openvpn: fix secret flags for challenge-response

NetworkManager-openvpn added a new secret property "challenge-response". It's for 2FA authentication so it mustn't be persisted to disk, thus it uses the NOT_SAVED flags. However, this flag is only set on connection creation or modification. Some users were already using this 2FA method that was working partially. This users does not expect having to reimport or edit the connection, and now they can't connect because without the NOT_SAVED flag the first response is saved to the connection, and the next activation fails because that value is not valid anymore. Hacky fix: add the flags when reading the connection from nm-keyfile. We already had the same fix for openconnect.
2024-07-05 17:19:00 +00:00 · 2024-05-27 15:33:16 +02:00 · 2024-05-27 15:33:16 +02:00 · f63ce6055e
commit f63ce6055e
parent b8061dd4f6
1 changed files with 31 additions and 0 deletions
--- a/src/libnm-core-impl/nm-keyfile.c
+++ b/src/libnm-core-impl/nm-keyfile.c
@ -548,6 +548,36 @@ openconnect_fix_secret_flags(NMSetting *setting)
    nm_setting_set_secret_flags(NM_SETTING(s_vpn), NM_OPENCONNECT_KEY_CERTSIGS, flags, NULL);
 }

+#define NM_DBUS_SERVICE_OPENVPN           "org.freedesktop.NetworkManager.openvpn"
+#define NM_OPENVPN_KEY_CHALLENGE_RESPONSE "challenge-response"
+
+static void
+openvpn_fix_secret_flags(NMSetting *setting)
+{
+    NMSettingVpn *s_vpn;
+
+    /* Huge hack.  2FA dynamic challenge was working already, but with some
+     * caveats like being stored in the connection profile overriding the
+     * password. It was fixed by adding a "challenge-response" secret, but
+     * "challenge-response-flags" is only added when the profile is
+     * created or modified. As this is a change that should work out of the box
+     * for already existing profiles, fix it here.
+     */
+
+    if (!NM_IS_SETTING_VPN(setting))
+        return;
+
+    s_vpn = NM_SETTING_VPN(setting);
+
+    if (!nm_streq0(nm_setting_vpn_get_service_type(s_vpn), NM_DBUS_SERVICE_OPENVPN))
+        return;
+
+    nm_setting_set_secret_flags(NM_SETTING(s_vpn),
+                                NM_OPENVPN_KEY_CHALLENGE_RESPONSE,
+                                NM_SETTING_SECRET_FLAG_NOT_SAVED,
+                                NULL);
+}
+
 /*****************************************************************************/

 #define IP_ADDRESS_CHARS "0123456789abcdefABCDEF:.%"
@ -1341,6 +1371,7 @@ read_hash_of_string(KeyfileReaderInfo *info,
            }
        }
        openconnect_fix_secret_flags(setting);
+        openvpn_fix_secret_flags(setting);
        return;
    }