[arch-commits] Commit in kdeplasma-applets-plasma-nm/repos (6 files)

Allan McRae allan at archlinux.org
Tue Dec 8 16:31:10 UTC 2015


    Date: Tuesday, December 8, 2015 @ 17:31:10
  Author: allan
Revision: 253979

archrelease: copy trunk to staging-i686, staging-x86_64

Added:
  kdeplasma-applets-plasma-nm/repos/staging-i686/
  kdeplasma-applets-plasma-nm/repos/staging-i686/PKGBUILD
    (from rev 253978, kdeplasma-applets-plasma-nm/trunk/PKGBUILD)
  kdeplasma-applets-plasma-nm/repos/staging-i686/openconnect7.patch
    (from rev 253978, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch)
  kdeplasma-applets-plasma-nm/repos/staging-x86_64/
  kdeplasma-applets-plasma-nm/repos/staging-x86_64/PKGBUILD
    (from rev 253978, kdeplasma-applets-plasma-nm/trunk/PKGBUILD)
  kdeplasma-applets-plasma-nm/repos/staging-x86_64/openconnect7.patch
    (from rev 253978, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch)

-----------------------------------+
 staging-i686/PKGBUILD             |   35 ++++
 staging-i686/openconnect7.patch   |  309 ++++++++++++++++++++++++++++++++++++
 staging-x86_64/PKGBUILD           |   35 ++++
 staging-x86_64/openconnect7.patch |  309 ++++++++++++++++++++++++++++++++++++
 4 files changed, 688 insertions(+)

Copied: kdeplasma-applets-plasma-nm/repos/staging-i686/PKGBUILD (from rev 253978, kdeplasma-applets-plasma-nm/trunk/PKGBUILD)
===================================================================
--- staging-i686/PKGBUILD	                        (rev 0)
+++ staging-i686/PKGBUILD	2015-12-08 16:31:10 UTC (rev 253979)
@@ -0,0 +1,35 @@
+# $Id$
+# Maintainer: Andrea Scarpino <andrea at archlinux.org>
+# Contributor: Antonio Rojas < arojas at archlinux.org >
+
+pkgname=kdeplasma-applets-plasma-nm
+pkgver=0.9.3.6
+pkgrel=2
+pkgdesc="Plasma applet written in QML for managing network connections"
+arch=('i686' 'x86_64')
+url="https://projects.kde.org/projects/kde/workspace/plasma-nm"
+license=('GPL')
+depends=('kdebase-workspace' 'libnm-qt4')
+makedepends=('cmake' 'automoc4' 'openconnect' 'mobile-broadband-provider-info')
+optdepends=('mobile-broadband-provider-info: Database of mobile broadband service providers'
+            'openconnect: Cisco AnyConnect VPN plugin')
+conflicts=('kdeplasma-applets-networkmanagement')
+source=("http://download.kde.org/stable/plasma-nm/plasma-nm-${pkgver}.tar.xz")
+md5sums=('ab94be59919eca6bf89fc1930cf3dd39')
+
+prepare() {
+  mkdir build
+}
+
+build() {
+  cd build
+  cmake ../plasma-nm-${pkgver} \
+    -DCMAKE_INSTALL_PREFIX=/usr \
+    -DCMAKE_BUILD_TYPE=Release
+  make
+}
+
+package() {
+  cd build
+  make DESTDIR="${pkgdir}" install
+}

Copied: kdeplasma-applets-plasma-nm/repos/staging-i686/openconnect7.patch (from rev 253978, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch)
===================================================================
--- staging-i686/openconnect7.patch	                        (rev 0)
+++ staging-i686/openconnect7.patch	2015-12-08 16:31:10 UTC (rev 253979)
@@ -0,0 +1,309 @@
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Wed, 03 Dec 2014 14:10:44 +0000
+Subject: Update OpenConnect support for library version 5
+X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=3e6585fa4dd2fb3d9b59c7704bd3d7ae5b2c4167
+---
+Update OpenConnect support for library version 5
+
+String ownership rules are now very simple: the library never takes ownership
+of a string it's passed. It always takes its *own* copy and is responsible
+for freeing that. Mostly driven by Windows DLL Hell where it's painful to
+allocate in one library and free in another because they might actually be
+using different heaps.
