[NetworkManager-openvpn/th/auth-validation: 1/2] service: pass "--auth" parameter directly to openvpn without validation



commit ded921cbdc1391bf54b19258d8160ff624eb9060
Author: Thomas Haller <thaller redhat com>
Date:   Thu Sep 27 08:45:06 2018 +0200

    service: pass "--auth" parameter directly to openvpn without validation
    
    The "auth" parameter is the digest that openvpn directly passes
    to the crypto library (openssl or mbedtls). It really depends
    on what the crypto library supports. For example, openssl
    is fine with both "SHA1" and lower case "sha1".
    
    Don't do any validation of the parameter, just pass it to openvpn.
    Before, a lower case value like "sha1" would have been rejected.
    There is no need for the plugin to understand and validate the
    selected auth parameter.
    
    https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/issues/8

 src/nm-openvpn-service.c | 35 ++++++-----------------------------
 1 file changed, 6 insertions(+), 29 deletions(-)
---
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 7a04258..46bce99 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -227,20 +227,6 @@ _LOGD_enabled (void)
 
 /*****************************************************************************/
 
-static gboolean
-validate_auth (const char *auth)
-{
-       return NM_IN_STRSET (auth, NM_OPENVPN_AUTH_NONE,
-                                  NM_OPENVPN_AUTH_RSA_MD4,
-                                  NM_OPENVPN_AUTH_MD5,
-                                  NM_OPENVPN_AUTH_SHA1,
-                                  NM_OPENVPN_AUTH_SHA224,
-                                  NM_OPENVPN_AUTH_SHA256,
-                                  NM_OPENVPN_AUTH_SHA384,
-                                  NM_OPENVPN_AUTH_SHA512,
-                                  NM_OPENVPN_AUTH_RIPEMD160);
-}
-
 static gboolean
 validate_connection_type (const char *ctype)
 {
@@ -1009,7 +995,8 @@ handle_management_socket (NMOpenvpnPlugin *plugin,
 {
        NMOpenvpnPluginPrivate *priv = NM_OPENVPN_PLUGIN_GET_PRIVATE (plugin);
        gboolean again = TRUE;
-       char *str = NULL, *auth = NULL;
+       char *str = NULL;
+       char *auth;
        const char *message = NULL;
 
        g_assert (out_failure);
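Review bot: Dropping the `= NULL` initializer on `char *auth;` leaves the pointer indeterminate until its first assignment. The rest of handle_management_socket is outside this hunk, so it is not visible whether every path assigns it before it is read or passed to g_free(). Unless that has been checked, keeping `char *auth = NULL;` costs nothing and protects against a later edit that adds an early exit or a shared cleanup path. The change is also unrelated to the --auth validation this commit is about, so it would be easier to review as a separate commit.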
@@ -1326,7 +1313,7 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
                                  GError **error)
 {
        NMOpenvpnPluginPrivate *priv = NM_OPENVPN_PLUGIN_GET_PRIVATE (plugin);
-       const char *openvpn_binary, *auth, *tmp, *tmp2, *tmp3, *tmp4;
+       const char *openvpn_binary, *tmp, *tmp2, *tmp3, *tmp4;
        gs_unref_ptrarray GPtrArray *args = NULL;
        GPid pid;
        gboolean dev_type_is_tap;
@@ -1377,17 +1364,6 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
                return FALSE;
        }
 
-       auth = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_AUTH);
-       if (auth) {
-               if (!validate_auth (auth)) {
-                       g_set_error_literal (error,
-                                            NM_VPN_PLUGIN_ERROR,
-                                            NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-                                            _("Invalid HMAC auth."));
-                       return FALSE;
-               }
-       }
-
        args = g_ptr_array_new_with_free_func (g_free);
 
        args_add_strv (args, openvpn_binary);
@@ -1651,8 +1627,9 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
                }
        }
 
-       if (auth)
-               args_add_strv (args, "--auth", auth);
+       tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_AUTH);
+       if (tmp)
+               args_add_strv (args, "--auth", tmp);
 
        args_add_strv (args, "--auth-nocache");
 
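Review bot: The value of NM_OPENVPN_KEY_AUTH now reaches `args_add_strv (args, "--auth", tmp);` with no check at all, so an empty string or a value beginning with `-` is handed to openvpn as the next argv element. It is a separate argv entry, so no shell is involved, but openvpn's command-line parser may treat a `-`-prefixed value as another option rather than as a digest name. A purely syntactic guard keeps the commit's intent of leaving the digest list to the crypto library: test `if (tmp && (tmp[0] == '\0' || tmp[0] == '-'))` and fail with the same `NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS` error and `return FALSE;` that the removed block used. nm_openvpn_start_openvpn_binary starts and ends outside this hunk, so whether the other `tmp` values get comparable checks is not visible here.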

