You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
NetworkManager-openvpn/0001-tls-remote-workaround-...

472 lines
16 KiB

From 40ee847d32c11d0bc7c1b06fefa9a9ef8e2b0570 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Mon, 13 Feb 2017 12:30:16 +0100
Subject: [PATCH 1/4] service: avoid strlen() for checking whether a string is
empty
Possibly the compiler can optimize it not to evaluate the full string length,
just to verify whether the string is empty. Still, I think it's bad style.
(cherry picked from commit 2a4a4a49d8b97e3cbe37307f6b6c1053df946ce4)
---
src/nm-openvpn-service.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index d7bd29f..d6e36a6 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -1406,7 +1406,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
/* Cipher */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CIPHER);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--cipher");
add_openvpn_arg (args, tmp);
}
@@ -1419,7 +1419,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
/* Keysize */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEYSIZE);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--keysize");
if (!add_openvpn_arg_int (args, tmp)) {
g_set_error (error,
@@ -1440,25 +1440,25 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
/* TA */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--tls-auth");
add_openvpn_arg_utf8safe (args, tmp);
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TA_DIR);
- if (tmp && strlen (tmp))
+ if (tmp && tmp[0])
add_openvpn_arg (args, tmp);
}
/* tls-remote */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--tls-remote");
add_openvpn_arg (args, tmp);
}
/* verify-x509-name */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
const char *name;
gs_free char *type = NULL;
@@ -1483,7 +1483,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
/* remote-cert-tls */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--remote-cert-tls");
add_openvpn_arg (args, tmp);
}
@@ -1500,7 +1500,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
if (!connection_type_is_tls_mode (connection_type)) {
/* Ignore --reneg-sec option if we are not in TLS mode (as enabled
* by --client below). openvpn will error out otherwise, see bgo#749050. */
- } else if (tmp && strlen (tmp)) {
+ } else if (tmp && tmp[0]) {
add_openvpn_arg (args, "--reneg-sec");
if (!add_openvpn_arg_int (args, tmp)) {
g_set_error (error,
@@ -1532,7 +1532,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
/* TUN MTU size */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TUNNEL_MTU);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--tun-mtu");
if (!add_openvpn_arg_int (args, tmp)) {
g_set_error (error,
@@ -1546,7 +1546,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
/* fragment size */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_FRAGMENT_SIZE);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--fragment");
if (!add_openvpn_arg_int (args, tmp)) {
g_set_error (error,
@@ -1620,12 +1620,12 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
add_cert_args (args, s_vpn);
} else if (!strcmp (connection_type, NM_OPENVPN_CONTYPE_STATIC_KEY)) {
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--secret");
add_openvpn_arg_utf8safe (args, tmp);
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION);
- if (tmp && strlen (tmp))
+ if (tmp && tmp[0])
add_openvpn_arg (args, tmp);
}
@@ -1659,7 +1659,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
add_openvpn_arg (args, "--auth-user-pass");
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_CA);
- if (tmp && strlen (tmp)) {
+ if (tmp && tmp[0]) {
add_openvpn_arg (args, "--ca");
add_openvpn_arg_utf8safe (args, tmp);
}
--
2.9.3
From 1a21babccc3eb77c5b4a2953e7c45aaec670b120 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Mon, 13 Feb 2017 11:31:40 +0100
Subject: [PATCH 2/4] service: minor refactoring of nm_find_openvpn()
And rename to openvpn_binary_find_exepath().
The prefix "openvpn_binary_" will be used for related functions.