+
+Also adapt to the changes in server certificate hash handling. We are no
+longer supposed to just compare strings, and must call the relevant function
+to check a hash against the server's certificate. This gives better matching
+and allows libopenconnect to upgrade the hash in future when it becomes
+necessary.
+---
+
+
+--- a/vpn/openconnect/CMakeLists.txt
++++ b/vpn/openconnect/CMakeLists.txt
+@@ -15,6 +15,8 @@
+ 
+     if (${OPENCONNECT_VERSION} VERSION_GREATER ${MINIMUM_OPENCONNECT_VERSION_REQUIRED} OR
+         ${OPENCONNECT_VERSION} VERSION_EQUAL ${MINIMUM_OPENCONNECT_VERSION_REQUIRED})
++
++        include_directories(${OPENCONNECT_INCLUDE_DIRS})
+ 
+         set(openconnect_SRCS
+         openconnectui.cpp
+
+--- a/vpn/openconnect/openconnectauth.cpp
++++ b/vpn/openconnect/openconnectauth.cpp
+@@ -161,7 +161,7 @@
+     }
+     if (!dataMap[NM_OPENCONNECT_KEY_CACERT].isEmpty()) {
+         const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_CACERT]);
+-        openconnect_set_cafile(d->vpninfo, strdup(crt.data()));
++        openconnect_set_cafile(d->vpninfo, OC3DUP(crt.data()));
+     }
+     if (dataMap[NM_OPENCONNECT_KEY_CSD_ENABLE] == "yes") {
+         char *wrapper;
+@@ -174,12 +174,12 @@
+     }
+     if (!dataMap[NM_OPENCONNECT_KEY_PROXY].isEmpty()) {
+         const QByteArray proxy = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PROXY]);
+-        openconnect_set_http_proxy(d->vpninfo, strdup(proxy.data()));
++        openconnect_set_http_proxy(d->vpninfo, OC3DUP(proxy.data()));
+     }
+     if (!dataMap[NM_OPENCONNECT_KEY_USERCERT].isEmpty()) {
+         const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_USERCERT]);
+         const QByteArray key = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PRIVKEY]);
+-        openconnect_set_client_cert (d->vpninfo, strdup(crt.data()), strdup(key.data()));
++        openconnect_set_client_cert (d->vpninfo, OC3DUP(crt.data()), OC3DUP(key.data()));
+ 
+         if (!crt.isEmpty() && dataMap[NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID] == "yes") {
+             openconnect_passphrase_from_fsid(d->vpninfo);
+@@ -276,10 +276,10 @@
+     const VPNHost &host = d->hosts.at(i);
+     if (openconnect_parse_url(d->vpninfo, host.address.toAscii().data())) {
+         kWarning() << "Failed to parse server URL" << host.address;
+-        openconnect_set_hostname(d->vpninfo, strdup(host.address.toAscii().data()));
++        openconnect_set_hostname(d->vpninfo, OC3DUP(host.address.toAscii().data()));
+     }
+     if (!openconnect_get_urlpath(d->vpninfo) && !host.group.isEmpty())
+-        openconnect_set_urlpath(d->vpninfo, strdup(host.group.toAscii().data()));
++        openconnect_set_urlpath(d->vpninfo, OC3DUP(host.group.toAscii().data()));
+     d->secrets["lasthost"] = host.name;
+     addFormInfo(QLatin1String("dialog-information"), i18n("Contacting host, please wait..."));
+     d->worker->start();
+@@ -301,9 +301,13 @@
+     secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_COOKIE), QLatin1String(openconnect_get_cookie(d->vpninfo)));
+     openconnect_clear_cookie(d->vpninfo);
+ 
++#if OPENCONNECT_CHECK_VER(5,0)
++    const char *fingerprint = openconnect_get_peer_cert_hash(d->vpninfo);
++#else
+     OPENCONNECT_X509 *cert = openconnect_get_peer_cert(d->vpninfo);
+     char fingerprint[41];
+     openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint);
++#endif
+     secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint));
