Date: Tuesday, December 8, 2015 @ 17:31:10 Author: allan Revision: 253979
archrelease: copy trunk to staging-i686, staging-x86_64 Added: kdeplasma-applets-plasma-nm/repos/staging-i686/ kdeplasma-applets-plasma-nm/repos/staging-i686/PKGBUILD (from rev 253978, kdeplasma-applets-plasma-nm/trunk/PKGBUILD) kdeplasma-applets-plasma-nm/repos/staging-i686/openconnect7.patch (from rev 253978, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch) kdeplasma-applets-plasma-nm/repos/staging-x86_64/ kdeplasma-applets-plasma-nm/repos/staging-x86_64/PKGBUILD (from rev 253978, kdeplasma-applets-plasma-nm/trunk/PKGBUILD) kdeplasma-applets-plasma-nm/repos/staging-x86_64/openconnect7.patch (from rev 253978, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch) -----------------------------------+ staging-i686/PKGBUILD | 35 ++++ staging-i686/openconnect7.patch | 309 ++++++++++++++++++++++++++++++++++++ staging-x86_64/PKGBUILD | 35 ++++ staging-x86_64/openconnect7.patch | 309 ++++++++++++++++++++++++++++++++++++ 4 files changed, 688 insertions(+) Copied: kdeplasma-applets-plasma-nm/repos/staging-i686/PKGBUILD (from rev 253978, kdeplasma-applets-plasma-nm/trunk/PKGBUILD) =================================================================== --- staging-i686/PKGBUILD (rev 0) +++ staging-i686/PKGBUILD 2015-12-08 16:31:10 UTC (rev 253979) @@ -0,0 +1,35 @@ +# $Id$ +# Maintainer: Andrea Scarpino <and...@archlinux.org> +# Contributor: Antonio Rojas < aro...@archlinux.org > + +pkgname=kdeplasma-applets-plasma-nm +pkgver=0.9.3.6 +pkgrel=2 +pkgdesc="Plasma applet written in QML for managing network connections" +arch=('i686' 'x86_64') +url="https://projects.kde.org/projects/kde/workspace/plasma-nm" +license=('GPL') +depends=('kdebase-workspace' 'libnm-qt4') +makedepends=('cmake' 'automoc4' 'openconnect' 'mobile-broadband-provider-info') +optdepends=('mobile-broadband-provider-info: Database of mobile broadband service providers' + 'openconnect: Cisco AnyConnect VPN plugin') +conflicts=('kdeplasma-applets-networkmanagement') +source=("http://download.kde.org/stable/plasma-nm/plasma-nm-${pkgver}.tar.xz") +md5sums=('ab94be59919eca6bf89fc1930cf3dd39') + +prepare() { + mkdir build +} + +build() { + cd build + cmake ../plasma-nm-${pkgver} \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_BUILD_TYPE=Release + make +} + +package() { + cd build + make DESTDIR="${pkgdir}" install +} Copied: kdeplasma-applets-plasma-nm/repos/staging-i686/openconnect7.patch (from rev 253978, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch) =================================================================== --- staging-i686/openconnect7.patch (rev 0) +++ staging-i686/openconnect7.patch 2015-12-08 16:31:10 UTC (rev 253979) @@ -0,0 +1,309 @@ +From: David Woodhouse <david.woodho...@intel.com> +Date: Wed, 03 Dec 2014 14:10:44 +0000 +Subject: Update OpenConnect support for library version 5 +X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=3e6585fa4dd2fb3d9b59c7704bd3d7ae5b2c4167 +--- +Update OpenConnect support for library version 5 + +String ownership rules are now very simple: the library never takes ownership +of a string it's passed. It always takes its *own* copy and is responsible +for freeing that. Mostly driven by Windows DLL Hell where it's painful to +allocate in one library and free in