File tls-version-min-max-option.patch of Package NetworkManager-openvpn
diff --git a/Makefile.am b/Makefile.am
index 27bbec95a912af1a4492807509e421fe1934fcb4..8e1b05aa949fbe5fd844db3d7ebcbff32564a2c3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -296,6 +296,7 @@ EXTRA_DIST += \
properties/tests/conf/static2.ovpn \
properties/tests/conf/tls.ovpn \
properties/tests/conf/tls2.ovpn \
+ properties/tests/conf/tls3.ovpn \
properties/tests/conf/tun-opts.conf \
properties/tests/conf/proxy-http.ovpn \
properties/tests/conf/httpauthfile \
diff --git a/properties/import-export.c b/properties/import-export.c
index 5507ab83537e09bb0b0897fa7f068967b844213c..a780fb3d0f0e8ebfb1e920b18903c22d7cfa13f0 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1205,6 +1205,24 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
continue;
}
+ if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_VERSION_MIN)){
+ if (!args_params_check_nargs_n (params, 1, &line_error))
+ goto handle_line_error;
+ if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+ goto handle_line_error;
+ setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, params[1]);
+ continue;
+ }
+
+ if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_VERSION_MAX)){
+ if (!args_params_check_nargs_n (params, 1, &line_error))
+ goto handle_line_error;
+ if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+ goto handle_line_error;
+ setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX, params[1]);
+ continue;
+ }
+
if (NM_IN_STRSET (params[0],
NMV_OVPN_TAG_CA,
NMV_OVPN_TAG_CERT,
@@ -2058,6 +2076,14 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
nm_utils_str_utf8safe_unescape (key, &s_free));
}
+ key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+ if (nmovpn_arg_is_set (key))
+ args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MIN, key);
+
+ key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+ if (nmovpn_arg_is_set (key))
+ args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MAX, key);
+
key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_EXTRA_CERTS);
if (nmovpn_arg_is_set (key)) {
gs_free char *s_free = NULL;
diff --git a/properties/nm-openvpn-dialog.ui b/properties/nm-openvpn-dialog.ui
index c54cca14ef3d6909ff62cb7a2516f3511102bf1a..dc4504415114fd3f6b2ac1fb2fc2840f640c2f35 100644
--- a/properties/nm-openvpn-dialog.ui
+++ b/properties/nm-openvpn-dialog.ui
@@ -2479,6 +2479,84 @@ config: connect-timeout <n> | server-poll-timeout <n></property>
<property name="position">1</property>
</packing>
</child>
+ <child>
+ <object class="GtkBox">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <child>
+ <object class="GtkLabel" id="tls_version_min_lbl">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">TLS _min version: </property>
+ <property name="use_underline">True</property>
+ <property name="mnemonic_widget">tls_version_min</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">True</property>
+ <property name="position">0</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkEntry" id="tls_version_min">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="tooltip_text" translatable="yes"> Sets the minimum TLS version we will accept from the peer (default is "1.0"). Examples for version include "1.0", "1.1", or "1.2". If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation.</property>
+ </object>
+ <packing>
+ <property name="expand">True</property>
+ <property name="fill">True</property>
+ <property name="padding">1</property>
+ <property name="position">1</property>
+ </packing>
+ </child>
+ </object>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">True</property>
+ <property name="position">2</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkBox">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <child>
+ <object class="GtkLabel" id="tls_version_max_lbl">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">TLS ma_x version: </property>
+ <property name="use_underline">True</property>
+ <property name="mnemonic_widget">tls_version_max</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">True</property>