+     secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t"));
+     secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no");
+@@ -578,14 +582,14 @@
+             if (opt->type == OC_FORM_OPT_PASSWORD || opt->type == OC_FORM_OPT_TEXT) {
+                 KLineEdit *le = qobject_cast<KLineEdit*>(widget);
+                 QByteArray text = le->text().toUtf8();
+-                opt->value = strdup(text.data());
++                openconnect_set_option_value(opt, text.data());
+                 if (opt->type == OC_FORM_OPT_TEXT) {
+                     d->secrets.insert(key,le->text());
+                 }
+             } else if (opt->type == OC_FORM_OPT_SELECT) {
+                 KComboBox *cbo = qobject_cast<KComboBox*>(widget);
+                 QByteArray text = cbo->itemData(cbo->currentIndex()).toString().toAscii();
+-                opt->value = strdup(text.data());
++                openconnect_set_option_value(opt, text.data());
+                 d->secrets.insert(key,cbo->itemData(cbo->currentIndex()).toString());
+             }
+         }
+
+--- a/vpn/openconnect/openconnectauthworkerthread.cpp
++++ b/vpn/openconnect/openconnectauthworkerthread.cpp
+@@ -43,6 +43,20 @@
+ class OpenconnectAuthStaticWrapper
+ {
+ public:
++#if OPENCONNECT_CHECK_VER(5,0)
++    static int writeNewConfig(void *obj, const char *str, int num)
++    {
++        if (obj)
++            return static_cast<OpenconnectAuthWorkerThread*>(obj)->writeNewConfig(str, num);
++        return -1;
++    }
++    static int validatePeerCert(void *obj, const char *str)
++    {
++        if (obj)
++            return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(NULL, str);
++        return -1;
++    }
++#else
+     static int writeNewConfig(void *obj, char *str, int num)
+     {
+         if (obj)
+@@ -55,7 +69,8 @@
+             return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(cert, str);
+         return -1;
+     }
+-    static int processAuthForm(void *obj, struct oc_auth_form *form)
++#endif
++	static int processAuthForm(void *obj, struct oc_auth_form *form)
+     {
+         if (obj)
+             return static_cast<OpenconnectAuthWorkerThread*>(obj)->processAuthFormP(form);
+@@ -108,7 +123,7 @@
+     return m_openconnectInfo;
+ }
+ 
+-int OpenconnectAuthWorkerThread::writeNewConfig(char *buf, int buflen)
++int OpenconnectAuthWorkerThread::writeNewConfig(const char *buf, int buflen)
+ {
+     Q_UNUSED(buflen)
+     if (*m_userDecidedToQuit)
+@@ -139,10 +154,16 @@
+ }
+ #endif
+ 
+-int OpenconnectAuthWorkerThread::validatePeerCert(OPENCONNECT_X509 *cert, const char *reason)
+-{
+-    if (*m_userDecidedToQuit)
+-        return -EINVAL;
++int OpenconnectAuthWorkerThread::validatePeerCert(void *cert, const char *reason)
++{
++    if (*m_userDecidedToQuit)
++        return -EINVAL;
++
++#if OPENCONNECT_CHECK_VER(5,0)
++    (void)cert;
++    const char *fingerprint = openconnect_get_peer_cert_hash(m_openconnectInfo);
++    char *details = openconnect_get_peer_cert_details(m_openconnectInfo);
++#else
+     char fingerprint[41];
+     int ret = 0;
+ 
+@@ -151,7 +172,7 @@
+         return ret;
+ 
+     char *details = openconnect_get_cert_details(m_openconnectInfo, cert);
+-
++#endif
+     bool accepted = false;
+     m_mutex->lock();
+     QString qFingerprint(fingerprint);
+@@ -160,7 +181,7 @@
+     emit validatePeerCert(qFingerprint, qCertinfo, qReason, &accepted);
+     m_waitForUserInput->wait(m_mutex);
+     m_mutex->unlock();
+-    ::free(details);
++    openconnect_free_cert_info(m_openconnectInfo, details);
