[arch-commits] Commit in kdeplasma-applets-plasma-nm/repos (6 files)
Andrea Scarpino
andrea at archlinux.org
Fri Jan 2 15:35:43 UTC 2015
Date: Friday, January 2, 2015 @ 16:35:42
Author: andrea
Revision: 228342
archrelease: copy trunk to staging-i686, staging-x86_64
Added:
kdeplasma-applets-plasma-nm/repos/staging-i686/
kdeplasma-applets-plasma-nm/repos/staging-i686/PKGBUILD
(from rev 228341, kdeplasma-applets-plasma-nm/trunk/PKGBUILD)
kdeplasma-applets-plasma-nm/repos/staging-i686/openconnect7.patch
(from rev 228341, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch)
kdeplasma-applets-plasma-nm/repos/staging-x86_64/
kdeplasma-applets-plasma-nm/repos/staging-x86_64/PKGBUILD
(from rev 228341, kdeplasma-applets-plasma-nm/trunk/PKGBUILD)
kdeplasma-applets-plasma-nm/repos/staging-x86_64/openconnect7.patch
(from rev 228341, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch)
-----------------------------------+
staging-i686/PKGBUILD | 40 ++++
staging-i686/openconnect7.patch | 309 ++++++++++++++++++++++++++++++++++++
staging-x86_64/PKGBUILD | 40 ++++
staging-x86_64/openconnect7.patch | 309 ++++++++++++++++++++++++++++++++++++
4 files changed, 698 insertions(+)
Copied: kdeplasma-applets-plasma-nm/repos/staging-i686/PKGBUILD (from rev 228341, kdeplasma-applets-plasma-nm/trunk/PKGBUILD)
===================================================================
--- staging-i686/PKGBUILD (rev 0)
+++ staging-i686/PKGBUILD 2015-01-02 15:35:42 UTC (rev 228342)
@@ -0,0 +1,40 @@
+# $Id$
+# Maintainer: Andrea Scarpino <andrea at archlinux.org>
+# Contributor: Antonio Rojas < nqn1976 @ gmail.com >
+
+pkgname=kdeplasma-applets-plasma-nm
+pkgver=0.9.3.5
+pkgrel=2
+pkgdesc="Plasma applet written in QML for managing network connections"
+arch=('i686' 'x86_64')
+url="https://projects.kde.org/projects/kde/workspace/plasma-nm"
+license=('GPL')
+depends=('kdebase-workspace' 'libnm-qt')
+makedepends=('cmake' 'automoc4' 'openconnect' 'mobile-broadband-provider-info')
+optdepends=('mobile-broadband-provider-info: Database of mobile broadband service providers'
+ 'openconnect: Cisco AnyConnect VPN plugin')
+conflicts=('kdeplasma-applets-networkmanagement')
+source=("http://download.kde.org/stable/plasma-nm/plasma-nm-${pkgver}.tar.xz"
+ 'openconnect7.patch')
+md5sums=('16f5e711de503fa8e5adeef9922c7c98'
+ '669e568324f059acc8777e82403b1deb')
+
+prepare() {
+ mkdir build
+
+ cd plasma-nm-${pkgver}
+ patch -p1 -i "${srcdir}"/openconnect7.patch
+}
+
+build() {
+ cd build
+ cmake ../plasma-nm-${pkgver} \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DCMAKE_BUILD_TYPE=Release
+ make
+}
+
+package() {
+ cd build
+ make DESTDIR="${pkgdir}" install
+}
Copied: kdeplasma-applets-plasma-nm/repos/staging-i686/openconnect7.patch (from rev 228341, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch)
===================================================================
--- staging-i686/openconnect7.patch (rev 0)
+++ staging-i686/openconnect7.patch 2015-01-02 15:35:42 UTC (rev 228342)
@@ -0,0 +1,309 @@
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Wed, 03 Dec 2014 14:10:44 +0000
+Subject: Update OpenConnect support for library version 5
+X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=3e6585fa4dd2fb3d9b59c7704bd3d7ae5b2c4167
+---
+Update OpenConnect support for library version 5
+
+String ownership rules are now very simple: the library never takes ownership
+of a string it's passed. It always takes its *own* copy and is responsible
+for freeing that. Mostly driven by Windows DLL Hell where it's painful to
+allocate in one library and free in another because they might actually be
+using different heaps.
