File tls-version-min-max-option.patch of Package NetworkManager-openvpn

diff --git a/Makefile.am b/Makefile.am
index 27bbec95a912af1a4492807509e421fe1934fcb4..8e1b05aa949fbe5fd844db3d7ebcbff32564a2c3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -296,6 +296,7 @@ EXTRA_DIST += \
 	properties/tests/conf/static2.ovpn \
 	properties/tests/conf/tls.ovpn \
 	properties/tests/conf/tls2.ovpn \
+	properties/tests/conf/tls3.ovpn \
 	properties/tests/conf/tun-opts.conf \
 	properties/tests/conf/proxy-http.ovpn \
 	properties/tests/conf/httpauthfile \
diff --git a/properties/import-export.c b/properties/import-export.c
index 5507ab83537e09bb0b0897fa7f068967b844213c..a780fb3d0f0e8ebfb1e920b18903c22d7cfa13f0 100644
--- a/properties/import-export.c
+++ b/properties/import-export.c
@@ -1205,6 +1205,24 @@ do_import (const char *path, const char *contents, gsize contents_len, GError **
 			continue;
 		}
 
+		if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_VERSION_MIN)){
+			if (!args_params_check_nargs_n (params, 1, &line_error))
+				goto handle_line_error;
+			if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+				goto handle_line_error;
+			setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, params[1]);
+			continue;
+		}
+
+		if (NM_IN_STRSET (params[0], NMV_OVPN_TAG_TLS_VERSION_MAX)){
+			if (!args_params_check_nargs_n (params, 1, &line_error))
+				goto handle_line_error;
+			if (!args_params_check_arg_utf8 (params, 1, NULL, &line_error))
+				goto handle_line_error;
+			setting_vpn_add_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX, params[1]);
+			continue;
+		}
+
 		if (NM_IN_STRSET (params[0],
 		                  NMV_OVPN_TAG_CA,
 		                  NMV_OVPN_TAG_CERT,
@@ -2058,6 +2076,14 @@ do_export_create (NMConnection *connection, const char *path, GError **error)
 			                 nm_utils_str_utf8safe_unescape (key, &s_free));
 		}
 