+     if (*m_userDecidedToQuit)
+         return -EINVAL;
+ 
+
+--- a/vpn/openconnect/openconnectauthworkerthread.h
++++ b/vpn/openconnect/openconnectauthworkerthread.h
+@@ -59,6 +59,17 @@
+ #define OC_FORM_RESULT_NEWGROUP	2
+ #endif
+ 
++#if OPENCONNECT_CHECK_VER(4,0)
++#define OC3DUP(x)			(x)
++#else
++#define openconnect_set_option_value(opt, val) do { \
++		struct oc_form_opt *_o = (opt);				\
++		free(_o->value); _o->value = strdup(val);		\
++	} while (0)
++#define openconnect_free_cert_info(v, x) ::free(x)
++#define OC3DUP(x)			strdup(x)
++#endif
++
+ #include <QThread>
+ 
+ class QMutex;
+@@ -85,8 +96,8 @@
+     void run();
+ 
+ private:
+-    int writeNewConfig(char *, int);
+-    int validatePeerCert(OPENCONNECT_X509 *, const char *);
++    int writeNewConfig(const char *, int);
++    int validatePeerCert(void *, const char *);
+     int processAuthFormP(struct oc_auth_form *);
+     void writeProgress(int level, const char *, va_list);
+ 
+
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Wed, 03 Dec 2014 14:13:22 +0000
+Subject: Update OpenConnect storage of manually-accepted server certs
+X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=bd557b7b8af86ff4b0350a235ff8232fe6c92c0c
+---
+Update OpenConnect storage of manually-accepted server certs
+
+We shouldn't just be storing the certificate hash; we should remember
+*which* host/port it was accepted for, and only accept it for *that* service.
+
+This matches the change in NetworkManager-openconnect 2dc45e25.
+---
+
+
+--- a/vpn/openconnect/openconnectauth.cpp
++++ b/vpn/openconnect/openconnectauth.cpp
+@@ -66,7 +66,6 @@
+     Ui_OpenconnectAuth ui;
+     NetworkManager::VpnSetting::Ptr setting;
+     struct openconnect_info *vpninfo;
+-    QStringList certificateFingerprints;
+     NMStringMap secrets;
+     QMutex mutex;
+     QWaitCondition workerWaiting;
+@@ -192,10 +191,6 @@
+     Q_D(OpenconnectAuthWidget);
+ 
+     d->secrets = d->setting->secrets();
+-
+-    if (!d->secrets[NM_OPENCONNECT_KEY_GWCERT].isEmpty()) {
+-        d->certificateFingerprints.append(d->secrets[NM_OPENCONNECT_KEY_GWCERT]);
+-    }
+ 
+     if (!d->secrets["xmlconfig"].isEmpty()) {
+         const QByteArray config = QByteArray::fromBase64(d->secrets["xmlconfig"].toAscii());
+@@ -236,11 +231,6 @@
+         d->ui.chkAutoconnect->setChecked(true);
+         QTimer::singleShot(0, this, SLOT(connectHost()));
+     }
+-
+-    if (!d->secrets["certsigs"].isEmpty()) {
+-        d->certificateFingerprints.append(d->secrets["certsigs"].split('\t'));
+-    }
+-    d->certificateFingerprints.removeDuplicates();
+ }
+ 
+ void OpenconnectAuthWidget::acceptDialog()
+@@ -309,7 +299,6 @@
+     openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint);
+ #endif
+     secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint));
+-    secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t"));
+     secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no");
+ 
+     NMStringMap::iterator i = secrets.begin();
+@@ -492,7 +481,16 @@
+ {
+     Q_D(OpenconnectAuthWidget);
+ 
+-    if (!d->certificateFingerprints.contains(fingerprint)) {
++    const QString host = QLatin1String(openconnect_get_hostname(d->vpninfo));
++    const QString port = QString::number(openconnect_get_port(d->vpninfo));
++    const QString key = QString("certificate:%1:%2").arg(host,  port);
++    const QString value = d->secrets.value(key);
++
++#if !OPENCONNECT_CHECK_VER(5,0)
++#define openconnect_check_peer_cert_hash(v,d) strcmp(d, fingerprint.toUtf8().data())