(cherry picked from commit 05cb6356bb4d27fb1c2ca5f8a7bfdf23fe424f0c)
---
src/nm-openvpn-service.c | 41 ++++++++++++++++++++---------------------
1 file changed, 20 insertions(+), 21 deletions(-)
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index d6e36a6..d88ed19 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -188,6 +188,25 @@ _LOGD_enabled (void)
/*****************************************************************************/
+static const char *
+openvpn_binary_find_exepath (void)
+{
+ static const char *paths[] = {
+ "/usr/sbin/openvpn",
+ "/sbin/openvpn",
+ "/usr/local/sbin/openvpn",
+ };
+ int i;
+
+ for (i = 0; i < G_N_ELEMENTS (paths); i++) {
+ if (g_file_test (paths[i], G_FILE_TEST_EXISTS))
+ return paths[i];
+ }
+ return NULL;
+}
+
+/*****************************************************************************/
+
static void
pids_pending_data_free (PidsPendingData *pid_data)
{
@@ -886,26 +905,6 @@ connection_type_is_tls_mode (const char *connection_type)
|| strcmp (connection_type, NM_OPENVPN_CONTYPE_PASSWORD_TLS) == 0;
}
-static const char *
-nm_find_openvpn (void)
-{
- static const char *openvpn_binary_paths[] = {
- "/usr/sbin/openvpn",
- "/sbin/openvpn",
- "/usr/local/sbin/openvpn",
- NULL
- };
- const char **openvpn_binary = openvpn_binary_paths;
-
- while (*openvpn_binary != NULL) {
- if (g_file_test (*openvpn_binary, G_FILE_TEST_EXISTS))
- break;
- openvpn_binary++;
- }
-
- return *openvpn_binary;
-}
-
static void
add_openvpn_arg (GPtrArray *args, const char *arg)
{
@@ -1154,7 +1153,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
return FALSE;
/* Find openvpn */
- openvpn_binary = nm_find_openvpn ();
+ openvpn_binary = openvpn_binary_find_exepath ();
if (!openvpn_binary) {
g_set_error_literal (error,
NM_VPN_PLUGIN_ERROR,
--
2.9.3
From adc7dd5148c12917eee1c2c92ddb605e2ecd6b2c Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Mon, 13 Feb 2017 12:30:26 +0100
Subject: [PATCH 3/4] service: for OpenVPN 2.4 and newer, handle --tls-remote
option via --verify-x509-name
The tls-remote option got removed from OpenVPN 2.4. This requires users
to fix their existing configurations to use verify-x509-name instead.
Using tls-remote on a recent OpenVPN binary thus fails to establish
the connection, which is an annoyance for the user. Let the plugin
automatically convert the "tls-remote $NAME" option to "verify-x509-name
$NAME name". Note that the two options are not entirely equivalent, thus
the is a chance that this wrongly rejects a server that would have worked
before, or ever worse, that it wronlgy accepts a server that would have
been rejected.
But in most common cases, the workaround should work fine.
The user is still strongly encouraged to update his configuration.
https://bugzilla.gnome.org/show_bug.cgi?id=776045
https://bugzilla.redhat.com/show_bug.cgi?id=1421241
(cherry picked from commit f7421ef277222bd640c432afefc21ef5a98477bc)
---
src/nm-openvpn-service.c | 87 ++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 85 insertions(+), 2 deletions(-)
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index d88ed19..fa59537 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -70,6 +70,13 @@ G_DEFINE_TYPE (NMOpenvpnPlugin, nm_openvpn_plugin, NM_TYPE_VPN_SERVICE_PLUGIN)
#define NM_OPENVPN_PLUGIN_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), NM_TYPE_OPENVPN_PLUGIN, NMOpenvpnPluginPrivate))
+typedef enum {
+ OPENVPN_BINARY_VERSION_INVALID,
+ OPENVPN_BINARY_VERSION_UNKNOWN,
+ OPENVPN_BINARY_VERSION_2_3_OR_OLDER,
+ OPENVPN_BINARY_VERSION_2_4_OR_NEWER,
+} OpenvpnBinaryVersion;
+
typedef struct {
char *default_username;
char *username;
@@ -205,6 +212,64 @@ openvpn_binary_find_exepath (void)
return NULL;
}
+static OpenvpnBinaryVersion
+openvpn_binary_detect_version (const char *exepath)
+{
+ gs_free char *s_stdout = NULL;
+ const char *s;
+ int exit_code;
+ int n;
+
+ g_return_val_if_fail (exepath && exepath[0] == '/', OPENVPN_BINARY_VERSION_UNKNOWN);
+
+ if (!g_spawn_sync (NULL,
+ (char *[]) { (char *) exepath, "--version", NULL },
+ NULL,
+ G_SPAWN_STDERR_TO_DEV_NULL,
+ NULL,
+ NULL,
+ &s_stdout,
+ NULL,
+ &exit_code,
+ NULL))
+ return OPENVPN_BINARY_VERSION_UNKNOWN;
+
+ if ( !WIFEXITED (exit_code)
+ || WEXITSTATUS (exit_code) != 1) {
+ /* expect return code 1 (OPENVPN_EXIT_STATUS_USAGE) */
+ return OPENVPN_BINARY_VERSION_UNKNOWN;
+ }
+
+ /* the output for --version starts with title_string, which starts with PACKAGE_STRING,
+ * which looks like "OpenVPN 2.#...". Do a strict parsing here... */
+ if ( !s_stdout
+ || !g_str_has_prefix (s_stdout, "OpenVPN 2."))