+ <property name="position">0</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkEntry" id="tls_version_max">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="tooltip_text" translatable="yes">Set the maximum TLS version we will use (default is the highest version supported). Examples for version include "1.0", "1.1", or "1.2".</property>
+ </object>
+ <packing>
+ <property name="expand">True</property>
+ <property name="fill">True</property>
+ <property name="padding">1</property>
+ <property name="position">1</property>
+ </packing>
+ </child>
+ </object>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">True</property>
+ <property name="position">3</property>
+ </packing>
+ </child>
</object>
<packing>
<property name="position">4</property>
diff --git a/properties/nm-openvpn-editor.c b/properties/nm-openvpn-editor.c
index 5c409b48e40d3a9e5fb44d5c90a863720e4917a1..363d6f74deb8b8945a9e0a8f6697bf3290563d0a 100644
--- a/properties/nm-openvpn-editor.c
+++ b/properties/nm-openvpn-editor.c
@@ -717,6 +717,8 @@ static const char *const advanced_keys[] = {
NM_OPENVPN_KEY_TA_DIR,
NM_OPENVPN_KEY_TLS_CRYPT,
NM_OPENVPN_KEY_TLS_REMOTE,
+ NM_OPENVPN_KEY_TLS_VERSION_MIN,
+ NM_OPENVPN_KEY_TLS_VERSION_MAX,
NM_OPENVPN_KEY_TUNNEL_MTU,
NM_OPENVPN_KEY_TUN_IPV6,
NM_OPENVPN_KEY_VERIFY_X509_NAME,
@@ -1816,6 +1818,17 @@ advanced_dialog_new (GHashTable *hash, const char *contype)
_builder_init_optional_spinbutton (builder, "max_routes_checkbutton", "max_routes_spinbutton", !!value,
_nm_utils_ascii_str_to_int64 (value, 10, 0, 100000000, 100));
+ value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+ if (value && *value) {
+ widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min"));
+ gtk_entry_set_text (GTK_ENTRY (widget), value);
+ }
+ value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+ if (value && *value) {
+ widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max"));
+ gtk_entry_set_text (GTK_ENTRY (widget), value);
+ }
+
return dialog;
}
@@ -2017,6 +2030,15 @@ advanced_dialog_new_hash_from_dialog (GtkWidget *dialog)
if (hmacauth)
g_hash_table_insert (hash, NM_OPENVPN_KEY_AUTH, hmacauth);
}
+ entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min"));
+ value = gtk_entry_get_text (GTK_ENTRY (entry));
+ if (value && *value)
+ g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN, g_strdup (value));
+
+ entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max"));
+ value = gtk_entry_get_text (GTK_ENTRY (entry));
+ if (value && *value)
+ g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX, g_strdup (value));
contype = g_object_get_data (G_OBJECT (dialog), "connection-type");
if ( !strcmp (contype, NM_OPENVPN_CONTYPE_TLS)
diff --git a/properties/tests/conf/tls3.ovpn b/properties/tests/conf/tls3.ovpn
new file mode 100644
index 0000000000000000000000000000000000000000..5dd45ba87e27fd44daafad020fec63cb484b46ec
--- /dev/null
+++ b/properties/tests/conf/tls3.ovpn
@@ -0,0 +1,28 @@
+remote 173.8.149.245 1194
+resolv-retry infinite
+
+dev tun
+persist-key
+persist-tun
+link-mtu 1400
+proto udp
+nobind
+pull
+tls-client
+
+float
+
+ca keys/mg8.ca
+cert keys/clee.crt
+key keys/clee.key
+
+tls-crypt keys/46.key
+remote-cert-tls server
+tls-remote "/CN=myvpn.company.com"
+verify-x509-name "C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list@gnome.org" subject
+
+comp-lzo
+verb 3
+
+tls-version-min 1.0
+tls-version-max 1.2
\ No newline at end of file
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index 8d0a6352fef551ac2621e7afa7f6f6c80954e1fd..5d9201f3f8253c8f01583224adc9a0429493575d 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
@@ -379,6 +379,54 @@ test_tls_import_2 (void)
_check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
}
+static void
+test_tls_import_3 (void)
+{
+ _CREATE_PLUGIN (plugin);
+ gs_unref_object NMConnection *connection = NULL;
+ NMSettingConnection *s_con;
+ NMSettingVpn *s_vpn;
+
+ connection = get_basic_connection (plugin, SRCDIR, "tls3.ovpn");
+
+ s_con = _get_setting_connection (connection);
+ g_assert_cmpstr (nm_setting_connection_get_id (s_con), ==, "tls3");
+ g_assert (!nm_setting_connection_get_uuid (s_con));
+
+ s_vpn = _get_setting_vpn (connection);
+
+ _check_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE, NM_OPENVPN_CONTYPE_TLS);
