Hi Beniamino et al,

networkmanager-openvpn doesn't currently handle <tls-auth> blobs correctly. 
I've modified networkmanager-openvpn to support this functionality and fixed 
two minor bugs in the process. I'd be thrilled if you could comment on the 
patch.

a presto,
Matthias
From b78c8887fe4b69a30404ce7dbef0b866743b12f5 Mon Sep 17 00:00:00 2001
From: Matthias Berndt <[email protected]>
Date: Fri, 22 Jan 2016 00:54:59 +0100
Subject: [PATCH] handle tls-auth blobs correctly

---
 properties/import-export.c | 45 +++++++++++++++++++++++++++++++++++++--------
 1 file changed, 37 insertions(+), 8 deletions(-)

diff --git a/properties/import-export.c b/properties/import-export.c
index d624b52..cbc8952 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -105,6 +105,9 @@
 #define RPORT_TAG "rport "
 #define SECRET_TAG "secret "
 #define TLS_AUTH_TAG "tls-auth "
+#define TLS_AUTH_BLOB_START_TAG "<tls-auth>"
+#define TLS_AUTH_BLOB_END_TAG "</tls-auth>"
+#define KEY_DIRECTION_TAG "key-direction "
 #define TLS_CLIENT_TAG "tls-client"
 #define TLS_REMOTE_TAG "tls-remote "
 #define REMOTE_CERT_TLS_TAG "remote-cert-tls "
@@ -192,21 +195,28 @@ handle_path_item (const char *line,
 	return TRUE;
 }
 
+static void
+handle_direction (const char *tag, const char *key, char *leftover, NMSettingVpn *s_vpn);
+
 #define CERT_BEGIN  "-----BEGIN CERTIFICATE-----"
 #define CERT_END    "-----END CERTIFICATE-----"
 #define PRIV_KEY_BEGIN  "-----BEGIN PRIVATE KEY-----"
 #define PRIV_KEY_END    "-----END PRIVATE KEY-----"
 #define RSA_PRIV_KEY_BEGIN  "-----BEGIN RSA PRIVATE KEY-----"
 #define RSA_PRIV_KEY_END    "-----END RSA PRIVATE KEY-----"
+#define STATIC_KEY_BEGIN    "-----BEGIN OpenVPN Static key V1-----"
+#define STATIC_KEY_END    "-----END OpenVPN Static key V1-----"
 
 static gboolean
 handle_blob_item (const char ***line,
                   const char *key,
                   NMSettingVpn *s_vpn,
                   const char *name,
-                  GError **error)
+                  GError **error,
+                  char *last_seen_key_direction)
 {
 	gboolean success = FALSE;
+	const char *key_direction_tag = NULL;
 	const char *blob_mark_start, *blob_mark_end;
 	const char *blob_mark_start2 = NULL, *blob_mark_end2 = NULL;
 	const char *start_tag, *end_tag;
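Review bot: The new `last_seen_key_direction` parameter is only forwarded to handle_direction and never written through in handle_blob_item, so it should be `const char *last_seen_key_direction`, with the forward declaration above taking `const char *leftover` to match. The position of the new argument also breaks the GLib convention that `GError **error` is the last parameter; placing it before `error` keeps the signature conventional for future callers. A one-line comment on the forward declaration, e.g. `/* defined below; parses the key-direction value in leftover and stores it under key */`, would tell a reader why a prototype is needed here — hedged, since handle_direction's definition is not in the hunk. handle_blob_item's body continues past the hunk.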
@@ -222,7 +232,7 @@ handle_blob_item (const char ***line,
 			p++; \
 			if (!*p) \
 				goto finish; \
-		} while (!*p[0]); \
+		} while (*p[0] == '\0' || *p[0] == '#' || *p[0] == ';'); \
 	} G_STMT_END
 
 	if (!strcmp (key, NM_OPENVPN_KEY_CA)) {
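Review bot: The widened NEXT_LINE condition now skips `#` and `;` lines anywhere in a blob without saying why, and the motivation is not obvious from the static-key branch added later in the diff. A comment on the `while` line such as `/* skip blank and comment lines; openvpn --genkey emits '#' header lines before the static key's BEGIN marker */` records the reason; the `;` form is the other OpenVPN config comment prefix. The check looks only at column 0, so an indented comment line inside an inline block is still treated as data, which is consistent with how the other tags in this file are matched. The enclosing macro and function start before the hunk.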
@@ -235,6 +245,12 @@ handle_blob_item (const char ***line,
 		end_tag = CERT_BLOB_END_TAG;
 		blob_mark_start = CERT_BEGIN;
 		blob_mark_end = CERT_END;
+	} else if (!strcmp (key, NM_OPENVPN_KEY_TA)) {
+		start_tag = TLS_AUTH_BLOB_START_TAG;
+		end_tag = TLS_AUTH_BLOB_END_TAG;
+		blob_mark_start = STATIC_KEY_BEGIN;
+		blob_mark_end = STATIC_KEY_END;
+		key_direction_tag = "tls-auth";
 	} else if (!strcmp (key, NM_OPENVPN_KEY_KEY)) {
 		start_tag = KEY_BLOB_START_TAG;
 		end_tag = KEY_BLOB_END_TAG;
@@ -244,10 +260,10 @@ handle_blob_item (const char ***line,
 		blob_mark_end2 = RSA_PRIV_KEY_END;
 	} else
 		g_return_val_if_reached (FALSE);
-
 	p = *line;
 	if (strncmp (*p, start_tag, strlen (start_tag)))
 		goto finish;
+
 	NEXT_LINE;
 
 	if (blob_mark_start2 && !strcmp (*p, blob_mark_start2)) {
@@ -292,14 +308,19 @@ handle_blob_item (const char ***line,
 		goto finish;
 
 	nm_setting_vpn_add_data_item (s_vpn, key, path);
-
+	if (key_direction_tag)
+		handle_direction(key_direction_tag,
+		                 NM_OPENVPN_KEY_TA_DIR,
+		                 last_seen_key_direction,
+		                 s_vpn);
 finish:
-	line = &p;
+	*line = p;
 	g_free (filename);
 	g_free (dirname);
 	g_free (path);
 	if (in_file)
 		g_string_free (in_file, TRUE);
+
 	return success;
 
 }
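Review bot: handle_direction is invoked with whatever `key-direction` directive preceded the `<tls-auth>` block, so a config that places `key-direction` after the block (which OpenVPN accepts) arrives here with `last_seen_key_direction == NULL`, and the stored direction is silently lost or, depending on handle_direction's handling of a NULL `leftover` which is not visible here, dereferenced. The same ordering assumption is made where the value is captured in do_import (`last_seen_key_direction = *line + strlen(KEY_DIRECTION_TAG);`). A more robust shape is to record only that a `<tls-auth>` blob was imported here and apply the direction once in do_import after the line loop, when the whole file has been scanned; at minimum guard the call with `if (key_direction_tag && last_seen_key_direction)` and document the ordering limitation. The `*line = p` correction is a genuine fix of the old no-op `line = &p`.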
@@ -507,6 +528,7 @@ do_import (const char *path, const char *contents, GError **error)
 	char *new_contents = NULL;
 	gboolean http_proxy = FALSE, socks_proxy = FALSE, proxy_set = FALSE;
 	int nitems;
+	char *last_seen_key_direction = NULL;
 
 	connection = nm_simple_connection_new ();
 	s_con = NM_SETTING_CONNECTION (nm_setting_connection_new ());
@@ -578,6 +600,10 @@ do_import (const char *path, const char *contents, GError **error)
 			continue;
 		}
 
+		if (!strncmp(*line, KEY_DIRECTION_TAG, strlen (KEY_DIRECTION_TAG))) {
+			last_seen_key_direction = *line + strlen(KEY_DIRECTION_TAG);
+		}
+
 		if (!strncmp (*line, DEV_TAG, strlen (DEV_TAG))) {
 			items = get_args (*line + strlen (DEV_TAG), &nitems);
 			if (nitems == 1) {
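Review bot: The captured `key-direction` value is the raw remainder of the line, including any trailing whitespace or inline comment, whereas the neighbouring `dev` handling below runs the remainder through `get_args (...)` and checks `nitems`. Unless handle_direction normalises and validates its `leftover` argument (its body is outside this diff), an unexpected value ends up stored under NM_OPENVPN_KEY_TA_DIR; parsing it here the same way as the other directives, e.g. `items = get_args (*line + strlen (KEY_DIRECTION_TAG), &nitems);` and keeping `items[0]` only when `nitems == 1`, would make the two paths consistent. The matched line also falls through to the remaining tag checks instead of `continue`; harmless today since no other tag matches `key-direction`, but worth a `continue` for clarity. The enclosing line loop in do_import starts before the hunk.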
@@ -859,13 +885,16 @@ do_import (const char *path, const char *contents, GError **error)
 		if (handle_path_item (*line, KEY_TAG, NM_OPENVPN_KEY_KEY, s_vpn, default_path, NULL))
 			continue;
 
-		if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_CA, s_vpn, basename, NULL))
+		if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_CA, s_vpn, basename, NULL, last_seen_key_direction))
+			continue;
+
+		if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_CERT, s_vpn, basename, NULL, last_seen_key_direction))
 			continue;
 
-		if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_CERT, s_vpn, basename, NULL))
+		if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_KEY, s_vpn, basename, NULL, last_seen_key_direction))
 			continue;
 
-		if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_KEY, s_vpn, basename, NULL))
+		if (handle_blob_item ((const char ***)&line, NM_OPENVPN_KEY_TA, s_vpn, basename, NULL, last_seen_key_direction))
 			continue;
 
 		if (handle_path_item (*line, SECRET_TAG, NM_OPENVPN_KEY_STATIC_KEY,
-- 
2.5.0