+		key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+		if (nmovpn_arg_is_set (key))
+			args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MIN, key);
+
+		key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+		if (nmovpn_arg_is_set (key))
+			args_write_line (f, NMV_OVPN_TAG_TLS_VERSION_MAX, key);
+
 		key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_EXTRA_CERTS);
 		if (nmovpn_arg_is_set (key)) {
 			gs_free char *s_free = NULL;
diff --git a/properties/nm-openvpn-dialog.ui b/properties/nm-openvpn-dialog.ui
index c54cca14ef3d6909ff62cb7a2516f3511102bf1a..dc4504415114fd3f6b2ac1fb2fc2840f640c2f35 100644
--- a/properties/nm-openvpn-dialog.ui
+++ b/properties/nm-openvpn-dialog.ui
@@ -2479,6 +2479,84 @@ config: connect-timeout &lt;n&gt; | server-poll-timeout &lt;n&gt;</property>
                     <property name="position">1</property>
                   </packing>
                 </child>
+                <child>
+                  <object class="GtkBox">
+                    <property name="visible">True</property>
+                    <property name="can_focus">False</property>
+                    <child>
+                      <object class="GtkLabel" id="tls_version_min_lbl">
+                        <property name="visible">True</property>
+                        <property name="can_focus">False</property>
+                        <property name="label" translatable="yes">TLS _min version: </property>
+                        <property name="use_underline">True</property>
+                        <property name="mnemonic_widget">tls_version_min</property>
+                        <property name="xalign">1</property>
+                      </object>
+                      <packing>
+                        <property name="expand">False</property>
+                        <property name="fill">True</property>
+                        <property name="position">0</property>
+                      </packing>
+                    </child>
+                    <child>
+                      <object class="GtkEntry" id="tls_version_min">
+                        <property name="visible">True</property>
+                        <property name="can_focus">True</property>
+                        <property name="tooltip_text" translatable="yes"> Sets the minimum TLS version we will accept from the peer (default is "1.0").  Examples for version include "1.0", "1.1", or "1.2".  If 'or-highest' is specified and version is not recognized, we will only accept the highest TLS version supported by the local SSL implementation.</property>
+                      </object>
+                      <packing>
+                        <property name="expand">True</property>
+                        <property name="fill">True</property>
+                        <property name="padding">1</property>
+                        <property name="position">1</property>
+                      </packing>
+                    </child>
+                  </object>
+                  <packing>
+                    <property name="expand">False</property>
+                    <property name="fill">True</property>
+                    <property name="position">2</property>
+                  </packing>
+                </child>
+                <child>
+                  <object class="GtkBox">
+                    <property name="visible">True</property>
+                    <property name="can_focus">False</property>
+                    <child>
+                      <object class="GtkLabel" id="tls_version_max_lbl">
+                        <property name="visible">True</property>
+                        <property name="can_focus">False</property>
+                        <property name="label" translatable="yes">TLS ma_x version: </property>
+                        <property name="use_underline">True</property>
+                        <property name="mnemonic_widget">tls_version_max</property>
+                        <property name="xalign">1</property>
+                      </object>
+                      <packing>
+                        <property name="expand">False</property>
+                        <property name="fill">True</property>
+                        <property name="position">0</property>
+                      </packing>
+                    </child>
+                    <child>
+                      <object class="GtkEntry" id="tls_version_max">
+                        <property name="visible">True</property>
+                        <property name="can_focus">True</property>
+                        <property name="tooltip_text" translatable="yes">Set the maximum TLS version we will use (default is the highest version supported).  Examples for version include "1.0", "1.1", or "1.2".</property>
+                      </object>
+                      <packing>
+                        <property name="expand">True</property>
+                        <property name="fill">True</property>
+                        <property name="padding">1</property>
+                        <property name="position">1</property>
+                      </packing>
+                    </child>
+                  </object>
+                  <packing>
+                    <property name="expand">False</property>
+                    <property name="fill">True</property>
+                    <property name="position">3</property>
+                  </packing>
+                </child>
               </object>
               <packing>
                 <property name="position">4</property>
diff --git a/properties/nm-openvpn-editor.c b/properties/nm-openvpn-editor.c
index 5c409b48e40d3a9e5fb44d5c90a863720e4917a1..363d6f74deb8b8945a9e0a8f6697bf3290563d0a 100644
--- a/properties/nm-openvpn-editor.c
+++ b/properties/nm-openvpn-editor.c
@@ -717,6 +717,8 @@ static const char *const advanced_keys[] = {
 	NM_OPENVPN_KEY_TA_DIR,
 	NM_OPENVPN_KEY_TLS_CRYPT,
 	NM_OPENVPN_KEY_TLS_REMOTE,
+	NM_OPENVPN_KEY_TLS_VERSION_MIN,
+	NM_OPENVPN_KEY_TLS_VERSION_MAX,
 	NM_OPENVPN_KEY_TUNNEL_MTU,
 	NM_OPENVPN_KEY_TUN_IPV6,
 	NM_OPENVPN_KEY_VERIFY_X509_NAME,
@@ -1816,6 +1818,17 @@ advanced_dialog_new (GHashTable *hash, const char *contype)
 	_builder_init_optional_spinbutton (builder, "max_routes_checkbutton", "max_routes_spinbutton", !!value,
 	                                   _nm_utils_ascii_str_to_int64 (value, 10, 0, 100000000, 100));
 
+	value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+	if (value && *value) {
+		widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min"));
+		gtk_entry_set_text (GTK_ENTRY (widget), value);
+	}
+	value = g_hash_table_lookup (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+	if (value && *value) {
+		widget = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max"));
+		gtk_entry_set_text (GTK_ENTRY (widget), value);
+	}
+
 	return dialog;
 }
 
@@ -2017,6 +2030,15 @@ advanced_dialog_new_hash_from_dialog (GtkWidget *dialog)
 		if (hmacauth)
 			g_hash_table_insert (hash, NM_OPENVPN_KEY_AUTH, hmacauth);
 	}
+	entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_min"));
+	value = gtk_entry_get_text (GTK_ENTRY (entry));
+	if (value && *value)
+		g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MIN, g_strdup (value));
+
+	entry = GTK_WIDGET (gtk_builder_get_object (builder, "tls_version_max"));
+	value = gtk_entry_get_text (GTK_ENTRY (entry));
+	if (value && *value)
+		g_hash_table_insert (hash, NM_OPENVPN_KEY_TLS_VERSION_MAX, g_strdup (value));
 