+
+Also adapt to the changes in server certificate hash handling. We are no
+longer supposed to just compare strings, and must call the relevant function
+to check a hash against the server's certificate. This gives better matching
+and allows libopenconnect to upgrade the hash in future when it becomes
+necessary.
+---
+
+
+--- a/vpn/openconnect/CMakeLists.txt
++++ b/vpn/openconnect/CMakeLists.txt
+@@ -15,6 +15,8 @@
+
+ if (${OPENCONNECT_VERSION} VERSION_GREATER ${MINIMUM_OPENCONNECT_VERSION_REQUIRED} OR
+ ${OPENCONNECT_VERSION} VERSION_EQUAL ${MINIMUM_OPENCONNECT_VERSION_REQUIRED})
++
++ include_directories(${OPENCONNECT_INCLUDE_DIRS})
+
+ set(openconnect_SRCS
+ openconnectui.cpp
+
+--- a/vpn/openconnect/openconnectauth.cpp
++++ b/vpn/openconnect/openconnectauth.cpp
+@@ -161,7 +161,7 @@
+ }
+ if (!dataMap[NM_OPENCONNECT_KEY_CACERT].isEmpty()) {
+ const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_CACERT]);
+- openconnect_set_cafile(d->vpninfo, strdup(crt.data()));
++ openconnect_set_cafile(d->vpninfo, OC3DUP(crt.data()));
+ }
+ if (dataMap[NM_OPENCONNECT_KEY_CSD_ENABLE] == "yes") {
+ char *wrapper;
+@@ -174,12 +174,12 @@
+ }
+ if (!dataMap[NM_OPENCONNECT_KEY_PROXY].isEmpty()) {
+ const QByteArray proxy = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PROXY]);
+- openconnect_set_http_proxy(d->vpninfo, strdup(proxy.data()));
++ openconnect_set_http_proxy(d->vpninfo, OC3DUP(proxy.data()));
+ }
+ if (!dataMap[NM_OPENCONNECT_KEY_USERCERT].isEmpty()) {
+ const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_USERCERT]);
+ const QByteArray key = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PRIVKEY]);
+- openconnect_set_client_cert (d->vpninfo, strdup(crt.data()), strdup(key.data()));
++ openconnect_set_client_cert (d->vpninfo, OC3DUP(crt.data()), OC3DUP(key.data()));
+
+ if (!crt.isEmpty() && dataMap[NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID] == "yes") {
+ openconnect_passphrase_from_fsid(d->vpninfo);
+@@ -276,10 +276,10 @@
+ const VPNHost &host = d->hosts.at(i);
+ if (openconnect_parse_url(d->vpninfo, host.address.toAscii().data())) {
+ kWarning() << "Failed to parse server URL" << host.address;
+- openconnect_set_hostname(d->vpninfo, strdup(host.address.toAscii().data()));
++ openconnect_set_hostname(d->vpninfo, OC3DUP(host.address.toAscii().data()));
+ }
+ if (!openconnect_get_urlpath(d->vpninfo) && !host.group.isEmpty())
+- openconnect_set_urlpath(d->vpninfo, strdup(host.group.toAscii().data()));
++ openconnect_set_urlpath(d->vpninfo, OC3DUP(host.group.toAscii().data()));
+ d->secrets["lasthost"] = host.name;
+ addFormInfo(QLatin1String("dialog-information"), i18n("Contacting host, please wait..."));
+ d->worker->start();
+@@ -301,9 +301,13 @@
+ secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_COOKIE), QLatin1String(openconnect_get_cookie(d->vpninfo)));
+ openconnect_clear_cookie(d->vpninfo);
+
++#if OPENCONNECT_CHECK_VER(5,0)
++ const char *fingerprint = openconnect_get_peer_cert_hash(d->vpninfo);
++#else
+ OPENCONNECT_X509 *cert = openconnect_get_peer_cert(d->vpninfo);
+ char fingerprint[41];
+ openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint);
++#endif
+ secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint));
+ secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t"));
+ secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no");
+@@ -578,14 +582,14 @@
+ if (opt->type == OC_FORM_OPT_PASSWORD || opt->type == OC_FORM_OPT_TEXT) {
+ KLineEdit *le = qobject_cast<KLineEdit*>(widget);
+ QByteArray text = le->text().toUtf8();
+- opt->value = strdup(text.data());
++ openconnect_set_option_value(opt, text.data());
+ if (opt->type == OC_FORM_OPT_TEXT) {
+ d->secrets.insert(key,le->text());
+ }
+ } else if (opt->type == OC_FORM_OPT_SELECT) {
+ KComboBox *cbo = qobject_cast<KComboBox*>(widget);
+ QByteArray text = cbo->itemData(cbo->currentIndex()).toString().toAscii();
+- opt->value = strdup(text.data());
++ openconnect_set_option_value(opt, text.data());
+ d->secrets.insert(key,cbo->itemData(cbo->currentIndex()).toString());
+ }
+ }
+
+--- a/vpn/openconnect/openconnectauthworkerthread.cpp
++++ b/vpn/openconnect/openconnectauthworkerthread.cpp
+@@ -43,6 +43,20 @@
+ class OpenconnectAuthStaticWrapper
+ {
+ public:
++#if OPENCONNECT_CHECK_VER(5,0)
++ static int writeNewConfig(void *obj, const char *str, int num)
++ {
++ if (obj)
++ return static_cast<OpenconnectAuthWorkerThread*>(obj)->writeNewConfig(str, num);
++ return -1;
++ }
++ static int validatePeerCert(void *obj, const char *str)
++ {
++ if (obj)
++ return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(NULL, str);
++ return -1;
++ }
++#else
+ static int writeNewConfig(void *obj, char *str, int num)
+ {
+ if (obj)
+@@ -55,7 +69,8 @@
+ return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(cert, str);
+ return -1;
+ }
+- static int processAuthForm(void *obj, struct oc_auth_form *form)
++#endif
++ static int processAuthForm(void *obj, struct oc_auth_form *form)
+ {
+ if (obj)
+ return static_cast<OpenconnectAuthWorkerThread*>(obj)->processAuthFormP(form);
+@@ -108,7 +123,7 @@
+ return m_openconnectInfo;
+ }
+
+-int OpenconnectAuthWorkerThread::writeNewConfig(char *buf, int buflen)
++int OpenconnectAuthWorkerThread::writeNewConfig(const char *buf, int buflen)
+ {
+ Q_UNUSED(buflen)
+ if (*m_userDecidedToQuit)
+@@ -139,10 +154,16 @@
+ }
+ #endif
+
+-int OpenconnectAuthWorkerThread::validatePeerCert(OPENCONNECT_X509 *cert, const char *reason)
+-{
+- if (*m_userDecidedToQuit)
+- return -EINVAL;
++int OpenconnectAuthWorkerThread::validatePeerCert(void *cert, const char *reason)
++{
++ if (*m_userDecidedToQuit)
++ return -EINVAL;
++
++#if OPENCONNECT_CHECK_VER(5,0)
++ (void)cert;
++ const char *fingerprint = openconnect_get_peer_cert_hash(m_openconnectInfo);
++ char *details = openconnect_get_peer_cert_details(m_openconnectInfo);
++#else
+ char fingerprint[41];
+ int ret = 0;
+
+@@ -151,7 +172,7 @@
+ return ret;
+
+ char *details = openconnect_get_cert_details(m_openconnectInfo, cert);
+-
++#endif
+ bool accepted = false;
+ m_mutex->lock();
+ QString qFingerprint(fingerprint);
+@@ -160,7 +181,7 @@
+ emit validatePeerCert(qFingerprint, qCertinfo, qReason, &accepted);
+ m_waitForUserInput->wait(m_mutex);
+ m_mutex->unlock();
+- ::free(details);
++ openconnect_free_cert_info(m_openconnectInfo, details);
+ if (*m_userDecidedToQuit)
+ return -EINVAL;
+
+
+--- a/vpn/openconnect/openconnectauthworkerthread.h
++++ b/vpn/openconnect/openconnectauthworkerthread.h
+@@ -59,6 +59,17 @@
+ #define OC_FORM_RESULT_NEWGROUP 2
+ #endif