+ return OPENVPN_BINARY_VERSION_UNKNOWN;
+ s = &s_stdout[NM_STRLEN ("OpenVPN 2.")];
+
+ if (!g_ascii_isdigit (s[0]))
+ return OPENVPN_BINARY_VERSION_UNKNOWN;
+
+ n = 0;
+ do {
+ if (n > G_MAXINT / 100)
+ return OPENVPN_BINARY_VERSION_UNKNOWN;
+ n = (n * 10) + (s[0] - '0');
+ } while (g_ascii_isdigit ((++s)[0]));
+
+ if (n <= 3)
+ return OPENVPN_BINARY_VERSION_2_3_OR_OLDER;
+ return OPENVPN_BINARY_VERSION_2_4_OR_NEWER;
+}
+
+static OpenvpnBinaryVersion
+openvpn_binary_detect_version_cached (const char *exepath, OpenvpnBinaryVersion *cached)
+{
+ if (G_UNLIKELY (*cached == OPENVPN_BINARY_VERSION_INVALID))
+ *cached = openvpn_binary_detect_version (exepath);
+ return *cached;
+}
+
/*****************************************************************************/
static void
@@ -1119,12 +1184,14 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
gboolean dev_type_is_tap;
char *stmp;
const char *defport, *proto_tcp;
+ const char *tls_remote = NULL;
const char *nm_openvpn_user, *nm_openvpn_group, *nm_openvpn_chroot;
gs_free char *bus_name = NULL;
NMSettingVpn *s_vpn;
const char *connection_type;
gint64 v_int64;
char sbuf_64[65];
+ OpenvpnBinaryVersion openvpn_binary_version = OPENVPN_BINARY_VERSION_INVALID;
s_vpn = nm_connection_get_setting_vpn (connection);
if (!s_vpn) {
@@ -1451,8 +1518,17 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
/* tls-remote */
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE);
if (tmp && tmp[0]) {
- add_openvpn_arg (args, "--tls-remote");
- add_openvpn_arg (args, tmp);
+ if (openvpn_binary_detect_version_cached (openvpn_binary, &openvpn_binary_version) != OPENVPN_BINARY_VERSION_2_4_OR_NEWER) {
+ _LOGW ("the tls-remote option is deprecated and removed from OpenVPN 2.4. Update your connection to use verify-x509-name");
+ add_openvpn_arg (args, "--tls-remote");
+ add_openvpn_arg (args, tmp);
+ } else {
+ _LOGW ("the tls-remote option is deprecated and removed from OpenVPN 2.4. For compatibility, the plugin uses \"verify-x509-name\" \"%s\" \"name\" instead. Update your connection to use verify-x509-name", tmp);
+ add_openvpn_arg (args, "--verify-x509-name");
+ add_openvpn_arg (args, tmp);
+ add_openvpn_arg (args, "name");
+ }
+ tls_remote = tmp;
}
/* verify-x509-name */
@@ -1461,6 +1537,13 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
const char *name;
gs_free char *type = NULL;
+ if (tls_remote) {
+ g_set_error (error, NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+ _("Invalid configuration with tls-remote and verify-x509-name."));
+ return FALSE;
+ }
+
name = strchr (tmp, ':');
if (name) {
type = g_strndup (tmp, name - tmp);
--
2.9.3
From 11049e7c888fcc74896b34ea86f09d38a561fc35 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Mon, 13 Feb 2017 12:56:27 +0100
Subject: [PATCH 4/4] properties: discourage use of tls-remote in GUI
Mark the entry as "error" when selecting the deprecated
tls-remote option.
