[NetworkManager-openvpn/bg/tls-min-or-highest: 12/12] all: support tls-min "or-highest"
- From: Beniamino Galvani <bgalvani src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [NetworkManager-openvpn/bg/tls-min-or-highest: 12/12] all: support tls-min "or-highest"
- Date: Tue, 12 Jul 2022 16:39:47 +0000 (UTC)
commit 19e9795ef33c49083795917627367818ceb9dfc0
Author: Beniamino Galvani <bgalvani redhat com>
Date: Wed Jul 6 12:07:41 2022 +0200
all: support tls-min "or-highest"
Support the "or-highest" keyword in:
tls-version-min $version ['or-highest']
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/90
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/51
properties/import-export.c | 18 +++++++++++++++---
properties/nm-openvpn-dialog.ui | 17 ++++++++++++++++-
properties/nm-openvpn-editor.c | 12 ++++++++++++
properties/tests/conf/tls4.ovpn | 2 +-
properties/tests/test-import-export.c | 1 +
shared/nm-service-defines.h | 1 +
src/nm-openvpn-service.c | 6 +++++-
7 files changed, 51 insertions(+), 6 deletions(-)
---
diff --git a/properties/import-export.c b/properties/import-export.c
index c3ace34..11db39e 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1244,11 +1244,19 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
}
if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_VERSION_MIN)) {
- if (!args_params_check_nargs_n (params, 1, &line_error))
+ if (!args_params_check_nargs_minmax (params, 1, 2, &line_error))
goto handle_line_error;
if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
goto handle_line_error;
setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, params[1]);
+ if (params[2]) {
+ if (nm_streq (params[2], "or-highest")) {
+ setting_vpn_add_data_item (s_vpn,
NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST, "yes");
+ } else {
+ line_error = g_strdup_printf (_("invalid keyword ā%sā in
tls-version-min"), params[2]);
+ goto handle_line_error;
+ }
+ }
continue;
}
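Review bot: params[2] is interpolated into the error text at `line_error = g_strdup_printf (_("invalid keyword …"), params[2]);` without the UTF-8 check that params[1] receives via `args_params_check_arg_utf8` a few lines earlier, so a config carrying non-UTF-8 bytes after the version yields a GError message that is itself not valid UTF-8 when it reaches the UI or the log. Mirroring the existing check before the comparison keeps the message well-formed: `if (params[2] && !args_params_check_arg_utf8 (params, 2, NULL, &line_error)) goto handle_line_error;` (assuming the helper indexes `params` by position, as its use with index 1 suggests). The quote glyphs around `%s` render as `ā` in this view; worth confirming the committed bytes are the curly quotes the file uses elsewhere. do_import continues outside the hunk.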
@@ -2213,8 +2221,12 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
}
key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
- if (nmovpn_arg_is_set (key))
- args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MIN, key);
+ if (nmovpn_arg_is_set (key)) {
+ const char *or_highest = nm_setting_vpn_get_data_item (s_vpn,
NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST);
+
+ args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MIN, key,
+ nm_streq0 (or_highest, "yes") ? "or-highest" : NULL);
+ }
key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
if (nmovpn_arg_is_set (key))
diff --git a/properties/nm-openvpn-dialog.ui b/properties/nm-openvpn-dialog.ui
index b9dd646..24d36f5 100644
--- a/properties/nm-openvpn-dialog.ui
+++ b/properties/nm-openvpn-dialog.ui
@@ -2330,7 +2330,7 @@ config: extra-certs <file></property>
<object class="GtkEntry" id="tls_version_min">
<property name="visible">True</property>
<property name="can_focus">True</property>
- <property name="tooltip_text" translatable="yes"> Sets the minimum TLS version
we will accept from the peer (default is "1.0"). Examples for version include "1.0", "1.1", or "1.2". If
'or-highest' is specified and version is not recognized, we will only accept the highest TLS version
supported by the local SSL implementation.</property>
+ <property name="tooltip_text" translatable="yes"> Sets the minimum TLS version
we will accept from the peer (default is "1.0"). Examples for version include "1.0", "1.1", or
"1.2".</property>
<property name="hexpand">True</property>
</object>
<packing>
@@ -2363,6 +2363,21 @@ config: extra-certs <file></property>
<property name="top_attach">1</property>
</packing>
</child>
+ <child>
+ <object class="GtkCheckButton" id="tls_version_min_or_highest">
+ <property name="label" translatable="yes">_or highest</property>
+ <property name="visible">True</property>
+ <property name="can-focus">True</property>
+ <property name="tooltip_text" translatable="yes">If set and version is not
recognized, we will only accept the highest TLS version supported by the local SSL implementation.</property>
+ <property name="receives-default">False</property>
+ <property name="use-underline">True</property>
+ <property name="draw_indicator">True</property>
+ </object>
+ <packing>
+ <property name="left_attach">2</property>
+ <property name="top_attach">0</property>
+ </packing>
+ </child>
</object>
<packing>
<property name="left_attach">0</property>
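Review bot: The new GtkCheckButton mixes property-name spellings — `can-focus`, `receives-default`, `use-underline` next to `draw_indicator`, `tooltip_text`, `left_attach` — while the neighbouring `tls_version_min` entry in this file uses the underscore form throughout. GtkBuilder accepts both, but one form per file reads better, e.g. `<property name="can_focus">True</property>`, `<property name="receives_default">False</property>`, `<property name="use_underline">True</property>`. The enclosing grid object starts outside the hunk.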
diff --git a/properties/nm-openvpn-editor.c b/properties/nm-openvpn-editor.c
index 274b823..64978f2 100644
--- a/properties/nm-openvpn-editor.c
+++ b/properties/nm-openvpn-editor.c
@@ -812,6 +812,7 @@ static const char *const advanced_keys[] = {
NM_OPENVPN_KEY_TLS_CRYPT_V2,
NM_OPENVPN_KEY_TLS_REMOTE,
NM_OPENVPN_KEY_TLS_VERSION_MIN,
+ NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST,
NM_OPENVPN_KEY_TLS_VERSION_MAX,
NM_OPENVPN_KEY_TUNNEL_MTU,
NM_OPENVPN_KEY_TUN_IPV6,
@@ -1956,6 +1957,10 @@ advanced_dialog_new (GHashTable *hash, const char *contype)
if (value && *value) {
widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min"));
gtk_editable_set_text (GTK_EDITABLE (widget), value);
+
+ value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST);
+ widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min_or_highest"));
+ gtk_check_button_set_active(GTK_CHECK_BUTTON (widget), nm_streq0 (value, "yes"));
}
value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX);
if (value && *value) {
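Review bot: The call `gtk_check_button_set_active(GTK_CHECK_BUTTON (widget), nm_streq0 (value, "yes"));` drops the space before the opening parenthesis that every other call in this hunk keeps (`gtk_editable_set_text (...)`, `g_hash_table_lookup (...)`). The same slip recurs at `GTK_CHECK_BUTTON(widget)` in advanced_dialog_new_hash_from_dialog, at `NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST,G_TYPE_BOOLEAN` in the valid_properties table and at `nm_streq0(or_highest, "yes")` in nm_openvpn_start_openvpn_binary, which also leaves an empty line before its closing brace. Suggested here: `gtk_check_button_set_active (GTK_CHECK_BUTTON (widget), nm_streq0 (value, "yes"));`. advanced_dialog_new continues outside the hunk.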
@@ -2190,6 +2195,13 @@ advanced_dialog_new_hash_from_dialog (GtkWidget *dialog)
if (value && *value)
g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN, g_strdup (value));
+ widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min_or_highest"));
+ if (gtk_check_button_get_active (GTK_CHECK_BUTTON(widget))) {
+ g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST, g_strdup ("yes"));
+ } else {
+ g_hash_table_remove (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST);
+ }
+
entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max"));
value = gtk_editable_get_text (GTK_EDITABLE (entry));
if (value && *value)
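Review bot: The `tls_version_min_or_highest` flag is written to the hash whenever the check button is active, even when the `tls_version_min` text checked two lines above is empty, so a connection can end up carrying `tls-version-min-or-highest=yes` with no version. That is harmless at runtime, because the service and the exporter only read the flag under `nmovpn_arg_is_set`, but it leaves a stale key that the loading side (which reads the flag inside the version's `if (value && *value)` block) silently ignores. Guarding the insert the same way keeps both directions symmetric and lets the else branch clear the stale key: `if (value && *value && gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))) {`. advanced_dialog_new_hash_from_dialog continues outside the hunk.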
diff --git a/properties/tests/conf/tls4.ovpn b/properties/tests/conf/tls4.ovpn
index d6ab2bf..99d6588 100644
--- a/properties/tests/conf/tls4.ovpn
+++ b/properties/tests/conf/tls4.ovpn
@@ -24,5 +24,5 @@ verify-x509-name "C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list@
comp-lzo
verb 3
-tls-version-min 1.0
+tls-version-min 1.0 or-highest
tls-version-max 1.2
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index 9db42d0..3fd6412 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
@@ -470,6 +470,7 @@ test_tls_import_4 (void)
_check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, "1.0");
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST, "yes");
_check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX, "1.2");
}
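Review bot: The test only pins the accepted keyword; the new rejection branch in do_import (an unrecognized third argument to tls-version-min) has no coverage, so a regression that silently ignores or misparses the extra token would pass. A second fixture with an unknown keyword after the version, asserting that the import fails with an error, would cover it; the existing `_check_item` for the "yes" value is fine as is.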
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index 44a83f6..bd12ec3 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -80,6 +80,7 @@
#define NM_OPENVPN_KEY_TLS_CRYPT_V2 "tls-crypt-v2"
#define NM_OPENVPN_KEY_TLS_REMOTE "tls-remote"
#define NM_OPENVPN_KEY_TLS_VERSION_MIN "tls-version-min"
+#define NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST "tls-version-min-or-highest"
#define NM_OPENVPN_KEY_TLS_VERSION_MAX "tls-version-max"
#define NM_OPENVPN_KEY_TUNNEL_MTU "tunnel-mtu"
#define NM_OPENVPN_KEY_TUN_IPV6 "tun-ipv6"
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index af57227..3731e89 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -197,6 +197,7 @@ static const ValidProperty valid_properties[] = {
{ NM_OPENVPN_KEY_NOSECRET, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD_FLAGS, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_TLS_VERSION_MIN, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST,G_TYPE_BOOLEAN, 0, 0, FALSE },
{ NM_OPENVPN_KEY_TLS_VERSION_MAX, G_TYPE_STRING, 0, 0, FALSE },
{ NULL, G_TYPE_NONE, FALSE }
};
@@ -1726,8 +1727,11 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
}
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
if (nmovpn_arg_is_set (tmp)) {
+ const char *or_highest = nm_setting_vpn_get_data_item (s_vpn,
NM_OPENVPN_KEY_TLS_VERSION_MIN_OR_HIGHEST);
+
args_add_strv (args, "--tls-version-min");
- args_add_strv (args, tmp);
+ args_add_strv0 (args, tmp, nm_streq0(or_highest, "yes") ? "or-highest" : NULL);
+
}
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
if (nmovpn_arg_is_set (tmp)) {