+
++#if OPENCONNECT_CHECK_VER(4,0)
++#define OC3DUP(x) (x)
++#else
++#define openconnect_set_option_value(opt, val) do { \
++ struct oc_form_opt *_o = (opt); \
++ free(_o->value); _o->value = strdup(val); \
++ } while (0)
++#define openconnect_free_cert_info(v, x) ::free(x)
++#define OC3DUP(x) strdup(x)
++#endif
++
+ #include <QThread>
+
+ class QMutex;
+@@ -85,8 +96,8 @@
+ void run();
+
+ private:
+- int writeNewConfig(char *, int);
+- int validatePeerCert(OPENCONNECT_X509 *, const char *);
++ int writeNewConfig(const char *, int);
++ int validatePeerCert(void *, const char *);
+ int processAuthFormP(struct oc_auth_form *);
+ void writeProgress(int level, const char *, va_list);
+
+
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Wed, 03 Dec 2014 14:13:22 +0000
+Subject: Update OpenConnect storage of manually-accepted server certs
+X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=bd557b7b8af86ff4b0350a235ff8232fe6c92c0c
+---
+Update OpenConnect storage of manually-accepted server certs
+
+We shouldn't just be storing the certificate hash; we should remember
+*which* host/port it was accepted for, and only accept it for *that* service.
+
+This matches the change in NetworkManager-openconnect 2dc45e25.
+---
+
+
+--- a/vpn/openconnect/openconnectauth.cpp
++++ b/vpn/openconnect/openconnectauth.cpp
+@@ -66,7 +66,6 @@
+ Ui_OpenconnectAuth ui;
+ NetworkManager::VpnSetting::Ptr setting;
+ struct openconnect_info *vpninfo;
+- QStringList certificateFingerprints;
+ NMStringMap secrets;
+ QMutex mutex;
+ QWaitCondition workerWaiting;
+@@ -192,10 +191,6 @@
+ Q_D(OpenconnectAuthWidget);
+
+ d->secrets = d->setting->secrets();
+-
+- if (!d->secrets[NM_OPENCONNECT_KEY_GWCERT].isEmpty()) {
+- d->certificateFingerprints.append(d->secrets[NM_OPENCONNECT_KEY_GWCERT]);
+- }
+
+ if (!d->secrets["xmlconfig"].isEmpty()) {
+ const QByteArray config = QByteArray::fromBase64(d->secrets["xmlconfig"].toAscii());
+@@ -236,11 +231,6 @@
+ d->ui.chkAutoconnect->setChecked(true);
+ QTimer::singleShot(0, this, SLOT(connectHost()));
+ }
+-
+- if (!d->secrets["certsigs"].isEmpty()) {
+- d->certificateFingerprints.append(d->secrets["certsigs"].split('\t'));
+- }
+- d->certificateFingerprints.removeDuplicates();
+ }
+
+ void OpenconnectAuthWidget::acceptDialog()
+@@ -309,7 +299,6 @@
+ openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint);
+ #endif
+ secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint));
+- secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t"));
+ secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no");
+
+ NMStringMap::iterator i = secrets.begin();
+@@ -492,7 +481,16 @@
+ {
+ Q_D(OpenconnectAuthWidget);
+
+- if (!d->certificateFingerprints.contains(fingerprint)) {
++ const QString host = QLatin1String(openconnect_get_hostname(d->vpninfo));
++ const QString port = QString::number(openconnect_get_port(d->vpninfo));
++ const QString key = QString("certificate:%1:%2").arg(host, port);
++ const QString value = d->secrets.value(key);
++
++#if !OPENCONNECT_CHECK_VER(5,0)
++#define openconnect_check_peer_cert_hash(v,d) strcmp(d, fingerprint.toUtf8().data())
++#endif
++
++ if (openconnect_check_peer_cert_hash(d->vpninfo, value.toUtf8().data())) {
+ QWidget *widget = new QWidget();
+ QVBoxLayout *verticalLayout;
