cs10
imports/cs10/NetworkManager-libreswan-1.2.24-2.el10
parent
ad3ae5c1ea
commit
837849db16
@ -1 +1 @@
|
||||
7f62450f66f2a21789fd6cfebbf3355ae99553ea SOURCES/NetworkManager-libreswan-1.2.22.tar.xz
|
||||
b18b3e3cad755c612e576829aabc8303c8950071 SOURCES/NetworkManager-libreswan-1.2.24.tar.xz
|
||||
|
@ -1 +1 @@
|
||||
SOURCES/NetworkManager-libreswan-1.2.22.tar.xz
|
||||
SOURCES/NetworkManager-libreswan-1.2.24.tar.xz
|
||||
|
@ -1,81 +0,0 @@
|
||||
From 4957f0123c109df05885b2c85bfabc8f7311fe62 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
|
||||
Date: Mon, 9 Sep 2024 12:25:58 +0200
|
||||
Subject: [PATCH] editor: connect stuff_changed_cb from populate_widget
|
||||
|
||||
There is no need to do it in 2 different steps, we always have to
|
||||
connect it after creating the widget. Let's do it all together so no
|
||||
developer forgets.
|
||||
---
|
||||
properties/nm-libreswan-editor.c | 47 --------------------------------
|
||||
1 file changed, 47 deletions(-)
|
||||
|
||||
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
|
||||
index b03d2fe..5687dc7 100644
|
||||
--- a/properties/nm-libreswan-editor.c
|
||||
+++ b/properties/nm-libreswan-editor.c
|
||||
@@ -351,27 +351,6 @@ populate_widget (LibreswanEditor *self,
|
||||
}
|
||||
gtk_combo_box_set_active (GTK_COMBO_BOX (widget), idx);
|
||||
}
|
||||
-}
|
||||
-
|
||||
-
|
||||
-/* Init the widget on the basis of its actual type.
|
||||
- * widget_name: the name of the widget
|
||||
- * key_name: the name of the key where the config value is stored
|
||||
- * alt_key_name:alternative name of the key
|
||||
- * match_value: used only for toggle_button and combo_box widgets; when matched
|
||||
- * in the former it will set the toggle button as active, in the latter
|
||||
- * will be used as a match for enabling the third index of possible values
|
||||
- * (a three-valued logic value is expected: "no", "yes" or "match_value").
|
||||
- */
|
||||
-static void
|
||||
-hook_stuff_changed_cb (LibreswanEditor *self,
|
||||
- const char *widget_name)
|
||||
-{
|
||||
- LibreswanEditorPrivate *priv = LIBRESWAN_EDITOR_GET_PRIVATE (self);
|
||||
- GtkWidget *widget;
|
||||
-
|
||||
- widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, widget_name));
|
||||
- g_return_if_fail (widget);
|
||||
|
||||
g_signal_connect (G_OBJECT (widget),
|
||||
GTK_IS_CHECK_BUTTON (widget) ? "toggled" : "changed",
|
||||
@@ -471,33 +450,7 @@ init_editor_plugin (LibreswanEditor *self,
|
||||
populate_widget (self, "group_entry", NM_LIBRESWAN_KEY_LEFTID, NULL, NULL);
|
||||
populate_widget (self, "cert_entry", NM_LIBRESWAN_KEY_LEFTCERT, NULL, NULL);
|
||||
populate_widget (self, "remoteid_entry", NM_LIBRESWAN_KEY_RIGHTID, NULL, NULL);
|
||||
- hook_stuff_changed_cb (self, "gateway_entry");
|
||||
- hook_stuff_changed_cb (self, "user_entry");
|
||||
- hook_stuff_changed_cb (self, "group_entry");
|
||||
- hook_stuff_changed_cb (self, "cert_entry");
|
||||
- hook_stuff_changed_cb (self, "remoteid_entry");
|
||||
-
|
||||
- /* Advanced Dialog */
|
||||
populate_adv_dialog (self);
|
||||
- hook_stuff_changed_cb (self, "domain_entry");
|
||||
- hook_stuff_changed_cb (self, "phase1_entry");
|
||||
- hook_stuff_changed_cb (self, "phase2_entry");
|
||||
- hook_stuff_changed_cb (self, "phase1_lifetime_entry");
|
||||
- hook_stuff_changed_cb (self, "phase2_lifetime_entry");
|
||||
- hook_stuff_changed_cb (self, "rekey_checkbutton");
|
||||
- hook_stuff_changed_cb (self, "pfs_checkbutton");
|
||||
- hook_stuff_changed_cb (self, "local_network_entry");
|
||||
- hook_stuff_changed_cb (self, "remote_network_entry");
|
||||
- hook_stuff_changed_cb (self, "narrowing_checkbutton");
|
||||
- hook_stuff_changed_cb (self, "fragmentation_combo");
|
||||
- hook_stuff_changed_cb (self, "mobike_combo");
|
||||
- hook_stuff_changed_cb (self, "dpd_delay_entry");
|
||||
- hook_stuff_changed_cb (self, "dpd_timeout_entry");
|
||||
- hook_stuff_changed_cb (self, "dpd_action_combo");
|
||||
- hook_stuff_changed_cb (self, "ipsec_interface_entry");
|
||||
- hook_stuff_changed_cb (self, "authby_entry");
|
||||
- hook_stuff_changed_cb (self, "disable_modecfgclient_checkbutton");