++#endif
++  
++    if (openconnect_check_peer_cert_hash(d->vpninfo, value.toUtf8().data())) {
+         QWidget *widget = new QWidget();
+         QVBoxLayout *verticalLayout;
+         QHBoxLayout *horizontalLayout;
+@@ -537,7 +535,6 @@
+         dialog.data()->setButtons(KDialog::Yes | KDialog::No);
+         dialog.data()->setMainWidget(widget);
+         if(dialog.data()->exec() == KDialog::Yes) {
+-            d->certificateFingerprints.append(fingerprint);
+             *accepted = true;
+         } else {
+             *accepted = false;
+@@ -549,6 +546,8 @@
+     } else {
+         *accepted = true;
+     }
++    if (*accepted)
++        d->secrets.insert(key, QString(fingerprint));
+     d->mutex.lock();
+     d->workerWaiting.wakeAll();
+     d->mutex.unlock();
+

Copied: kdeplasma-applets-plasma-nm/repos/staging-x86_64/PKGBUILD (from rev 253978, kdeplasma-applets-plasma-nm/trunk/PKGBUILD)
===================================================================
--- staging-x86_64/PKGBUILD	                        (rev 0)
+++ staging-x86_64/PKGBUILD	2015-12-08 16:31:10 UTC (rev 253979)
@@ -0,0 +1,35 @@
+# $Id$
+# Maintainer: Andrea Scarpino <andrea at archlinux.org>
+# Contributor: Antonio Rojas < arojas at archlinux.org >
+
+pkgname=kdeplasma-applets-plasma-nm
+pkgver=0.9.3.6
+pkgrel=2
+pkgdesc="Plasma applet written in QML for managing network connections"
+arch=('i686' 'x86_64')
+url="https://projects.kde.org/projects/kde/workspace/plasma-nm"
+license=('GPL')
+depends=('kdebase-workspace' 'libnm-qt4')
+makedepends=('cmake' 'automoc4' 'openconnect' 'mobile-broadband-provider-info')
+optdepends=('mobile-broadband-provider-info: Database of mobile broadband service providers'
+            'openconnect: Cisco AnyConnect VPN plugin')
+conflicts=('kdeplasma-applets-networkmanagement')
+source=("http://download.kde.org/stable/plasma-nm/plasma-nm-${pkgver}.tar.xz")
+md5sums=('ab94be59919eca6bf89fc1930cf3dd39')
+
+prepare() {
+  mkdir build
+}
+
+build() {
+  cd build
+  cmake ../plasma-nm-${pkgver} \
+    -DCMAKE_INSTALL_PREFIX=/usr \
+    -DCMAKE_BUILD_TYPE=Release
+  make
+}
+
+package() {
+  cd build
+  make DESTDIR="${pkgdir}" install
+}

Copied: kdeplasma-applets-plasma-nm/repos/staging-x86_64/openconnect7.patch (from rev 253978, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch)
===================================================================
--- staging-x86_64/openconnect7.patch	                        (rev 0)
+++ staging-x86_64/openconnect7.patch	2015-12-08 16:31:10 UTC (rev 253979)
@@ -0,0 +1,309 @@
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Wed, 03 Dec 2014 14:10:44 +0000
+Subject: Update OpenConnect support for library version 5
+X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=3e6585fa4dd2fb3d9b59c7704bd3d7ae5b2c4167
+---
+Update OpenConnect support for library version 5
+
+String ownership rules are now very simple: the library never takes ownership
+of a string it's passed. It always takes its *own* copy and is responsible
+for freeing that. Mostly driven by Windows DLL Hell where it's painful to
+allocate in one library and free in another because they might actually be
+using different heaps.
+
+Also adapt to the changes in server certificate hash handling. We are no
+longer supposed to just compare strings, and must call the relevant function
+to check a hash against the server's certificate. This gives better matching
+and allows libopenconnect to upgrade the hash in future when it becomes
+necessary.
