From eacb9678bfe61867c8b0f378650c9964940c3a32 Mon Sep 17 00:00:00 2001
From: Douglas Kosovic
Date: Thu, 27 Feb 2020 08:46:42 +1000
Subject: [PATCH] Patch for user certificate support fix

---
 NetworkManager-l2tp-1.8.0-usercert.patch | 121 +++++++++++++++++++++++
 NetworkManager-l2tp.spec | 9 +-
 2 files changed, 128 insertions(+), 2 deletions(-)
 create mode 100644 NetworkManager-l2tp-1.8.0-usercert.patch

diff --git a/NetworkManager-l2tp-1.8.0-usercert.patch b/NetworkManager-l2tp-1.8.0-usercert.patch
new file mode 100644
index 0000000..4fd5f21
--- /dev/null
+++ b/NetworkManager-l2tp-1.8.0-usercert.patch
@@ -0,0 +1,121 @@
+diff --git a/src/nm-l2tp-service.c b/src/nm-l2tp-service.c
+index 660bbe0..5ca8617 100644
+--- a/src/nm-l2tp-service.c
++++ b/src/nm-l2tp-service.c
+@@ -1117,13 +1117,16 @@ nm_l2tp_config_write (NML2tpPlugin *plugin,
+ return FALSE;
+ }
+ if (tls_need_password)
+- value = nm_setting_vpn_get_secret (s_vpn, NM_L2TP_KEY_MACHINE_CERTPASS);
++ value = nm_setting_vpn_get_secret (s_vpn, NM_L2TP_KEY_USER_CERTPASS);
+ else
+ value = NULL;
+ 
+ tls_key_out_filename = g_strdup_printf ("%s/key.pem", rundir);
+ tls_cert_out_filename = g_strdup_printf ("%s/cert.pem", rundir);
+- tls_ca_out_filename = g_strdup_printf ("%s/ca.pem", rundir);;
++ tls_ca_out_filename = g_strdup_printf ("%s/ca.pem", rundir);
++ unlink (tls_key_out_filename);
++ unlink (tls_cert_out_filename);
++ unlink (tls_ca_out_filename);
+ if (tls_key_fileformat == NM_L2TP_CRYPTO_FILE_FORMAT_PKCS12) {
+ crypto_pkcs12_to_pem_files (tls_cert_filename,
+ value,
+@@ -1198,20 +1201,29 @@ nm_l2tp_config_write (NML2tpPlugin *plugin,
+ }
+ 
+ write_config_option (fd, "need-peer-eap\n");
+- if (tls_key_out_filename)
+- write_config_option (fd, "key \"%s\"\n", tls_key_out_filename);
+- else
++ if (tls_key_out_filename) {
++ if (g_file_test (tls_key_out_filename, G_FILE_TEST_EXISTS)) {
++ write_config_option (fd, "key \"%s\"\n", tls_key_out_filename);
++ }
++ } else {
+ write_config_option (fd, "key \"%s\"\n", tls_key_filename);
++ }
+ 
+- if (tls_cert_out_filename)
+- write_config_option (fd, "cert \"%s\"\n", tls_cert_out_filename);
+- else
++ if (tls_cert_out_filename) {
++ if (g_file_test (tls_cert_out_filename, G_FILE_TEST_EXISTS)) {
++ write_config_option (fd, "cert \"%s\"\n", tls_cert_out_filename);
++ }
++ } else {
+ write_config_option (fd, "cert \"%s\"\n", tls_cert_filename);
++ }
+ 
+- if (tls_ca_out_filename)
+- write_config_option (fd, "ca \"%s\"\n", tls_ca_filename);
+- else if (tls_ca_filename)
++ if (tls_ca_out_filename) {
++ if (g_file_test (tls_ca_out_filename, G_FILE_TEST_EXISTS)) {
++ write_config_option (fd, "ca \"%s\"\n", tls_ca_out_filename);
++ }
++ } else if (tls_ca_filename) {
+ write_config_option (fd, "ca \"%s\"\n", tls_ca_filename);
++ }
+ } else {
+ /* Username; try L2TP specific username first, then generic username */
+ value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_USER);
+@@ -1529,8 +1541,10 @@ handle_need_secrets (NMDBusL2tpPpp *object,
+ NML2tpPlugin *self = NM_L2TP_PLUGIN (user_data);
+ NML2tpPluginPrivate *priv = NM_L2TP_PLUGIN_GET_PRIVATE (self);
+ NMSettingVpn *s_vpn;
++ NML2tpCryptoFileFormat tls_key_fileformat;
+ const char *user, *password, *domain, *auth_type, *tls_key_filename;
+ gchar *username;
++ gchar *key_filename;
+ gboolean tls_need_password = FALSE;
+ 
+ remove_timeout_handler (NM_L2TP_PLUGIN (user_data));
+@@ -1541,20 +1555,36 @@ handle_need_secrets (NMDBusL2tpPpp *object,
+ auth_type = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_USER_AUTH_TYPE);
+ if (nm_streq0 (auth_type, NM_L2TP_AUTHTYPE_TLS)) {
+ tls_key_filename = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_USER_KEY);
+- crypto_file_format (tls_key_filename, &tls_need_password, NULL);
++ tls_key_fileformat = crypto_file_format (tls_key_filename, &tls_need_password, NULL);
++
++ switch (tls_key_fileformat) {
++ case NM_L2TP_CRYPTO_FILE_FORMAT_PKCS12 :
++ case NM_L2TP_CRYPTO_FILE_FORMAT_PKCS8_DER :
++ case NM_L2TP_CRYPTO_FILE_FORMAT_RSA_PKEY_DER :
++ case NM_L2TP_CRYPTO_FILE_FORMAT_DSA_PKEY_DER :
++ case NM_L2TP_CRYPTO_FILE_FORMAT_ECDSA_PKEY_DER :
++ key_filename = g_strdup_printf (RUNSTATEDIR"/nm-l2tp-%s/key.pem", priv->uuid);
++ break;
+ 
+- if (!tls_need_password)
+- return FALSE;
++ default :
++ key_filename = g_strdup (tls_key_filename);
++ }
+ 
+- password = nm_setting_vpn_get_secret (s_vpn, NM_L2TP_KEY_USER_CERTPASS);
+- if (!password || !strlen (password)) {
+- g_dbus_method_invocation_return_error_literal (invocation,
+- NM_VPN_PLUGIN_ERROR,
+- NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
+- _("Missing or invalid VPN user certificate password."));
+- return FALSE;;
++ if (!tls_need_password) {
++ nmdbus_l2tp_ppp_complete_need_secrets (object, invocation, key_filename, "");
++ } else {
++ password = nm_setting_vpn_get_secret (s_vpn, NM_L2TP_KEY_USER_CERTPASS);
++ if (!password || !strlen (password)) {
++ g_dbus_method_invocation_return_error_literal (invocation,
++ NM_VPN_PLUGIN_ERROR,
++ NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
++ _("Missing or invalid VPN user certificate password."));
++ g_free (key_filename);
++ return FALSE;;
++ }
++ nmdbus_l2tp_ppp_complete_need_secrets (object, invocation, key_filename, password);
+ }
+- nmdbus_l2tp_ppp_complete_need_secrets (object, invocation, tls_key_filename, password);
++ g_free (key_filename);
+ 
+ } else {
+ /* Username; try L2TP specific username first, then generic username */
diff --git a/NetworkManager-l2tp.spec b/NetworkManager-l2tp.spec
index 62b85fc..46fed91 100644
--- a/NetworkManager-l2tp.spec
+++ b/NetworkManager-l2tp.spec
@@ -7,11 +7,12 @@ Summary: NetworkManager VPN plugin for L2TP and L2TP/IPsec
 Name: NetworkManager-l2tp
 Version: 1.8.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 URL: https://github.com/nm-l2tp/NetworkManager-l2tp
 Source: https://github.com/nm-l2tp/NetworkManager-l2tp/releases/download/%{version}/%{name}-%{version}.tar.xz
 Patch1: NetworkManager-l2tp-1.8.0-libreswan-3.30.patch
+Patch2: NetworkManager-l2tp-1.8.0-usercert.patch
 %global ppp_version %(sed -n 's/^#define\\s*VERSION\\s*"\\([^\\s]*\\)"$/\\1/p' %{_includedir}/pppd/patchlevel.h 2>/dev/null | grep . || echo bad)
@@ -56,6 +57,7 @@ IPsec VPN support with the NetworkManager (GNOME files).
 %prep
 %setup -q
 %patch1 -p1 -b .modp1024
+%patch2 -p1 -b .usercert
 %build
 if [ ! -f configure ]; then
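Review bot: The new `g_file_test (..., G_FILE_TEST_EXISTS)` guards in nm_l2tp_config_write silently omit the `key`, `cert` or `ca` option when the PEM conversion did not produce the file, so a failed PKCS#12/DER conversion (for example a wrong certificate password) is not reported here and instead surfaces later as an opaque pppd failure; the visible lines do not check the result of `crypto_pkcs12_to_pem_files`, so if it returns a status, returning FALSE with an error there would be clearer than probing the filesystem afterwards (the function starts and ends outside the hunk, so this may be handled below). The path built in handle_need_secrets, `RUNSTATEDIR"/nm-l2tp-%s/key.pem"`, duplicates whatever `rundir` resolves to in nm_l2tp_config_write; a shared helper returning the run directory for `priv->uuid` would keep the two from drifting apart. Since the decrypted private key is now written to that run directory as `key.pem` and the hunk does not show how the directory is created, confirm it is created owner-only (0700) before relying on this path. Minor: the re-added `return FALSE;;` keeps the stray double semicolon from the removed line.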
@@ -115,7 +117,10 @@ exit 0
 %endif
 %changelog
-* Wed Feb 26 2020 Douglas Kosovic - 1.8.0-1
+* Thu Feb 27 2020 Douglas Kosovic - 1.8.0-5
+- Patch for user certificate support fix
+
+* Wed Feb 26 2020 Douglas Kosovic - 1.8.0-4
 - Patch to support libreswan 3.30 which is no longer built with modp1024 support
 * Sat Feb 22 2020 Adam Williamson - 1.8.0-3