rpms/NetworkManager-openconnect/F-10 NetworkManager-openconnect-gwcert.patch, NONE, 1.1

David Woodhouse dwmw2 at fedoraproject.org
Wed May 27 13:02:32 UTC 2009


Author: dwmw2

Update of /cvs/pkgs/rpms/NetworkManager-openconnect/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv32640

Added Files:
	NetworkManager-openconnect-gwcert.patch 
Log Message:
add missing patch

NetworkManager-openconnect-gwcert.patch:

--- NEW FILE NetworkManager-openconnect-gwcert.patch ---
commit c4f1f9deb95c95d42d28f1e28881d7a473ad9a20
Author: David Woodhouse <David.Woodhouse at intel.com>
Date:   Tue May 26 18:44:25 2009 +0100

    Pass server's SSL certificate signature to openconnect as VPN 'secret'.
    
    Since we run openconnect as an unprivileged user, it may not be able to
    read the original trust chain and validate the certificate for itself.
    But since the auth-dialog has already connected to the server and done
    the authentication, it can just give us the known signature for the
    certificate the server is using today...

diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index a5ef2c3..c4846ff 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -84,6 +84,7 @@ static ValidProperty valid_properties[] = {
 static ValidProperty valid_secrets[] = {
 	{ NM_OPENCONNECT_KEY_COOKIE,  G_TYPE_STRING, 0, 0 },
 	{ NM_OPENCONNECT_KEY_GATEWAY, G_TYPE_STRING, 0, 0 },
+	{ NM_OPENCONNECT_KEY_GWCERT,  G_TYPE_STRING, 0, 0 },
 	{ NULL,                       G_TYPE_NONE, 0, 0 }
 };
 
@@ -258,7 +259,7 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
 	GPtrArray *openconnect_argv;
 	GSource *openconnect_watch;
 	gint	stdin_fd;
-	const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu;
+	const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu, *props_gwcert;
 	
 	/* Find openconnect */
 	openconnect_binary = openconnect_binary_paths;
@@ -298,6 +299,7 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
 		             "No WebVPN cookie provided.");
 		return -1;
 	}
+	props_gwcert = nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GWCERT);
 
 	props_cacert = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CACERT);
 	props_mtu = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_MTU);
@@ -305,7 +307,10 @@ nm_openconnect_start_openconnect_binary (NMOPENCONNECTPlugin *plugin,
 	openconnect_argv = g_ptr_array_new ();
 	g_ptr_array_add (openconnect_argv, (gpointer) (*openconnect_binary));
 
-	if (props_cacert && strlen(props_cacert)) {
+	if (props_gwcert && strlen(props_gwcert)) {
+		g_ptr_array_add (openconnect_argv, (gpointer) "--servercert");
+		g_ptr_array_add (openconnect_argv, (gpointer) props_gwcert);
+	} else if (props_cacert && strlen(props_cacert)) {
 		g_ptr_array_add (openconnect_argv, (gpointer) "--cafile");
 		g_ptr_array_add (openconnect_argv, (gpointer) props_cacert);
 	}
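Review bot: When `props_gwcert` is set, the new `--servercert` branch replaces `--cafile` entirely, so a configured `cacert` is silently ignored, and when neither value is set openconnect is started with no certificate-verification option at all; neither case is documented or logged. The missing cookie is rejected with an error a few lines earlier, but a missing or empty `gwcert` is accepted even though real_need_secrets now treats it as required. I would add a comment above the branch such as `/* Pin to the fingerprint the auth-dialog already verified; the CA file may be unreadable for the unprivileged user */` and consider failing the start when `props_gwcert` is empty, rather than falling through. The body of nm_openconnect_start_openconnect_binary starts and ends outside this hunk, so later handling of these values is not visible here.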
@@ -413,6 +418,10 @@ real_need_secrets (NMVPNPlugin *plugin,
 		*setting_name = NM_SETTING_VPN_SETTING_NAME;
 		return TRUE;
 	}
+	if (!nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_GWCERT)) {
+		*setting_name = NM_SETTING_VPN_SETTING_NAME;
+		return TRUE;
+	}
 	return FALSE;
 }
 
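Review bot: The added check looks `gwcert` up with `nm_setting_vpn_get_data_item`, but this commit registers the key in `valid_secrets` and reads it with `nm_setting_vpn_get_secret` in nm_openconnect_start_openconnect_binary. If the auth-dialog delivers the fingerprint only as a secret, the data-item lookup would presumably always return NULL, so real_need_secrets would report that secrets are needed even when the fingerprint is already present. The check should probably read `if (!nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GWCERT)) {`. The start of real_need_secrets is outside the hunk, so the lookups used by the earlier checks cannot be compared from here.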
diff --git a/src/nm-openconnect-service.h b/src/nm-openconnect-service.h
index 27076cd..98c5026 100644
--- a/src/nm-openconnect-service.h
+++ b/src/nm-openconnect-service.h
@@ -42,6 +42,7 @@
 
 #define NM_OPENCONNECT_KEY_GATEWAY "gateway"
 #define NM_OPENCONNECT_KEY_COOKIE "cookie"
+#define NM_OPENCONNECT_KEY_GWCERT "gwcert"
 #define NM_OPENCONNECT_KEY_AUTHTYPE "authtype"
 #define NM_OPENCONNECT_KEY_USERCERT "usercert"
 #define NM_OPENCONNECT_KEY_CACERT "cacert"