+---
+
+
+--- a/vpn/openconnect/CMakeLists.txt
++++ b/vpn/openconnect/CMakeLists.txt
+@@ -15,6 +15,8 @@
+ 
+     if (${OPENCONNECT_VERSION} VERSION_GREATER ${MINIMUM_OPENCONNECT_VERSION_REQUIRED} OR
+         ${OPENCONNECT_VERSION} VERSION_EQUAL ${MINIMUM_OPENCONNECT_VERSION_REQUIRED})
++
++        include_directories(${OPENCONNECT_INCLUDE_DIRS})
+ 
+         set(openconnect_SRCS
+         openconnectui.cpp
+
+--- a/vpn/openconnect/openconnectauth.cpp
++++ b/vpn/openconnect/openconnectauth.cpp
+@@ -161,7 +161,7 @@
+     }
+     if (!dataMap[NM_OPENCONNECT_KEY_CACERT].isEmpty()) {
+         const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_CACERT]);
+-        openconnect_set_cafile(d->vpninfo, strdup(crt.data()));
++        openconnect_set_cafile(d->vpninfo, OC3DUP(crt.data()));
+     }
+     if (dataMap[NM_OPENCONNECT_KEY_CSD_ENABLE] == "yes") {
+         char *wrapper;
+@@ -174,12 +174,12 @@
+     }
+     if (!dataMap[NM_OPENCONNECT_KEY_PROXY].isEmpty()) {
+         const QByteArray proxy = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PROXY]);
+-        openconnect_set_http_proxy(d->vpninfo, strdup(proxy.data()));
++        openconnect_set_http_proxy(d->vpninfo, OC3DUP(proxy.data()));
+     }
+     if (!dataMap[NM_OPENCONNECT_KEY_USERCERT].isEmpty()) {
+         const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_USERCERT]);
+         const QByteArray key = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PRIVKEY]);
+-        openconnect_set_client_cert (d->vpninfo, strdup(crt.data()), strdup(key.data()));
++        openconnect_set_client_cert (d->vpninfo, OC3DUP(crt.data()), OC3DUP(key.data()));
+ 
+         if (!crt.isEmpty() && dataMap[NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID] == "yes") {
+             openconnect_passphrase_from_fsid(d->vpninfo);
+@@ -276,10 +276,10 @@
+     const VPNHost &host = d->hosts.at(i);
+     if (openconnect_parse_url(d->vpninfo, host.address.toAscii().data())) {
+         kWarning() << "Failed to parse server URL" << host.address;
+-        openconnect_set_hostname(d->vpninfo, strdup(host.address.toAscii().data()));
++        openconnect_set_hostname(d->vpninfo, OC3DUP(host.address.toAscii().data()));
+     }
+     if (!openconnect_get_urlpath(d->vpninfo) && !host.group.isEmpty())
+-        openconnect_set_urlpath(d->vpninfo, strdup(host.group.toAscii().data()));
++        openconnect_set_urlpath(d->vpninfo, OC3DUP(host.group.toAscii().data()));
+     d->secrets["lasthost"] = host.name;
+     addFormInfo(QLatin1String("dialog-information"), i18n("Contacting host, please wait..."));
+     d->worker->start();
+@@ -301,9 +301,13 @@
+     secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_COOKIE), QLatin1String(openconnect_get_cookie(d->vpninfo)));
+     openconnect_clear_cookie(d->vpninfo);
+ 
++#if OPENCONNECT_CHECK_VER(5,0)
++    const char *fingerprint = openconnect_get_peer_cert_hash(d->vpninfo);
++#else
+     OPENCONNECT_X509 *cert = openconnect_get_peer_cert(d->vpninfo);
+     char fingerprint[41];
+     openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint);
++#endif
+     secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint));
+     secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t"));
+     secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no");
+@@ -578,14 +582,14 @@
+             if (opt->type == OC_FORM_OPT_PASSWORD || opt->type == OC_FORM_OPT_TEXT) {
+                 KLineEdit *le = qobject_cast<KLineEdit*>(widget);
+                 QByteArray text = le->text().toUtf8();
+-                opt->value = strdup(text.data());
++                openconnect_set_option_value(opt, text.data());
+                 if (opt->type == OC_FORM_OPT_TEXT) {
+                     d->secrets.insert(key,le->text());
+                 }
+             } else if (opt->type == OC_FORM_OPT_SELECT) {
+                 KComboBox *cbo = qobject_cast<KComboBox*>(widget);
+                 QByteArray text = cbo->itemData(cbo->currentIndex()).toString().toAscii();
+-                opt->value = strdup(text.data());