+ QHBoxLayout *horizontalLayout;
+@@ -537,7 +535,6 @@
+ dialog.data()->setButtons(KDialog::Yes | KDialog::No);
+ dialog.data()->setMainWidget(widget);
+ if(dialog.data()->exec() == KDialog::Yes) {
+- d->certificateFingerprints.append(fingerprint);
+ *accepted = true;
+ } else {
+ *accepted = false;
+@@ -549,6 +546,8 @@
+ } else {
+ *accepted = true;
+ }
++ if (*accepted)
++ d->secrets.insert(key, QString(fingerprint));
+ d->mutex.lock();
+ d->workerWaiting.wakeAll();
+ d->mutex.unlock();
+
Copied: kdeplasma-applets-plasma-nm/repos/staging-x86_64/PKGBUILD (from rev 228341, kdeplasma-applets-plasma-nm/trunk/PKGBUILD)
===================================================================
--- staging-x86_64/PKGBUILD (rev 0)
+++ staging-x86_64/PKGBUILD 2015-01-02 15:35:42 UTC (rev 228342)
@@ -0,0 +1,40 @@
+# $Id$
+# Maintainer: Andrea Scarpino <andrea at archlinux.org>
+# Contributor: Antonio Rojas < nqn1976 @ gmail.com >
+
+pkgname=kdeplasma-applets-plasma-nm
+pkgver=0.9.3.5
+pkgrel=2
+pkgdesc="Plasma applet written in QML for managing network connections"
+arch=('i686' 'x86_64')
+url="https://projects.kde.org/projects/kde/workspace/plasma-nm"
+license=('GPL')
+depends=('kdebase-workspace' 'libnm-qt')
+makedepends=('cmake' 'automoc4' 'openconnect' 'mobile-broadband-provider-info')
+optdepends=('mobile-broadband-provider-info: Database of mobile broadband service providers'
+ 'openconnect: Cisco AnyConnect VPN plugin')
+conflicts=('kdeplasma-applets-networkmanagement')
+source=("http://download.kde.org/stable/plasma-nm/plasma-nm-${pkgver}.tar.xz"
+ 'openconnect7.patch')
+md5sums=('16f5e711de503fa8e5adeef9922c7c98'
+ '669e568324f059acc8777e82403b1deb')
+
+prepare() {
+ mkdir build
+
+ cd plasma-nm-${pkgver}
+ patch -p1 -i "${srcdir}"/openconnect7.patch
+}
+
+build() {
+ cd build
+ cmake ../plasma-nm-${pkgver} \
+ -DCMAKE_INSTALL_PREFIX=/usr \
+ -DCMAKE_BUILD_TYPE=Release
+ make
+}
+
+package() {
+ cd build
+ make DESTDIR="${pkgdir}" install
+}
Copied: kdeplasma-applets-plasma-nm/repos/staging-x86_64/openconnect7.patch (from rev 228341, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch)
===================================================================
--- staging-x86_64/openconnect7.patch (rev 0)
+++ staging-x86_64/openconnect7.patch 2015-01-02 15:35:42 UTC (rev 228342)
@@ -0,0 +1,309 @@
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Wed, 03 Dec 2014 14:10:44 +0000
+Subject: Update OpenConnect support for library version 5
+X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=3e6585fa4dd2fb3d9b59c7704bd3d7ae5b2c4167
+---
+Update OpenConnect support for library version 5
+
+String ownership rules are now very simple: the library never takes ownership
+of a string it's passed. It always takes its *own* copy and is responsible
+for freeing that. Mostly driven by Windows DLL Hell where it's painful to
+allocate in one library and free in another because they might actually be
+using different heaps.
+
+Also adapt to the changes in server certificate hash handling. We are no
+longer supposed to just compare strings, and must call the relevant function
+to check a hash against the server's certificate. This gives better matching
+and allows libopenconnect to upgrade the hash in future when it becomes
+necessary.
