Compatibility with both secret and non-secret PSK

joanbm · dkosovic · commit de7cf07c9d24 · 2021-10-05T22:04:58.000+10:00
Issue: #78 This restores compatibility with legacy L2TP VPNs with the PSK stored as a non-secret and also migrates the PSK to a secret when editing the connection
diff --git a/auth-dialog/main.c b/auth-dialog/main.c
@@ -378,6 +378,8 @@ get_existing_passwords (GHashTable *vpn_data,
 			*out_psk = g_strdup (g_hash_table_lookup (existing_secrets, NM_L2TP_KEY_IPSEC_PSK));
 			if (!*out_psk)
 				*out_psk = keyring_lookup_secret (vpn_uuid, NM_L2TP_KEY_IPSEC_PSK);
+			if (!*out_psk) /* For legacy purposes, the PSK can also be specified as a non-secret */
+				*out_psk = g_strdup (g_hash_table_lookup (vpn_data, NM_L2TP_KEY_IPSEC_PSK));
 		}
 	}
 
diff --git a/properties/ipsec-dialog.c b/properties/ipsec-dialog.c
@@ -11,6 +11,7 @@
 #include "nm-l2tp-editor.h"
 
 #include "nm-utils/nm-shared-utils.h"
+#include "nm-utils/nm-secret-utils.h"
 #include "shared/nm-l2tp-crypto-openssl.h"
 #include "shared/utils.h"
 
@@ -69,7 +70,7 @@ ipsec_dialog_new_hash_from_connection (NMConnection *connection,
 	nm_setting_vpn_foreach_data_item (s_vpn, hash_copy_value, hash);
 
 	/* IPSEC PSK is special */
-	secret = nm_setting_vpn_get_secret (s_vpn, NM_L2TP_KEY_IPSEC_PSK);
+	secret = nm_setting_vpn_get_secret_or_legacy_data_item (s_vpn, NM_L2TP_KEY_IPSEC_PSK);
 	if (secret) {
 		g_hash_table_insert (hash,
 		                     g_strdup (NM_L2TP_KEY_IPSEC_PSK),
diff --git a/properties/nm-l2tp-editor.c b/properties/nm-l2tp-editor.c
@@ -739,10 +739,15 @@ copy_hash_pair (gpointer key, gpointer data, gpointer user_data)
 	g_return_if_fail (value && value[0]);
 
 	/* IPsec PSK and certificate password is a secret, not a data item */
-	if (!strcmp (key, NM_L2TP_KEY_IPSEC_PSK) || !strcmp (key, NM_L2TP_KEY_MACHINE_CERTPASS))
+	if (!strcmp (key, NM_L2TP_KEY_IPSEC_PSK)) {
+		/* Migrate legacy non-secret PSK data items to VPN secret */
+		nm_setting_vpn_remove_data_item (s_vpn, (const char *) key);
 		nm_setting_vpn_add_secret (s_vpn, (const char *) key, value);
-	else
+	} else if (!strcmp (key, NM_L2TP_KEY_MACHINE_CERTPASS)) {
+		nm_setting_vpn_add_secret (s_vpn, (const char *) key, value);
+	} else {
 		nm_setting_vpn_add_data_item (s_vpn, (const char *) key, value);
+	}
 }
 
 static char *
diff --git a/shared/nm-utils/nm-secret-utils.h b/shared/nm-utils/nm-secret-utils.h
@@ -133,4 +133,14 @@ GBytes *nm_secret_buf_to_gbytes_take (NMSecretBuf *secret, gssize actual_len);
 
 /*****************************************************************************/
 
+static inline const char *nm_setting_vpn_get_secret_or_legacy_data_item
+	(NMSettingVpn *setting, const char *key) {
+	const char *value = nm_setting_vpn_get_secret (setting, key);
+	if (!value)
+		value = nm_setting_vpn_get_data_item (setting, key);
+	return value;
+}
+
+/*****************************************************************************/
+
 #endif /* __NM_SECRET_UTILS_H__ */
diff --git a/src/nm-l2tp-service.c b/src/nm-l2tp-service.c
@@ -39,6 +39,7 @@
 #include "nm-ppp-status.h"
 #include "nm-l2tp-pppd-service-dbus.h"
 #include "nm-utils/nm-shared-utils.h"
+#include "nm-utils/nm-secret-utils.h"
 #include "nm-utils/nm-vpn-plugin-macros.h"
 #include "shared/utils.h"
 #include "nm-l2tp-crypto-nss.h"
@@ -183,6 +184,8 @@ static const ValidProperty valid_properties[] = {
 	{ NM_L2TP_KEY_IPSEC_ENABLE,             G_TYPE_BOOLEAN, FALSE },
 	{ NM_L2TP_KEY_IPSEC_REMOTE_ID,          G_TYPE_STRING, FALSE },
 	{ NM_L2TP_KEY_IPSEC_GATEWAY_ID,         G_TYPE_STRING, FALSE },
+	/* For legacy purposes, the PSK can also be specified as a non-secret */
+	{ NM_L2TP_KEY_IPSEC_PSK,                G_TYPE_STRING, FALSE },
 	{ NM_L2TP_KEY_IPSEC_IKE,                G_TYPE_STRING, FALSE },
 	{ NM_L2TP_KEY_IPSEC_ESP,                G_TYPE_STRING, FALSE },
 	{ NM_L2TP_KEY_IPSEC_IKELIFETIME,        G_TYPE_UINT, FALSE },
@@ -747,7 +750,7 @@ nm_l2tp_config_write (NML2tpPlugin *plugin,
 					}
 				}
 
-				value = nm_setting_vpn_get_secret (s_vpn, NM_L2TP_KEY_IPSEC_PSK);
+				value = nm_setting_vpn_get_secret_or_legacy_data_item (s_vpn, NM_L2TP_KEY_IPSEC_PSK);
 				if (!value) value="";
 
 				if (g_str_has_prefix (value, "0s")) {
@@ -1966,7 +1969,7 @@ real_need_secrets (NMVpnServicePlugin *plugin,
 			need_secrets = TRUE;
 
 		/* Don't need the PSK if we already have one */
-		if (need_secrets && nm_setting_vpn_get_secret (NM_SETTING_VPN (s_vpn), NM_L2TP_KEY_IPSEC_PSK)) {
+		if (need_secrets && nm_setting_vpn_get_secret_or_legacy_data_item (NM_SETTING_VPN (s_vpn), NM_L2TP_KEY_IPSEC_PSK)) {
 				need_secrets = FALSE;
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -378,6 +378,8 @@ get_existing_passwords (GHashTable *vpn_data,`
`378`	`378`	`*out_psk = g_strdup (g_hash_table_lookup (existing_secrets, NM_L2TP_KEY_IPSEC_PSK));`
`379`	`379`	`if (!*out_psk)`
`380`	`380`	`*out_psk = keyring_lookup_secret (vpn_uuid, NM_L2TP_KEY_IPSEC_PSK);`
	`381`	`+ if (!out_psk) / For legacy purposes, the PSK can also be specified as a non-secret */`
	`382`	`+ *out_psk = g_strdup (g_hash_table_lookup (vpn_data, NM_L2TP_KEY_IPSEC_PSK));`
`381`	`383`	`}`
`382`	`384`	`}`
`383`	`385`