2 * Copyright (C) 2017 Lubomir Rintel
4 * Copyright (C) 2013-2019 Tobias Brunner
5 * Copyright (C) 2008-2009 Martin Willi
6 * HSR Hochschule fuer Technik Rapperswil
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 #include "nm_service.h"
22 #include <networking/host.h>
23 #include <utils/identification.h>
24 #include <config/peer_cfg.h>
25 #include <credentials/certificates/x509.h>
30 * Private data of NMStrongswanPlugin
33 /* implements bus listener interface */
35 /* IKE_SA we are listening on */
37 /* backref to public plugin */
38 NMVpnServicePlugin
*plugin
;
39 /* credentials to use for authentication */
41 /* attribute handler for DNS/NBNS server information */
42 nm_handler_t
*handler
;
43 /* name of the connection */
45 } NMStrongswanPluginPrivate
;
47 G_DEFINE_TYPE_WITH_PRIVATE(NMStrongswanPlugin
, nm_strongswan_plugin
, NM_TYPE_VPN_SERVICE_PLUGIN
)
49 #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
50 ((NMStrongswanPluginPrivate*) \
51 nm_strongswan_plugin_get_instance_private (o))
54 * Convert an address chunk to a GValue
56 static GVariant
*addr_to_variant(chunk_t addr
)
58 GVariantBuilder builder
;
64 return g_variant_new_uint32 (*(uint32_t*)addr
.ptr
);
66 g_variant_builder_init (&builder
, G_VARIANT_TYPE ("ay"));
67 for (i
= 0; i
< addr
.len
; i
++)
69 g_variant_builder_add (&builder
, "y", addr
.ptr
[i
]);
72 return g_variant_builder_end (&builder
);
79 * Convert a host to a GValue
81 static GVariant
*host_to_variant(host_t
*host
)
83 return addr_to_variant(host
->get_address(host
));
87 * Convert enumerated handler chunks to a GValue
89 static GVariant
* handler_to_variant(nm_handler_t
*handler
, char *variant_type
,
90 configuration_attribute_type_t type
)
92 GVariantBuilder builder
;
93 enumerator_t
*enumerator
;
96 g_variant_builder_init (&builder
, G_VARIANT_TYPE (variant_type
));
98 enumerator
= handler
->create_enumerator(handler
, type
);
99 while (enumerator
->enumerate(enumerator
, &chunk
))
101 g_variant_builder_add_value (&builder
, addr_to_variant(*chunk
));
103 enumerator
->destroy(enumerator
);
105 return g_variant_builder_end (&builder
);
109 * Signal IP config to NM, set connection as established
111 static void signal_ip_config(NMVpnServicePlugin
*plugin
,
112 ike_sa_t
*ike_sa
, child_sa_t
*child_sa
)
114 NMStrongswanPlugin
*pub
= (NMStrongswanPlugin
*)plugin
;
115 NMStrongswanPluginPrivate
*priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub
);
116 GVariantBuilder builder
, ip4builder
, ip6builder
;
117 GVariant
*ip4config
, *ip6config
;
118 enumerator_t
*enumerator
;
119 host_t
*me
, *other
, *vip4
= NULL
, *vip6
= NULL
;
120 nm_handler_t
*handler
;
122 g_variant_builder_init (&builder
, G_VARIANT_TYPE_VARDICT
);
123 g_variant_builder_init (&ip4builder
, G_VARIANT_TYPE_VARDICT
);
124 g_variant_builder_init (&ip6builder
, G_VARIANT_TYPE_VARDICT
);
126 handler
= priv
->handler
;
128 /* NM apparently requires to know the gateway */
129 other
= ike_sa
->get_other_host(ike_sa
);
130 g_variant_builder_add (&builder
, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY
,
131 host_to_variant(other
));
133 /* pass the first virtual IPs we got or use the physical IP */
134 enumerator
= ike_sa
->create_virtual_ip_enumerator(ike_sa
, TRUE
);
135 while (enumerator
->enumerate(enumerator
, &me
))
137 switch (me
->get_family(me
))
153 enumerator
->destroy(enumerator
);
156 me
= ike_sa
->get_my_host(ike_sa
);
157 switch (me
->get_family(me
))
170 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS
,
171 host_to_variant(vip4
));
172 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX
,
173 g_variant_new_uint32 (vip4
->get_address(vip4
).len
* 8));
175 /* prevent NM from changing the default route. we set our own route in our
178 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT
,
179 g_variant_new_boolean (TRUE
));
181 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS
,
182 handler_to_variant(handler
, "au", INTERNAL_IP4_DNS
));
184 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS
,
185 handler_to_variant(handler
, "au", INTERNAL_IP4_NBNS
));
190 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS
,
191 host_to_variant(vip6
));
192 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_PREFIX
,
193 g_variant_new_uint32 (vip6
->get_address(vip6
).len
* 8));
194 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT
,
195 g_variant_new_boolean (TRUE
));
196 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_DNS