+---
+
+
+--- a/vpn/openconnect/CMakeLists.txt
++++ b/vpn/openconnect/CMakeLists.txt
+@@ -15,6 +15,8 @@
+
+ if (${OPENCONNECT_VERSION} VERSION_GREATER ${MINIMUM_OPENCONNECT_VERSION_REQUIRED} OR
+ ${OPENCONNECT_VERSION} VERSION_EQUAL ${MINIMUM_OPENCONNECT_VERSION_REQUIRED})
++
++ include_directories(${OPENCONNECT_INCLUDE_DIRS})
+
+ set(openconnect_SRCS
+ openconnectui.cpp
+
+--- a/vpn/openconnect/openconnectauth.cpp
++++ b/vpn/openconnect/openconnectauth.cpp
+@@ -161,7 +161,7 @@
+ }
+ if (!dataMap[NM_OPENCONNECT_KEY_CACERT].isEmpty()) {
+ const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_CACERT]);
+- openconnect_set_cafile(d->vpninfo, strdup(crt.data()));
++ openconnect_set_cafile(d->vpninfo, OC3DUP(crt.data()));
+ }
+ if (dataMap[NM_OPENCONNECT_KEY_CSD_ENABLE] == "yes") {
+ char *wrapper;
+@@ -174,12 +174,12 @@
+ }
+ if (!dataMap[NM_OPENCONNECT_KEY_PROXY].isEmpty()) {
+ const QByteArray proxy = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PROXY]);
+- openconnect_set_http_proxy(d->vpninfo, strdup(proxy.data()));
++ openconnect_set_http_proxy(d->vpninfo, OC3DUP(proxy.data()));
+ }
+ if (!dataMap[NM_OPENCONNECT_KEY_USERCERT].isEmpty()) {
+ const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_USERCERT]);
+ const QByteArray key = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PRIVKEY]);
+- openconnect_set_client_cert (d->vpninfo, strdup(crt.data()), strdup(key.data()));
++ openconnect_set_client_cert (d->vpninfo, OC3DUP(crt.data()), OC3DUP(key.data()));
+
+ if (!crt.isEmpty() && dataMap[NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID] == "yes") {
+ openconnect_passphrase_from_fsid(d->vpninfo);
+@@ -276,10 +276,10 @@
+ const VPNHost &host = d->hosts.at(i);
+ if (openconnect_parse_url(d->vpninfo, host.address.toAscii().data())) {
+ kWarning() << "Failed to parse server URL" << host.address;
+- openconnect_set_hostname(d->vpninfo, strdup(host.address.toAscii().data()));
++ openconnect_set_hostname(d->vpninfo, OC3DUP(host.address.toAscii().data()));
+ }
+ if (!openconnect_get_urlpath(d->vpninfo) && !host.group.isEmpty())
+- openconnect_set_urlpath(d->vpninfo, strdup(host.group.toAscii().data()));
++ openconnect_set_urlpath(d->vpninfo, OC3DUP(host.group.toAscii().data()));
+ d->secrets["lasthost"] = host.name;
+ addFormInfo(QLatin1String("dialog-information"), i18n("Contacting host, please wait..."));
+ d->worker->start();
+@@ -301,9 +301,13 @@
+ secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_COOKIE), QLatin1String(openconnect_get_cookie(d->vpninfo)));
+ openconnect_clear_cookie(d->vpninfo);
+
++#if OPENCONNECT_CHECK_VER(5,0)
++ const char *fingerprint = openconnect_get_peer_cert_hash(d->vpninfo);
++#else
+ OPENCONNECT_X509 *cert = openconnect_get_peer_cert(d->vpninfo);
+ char fingerprint[41];
+ openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint);
++#endif
+ secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint));
+ secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t"));
+ secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no");
+@@ -578,14 +582,14 @@
+ if (opt->type == OC_FORM_OPT_PASSWORD || opt->type == OC_FORM_OPT_TEXT) {
+ KLineEdit *le = qobject_cast<KLineEdit*>(widget);
+ QByteArray text = le->text().toUtf8();
+- opt->value = strdup(text.data());
++ openconnect_set_option_value(opt, text.data());
+ if (opt->type == OC_FORM_OPT_TEXT) {
+ d->secrets.insert(key,le->text());
+ }
+ } else if (opt->type == OC_FORM_OPT_SELECT) {
+ KComboBox *cbo = qobject_cast<KComboBox*>(widget);
+ QByteArray text = cbo->itemData(cbo->currentIndex()).toString().toAscii();
+- opt->value = strdup(text.data());
++ openconnect_set_option_value(opt, text.data());