This is to make it more apparent to the user that he
should avoid this setting.
(cherry picked from commit 1c2986b8881b3b28d493f66cc804da12712cc2a7)
---
properties/auth-helpers.c | 14 ++++++++++++--
properties/import-export.c | 2 +-
properties/nm-openvpn-dialog.ui | 2 ++
3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c
index 4d1e1ce..2f880dd 100644
--- a/properties/auth-helpers.c
+++ b/properties/auth-helpers.c
@@ -1211,7 +1211,7 @@ populate_tls_remote_mode_entry_combo (GtkEntry* entry, GtkComboBox *box,
gtk_list_store_append (store, &iter);
gtk_list_store_set (store, &iter,
- TLS_REMOTE_MODE_COL_NAME, _("Verify subject partially (legacy mode)"),
+ TLS_REMOTE_MODE_COL_NAME, _("Verify subject partially (legacy mode, strongly discouraged)"),
TLS_REMOTE_MODE_COL_VALUE, TLS_REMOTE_MODE_LEGACY,
-1);
@@ -1250,6 +1250,7 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data)
GtkWidget *entry, *combo, *ok_button;
GtkTreeIter iter;
gboolean entry_enabled = TRUE, entry_has_error = FALSE;
+ gboolean legacy_tls_remote = FALSE;
entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_entry"));
combo = GTK_WIDGET (gtk_builder_get_object (builder, "tls_remote_mode_combo"));
@@ -1272,6 +1273,7 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data)
entry_enabled = TRUE;
entry_has_error = !subject || !subject[0];
+ legacy_tls_remote = nm_streq (tls_remote_mode, TLS_REMOTE_MODE_LEGACY);
}
}
@@ -1280,9 +1282,17 @@ tls_remote_changed (GtkWidget *widget, gpointer user_data)
widget_set_error (entry);
gtk_widget_set_sensitive (ok_button, FALSE);
} else {
- widget_unset_error (entry);
+ if (legacy_tls_remote) {
+ /* selecting tls-remote is not an error, but strongly discouraged. I wish
+ * there would be a warning-class as well. Anyway, mark the widget as
+ * erroneous, although this doesn't make the connection invalid (which
+ * is an ugly inconsistency). */
+ widget_set_error (entry);
+ } else
+ widget_unset_error (entry);
gtk_widget_set_sensitive (ok_button, TRUE);
}
+
}
static void
diff --git a/properties/import-export.c b/properties/import-export.c
index 1993026..7b42e0b 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1256,7 +1256,7 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
}
if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_VERIFY_X509_NAME)) {
- const char *type = "subject";
+ const char *type = NM_OPENVPN_VERIFY_X509_NAME_TYPE_SUBJECT;
gs_free char *item = NULL;
if (!args_params_check_nargs_minmax (params, 1, 2, &line_error))
diff --git a/properties/nm-openvpn-dialog.ui b/properties/nm-openvpn-dialog.ui
index b2ca176..5558b70 100644
--- a/properties/nm-openvpn-dialog.ui
+++ b/properties/nm-openvpn-dialog.ui
@@ -1918,6 +1918,8 @@ When enabled, connection will only succeed if the server certificate matches som
Matching can either apply to the whole certificate subject (all the fields),
or just the Common Name (CN field).
+The legacy option tls-remote is deprecated and removed from OpenVPN 2.4 and newer. Do not use it anymore.
+
config: verify-x509-name subject-or-name [mode]
config (legacy mode): tls-remote subject-or-name</property>
<property name="model">model9</property>
--
2.9.3