[PATCH] (Fixed) Support for openvpn --auth option



Hello everybody,

please find attached the second (and fixed) version of my patch to add
support for the --auth option of openvpn to the NetworkManager-openvpn
plugin.  The patch is against NetworkManager-openvpn-0.7.0-16.svn4027
(Fedora 9).

My work was triggered by the fact that I tried (and failed) to get a
"SSL VPN" connection to an Astaro firewall, using Fedora 9.  The logs
showed that Astaro used MD5 HMAC authentication, whereas my Fedora 9
system used SHA1 (the default).  So I started hacking...

The attached patch is sufficient to get a working "SSL VPN" connection 
to an Astaro firewall.

For minimal impact, I chose to implement the --auth option in the
same way as the --cipher option.  Both the "new" --auth and the "old"
--cipher options share the following issues:

o	When a non-default value was saved and you want to switch back
	to "Default" later on, then this change does not get saved and
	the non-default value remains in the config.

	As far as I understand the plugin code, this issue seems to be
	caused by NetworkManager or gconfd, not by the openvpn plugin
	(the hash returned by advanced_dialog_new_hash_from_dialog() does
	not contain the --auth/--cipher value when "Default" was chosen).

	Is this a known issue?  (bugzilla.gnome.org didn't show anything
	similar for NetworkManager)

o	Openvpn supports these options for both static and TLS modes.
	The openvpn plugin for NetworkManager carries the --cipher option
	(and with my patch, the --auth option, too) on the "Certificates
	(TLS)" tab of the "advanced" popup, which is only available when
	using TLS modes and not when using static keys.

	The easiest fix would be to move the popup-menue(s) (GtkComboBox)
	for --cipher (and --auth) to the "General" tab.  A little bit more
	work, but maybe better for future extensions:  Introduce a new
	tab "Encryption" for these options.  What do you think/prefer?


I'm willing to fix the second issue and to do some more research on the
first one if there is a real chance that support for the --auth option
of openvpn gets accepted into the NetworkManager distribution.  ;-)

	Robert

diff -u NetworkManager-openvpn-0.7.0/properties/auth-helpers.c.hmacauth NetworkManager-openvpn-0.7.0/properties/auth-helpers.c
--- NetworkManager-openvpn-0.7.0/properties/auth-helpers.c.hmacauth	2008-08-29 15:30:50.000000000 +0200
+++ NetworkManager-openvpn-0.7.0/properties/auth-helpers.c	2008-11-09 21:35:56.000000000 +0100
@@ -585,6 +585,7 @@
 	NM_OPENVPN_KEY_TAP_DEV,
 	NM_OPENVPN_KEY_PROTO_TCP,
 	NM_OPENVPN_KEY_CIPHER,
+	NM_OPENVPN_KEY_AUTH,
 	NM_OPENVPN_KEY_TA_DIR,
 	NM_OPENVPN_KEY_TA,
 	NULL
@@ -734,6 +735,50 @@
 	g_strfreev (items);
 }
 
+#define HMACAUTH_COL_NAME 0
+#define HMACAUTH_COL_DEFAULT 1
+
+static void
+populate_hmacauth_combo (GtkComboBox *box, const char *hmacauth)
+{
+	GtkListStore *store;
+	GtkTreeIter iter;
+	gboolean active_initialized = FALSE;
+	gchar **item;
+	gchar *items[] = {
+		NM_OPENVPN_AUTH_NONE,
+		NM_OPENVPN_AUTH_MD5,
+		NM_OPENVPN_AUTH_SHA1,
+		NULL
+	};
+
+	store = gtk_list_store_new (2, G_TYPE_STRING, G_TYPE_BOOLEAN);
+	gtk_combo_box_set_model (box, GTK_TREE_MODEL (store));
+
+	/* Add default option which won't pass --auth to openvpn */
+	gtk_list_store_append (store, &iter);
+	gtk_list_store_set (store, &iter,
+	                    HMACAUTH_COL_NAME, _("Default"),
+	                    HMACAUTH_COL_DEFAULT, TRUE, -1);
+
+	/* Add options */
+	for (item = items; *item; item++) {
+		gtk_list_store_append (store, &iter);
+		gtk_list_store_set (store, &iter,
+		                    HMACAUTH_COL_NAME, *item,
+		                    HMACAUTH_COL_DEFAULT, FALSE, -1);
+		if (hmacauth && !strcmp (*item, hmacauth)) {
+			gtk_combo_box_set_active_iter (box, &iter);
+			active_initialized = TRUE;
+		}
+	}
+
+	if (!active_initialized)
+		gtk_combo_box_set_active (box, 0);
+
+	g_object_unref (store);
+}
+
 static void
 tls_auth_toggled_cb (GtkWidget *widget, gpointer user_data)
 {
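Review bot: The `items[]` table offered to the user includes NM_OPENVPN_AUTH_NONE, and selecting it results in `--auth none` being passed to openvpn, which turns off HMAC authentication of the data channel; the combo shows only the bare string "none" with nothing to mark this as the weak choice. A comment on the table would at least make the intent visible to the next maintainer, e.g. `/* "none" disables HMAC packet authentication entirely; kept for interoperability, keep it in sync with validate_auth() in src/nm-openvpn-service.c */`. Note also that `gchar *items[]` is initialised from string-literal macros, so `const char *items[]` (and `const char **item`) would be the honest type. The trailing context at the end of the hunk is the opening of tls_auth_toggled_cb, whose body lies outside the hunk.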
@@ -840,6 +885,10 @@
 		value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_CIPHER);
 		populate_cipher_combo (GTK_COMBO_BOX (widget), value);
 
+		widget = glade_xml_get_widget (xml, "hmacauth_combo");
+		value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_AUTH);
+		populate_hmacauth_combo (GTK_COMBO_BOX (widget), value);
+
 		widget = glade_xml_get_widget (xml, "tls_auth_checkbutton");
 		value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TA);
 		if (value && strlen (value))
@@ -944,6 +993,20 @@
 			}
 		}
 		
+		widget = glade_xml_get_widget (xml, "hmacauth_combo");
+		model = gtk_combo_box_get_model (GTK_COMBO_BOX (widget));
+		if (gtk_combo_box_get_active_iter (GTK_COMBO_BOX (widget), &iter)) {
+			char *hmacauth = NULL;
+			gboolean is_default = TRUE;
+
+			gtk_tree_model_get (model, &iter,
+			                    HMACAUTH_COL_NAME, &hmacauth,
+			                    HMACAUTH_COL_DEFAULT, &is_default, -1);
+			if (!is_default && hmacauth) {
+				g_hash_table_insert (hash, g_strdup (NM_OPENVPN_KEY_AUTH), g_strdup (hmacauth));
+			}
+		}
+		
 		widget = glade_xml_get_widget (xml, "tls_auth_checkbutton");
 		if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (widget))) {
 			char *filename;
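Review bot: The string that `gtk_tree_model_get` writes into `hmacauth` for a G_TYPE_STRING column is a newly allocated copy that the caller owns, and nothing in the new block frees it, so every save of the dialog leaks it (the hash receives a separate `g_strdup`). Add `g_free (hmacauth);` after the inner `if (!is_default && hmacauth)` block, inside the `gtk_combo_box_get_active_iter` branch. If the neighbouring --cipher block above the hunk has the same shape it presumably has the same leak and should get the same fix. The enclosing function starts and ends outside the hunk.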
diff -u NetworkManager-openvpn-0.7.0/properties/import-export.c.hmacauth NetworkManager-openvpn-0.7.0/properties/import-export.c
--- NetworkManager-openvpn-0.7.0/properties/import-export.c.hmacauth	2008-08-29 15:30:50.000000000 +0200
+++ NetworkManager-openvpn-0.7.0/properties/import-export.c	2008-11-09 21:35:56.000000000 +0100
@@ -55,6 +55,7 @@
 #define SECRET_TAG "secret"
 #define AUTH_USER_PASS_TAG "auth-user-pass"
 #define TLS_AUTH_TAG "tls-auth"
+#define AUTH_TAG "auth"
 
 static gboolean
 handle_path_item (const char *line,
@@ -311,8 +312,24 @@
 			continue;
 		}
 
-		if (!strncmp (*line, AUTH_USER_PASS_TAG, strlen (AUTH_USER_PASS_TAG)))
+		if (!strncmp (*line, AUTH_USER_PASS_TAG, strlen (AUTH_USER_PASS_TAG))) {
 			have_pass = TRUE;
+			continue;
+		}
+
+		if (!strncmp (*line, AUTH_TAG, strlen (AUTH_TAG))) {
+			items = get_args (*line + strlen (AUTH_TAG));
+			if (!items)
+				continue;
+
+			if (g_strv_length (items)) {
+				g_hash_table_insert (s_vpn->data,
+				                     g_strdup (NM_OPENVPN_KEY_AUTH),
+				                     g_strdup (items[0]));
+			}
+			g_strfreev (items);
+			continue;
+		}
 	}
 
 	if (g_hash_table_lookup (s_vpn->data, NM_OPENVPN_KEY_STATIC_KEY))
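Review bot: `strncmp (*line, AUTH_TAG, strlen (AUTH_TAG))` is a pure prefix match, so it fires for every option whose name begins with "auth"; the commit already had to reorder and `continue` past "auth-user-pass" because of this, but other openvpn options with the same prefix (for example `auth-nocache`) are not excluded and would be parsed as `--auth` with their suffix stored as NM_OPENVPN_KEY_AUTH, which validate_auth() then rejects at connect time as "Invalid HMAC auth." The match should require the tag to be followed by whitespace, e.g. `if (!strncmp (*line, AUTH_TAG, strlen (AUTH_TAG)) && g_ascii_isspace ((*line)[strlen (AUTH_TAG)]))`, or use a helper that compares the whole first token if the file has one. The imported `items[0]` is also stored unvalidated here while src/nm-openvpn-service.c accepts only three digests, so an import can succeed and only fail when connecting; validating (or at least documenting this) at import time would give the user the error where it is actionable. The enclosing loop and function start outside the hunk.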
diff -u NetworkManager-openvpn-0.7.0/properties/nm-openvpn-dialog.glade.hmacauth NetworkManager-openvpn-0.7.0/properties/nm-openvpn-dialog.glade
--- NetworkManager-openvpn-0.7.0/properties/nm-openvpn-dialog.glade.hmacauth	2008-11-09 21:35:56.000000000 +0100
+++ NetworkManager-openvpn-0.7.0/properties/nm-openvpn-dialog.glade	2008-11-09 21:35:56.000000000 +0100
@@ -801,7 +801,7 @@
               <widget class="GtkTable" id="table7">
                 <property name="visible">True</property>
                 <property name="border_width">12</property>
-                <property name="n_rows">3</property>
+                <property name="n_rows">4</property>
                 <property name="n_columns">2</property>
                 <property name="column_spacing">12</property>
                 <property name="row_spacing">6</property>
@@ -884,8 +884,8 @@
                   <packing>
                     <property name="left_attach">1</property>
                     <property name="right_attach">2</property>
-                    <property name="top_attach">2</property>
-                    <property name="bottom_attach">3</property>
+                    <property name="top_attach">3</property>
+                    <property name="bottom_attach">4</property>
                   </packing>
                 </child>
                 <child>
@@ -898,8 +898,8 @@
                   </widget>
                   <packing>
                     <property name="right_attach">2</property>
-                    <property name="top_attach">1</property>
-                    <property name="bottom_attach">2</property>
+                    <property name="top_attach">2</property>
+                    <property name="bottom_attach">3</property>
                   </packing>
                 </child>
                 <child>
@@ -923,6 +923,28 @@
                     <property name="y_options">GTK_EXPAND</property>
                   </packing>
                 </child>
+                <child>
+                  <widget class="GtkComboBox" id="hmacauth_combo">
+                    <property name="visible">True</property>
+                    <property name="items" translatable="yes"> </property>
+                  </widget>
+                  <packing>
+                    <property name="left_attach">1</property>
+                    <property name="right_attach">2</property>
+                    <property name="top_attach">1</property>
+                    <property name="bottom_attach">2</property>
+                  </packing>
+                </child>
+                <child>
+                  <widget class="GtkLabel" id="label21">
+                    <property name="visible">True</property>
+                    <property name="label" translatable="yes">HMAC auth:</property>
+                  </widget>
+                  <packing>
+                    <property name="top_attach">1</property>
+                    <property name="bottom_attach">2</property>
+                  </packing>
+                </child>
               </widget>
               <packing>
                 <property name="position">1</property>
diff -u NetworkManager-openvpn-0.7.0/src/nm-openvpn-service.c.hmacauth NetworkManager-openvpn-0.7.0/src/nm-openvpn-service.c
--- NetworkManager-openvpn-0.7.0/src/nm-openvpn-service.c.hmacauth	2008-08-29 15:30:50.000000000 +0200
+++ NetworkManager-openvpn-0.7.0/src/nm-openvpn-service.c	2008-11-09 21:35:56.000000000 +0100
@@ -83,6 +83,7 @@
 } ValidProperty;
 
 static ValidProperty valid_properties[] = {
+	{ NM_OPENVPN_KEY_AUTH,                 G_TYPE_STRING, 0, 0, FALSE },
 	{ NM_OPENVPN_KEY_CA,                   G_TYPE_STRING, 0, 0, FALSE },
 	{ NM_OPENVPN_KEY_CERT,                 G_TYPE_STRING, 0, 0, FALSE },
 	{ NM_OPENVPN_KEY_CIPHER,               G_TYPE_STRING, 0, 0, FALSE },
@@ -437,6 +438,18 @@
 	nm_vpn_plugin_set_state (plugin, NM_VPN_SERVICE_STATE_STOPPED);
 }
 
+static gboolean
+validate_auth (const char *auth)
+{
+	if (auth) {
+		if (   !strcmp (auth, NM_OPENVPN_AUTH_NONE)
+		    || !strcmp (auth, NM_OPENVPN_AUTH_MD5)
+		    || !strcmp (auth, NM_OPENVPN_AUTH_SHA1))
+			return TRUE;
+	}
+	return FALSE;
+}
+
 static const char *
 get_connection_type (GHashTable *properties)
 {
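Review bot: validate_auth has no comment saying why the allowlist exists or what it has to stay in sync with, which matters here because the accepted value is later placed verbatim into openvpn's argv and this function is the only thing keeping arbitrary strings out of that command line. Suggest a header comment along the lines of `/* Allowlist of --auth digests. The value is passed unmodified as an argv element to openvpn, so anything outside this set is rejected before the process is spawned. Keep in sync with populate_hmacauth_combo() in properties/auth-helpers.c. */`. Since openvpn itself appears to accept other digest names (e.g. SHA256), a config imported with one of those would be stored by import-export.c and only rejected here; the comment should state that narrowing as a deliberate choice, or the list should be widened together with the combo. The function is self-contained within the hunk.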
@@ -514,7 +527,7 @@
                                  GError **error)
 {
 	NMOpenvpnPluginPrivate *priv = NM_OPENVPN_PLUGIN_GET_PRIVATE (plugin);
-	const char *openvpn_binary, *connection_type, *tmp;
+	const char *openvpn_binary, *auth, *connection_type, *tmp;
 	GPtrArray *args;
 	GSource *openvpn_watch;
 	GPid pid;
@@ -530,6 +543,18 @@
 		return FALSE;
 	}
 
+	auth = g_hash_table_lookup (properties, NM_OPENVPN_KEY_AUTH);
+	if (auth) {
+		if (!validate_auth(auth)) {
+			g_set_error (error,
+			             NM_VPN_PLUGIN_ERROR,
+			             NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+			             "%s",
+			             "Invalid HMAC auth.");
+			return FALSE;
+		}
+	}
+
 	connection_type = get_connection_type (properties);
 	if (!connection_type) {
 		g_set_error (error,
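Review bot: `validate_auth(auth)` omits the space before the parenthesis that every other call in this hunk uses (`g_hash_table_lookup (properties, ...)`, `g_set_error (error,`), and the nested `if (auth) { if (!validate_auth(auth)) {` can be one guard. Replace the two conditions with `if (auth && !validate_auth (auth)) {` and drop one level of nesting around the g_set_error/return. The enclosing function (the plugin's connect/start routine) begins and ends outside the hunk.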
@@ -596,6 +621,12 @@
 		add_openvpn_arg (args, tmp);
 	}
 
+	/* Auth */
+	if (auth) {
+		add_openvpn_arg (args, "--auth");
+		add_openvpn_arg (args, auth);
+	}
+
 	/* TA */
 	tmp = g_hash_table_lookup (properties, NM_OPENVPN_KEY_TA);
 	if (tmp && strlen (tmp)) {
diff -u NetworkManager-openvpn-0.7.0/src/nm-openvpn-service.h.hmacauth NetworkManager-openvpn-0.7.0/src/nm-openvpn-service.h
--- NetworkManager-openvpn-0.7.0/src/nm-openvpn-service.h.hmacauth	2008-08-29 15:30:50.000000000 +0200
+++ NetworkManager-openvpn-0.7.0/src/nm-openvpn-service.h	2008-11-09 21:35:56.000000000 +0100
@@ -38,6 +38,7 @@
 #define NM_DBUS_INTERFACE_OPENVPN  "org.freedesktop.NetworkManager.openvpn"
 #define NM_DBUS_PATH_OPENVPN       "/org/freedesktop/NetworkManager/openvpn"
 
+#define NM_OPENVPN_KEY_AUTH "auth"
 #define NM_OPENVPN_KEY_CA "ca"
 #define NM_OPENVPN_KEY_CERT "cert"
 #define NM_OPENVPN_KEY_CIPHER "cipher"
@@ -63,6 +64,10 @@
  */
 #define NM_OPENVPN_KEY_NOSECRET "no-secret"
 
+#define NM_OPENVPN_AUTH_NONE "none"
+#define NM_OPENVPN_AUTH_MD5  "MD5"
+#define NM_OPENVPN_AUTH_SHA1 "SHA1"
+
 #define NM_OPENVPN_CONTYPE_TLS          "tls"
 #define NM_OPENVPN_CONTYPE_STATIC_KEY   "static-key"
 #define NM_OPENVPN_CONTYPE_PASSWORD     "password"