another because they might actually be +using different heaps. + +Also adapt to the changes in server certificate hash handling. We are no +longer supposed to just compare strings, and must call the relevant function +to check a hash against the server's certificate. This gives better matching +and allows libopenconnect to upgrade the hash in future when it becomes +necessary. +--- + + +--- a/vpn/openconnect/CMakeLists.txt ++++ b/vpn/openconnect/CMakeLists.txt +@@ -15,6 +15,8 @@ + + if (${OPENCONNECT_VERSION} VERSION_GREATER ${MINIMUM_OPENCONNECT_VERSION_REQUIRED} OR + ${OPENCONNECT_VERSION} VERSION_EQUAL ${MINIMUM_OPENCONNECT_VERSION_REQUIRED}) ++ ++ include_directories(${OPENCONNECT_INCLUDE_DIRS}) + + set(openconnect_SRCS + openconnectui.cpp + +--- a/vpn/openconnect/openconnectauth.cpp ++++ b/vpn/openconnect/openconnectauth.cpp +@@ -161,7 +161,7 @@ + } + if (!dataMap[NM_OPENCONNECT_KEY_CACERT].isEmpty()) { + const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_CACERT]); +- openconnect_set_cafile(d->vpninfo, strdup(crt.data())); ++ openconnect_set_cafile(d->vpninfo, OC3DUP(crt.data())); + } + if (dataMap[NM_OPENCONNECT_KEY_CSD_ENABLE] == "yes") { + char *wrapper; +@@ -174,12 +174,12 @@ + } + if (!dataMap[NM_OPENCONNECT_KEY_PROXY].isEmpty()) { + const QByteArray proxy = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PROXY]); +- openconnect_set_http_proxy(d->vpninfo, strdup(proxy.data())); ++ openconnect_set_http_proxy(d->vpninfo, OC3DUP(proxy.data())); + } + if (!dataMap[NM_OPENCONNECT_KEY_USERCERT].isEmpty()) { + const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_USERCERT]); + const QByteArray key = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PRIVKEY]); +- openconnect_set_client_cert (d->vpninfo, strdup(crt.data()), strdup(key.data())); ++ openconnect_set_client_cert (d->vpninfo, OC3DUP(crt.data()), OC3DUP(key.data())); + + if (!crt.isEmpty() && dataMap[NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID] == "yes") { + openconnect_passphrase_from_fsid(d->vpninfo); +@@ -276,10 +276,10 @@ + const VPNHost &host = d->hosts.at(i); + if (openconnect_parse_url(d->vpninfo, host.address.toAscii().data())) { + kWarning() << "Failed to parse server URL" << host.address; +- openconnect_set_hostname(d->vpninfo, strdup(host.address.toAscii().data())); ++ openconnect_set_hostname(d->vpninfo, OC3DUP(host.address.toAscii().data())); + } + if (!openconnect_get_urlpath(d->vpninfo) && !host.group.isEmpty()) +- openconnect_set_urlpath(d->vpninfo, strdup(host.group.toAscii().data())); ++ openconnect_set_urlpath(d->vpninfo, OC3DUP(host.group.toAscii().data())); + d->secrets["lasthost"] = host.name; + addFormInfo(QLatin1String("dialog-information"), i18n("Contacting host, please wait...")); + d->worker->start(); +@@ -301,9 +301,13 @@ + secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_COOKIE), QLatin1String(openconnect_get_cookie(d->vpninfo))); + openconnect_clear_cookie(d->vpninfo); + ++#if OPENCONNECT_CHECK_VER(5,0) ++ const char *fingerprint = openconnect_get_peer_cert_hash(d->vpninfo); ++#else + OPENCONNECT_X509 *cert = openconnect_get_peer_cert(d->vpninfo); + char fingerprint[41]; + openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint); ++#endif + secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint)); + secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t")); + secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no"); +@@ -578,14 +582,14 @@ + if (opt->type == OC_FORM_OPT_PASSWORD || opt->type == OC_FORM_OPT_TEXT) { + KLineEdit *le = qobject_cast<KLineEdit*>(widget); + QByteArray text = le->text().toUtf8(); +- opt->value = strdup(text.data()); ++ openconnect_set_option_value(opt, text.data()); + if (opt->type == OC_FORM_OPT_TEXT) { + d->secrets.insert(key,le->text()); + } + } else if (opt->type == OC_FORM_OPT_SELECT) { + KComboBox *cbo = qobject_cast<KComboBox*>(widget); + QByteArray text = cbo->itemData(cbo->currentIndex()).toString().toAscii(); +- opt->value = strdup(text.data()); ++ openconnect_set_option_value(opt, text.data()); + d->secrets.insert(key,cbo->itemData(cbo->currentIndex()).toString()); + } + } + +--- a/vpn/openconnect/openconnectauthworkerthread.cpp ++++ b/vpn/openconnect/openconnectauthworkerthread.cpp +@@ -43,6 +43,20 @@ + class OpenconnectAuthStaticWrapper + { + public: ++#if OPENCONNECT_CHECK_VER(5,0) ++ static int writeNewConfig(void *obj, const char *str, int num) ++ { ++ if (obj) ++ return static_cast<OpenconnectAuthWorkerThread*>(obj)->writeNewConfig(str, num); ++ return -1; ++ } ++ static int validatePeerCert(void *obj, const char *str) ++ { ++ if (obj) ++ return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(NULL, str); ++ return -1; ++ } ++#else + static int writeNewConfig(void *obj, char *str, int num) + { + if (obj) +@@ -55,7 +69,8 @@ + return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(cert, str); + return -1; + } +- static int processAuthForm(void *obj, struct oc_auth_form *form) ++#endif ++ static int processAuthForm(void *obj, struct oc_auth_form *form) + { + if (obj) + return static_cast<OpenconnectAuthWorkerThread*>(obj)->processAuthFormP(form); +@@ -108,7 +123,7 @@ + return m_openconnectInfo; + } + +-int OpenconnectAuthWorkerThread::writeNewConfig(char *buf, int buflen) ++int OpenconnectAuthWorkerThread::writeNewConfig(const char *buf, int buflen) + { + Q_UNUSED(buflen) + if (*m_userDecidedToQuit) +@@ -139,10 +154,16 @@ + } + #endif + +-int OpenconnectAuthWorkerThread::validatePeerCert(OPENCONNECT_X509 *cert, const char *reason) +-{ +- if (*m_userDecidedToQuit) +- return -EINVAL; ++int OpenconnectAuthWorkerThread::validatePeerCert(void *cert, const char *reason) ++{ ++ if (*m_userDecidedToQuit) ++ return -EINVAL; ++ ++#if OPENCONNECT_CHECK_VER(5,0) ++ (void)cert; ++ const char *fingerprint = openconnect_get_peer_cert_hash(m_openconnectInfo); ++ char *details = openconnect_get_peer_cert_details(m_openconnectInfo); ++#else + char fingerprint[41]; + int ret = 0; + +@@ -151,7 +172,7 @@ + return ret; + + char *details = openconnect_get_cert_details(m_openconnectInfo, cert); +- ++#endif + bool accepted = false; + m_mutex->lock(); + QString qFingerprint(fingerprint); +@@ -160,7 +181,7 @@ + emit validatePeerCert(qFingerprint, qCertinfo, qReason, &accepted); + m_waitForUserInput->wait(m_mutex); + m_mutex->unlock(); +- ::free(details); ++ openconnect_free_cert_info(m_openconnectInfo, details); + if (*m_userDecidedToQuit) + return -EINVAL; + + +--- a/vpn/openconnect/openconnectauthworkerthread.h ++++ b/vpn/openconnect/openconnectauthworkerthread.h +@@ -59,6 +59,17 @@ + #define OC_FORM_RESULT_NEWGROUP 2 + #endif + ++#if OPENCONNECT_CHECK_VER(4,0) ++#define OC3DUP(x) (x) ++#else ++#define openconnect_set_option_value(opt, val) do { \ ++ struct oc_form_opt *_o = (opt); \ ++ free(_o->value); _o->value = strdup(val); \ ++ } while (0) ++#define openconnect_free_cert_info(v, x) ::free(x) ++#define OC3DUP(x) strdup(x) ++#endif ++ + #include <QThread> + + class QMutex; +@@ -85,8 +96,8 @@ + void run(); + + private: +- int writeNewConfig(char *, int); +- int validatePeerCert(OPENCONNECT_X509 *, const char *); ++ int writeNewConfig(const char *, int); ++ int validatePeerCert(void *, const char *); + int processAuthFormP(struct oc_auth_form *); + void writeProgress(int level, const char *, va_list); + + +From: David Woodhouse <david.woodho...@intel.com> +Date: Wed, 03 Dec 2014 14:13:22 +0000 +Subject: Update OpenConnect storage of manually-accepted server certs +X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=bd557b7b8af86ff4b0350a235ff8232fe6c92c0c +--- +Update OpenConnect storage of manually-accepted server certs + +We shouldn't just be storing the certificate hash; we should remember +*which* host/port it was accepted for, and only accept it for *that* service. + +This matches the change in NetworkManager-openconnect 2dc45e25. +--- + + +--- a/vpn/openconnect/openconnectauth.cpp ++++ b/vpn/openconnect/openconnectauth.cpp +@@ -66,7 +66,6 @@ + Ui_OpenconnectAuth ui; + NetworkManager::VpnSetting::Ptr setting; + struct openconnect_info *vpninfo; +- QStringList certificateFingerprints; + NMStringMap secrets; + QMutex mutex; + QWaitCondition workerWaiting; +@@ -192,10 +191,6 @@ + Q_D(OpenconnectAuthWidget); + + d->secrets = d->setting->secrets(); +- +- if (!d->secrets[NM_OPENCONNECT_KEY_GWCERT].isEmpty()) { +- d->certificateFingerprints.append(d->secrets[NM_OPENCONNECT_KEY_GWCERT]); +- } + + if (!d->secrets["xmlconfig"].isEmpty()) { + const QByteArray config = QByteArray::fromBase64(d->secrets["xmlconfig"].toAscii()); +@@ -236,11 +231,6 @@ + d->ui.chkAutoconnect->setChecked(true); + QTimer::singleShot(0, this, SLOT(connectHost())); + } +- +- if (!d->secrets["certsigs"].isEmpty()) { +- d->certificateFingerprints.append(d->secrets["certsigs"].split('\t')); +- } +- d->certificateFingerprints.removeDuplicates(); + } + + void OpenconnectAuthWidget::acceptDialog() +@@ -309,7 +299,6 @@ + openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint); + #endif + secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint)); +- secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t")); + secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no"); + + NMStringMap::iterator i = secrets.begin(); +@@ -492,7 +481,16 @@ + { + Q_D(OpenconnectAuthWidget); + +- if (!d->certificateFingerprints.contains(fingerprint)) { ++ const QString host = QLatin1String(openconnect_get_hostname(d->vpninfo)); ++ const QString port = QString::number(openconnect_get_port(d->vpninfo)); ++ const QString key = QString("certificate:%1:%2").arg(host, port); ++ const QString value = d->secrets.value(key); ++ ++#if !OPENCONNECT_CHECK_VER(5,0) ++#define openconnect_check_peer_cert_hash(v,d) strcmp(d, fingerprint.toUtf8().data()) ++#endif ++ ++ if (openconnect_check_peer_cert_hash(d->vpninfo, value.toUtf8().data())) { + QWidget *widget = new QWidget(); + QVBoxLayout *verticalLayout; + QHBoxLayout *horizontalLayout; +@@ -537,7 +535,6 @@ + dialog.data()->setButtons(KDialog::Yes | KDialog::No); + dialog.data()->setMainWidget(widget); + if(dialog.data()->exec() == KDialog::Yes) { +- d->certificateFingerprints.append(fingerprint); + *accepted = true; + } else { + *accepted = false; +@@ -549,6 +546,8 @@ + } else { + *accepted = true; + } ++ if (*accepted) ++ d->secrets.insert(key, QString(fingerprint)); + d->mutex.lock(); + d->workerWaiting.wakeAll(); + d->mutex.unlock(); + Copied: kdeplasma-applets-plasma-nm/repos/staging-x86_64/PKGBUILD (from rev 253978, kdeplasma-applets-plasma-nm/trunk/PKGBUILD) =================================================================== --- staging-x86_64/PKGBUILD (rev 0) +++ staging-x86_64/PKGBUILD 2015-12-08 16:31:10 UTC (rev 253979) @@ -0,0 +1,35 @@ +# $Id$ +# Maintainer: Andrea Scarpino <and...@archlinux.org> +# Contributor: Antonio Rojas < aro...@archlinux.org > + +pkgname=kdeplasma-applets-plasma-nm +pkgver=0.9.3.6 +pkgrel=2 +pkgdesc="Plasma applet written in QML for managing network connections" +arch=('i686' 'x86_64') +url="https://projects.kde.org/projects/kde/workspace/plasma-nm" +license=('GPL') +depends=('kdebase-workspace' 'libnm-qt4') +makedepends=('cmake' 'automoc4' 'openconnect' 'mobile-broadband-provider-info') +optdepends=('mobile-broadband-provider-info: Database of mobile broadband service providers' + 'openconnect: Cisco AnyConnect VPN plugin') +conflicts=('kdeplasma-applets-networkmanagement') +source=("http://download.kde.org/stable/plasma-nm/plasma-nm-${pkgver}.tar.xz") +md5sums=('ab94be59919eca6bf89fc1930cf3dd39') + +prepare() { + mkdir build +} + +build() { + cd build + cmake ../plasma-nm-${pkgver} \ + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_BUILD_TYPE=Release + make +} + +package() { + cd build + make DESTDIR="${pkgdir}" install +} Copied: kdeplasma-applets-plasma-nm/repos/staging-x86_64/openconnect7.patch (from rev 253978, kdeplasma-applets-plasma-nm/trunk/openconnect7.patch) =================================================================== --- staging-x86_64/openconnect7.patch (rev 0) +++ staging-x86_64/openconnect7.patch 2015-12-08 16:31:10 UTC (rev 253979) @@ -0,0 +1,309 @@ +From: David Woodhouse <david.woodho...@intel.com> +Date: Wed, 03 Dec 2014 14:10:44 +0000 +Subject: Update OpenConnect support for library version 5 +X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=3e6585fa4dd2fb3d9b59c7704bd3d7ae5b2c4167 +--- +Update OpenConnect support for library version 5 + +String ownership rules are now very simple: the library never takes ownership +of a string it's passed. It always takes its *own* copy and is responsible +for freeing that. Mostly driven by Windows DLL Hell where it's painful to +allocate in one library and free in another because they might actually be +using different heaps. + +Also adapt to the changes in server certificate hash handling. We are no +longer supposed to just compare strings, and must call the relevant function +to check a hash against the server's certificate. This gives better matching +and allows libopenconnect to upgrade the hash in future when it becomes +necessary. +--- + + +--- a/vpn/openconnect/CMakeLists.txt ++++ b/vpn/openconnect/CMakeLists.txt +@@ -15,6 +15,8 @@ + + if (${OPENCONNECT_VERSION} VERSION_GREATER ${MINIMUM_OPENCONNECT_VERSION_REQUIRED} OR + ${OPENCONNECT_VERSION} VERSION_EQUAL ${MINIMUM_OPENCONNECT_VERSION_REQUIRED}) ++ ++ include_directories(${OPENCONNECT_INCLUDE_DIRS}) + + set(openconnect_SRCS + openconnectui.cpp + +--- a/vpn/openconnect/openconnectauth.cpp ++++ b/vpn/openconnect/openconnectauth.cpp +@@ -161,7 +161,7 @@ + } + if (!dataMap[NM_OPENCONNECT_KEY_CACERT].isEmpty()) { + const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_CACERT]); +- openconnect_set_cafile(d->vpninfo, strdup(crt.data())); ++ openconnect_set_cafile(d->vpninfo, OC3DUP(crt.data())); + } + if (dataMap[NM_OPENCONNECT_KEY_CSD_ENABLE] == "yes") { + char *wrapper; +@@ -174,12 +174,12 @@ + } + if (!dataMap[NM_OPENCONNECT_KEY_PROXY].isEmpty()) { + const QByteArray proxy = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PROXY]); +- openconnect_set_http_proxy(d->vpninfo, strdup(proxy.data())); ++ openconnect_set_http_proxy(d->vpninfo, OC3DUP(proxy.data())); + } + if (!dataMap[NM_OPENCONNECT_KEY_USERCERT].isEmpty()) { + const QByteArray crt = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_USERCERT]); + const QByteArray key = QFile::encodeName(dataMap[NM_OPENCONNECT_KEY_PRIVKEY]); +- openconnect_set_client_cert (d->vpninfo, strdup(crt.data()), strdup(key.data())); ++ openconnect_set_client_cert (d->vpninfo, OC3DUP(crt.data()), OC3DUP(key.data())); + + if (!crt.isEmpty() && dataMap[NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID] == "yes") { + openconnect_passphrase_from_fsid(d->vpninfo); +@@ -276,10 +276,10 @@ + const VPNHost &host = d->hosts.at(i); + if (openconnect_parse_url(d->vpninfo, host.address.toAscii().data())) { + kWarning() << "Failed to parse server URL" << host.address; +- openconnect_set_hostname(d->vpninfo, strdup(host.address.toAscii().data())); ++ openconnect_set_hostname(d->vpninfo, OC3DUP(host.address.toAscii().data())); + } + if (!openconnect_get_urlpath(d->vpninfo) && !host.group.isEmpty()) +- openconnect_set_urlpath(d->vpninfo, strdup(host.group.toAscii().data())); ++ openconnect_set_urlpath(d->vpninfo, OC3DUP(host.group.toAscii().data())); + d->secrets["lasthost"] = host.name; + addFormInfo(QLatin1String("dialog-information"), i18n("Contacting host, please wait...")); + d->worker->start(); +@@ -301,9 +301,13 @@ + secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_COOKIE), QLatin1String(openconnect_get_cookie(d->vpninfo))); + openconnect_clear_cookie(d->vpninfo); + ++#if OPENCONNECT_CHECK_VER(5,0) ++ const char *fingerprint = openconnect_get_peer_cert_hash(d->vpninfo); ++#else + OPENCONNECT_X509 *cert = openconnect_get_peer_cert(d->vpninfo); + char fingerprint[41]; + openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint); ++#endif + secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint)); + secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t")); + secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no"); +@@ -578,14 +582,14 @@ + if (opt->type == OC_FORM_OPT_PASSWORD || opt->type == OC_FORM_OPT_TEXT) { + KLineEdit *le = qobject_cast<KLineEdit*>(widget); + QByteArray text = le->text().toUtf8(); +- opt->value = strdup(text.data()); ++ openconnect_set_option_value(opt, text.data()); + if (opt->type == OC_FORM_OPT_TEXT) { + d->secrets.insert(key,le->text()); + } + } else if (opt->type == OC_FORM_OPT_SELECT) { + KComboBox *cbo = qobject_cast<KComboBox*>(widget); + QByteArray text = cbo->itemData(cbo->currentIndex()).toString().toAscii(); +- opt->value = strdup(text.data()); ++ openconnect_set_option_value(opt, text.data()); + d->secrets.insert(key,cbo->itemData(cbo->currentIndex()).toString()); + } + } + +--- a/vpn/openconnect/openconnectauthworkerthread.cpp ++++ b/vpn/openconnect/openconnectauthworkerthread.cpp +@@ -43,6 +43,20 @@ + class OpenconnectAuthStaticWrapper + { + public: ++#if OPENCONNECT_CHECK_VER(5,0) ++ static int writeNewConfig(void *obj, const char *str, int num) ++ { ++ if (obj) ++ return static_cast<OpenconnectAuthWorkerThread*>(obj)->writeNewConfig(str, num); ++ return -1; ++ } ++ static int validatePeerCert(void *obj, const char *str) ++ { ++ if (obj) ++ return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(NULL, str); ++ return -1; ++ } ++#else + static int writeNewConfig(void *obj, char *str, int num) + { + if (obj) +@@ -55,7 +69,8 @@ + return static_cast<OpenconnectAuthWorkerThread*>(obj)->validatePeerCert(cert, str); + return -1; + } +- static int processAuthForm(void *obj, struct oc_auth_form *form) ++#endif ++ static int processAuthForm(void *obj, struct oc_auth_form *form) + { + if (obj) + return static_cast<OpenconnectAuthWorkerThread*>(obj)->processAuthFormP(form); +@@ -108,7 +123,7 @@ + return m_openconnectInfo; + } + +-int OpenconnectAuthWorkerThread::writeNewConfig(char *buf, int buflen) ++int OpenconnectAuthWorkerThread::writeNewConfig(const char *buf, int buflen) + { + Q_UNUSED(buflen) + if (*m_userDecidedToQuit) +@@ -139,10 +154,16 @@ + } + #endif + +-int OpenconnectAuthWorkerThread::validatePeerCert(OPENCONNECT_X509 *cert, const char *reason) +-{ +- if (*m_userDecidedToQuit) +- return -EINVAL; ++int OpenconnectAuthWorkerThread::validatePeerCert(void *cert, const char *reason) ++{ ++ if (*m_userDecidedToQuit) ++ return -EINVAL; ++ ++#if OPENCONNECT_CHECK_VER(5,0) ++ (void)cert; ++ const char *fingerprint = openconnect_get_peer_cert_hash(m_openconnectInfo); ++ char *details = openconnect_get_peer_cert_details(m_openconnectInfo); ++#else + char fingerprint[41]; + int ret = 0; + +@@ -151,7 +172,7 @@ + return ret; + + char *details = openconnect_get_cert_details(m_openconnectInfo, cert); +- ++#endif + bool accepted = false; + m_mutex->lock(); + QString qFingerprint(fingerprint); +@@ -160,7 +181,7 @@ + emit validatePeerCert(qFingerprint, qCertinfo, qReason, &accepted); + m_waitForUserInput->wait(m_mutex); + m_mutex->unlock(); +- ::free(details); ++ openconnect_free_cert_info(m_openconnectInfo, details); + if (*m_userDecidedToQuit) + return -EINVAL; + + +--- a/vpn/openconnect/openconnectauthworkerthread.h ++++ b/vpn/openconnect/openconnectauthworkerthread.h +@@ -59,6 +59,17 @@ + #define OC_FORM_RESULT_NEWGROUP 2 + #endif + ++#if OPENCONNECT_CHECK_VER(4,0) ++#define OC3DUP(x) (x) ++#else ++#define openconnect_set_option_value(opt, val) do { \ ++ struct oc_form_opt *_o = (opt); \ ++ free(_o->value); _o->value = strdup(val); \ ++ } while (0) ++#define openconnect_free_cert_info(v, x) ::free(x) ++#define OC3DUP(x) strdup(x) ++#endif ++ + #include <QThread> + + class QMutex; +@@ -85,8 +96,8 @@ + void run(); + + private: +- int writeNewConfig(char *, int); +- int validatePeerCert(OPENCONNECT_X509 *, const char *); ++ int writeNewConfig(const char *, int); ++ int validatePeerCert(void *, const char *); + int processAuthFormP(struct oc_auth_form *); + void writeProgress(int level, const char *, va_list); + + +From: David Woodhouse <david.woodho...