Commit cda869c4 authored by Jan Grulich's avatar Jan Grulich

OpenVPN: Add support for --tls-crypt

BUG:386907
parent 911d84dc
......@@ -64,6 +64,7 @@
#define NM_OPENVPN_KEY_DEV_TYPE "dev-type"
#define NM_OPENVPN_KEY_TUN_IPV6 "tun-ipv6"
#define NM_OPENVPN_KEY_TLS_CIPHER "tls-cipher"
#define NM_OPENVPN_KEY_TLS_CRYPT "tls-crypt"
#define NM_OPENVPN_KEY_TLS_REMOTE "tls-remote"
#define NM_OPENVPN_KEY_VERIFY_X509_NAME "verify-x509-name"
#define NM_OPENVPN_KEY_REMOTE_CERT_TLS "remote-cert-tls"
......
......@@ -6,8 +6,8 @@
<rect>
<x>0</x>
<y>0</y>
<width>554</width>
<height>611</height>
<width>626</width>
<height>624</height>
</rect>
</property>
<layout class="QGridLayout" name="gridLayout">
......@@ -841,16 +841,42 @@ key usage based on RFC3280 TLS rules.</string>
<string>Add an additional layer of HMAC authentication.</string>
</property>
<property name="title">
<string>Use additional TLS authentication</string>
<string/>
</property>
<property name="checkable">
<bool>true</bool>
<bool>false</bool>
</property>
<property name="checked">
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout_2">
<item row="0" column="0">
<widget class="QLabel" name="label">
<property name="text">
<string>Mode:</string>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QComboBox" name="cboTLSMode">
<item>
<property name="text">
<string>None</string>
</property>
</item>
<item>
<property name="text">
<string>TLS-Auth</string>
</property>
</item>
<item>
<property name="text">
<string>TLS-Crypt</string>
</property>
</item>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="textLabel4_3">
<property name="toolTip">
<string>Add an additional layer of HMAC authentication on top of the TLS control channel
......@@ -867,15 +893,18 @@ to protect against DoS attacks.</string>
</property>
</widget>
</item>
<item row="0" column="1">
<item row="1" column="1">
<widget class="KUrlRequester" name="kurlTlsAuthKey">
<property name="enabled">
<bool>false</bool>
</property>
<property name="toolTip">
<string>Add an additional layer of HMAC authentication on top of the TLS control channel
to protect against DoS attacks.</string>
</property>
</widget>
</item>
<item row="1" column="0">
<item row="2" column="0">
<widget class="QLabel" name="textLabel1">
<property name="toolTip">
<string>Direction parameter for static key mode.</string>
......@@ -891,8 +920,11 @@ to protect against DoS attacks.</string>
</property>
</widget>
</item>
<item row="1" column="1">
<item row="2" column="1">
<widget class="QComboBox" name="cboDirection">
<property name="enabled">
<bool>false</bool>
</property>
<property name="toolTip">
<string>Direction parameter for static key mode.</string>
</property>
......@@ -913,7 +945,7 @@ to protect against DoS attacks.</string>
</item>
</widget>
</item>
<item row="2" column="1">
<item row="3" column="1">
<spacer name="verticalSpacer">
<property name="orientation">
<enum>Qt::Vertical</enum>
......
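Review bot: The tooltips on `textLabel4_3` and `kurlTlsAuthKey` describe the key file as adding "an additional layer of HMAC authentication", but the field is now shared with the TLS-Crypt mode, where the same key file also encrypts the control channel, so the text is accurate for only one of the two selectable modes. The new `cboTLSMode` combobox carries no tooltip at all, which is where the distinction belongs; a string such as `TLS-Auth authenticates control-channel packets with an HMAC key; TLS-Crypt additionally encrypts them with the same key file.` would tell the user what they are choosing. The group box title went from "Use additional TLS authentication" to an empty `<string/>`, which reads as an accidental blank rather than a decision; if the box is no longer checkable, a title such as `TLS control channel protection` would keep the section labelled.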
......@@ -74,6 +74,18 @@ OpenVpnAdvancedWidget::OpenVpnAdvancedWidget(const NetworkManager::VpnSetting::P
connect(m_ui->cbCertCheck, static_cast<void (QComboBox::*)(int)>(&QComboBox::currentIndexChanged), this, &OpenVpnAdvancedWidget::certCheckTypeChanged);
connect(m_ui->cmbProxyType, static_cast<void (QComboBox::*)(int)>(&QComboBox::currentIndexChanged), this, &OpenVpnAdvancedWidget::proxyTypeChanged);
connect(m_ui->cboTLSMode, static_cast<void (QComboBox::*)(int)>(&QComboBox::currentIndexChanged), this, [this] (int index) {
if (index == 0) {
m_ui->kurlTlsAuthKey->setDisabled(true);
m_ui->cboDirection->setDisabled(true);
} else if (index == 1) { // TLS-Auth
m_ui->kurlTlsAuthKey->setEnabled(true);
m_ui->cboDirection->setEnabled(true);
} else { // TLS-Crypt
m_ui->kurlTlsAuthKey->setEnabled(true);
m_ui->cboDirection->setDisabled(true);
}
});
// start openVPN process and get its cipher list
const QString openVpnBinary = QStandardPaths::findExecutable("openvpn", QStringList() << "/sbin" << "/usr/sbin");
......@@ -396,11 +408,19 @@ void OpenVpnAdvancedWidget::loadConfig()
m_ui->cmbNsCertType->setCurrentIndex(remoteCertTls == QLatin1String(NM_OPENVPN_NS_CERT_TYPE_SERVER) ? 0 : 1);
}
m_ui->useExtraTlsAuth->setChecked(!dataMap[QLatin1String(NM_OPENVPN_KEY_TA)].isEmpty());
m_ui->kurlTlsAuthKey->setUrl(QUrl::fromLocalFile(dataMap[QLatin1String(NM_OPENVPN_KEY_TA)]));
if (dataMap.contains(QLatin1String(NM_OPENVPN_KEY_TA_DIR))) {
const uint tlsAuthDirection = dataMap[QLatin1String(NM_OPENVPN_KEY_TA_DIR)].toUInt();
m_ui->cboDirection->setCurrentIndex(tlsAuthDirection + 1);
const QString openvpnKeyTa = dataMap[QLatin1String(NM_OPENVPN_KEY_TA)];
const QString openvpnKeyTlsCrypt = dataMap[QLatin1String(NM_OPENVPN_KEY_TLS_CRYPT)];
if (!openvpnKeyTlsCrypt.isEmpty()) {
m_ui->cboTLSMode->setCurrentIndex(2); // TLS-Crypt
m_ui->kurlTlsAuthKey->setUrl(QUrl::fromLocalFile(openvpnKeyTlsCrypt));
} else if (!openvpnKeyTa.isEmpty()) {
m_ui->cboTLSMode->setCurrentIndex(1); // TLS-Auth
m_ui->kurlTlsAuthKey->setUrl(QUrl::fromLocalFile(openvpnKeyTa));
if (dataMap.contains(QLatin1String(NM_OPENVPN_KEY_TA_DIR))) {
const uint tlsAuthDirection = dataMap[QLatin1String(NM_OPENVPN_KEY_TA_DIR)].toUInt();
m_ui->cboDirection->setCurrentIndex(tlsAuthDirection + 1);
}
}
// Proxies
......@@ -581,7 +601,7 @@ NetworkManager::VpnSetting::Ptr OpenVpnAdvancedWidget::setting() const
}
}
if (m_ui->useExtraTlsAuth->isChecked()) {
if (m_ui->cboTLSMode->currentIndex() == 1) { // TLS-Auth
QUrl tlsAuthKeyUrl = m_ui->kurlTlsAuthKey->url();
if (!tlsAuthKeyUrl.isEmpty()) {
data.insert(QLatin1String(NM_OPENVPN_KEY_TA), tlsAuthKeyUrl.path());
......@@ -589,6 +609,11 @@ NetworkManager::VpnSetting::Ptr OpenVpnAdvancedWidget::setting() const
if (m_ui->cboDirection->currentIndex() > 0) {
data.insert(QLatin1String(NM_OPENVPN_KEY_TA_DIR), QString::number(m_ui->cboDirection->currentIndex() - 1));
}
} else if (m_ui->cboTLSMode->currentIndex() == 2) { // TLS-Crypt
QUrl tlsCryptKeyUrl = m_ui->kurlTlsAuthKey->url();
if (!tlsCryptKeyUrl.isEmpty()) {
data.insert(QLatin1String(NM_OPENVPN_KEY_TLS_CRYPT), tlsCryptKeyUrl.path());
}
}
// Proxies
......
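Review bot: The TLS mode is compared as bare literals `0`/`1`/`2` at three sites — the lambda in the constructor hunk, `setCurrentIndex(2)`/`setCurrentIndex(1)` in loadConfig, and `currentIndex() == 1`/`== 2` in setting() — and each site re-explains the meaning in a trailing comment, so agreement with the item order of `cboTLSMode` in the .ui file rests on convention alone. A named enum in the class, e.g. `enum TlsMode { NoTlsMode = 0, TlsAuthMode = 1, TlsCryptMode = 2 };`, used at all three sites would make a reordering of the combobox items a single-point change and let the comments go. In loadConfig a profile that carries both `ta` and `tls-crypt` is loaded as TLS-Crypt and its `ta`/`ta-dir` values are then dropped on the next save; this looks intended, since OpenVPN treats the two options as mutually exclusive, but a one-line comment above the `if (!openvpnKeyTlsCrypt.isEmpty())` stating that precedence would spare the next reader the inference. Neither the constructor, loadConfig nor setting() begins or ends inside these hunks.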