Hello community, here is the log from the commit of package plasma-nm5 for openSUSE:Factory checked in at 2014-12-09 09:14:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/plasma-nm5 (Old) and /work/SRC/openSUSE:Factory/.plasma-nm5.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "plasma-nm5" Changes: -------- --- /work/SRC/openSUSE:Factory/plasma-nm5/plasma-nm5.changes 2014-11-13 09:22:29.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.plasma-nm5.new/plasma-nm5.changes 2014-12-09 09:13:51.000000000 +0100 @@ -1,0 +2,13 @@ +Mon Dec 8 09:18:41 UTC 2014 - [email protected] + +- Added 0001-Update-OpenConnect-support-for-library-version-5.patch + and 0002-Update-OpenConnect-storage-of-manually-accepted-serv.patch + from upstream to support building/working with openconnect version 7 + +------------------------------------------------------------------- +Sat Nov 29 17:22:34 UTC 2014 - [email protected] + +- Added 0001-OpenVPN-Add-option-for-server-certificate-verificati.patch, + kde#341069 + +------------------------------------------------------------------- New: ---- 0001-OpenVPN-Add-option-for-server-certificate-verificati.patch 0001-Update-OpenConnect-support-for-library-version-5.patch 0002-Update-OpenConnect-storage-of-manually-accepted-serv.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ plasma-nm5.spec ++++++ --- /var/tmp/diff_new_pack.q8TZwH/_old 2014-12-09 09:13:52.000000000 +0100 +++ /var/tmp/diff_new_pack.q8TZwH/_new 2014-12-09 09:13:52.000000000 +0100 
@@ -26,6 +26,12 @@ Url: https://projects.kde.org/projects/playground/network/plasma-nm Source: plasma-nm-%{version}.tar.xz Source99: %{name}-rpmlintrc +# PATCH-FIX-UPSTREAM 0001-OpenVPN-Add-option-for-server-certificate-verificati.patch -- kde#341069 +Patch0: 0001-OpenVPN-Add-option-for-server-certificate-verificati.patch +# PATCH-FIX-UPSTREAM 0001-Update-OpenConnect-support-for-library-version-5.patch +Patch1: 0001-Update-OpenConnect-support-for-library-version-5.patch +# PATCH-FIX-UPSTREAM 0002-Update-OpenConnect-storage-of-manually-accepted-serv.patch +Patch2: 0002-Update-OpenConnect-storage-of-manually-accepted-serv.patch BuildRequires: NetworkManager-devel >= 0.9.8.0 BuildRequires: extra-cmake-modules BuildRequires: fdupes @@ -168,6 +174,9 @@ %prep %setup -q -n plasma-nm-%{version} +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 %build %cmake_kf5 -d build -- -DCMAKE_INSTALL_LOCALEDIR=share/locale/kf5 ++++++ 0001-OpenVPN-Add-option-for-server-certificate-verificati.patch ++++++ >From 4fed18f7f75502dac0c03f61d2694c471c140349 Mon Sep 17 00:00:00 2001 From: Jan Grulich <[email protected]> Date: Wed, 26 Nov 2014 13:48:10 +0100 Subject: [PATCH 1/1] OpenVPN: Add option for server certificate verification BUG:341069 (cherry picked from commit f612d1d473805a273812aa9ea2f4c561e338d9a9) Conflicts: vpn/openvpn/openvpnadvanced.ui --- vpn/openvpn/nm-openvpn-service.h | 1 + vpn/openvpn/openvpnadvanced.ui | 343 +++++++++++++++++++++------------- vpn/openvpn/openvpnadvancedwidget.cpp | 14 ++ 3 files changed, 228 insertions(+), 130 deletions(-) diff --git a/vpn/openvpn/nm-openvpn-service.h b/vpn/openvpn/nm-openvpn-service.h index def533ed0d1e9a8e48d3d47dd52c3ee12686d61c..39e22515c84e9e26b61f08714b51a591547d25e9 100644 --- a/vpn/openvpn/nm-openvpn-service.h +++ b/vpn/openvpn/nm-openvpn-service.h 
@@ -54,6 +54,7 @@ #define NM_OPENVPN_KEY_USERNAME "username" #define NM_OPENVPN_KEY_TAP_DEV "tap-dev" #define NM_OPENVPN_KEY_TLS_REMOTE "tls-remote" +#define NM_OPENVPN_KEY_REMOTE_CERT_TLS "remote-cert-tls" #define NM_OPENVPN_KEY_PASSWORD "password" #define NM_OPENVPN_KEY_CERTPASS "cert-pass" diff --git a/vpn/openvpn/openvpnadvanced.ui b/vpn/openvpn/openvpnadvanced.ui index 3127bce46c8b9935b32714f0e97672feb0af4f9a..65570be0c2cf8bfb2f36b1b5a0e298f86128773a 100644 --- a/vpn/openvpn/openvpnadvanced.ui +++ b/vpn/openvpn/openvpnadvanced.ui @@ -10,8 +10,8 @@ <height>462</height> </rect> </property> - <layout class="QVBoxLayout" name="verticalLayout"> - <item> + <layout class="QGridLayout" name="gridLayout"> + <item row="0" column="0"> <widget class="QTabWidget" name="tabWidget"> <property name="currentIndex"> <number>0</number> @@ -50,7 +50,7 @@ <item> <widget class="QLabel" name="label_8"> <property name="text"> - <string>Tunnel &MTU:</string> + <string>Tunnel MTU:</string> </property> <property name="buddy"> <cstring>sbMtu</cstring> @@ -74,7 +74,7 @@ <item> <widget class="QLabel" name="label_9"> <property name="text"> - <string>UDP fragment si&ze:</string> + <string>UDP fragment size:</string> </property> <property name="buddy"> <cstring>sbUdpFragmentSize</cstring> @@ -199,7 +199,7 @@ <item> <widget class="QLabel" name="label_4"> <property name="text"> - <string>H&MAC Authentication:</string> + <string>HMAC Authentication:</string> </property> <property name="buddy"> <cstring>cboHmac</cstring> @@ -207,7 +207,7 @@ </widget> </item> <item> - <widget class="KComboBox" name="cboHmac"> + <widget class="QComboBox" name="cboHmac"> <property name="sizePolicy"> <sizepolicy hsizetype="Preferred" vsizetype="Fixed"> <horstretch>0</horstretch> 
@@ -287,13 +287,13 @@ <attribute name="title"> <string>TLS Settings</string> </attribute> - <layout class="QVBoxLayout" name="verticalLayout_9"> + <layout class="QVBoxLayout" name="verticalLayout"> <item> - <layout class="QHBoxLayout" name="horizontalLayout_10"> + <layout class="QHBoxLayout" name="horizontalLayout_3"> <item> <widget class="QLabel" name="label_10"> <property name="text"> - <string>Subject &Match:</string> + <string>Subject Match:</string> </property> <property name="buddy"> <cstring>subjectMatch</cstring> @@ -313,6 +313,44 @@ </layout> </item> <item> + <widget class="QCheckBox" name="chkRemoteCertTls"> + <property name="text"> + <string>Verify peer (server) certificate usage signature</string> + </property> + </widget> + </item> + <item> + <layout class="QHBoxLayout" name="horizontalLayout_4"> + <item> + <widget class="QLabel" name="labelRemoteCertTls"> + <property name="enabled"> + <bool>false</bool> + </property> + <property name="text"> + <string>Remote peer certificate TLS type:</string> + </property> + </widget> + </item> + <item> + <widget class="QComboBox" name="cmbRemoteCertTls"> + <property name="enabled"> + <bool>false</bool> + </property> + <item> + <property name="text"> + <string>Server</string> + </property> + </item> + <item> + <property name="text"> + <string>Client</string> + </property> + </item> + </widget> + </item> + </layout> + </item> + <item> <widget class="QGroupBox" name="useExtraTlsAuth"> <property name="title"> <string>Use additional TLS authentication</string> 
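Review bot: The new chkRemoteCertTls checkbox ships unchecked and without any toolTip or whatsThis, so nothing in the dialog tells the user what `remote-cert-tls` guards against or why leaving it off matters. Per the OpenVPN manual the option rejects a peer whose certificate lacks the server key-usage/EKU flags, i.e. it stops another client certificate from the same CA being presented as the server; that is exactly the kind of one-line explanation a user deciding whether to tick the box needs. I would add `<property name="toolTip"><string>Require the server certificate to carry server key-usage flags (OpenVPN --remote-cert-tls), so a client certificate from the same CA cannot impersonate the server.</string></property>` to chkRemoteCertTls and the same text on cmbRemoteCertTls. Whether new connections should default to checked is a product decision; as written, verification is off unless the user opts in.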
@@ -323,79 +361,71 @@ <property name="checked"> <bool>false</bool> </property> - <layout class="QVBoxLayout" name="verticalLayout_8"> - <item> - <layout class="QHBoxLayout" name="horizontalLayout_6"> - <item> - <widget class="QLabel" name="textLabel4_3"> - <property name="text"> - <string>Key:</string> - </property> - <property name="wordWrap"> - <bool>false</bool> - </property> - <property name="buddy"> - <cstring>kurlTlsAuthKey</cstring> - </property> - </widget> - </item> + <layout class="QGridLayout" name="gridLayout_2"> + <item row="0" column="0"> + <widget class="QLabel" name="textLabel4_3"> + <property name="text"> + <string>Key:</string> + </property> + <property name="wordWrap"> + <bool>false</bool> + </property> + <property name="buddy"> + <cstring>kurlTlsAuthKey</cstring> + </property> + </widget> + </item> + <item row="0" column="1"> + <widget class="KUrlRequester" name="kurlTlsAuthKey"/> + </item> + <item row="1" column="0"> + <widget class="QLabel" name="textLabel1"> + <property name="text"> + <string>Key Direction:</string> + </property> + <property name="wordWrap"> + <bool>false</bool> + </property> + <property name="buddy"> + <cstring>cboDirection</cstring> + </property> + </widget> + </item> + <item row="1" column="1"> + <widget class="QComboBox" name="cboDirection"> <item> - <widget class="KUrlRequester" name="kurlTlsAuthKey"/> + <property name="text"> + <string comment="like in None setting selected">None</string> + </property> </item> - </layout> - </item> - <item> - <layout class="QHBoxLayout" name="horizontalLayout_4"> <item> - <widget class="QLabel" name="textLabel1"> - <property name="text"> - <string>Key Direction:</string> - </property> - <property name="wordWrap"> - <bool>false</bool> - </property> - <property name="buddy"> - <cstring>cboDirection</cstring> - </property> - </widget> + <property name="text"> + <string>Server (0)</string> + </property> </item> <item> - <widget class="KComboBox" name="cboDirection"> - <item> - <property 
name="text"> - <string comment="like in None setting selected">None</string> - </property> - </item> - <item> - <property name="text"> - <string>Server (0)</string> - </property> - </item> - <item> - <property name="text"> - <string>Client (1)</string> - </property> - </item> - </widget> + <property name="text"> + <string>Client (1)</string> + </property> </item> - </layout> + </widget> + </item> + <item row="2" column="1"> + <spacer name="verticalSpacer"> + <property name="orientation"> + <enum>Qt::Vertical</enum> + </property> + <property name="sizeHint" stdset="0"> + <size> + <width>20</width> + <height>137</height> + </size> + </property> + </spacer> </item> </layout> </widget> </item> - <item> - <spacer name="verticalSpacer_7"> - <property name="orientation"> - <enum>Qt::Vertical</enum> - </property> - <property name="sizeHint" stdset="0"> - <size> - <width>20</width> - <height>0</height> - </size> - </property> - </spacer> - </item> </layout> </widget> <widget class="QWidget" name="proxyTab"> @@ -420,7 +450,7 @@ </widget> </item> <item row="0" column="1"> - <widget class="KComboBox" name="cmbProxyType"> + <widget class="QComboBox" name="cmbProxyType"> <property name="sizePolicy"> <sizepolicy hsizetype="Expanding" vsizetype="Fixed"> <horstretch>0</horstretch> @@ -453,7 +483,7 @@ <item row="1" column="0"> <widget class="QLabel" name="label_12"> <property name="text"> - <string>Ser&ver Address:</string> + <string>Server Address:</string> </property> <property name="buddy"> <cstring>proxyServerAddress</cstring> @@ -500,7 +530,7 @@ <item row="4" column="0"> <widget class="QLabel" name="label_14"> <property name="text"> - <string>Proxy Userna&me:</string> + <string>Proxy Username:</string> </property> <property name="buddy"> <cstring>proxyUsername</cstring> @@ -544,7 +574,7 @@ </widget> </item> <item> - <widget class="KComboBox" name="proxyPasswordStorage"> + <widget class="QComboBox" name="proxyPasswordStorage"> <item> <property name="text"> <string>Store</string> 
@@ -568,7 +598,7 @@ </widget> </widget> </item> - <item> + <item row="1" column="0"> <widget class="QDialogButtonBox" name="buttonBox"> <property name="standardButtons"> <set>QDialogButtonBox::Cancel|QDialogButtonBox::Ok</set> @@ -578,12 +608,7 @@ </layout> </widget> <customwidgets> - <customwidget> - <class>KComboBox</class> - <extends>QComboBox</extends> - <header>kcombobox.h</header> - </customwidget> - <customwidget> + <customwidget> <class>KUrlRequester</class> <extends>QWidget</extends> <header>kurlrequester.h</header> @@ -603,6 +628,8 @@ <tabstop>cboCipher</tabstop> <tabstop>cboHmac</tabstop> <tabstop>subjectMatch</tabstop> + <tabstop>chkRemoteCertTls</tabstop> + <tabstop>cmbRemoteCertTls</tabstop> <tabstop>useExtraTlsAuth</tabstop> <tabstop>kurlTlsAuthKey</tabstop> <tabstop>cboDirection</tabstop> @@ -611,9 +638,9 @@ <tabstop>sbProxyPort</tabstop> <tabstop>chkProxyRetry</tabstop> <tabstop>proxyUsername</tabstop> - <tabstop>chkProxyShowPassword</tabstop> <tabstop>proxyPassword</tabstop> <tabstop>proxyPasswordStorage</tabstop> + <tabstop>chkProxyShowPassword</tabstop> </tabstops> <resources/> <connections> @@ -633,5 +660,37 @@ </hint> </hints> </connection> + <connection> + <sender>chkRemoteCertTls</sender> + <signal>toggled(bool)</signal> + <receiver>cmbRemoteCertTls</receiver> + <slot>setEnabled(bool)</slot> + <hints> + <hint type="sourcelabel"> + <x>281</x> + <y>94</y> + </hint> + <hint type="destinationlabel"> + <x>414</x> + <y>127</y> + </hint> + </hints> + </connection> + <connection> + <sender>chkRemoteCertTls</sender> + <signal>toggled(bool)</signal> + <receiver>labelRemoteCertTls</receiver> + <slot>setEnabled(bool)</slot> + <hints> + <hint type="sourcelabel"> + <x>281</x> + <y>94</y> + </hint> + <hint type="destinationlabel"> + <x>148</x> + <y>127</y> + </hint> + </hints> + </connection> </connections> </ui> 
diff --git a/vpn/openvpn/openvpnadvancedwidget.cpp b/vpn/openvpn/openvpnadvancedwidget.cpp
index a88f93106b832920e4f7b2b9ea68ddf476f3b5d0..4ddbd7dab45843832d4414bd9fdae6cef181a192 100644
--- a/vpn/openvpn/openvpnadvancedwidget.cpp
+++ b/vpn/openvpn/openvpnadvancedwidget.cpp
@@ -211,6 +211,15 @@ void OpenVpnAdvancedWidget::loadConfig()
     if (dataMap.contains(NM_OPENVPN_KEY_TLS_REMOTE)) {
         m_ui->subjectMatch->setText(dataMap[NM_OPENVPN_KEY_TLS_REMOTE]);
     }
+
+    if (dataMap.contains(NM_OPENVPN_KEY_REMOTE_CERT_TLS)) {
+        const QString remoteCertTls = dataMap[NM_OPENVPN_KEY_REMOTE_CERT_TLS];
+        m_ui->chkRemoteCertTls->setChecked(true);
+        m_ui->labelRemoteCertTls->setEnabled(true);
+        m_ui->cmbRemoteCertTls->setEnabled(true);
+        m_ui->cmbRemoteCertTls->setCurrentIndex(remoteCertTls == QLatin1String("server") ? 0 : 1);
+    }
+
     m_ui->useExtraTlsAuth->setChecked(!dataMap[NM_OPENVPN_KEY_TA].isEmpty());
     m_ui->kurlTlsAuthKey->setUrl(QUrl::fromLocalFile(dataMap[NM_OPENVPN_KEY_TA]) );
     if (dataMap.contains(NM_OPENVPN_KEY_TA_DIR)) {
@@ -323,6 +332,11 @@ NetworkManager::VpnSetting::Ptr OpenVpnAdvancedWidget::setting() const
     if (!m_ui->subjectMatch->text().isEmpty()) {
         data.insert(QLatin1String(NM_OPENVPN_KEY_TLS_REMOTE), m_ui->subjectMatch->text());
     }
+
+    if (m_ui->chkRemoteCertTls->isChecked()) {
+        data.insert(QLatin1String(NM_OPENVPN_KEY_REMOTE_CERT_TLS), m_ui->cmbRemoteCertTls->currentText().toLower());
+    }
+
     if (m_ui->useExtraTlsAuth->isChecked()) {
         QUrl tlsAuthKeyUrl = m_ui->kurlTlsAuthKey->url();
         if (!tlsAuthKeyUrl.isEmpty()) {
-- 
2.1.3

++++++ 0001-Update-OpenConnect-support-for-library-version-5.patch ++++++
>From d26992b059208d3fff6df318fd56382fb10ddf3c Mon Sep 17 00:00:00 2001
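Review bot: In loadConfig the `remoteCertTls == QLatin1String("server") ? 0 : 1` mapping treats every value that is not exactly "server" as Client, so an empty or oddly-cased stored value ("Server", "") is shown as Client and written back as "client" on the next save; since a client profile practically always wants the server check, inverting the test so that only an explicit "client" selects index 1 is the safer fallback: `m_ui->cmbRemoteCertTls->setCurrentIndex(remoteCertTls == QLatin1String("client") ? 1 : 0);`. The two explicit `setEnabled(true)` calls on the label and combo also appear redundant with the toggled→setEnabled connections the same patch adds to openvpnadvanced.ui, since `setChecked(true)` fires toggled from the unchecked default; if they are kept deliberately (e.g. because setupUi ordering is not guaranteed), a one-line comment saying so would help. Both are minor; the rest of loadConfig lies outside the hunk.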
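Review bot: In setting() the value written for `remote-cert-tls` is derived from the combo box's displayed text, `m_ui->cmbRemoteCertTls->currentText().toLower()`, and the "Server"/"Client" entries in the .ui are ordinary translatable `<string>`s, so under a localized UI this emits e.g. "serveur" rather than the literal "server"/"client" that OpenVPN's `--remote-cert-tls` accepts. The likely outcome is that the service rejects or silently drops the argument and the connection runs without the verification the user just enabled, which is a silent security downgrade rather than a visible error. Key the value off the index instead, matching what loadConfig already does: `data.insert(QLatin1String(NM_OPENVPN_KEY_REMOTE_CERT_TLS), m_ui->cmbRemoteCertTls->currentIndex() == 0 ? QLatin1String("server") : QLatin1String("client"));`. The remainder of setting() is outside the hunk.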
From: David Woodhouse <[email protected]> Date: Wed, 3 Dec 2014 15:10:44 +0100 Subject: [PATCH 1/2] Update OpenConnect support for library version 5 String ownership rules are now very simple: the library never takes ownership of a string it's passed. It always takes its *own* copy and is responsible for freeing that. Mostly driven by Windows DLL Hell where it's painful to allocate in one library and free in another because they might actually be using different heaps. Also adapt to the changes in server certificate hash handling. We are no longer supposed to just compare strings, and must call the relevant function to check a hash against the server's certificate. This gives better matching and allows libopenconnect to upgrade the hash in future when it becomes necessary. (cherry picked from commit aa9c54b3a0d4eea528929fb78b12d45428c98d9f) Conflicts: vpn/openconnect/openconnectauth.cpp --- vpn/openconnect/CMakeLists.txt | 2 ++ vpn/openconnect/openconnectauth.cpp | 24 ++++++++++++------- vpn/openconnect/openconnectauthworkerthread.cpp | 31 +++++++++++++++++++++---- vpn/openconnect/openconnectauthworkerthread.h | 15 ++++++++++-- 4 files changed, 56 insertions(+), 16 deletions(-) diff --git a/vpn/openconnect/CMakeLists.txt b/vpn/openconnect/CMakeLists.txt index b19f1f9c4c26157d50dd19419c4950c559fd9891..0d82ea8da65d2bea61976d7421cc9a6018d1dc3a 100644 --- a/vpn/openconnect/CMakeLists.txt +++ b/vpn/openconnect/CMakeLists.txt @@ -26,6 +26,8 @@ if (OPENCONNECT_FOUND) if (${OPENCONNECT_VERSION} VERSION_GREATER ${MINIMUM_OPENCONNECT_VERSION_REQUIRED} OR ${OPENCONNECT_VERSION} VERSION_EQUAL ${MINIMUM_OPENCONNECT_VERSION_REQUIRED}) + include_directories(${OPENCONNECT_INCLUDE_DIRS}) + set(openconnect_SRCS openconnectui.cpp openconnectwidget.cpp diff --git a/vpn/openconnect/openconnectauth.cpp b/vpn/openconnect/openconnectauth.cpp index dd737b6f7da7d23d5115ac5201e772c9b32fa17d..c155cd1bc2099623337d1cff12bde10fc7b431bd 100644 --- a/vpn/openconnect/openconnectauth.cpp 
+++ b/vpn/openconnect/openconnectauth.cpp @@ -165,7 +165,7 @@ void OpenconnectAuthWidget::readConfig() } if (!dataMap[NM_OPENCONNECT_KEY_CACERT].isEmpty()) { const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_CACERT]); - openconnect_set_cafile(d->vpninfo, strdup(crt.data())); + openconnect_set_cafile(d->vpninfo, OC3DUP(crt.data())); } if (dataMap[NM_OPENCONNECT_KEY_CSD_ENABLE] == "yes") { char *wrapper; @@ -178,12 +178,12 @@ void OpenconnectAuthWidget::readConfig() } if (!dataMap[NM_OPENCONNECT_KEY_PROXY].isEmpty()) { const QByteArray proxy = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PROXY]); - openconnect_set_http_proxy(d->vpninfo, strdup(proxy.data())); + openconnect_set_http_proxy(d->vpninfo, OC3DUP(proxy.data())); } if (!dataMap[NM_OPENCONNECT_KEY_USERCERT].isEmpty()) { const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_USERCERT]); const QByteArray key = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PRIVKEY]); - openconnect_set_client_cert (d->vpninfo, strdup(crt.data()), strdup(key.data())); + openconnect_set_client_cert (d->vpninfo, OC3DUP(crt.data()), OC3DUP(key.data())); if (!crt.isEmpty() && dataMap[NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID] == "yes") { openconnect_passphrase_from_fsid(d->vpninfo); 
@@ -280,10 +280,10 @@ void OpenconnectAuthWidget::connectHost() const VPNHost &host = d->hosts.at(i); if (openconnect_parse_url(d->vpninfo, host.address.toAscii().data())) { qWarning() << "Failed to parse server URL" << host.address; - openconnect_set_hostname(d->vpninfo, strdup(host.address.toAscii().data())); + openconnect_set_hostname(d->vpninfo, OC3DUP(host.address.toAscii().data())); } if (!openconnect_get_urlpath(d->vpninfo) && !host.group.isEmpty()) - openconnect_set_urlpath(d->vpninfo, strdup(host.group.toAscii().data())); + openconnect_set_urlpath(d->vpninfo, OC3DUP(host.group.toAscii().data())); d->secrets["lasthost"] = host.name; addFormInfo(QLatin1String("dialog-information"), i18n("Contacting host, please wait...")); d->worker->start(); @@ -305,9 +305,13 @@ QVariantMap OpenconnectAuthWidget::setting(bool agentOwned) const secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_COOKIE), QLatin1String(openconnect_get_cookie(d->vpninfo))); openconnect_clear_cookie(d->vpninfo); +#if OPENCONNECT_CHECK_VER(5,0) + const char *fingerprint = openconnect_get_peer_cert_hash(d->vpninfo); +#else OPENCONNECT_X509 *cert = openconnect_get_peer_cert(d->vpninfo); char fingerprint[41]; openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint); +#endif secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint)); secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t")); secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no"); 
@@ -581,14 +585,16 @@ void OpenconnectAuthWidget::formLoginClicked() const QString key = QString("form:%1:%2").arg(QLatin1String(form->auth_id)).arg(QLatin1String(opt->name)); if (opt->type == OC_FORM_OPT_PASSWORD || opt->type == OC_FORM_OPT_TEXT) { QLineEdit *le = qobject_cast<QLineEdit*>(widget); - opt->value = qstrdup(le->text().toUtf8().constData()); - if (opt->type == OC_FORM_OPT_PASSWORD) { + QByteArray text = le->text().toUtf8(); + openconnect_set_option_value(opt, text.data()); + if (opt->type == OC_FORM_OPT_TEXT) { d->secrets.insert(key,le->text()); } } else if (opt->type == OC_FORM_OPT_SELECT) { QComboBox *cbo = qobject_cast<QComboBox*>(widget); - opt->value = qstrdup(cbo->currentData().toString().toUtf8().constData()); - d->secrets.insert(key, cbo->currentData().toString()); + QByteArray text = cbo->itemData(cbo->currentIndex()).toString().toAscii(); + openconnect_set_option_value(opt, text.data()); + d->secrets.insert(key,cbo->itemData(cbo->currentIndex()).toString()); } } } diff --git a/vpn/openconnect/openconnectauthworkerthread.cpp b/vpn/openconnect/openconnectauthworkerthread.cpp index cf130dad4fe3271b7771e3ad9aefae3297ad99e3..63ff2378726effd4f546fc3626fcbfc7697f2d18 100644 --- a/vpn/openconnect/openconnectauthworkerthread.cpp +++ b/vpn/openconnect/openconnectauthworkerthread.cpp @@ -43,6 +43,20 @@ extern "C" class OpenconnectAuthStaticWrapper { public: +#if OPENCONNECT_CHECK_VER(5,0) + static int writeNewConfig(void *obj, const char *str, int num) + { + if (obj) + return static_cast<OpenconnectAuthWorkerThread*>(obj)->writeNewConfig(str, num); + return -1; + } + static int validatePeerCert(void *obj, const char *str) + { + if (obj) + return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(NULL, str); + return -1; + } +#else static int writeNewConfig(void *obj, char *str, int num) { if (obj) 
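Review bot: The condition guarding `d->secrets.insert(key, le->text())` flips from `OC_FORM_OPT_PASSWORD` to `OC_FORM_OPT_TEXT`, which changes what gets persisted: passwords entered in auth forms are no longer stored while plain text fields (typically the username) now are. That is a sensible direction, but it is a security-relevant behaviour change that neither the commit message nor the code explains, so a reader could easily "fix" it back; I would add `// Persist only non-secret text fields (e.g. username); passwords are never written to the secrets map.` above the `if`. Two smaller points: the password now also sits in a local `QByteArray text` that is neither cleared nor scrubbed before it goes out of scope (the previous `qstrdup` copy had the same property, so this is not a regression), and select values use `toAscii()` while text fields use `toUtf8()`, which would mangle a non-ASCII option value from the server. formLoginClicked begins before this hunk.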
@@ -55,7 +69,8 @@ public: return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(cert, str); return -1; } - static int processAuthForm(void *obj, struct oc_auth_form *form) +#endif + static int processAuthForm(void *obj, struct oc_auth_form *form) { if (obj) return static_cast<OpenconnectAuthWorkerThread*>(obj)->processAuthFormP(form); @@ -108,7 +123,7 @@ struct openconnect_info* OpenconnectAuthWorkerThread::getOpenconnectInfo() return m_openconnectInfo; } -int OpenconnectAuthWorkerThread::writeNewConfig(char *buf, int buflen) +int OpenconnectAuthWorkerThread::writeNewConfig(const char *buf, int buflen) { Q_UNUSED(buflen) if (*m_userDecidedToQuit) @@ -139,10 +154,16 @@ static char *openconnect_get_cert_details(struct openconnect_info *vpninfo, } #endif -int OpenconnectAuthWorkerThread::validatePeerCert(OPENCONNECT_X509 *cert, const char *reason) +int OpenconnectAuthWorkerThread::validatePeerCert(void *cert, const char *reason) { if (*m_userDecidedToQuit) return -EINVAL; + +#if OPENCONNECT_CHECK_VER(5,0) + (void)cert; + const char *fingerprint = openconnect_get_peer_cert_hash(m_openconnectInfo); + char *details = openconnect_get_peer_cert_details(m_openconnectInfo); +#else char fingerprint[41]; int ret = 0; @@ -151,7 +172,7 @@ int OpenconnectAuthWorkerThread::validatePeerCert(OPENCONNECT_X509 *cert, const return ret; char *details = openconnect_get_cert_details(m_openconnectInfo, cert); - +#endif bool accepted = false; m_mutex->lock(); QString qFingerprint(fingerprint); @@ -160,7 +181,7 @@ int OpenconnectAuthWorkerThread::validatePeerCert(OPENCONNECT_X509 *cert, const emit validatePeerCert(qFingerprint, qCertinfo, qReason, &accepted); m_waitForUserInput->wait(m_mutex); m_mutex->unlock(); - ::free(details); + openconnect_free_cert_info(m_openconnectInfo, details); if (*m_userDecidedToQuit) return -EINVAL; 
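Review bot: In the `OPENCONNECT_CHECK_VER(5,0)` branch of validatePeerCert, `fingerprint` and `details` come straight from `openconnect_get_peer_cert_hash()` / `openconnect_get_peer_cert_details()` with no failure check, whereas the older branch it replaces returns early when `openconnect_get_cert_sha1` fails. If either call can yield NULL at this point (the hunk does not show the library's guarantee), the user would be asked to accept a certificate with an empty fingerprint, and accepting it would pin an empty string for that host in the widget's secrets. A guard before building the QStrings keeps the old failure semantics: `if (!fingerprint) return -EINVAL;`. The body of validatePeerCert continues past the end of this hunk.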
diff --git a/vpn/openconnect/openconnectauthworkerthread.h b/vpn/openconnect/openconnectauthworkerthread.h index f6992c2616a240ee0f75f9d0049ffaa30e7b0e92..455b685cd18a6d3083ee9a406ab198ba6212e094 100644 --- a/vpn/openconnect/openconnectauthworkerthread.h +++ b/vpn/openconnect/openconnectauthworkerthread.h @@ -59,6 +59,17 @@ struct x509_st; #define OC_FORM_RESULT_NEWGROUP 2 #endif +#if OPENCONNECT_CHECK_VER(4,0) +#define OC3DUP(x) (x) +#else +#define openconnect_set_option_value(opt, val) do { \ + struct oc_form_opt *_o = (opt); \ + free(_o->value); _o->value = strdup(val); \ + } while (0) +#define openconnect_free_cert_info(v, x) ::free(x) +#define OC3DUP(x) strdup(x) +#endif + #include <QThread> class QMutex; @@ -85,8 +96,8 @@ protected: void run(); private: - int writeNewConfig(char *, int); - int validatePeerCert(OPENCONNECT_X509 *, const char *); + int writeNewConfig(const char *, int); + int validatePeerCert(void *, const char *); int processAuthFormP(struct oc_auth_form *); void writeProgress(int level, const char *, va_list); -- 2.2.0 ++++++ 0002-Update-OpenConnect-storage-of-manually-accepted-serv.patch ++++++ >From 06000699c71de9dc1e3bee7cf1418686f1f01fad Mon Sep 17 00:00:00 2001 From: David Woodhouse <[email protected]> Date: Wed, 3 Dec 2014 15:13:22 +0100 Subject: [PATCH 2/2] Update OpenConnect storage of manually-accepted server certs We shouldn't just be storing the certificate hash; we should remember *which* host/port it was accepted for, and only accept it for *that* service. This matches the change in NetworkManager-openconnect 2dc45e25. (cherry picked from commit 2d428c2548facf3d58fbd3d5a7c3790548823266) --- vpn/openconnect/openconnectauth.cpp | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/vpn/openconnect/openconnectauth.cpp b/vpn/openconnect/openconnectauth.cpp index c155cd1bc2099623337d1cff12bde10fc7b431bd..fbb1a87a7a7c958bf4b8e6113bec23bfca4241cd 100644 --- a/vpn/openconnect/openconnectauth.cpp 
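Review bot: The compatibility shims added to openconnectauthworkerthread.h (`OC3DUP`, the `openconnect_set_option_value` and `openconnect_free_cert_info` macros) have no comment explaining the ownership rule they paper over, which is the whole point of the patch and the first thing the next maintainer will need when they consider deleting the `#else` branch. I would put a short header comment above the `#if OPENCONNECT_CHECK_VER(4,0)`, roughly: before API 4.0 the library took ownership of strings passed to it, so callers had to `strdup` (OC3DUP) and replace form option values by hand; from 4.0 the library copies and frees its own strings, so OC3DUP is the identity. Two cautions worth noting in that comment: the fallback macros shadow real library function names, so they must never be defined on a build where the library provides them, and they rely on `free`/`strdup` being in scope via whatever this header includes before `<QThread>`, which the hunk does not show.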
+++ b/vpn/openconnect/openconnectauth.cpp @@ -70,7 +70,6 @@ public: Ui_OpenconnectAuth ui; NetworkManager::VpnSetting::Ptr setting; struct openconnect_info *vpninfo; - QStringList certificateFingerprints; NMStringMap secrets; QMutex mutex; QWaitCondition workerWaiting; @@ -197,10 +196,6 @@ void OpenconnectAuthWidget::readSecrets() d->secrets = d->setting->secrets(); - if (!d->secrets[NM_OPENCONNECT_KEY_GWCERT].isEmpty()) { - d->certificateFingerprints.append(d->secrets[NM_OPENCONNECT_KEY_GWCERT]); - } - if (!d->secrets["xmlconfig"].isEmpty()) { const QByteArray config = QByteArray::fromBase64(d->secrets["xmlconfig"].toAscii()); @@ -240,11 +235,6 @@ void OpenconnectAuthWidget::readSecrets() d->ui.chkAutoconnect->setChecked(true); QTimer::singleShot(0, this, SLOT(connectHost())); } - - if (!d->secrets["certsigs"].isEmpty()) { - d->certificateFingerprints.append(d->secrets["certsigs"].split('\t')); - } - d->certificateFingerprints.removeDuplicates(); } void OpenconnectAuthWidget::acceptDialog() @@ -313,7 +303,6 @@ QVariantMap OpenconnectAuthWidget::setting(bool agentOwned) const openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint); #endif secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint)); - secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t")); secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no"); NMStringMap::iterator i = secrets.begin(); 
@@ -491,7 +480,16 @@ void OpenconnectAuthWidget::validatePeerCert(const QString &fingerprint, { Q_D(OpenconnectAuthWidget); - if (!d->certificateFingerprints.contains(fingerprint)) { + const QString host = QLatin1String(openconnect_get_hostname(d->vpninfo)); + const QString port = QString::number(openconnect_get_port(d->vpninfo)); + const QString key = QString("certificate:%1:%2").arg(host, port); + const QString value = d->secrets.value(key); + +#if !OPENCONNECT_CHECK_VER(5,0) +#define openconnect_check_peer_cert_hash(v,d) strcmp(d, fingerprint.toUtf8().data()) +#endif + + if (openconnect_check_peer_cert_hash(d->vpninfo, value.toUtf8().data())) { QWidget *widget = new QWidget(); QVBoxLayout *verticalLayout; QHBoxLayout *horizontalLayout; @@ -541,7 +539,6 @@ void OpenconnectAuthWidget::validatePeerCert(const QString &fingerprint, dialog->layout()->addWidget(buttons); if(dialog.data()->exec() == QDialog::Accepted) { - d->certificateFingerprints.append(fingerprint); *accepted = true; } else { *accepted = false; @@ -553,6 +550,8 @@ void OpenconnectAuthWidget::validatePeerCert(const QString &fingerprint, } else { *accepted = true; } + if (*accepted) + d->secrets.insert(key, QString(fingerprint)); d->mutex.lock(); d->workerWaiting.wakeAll(); d->mutex.unlock(); -- 2.2.0 -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
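Review bot: The fallback `#define openconnect_check_peer_cert_hash(v,d) strcmp(d, fingerprint.toUtf8().data())` is defined inside the body of validatePeerCert, binds the local `fingerprint` parameter by name, and is never `#undef`'d, so on pre-5.0 builds it stays in effect for the rest of the translation unit and any later use would silently expand to a reference to a variable that does not exist there. Add `#undef openconnect_check_peer_cert_hash` directly after the `if (...) {` line (inside the same `#if !OPENCONNECT_CHECK_VER(5,0)` guard) or move the shim to the compatibility block in openconnectauthworkerthread.h with the expected hash as an explicit argument. Note also that `value.toUtf8().data()` points into a temporary, which is fine here only because it is consumed within the same full expression; a comment to that effect would stop someone hoisting it into a local `const char *`. The function continues beyond this hunk.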
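Review bot: `if (*accepted) d->secrets.insert(key, QString(fingerprint));` overwrites an already-pinned hash for this host:port whenever the user clicks through the dialog, and nothing in the new code distinguishes "first time this host is seen" from "the certificate differs from the one pinned earlier", which is precisely the man-in-the-middle signal the per-host pinning was added to provide. `value.isEmpty()` already tells the two cases apart; I would pass that into the dialog (its text is built outside the hunk) so a changed certificate gets a distinctly stronger warning, and at minimum emit `qWarning() << "Peer certificate for" << host << "changed from" << value << "to" << fingerprint;` before the insert when `value` is non-empty and differs. Re-inserting the same hash on the match path is harmless.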