 	contype = g_object_get_data (G_OBJECT (dialog), "connection-type");
 	if (   !strcmp (contype, NM_OPENVPN_CONTYPE_TLS)
diff --git a/properties/tests/conf/tls3.ovpn b/properties/tests/conf/tls3.ovpn
new file mode 100644
index 0000000000000000000000000000000000000000..5dd45ba87e27fd44daafad020fec63cb484b46ec
--- /dev/null
+++ b/properties/tests/conf/tls3.ovpn
@@ -0,0 +1,28 @@
+remote 173.8.149.245 1194
+resolv-retry infinite
+
+dev tun
+persist-key
+persist-tun
+link-mtu 1400
+proto udp
+nobind
+pull
+tls-client
+
+float
+
+ca keys/mg8.ca
+cert keys/clee.crt
+key keys/clee.key
+
+tls-crypt keys/46.key
+remote-cert-tls server
+tls-remote "/CN=myvpn.company.com"
+verify-x509-name "C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list@gnome.org" subject
+
+comp-lzo
+verb 3
+
+tls-version-min 1.0
+tls-version-max 1.2
\ No newline at end of file
diff --git a/properties/tests/test-import-export.c b/properties/tests/test-import-export.c
index 8d0a6352fef551ac2621e7afa7f6f6c80954e1fd..5d9201f3f8253c8f01583224adc9a0429493575d 100644
--- a/properties/tests/test-import-export.c
+++ b/properties/tests/test-import-export.c
@@ -379,6 +379,54 @@ test_tls_import_2 (void)
 	_check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
 }
 
+static void
+test_tls_import_3 (void)
+{
+	_CREATE_PLUGIN (plugin);
+	gs_unref_object NMConnection *connection = NULL;
+	NMSettingConnection *s_con;
+	NMSettingVpn *s_vpn;
+
+	connection = get_basic_connection (plugin, SRCDIR, "tls3.ovpn");
+
+	s_con = _get_setting_connection (connection);
+	g_assert_cmpstr (nm_setting_connection_get_id (s_con), ==, "tls3");
+	g_assert (!nm_setting_connection_get_uuid (s_con));
+
+	s_vpn = _get_setting_vpn (connection);
+
+	_check_item (s_vpn, NM_OPENVPN_KEY_CONNECTION_TYPE, NM_OPENVPN_CONTYPE_TLS);
+	_check_item (s_vpn, NM_OPENVPN_KEY_DEV, "tun");
+	_check_item (s_vpn, NM_OPENVPN_KEY_PROTO_TCP, NULL);
+	_check_item (s_vpn, NM_OPENVPN_KEY_COMP_LZO, "adaptive");
+	_check_item (s_vpn, NM_OPENVPN_KEY_FLOAT, "yes");
+	_check_item (s_vpn, NM_OPENVPN_KEY_RENEG_SECONDS, NULL);
+	_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE, "173.8.149.245:1194");
+	_check_item (s_vpn, NM_OPENVPN_KEY_PORT, NULL);
+	_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY, NULL);
+	_check_item (s_vpn, NM_OPENVPN_KEY_STATIC_KEY_DIRECTION, NULL);
+	_check_item (s_vpn, NM_OPENVPN_KEY_CIPHER, NULL);
+	_check_item (s_vpn, NM_OPENVPN_KEY_LOCAL_IP, NULL);
+	_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_IP, NULL);
+	_check_item (s_vpn, NM_OPENVPN_KEY_AUTH, NULL);
+	_check_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE, "/CN=myvpn.company.com");
+	_check_item (s_vpn, NM_OPENVPN_KEY_VERIFY_X509_NAME,
+	             "subject:C=US, L=Cambridge, CN=GNOME, emailAddress=networkmanager-list@gnome.org");
+	_check_item (s_vpn, NM_OPENVPN_KEY_REMOTE_CERT_TLS, "server");
+
+	_check_item (s_vpn, NM_OPENVPN_KEY_CA,        SRCDIR"/keys/mg8.ca");
+	_check_item (s_vpn, NM_OPENVPN_KEY_CERT,      SRCDIR"/keys/clee.crt");
+	_check_item (s_vpn, NM_OPENVPN_KEY_KEY,       SRCDIR"/keys/clee.key");
+	_check_item (s_vpn, NM_OPENVPN_KEY_TLS_CRYPT, SRCDIR"/keys/46.key");
+
+	_check_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD, NULL);
+	_check_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS, NULL);
+
+	_check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN, "1.0");
+	_check_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX, "1.2");
+
+}
+
 static void
 test_file_contents (const char *id,
                     const char *dir,
@@ -1041,6 +1089,9 @@ int main (int argc, char **argv)
 	_add_test_func_simple (test_tls_import_2);
 	_add_test_func ("tls2-export", test_export_compare, "tls2.ovpn", "tls2.ovpntest");
 