|
||||
- hook_stuff_changed_cb (self, "remote_cert_entry");
|
||||
|
||||
priv->advanced_dialog = GTK_WIDGET (gtk_builder_get_object (priv->builder, "libreswan-advanced-dialog"));
|
||||
g_return_val_if_fail (priv->advanced_dialog != NULL, FALSE);
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,182 +0,0 @@
|
||||
From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
|
||||
Date: Mon, 9 Sep 2024 11:47:57 +0200
|
||||
Subject: [PATCH] properties: add require-id-on-certificate
|
||||
|
||||
From `man ipsec.conf`:
|
||||
|
||||
require-id-on-certificate:
|
||||
When using certificates, check whether the IKE peer ID is present as
|
||||
a subjectAltName (SAN) on the peer certificate. Accepted values are
|
||||
yes (the default) or no. This check should only be disabled when
|
||||
intentionally using certificates that do not have their peer ID specified
|
||||
as a SAN on the certificate. These certificates violate RFC 4945 Section
|
||||
3.1 and are normally rejected to prevent a compromised host from assuming
|
||||
the IKE identity of another host. The SAN limits the IDs that the
|
||||
peer is able to assume.
|
||||
---
|
||||
properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++
|
||||
properties/nm-libreswan-editor-plugin.c | 2 ++
|
||||
properties/nm-libreswan-editor.c | 9 +++++++++
|
||||
shared/nm-service-defines.h | 1 +
|
||||
shared/utils.c | 5 +++++
|
||||
src/nm-libreswan-service.c | 1 +
|
||||
6 files changed, 44 insertions(+)
|
||||
|
||||
diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
|
||||
index b682895..17a7171 100644
|
||||
--- a/properties/nm-libreswan-dialog.ui
|
||||
+++ b/properties/nm-libreswan-dialog.ui
|
||||
@@ -1222,6 +1222,32 @@ config: authby <value>
|
||||
<property name="top_attach">0</property>
|
||||
</packing>
|
||||
</child>
|
||||
+ <child>
|
||||
+ <object class="GtkLabel" id="require_id_on_certificate_label">
|
||||
+ <property name="visible">True</property>
|
||||
+ <property name="can_focus">False</property>
|
||||
+ <property name="label" translatable="yes">Don't require remote certificate name</property>
|
||||
+ <property name="use_underline">True</property>
|
||||
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
|
||||
+ <property name="xalign">1</property>
|
||||
+ </object>
|
||||
+ <packing>
|
||||
+ <property name="left_attach">0</property>
|
||||
+ <property name="top_attach">1</property>
|
||||
+ </packing>
|
||||
+ </child>
|
||||
+ <child>
|
||||
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
|
||||
+ <property name="visible">True</property>
|
||||
+ <property name="can_focus">True</property>
|
||||
+ <property name="receives_default">False</property>
|
||||
+ <property name="draw_indicator">True</property>
|
||||
+ </object>
|
||||
+ <packing>
|
||||
+ <property name="left_attach">1</property>
|
||||
+ <property name="top_attach">1</property>
|
||||
+ </packing>
|
||||
+ </child>
|
||||
</object>
|
||||
</child>
|
||||
</object>
|
||||
diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
|
||||
index fe473d1..7aa528e 100644
|
||||
--- a/properties/nm-libreswan-editor-plugin.c
|
||||
+++ b/properties/nm-libreswan-editor-plugin.c
|
||||
@@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self,
|
||||
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily="));
|
||||
else if (g_str_has_prefix (str, "clientaddrfamily="))
|
||||
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily="));
|
||||
+ else if (g_str_has_prefix (str, "require-id-on-certificate="))
|
||||
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate="));
|
||||
else if (g_str_has_prefix (str, "rightsubnet=")) {
|
||||
if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
|
||||
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
|
||||
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
|
||||
index 5687dc7..b350819 100644
|
||||
--- a/properties/nm-libreswan-editor.c
|
||||
+++ b/properties/nm-libreswan-editor.c
|
||||
@@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self)
|
||||
populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL);
|
||||
populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no");
|
||||
populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL);
|
||||
+ populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no");
|
||||
}
|
||||
|
||||
static gboolean
|
||||
@@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn)
|
||||
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str);
|
||||
else
|
||||
nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
|
||||
+
|
||||
+ /* Disable Require ID on certificate */
|
||||
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton"));
|
||||
+ if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget)))
|
||||
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no");
|
||||
+ else
|
||||
+ nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
|
||||
+
|
||||
}
|
||||
|
||||
static gboolean
|
||||
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
|
||||
index 167b837..5f523bd 100644
|
||||
--- a/shared/nm-service-defines.h
|
||||
+++ b/shared/nm-service-defines.h
|
||||
@@ -73,6 +73,7 @@
|
||||
#define NM_LIBRESWAN_KEY_TYPE "type"
|
||||
#define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily"
|
||||
#define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily"
|
||||
+#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate"
|
||||
|
||||
#define NM_LIBRESWAN_IKEV2_NO "no"
|
||||
#define NM_LIBRESWAN_IKEV2_NEVER "never"
|
||||
diff --git a/shared/utils.c b/shared/utils.c
|
||||
index 65bc603..9394099 100644
|
||||
--- a/shared/utils.c
|
||||
+++ b/shared/utils.c
|
||||
@@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd,
|
||||
const char *mobike;
|
||||
const char *pfs;
|
||||
const char *client_family;
|
||||
+ const char *require_id_on_certificate;
|
||||
const char *item;
|
||||
gboolean is_ikev2 = FALSE;
|
||||
|
||||
@@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd,
|
||||
if (client_family && strlen (client_family))
|
||||
WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
|
||||
|
||||
+ require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
|
||||
+ if (require_id_on_certificate && strlen (require_id_on_certificate))
|
||||
+ WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate);
|
||||
+
|
||||
leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
|
||||
rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
|
||||
leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
|
||||
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
|
||||
index e5956af..984e991 100644
|
||||
--- a/src/nm-libreswan-service.c
|
||||
+++ b/src/nm-libreswan-service.c
|
||||
@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = {
|
||||
{ NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 },
|
||||
{ NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 },
|
||||
{ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 },
|
||||
+ { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 },
|
||||
/* Ignored option for internal use */
|
||||
{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 },
|
||||
{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
|
||||
--- a/gtk4/nm-libreswan-dialog.ui
|
||||
+++ b/gtk4/nm-libreswan-dialog.ui
|
||||
@@ -979,6 +979,27 @@
|
||||
</layout>
|
||||
</object>
|
||||
</child>
|
||||
+ <child>
|
||||
+ <object class="GtkLabel" id="require_id_on_certificate_label">
|
||||
+ <property name="label" translatable="1">Don't require remote certificate name</property>
|
||||
+ <property name="use_underline">1</property>
|
||||
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
|
||||
+ <property name="xalign">1</property>
|
||||
+ <layout>
|
||||
+ <property name="column">0</property>
|
||||
+ <property name="row">1</property>
|
||||
+ </layout>
|
||||
+ </object>
|
||||
+ </child>
|
||||
+ <child>
|
||||
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
|
||||
+ <property name="focusable">1</property>
|
||||
+ <layout>
|
||||
+ <property name="column">1</property>
|
||||
+ <property name="row">1</property>
|
||||
+ </layout>
|
||||
+ </object>
|
||||
+ </child>
|
||||
</object>
|
||||
</child>
|
||||
</object>
|
||||
--
|
||||
2.44.0
|
||||
|
Loading…
Reference in new issue