++                openconnect_set_option_value(opt, text.data());
+                 d->secrets.insert(key,cbo->itemData(cbo->currentIndex()).toString());
+             }
+         }
+
+--- a/vpn/openconnect/openconnectauthworkerthread.cpp
++++ b/vpn/openconnect/openconnectauthworkerthread.cpp
+@@ -43,6 +43,20 @@
+ class OpenconnectAuthStaticWrapper
+ {
+ public:
++#if OPENCONNECT_CHECK_VER(5,0)
++    static int writeNewConfig(void *obj, const char *str, int num)
++    {
++        if (obj)
++            return static_cast<OpenconnectAuthWorkerThread*>(obj)->writeNewConfig(str, num);
++        return -1;
++    }
++    static int validatePeerCert(void *obj, const char *str)
++    {
++        if (obj)
++            return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(NULL, str);
++        return -1;
++    }
++#else
+     static int writeNewConfig(void *obj, char *str, int num)
+     {
+         if (obj)
+@@ -55,7 +69,8 @@
+             return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(cert, str);
+         return -1;
+     }
+-    static int processAuthForm(void *obj, struct oc_auth_form *form)
++#endif
++	static int processAuthForm(void *obj, struct oc_auth_form *form)
+     {
+         if (obj)
+             return static_cast<OpenconnectAuthWorkerThread*>(obj)->processAuthFormP(form);
+@@ -108,7 +123,7 @@
+     return m_openconnectInfo;
+ }
+ 
+-int OpenconnectAuthWorkerThread::writeNewConfig(char *buf, int buflen)
++int OpenconnectAuthWorkerThread::writeNewConfig(const char *buf, int buflen)
+ {
+     Q_UNUSED(buflen)
+     if (*m_userDecidedToQuit)
+@@ -139,10 +154,16 @@
+ }
+ #endif
+ 
+-int OpenconnectAuthWorkerThread::validatePeerCert(OPENCONNECT_X509 *cert, const char *reason)
+-{
+-    if (*m_userDecidedToQuit)
+-        return -EINVAL;
++int OpenconnectAuthWorkerThread::validatePeerCert(void *cert, const char *reason)
++{
++    if (*m_userDecidedToQuit)
++        return -EINVAL;
++
++#if OPENCONNECT_CHECK_VER(5,0)
++    (void)cert;
++    const char *fingerprint = openconnect_get_peer_cert_hash(m_openconnectInfo);
++    char *details = openconnect_get_peer_cert_details(m_openconnectInfo);
++#else
+     char fingerprint[41];
+     int ret = 0;
+ 
+@@ -151,7 +172,7 @@
+         return ret;
+ 
+     char *details = openconnect_get_cert_details(m_openconnectInfo, cert);
+-
++#endif
+     bool accepted = false;
+     m_mutex->lock();
+     QString qFingerprint(fingerprint);
+@@ -160,7 +181,7 @@
+     emit validatePeerCert(qFingerprint, qCertinfo, qReason, &accepted);
+     m_waitForUserInput->wait(m_mutex);
+     m_mutex->unlock();
+-    ::free(details);
++    openconnect_free_cert_info(m_openconnectInfo, details);
+     if (*m_userDecidedToQuit)
+         return -EINVAL;
+ 
+
+--- a/vpn/openconnect/openconnectauthworkerthread.h
++++ b/vpn/openconnect/openconnectauthworkerthread.h
+@@ -59,6 +59,17 @@
+ #define OC_FORM_RESULT_NEWGROUP	2
+ #endif
+ 
++#if OPENCONNECT_CHECK_VER(4,0)
++#define OC3DUP(x)			(x)
++#else
++#define openconnect_set_option_value(opt, val) do { \
++		struct oc_form_opt *_o = (opt);				\
++		free(_o->value); _o->value = strdup(val);		\
++	} while (0)
++#define openconnect_free_cert_info(v, x) ::free(x)
++#define OC3DUP(x)			strdup(x)
++#endif
++
+ #include <QThread>
+ 
+ class QMutex;
+@@ -85,8 +96,8 @@
+     void run();
+ 
+ private:
+-    int writeNewConfig(char *, int);
+-    int validatePeerCert(OPENCONNECT_X509 *, const char *);
++    int writeNewConfig(const char *, int);
++    int validatePeerCert(void *, const char *);
+     int processAuthFormP(struct oc_auth_form *);
+     void writeProgress(int level, const char *, va_list);
+ 
+
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Wed, 03 Dec 2014 14:13:22 +0000
+Subject: Update OpenConnect storage of manually-accepted server certs
+X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=bd557b7b8af86ff4b0350a235ff8232fe6c92c0c
+---
+Update OpenConnect storage of manually-accepted server certs
+
+We shouldn't just be storing the certificate hash; we should remember
+*which* host/port it was accepted for, and only accept it for *that* service.