+ _check_item (s_vpn, NM_OPENVPN_KEY_DEV, "tun");
+ _check_item (s_vpn, NM_OPENVPN_KEY_PROTO_TCP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO, "adaptive");
+ _check_item (s_vpn, NM_OPENVPN_KEY_FLOAT, "yes");
+ _check_item (s_vpn, NM_OPENVPN_KEY_RENEG_SECONDS, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE, "173.8.149.245:1194");
+ _check_item (s_vpn, NM_OPENVPN_KEY_PORT, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE, "/CN=myvpn.company.com");
+ _check_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME,
+ "subject:C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list@gnome.org");
+ _check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS, "server");
+
+ _check_item (s_vpn, NM_OPENVPN_KEY_CA, SRCDIR"/keys/mg8.ca");
+ _check_item (s_vpn, NM_OPENVPN_KEY_CERT, SRCDIR"/keys/clee.crt");
+ _check_item (s_vpn, NM_OPENVPN_KEY_KEY, SRCDIR"/keys/clee.key");
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, SRCDIR"/keys/46.key");
+
+ _check_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD, NULL);
+ _check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
+
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, "1.0");
+ _check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX, "1.2");
+
+}
+
static void
test_file_contents (const char *id,
const char *dir,
@@ -1041,6 +1089,9 @@ int main (int argc, char **argv)
_add_test_func_simple (test_tls_import_2);
_add_test_func ("tls2-export", test_export_compare, "tls2.ovpn", "tls2.ovpntest");
+ _add_test_func_simple (test_tls_import_3);
+ _add_test_func ("tls3-export", test_export_compare, "tls3.ovpn", "tls3.ovpntest");
+
_add_test_func_simple (test_pkcs12_import);
_add_test_func ("pkcs12-export", test_export_compare, "pkcs12.ovpn", "pkcs12.ovpntest");
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index c0fb72491705b809c8c825415f984aa6babbd1a4..e5810c1367072e947a33b24c7539ee43b7e89147 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -73,6 +73,8 @@
#define NM_OPENVPN_KEY_TLS_CIPHER "tls-cipher"
#define NM_OPENVPN_KEY_TLS_CRYPT "tls-crypt"
#define NM_OPENVPN_KEY_TLS_REMOTE "tls-remote"
+#define NM_OPENVPN_KEY_TLS_VERSION_MIN "tls-version-min"
+#define NM_OPENVPN_KEY_TLS_VERSION_MAX "tls-version-max"
#define NM_OPENVPN_KEY_TUNNEL_MTU "tunnel-mtu"
#define NM_OPENVPN_KEY_TUN_IPV6 "tun-ipv6"
#define NM_OPENVPN_KEY_USERNAME "username"
diff --git a/shared/utils.h b/shared/utils.h
index e3f30be86e962de52007854c6a5478c222f3802e..a32c098d2f0c627c75528a1ee4b0b869099fdff5 100644
--- a/shared/utils.h
+++ b/shared/utils.h
@@ -75,6 +75,8 @@
#define NMV_OVPN_TAG_TLS_CLIENT "tls-client"
#define NMV_OVPN_TAG_TLS_CRYPT "tls-crypt"
#define NMV_OVPN_TAG_TLS_REMOTE "tls-remote"
+#define NMV_OVPN_TAG_TLS_VERSION_MIN "tls-version-min"
+#define NMV_OVPN_TAG_TLS_VERSION_MAX "tls-version-max"
#define NMV_OVPN_TAG_TOPOLOGY "topology"
#define NMV_OVPN_TAG_TUN_IPV6 "tun-ipv6"
#define NMV_OVPN_TAG_TUN_MTU "tun-mtu"
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 59b64ebfc95ee0a124289139d12fa13101ac9d53..357371497e8c486fa1ebb6220855e28f568d2e08 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -193,6 +193,8 @@ static const ValidProperty valid_properties[] = {
{ NM_OPENVPN_KEY_CERTPASS_FLAGS, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_NOSECRET, G_TYPE_STRING, 0, 0, FALSE },
{ NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD_FLAGS, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_TLS_VERSION_MIN, G_TYPE_STRING, 0, 0, FALSE },
+ { NM_OPENVPN_KEY_TLS_VERSION_MAX, G_TYPE_STRING, 0, 0, FALSE },
{ NULL, G_TYPE_NONE, FALSE }
};
@@ -1652,6 +1654,16 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
args_add_strv (args, "--tls-crypt");
args_add_utf8safe_str (args, tmp);
}
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+ if (nmovpn_arg_is_set (tmp)) {
+ args_add_strv (args, "--tls-version-min");
+ args_add_strv (args, tmp);
+ }
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+ if (nmovpn_arg_is_set (tmp)) {
+ args_add_strv (args, "--tls-version-max");
+ args_add_strv (args, tmp);
+ }
tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_EXTRA_CERTS);
if (nmovpn_arg_is_set (tmp)) {