@intel.com> +Date: Wed, 03 Dec 2014 14:13:22 +0000 +Subject: Update OpenConnect storage of manually-accepted server certs +X-Git-Url: http://quickgit.kde.org/?p=plasma-nm.git&a=commitdiff&h=bd557b7b8af86ff4b0350a235ff8232fe6c92c0c +--- +Update OpenConnect storage of manually-accepted server certs + +We shouldn't just be storing the certificate hash; we should remember +*which* host/port it was accepted for, and only accept it for *that* service. + +This matches the change in NetworkManager-openconnect 2dc45e25. +--- + + +--- a/vpn/openconnect/openconnectauth.cpp ++++ b/vpn/openconnect/openconnectauth.cpp +@@ -66,7 +66,6 @@ + Ui_OpenconnectAuth ui; + NetworkManager::VpnSetting::Ptr setting; + struct openconnect_info *vpninfo; +- QStringList certificateFingerprints; + NMStringMap secrets; + QMutex mutex; + QWaitCondition workerWaiting; +@@ -192,10 +191,6 @@ + Q_D(OpenconnectAuthWidget); + + d->secrets = d->setting->secrets(); +- +- if (!d->secrets[NM_OPENCONNECT_KEY_GWCERT].isEmpty()) { +- d->certificateFingerprints.append(d->secrets[NM_OPENCONNECT_KEY_GWCERT]); +- } + + if (!d->secrets["xmlconfig"].isEmpty()) { + const QByteArray config = QByteArray::fromBase64(d->secrets["xmlconfig"].toAscii()); +@@ -236,11 +231,6 @@ + d->ui.chkAutoconnect->setChecked(true); + QTimer::singleShot(0, this, SLOT(connectHost())); + } +- +- if (!d->secrets["certsigs"].isEmpty()) { +- d->certificateFingerprints.append(d->secrets["certsigs"].split('\t')); +- } +- d->certificateFingerprints.removeDuplicates(); + } + + void OpenconnectAuthWidget::acceptDialog() +@@ -309,7 +299,6 @@ + openconnect_get_cert_sha1(d->vpninfo, cert, fingerprint); + #endif + secrets.insert(QLatin1String(NM_OPENCONNECT_KEY_GWCERT), QLatin1String(fingerprint)); +- secrets.insert(QLatin1String("certsigs"), d->certificateFingerprints.join("\t")); + secrets.insert(QLatin1String("autoconnect"), d->ui.chkAutoconnect->isChecked() ? "yes" : "no"); + + NMStringMap::iterator i = secrets.begin(); +@@ -492,7 +481,16 @@ + { + Q_D(OpenconnectAuthWidget); + +- if (!d->certificateFingerprints.contains(fingerprint)) { ++ const QString host = QLatin1String(openconnect_get_hostname(d->vpninfo)); ++ const QString port = QString::number(openconnect_get_port(d->vpninfo)); ++ const QString key = QString("certificate:%1:%2").arg(host, port); ++ const QString value = d->secrets.value(key); ++ ++#if !OPENCONNECT_CHECK_VER(5,0) ++#define openconnect_check_peer_cert_hash(v,d) strcmp(d, fingerprint.toUtf8().data()) ++#endif ++ ++ if (openconnect_check_peer_cert_hash(d->vpninfo, value.toUtf8().data())) { + QWidget *widget = new QWidget(); + QVBoxLayout *verticalLayout; + QHBoxLayout *horizontalLayout; +@@ -537,7 +535,6 @@ + dialog.data()->setButtons(KDialog::Yes | KDialog::No); + dialog.data()->setMainWidget(widget); + if(dialog.data()->exec() == KDialog::Yes) { +- d->certificateFingerprints.append(fingerprint); + *accepted = true; + } else { + *accepted = false; +@@ -549,6 +546,8 @@ + } else { + *accepted = true; + } ++ if (*accepted) ++ d->secrets.insert(key, QString(fingerprint)); + d->mutex.lock(); + d->workerWaiting.wakeAll(); + d->mutex.unlock(); +