+ d->secrets.insert(key,cbo->itemData(cbo->currentIndex()).toString());
+ }
+ }
+
+--- a/vpn/openconnect/openconnectauthworkerthread.cpp
++++ b/vpn/openconnect/openconnectauthworkerthread.cpp
+@@ -43,6 +43,20 @@
+ class OpenconnectAuthStaticWrapper
+ {
+ public:
++#if OPENCONNECT_CHECK_VER(5,0)
++ static int writeNewConfig(void *obj, const char *str, int num)
++ {
++ if (obj)
++ return static_cast<OpenconnectAuthWorkerThread*>(obj)->writeNewConfig(str, num);
++ return -1;
++ }
++ static int validatePeerCert(void *obj, const char *str)
++ {
++ if (obj)
++ return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(NULL, str);
++ return -1;
++ }
++#else
+ static int writeNewConfig(void *obj, char *str, int num)
+ {
+ if (obj)
+@@ -55,7 +69,8 @@
+ return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(cert, str);
+ return -1;
+ }
+- static int processAuthForm(void *obj, struct oc_auth_form *form)
++#endif
++ static int processAuthForm(void *obj, struct oc_auth_form *form)
+ {
+ if (obj)
+ return static_cast<OpenconnectAuthWorkerThread*>(obj)->processAuthFormP(form);
+@@ -108,7 +123,7 @@
+ return m_openconnectInfo;
+ }
+
+-int OpenconnectAuthWorkerThread::writeNewConfig(char *buf, int buflen)
++int OpenconnectAuthWorkerThread::writeNewConfig(const char *buf, int buflen)
+ {
+ Q_UNUSED(buflen)
+ if (*m_userDecidedToQuit)
+@@ -139,10 +154,16 @@
+ }
+ #endif
+
+-int OpenconnectAuthWorkerThread::validatePeerCert(OPENCONNECT_X509 *cert, const char *reason)
+-{
+- if (*m_userDecidedToQuit)
+- return -EINVAL;
++int OpenconnectAuthWorkerThread::validatePeerCert(void *cert, const char *reason)
++{
++ if (*m_userDecidedToQuit)
++ return -EINVAL;
++
++#if OPENCONNECT_CHECK_VER(5,0)
++ (void)cert;
++ const char *fingerprint = openconnect_get_peer_cert_hash(m_openconnectInfo);
++ char *details = openconnect_get_peer_cert_details(m_openconnectInfo);
++#else
+ char fingerprint[41];
+ int ret = 0;
+
+@@ -151,7 +172,7 @@
+ return ret;
+
+ char *details = openconnect_get_cert_details(m_openconnectInfo, cert);
+-
++#endif
+ bool accepted = false;
+ m_mutex->lock();
+ QString qFingerprint(fingerprint);
+@@ -160,7 +181,7 @@
+ emit validatePeerCert(qFingerprint, qCertinfo, qReason, &accepted);
+ m_waitForUserInput->wait(m_mutex);
+ m_mutex->unlock();
+- ::free(details);
++ openconnect_free_cert_info(m_openconnectInfo, details);
+ if (*m_userDecidedToQuit)
+ return -EINVAL;
+
+
+--- a/vpn/openconnect/openconnectauthworkerthread.h
++++ b/vpn/openconnect/openconnectauthworkerthread.h
+@@ -59,6 +59,17 @@
+ #define OC_FORM_RESULT_NEWGROUP 2
+ #endif
+
++#if OPENCONNECT_CHECK_VER(4,0)
++#define OC3DUP(x) (x)
++#else
++#define openconnect_set_option_value(opt, val) do { \
++ struct oc_form_opt *_o = (opt); \
++ free(_o->value); _o->value = strdup(val); \
++ } while (0)
++#define openconnect_free_cert_info(v, x) ::free(x)
++#define OC3DUP(x) strdup(x)
++#endif
++
+ #include <QThread>
+
+ class QMutex;
+@@ -85,8 +96,8 @@
+ void run();
+
+ private:
+- int writeNewConfig(char *, int);
+- int validatePeerCert(OPENCONNECT_X509 *, const char *);
++ int writeNewConfig(const char *, int);
++ int validatePeerCert(void *, const char *);
+ int processAuthFormP(struct oc_auth_form *);
+ void writeProgress(int level, const char *, va_list);
+
+
+From: David Woodhouse <David.Woodhouse at intel.com>
+Date: Wed, 03 Dec 2014 14:13:22 +0000
+Subject: Update OpenConnect storage of manually-accepted server certs
+X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=bd557b7b8af86ff4b0350a235ff8232fe6c92c0c
+---
+Update OpenConnect storage of manually-accepted server certs
+
+We shouldn't just be storing the certificate hash; we should remember
+*which* host/port it was accepted for, and only accept it for *that* service.
