[network-manager-sstp] Adding an option to configure to enable "extended" tls options



commit 91a4c0a4a2d524bf6370622a2b7bc455395db6db
Author: Eivind Næss <eivnaes yahoo com>
Date:   Sun Mar 20 14:02:59 2022 -0700

    Adding an option to configure to enable "extended" tls options
    
    These options are not supported by pppd versions up to and including 2.4.9; they are currently only available in the upstream (not yet released) version of pppd.
    
    Signed-off-by: Eivind Næss <eivnaes yahoo com>

 configure.ac                 |  40 +++++---
 properties/advanced-dialog.c | 240 +++++++++++++++++++++++--------------------
 properties/nm-sstp-dialog.ui |   4 +-
 src/nm-sstp-service.c        |  17 ++-
 4 files changed, 173 insertions(+), 128 deletions(-)
---
diff --git a/configure.ac b/configure.ac
index ac32627..2f9a020 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,20 +36,20 @@ fi
 
 AC_CHECK_HEADERS(fcntl.h paths.h sys/ioctl.h syslog.h unistd.h)
 
-#
-# Versions >= 2.4.10 will have pkgconfig support
+dnl
+dnl Versions >= 2.4.10 will have pkgconfig support
 PKG_CHECK_EXISTS([pppd],
     [AS_VAR_SET([pppd_pkgconfig_support],[yes])])
 
-#
-# We do require pppd
+dnl
+dnl We do require pppd
 AC_CHECK_HEADERS(pppd/pppd.h,,
     [AC_MSG_ERROR([pppd.h missing, Hint: apt-get install ppp-dev])])
 
+dnl
+dnl Check if the version of mppe.h define mppe_keys_xxx() functions, 2.4.9 does not; but 2.4.10 will.
 CFLAGS_OLD="$CFLAGS"
 CFLAGS="$CFLAGS -Werror"
-#
-# Check if the version of mppe.h define mppe_keys_xxx() functions, 2.4.9 does not; but 2.4.10 will.
 AC_CACHE_CHECK([if pppd/mppe.h defines mppe_keys_xyz() functions], ac_cv_working_mppe_h,
 [AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM([[
@@ -67,10 +67,10 @@ if test $ac_cv_working_mppe_h = yes; then
 fi
 CFLAGS="$CFLAGS_OLD"
 
-#
-# Versions >= 2.4.9 will have support for the auth notify callback
+dnl
+dnl  Support for the auth notify callback in pppd >= 2.4.9
 AC_ARG_WITH([pppd-auth-notify-support],
-    [AS_HELP_STRING([--with-pppd-auth-notify-support], [is the auth-notifier supported in this pppd 
version])])
+    [AS_HELP_STRING([--with-pppd-auth-notify-support], [is the auth-notifier supported by pppd])])
 if test x"$with_pppd_auth_notify_support" != xyes; then
     if test x"$pppd_pkgconfig_support" == xyes; then        # pkgconfig implies pppd > 2.4.9
         AS_VAR_SET([with_pppd_auth_notify_support],[yes])
@@ -79,11 +79,26 @@ fi
 if test x"$with_pppd_auth_notify_support" == xyes; then
     AC_DEFINE(USE_PPPD_AUTH_HOOK,1,[Define if pppd has support for client side authentication complete 
notification])
 else
-    with_pppd_auth_notify_support=no
+    AS_VAR_SET([with_pppd_auth_notify_support],[no])
+fi
+
+dnl
+dnl Enable support for extended tls settings in pppd > 2.4.9
+AC_ARG_WITH([pppd-ext-tls-settings-suppport],
+    [AS_HELP_STRING([--with-pppd-ext-tls-settings-support], [is settings such as pkcs12, tls-verify-method, 
tls-verify-key-usage and max-tls-version supported in by pppd])])
+if test x"$with_pppd_ext_tls_settings_support" != xyes; then
+    if test x"$pppd_pkgconfig_support" == xyes; then        # pkgconfig implies pppd > 2.4.9
+        AS_VAR_SET([with_pppd_ext_tls_settings_support],[yes])
+    fi
+fi
+if test x"$with_pppd_extended_tls_settings" == xyes; then
+    AC_DEFINE(USE_PPP_EXT_TLS_SETTINGS,1,[Define if pppd has support for extended tls-settings like pkcs12, 
tls-verify-method, tls-verify-key-usage, max-tls-version])
+else
+    AS_VAR_SET([with_pppd_ext_tls_settings_support],[no])
 fi
 
-#
-# Specify the path of the pppd plugin directory
+dnl
+dnl Specify the path of the pppd plugin directory
 AC_ARG_WITH([pppd-plugin-dir],
         [AS_HELP_STRING([--with-pppd-plugin-dir=DIR], [path to the pppd plugins directory])])
 if test -n "$with_pppd_plugin_dir" ; then
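Review bot: The new option can never take effect because of two naming slips in this hunk: `AC_ARG_WITH([pppd-ext-tls-settings-suppport],` (three p's) defines `$with_pppd_ext_tls_settings_suppport`, so the documented `--with-pppd-ext-tls-settings-support` flag is silently ignored, and the `AC_DEFINE` is guarded by `if test x"$with_pppd_extended_tls_settings" == xyes; then`, a variable nothing in configure.ac sets. The net effect is that USE_PPP_EXT_TLS_SETTINGS is never defined, so even against a pppd that supports them the tls-verify-method, tls-verify-key-usage and max-tls-version arguments stay compiled out of the service (see the nm-sstp-service.c hunks) — a quiet fail-open for the server-identity checks this feature exists to add. Fix by spelling the option `AC_ARG_WITH([pppd-ext-tls-settings-support],` and testing `if test x"$with_pppd_ext_tls_settings_support" == xyes; then` before the AC_DEFINE; the help string should also read "are settings such as … supported by pppd". Note `==` inside `test` is a bashism, although it matches the existing auth-notify block above, and the "pkgconfig implies pppd > 2.4.9" shortcut assumes the unreleased pppd that ships pkgconfig also ships these options, which is worth confirming.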
@@ -222,6 +237,7 @@ echo "  --with-gnome=$with_gnome"
 echo "  --with-libnm-glib=$with_libnm_glib"
 echo "  --with-pppd-plugin-dir=$PPPD_PLUGIN_DIR"
 echo "  --with-pppd-auth-notify-support=$with_pppd_auth_notify_support"
+echo "  --with-pppd-ext-tls-settings_support=$with_pppd_ext_tls_settings_support"
 echo "  --with-system-ca-path=$SYSTEM_CA_PATH"
 echo "  --enable-absolute-paths=$enable_absolute_paths"
 echo "  --enable-more-warnings=$set_more_warnings"
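Review bot: The configure summary line mixes separators, `--with-pppd-ext-tls-settings_support=…`, so it no longer matches the flag name a user actually passes; change it to `echo "  --with-pppd-ext-tls-settings-support=$with_pppd_ext_tls_settings_support"`. Minor, but this summary is what gets pasted into bug reports to show which build options were in effect.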
diff --git a/properties/advanced-dialog.c b/properties/advanced-dialog.c
index 5b906c1..52e1fb8 100644
--- a/properties/advanced-dialog.c
+++ b/properties/advanced-dialog.c
@@ -455,6 +455,136 @@ auth_methods_setup (GtkBuilder *builder, GHashTable *hash)
         gtk_widget_set_sensitive (widget, TRUE);
 }
 
+static void
+tls_page_setup(GtkBuilder *builder, GHashTable *hash, gboolean is_tls, gchar *subject)
+{
+    GtkWidget *widget;
+    GtkListStore *store;
+    GtkTreeIter iter;
+    const char  *value;
+    int active = -1;
+
+    if (is_tls) {
+        // Use the user-specified value for identity, or extracted subject name if not specified
+        widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_identity"));
+        value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_IDENTITY);
+        if (value && strlen (value)) {
+            gtk_entry_set_text (GTK_ENTRY (widget), value);
+        }
+        else if (subject && strlen (subject)) {
+            gtk_entry_set_text (GTK_ENTRY (widget), subject);
+        }
+
+        value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_VERIFY_METHOD);
+        store = gtk_list_store_new (2, G_TYPE_STRING, G_TYPE_STRING);
+        gtk_list_store_append (store, &iter);
+        gtk_list_store_set (store, &iter,
+                            COL_NAME, _("Don't verify certificate identification"),
+                            COL_VALUE, NM_SSTP_VERIFY_MODE_NONE,
+                            -1);
+        if (nm_streq0 (value, NM_SSTP_VERIFY_MODE_NONE))
+            active = 0;
+
+        gtk_list_store_append (store, &iter);
+        gtk_list_store_set (store, &iter,
+                            COL_NAME, _("Verify subject exactly"),
+                            COL_VALUE, NM_SSTP_VERIFY_MODE_SUBJECT,
+                            -1);
+        if (nm_streq0 (value, NM_SSTP_VERIFY_MODE_SUBJECT))
+            active = 1;
+
+        gtk_list_store_append (store, &iter);
+        gtk_list_store_set (store, &iter,
+                            COL_NAME, _("Verify name exactly"),
+                            COL_VALUE, NM_SSTP_VERIFY_MODE_NAME,
+                            -1);
+        if (nm_streq0 (value, NM_SSTP_VERIFY_MODE_NAME))
+            active = 2;
+
+        gtk_list_store_append (store, &iter);
+        gtk_list_store_set (store, &iter,
+                            COL_NAME, _("Verify name by suffix"),
+                            COL_VALUE, NM_SSTP_VERIFY_MODE_NAME_SUFFIX,
+                            -1);
+        if (nm_streq0 (value, NM_SSTP_VERIFY_MODE_NAME_SUFFIX))
+            active = 3;
+
+        widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_mode_combo"));
+        gtk_combo_box_set_model (GTK_COMBO_BOX (widget), GTK_TREE_MODEL (store));
+        if (active >= 0)
+            gtk_combo_box_set_active (GTK_COMBO_BOX (widget), active);
+        g_object_unref (store);
+
+        widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_entry"));
+        value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_REMOTENAME);
+        if (value && strlen (value)) {
+          gtk_entry_set_text (GTK_ENTRY (widget), value);
+        }
+
+        active = -1;
+        widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_keyusage_check"));
+        gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON(widget), FALSE);
+        value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_VERIFY_KEY_USAGE);
+        if (value && !strcmp (value, "yes"))
+            gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON(widget), TRUE);
+
+#ifndef USE_PPP_EXT_TLS_SETTINGS
+        widget = GTK_WIDGET (gtk_builder_get_object (builder, "vbox_tls_validation"));
+        gtk_widget_set_sensitive(widget, FALSE);
+#endif
+
+        value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_MAX_VERSION);
+        store = gtk_list_store_new (2, G_TYPE_STRING, G_TYPE_STRING);
+        gtk_list_store_append (store, &iter);
+        gtk_list_store_set (store, &iter,
+                            COL_NAME, "TLS 1.0",
+                            COL_VALUE, NM_SSTP_TLS_1_0_SUPPORT,
+                            -1);
+        if (nm_streq0 (value, NM_SSTP_TLS_1_0_SUPPORT))
+            active = 0;
+
+        gtk_list_store_append (store, &iter);
+        gtk_list_store_set (store, &iter,
+                            COL_NAME, "TLS 1.1",
+                            COL_VALUE, NM_SSTP_TLS_1_1_SUPPORT,
+                            -1);
+        if (nm_streq0 (value, NM_SSTP_TLS_1_1_SUPPORT))
+            active = 1;
+
+        gtk_list_store_append (store, &iter);
+        gtk_list_store_set (store, &iter,
+                            COL_NAME, _("TLS 1.2 (Default)"),
+                            COL_VALUE, NM_SSTP_TLS_1_2_SUPPORT,
+                            -1);
+        if (nm_streq0 (value, NM_SSTP_TLS_1_2_SUPPORT))
+            active = 2;
+
+        gtk_list_store_append (store, &iter);
+        gtk_list_store_set (store, &iter,
+                            COL_NAME, _("TLS 1.3"),
+                            COL_VALUE, NM_SSTP_TLS_1_3_SUPPORT,
+                            -1);
+        if (nm_streq0 (value, NM_SSTP_TLS_1_3_SUPPORT))
+            active = 3;
+
+        widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max_combo"));
+        gtk_combo_box_set_model (GTK_COMBO_BOX (widget), GTK_TREE_MODEL (store));
+        if (active > 0)
+            gtk_combo_box_set_active (GTK_COMBO_BOX (widget), active);
+        g_object_unref (store);
+
+#ifndef USE_PPP_EXT_TLS_SETTINGS
+        widget = GTK_WIDGET (gtk_builder_get_object (builder, "vbox_tls_version"));
+        gtk_widget_set_sensitive(widget, FALSE);
+#endif
+
+    } else {
+        // Desensitize the child widgets of alignment_tls if not TLS
+        widget = GTK_WIDGET (gtk_builder_get_object (builder, "alignment_tls"));
+        gtk_widget_set_sensitive(widget, is_tls);
+    }
+}
+
 static void
 checkbox_toggled_update_widget_cb (GtkWidget *check, gpointer user_data)
 {
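Review bot: The max-version combo is selected with `if (active > 0)`, which skips index 0, so a profile saved with max version TLS 1.0 reopens with no entry selected while the verify-method combo a few lines above correctly uses `if (active >= 0)`; the two should agree, `if (active >= 0)`. Separately, when USE_PPP_EXT_TLS_SETTINGS is undefined the validation and version boxes are only greyed out, so the dialog still shows whatever verify-method the profile stores and a user may read an insensitive "Verify subject exactly" as being enforced, although the service built without that define never passes it to pppd; a tooltip or label on `vbox_tls_validation` saying these settings require a newer pppd would remove the ambiguity. Style: the new function is declared `tls_page_setup(GtkBuilder *builder, …)` and calls `gtk_widget_set_sensitive(widget, …)` without the space before the parenthesis that the rest of this file uses, e.g. `tls_page_setup (builder, hash, is_tls, subject)`.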
@@ -473,12 +603,8 @@ advanced_dialog_new (GHashTable *hash, gboolean is_tls, gchar *subject)
     const char *value;
     const char *value2;
     gboolean mppe = FALSE;
-    int active = -1;
     GError *error = NULL;
     NMSettingSecretFlags pw_flags;
-    GtkListStore *store;
-    GtkTreeIter iter;
-
 
     g_return_val_if_fail (hash != NULL, NULL);
 
@@ -591,111 +717,7 @@ advanced_dialog_new (GHashTable *hash, gboolean is_tls, gchar *subject)
     handle_mppe_changed (widget, TRUE, builder);
     g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (mppe_toggled_cb), builder);
 
-    // Use the user-specified value for identity, or extracted subject name if not specified
-    widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_identity"));
-    value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_IDENTITY);
-    if (value && strlen (value)) {
-        gtk_entry_set_text (GTK_ENTRY (widget), value);
-    }
-    else if (subject && strlen (subject)) {
-        gtk_entry_set_text (GTK_ENTRY (widget), subject);
-    }
-
-    value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_VERIFY_METHOD);
-    store = gtk_list_store_new (2, G_TYPE_STRING, G_TYPE_STRING);
-    gtk_list_store_append (store, &iter);
-    gtk_list_store_set (store, &iter,
-                        COL_NAME, _("Don't verify certificate identification"),
-                        COL_VALUE, NM_SSTP_VERIFY_MODE_NONE,
-                        -1);
-    if (nm_streq0 (value, NM_SSTP_VERIFY_MODE_NONE))
-        active = 0;
-
-    gtk_list_store_append (store, &iter);
-    gtk_list_store_set (store, &iter,
-                        COL_NAME, _("Verify subject exactly"),
-                        COL_VALUE, NM_SSTP_VERIFY_MODE_SUBJECT,
-                        -1);
-    if (nm_streq0 (value, NM_SSTP_VERIFY_MODE_SUBJECT))
-        active = 1;
-
-    gtk_list_store_append (store, &iter);
-    gtk_list_store_set (store, &iter,
-                        COL_NAME, _("Verify name exactly"),
-                        COL_VALUE, NM_SSTP_VERIFY_MODE_NAME,
-                        -1);
-    if (nm_streq0 (value, NM_SSTP_VERIFY_MODE_NAME))
-        active = 2;
-
-    gtk_list_store_append (store, &iter);
-    gtk_list_store_set (store, &iter,
-                        COL_NAME, _("Verify name by suffix"),
-                        COL_VALUE, NM_SSTP_VERIFY_MODE_NAME_SUFFIX,
-                        -1);
-    if (nm_streq0 (value, NM_SSTP_VERIFY_MODE_NAME_SUFFIX))
-        active = 3;
-
-    widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_mode_combo"));
-    gtk_combo_box_set_model (GTK_COMBO_BOX (widget), GTK_TREE_MODEL (store));
-    if (active >= 0)
-        gtk_combo_box_set_active (GTK_COMBO_BOX (widget), active);
-    g_object_unref (store);
-
-    widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_entry"));
-    value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_REMOTENAME);
-    if (value && strlen (value)) {
-        gtk_entry_set_text (GTK_ENTRY (widget), value);
-    }
-
-    active = -1;
-    widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_keyusage_check"));
-    gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON(widget), FALSE);
-    value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_VERIFY_KEY_USAGE);
-    if (value && !strcmp (value, "yes"))
-        gtk_toggle_button_set_active (GTK_TOGGLE_BUTTON(widget), TRUE);
-
-    value = g_hash_table_lookup (hash, NM_SSTP_KEY_TLS_MAX_VERSION);
-    store = gtk_list_store_new (2, G_TYPE_STRING, G_TYPE_STRING);
-    gtk_list_store_append (store, &iter);
-    gtk_list_store_set (store, &iter,
-                        COL_NAME, "TLS 1.0",
-                        COL_VALUE, NM_SSTP_TLS_1_0_SUPPORT,
-                        -1);
-    if (nm_streq0 (value, NM_SSTP_TLS_1_0_SUPPORT))
-        active = 0;
-
-    gtk_list_store_append (store, &iter);
-    gtk_list_store_set (store, &iter,
-                        COL_NAME, "TLS 1.1",
-                        COL_VALUE, NM_SSTP_TLS_1_1_SUPPORT,
-                        -1);
-    if (nm_streq0 (value, NM_SSTP_TLS_1_1_SUPPORT))
-        active = 1;
-
-    gtk_list_store_append (store, &iter);
-    gtk_list_store_set (store, &iter,
-                        COL_NAME, _("TLS 1.2 (Default)"),
-                        COL_VALUE, NM_SSTP_TLS_1_2_SUPPORT,
-                        -1);
-    if (nm_streq0 (value, NM_SSTP_TLS_1_2_SUPPORT))
-        active = 2;
-
-    gtk_list_store_append (store, &iter);
-    gtk_list_store_set (store, &iter,
-                        COL_NAME, _("TLS 1.3"),
-                        COL_VALUE, NM_SSTP_TLS_1_3_SUPPORT,
-                        -1);
-    if (nm_streq0 (value, NM_SSTP_TLS_1_3_SUPPORT))
-        active = 3;
-
-    widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max_combo"));
-    gtk_combo_box_set_model (GTK_COMBO_BOX (widget), GTK_TREE_MODEL (store));
-    if (active > 0)
-        gtk_combo_box_set_active (GTK_COMBO_BOX (widget), active);
-    g_object_unref (store);
-    
-    widget = GTK_WIDGET (gtk_builder_get_object (builder, "alignment_tls"));
-    gtk_widget_set_sensitive(widget, is_tls);
+    tls_page_setup (builder, hash, is_tls, subject);
 
     value = g_hash_table_lookup (hash, NM_SSTP_KEY_PROXY_SERVER);
     value2 = g_hash_table_lookup (hash, NM_SSTP_KEY_PROXY_PORT);
diff --git a/properties/nm-sstp-dialog.ui b/properties/nm-sstp-dialog.ui
index 5859347..5ba834b 100644
--- a/properties/nm-sstp-dialog.ui
+++ b/properties/nm-sstp-dialog.ui
@@ -1236,7 +1236,7 @@ By default, this will be populated, when correct password for certificate is sup
                       </packing>
                     </child>
                     <child>
-                      <object class="GtkBox" id="vbox10">
+                      <object class="GtkBox" id="vbox_tls_validation">
                         <property name="visible">True</property>
                         <property name="can_focus">False</property>
                         <property name="orientation">vertical</property>
@@ -1367,7 +1367,7 @@ or just the Common Name (CN field).
                       </packing>
                     </child>
                     <child>
-                      <object class="GtkBox" id="vbox15">
+                      <object class="GtkBox" id="vbox_tls_version">
                         <property name="visible">True</property>
                         <property name="can_focus">False</property>
                         <property name="orientation">vertical</property>
diff --git a/src/nm-sstp-service.c b/src/nm-sstp-service.c
index c444a31..993a786 100644
--- a/src/nm-sstp-service.c
+++ b/src/nm-sstp-service.c
@@ -713,8 +713,10 @@ construct_pppd_args (NMSstpPlugin *plugin,
 
         value = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_TLS_USER_CERT);
         if (value && *value) {
-
+#ifdef USE_PPP_EXT_TLS_SETTINGS
+            // "pkcs12" is only available in pppd > 2.4.9
             is_pkcs12 = nm_utils_file_is_pkcs12 (value);
+#endif // USE_PPP_EXT_TLS_SETTINGS
             g_ptr_array_add (args, (gpointer) g_strdup (is_pkcs12 ? "pkcs12" : "cert"));
             args_add_utf8safe_str (args, value);
         }
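Review bot: In a build without USE_PPP_EXT_TLS_SETTINGS a PKCS#12 bundle chosen as the user certificate is now handed to pppd as `cert <file>`, because the `is_pkcs12` detection is compiled out; pppd will then fail to load it as PEM and the user gets an opaque connection failure rather than an explanation. An `#else` branch that still runs the check and reports it would help: `if (nm_utils_file_is_pkcs12 (value)) g_warning ("PKCS#12 user certificate requires pppd > 2.4.9; passing it as a PEM cert");` — or, better, fail construct_pppd_args outright if its error path allows it (its signature is outside this hunk). The declaration and initial value of `is_pkcs12` are also outside the hunk, so I am assuming it defaults to FALSE.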
@@ -737,23 +739,27 @@ construct_pppd_args (NMSstpPlugin *plugin,
             args_add_utf8safe_str(args, g_strdup (SYSTEM_CA_PATH));
         }
 
-        value = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_TLS_MAX_VERSION);
+        value = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_CRL_REVOCATION_FILE);
         if (value && *value) {
-            g_ptr_array_add (args, (gpointer) g_strdup ("max-tls-version"));
+            g_ptr_array_add (args, (gpointer) g_strdup ("crl"));
             g_ptr_array_add (args, g_strdup (value));
         }
 
-        value = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_CRL_REVOCATION_FILE);
+#ifdef USE_PPP_EXT_TLS_SETTINGS
+        // "max-tls-version" is only in pppd > 2.4.9
+        value = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_TLS_MAX_VERSION);
         if (value && *value) {
-            g_ptr_array_add (args, (gpointer) g_strdup ("crl"));
+            g_ptr_array_add (args, (gpointer) g_strdup ("max-tls-version"));
             g_ptr_array_add (args, g_strdup (value));
         }
 
+        // "tls-verify-key-usage" is only in pppd > 2.4.9
         value = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_TLS_VERIFY_KEY_USAGE);
         if (value && *value) {
             g_ptr_array_add (args, (gpointer) g_strdup ("tls-verify-key-usage"));
         }
 
+        // "tls-verify-method" is only in pppd > 2.4.9
         value = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_TLS_VERIFY_METHOD);
         if (value && *value) {
 
@@ -769,6 +775,7 @@ construct_pppd_args (NMSstpPlugin *plugin,
                 g_ptr_array_add (args, g_strdup (remote));
             }
         }
+#endif // USE_PPP_EXT_TLS_SETTINGS
 
         g_ptr_array_add (args, (gpointer) g_strdup ("need-peer-eap"));
     }
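Review bot: The `#endif // USE_PPP_EXT_TLS_SETTINGS` added here closes a region (opened in the previous hunk) that compiles out the tls-verify-method, tls-verify-key-usage and max-tls-version handling, so a service built against an older pppd silently drops a profile's server-identity checks and TLS ceiling and brings the tunnel up anyway — a fail-open for exactly the settings meant to stop a spoofed server. The profile values are still present in s_vpn, so the unsupported case should at least be logged, and arguably refused; whether construct_pppd_args can return an error at this point depends on its signature, which is outside the hunk, as is the enclosing is-TLS block. I'd add an `#else` branch immediately before this `#endif` along the following lines, using whatever logging call this file already uses in place of g_warning; a verify-method value of "none" could be excluded from the warning since nothing is lost in that case.
```c
#else
        {
            // Extended TLS options are compiled out (pppd <= 2.4.9): say so instead of
            // silently connecting without the verification the profile asked for.
            const char *vm = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_TLS_VERIFY_METHOD);
            const char *ku = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_TLS_VERIFY_KEY_USAGE);
            const char *mv = nm_setting_vpn_get_data_item (s_vpn, NM_SSTP_KEY_TLS_MAX_VERSION);
            if ((vm && *vm) || (ku && *ku) || (mv && *mv))
                g_warning ("tls-verify-method/tls-verify-key-usage/max-tls-version are set but "
                           "this pppd does not support them; ignoring");
        }
#endif // USE_PPP_EXT_TLS_SETTINGS
```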