+	_add_test_func_simple (test_tls_import_3);
+	_add_test_func ("tls3-export", test_export_compare, "tls3.ovpn", "tls3.ovpntest");
+
 	_add_test_func_simple (test_pkcs12_import);
 	_add_test_func ("pkcs12-export", test_export_compare, "pkcs12.ovpn", "pkcs12.ovpntest");
 
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index c0fb72491705b809c8c825415f984aa6babbd1a4..e5810c1367072e947a33b24c7539ee43b7e89147 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -73,6 +73,8 @@
 #define NM_OPENVPN_KEY_TLS_CIPHER                "tls-cipher"
 #define NM_OPENVPN_KEY_TLS_CRYPT                 "tls-crypt"
 #define NM_OPENVPN_KEY_TLS_REMOTE                "tls-remote"
+#define NM_OPENVPN_KEY_TLS_VERSION_MIN           "tls-version-min"
+#define NM_OPENVPN_KEY_TLS_VERSION_MAX           "tls-version-max"
 #define NM_OPENVPN_KEY_TUNNEL_MTU                "tunnel-mtu"
 #define NM_OPENVPN_KEY_TUN_IPV6                  "tun-ipv6"
 #define NM_OPENVPN_KEY_USERNAME                  "username"
diff --git a/shared/utils.h b/shared/utils.h
index e3f30be86e962de52007854c6a5478c222f3802e..a32c098d2f0c627c75528a1ee4b0b869099fdff5 100644
--- a/shared/utils.h
+++ b/shared/utils.h
@@ -75,6 +75,8 @@
 #define NMV_OVPN_TAG_TLS_CLIENT         "tls-client"
 #define NMV_OVPN_TAG_TLS_CRYPT          "tls-crypt"
 #define NMV_OVPN_TAG_TLS_REMOTE         "tls-remote"
+#define NMV_OVPN_TAG_TLS_VERSION_MIN    "tls-version-min"
+#define NMV_OVPN_TAG_TLS_VERSION_MAX    "tls-version-max"
 #define NMV_OVPN_TAG_TOPOLOGY           "topology"
 #define NMV_OVPN_TAG_TUN_IPV6           "tun-ipv6"
 #define NMV_OVPN_TAG_TUN_MTU            "tun-mtu"
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index 59b64ebfc95ee0a124289139d12fa13101ac9d53..357371497e8c486fa1ebb6220855e28f568d2e08 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -193,6 +193,8 @@ static const ValidProperty valid_properties[] = {
 	{ NM_OPENVPN_KEY_CERTPASS_FLAGS,            G_TYPE_STRING, 0, 0, FALSE },
 	{ NM_OPENVPN_KEY_NOSECRET,                  G_TYPE_STRING, 0, 0, FALSE },
 	{ NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD_FLAGS, G_TYPE_STRING, 0, 0, FALSE },
+	{ NM_OPENVPN_KEY_TLS_VERSION_MIN,           G_TYPE_STRING, 0, 0, FALSE },
+	{ NM_OPENVPN_KEY_TLS_VERSION_MAX,           G_TYPE_STRING, 0, 0, FALSE },
 	{ NULL,                                     G_TYPE_NONE, FALSE }
 };
 
@@ -1652,6 +1654,16 @@ nm_openvpn_start_openvpn_binary (NMOpenvpnPlugin *plugin,
 		args_add_strv (args, "--tls-crypt");
 		args_add_utf8safe_str (args, tmp);
 	}
+	tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MIN);
+	if (nmovpn_arg_is_set (tmp)) {
+		args_add_strv (args, "--tls-version-min");
+		args_add_strv (args, tmp);
+	}
+	tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_VERSION_MAX);
+	if (nmovpn_arg_is_set (tmp)) {
+		args_add_strv (args, "--tls-version-max");
+		args_add_strv (args, tmp);
+	}
 
 	tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_EXTRA_CERTS);
 	if (nmovpn_arg_is_set (tmp)) {

openSUSE Build Service is sponsored by