From 86eace12c63ed451b3368ff503c0500e8863fe55 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Mon, 27 Feb 2017 16:18:27 +0100
Subject: [PATCH] Workaround removed tls-remote option with Openvpn 2.4 (rh#1421241)

---
 0001-comp-lzo-no-fix-rh1355688 | 136 ------
 0001-tls-remote-workaround-rh1421241.patch | 471 +++++++++++++++++++++
 NetworkManager-openvpn.spec | 9 +-
 3 files changed, 477 insertions(+), 139 deletions(-)
 delete mode 100644 0001-comp-lzo-no-fix-rh1355688
 create mode 100644 0001-tls-remote-workaround-rh1421241.patch

diff --git a/0001-comp-lzo-no-fix-rh1355688 b/0001-comp-lzo-no-fix-rh1355688
deleted file mode 100644
index 1300891..0000000
--- a/0001-comp-lzo-no-fix-rh1355688
+++ /dev/null
@@ -1,136 +0,0 @@ -From 4ecbe9f176b6d29aa51bf7800d0495e1c949f5bc Mon Sep 17 00:00:00 2001 -From: Thomas Haller -Date: Thu, 11 Aug 2016 14:38:53 +0200 -Subject: [PATCH 1/1] fix recent change in behavior for "comp-lzo=no" setting - -openvpn supports 4 different ways for --comp-lzo: - 1) no --comp-lzo option - 2) --comp-lzo yes - 3) --comp-lzo [adaptive] - 4) --comp-lzo no - -Before commit 2ecf18c25a7bee7f0122d9d666a7e11cd8b55ea3, nm-openvpn -only supported 1) and 2). Those were expressed in NM's connection -by either omitting the comp-lzo setting or setting "comp-lzo=yes". - -Arguably due to a bug, old plasma-nm would configure connections with -comp-lzo=no to mean 1), so after update of nm-openvpn to 2ecf18c2 those -connections changed to mean 4), which broke some existing configurations. -That was later attemted to be fixed in plasma-nm by commit [1], which -however only affects new connections and cannot fix existing connections -for users. - -Ultimatley, the "comp-lzo=no" setting is spoiled due to that. - -The fix is to add a new setting "comp-lzo=no-by-default" which shall -have the meaning 4) and pass "--comp-lzo no" to openvpn. A connection -with "comp-lzo=no" is again treated as 1). - -This fixes old connections that were created by old plasma-nm before commit -[1] by restoring the old meaning. - -This however now breaks users of recent nm-openvpn which were deliberately setting -"comp-lzo=no" to mean option 4), most notably users of recent plasma-nm (since -commit [1]). Users of the properties plugin for nm-connection-editor/gnome-control-center -are anyway unable to configure "comp-lzo=no" in the UI, so probably isn't a real -issue for many users. 
- -plasma-nm bugs: - [1] https://quickgit.kde.org/?p=plasma-nm.git&a=commit&h=31bcd5f2cffd1c19fbd10ab0f4172f2d82eff194 - https://bugs.kde.org/show_bug.cgi?id=365816 - https://bugzilla.redhat.com/show_bug.cgi?id=1365663 - -https://bugzilla.gnome.org/show_bug.cgi?id=769177 -https://bugzilla.redhat.com/show_bug.cgi?id=1355688 -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833166 -(cherry picked from commit 62bdd278d69cc396479af9d05a0b776d5ad386bf) ---- - properties/auth-helpers.c | 5 ++++- - properties/import-export.c | 14 ++++++++++++-- - src/nm-openvpn-service.c | 24 ++++++++++++++++++++++++ - 3 files changed, 40 insertions(+), 3 deletions(-) - -diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c -index 85985c8..7244df1 100644 ---- a/properties/auth-helpers.c -+++ b/properties/auth-helpers.c -@@ -2010,7 +2010,10 @@ advanced_dialog_new_hash_from_dialog (GtkWidget *dialog, GError **error) - if (gtk_toggle_button_get_active (GTK_TOGGLE_BUTTON (widget))) { - /* we only have a checkbox, which we either map to "--comp-lzo yes" or - * no "--comp-lzo" flag. In the UI, we cannot express "--comp-lzo [adaptive]" -- * or "--comp-lzo no". */ -+ * or "--comp-lzo no". -+ * -+ * Note that "--comp-lzo no" must be encoded as "comp-lzo=no-by-default" (bgo#769177). 
-+ */ - g_hash_table_insert (hash, g_strdup (NM_OPENVPN_KEY_COMP_LZO), g_strdup ("yes")); - } - -diff --git a/properties/import-export.c b/properties/import-export.c -index 90b4631..ddb1cd3 100644 ---- a/properties/import-export.c -+++ b/properties/import-export.c -@@ -951,13 +951,23 @@ do_import (const char *path, const char *contents, gsize contents_len, GError ** - } - - if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_COMP_LZO)) { -+ const char *v; -+ - if (!args_params_check_nargs_minmax (params, 0, 1, &line_error)) - goto handle_line_error; -- if (!NM_IN_STRSET (params[1], NULL, "no", "yes", "adaptive")) { -+ -+ v = params[1] ?: "adaptive"; -+ -+ if (nm_streq (v, "no")) { -+ /* old plasma-nm used to set "comp-lzo=no" to mean unset, thus it spoiled -+ * to "no" option to be used in the connection. Workaround that, by instead -+ * using "no-by-default" (bgo#769177). */ -+ v = "no-by-default"; -+ } else if (!NM_IN_STRSET (v, "yes", "adaptive")) { - line_error = g_strdup_printf (_("unsupported comp-lzo argument")); - goto handle_line_error; - } -- setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO, params[1] ?: "adaptive"); -+ setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO, v); - continue; - } - -diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c -index e5a1aa9..9238a45 100644 ---- a/src/nm-openvpn-service.c -+++ b/src/nm-openvpn-service.c -@@ -1250,6 +1250,30 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, - } - - tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO); -+ -+ /* openvpn understands 4 different modes for --comp-lzo, which have -+ * different meaning: -+ * 1) no --comp-lzo option -+ * 2) --comp-lzo yes -+ * 3) --comp-lzo [adaptive] -+ * 4) --comp-lzo no -+ * -+ * In the past, nm-openvpn only supported 1) and 2) by having no -+ * comp-lzo connection setting or "comp-lzo=yes", respectively. -+ * -+ * However, old plasma-nm would set "comp-lzo=no" in the connection -+ * to mean 1). 
Thus, "comp-lzo=no" is spoiled to mean 4) in order -+ * to preserve backward compatibily. -+ * We use instead a special value "no-by-default" to express "no". -+ * -+ * See bgo#769177 -+ */ -+ if (NM_IN_STRSET (tmp, "no")) { -+ /* means no --comp-lzo option. */ -+ tmp = NULL; -+ } else if (NM_IN_STRSET (tmp, "no-by-default")) -+ tmp = "no"; -+ - if (NM_IN_STRSET (tmp, "yes", "no", "adaptive")) { - add_openvpn_arg (args, "--comp-lzo"); - add_openvpn_arg (args, tmp); --- -2.7.4 - diff --git a/0001-tls-remote-workaround-rh1421241.patch b/0001-tls-remote-workaround-rh1421241.patch new file mode 100644 index 0000000..3c74d6b --- /dev/null +++ b/0001-tls-remote-workaround-rh1421241.patch 
@@ -0,0 +1,471 @@ +From 40ee847d32c11d0bc7c1b06fefa9a9ef8e2b0570 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Mon, 13 Feb 2017 12:30:16 +0100 +Subject: [PATCH 1/4] service: avoid strlen() for checking whether a string is + empty + +Possibly the compiler can optimize it not to evaluate the full string length, +just to verify whether the string is empty. Still, I think it's bad style. + +(cherry picked from commit 2a4a4a49d8b97e3cbe37307f6b6c1053df946ce4) +--- + src/nm-openvpn-service.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c +index d7bd29f..d6e36a6 100644 +--- a/src/nm-openvpn-service.c ++++ b/src/nm-openvpn-service.c +@@ -1406,7 +1406,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + + /* Cipher */ + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CIPHER); +- if (tmp && strlen (tmp)) { ++ if (tmp && tmp[0]) { + add_openvpn_arg (args, "--cipher"); + add_openvpn_arg (args, tmp); + } +@@ -1419,7 +1419,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + + /* Keysize */ + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEYSIZE); +- if (tmp && strlen (tmp)) { ++ if (tmp && tmp[0]) { + add_openvpn_arg (args, "--keysize"); + if (!add_openvpn_arg_int (args, tmp)) { + g_set_error (error, +@@ -1440,25 +1440,25 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + + /* TA */ + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA); +- if (tmp && strlen (tmp)) { ++ if (tmp && tmp[0]) { + add_openvpn_arg (args, "--tls-auth"); + add_openvpn_arg_utf8safe (args, tmp); + + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR); +- if (tmp && strlen (tmp)) ++ if (tmp && tmp[0]) + add_openvpn_arg (args, tmp); + } + + /* tls-remote */ + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE); +- if (tmp && strlen (tmp)) { ++ if (tmp && tmp[0]) { + add_openvpn_arg (args, 
"--tls-remote"); + add_openvpn_arg (args, tmp); + } + + /* verify-x509-name */ + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME); +- if (tmp && strlen (tmp)) { ++ if (tmp && tmp[0]) { + const char *name; + gs_free char *type = NULL; + +@@ -1483,7 +1483,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + + /* remote-cert-tls */ + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS); +- if (tmp && strlen (tmp)) { ++ if (tmp && tmp[0]) { + add_openvpn_arg (args, "--remote-cert-tls"); + add_openvpn_arg (args, tmp); + } +@@ -1500,7 +1500,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + if (!connection_type_is_tls_mode (connection_type)) { + /* Ignore --reneg-sec option if we are not in TLS mode (as enabled + * by --client below). openvpn will error out otherwise, see bgo#749050. */ +- } else if (tmp && strlen (tmp)) { ++ } else if (tmp && tmp[0]) { + add_openvpn_arg (args, "--reneg-sec"); + if (!add_openvpn_arg_int (args, tmp)) { + g_set_error (error, +@@ -1532,7 +1532,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + + /* TUN MTU size */ + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TUNNEL_MTU); +- if (tmp && strlen (tmp)) { ++ if (tmp && tmp[0]) { + add_openvpn_arg (args, "--tun-mtu"); + if (!add_openvpn_arg_int (args, tmp)) { + g_set_error (error, +@@ -1546,7 +1546,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + + /* fragment size */ + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_FRAGMENT_SIZE); +- if (tmp && strlen (tmp)) { ++ if (tmp && tmp[0]) { + add_openvpn_arg (args, "--fragment"); + if (!add_openvpn_arg_int (args, tmp)) { + g_set_error (error, +@@ -1620,12 +1620,12 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + add_cert_args (args, s_vpn); + } else if (!strcmp (connection_type, NM_OPENVPN_CONTYPE_STATIC_KEY)) { + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY); +- if (tmp && strlen 
(tmp)) { ++ if (tmp && tmp[0]) { + add_openvpn_arg (args, "--secret"); + add_openvpn_arg_utf8safe (args, tmp); + + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION); +- if (tmp && strlen (tmp)) ++ if (tmp && tmp[0]) + add_openvpn_arg (args, tmp); + } + +@@ -1659,7 +1659,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + add_openvpn_arg (args, "--auth-user-pass"); + + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CA); +- if (tmp && strlen (tmp)) { ++ if (tmp && tmp[0]) { + add_openvpn_arg (args, "--ca"); + add_openvpn_arg_utf8safe (args, tmp); + } +-- +2.9.3 + + +From 1a21babccc3eb77c5b4a2953e7c45aaec670b120 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Mon, 13 Feb 2017 11:31:40 +0100 +Subject: [PATCH 2/4] service: minor refactoring of nm_find_openvpn() + +And rename to openvpn_binary_find_exepath(). +The prefix "openvpn_binary_" will be used for related functions. + +(cherry picked from commit 05cb6356bb4d27fb1c2ca5f8a7bfdf23fe424f0c) +--- + src/nm-openvpn-service.c | 41 ++++++++++++++++++++--------------------- + 1 file changed, 20 insertions(+), 21 deletions(-) + +diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c +index d6e36a6..d88ed19 100644 +--- a/src/nm-openvpn-service.c ++++ b/src/nm-openvpn-service.c +@@ -188,6 +188,25 @@ _LOGD_enabled (void) + + /*****************************************************************************/ + ++static const char * ++openvpn_binary_find_exepath (void) ++{ ++ static const char *paths[] = { ++ "/usr/sbin/openvpn", ++ "/sbin/openvpn", ++ "/usr/local/sbin/openvpn", ++ }; ++ int i; ++ ++ for (i = 0; i < G_N_ELEMENTS (paths); i++) { ++ if (g_file_test (paths[i], G_FILE_TEST_EXISTS)) ++ return paths[i]; ++ } ++ return NULL; ++} ++ ++/*****************************************************************************/ ++ + static void + pids_pending_data_free (PidsPendingData *pid_data) + { +@@ -886,26 +905,6 @@ connection_type_is_tls_mode (const char 
*connection_type) + || strcmp (connection_type, NM_OPENVPN_CONTYPE_PASSWORD_TLS) == 0; + } + +-static const char * +-nm_find_openvpn (void) +-{ +- static const char *openvpn_binary_paths[] = { +- "/usr/sbin/openvpn", +- "/sbin/openvpn", +- "/usr/local/sbin/openvpn", +- NULL +- }; +- const char **openvpn_binary = openvpn_binary_paths; +- +- while (*openvpn_binary != NULL) { +- if (g_file_test (*openvpn_binary, G_FILE_TEST_EXISTS)) +- break; +- openvpn_binary++; +- } +- +- return *openvpn_binary; +-} +- + static void + add_openvpn_arg (GPtrArray *args, const char *arg) + { +@@ -1154,7 +1153,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + return FALSE; + + /* Find openvpn */ +- openvpn_binary = nm_find_openvpn (); ++ openvpn_binary = openvpn_binary_find_exepath (); + if (!openvpn_binary) { + g_set_error_literal (error, + NM_VPN_PLUGIN_ERROR, +-- +2.9.3 + + +From adc7dd5148c12917eee1c2c92ddb605e2ecd6b2c Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Mon, 13 Feb 2017 12:30:26 +0100 +Subject: [PATCH 3/4] service: for OpenVPN 2.4 and newer, handle --tls-remote + option via --verify-x509-name + +The tls-remote option got removed from OpenVPN 2.4. This requires users +to fix their existing configurations to use verify-x509-name instead. + +Using tls-remote on a recent OpenVPN binary thus fails to establish +the connection, which is an annoyance for the user. Let the plugin +automatically convert the "tls-remote $NAME" option to "verify-x509-name +$NAME name". Note that the two options are not entirely equivalent, thus +the is a chance that this wrongly rejects a server that would have worked +before, or ever worse, that it wronlgy accepts a server that would have +been rejected. + +But in most common cases, the workaround should work fine. +The user is still strongly encouraged to update his configuration. 
+ +https://bugzilla.gnome.org/show_bug.cgi?id=776045 +https://bugzilla.redhat.com/show_bug.cgi?id=1421241 +(cherry picked from commit f7421ef277222bd640c432afefc21ef5a98477bc) +--- + src/nm-openvpn-service.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 85 insertions(+), 2 deletions(-) + +diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c +index d88ed19..fa59537 100644 +--- a/src/nm-openvpn-service.c ++++ b/src/nm-openvpn-service.c +@@ -70,6 +70,13 @@ G_DEFINE_TYPE (NMOpenvpnPlugin, nm_openvpn_plugin, NM_TYPE_VPN_SERVICE_PLUGIN) + + #define NM_OPENVPN_PLUGIN_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_OPENVPN_PLUGIN, NMOpenvpnPluginPrivate)) + ++typedef enum { ++ OPENVPN_BINARY_VERSION_INVALID, ++ OPENVPN_BINARY_VERSION_UNKNOWN, ++ OPENVPN_BINARY_VERSION_2_3_OR_OLDER, ++ OPENVPN_BINARY_VERSION_2_4_OR_NEWER, ++} OpenvpnBinaryVersion; ++ + typedef struct { + char *default_username; + char *username; +@@ -205,6 +212,64 @@ openvpn_binary_find_exepath (void) + return NULL; + } + ++static OpenvpnBinaryVersion ++openvpn_binary_detect_version (const char *exepath) ++{ ++ gs_free char *s_stdout = NULL; ++ const char *s; ++ int exit_code; ++ int n; ++ ++ g_return_val_if_fail (exepath && exepath[0] == '/', OPENVPN_BINARY_VERSION_UNKNOWN); ++ ++ if (!g_spawn_sync (NULL, ++ (char *[]) { (char *) exepath, "--version", NULL }, ++ NULL, ++ G_SPAWN_STDERR_TO_DEV_NULL, ++ NULL, ++ NULL, ++ &s_stdout, ++ NULL, ++ &exit_code, ++ NULL)) ++ return OPENVPN_BINARY_VERSION_UNKNOWN; ++ ++ if ( !WIFEXITED (exit_code) ++ || WEXITSTATUS (exit_code) != 1) { ++ /* expect return code 1 (OPENVPN_EXIT_STATUS_USAGE) */ ++ return OPENVPN_BINARY_VERSION_UNKNOWN; ++ } ++ ++ /* the output for --version starts with title_string, which starts with PACKAGE_STRING, ++ * which looks like "OpenVPN 2.#...". Do a strict parsing here... 
*/ ++ if ( !s_stdout ++ || !g_str_has_prefix (s_stdout, "OpenVPN 2.")) ++ return OPENVPN_BINARY_VERSION_UNKNOWN; ++ s = &s_stdout[NM_STRLEN ("OpenVPN 2.")]; ++ ++ if (!g_ascii_isdigit (s[0])) ++ return OPENVPN_BINARY_VERSION_UNKNOWN; ++ ++ n = 0; ++ do { ++ if (n > G_MAXINT / 100) ++ return OPENVPN_BINARY_VERSION_UNKNOWN; ++ n = (n * 10) + (s[0] - '0'); ++ } while (g_ascii_isdigit ((++s)[0])); ++ ++ if (n <= 3) ++ return OPENVPN_BINARY_VERSION_2_3_OR_OLDER; ++ return OPENVPN_BINARY_VERSION_2_4_OR_NEWER; ++} ++ ++static OpenvpnBinaryVersion ++openvpn_binary_detect_version_cached (const char *exepath, OpenvpnBinaryVersion *cached) ++{ ++ if (G_UNLIKELY (*cached == OPENVPN_BINARY_VERSION_INVALID)) ++ *cached = openvpn_binary_detect_version (exepath); ++ return *cached; ++} ++ + /*****************************************************************************/ + + static void +@@ -1119,12 +1184,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + gboolean dev_type_is_tap; + char *stmp; + const char *defport, *proto_tcp; ++ const char *tls_remote = NULL; + const char *nm_openvpn_user, *nm_openvpn_group, *nm_openvpn_chroot; + gs_free char *bus_name = NULL; + NMSettingVpn *s_vpn; + const char *connection_type; + gint64 v_int64; + char sbuf_64[65]; ++ OpenvpnBinaryVersion openvpn_binary_version = OPENVPN_BINARY_VERSION_INVALID; + + s_vpn = nm_connection_get_setting_vpn (connection); + if (!s_vpn) { +@@ -1451,8 +1518,17 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + /* tls-remote */ + tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE); + if (tmp && tmp[0]) { +- add_openvpn_arg (args, "--tls-remote"); +- add_openvpn_arg (args, tmp); ++ if (openvpn_binary_detect_version_cached (openvpn_binary, &openvpn_binary_version) != OPENVPN_BINARY_VERSION_2_4_OR_NEWER) { ++ _LOGW ("the tls-remote option is deprecated and removed from OpenVPN 2.4. 
Update your connection to use verify-x509-name"); ++ add_openvpn_arg (args, "--tls-remote"); ++ add_openvpn_arg (args, tmp); ++ } else { ++ _LOGW ("the tls-remote option is deprecated and removed from OpenVPN 2.4. For compatibility, the plugin uses \"verify-x509-name\" \"%s\" \"name\" instead. Update your connection to use verify-x509-name", tmp); ++ add_openvpn_arg (args, "--verify-x509-name"); ++ add_openvpn_arg (args, tmp); ++ add_openvpn_arg (args, "name"); ++ } ++ tls_remote = tmp; + } + + /* verify-x509-name */ +@@ -1461,6 +1537,13 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin, + const char *name; + gs_free char *type = NULL; + ++ if (tls_remote) { ++ g_set_error (error, NM_VPN_PLUGIN_ERROR, ++ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, ++ _("Invalid configuration with tls-remote and verify-x509-name.")); ++ return FALSE; ++ } ++ + name = strchr (tmp, ':'); + if (name) { + type = g_strndup (tmp, name - tmp); +-- +2.9.3 + + +From 11049e7c888fcc74896b34ea86f09d38a561fc35 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Mon, 13 Feb 2017 12:56:27 +0100 +Subject: [PATCH 4/4] properties: discourage use of tls-remote in GUI + +Mark the entry as "error" when selecting the deprecated +tls-remote option. + +This is to make it more apparent to the user that he +should avoid this setting. 
+ +(cherry picked from commit 1c2986b8881b3b28d493f66cc804da12712cc2a7) +--- + properties/auth-helpers.c | 14 ++++++++++++-- + properties/import-export.c | 2 +- + properties/nm-openvpn-dialog.ui | 2 ++ + 3 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c +index 4d1e1ce..2f880dd 100644 +--- a/properties/auth-helpers.c ++++ b/properties/auth-helpers.c +@@ -1211,7 +1211,7 @@ populate_tls_remote_mode_entry_combo (GtkEntry* entry, GtkComboBox *box, + + gtk_list_store_append (store, &iter); + gtk_list_store_set (store, &iter, +- TLS_REMOTE_MODE_COL_NAME, _("Verify subject partially (legacy mode)"), ++ TLS_REMOTE_MODE_COL_NAME, _("Verify subject partially (legacy mode, strongly discouraged)"), + TLS_REMOTE_MODE_COL_VALUE, TLS_REMOTE_MODE_LEGACY, + -1); + +@@ -1250,6 +1250,7 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data) + GtkWidget *entry, *combo, *ok_button; + GtkTreeIter iter; + gboolean entry_enabled = TRUE, entry_has_error = FALSE; ++ gboolean legacy_tls_remote = FALSE; + + entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_entry")); + combo = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_mode_combo")); +@@ -1272,6 +1273,7 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data) + + entry_enabled = TRUE; + entry_has_error = !subject || !subject[0]; ++ legacy_tls_remote = nm_streq (tls_remote_mode, TLS_REMOTE_MODE_LEGACY); + } + } + +@@ -1280,9 +1282,17 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data) + widget_set_error (entry); + gtk_widget_set_sensitive (ok_button, FALSE); + } else { +- widget_unset_error (entry); ++ if (legacy_tls_remote) { ++ /* selecting tls-remote is not an error, but strongly discouraged. I wish ++ * there would be a warning-class as well. Anyway, mark the widget as ++ * erroneous, although this doesn't make the connection invalid (which ++ * is an ugly inconsistency). 
*/ ++ widget_set_error (entry); ++ } else ++ widget_unset_error (entry); + gtk_widget_set_sensitive (ok_button, TRUE); + } ++ + } + + static void +diff --git a/properties/import-export.c b/properties/import-export.c +index 1993026..7b42e0b 100644 +--- a/properties/import-export.c ++++ b/properties/import-export.c +@@ -1256,7 +1256,7 @@ do_import (const char *path, const char *contents, gsize contents_len, GError ** + } + + if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_VERIFY_X509_NAME)) { +- const char *type = "subject"; ++ const char *type = NM_OPENVPN_VERIFY_X509_NAME_TYPE_SUBJECT; + gs_free char *item = NULL; + + if (!args_params_check_nargs_minmax (params, 1, 2, &line_error)) +diff --git a/properties/nm-openvpn-dialog.ui b/properties/nm-openvpn-dialog.ui +index b2ca176..5558b70 100644 +--- a/properties/nm-openvpn-dialog.ui ++++ b/properties/nm-openvpn-dialog.ui +@@ -1918,6 +1918,8 @@ When enabled, connection will only succeed if the server certificate matches som + Matching can either apply to the whole certificate subject (all the fields), + or just the Common Name (CN field). + ++The legacy option tls-remote is deprecated and removed from OpenVPN 2.4 and newer. Do not use it anymore. ++ + config: verify-x509-name subject-or-name [mode] + config (legacy mode): tls-remote subject-or-name + model9 +-- +2.9.3 + diff --git a/NetworkManager-openvpn.spec b/NetworkManager-openvpn.spec index adb90c8..a46a5e4 100644 --- a/NetworkManager-openvpn.spec +++ b/NetworkManager-openvpn.spec @@ -2,13 +2,13 @@ Summary: NetworkManager VPN plugin for OpenVPN Name: NetworkManager-openvpn Epoch: 1 Version: 1.2.8 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ URL: http://www.gnome.org/projects/NetworkManager/ Group: System Environment/Base Source0: https://download.gnome.org/sources/NetworkManager-openvpn/1.2/%{name}-%{version}.tar.xz -#Patch1: 0001-xxx.patch +Patch1: 0001-tls-remote-workaround-rh1421241.patch BuildRequires: gtk3-devel BuildRequires: NetworkManager-devel 
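Review bot: In `openvpn_binary_detect_version` (nested patch 3/4) every failure path — a failed spawn, an exit status other than 1, or a banner that does not start with "OpenVPN 2." — returns OPENVPN_BINARY_VERSION_UNKNOWN without logging, and the caller in nm_openvpn_start_openvpn_binary tests `!= OPENVPN_BINARY_VERSION_2_4_OR_NEWER`, so a failed detection silently takes the `--tls-remote` branch and the connection then dies inside openvpn with no hint why. Consider surfacing the fallback in `openvpn_binary_detect_version_cached`, e.g. `if (*cached == OPENVPN_BINARY_VERSION_UNKNOWN) _LOGW ("could not detect version of %s, assuming tls-remote is still supported", exepath);`. The rewrite to `--verify-x509-name NAME name` alters the server-certificate check — the commit message itself says the two options are not equivalent and may accept a server the old check rejected — yet the code records that only in a runtime warning; a comment at that branch such as `/* not equivalent to --tls-remote: the checks differ, so a peer may be accepted or rejected where the old option would not have; see bgo#776045 */` keeps the risk visible to maintainers. The new `if (tls_remote)` rejection of configurations that set both keys is unconditional on the detected version, so it is a behavior change for OpenVPN 2.3 binaries too, which the commit message does not mention; note also that the nested hunks show only parts of nm_openvpn_start_openvpn_binary.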
@@ -49,7 +49,7 @@ the OpenVPN server with NetworkManager (GNOME files). %prep %setup -q -#%patch1 -p1 +%patch1 -p1 %build if [ ! -f configure ]; then @@ -97,6 +97,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la %{_datadir}/appdata/network-manager-openvpn.metainfo.xml %changelog +* Mon Feb 27 2017 Thomas Haller - 1:1.2.8-2 +- Workaround removed tls-remote option with Openvpn 2.4 (rh#1421241) + * Fri Feb 10 2017 Jon Ciesla - 1:1.2.8-1 - 1.2.8