[NetworkManager-openvpn] Add support for OpenVPN's --data-ciphers
- From: Thomas Haller <thaller src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [NetworkManager-openvpn] Add support for OpenVPN's --data-ciphers
- Date: Mon, 3 Oct 2022 19:59:35 +0000 (UTC)
commit 963b71a83ee18728bb3707945b327cff137b2b57
Author: Gard Spreemann <gspr nonempty org>
Date: Tue Jun 21 12:59:26 2022 +0200
Add support for OpenVPN's --data-ciphers
It used to be the case that OpenVPN added the cipher from --cipher to
the ones provided by --data-ciphers. As of OpenVPN 2.6, that is no
longer the case.
This patch adds rudimentary support for OpenVPN's --data-ciphers. The
argument is treated exactly like the "cipher" field in a connection's
.data, and thus passes a "data-ciphers" field in .data directly on to
OpenVPN's --data-ciphers. This may not be appropriate in a GUI/TUI, as
--data-ciphers is a colon-separated list, but is here treated as an
opaque string.
The patch has only been lightly tested: It compiles and works with a
connection that needed "data-ciphers = AES-128-CBC", and that was
broken with only "cipher = AES-128-CBC" when upgrading to OpenVPN 2.6.
https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/46
properties/import-export.c | 11 +++++++++++
properties/tests/test-import-export.c | 12 ++++++++++++
shared/nm-service-defines.h | 1 +
shared/utils.h | 1 +
src/nm-openvpn-service.c | 3 +++
5 files changed, 28 insertions(+)
---
diff --git a/properties/import-export.c b/properties/import-export.c
index db453e9..9659cb8 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1363,6 +1363,15 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
continue;
}
+ if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_DATA_CIPHERS)) {
+ if (!args_params_check_nargs_n (params, 1, &line_error))
+ goto handle_line_error;
+ if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+ goto handle_line_error;
+ setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, params[1]);
+ continue;
+ }
+
if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_CIPHER)) {
if (!args_params_check_nargs_n (params, 1, &line_error))
goto handle_line_error;
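Review bot: The new branch only matches the literal `data-ciphers` tag, so an .ovpn that uses the older spelling of the same option falls through to whatever the generic handling below does instead of landing in NM_OPENVPN_KEY_DATA_CIPHERS. If I recall correctly OpenVPN 2.5 introduced `--data-ciphers` as a rename of `--ncp-ciphers` and kept the old name as a deprecated alias, and such files are still common in the wild; the plugin already knows the ncp family (NM_OPENVPN_KEY_NCP_DISABLE is in the property table). If that alias is confirmed, add `#define NMV_OVPN_TAG_NCP_CIPHERS "ncp-ciphers"` next to the new tag and match both: `if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_DATA_CIPHERS, NMV_OVPN_TAG_NCP_CIPHERS)) {`. The validation itself (one argument, UTF-8) matches the neighbouring tls-cipher branch, which is fine since OpenVPN splits the colon list itself. do_import starts and ends outside this hunk.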
@@ -2106,6 +2115,8 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
args_write_line_setting_value (f, NMV_OVPN_TAG_CIPHER, s_vpn, NM_OPENVPN_KEY_CIPHER);
+ args_write_line_setting_value (f, NMV_OVPN_TAG_DATA_CIPHERS, s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS);
+
args_write_line_setting_value (f, NMV_OVPN_TAG_TLS_CIPHER, s_vpn, NM_OPENVPN_KEY_TLS_CIPHER);
args_write_line_setting_value_int (f, NMV_OVPN_TAG_KEYSIZE, s_vpn, NM_OPENVPN_KEY_KEYSIZE);
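Review bot: The exported value is written through args_write_line_setting_value exactly like `cipher`, which is consistent, but it deserves a comment because this is the one field that is documented (commit message) as an opaque colon-separated list rather than a single token: `/* data-ciphers is a colon-separated list; written verbatim, OpenVPN parses it */`. Whether args_write_line_setting_value quotes or rejects whitespace and embedded newlines is not visible here; if it does not, a value set via nmcli (which, unlike the import path, is not tokenised) could spill into extra directives in the exported file, though that would equally affect the existing `cipher` field and is not introduced by this commit. do_export_create starts and ends outside this hunk.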
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index 7f585d0..fc7cd72 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
@@ -221,6 +221,7 @@ test_password_import (void)
_check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, "AES-256-CBC");
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
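Review bot: Every new assertion in this file checks that NM_OPENVPN_KEY_DATA_CIPHERS is absent, so the actual feature — importing a `data-ciphers` line and carrying a colon-separated list through to the setting — is never exercised, and the commit message itself says the change was only lightly tested. One of the existing fixtures (for example the password.ovpn used by test_password_import, which already carries `cipher AES-256-CBC`) should gain a line such as `data-ciphers AES-256-GCM:AES-128-GCM`, with the matching positive check here: `_check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, "AES-256-GCM:AES-128-GCM");`. The export round-trip tests in this file (not in this hunk) should then pick up the new key too. test_password_import starts and ends outside this hunk.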
@@ -314,6 +315,7 @@ test_tls_import (void)
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -361,6 +363,7 @@ test_tls_import_2 (void)
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -405,6 +408,7 @@ test_tls_import_3 (void)
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -453,6 +457,7 @@ test_tls_import_4 (void)
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -525,6 +530,7 @@ test_tls_inline_import (void)
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -577,6 +583,7 @@ test_pkcs12_import (void)
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -618,6 +625,7 @@ test_pkcs12_with_ca_import (void)
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -686,6 +694,7 @@ test_static_key_import (gconstpointer test_data)
_check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, "10.8.0.2");
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, "10.8.0.1");
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -797,6 +806,7 @@ test_proxy_http_import (void)
_check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, "AES-256-CBC");
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -861,6 +871,7 @@ test_proxy_http_with_auth_import (void)
_check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, "AES-256-CBC");
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
@@ -899,6 +910,7 @@ test_proxy_socks_import (void)
_check_item (s_vpn, NM_OPENVPN_KEY_TA, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_TA_DIR, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, "AES-256-CBC");
+ _check_item (s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index c63c255..5055fc2 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -41,6 +41,7 @@
#define NM_OPENVPN_KEY_CONNECT_TIMEOUT "connect-timeout"
#define NM_OPENVPN_KEY_CRL_VERIFY_FILE "crl-verify-file"
#define NM_OPENVPN_KEY_CRL_VERIFY_DIR "crl-verify-dir"
+#define NM_OPENVPN_KEY_DATA_CIPHERS "data-ciphers"
#define NM_OPENVPN_KEY_DEV "dev"
#define NM_OPENVPN_KEY_DEV_TYPE "dev-type"
#define NM_OPENVPN_KEY_EXTRA_CERTS "extra-certs"
diff --git a/shared/utils.h b/shared/utils.h
index 216b708..d5a33ea 100644
--- a/shared/utils.h
+++ b/shared/utils.h
@@ -37,6 +37,7 @@
#define NMV_OVPN_TAG_COMPRESS "compress"
#define NMV_OVPN_TAG_CONNECT_TIMEOUT "connect-timeout"
#define NMV_OVPN_TAG_CRL_VERIFY "crl-verify"
+#define NMV_OVPN_TAG_DATA_CIPHERS "data-ciphers"
#define NMV_OVPN_TAG_DEV "dev"
#define NMV_OVPN_TAG_DEV_TYPE "dev-type"
#define NMV_OVPN_TAG_EXTRA_CERTS "extra-certs"
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index aeb0cdb..7fac66b 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -144,6 +144,7 @@ static const ValidProperty valid_properties[] = {
{ NM_OPENVPN_KEY_CONNECTION_TYPE, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_CRL_VERIFY_FILE, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_CRL_VERIFY_DIR, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_DATA_CIPHERS, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_EXTRA_CERTS, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_FLOAT, G_TYPE_BOOLEAN, 0, 0, FALSE },
{ NM_OPENVPN_KEY_NCP_DISABLE, G_TYPE_BOOLEAN, 0, 0, FALSE },
@@ -1673,6 +1674,8 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_CIPHER, "--cipher");
+ args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_DATA_CIPHERS, "--data-ciphers");
+
args_add_vpn_data (args, s_vpn, NM_OPENVPN_KEY_TLS_CIPHER, "--tls-cipher");
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEYSIZE);
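Review bot: The new `--data-ciphers` line is only emitted when the user has explicitly added the key, so the breakage described in the commit message — a profile with only `cipher = AES-128-CBC` that stops working on OpenVPN 2.6 because the cipher is no longer appended to the data-ciphers list — still hits every existing profile until each one is edited by hand. It is worth deciding here whether the daemon should reproduce the pre-2.6 behaviour itself when `cipher` is set and `data-ciphers` is not, for example by passing the configured cipher via `--data-ciphers-fallback` (for peers without cipher negotiation) or by including it in an explicit `--data-ciphers` list; which of the two is the right equivalent depends on the peer, so I am flagging the gap rather than prescribing the option. At minimum the intended interaction should be stated in a comment next to the two calls: `/* OpenVPN >= 2.6 no longer adds --cipher to --data-ciphers; users must set data-ciphers explicitly */`. nm_openvpn_start_openvpn_binary starts and ends outside this hunk.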