rpms/NetworkManager-openconnect/devel NetworkManager-openconnect-gwcert.patch, NONE, 1.1 NetworkManager-openconnect.spec, 1.10, 1.11

David Woodhouse dwmw2 at fedoraproject.org
Wed May 27 12:46:52 UTC 2009


Author: dwmw2

Update of /cvs/pkgs/rpms/NetworkManager-openconnect/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28996

Modified Files:
	NetworkManager-openconnect.spec 
Added Files:
	NetworkManager-openconnect-gwcert.patch 
Log Message:
handle gwcert 'secret'

NetworkManager-openconnect-gwcert.patch:

--- NEW FILE NetworkManager-openconnect-gwcert.patch ---
commit c4f1f9deb95c95d42d28f1e28881d7a473ad9a20
Author: David Woodhouse <David.Woodhouse at intel.com>
Date:   Tue May 26 18:44:25 2009 +0100

    Pass server's SSL certificate signature to openconnect as VPN 'secret'.
    
    Since we run openconnect as an unprivileged user, it may not be able to
    read the original trust chain and validate the certificate for itself.
    But since the auth-dialog has already connected to the server and done
    the authentication, it can just give us the known signature for the
    certificate the server is using today...

diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index a5ef2c3..c4846ff 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -84,6 +84,7 @@ static ValidProperty valid_properties[] = {
 static ValidProperty valid_secrets[] = {
 	{ NM_OPENCONNECT_KEY_COOKIE,  G_TYPE_STRING, 0, 0 },
 	{ NM_OPENCONNECT_KEY_GATEWAY, G_TYPE_STRING, 0, 0 },
+	{ NM_OPENCONNECT_KEY_GWCERT,  G_TYPE_STRING, 0, 0 },
 	{ NULL,                       G_TYPE_NONE, 0, 0 }
 };
 
@@ -258,7 +259,7 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
 	GPtrArray *openconnect_argv;
 	GSource *openconnect_watch;
 	gint	stdin_fd;
-	const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu;
+	const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu, *props_gwcert;
 	
 	/* Find openconnect */
 	openconnect_binary = openconnect_binary_paths;
@@ -298,6 +299,7 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
 		             "No WebVPN cookie provided.");
 		return -1;
 	}
+	props_gwcert = nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GWCERT);
 
 	props_cacert = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CACERT);
 	props_mtu = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_MTU);
@@ -305,7 +307,10 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
 	openconnect_argv = g_ptr_array_new ();
 	g_ptr_array_add (openconnect_argv, (gpointer) (*openconnect_binary));
 
-	if (props_cacert && strlen(props_cacert)) {
+	if (props_gwcert && strlen(props_gwcert)) {
+		g_ptr_array_add (openconnect_argv, (gpointer) "--servercert");
+		g_ptr_array_add (openconnect_argv, (gpointer) props_gwcert);
+	} else if (props_cacert && strlen(props_cacert)) {
 		g_ptr_array_add (openconnect_argv, (gpointer) "--cafile");
 		g_ptr_array_add (openconnect_argv, (gpointer) props_cacert);
 	}
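Review bot: The new `--servercert` branch makes a present gwcert value take precedence over `--cafile`, so whenever the secret is set the connection's CA-based validation is never handed to openconnect, and the only check on the value before it reaches argv is that it is non-empty. The commit message explains why (openconnect runs unprivileged and may not be able to read the user's cacert), but nothing at the branch does, so a reader is likely to mistake the precedence for a bug; a comment would settle it: `/* A gateway certificate signature pinned by the auth-dialog replaces CA validation: openconnect runs unprivileged and may not be able to read the user's cacert. Format checking of the value appears to be left to openconnect. */`. It is also worth stating that a stale gwcert (gateway rotated its certificate) makes the connection fail rather than fall back to the cafile, which is presumably the intended fail-closed behaviour. nm_openconnect_start_openconnect_binary starts and ends outside this hunk.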
@@ -413,6 +418,10 @@ real_need_secrets (NMVPNPlugin *plugin,
 		*setting_name = NM_SETTING_VPN_SETTING_NAME;
 		return TRUE;
 	}
+	if (!nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_GWCERT)) {
+		*setting_name = NM_SETTING_VPN_SETTING_NAME;
+		return TRUE;
+	}
 	return FALSE;
 }
 
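Review bot: The added check looks gwcert up with nm_setting_vpn_get_data_item, but the same patch registers gwcert in valid_secrets and reads it with nm_setting_vpn_get_secret in nm_openconnect_start_openconnect_binary, so the two sides disagree on where the value lives; if it is stored only as a secret, this lookup always returns NULL and need_secrets keeps reporting secrets missing even after the auth-dialog has supplied them. The check should use the secret accessor: `if (!nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GWCERT)) {`. The check also makes a gwcert mandatory for every connection, including ones meant to validate through cacert alone; if that is deliberate because the auth-dialog always supplies one, a comment saying so would help. real_need_secrets starts outside this hunk.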
diff --git a/src/nm-openconnect-service.h b/src/nm-openconnect-service.h
index 27076cd..98c5026 100644
--- a/src/nm-openconnect-service.h
+++ b/src/nm-openconnect-service.h
@@ -42,6 +42,7 @@
 
 #define NM_OPENCONNECT_KEY_GATEWAY "gateway"
 #define NM_OPENCONNECT_KEY_COOKIE "cookie"
+#define NM_OPENCONNECT_KEY_GWCERT "gwcert"
 #define NM_OPENCONNECT_KEY_AUTHTYPE "authtype"
 #define NM_OPENCONNECT_KEY_USERCERT "usercert"
 #define NM_OPENCONNECT_KEY_CACERT "cacert"
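Review bot: The new key name reads as if it held the gateway certificate itself, but the commit message says it carries the certificate's signature as recorded by the auth-dialog, and nothing at the definition records that or that it is a secret rather than a data item. A one-line comment next to the define would prevent the confusion: `/* Signature of the gateway's SSL certificate as seen by the auth-dialog; stored as a VPN secret and passed to openconnect as --servercert */`.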


Index: NetworkManager-openconnect.spec
===================================================================
RCS file: /cvs/pkgs/rpms/NetworkManager-openconnect/devel/NetworkManager-openconnect.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -p -r1.10 -r1.11
--- NetworkManager-openconnect.spec	9 May 2009 16:51:53 -0000	1.10
+++ NetworkManager-openconnect.spec	27 May 2009 12:46:22 -0000	1.11
@@ -8,7 +8,7 @@
 Summary:   NetworkManager VPN integration for openconnect
 Name:      NetworkManager-openconnect
 Version:   0.7.0.99
-Release:   3%{svn_snapshot}%{?dist}
+Release:   4%{svn_snapshot}%{?dist}
 License:   GPLv2+
 Group:     System Environment/Base
 URL:       http://www.gnome.org/projects/NetworkManager/
@@ -17,6 +17,7 @@ Patch0:	   NetworkManager-openconnect-up
 Patch1:	   NetworkManager-openconnect-allow-lasthost-autoconnect.patch
 Patch2:	   NetworkManager-openconnect-allow-form-opts.patch
 Patch3:	   NetworkManager-openconnect-mtu.patch
+Patch4:	   NetworkManager-openconnect-gwcert.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 
 BuildRequires: gtk2-devel             >= %{gtk2_version}
@@ -49,6 +50,7 @@ with NetworkManager and the GNOME deskto
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 %configure --enable-more-warnings=yes
@@ -103,6 +105,10 @@ fi
 %{_datadir}/gnome-vpn-properties/openconnect/nm-openconnect-dialog.glade
 
 %changelog
+* Wed May 27 2009 David Woodhouse <David.Woodhouse at intel.com> 1:0.7.0.99-4
+- Handle 'gwcert' as a VPN secret, because openconnect might not be able
+  to read the user's cacert file when it runs as an unprivileged user.
+
 * Sat May  9 2009 David Woodhouse <David.Woodhouse at intel.com> 1:0.7.0.99-3
 - Accept 'form:*' keys in gconf
 - Allow setting of MTU option in gconf



