rpms/NetworkManager-openconnect/devel NetworkManager-openconnect-gwcert.patch, NONE, 1.1 NetworkManager-openconnect.spec, 1.10, 1.11
David Woodhouse
dwmw2 at fedoraproject.org
Wed May 27 12:46:52 UTC 2009
Author: dwmw2
Update of /cvs/pkgs/rpms/NetworkManager-openconnect/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28996
Modified Files:
NetworkManager-openconnect.spec
Added Files:
NetworkManager-openconnect-gwcert.patch
Log Message:
handle gwcert 'secret'
NetworkManager-openconnect-gwcert.patch:
--- NEW FILE NetworkManager-openconnect-gwcert.patch ---
commit c4f1f9deb95c95d42d28f1e28881d7a473ad9a20
Author: David Woodhouse <David.Woodhouse at intel.com>
Date: Tue May 26 18:44:25 2009 +0100
Pass server's SSL certificate signature to openconnect as VPN 'secret'.
Since we run openconnect as an unprivileged user, it may not be able to
read the original trust chain and validate the certificate for itself.
But since the auth-dialog has already connected to the server and done
the authentication, it can just give us the known signature for the
certificate the server is using today...
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index a5ef2c3..c4846ff 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -84,6 +84,7 @@ static ValidProperty valid_properties[] = {
static ValidProperty valid_secrets[] = {
{ NM_OPENCONNECT_KEY_COOKIE, G_TYPE_STRING, 0, 0 },
{ NM_OPENCONNECT_KEY_GATEWAY, G_TYPE_STRING, 0, 0 },
+ { NM_OPENCONNECT_KEY_GWCERT, G_TYPE_STRING, 0, 0 },
{ NULL, G_TYPE_NONE, 0, 0 }
};
@@ -258,7 +259,7 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
GPtrArray *openconnect_argv;
GSource *openconnect_watch;
gint stdin_fd;
- const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu;
+ const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu, *props_gwcert;
/* Find openconnect */
openconnect_binary = openconnect_binary_paths;
@@ -298,6 +299,7 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
"No WebVPN cookie provided.");
return -1;
}
+ props_gwcert = nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GWCERT);
props_cacert = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CACERT);
props_mtu = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_MTU);
@@ -305,7 +307,10 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
openconnect_argv = g_ptr_array_new ();
g_ptr_array_add (openconnect_argv, (gpointer) (*openconnect_binary));
- if (props_cacert && strlen(props_cacert)) {
+ if (props_gwcert && strlen(props_gwcert)) {
+ g_ptr_array_add (openconnect_argv, (gpointer) "--servercert");
+ g_ptr_array_add (openconnect_argv, (gpointer) props_gwcert);
+ } else if (props_cacert && strlen(props_cacert)) {
g_ptr_array_add (openconnect_argv, (gpointer) "--cafile");
g_ptr_array_add (openconnect_argv, (gpointer) props_cacert);
}
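Review bot: The new `--servercert` branch silently takes precedence over `--cafile`, and nothing here records that the pinned value is trusted only because the auth-dialog already validated the server. A comment above the `if` would make that trust assumption explicit, e.g. `/* Prefer the fingerprint the auth-dialog saw: openconnect runs unprivileged and may not be able to read the CA file. */`. The only constraint on the value visible in this patch is `G_TYPE_STRING` in `valid_secrets`, so it is worth confirming that an empty or malformed string cannot leave the connection effectively unpinned. The function body starts and ends outside this hunk.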
@@ -413,6 +418,10 @@ real_need_secrets (NMVPNPlugin *plugin,
*setting_name = NM_SETTING_VPN_SETTING_NAME;
return TRUE;
}
+ if (!nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_GWCERT)) {
+ *setting_name = NM_SETTING_VPN_SETTING_NAME;
+ return TRUE;
+ }
return FALSE;
}
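Review bot: The added check in real_need_secrets looks up `gwcert` with `nm_setting_vpn_get_data_item()`, but this same patch registers the key in `valid_secrets` and reads it with `nm_setting_vpn_get_secret()` in nm_openconnect_start_openconnect_binary. If the auth-dialog delivers the fingerprint only as a secret, the data-item lookup stays NULL and the plugin keeps reporting that secrets are needed even when the fingerprint is present. The check should presumably read `if (!nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GWCERT)) {`. The earlier checks in this function are outside the hunk, so confirm which accessor they use.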
diff --git a/src/nm-openconnect-service.h b/src/nm-openconnect-service.h
index 27076cd..98c5026 100644
--- a/src/nm-openconnect-service.h
+++ b/src/nm-openconnect-service.h
@@ -42,6 +42,7 @@
#define NM_OPENCONNECT_KEY_GATEWAY "gateway"
#define NM_OPENCONNECT_KEY_COOKIE "cookie"
+#define NM_OPENCONNECT_KEY_GWCERT "gwcert"
#define NM_OPENCONNECT_KEY_AUTHTYPE "authtype"
#define NM_OPENCONNECT_KEY_USERCERT "usercert"
#define NM_OPENCONNECT_KEY_CACERT "cacert"
Index: NetworkManager-openconnect.spec
===================================================================
RCS file: /cvs/pkgs/rpms/NetworkManager-openconnect/devel/NetworkManager-openconnect.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- NetworkManager-openconnect.spec 9 May 2009 16:51:53 -0000 1.10
+++ NetworkManager-openconnect.spec 27 May 2009 12:46:22 -0000 1.11
@@ -8,7 +8,7 @@
Summary: NetworkManager VPN integration for openconnect
Name: NetworkManager-openconnect
Version: 0.7.0.99
-Release: 3%{svn_snapshot}%{?dist}
+Release: 4%{svn_snapshot}%{?dist}
License: GPLv2+
Group: System Environment/Base
URL: http://www.gnome.org/projects/NetworkManager/
@@ -17,6 +17,7 @@ Patch0: NetworkManager-openconnect-up
Patch1: NetworkManager-openconnect-allow-lasthost-autoconnect.patch
Patch2: NetworkManager-openconnect-allow-form-opts.patch
Patch3: NetworkManager-openconnect-mtu.patch
+Patch4: NetworkManager-openconnect-gwcert.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: gtk2-devel >= %{gtk2_version}
@@ -49,6 +50,7 @@ with NetworkManager and the GNOME deskto
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
%build
%configure --enable-more-warnings=yes
@@ -103,6 +105,10 @@ fi
%{_datadir}/gnome-vpn-properties/openconnect/nm-openconnect-dialog.glade
%changelog
+* Wed May 27 2009 David Woodhouse <David.Woodhouse at intel.com> 1:0.7.0.99-4
+- Handle 'gwcert' as a VPN secret, because openconnect might not be able
+ to read the user's cacert file when it runs as an unprivileged user.
+
* Sat May 9 2009 David Woodhouse <David.Woodhouse at intel.com> 1:0.7.0.99-3
- Accept 'form:*' keys in gconf
- Allow setting of MTU option in gconf