+
+This matches the change in NetworkManager-openconnect 2dc45e25.
+---
+
+
+--- a/vpn/openconnect/openconnectauth.cpp
++++ b/vpn/openconnect/openconnectauth.cpp
+@@ -66,7 +66,6 @@
+ Ui_OpenconnectAuth ui;
+ NetworkManager::VpnSetting::Ptr setting;
+ struct openconnect_info *vpninfo;
+- QStringList certificateFingerprints;
+ NMStringMap secrets;
+ QMutex mutex;
+ QWaitCondition workerWaiting;
+@@ -192,10 +191,6 @@
+ Q_D(OpenconnectAuthWidget);
+
+ d->secrets = d->setting->secrets();
+-
+- if (!d->secrets[NM_OPENCONNECT_KEY_GWCERT].isEmpty()) {
+- d->certificateFingerprints.append(d->secrets[NM_OPENCONNECT_KEY_GWCERT]);
+- }
+
+ if (!d->secrets["xmlconfig"].isEmpty()) {
+ const QByteArray config = QByteArray::fromBase64(d->secrets["xmlconfig"].toAscii());
+@@ -236,11 +231,6 @@
+ d->ui.chkAutoconnect->setChecked(true);
+ QTimer::singleShot(0, this, SLOT(connectHost()));
+ }
+-
+- if (!d->secrets["certsigs"].isEmpty()) {
+- d->certificateFingerprints.append(d->secrets["certsigs"].split('\t'));
+- }
+- d->certificateFingerprints.removeDuplicates();
+ }
+
+ void OpenconnectAuthWidget::acceptDialog()
+@@ -309,7 +299,6 @@
+ openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint);
+ #endif
+ secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint));
+- secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t"));
+ secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no");
+
+ NMStringMap::iterator i = secrets.begin();
+@@ -492,7 +481,16 @@
+ {
+ Q_D(OpenconnectAuthWidget);
+
+- if (!d->certificateFingerprints.contains(fingerprint)) {
++ const QString host = QLatin1String(openconnect_get_hostname(d->vpninfo));
++ const QString port = QString::number(openconnect_get_port(d->vpninfo));
++ const QString key = QString("certificate:%1:%2").arg(host, port);
++ const QString value = d->secrets.value(key);
++
++#if !OPENCONNECT_CHECK_VER(5,0)
++#define openconnect_check_peer_cert_hash(v,d) strcmp(d, fingerprint.toUtf8().data())
++#endif
++
++ if (openconnect_check_peer_cert_hash(d->vpninfo, value.toUtf8().data())) {
+ QWidget *widget = new QWidget();
+ QVBoxLayout *verticalLayout;
+ QHBoxLayout *horizontalLayout;
+@@ -537,7 +535,6 @@
+ dialog.data()->setButtons(KDialog::Yes | KDialog::No);
+ dialog.data()->setMainWidget(widget);
+ if(dialog.data()->exec() == KDialog::Yes) {
+- d->certificateFingerprints.append(fingerprint);
+ *accepted = true;
+ } else {
+ *accepted = false;
+@@ -549,6 +546,8 @@
+ } else {
+ *accepted = true;
+ }
++ if (*accepted)
++ d->secrets.insert(key, QString(fingerprint));
+ d->mutex.lock();
+ d->workerWaiting.wakeAll();
+ d->mutex.unlock();
+
More information about the arch-commits
mailing list