diff --git a/.gitignore b/.gitignore
index 7646016..32e2252 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,4 @@ NetworkManager-openvpn-0.8.1.tar.bz2
 /NetworkManager-openvpn-1.2.5-dev-45-ga84840b.tar.xz
 /NetworkManager-openvpn-1.2.6.tar.xz
 /NetworkManager-openvpn-1.2.8.tar.xz
+/NetworkManager-openvpn-1.2.10.tar.xz
diff --git a/0001-tls-remote-workaround-rh1421241.patch b/0001-tls-remote-workaround-rh1421241.patch
deleted file mode 100644
index 3c74d6b..0000000
--- a/0001-tls-remote-workaround-rh1421241.patch
+++ /dev/null
@@ -1,471 +0,0 @@ -From 40ee847d32c11d0bc7c1b06fefa9a9ef8e2b0570 Mon Sep 17 00:00:00 2001 -From: Thomas Haller -Date: Mon, 13 Feb 2017 12:30:16 +0100 -Subject: [PATCH 1/4] service: avoid strlen() for checking whether a string is - empty - -Possibly the compiler can optimize it not to evaluate the full string length, -just to verify whether the string is empty. Still, I think it's bad style. - -(cherry picked from commit 2a4a4a49d8b97e3cbe37307f6b6c1053df946ce4) ---- - src/nm-openvpn-service.c | 26 +++++++++++++------------- - 1 file changed, 13 insertions(+), 13 deletions(-) - -diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c -index d7bd29f..d6e36a6 100644 ---- a/src/nm-openvpn-service.c -+++ b/src/nm-openvpn-service.c -@@ -1406,7 +1406,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - - /* Cipher */ - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CIPHER); -- if (tmp && strlen (tmp)) { -+ if (tmp && tmp[0]) { - add_openvpn_arg (args, "--cipher"); - add_openvpn_arg (args, tmp); - } -@@ -1419,7 +1419,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - - /* Keysize */ - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEYSIZE); -- if (tmp && strlen (tmp)) { -+ if (tmp && tmp[0]) { - add_openvpn_arg (args, "--keysize"); - if (!add_openvpn_arg_int (args, tmp)) { - g_set_error (error, -@@ -1440,25 +1440,25 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - - /* TA */ - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA); -- if (tmp && strlen (tmp)) { -+ if (tmp && tmp[0]) { - add_openvpn_arg (args, "--tls-auth"); - add_openvpn_arg_utf8safe (args, tmp); - - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR); -- if (tmp && strlen (tmp)) -+ if (tmp && tmp[0]) - add_openvpn_arg (args, tmp); - } - - /* tls-remote */ - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE); -- if (tmp && strlen (tmp)) { -+ if (tmp && tmp[0]) { - add_openvpn_arg (args, 
"--tls-remote"); - add_openvpn_arg (args, tmp); - } - - /* verify-x509-name */ - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME); -- if (tmp && strlen (tmp)) { -+ if (tmp && tmp[0]) { - const char *name; - gs_free char *type = NULL; - -@@ -1483,7 +1483,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - - /* remote-cert-tls */ - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS); -- if (tmp && strlen (tmp)) { -+ if (tmp && tmp[0]) { - add_openvpn_arg (args, "--remote-cert-tls"); - add_openvpn_arg (args, tmp); - } -@@ -1500,7 +1500,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - if (!connection_type_is_tls_mode (connection_type)) { - /* Ignore --reneg-sec option if we are not in TLS mode (as enabled - * by --client below). openvpn will error out otherwise, see bgo#749050. */ -- } else if (tmp && strlen (tmp)) { -+ } else if (tmp && tmp[0]) { - add_openvpn_arg (args, "--reneg-sec"); - if (!add_openvpn_arg_int (args, tmp)) { - g_set_error (error, -@@ -1532,7 +1532,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - - /* TUN MTU size */ - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TUNNEL_MTU); -- if (tmp && strlen (tmp)) { -+ if (tmp && tmp[0]) { - add_openvpn_arg (args, "--tun-mtu"); - if (!add_openvpn_arg_int (args, tmp)) { - g_set_error (error, -@@ -1546,7 +1546,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - - /* fragment size */ - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_FRAGMENT_SIZE); -- if (tmp && strlen (tmp)) { -+ if (tmp && tmp[0]) { - add_openvpn_arg (args, "--fragment"); - if (!add_openvpn_arg_int (args, tmp)) { - g_set_error (error, -@@ -1620,12 +1620,12 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - add_cert_args (args, s_vpn); - } else if (!strcmp (connection_type, NM_OPENVPN_CONTYPE_STATIC_KEY)) { - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY); -- if (tmp && strlen 
(tmp)) { -+ if (tmp && tmp[0]) { - add_openvpn_arg (args, "--secret"); - add_openvpn_arg_utf8safe (args, tmp); - - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION); -- if (tmp && strlen (tmp)) -+ if (tmp && tmp[0]) - add_openvpn_arg (args, tmp); - } - -@@ -1659,7 +1659,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - add_openvpn_arg (args, "--auth-user-pass"); - - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CA); -- if (tmp && strlen (tmp)) { -+ if (tmp && tmp[0]) { - add_openvpn_arg (args, "--ca"); - add_openvpn_arg_utf8safe (args, tmp); - } --- -2.9.3 - - -From 1a21babccc3eb77c5b4a2953e7c45aaec670b120 Mon Sep 17 00:00:00 2001 -From: Thomas Haller -Date: Mon, 13 Feb 2017 11:31:40 +0100 -Subject: [PATCH 2/4] service: minor refactoring of nm_find_openvpn() - -And rename to openvpn_binary_find_exepath(). -The prefix "openvpn_binary_" will be used for related functions. - -(cherry picked from commit 05cb6356bb4d27fb1c2ca5f8a7bfdf23fe424f0c) ---- - src/nm-openvpn-service.c | 41 ++++++++++++++++++++--------------------- - 1 file changed, 20 insertions(+), 21 deletions(-) - -diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c -index d6e36a6..d88ed19 100644 ---- a/src/nm-openvpn-service.c -+++ b/src/nm-openvpn-service.c -@@ -188,6 +188,25 @@ _LOGD_enabled (void) - - /*****************************************************************************/ - -+static const char * -+openvpn_binary_find_exepath (void) -+{ -+ static const char *paths[] = { -+ "/usr/sbin/openvpn", -+ "/sbin/openvpn", -+ "/usr/local/sbin/openvpn", -+ }; -+ int i; -+ -+ for (i = 0; i < G_N_ELEMENTS (paths); i++) { -+ if (g_file_test (paths[i], G_FILE_TEST_EXISTS)) -+ return paths[i]; -+ } -+ return NULL; -+} -+ -+/*****************************************************************************/ -+ - static void - pids_pending_data_free (PidsPendingData *pid_data) - { -@@ -886,26 +905,6 @@ connection_type_is_tls_mode (const char 
*connection_type) - || strcmp (connection_type, NM_OPENVPN_CONTYPE_PASSWORD_TLS) == 0; - } - --static const char * --nm_find_openvpn (void) --{ -- static const char *openvpn_binary_paths[] = { -- "/usr/sbin/openvpn", -- "/sbin/openvpn", -- "/usr/local/sbin/openvpn", -- NULL -- }; -- const char **openvpn_binary = openvpn_binary_paths; -- -- while (*openvpn_binary != NULL) { -- if (g_file_test (*openvpn_binary, G_FILE_TEST_EXISTS)) -- break; -- openvpn_binary++; -- } -- -- return *openvpn_binary; --} -- - static void - add_openvpn_arg (GPtrArray *args, const char *arg) - { -@@ -1154,7 +1153,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - return FALSE; - - /* Find openvpn */ -- openvpn_binary = nm_find_openvpn (); -+ openvpn_binary = openvpn_binary_find_exepath (); - if (!openvpn_binary) { - g_set_error_literal (error, - NM_VPN_PLUGIN_ERROR, --- -2.9.3 - - -From adc7dd5148c12917eee1c2c92ddb605e2ecd6b2c Mon Sep 17 00:00:00 2001 -From: Thomas Haller -Date: Mon, 13 Feb 2017 12:30:26 +0100 -Subject: [PATCH 3/4] service: for OpenVPN 2.4 and newer, handle --tls-remote - option via --verify-x509-name - -The tls-remote option got removed from OpenVPN 2.4. This requires users -to fix their existing configurations to use verify-x509-name instead. - -Using tls-remote on a recent OpenVPN binary thus fails to establish -the connection, which is an annoyance for the user. Let the plugin -automatically convert the "tls-remote $NAME" option to "verify-x509-name -$NAME name". Note that the two options are not entirely equivalent, thus -the is a chance that this wrongly rejects a server that would have worked -before, or ever worse, that it wronlgy accepts a server that would have -been rejected. - -But in most common cases, the workaround should work fine. -The user is still strongly encouraged to update his configuration. 
- -https://bugzilla.gnome.org/show_bug.cgi?id=776045 -https://bugzilla.redhat.com/show_bug.cgi?id=1421241 -(cherry picked from commit f7421ef277222bd640c432afefc21ef5a98477bc) ---- - src/nm-openvpn-service.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 85 insertions(+), 2 deletions(-) - -diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c -index d88ed19..fa59537 100644 ---- a/src/nm-openvpn-service.c -+++ b/src/nm-openvpn-service.c -@@ -70,6 +70,13 @@ G_DEFINE_TYPE (NMOpenvpnPlugin, nm_openvpn_plugin, NM_TYPE_VPN_SERVICE_PLUGIN) - - #define NM_OPENVPN_PLUGIN_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_OPENVPN_PLUGIN, NMOpenvpnPluginPrivate)) - -+typedef enum { -+ OPENVPN_BINARY_VERSION_INVALID, -+ OPENVPN_BINARY_VERSION_UNKNOWN, -+ OPENVPN_BINARY_VERSION_2_3_OR_OLDER, -+ OPENVPN_BINARY_VERSION_2_4_OR_NEWER, -+} OpenvpnBinaryVersion; -+ - typedef struct { - char *default_username; - char *username; -@@ -205,6 +212,64 @@ openvpn_binary_find_exepath (void) - return NULL; - } - -+static OpenvpnBinaryVersion -+openvpn_binary_detect_version (const char *exepath) -+{ -+ gs_free char *s_stdout = NULL; -+ const char *s; -+ int exit_code; -+ int n; -+ -+ g_return_val_if_fail (exepath && exepath[0] == '/', OPENVPN_BINARY_VERSION_UNKNOWN); -+ -+ if (!g_spawn_sync (NULL, -+ (char *[]) { (char *) exepath, "--version", NULL }, -+ NULL, -+ G_SPAWN_STDERR_TO_DEV_NULL, -+ NULL, -+ NULL, -+ &s_stdout, -+ NULL, -+ &exit_code, -+ NULL)) -+ return OPENVPN_BINARY_VERSION_UNKNOWN; -+ -+ if ( !WIFEXITED (exit_code) -+ || WEXITSTATUS (exit_code) != 1) { -+ /* expect return code 1 (OPENVPN_EXIT_STATUS_USAGE) */ -+ return OPENVPN_BINARY_VERSION_UNKNOWN; -+ } -+ -+ /* the output for --version starts with title_string, which starts with PACKAGE_STRING, -+ * which looks like "OpenVPN 2.#...". Do a strict parsing here... 
*/ -+ if ( !s_stdout -+ || !g_str_has_prefix (s_stdout, "OpenVPN 2.")) -+ return OPENVPN_BINARY_VERSION_UNKNOWN; -+ s = &s_stdout[NM_STRLEN ("OpenVPN 2.")]; -+ -+ if (!g_ascii_isdigit (s[0])) -+ return OPENVPN_BINARY_VERSION_UNKNOWN; -+ -+ n = 0; -+ do { -+ if (n > G_MAXINT / 100) -+ return OPENVPN_BINARY_VERSION_UNKNOWN; -+ n = (n * 10) + (s[0] - '0'); -+ } while (g_ascii_isdigit ((++s)[0])); -+ -+ if (n <= 3) -+ return OPENVPN_BINARY_VERSION_2_3_OR_OLDER; -+ return OPENVPN_BINARY_VERSION_2_4_OR_NEWER; -+} -+ -+static OpenvpnBinaryVersion -+openvpn_binary_detect_version_cached (const char *exepath, OpenvpnBinaryVersion *cached) -+{ -+ if (G_UNLIKELY (*cached == OPENVPN_BINARY_VERSION_INVALID)) -+ *cached = openvpn_binary_detect_version (exepath); -+ return *cached; -+} -+ - /*****************************************************************************/ - - static void -@@ -1119,12 +1184,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - gboolean dev_type_is_tap; - char *stmp; - const char *defport, *proto_tcp; -+ const char *tls_remote = NULL; - const char *nm_openvpn_user, *nm_openvpn_group, *nm_openvpn_chroot; - gs_free char *bus_name = NULL; - NMSettingVpn *s_vpn; - const char *connection_type; - gint64 v_int64; - char sbuf_64[65]; -+ OpenvpnBinaryVersion openvpn_binary_version = OPENVPN_BINARY_VERSION_INVALID; - - s_vpn = nm_connection_get_setting_vpn (connection); - if (!s_vpn) { -@@ -1451,8 +1518,17 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - /* tls-remote */ - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE); - if (tmp && tmp[0]) { -- add_openvpn_arg (args, "--tls-remote"); -- add_openvpn_arg (args, tmp); -+ if (openvpn_binary_detect_version_cached (openvpn_binary, &openvpn_binary_version) != OPENVPN_BINARY_VERSION_2_4_OR_NEWER) { -+ _LOGW ("the tls-remote option is deprecated and removed from OpenVPN 2.4. 
Update your connection to use verify-x509-name"); -+ add_openvpn_arg (args, "--tls-remote"); -+ add_openvpn_arg (args, tmp); -+ } else { -+ _LOGW ("the tls-remote option is deprecated and removed from OpenVPN 2.4. For compatibility, the plugin uses \"verify-x509-name\" \"%s\" \"name\" instead. Update your connection to use verify-x509-name", tmp); -+ add_openvpn_arg (args, "--verify-x509-name"); -+ add_openvpn_arg (args, tmp); -+ add_openvpn_arg (args, "name"); -+ } -+ tls_remote = tmp; - } - - /* verify-x509-name */ -@@ -1461,6 +1537,13 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - const char *name; - gs_free char *type = NULL; - -+ if (tls_remote) { -+ g_set_error (error, NM_VPN_PLUGIN_ERROR, -+ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, -+ _("Invalid configuration with tls-remote and verify-x509-name.")); -+ return FALSE; -+ } -+ - name = strchr (tmp, ':'); - if (name) { - type = g_strndup (tmp, name - tmp); --- -2.9.3 - - -From 11049e7c888fcc74896b34ea86f09d38a561fc35 Mon Sep 17 00:00:00 2001 -From: Thomas Haller -Date: Mon, 13 Feb 2017 12:56:27 +0100 -Subject: [PATCH 4/4] properties: discourage use of tls-remote in GUI - -Mark the entry as "error" when selecting the deprecated -tls-remote option. - -This is to make it more apparent to the user that he -should avoid this setting. 
- -(cherry picked from commit 1c2986b8881b3b28d493f66cc804da12712cc2a7) ---- - properties/auth-helpers.c | 14 ++++++++++++-- - properties/import-export.c | 2 +- - properties/nm-openvpn-dialog.ui | 2 ++ - 3 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c -index 4d1e1ce..2f880dd 100644 ---- a/properties/auth-helpers.c -+++ b/properties/auth-helpers.c -@@ -1211,7 +1211,7 @@ populate_tls_remote_mode_entry_combo (GtkEntry* entry, GtkComboBox *box, - - gtk_list_store_append (store, &iter); - gtk_list_store_set (store, &iter, -- TLS_REMOTE_MODE_COL_NAME, _("Verify subject partially (legacy mode)"), -+ TLS_REMOTE_MODE_COL_NAME, _("Verify subject partially (legacy mode, strongly discouraged)"), - TLS_REMOTE_MODE_COL_VALUE, TLS_REMOTE_MODE_LEGACY, - -1); - -@@ -1250,6 +1250,7 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data) - GtkWidget *entry, *combo, *ok_button; - GtkTreeIter iter; - gboolean entry_enabled = TRUE, entry_has_error = FALSE; -+ gboolean legacy_tls_remote = FALSE; - - entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_entry")); - combo = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_mode_combo")); -@@ -1272,6 +1273,7 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data) - - entry_enabled = TRUE; - entry_has_error = !subject || !subject[0]; -+ legacy_tls_remote = nm_streq (tls_remote_mode, TLS_REMOTE_MODE_LEGACY); - } - } - -@@ -1280,9 +1282,17 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data) - widget_set_error (entry); - gtk_widget_set_sensitive (ok_button, FALSE); - } else { -- widget_unset_error (entry); -+ if (legacy_tls_remote) { -+ /* selecting tls-remote is not an error, but strongly discouraged. I wish -+ * there would be a warning-class as well. Anyway, mark the widget as -+ * erroneous, although this doesn't make the connection invalid (which -+ * is an ugly inconsistency). 
*/ -+ widget_set_error (entry); -+ } else -+ widget_unset_error (entry); - gtk_widget_set_sensitive (ok_button, TRUE); - } -+ - } - - static void -diff --git a/properties/import-export.c b/properties/import-export.c -index 1993026..7b42e0b 100644 ---- a/properties/import-export.c -+++ b/properties/import-export.c -@@ -1256,7 +1256,7 @@ do_import (const char *path, const char *contents, gsize contents_len, GError ** - } - - if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_VERIFY_X509_NAME)) { -- const char *type = "subject"; -+ const char *type = NM_OPENVPN_VERIFY_X509_NAME_TYPE_SUBJECT; - gs_free char *item = NULL; - - if (!args_params_check_nargs_minmax (params, 1, 2, &line_error)) -diff --git a/properties/nm-openvpn-dialog.ui b/properties/nm-openvpn-dialog.ui -index b2ca176..5558b70 100644 ---- a/properties/nm-openvpn-dialog.ui -+++ b/properties/nm-openvpn-dialog.ui -@@ -1918,6 +1918,8 @@ When enabled, connection will only succeed if the server certificate matches som - Matching can either apply to the whole certificate subject (all the fields), - or just the Common Name (CN field). - -+The legacy option tls-remote is deprecated and removed from OpenVPN 2.4 and newer. Do not use it anymore. -+ - config: verify-x509-name subject-or-name [mode] - config (legacy mode): tls-remote subject-or-name - model9 --- -2.9.3 - diff --git a/NetworkManager-openvpn.spec b/NetworkManager-openvpn.spec index a46a5e4..1037f8e 100644 --- a/NetworkManager-openvpn.spec +++ b/NetworkManager-openvpn.spec 
@@ -1,15 +1,13 @@ Summary: NetworkManager VPN plugin for OpenVPN Name: NetworkManager-openvpn Epoch: 1 -Version: 1.2.8 -Release: 2%{?dist} +Version: 1.2.10 +Release: 1%{?dist} License: GPLv2+ URL: http://www.gnome.org/projects/NetworkManager/ Group: System Environment/Base Source0: https://download.gnome.org/sources/NetworkManager-openvpn/1.2/%{name}-%{version}.tar.xz -Patch1: 0001-tls-remote-workaround-rh1421241.patch - BuildRequires: gtk3-devel BuildRequires: NetworkManager-devel BuildRequires: NetworkManager-glib-devel >= 1:1.2.0 @@ -49,8 +47,6 @@ the OpenVPN server with NetworkManager (GNOME files). %prep %setup -q -%patch1 -p1 - %build if [ ! -f configure ]; then ./autogen.sh @@ -97,6 +93,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la %{_datadir}/appdata/network-manager-openvpn.metainfo.xml %changelog +* Wed May 17 2017 Lubomir Rintel - 1.2.10-1 +- Update to 1.2.10 release + * Mon Feb 27 2017 Thomas Haller - 1:1.2.8-2 - Workaround removed tls-remote option with Openvpn 2.4 (rh#1421241) diff --git a/sources b/sources index ed5d81b..0e55c75 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (NetworkManager-openvpn-1.2.8.tar.xz) = e6d64106cd93f91d292a6b2346dc31317e1056d2bbaf09a376c84ffaaa8fd584f92999865bdf52531b44de7ae144e1ae9271b9efc564d99f8569b0d059ab8019 +SHA512 (NetworkManager-openvpn-1.2.10.tar.xz) = d597e8b3d2935c6874a283d2a036c511e1f3625aed7f5e6fbf5c77d3c3f5f6d170b19fe69202d74b2b1ac6d47d3704d3177598fd1889a19003fed98416ea6521
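Review bot: The new %changelog entry `* Wed May 17 2017 Lubomir Rintel - 1.2.10-1` omits the `1:` epoch that the package declares (`Epoch: 1`) and that the preceding entry `1:1.2.8-2` carries, so the changelog version no longer matches the built EVR and rpmlint will flag it. Change the line to `* Wed May 17 2017 Lubomir Rintel - 1:1.2.10-1`. Dropping `Patch1` and `%patch1 -p1` in the same commit implicitly assumes the tls-remote fallback is contained in the 1.2.10 tarball; the removed patch's "cherry picked from" trailers suggest it is upstream, but that is not verifiable from this diff, and a changelog line such as `- Drop tls-remote workaround, merged upstream` would record the reason the patch went away.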