+
+This matches the change in NetworkManager-openconnect 2dc45e25.
+---
+
+
+--- a/vpn/openconnect/openconnectauth.cpp
++++ b/vpn/openconnect/openconnectauth.cpp
+@@ -66,7 +66,6 @@
+     Ui_OpenconnectAuth ui;
+     NetworkManager::VpnSetting::Ptr setting;
+     struct openconnect_info *vpninfo;
+-    QStringList certificateFingerprints;
+     NMStringMap secrets;
+     QMutex mutex;
+     QWaitCondition workerWaiting;
+@@ -192,10 +191,6 @@
+     Q_D(OpenconnectAuthWidget);
+ 
+     d->secrets = d->setting->secrets();
+-
+-    if (!d->secrets[NM_OPENCONNECT_KEY_GWCERT].isEmpty()) {
+-        d->certificateFingerprints.append(d->secrets[NM_OPENCONNECT_KEY_GWCERT]);
+-    }
+ 
+     if (!d->secrets["xmlconfig"].isEmpty()) {
+         const QByteArray config = QByteArray::fromBase64(d->secrets["xmlconfig"].toAscii());
+@@ -236,11 +231,6 @@
+         d->ui.chkAutoconnect->setChecked(true);
+         QTimer::singleShot(0, this, SLOT(connectHost()));
+     }
+-
+-    if (!d->secrets["certsigs"].isEmpty()) {
+-        d->certificateFingerprints.append(d->secrets["certsigs"].split('\t'));
+-    }
+-    d->certificateFingerprints.removeDuplicates();
+ }
+ 
+ void OpenconnectAuthWidget::acceptDialog()
+@@ -309,7 +299,6 @@
+     openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint);
+ #endif
+     secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint));
+-    secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t"));
+     secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no");
+ 
+     NMStringMap::iterator i = secrets.begin();
+@@ -492,7 +481,16 @@
+ {
+     Q_D(OpenconnectAuthWidget);
+ 
+-    if (!d->certificateFingerprints.contains(fingerprint)) {
++    const QString host = QLatin1String(openconnect_get_hostname(d->vpninfo));
++    const QString port = QString::number(openconnect_get_port(d->vpninfo));
++    const QString key = QString("certificate:%1:%2").arg(host,  port);
++    const QString value = d->secrets.value(key);
++
++#if !OPENCONNECT_CHECK_VER(5,0)
++#define openconnect_check_peer_cert_hash(v,d) strcmp(d, fingerprint.toUtf8().data())
++#endif
++  
++    if (openconnect_check_peer_cert_hash(d->vpninfo, value.toUtf8().data())) {
+         QWidget *widget = new QWidget();
+         QVBoxLayout *verticalLayout;
+         QHBoxLayout *horizontalLayout;
+@@ -537,7 +535,6 @@
+         dialog.data()->setButtons(KDialog::Yes | KDialog::No);
+         dialog.data()->setMainWidget(widget);
+         if(dialog.data()->exec() == KDialog::Yes) {
+-            d->certificateFingerprints.append(fingerprint);
+             *accepted = true;
+         } else {
+             *accepted = false;
+@@ -549,6 +546,8 @@
+     } else {
+         *accepted = true;
+     }
++    if (*accepted)
++        d->secrets.insert(key, QString(fingerprint));
+     d->mutex.lock();
+     d->workerWaiting.wakeAll();
+     d->mutex.unlock();
+



More information about the arch-commits mailing list