
- From: Beniamino Galvani <bgalvani src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [NetworkManager-openvpn] Add tls-version-{min,max} support
- Date: Wed, 26 Feb 2020 09:05:45 +0000 (UTC)
commit 1019d90430ee9db655bd115949210b87252236c0
Author: Jean-Christophe Arnu <jc arnu loxodata com>
Date: Tue Jul 30 12:10:09 2019 +0200
Add tls-version-{min,max} support
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/15
Makefile.am | 1 +
properties/import-export.c | 26 ++++++++++
properties/nm-openvpn-dialog.ui | 90 +++++++++++++++++++++++++++++++++++
properties/nm-openvpn-editor.c | 22 +++++++++
properties/tests/conf/tls3.ovpn | 28 +++++++++++
properties/tests/test-import-export.c | 51 ++++++++++++++++++++
shared/nm-service-defines.h | 2 +
shared/utils.h | 2 +
src/nm-openvpn-service.c | 12 +++++
9 files changed, 234 insertions(+)
---
diff --git a/Makefile.am b/Makefile.am
index 22a2722..972e7a1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -296,6 +296,7 @@ EXTRA_DIST += \
properties/tests/conf/static2.ovpn \
properties/tests/conf/tls.ovpn \
properties/tests/conf/tls2.ovpn \
+ properties/tests/conf/tls3.ovpn \
properties/tests/conf/tun-opts.conf \
properties/tests/conf/proxy-http.ovpn \
properties/tests/conf/httpauthfile \
diff --git a/properties/import-export.c b/properties/import-export.c
index e5bfd46..c555fda 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1206,6 +1206,24 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
continue;
}
+ if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_VERSION_MIN)){
+ if (!args_params_check_nargs_n (params, 1, &line_error))
+ goto handle_line_error;
+ if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+ goto handle_line_error;
+ setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, params[1]);
+ continue;
+ }
+
+ if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_VERSION_MAX)){
+ if (!args_params_check_nargs_n (params, 1, &line_error))
+ goto handle_line_error;
+ if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+ goto handle_line_error;
+ setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX, params[1]);
+ continue;
+ }
+
if (NM_IN_STRSET (params[0],
NMV_OVPN_TAG_CA,
NMV_OVPN_TAG_CERT,
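Review bot: The new `tls-version-min` branch rejects a valid OpenVPN line, because `args_params_check_nargs_n (params, 1, &line_error)` accepts exactly one argument while OpenVPN's `--tls-version-min` takes an optional second argument `or-highest` — which the dialog tooltip added in this same commit even advertises. If this file has a min/max arity helper (I believe `args_params_check_nargs_minmax` exists for options with optional arguments), the check should allow 1 to 2 arguments and the stored value should keep the second token so export and the service can pass it on; `tls-version-max` takes a single argument and is fine as written. The value is otherwise only checked for UTF-8 yet ends up verbatim on the openvpn command line, so restricting it to the known version tokens here would turn a typo into an import line error instead of a failed connection. Both new `if (NM_IN_STRSET (...)){` lines also lack the space before `{` used elsewhere in do_import. do_import's body begins and ends outside this hunk.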
@@ -2083,6 +2101,14 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
nm_utils_str_utf8safe_unescape (key, &s_free));
}
+ key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+ if (nmovpn_arg_is_set (key))
+ args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MIN, key);
+
+ key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+ if (nmovpn_arg_is_set (key))
+ args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MAX, key);
+
key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_EXTRA_CERTS);
if (nmovpn_arg_is_set (key)) {
gs_free char *s_free = NULL;
diff --git a/properties/nm-openvpn-dialog.ui b/properties/nm-openvpn-dialog.ui
index c54cca1..a9906b5 100644
--- a/properties/nm-openvpn-dialog.ui
+++ b/properties/nm-openvpn-dialog.ui
@@ -2104,6 +2104,96 @@ config: extra-certs <file></property>
<property name="position">3</property>
</packing>
</child>
+ <child>
+ <object class="GtkGrid">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <child>
+ <object class="GtkLabel">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="tooltip_text" translatable="yes">Controls min and max version
allowed for TLS.</property>
+ <property name="halign">start</property>
+ <property name="valign">start</property>
+ <property name="label" translatable="yes">TLS version control</property>
+ </object>
+ <packing>
+ <property name="left_attach">0</property>
+ <property name="top_attach">0</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkGrid">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="row_spacing">6</property>
+ <property name="column_spacing">12</property>
+ <property name="valign">start</property>
+ <property name="margin_left">24</property>
+ <property name="hexpand">True</property>
+ <child>
+ <object class="GtkLabel" id="tls_version_min_lbl">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">TLS _min version: </property>
+ <property name="use_underline">True</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="left_attach">0</property>
+ <property name="top_attach">0</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkEntry" id="tls_version_min">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="tooltip_text" translatable="yes"> Sets the minimum TLS
version we will accept from the peer (default is "1.0"). Examples for version include "1.0", "1.1", or
"1.2". If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS
version supported by the local SSL implementation.</property>
+ <property name="hexpand">True</property>
+ </object>
+ <packing>
+ <property name="left_attach">1</property>
+ <property name="top_attach">0</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkLabel" id="tls_version_max_lbl">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">TLS ma_x version: </property>
+ <property name="use_underline">True</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="left_attach">0</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkEntry" id="tls_version_max">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="tooltip_text" translatable="yes">Set the maximum TLS version
we will use (default is the highest version supported). Examples for version include "1.0", "1.1", or
"1.2".</property>
+ <property name="hexpand">True</property>
+ </object>
+ <packing>
+ <property name="left_attach">1</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
+ </object>
+ <packing>
+ <property name="left_attach">0</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
+ </object>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">True</property>
+ <property name="position">7</property>
+ </packing>
+ </child>
</object>
</child>
</object>
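Review bot: The tooltip on `tls_version_min` promises that 'or-highest' is honoured, but the importer and the service added in this commit only handle a single version token, so the text should either drop that sentence or the code should support the second argument. The same translatable string starts with a stray leading space (`> Sets the minimum TLS`) and the two row labels end with a trailing space inside the translatable text, which translators will have to reproduce. Since both fields only accept a small fixed set of values ("1.0", "1.1", "1.2", ...), a `GtkComboBoxText` with those entries would prevent arbitrary text from reaching the openvpn command line; if free text is kept, a shorter tooltip that lists only the accepted values is clearer.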
diff --git a/properties/nm-openvpn-editor.c b/properties/nm-openvpn-editor.c
index 870c6de..549ea4b 100644
--- a/properties/nm-openvpn-editor.c
+++ b/properties/nm-openvpn-editor.c
@@ -717,6 +717,8 @@ static const char *const advanced_keys[] = {
NM_OPENVPN_KEY_TA_DIR,
NM_OPENVPN_KEY_TLS_CRYPT,
NM_OPENVPN_KEY_TLS_REMOTE,
+ NM_OPENVPN_KEY_TLS_VERSION_MIN,
+ NM_OPENVPN_KEY_TLS_VERSION_MAX,
NM_OPENVPN_KEY_TUNNEL_MTU,
NM_OPENVPN_KEY_TUN_IPV6,
NM_OPENVPN_KEY_VERIFY_X509_NAME,
@@ -1816,6 +1818,17 @@ advanced_dialog_new (GHashTable *hash, const char *contype)
_builder_init_optional_spinbutton (builder, "max_routes_checkbutton", "max_routes_spinbutton",
!!value,
_nm_utils_ascii_str_to_int64 (value, 10, 0, 100000000, 100));
+ value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+ if (value && *value) {
+ widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min"));
+ gtk_entry_set_text (GTK_ENTRY (widget), value);
+ }
+ value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+ if (value && *value) {
+ widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max"));
+ gtk_entry_set_text (GTK_ENTRY (widget), value);
+ }
+
return dialog;
}
@@ -2017,6 +2030,15 @@ advanced_dialog_new_hash_from_dialog (GtkWidget *dialog)
if (hmacauth)
g_hash_table_insert (hash, NM_OPENVPN_KEY_AUTH, hmacauth);
}
+ entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min"));
+ value = gtk_entry_get_text (GTK_ENTRY (entry));
+ if (value && *value)
+ g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN, g_strdup (value));
+
+ entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max"));
+ value = gtk_entry_get_text (GTK_ENTRY (entry));
+ if (value && *value)
+ g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX, g_strdup (value));
contype = g_object_get_data (G_OBJECT (dialog), "connection-type");
if ( !strcmp (contype, NM_OPENVPN_CONTYPE_TLS)
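Review bot: The two new blocks copy whatever is typed into `tls_version_min`/`tls_version_max` into the hash without checking it, so a value such as `1.2 ` or `TLSv1.2` is stored and only fails later when openvpn refuses to start. A check that the trimmed text is one of the accepted version strings before the `g_hash_table_insert`, mirroring how other entries in this dialog are validated, would surface the error in the editor. A blank line is also missing between the second `g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX, ...)` and the `contype = ...` line, unlike the spacing used after the min block. The declarations of `entry` and `value` and the rest of advanced_dialog_new_hash_from_dialog are outside this hunk.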
diff --git a/properties/tests/conf/tls3.ovpn b/properties/tests/conf/tls3.ovpn
new file mode 100644
index 0000000..5dd45ba
--- /dev/null
+++ b/properties/tests/conf/tls3.ovpn
@@ -0,0 +1,28 @@
+remote 173.8.149.245 1194
+resolv-retry infinite
+
+dev tun
+persist-key
+persist-tun
+link-mtu 1400
+proto udp
+nobind
+pull
+tls-client
+
+float
+
+ca keys/mg8.ca
+cert keys/clee.crt
+key keys/clee.key
+
+tls-crypt keys/46.key
+remote-cert-tls server
+tls-remote "/CN=myvpn.company.com"
+verify-x509-name "C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list gnome org" subject
+
+comp-lzo
+verb 3
+
+tls-version-min 1.0
+tls-version-max 1.2
\ No newline at end of file
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index 09fb224..36ec84f 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
@@ -379,6 +379,54 @@ test_tls_import_2 (void)
_check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
}
+static void
+test_tls_import_3 (void)
+{
+ _CREATE_PLUGIN (plugin);
+ gs_unref_object NMConnection *connection = NULL;
+ NMSettingConnection *s_con;
+ NMSettingVpn *s_vpn;
+
+ connection = get_basic_connection (plugin, SRCDIR, "tls3.ovpn");
+
+ s_con = _get_setting_connection (connection);
+ g_assert_cmpstr (nm_setting_connection_get_id (s_con), ==, "tls3");
+ g_assert (!nm_setting_connection_get_uuid (s_con));
+
+ s_vpn = _get_setting_vpn (connection);
+
+ _check_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE, NM_OPENVPN_CONTYPE_TLS);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DEV, "tun");
+ _check_item (s_vpn, NM_OPENVPN_KEY_PROTO_TCP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO, "adaptive");
+ _check_item (s_vpn, NM_OPENVPN_KEY_FLOAT, "yes");
+ _check_item (s_vpn, NM_OPENVPN_KEY_RENEG_SECONDS, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE, "173.8.149.245:1194");
+ _check_item (s_vpn, NM_OPENVPN_KEY_PORT, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE, "/CN=myvpn.company.com");
+ _check_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME,
+ "subject:C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list gnome org");
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS, "server");
+
+ _check_item (s_vpn, NM_OPENVPN_KEY_CA, SRCDIR"/keys/mg8.ca");
+ _check_item (s_vpn, NM_OPENVPN_KEY_CERT, SRCDIR"/keys/clee.crt");
+ _check_item (s_vpn, NM_OPENVPN_KEY_KEY, SRCDIR"/keys/clee.key");
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, SRCDIR"/keys/46.key");
+
+ _check_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD, NULL);
+ _check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
+
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, "1.0");
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX, "1.2");
+
+}
+
static void
test_file_contents (const char *id,
const char *dir,
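Review bot: test_tls_import_3 only exercises the single-token form (`tls-version-min 1.0`), so the `or-highest` variant that the UI tooltip mentions has no coverage; a second fixture line or assertion for it would pin the intended behaviour. The function also ends with an empty line before the closing `}` and duplicates almost all of test_tls_import_2; the shared assertions could move into a helper taking the file name and the expected extra items. The new function is complete within this hunk.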
@@ -1043,6 +1091,9 @@ int main (int argc, char **argv)
_add_test_func_simple (test_tls_import_2);
_add_test_func ("tls2-export", test_export_compare, "tls2.ovpn", "tls2.ovpntest");
+ _add_test_func_simple (test_tls_import_3);
+ _add_test_func ("tls3-export", test_export_compare, "tls3.ovpn", "tls3.ovpntest");
+
_add_test_func_simple (test_pkcs12_import);
_add_test_func ("pkcs12-export", test_export_compare, "pkcs12.ovpn", "pkcs12.ovpntest");
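Review bot: The new `tls3-export` test compares against `tls3.ovpntest`, but the diffstat and the `Makefile.am` hunk only add `properties/tests/conf/tls3.ovpn`, so unless the expected-output file is added elsewhere this test will fail to find it (and it would also be missing from `EXTRA_DIST`). Either add `properties/tests/conf/tls3.ovpntest` in this commit and list it in `Makefile.am`, or drop the `_add_test_func ("tls3-export", ...)` registration until it exists. main's body continues outside this hunk.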
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index c0fb724..e5810c1 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -73,6 +73,8 @@
#define NM_OPENVPN_KEY_TLS_CIPHER "tls-cipher"
#define NM_OPENVPN_KEY_TLS_CRYPT "tls-crypt"
#define NM_OPENVPN_KEY_TLS_REMOTE "tls-remote"
+#define NM_OPENVPN_KEY_TLS_VERSION_MIN "tls-version-min"
+#define NM_OPENVPN_KEY_TLS_VERSION_MAX "tls-version-max"
#define NM_OPENVPN_KEY_TUNNEL_MTU "tunnel-mtu"
#define NM_OPENVPN_KEY_TUN_IPV6 "tun-ipv6"
#define NM_OPENVPN_KEY_USERNAME "username"
diff --git a/shared/utils.h b/shared/utils.h
index e3f30be..a32c098 100644
--- a/shared/utils.h
+++ b/shared/utils.h
@@ -75,6 +75,8 @@
#define NMV_OVPN_TAG_TLS_CLIENT "tls-client"
#define NMV_OVPN_TAG_TLS_CRYPT "tls-crypt"
#define NMV_OVPN_TAG_TLS_REMOTE "tls-remote"
+#define NMV_OVPN_TAG_TLS_VERSION_MIN "tls-version-min"
+#define NMV_OVPN_TAG_TLS_VERSION_MAX "tls-version-max"
#define NMV_OVPN_TAG_TOPOLOGY "topology"
#define NMV_OVPN_TAG_TUN_IPV6 "tun-ipv6"
#define NMV_OVPN_TAG_TUN_MTU "tun-mtu"
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 59b64eb..3573714 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -193,6 +193,8 @@ static const ValidProperty valid_properties[] = {
{ NM_OPENVPN_KEY_CERTPASS_FLAGS, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_NOSECRET, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD_FLAGS, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_TLS_VERSION_MIN, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_TLS_VERSION_MAX, G_TYPE_STRING, 0, 0, FALSE },
{ NULL, G_TYPE_NONE, FALSE }
};
@@ -1652,6 +1654,16 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
args_add_strv (args, "--tls-crypt");
args_add_utf8safe_str (args, tmp);
}
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+ if (nmovpn_arg_is_set (tmp)) {
+ args_add_strv (args, "--tls-version-min");
+ args_add_strv (args, tmp);
+ }
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+ if (nmovpn_arg_is_set (tmp)) {
+ args_add_strv (args, "--tls-version-max");
+ args_add_strv (args, tmp);
+ }
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_EXTRA_CERTS);
if (nmovpn_arg_is_set (tmp)) {
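Review bot: The value of `NM_OPENVPN_KEY_TLS_VERSION_MIN`/`_MAX` is passed to openvpn unchecked via `args_add_strv (args, tmp)`; `valid_properties` (the first hunk in this file) only records `G_TYPE_STRING`, so any string a client puts in the connection is accepted and the first error appears as an openvpn start failure. A small allow-list check before `args_add_strv (args, "--tls-version-min")` — reject anything that is not one of the accepted version tokens and return a validation error like the other argument checks in this function — would fail fast with a clear message. Note also that openvpn's `--tls-version-min` takes an optional `or-highest` second argument, which this code cannot emit because the whole value is added as one argv element. nm_openvpn_start_openvpn_binary begins and ends outside this hunk.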