,
197 handler_to_variant(handler
, "aay", INTERNAL_IP6_DNS
));
198 /* NM_VPN_PLUGIN_IP6_CONFIG_NBNS is not defined */
201 ip4config
= g_variant_builder_end (&ip4builder
);
202 if (g_variant_n_children (ip4config
))
204 g_variant_builder_add (&builder
, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP4
,
205 g_variant_new_boolean (TRUE
));
209 g_variant_unref (ip4config
);
213 ip6config
= g_variant_builder_end (&ip6builder
);
214 if (g_variant_n_children (ip6config
))
216 g_variant_builder_add (&builder
, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP6
,
217 g_variant_new_boolean (TRUE
));
221 g_variant_unref (ip6config
);
225 handler
->reset(handler
);
227 nm_vpn_service_plugin_set_config (plugin
, g_variant_builder_end (&builder
));
230 nm_vpn_service_plugin_set_ip4_config (plugin
, ip4config
);
234 nm_vpn_service_plugin_set_ip6_config (plugin
, ip6config
);
239 * signal failure to NM, connecting failed
241 static void signal_failure(NMVpnServicePlugin
*plugin
, NMVpnPluginFailure failure
)
243 NMStrongswanPlugin
*pub
= (NMStrongswanPlugin
*)plugin
;
244 nm_handler_t
*handler
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub
)->handler
;
246 handler
->reset(handler
);
248 nm_vpn_service_plugin_failure(plugin
, failure
);
252 * Implementation of listener_t.ike_state_change
254 static bool ike_state_change(listener_t
*listener
, ike_sa_t
*ike_sa
,
255 ike_sa_state_t state
)
257 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
259 if (private->ike_sa
== ike_sa
&& state
== IKE_DESTROYING
)
261 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED
);
268 * Implementation of listener_t.child_state_change
270 static bool child_state_change(listener_t
*listener
, ike_sa_t
*ike_sa
,
271 child_sa_t
*child_sa
, child_sa_state_t state
)
273 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
275 if (private->ike_sa
== ike_sa
&& state
== CHILD_DESTROYING
)
277 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED
);
284 * Implementation of listener_t.child_updown
286 static bool child_updown(listener_t
*listener
, ike_sa_t
*ike_sa
,
287 child_sa_t
*child_sa
, bool up
)
289 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
291 if (private->ike_sa
== ike_sa
)
294 { /* disable initiate-failure-detection hooks */
295 private->listener
.ike_state_change
= NULL
;
296 private->listener
.child_state_change
= NULL
;
297 signal_ip_config(private->plugin
, ike_sa
, child_sa
);
301 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED
);
309 * Implementation of listener_t.ike_rekey
311 static bool ike_rekey(listener_t
*listener
, ike_sa_t
*old
, ike_sa_t
*new)
313 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
315 if (private->ike_sa
== old
)
316 { /* follow a rekeyed IKE_SA */
317 private->ike_sa
= new;
323 * Find a certificate for which we have a private key on a smartcard
325 static identification_t
*find_smartcard_key(NMStrongswanPluginPrivate
*priv
,
328 enumerator_t
*enumerator
, *sans
;
329 identification_t
*id
= NULL
;
335 enumerator
= lib
->credmgr
->create_cert_enumerator(lib
->credmgr
,
336 CERT_X509
, KEY_ANY
, NULL
, FALSE
);
337 while (enumerator
->enumerate(enumerator
, &cert
))
339 x509
= (x509_t
*)cert
;
341 /* there might be a lot of certificates, filter them by usage */
342 if ((x509
->get_flags(x509
) & X509_CLIENT_AUTH
) &&
343 !(x509
->get_flags(x509
) & X509_CA
))
345 keyid
= x509
->get_subjectKeyIdentifier(x509
);
348 /* try to find a private key by the certificate keyid */
349 priv
->creds
->set_pin(priv
->creds
, keyid
, pin
);
350 key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
351 KEY_ANY
, BUILD_PKCS11_KEYID
, keyid
, BUILD_END
);
354 /* prefer a more convenient subjectAltName */
355 sans
= x509
->create_subjectAltName_enumerator(x509
);
356 if (!sans
->enumerate(sans
, &id
))
358 id
= cert
->get_subject(cert
);
363 DBG1(DBG_CFG
, "using smartcard certificate '%Y'", id
);
364 priv
->creds
->set_cert_and_key(priv
->creds
,
365 cert
->get_ref(cert
), key
);
371 enumerator
->destroy(enumerator
);
376 * Connect function called from NM via DBUS
378 static gboolean
connect_(NMVpnServicePlugin
*plugin
, NMConnection
*connection
,
381 NMStrongswanPlugin
*pub
= (NMStrongswanPlugin
*)plugin
;
382 NMStrongswanPluginPrivate
*priv
;
383 NMSettingConnection
*conn
;
385 enumerator_t
*enumerator
;
386 identification_t
*user
= NULL
, *gateway
= NULL
;
388 bool virtual, proposal
;
391 peer_cfg_t
*peer_cfg
;
392 child_cfg_t
*child_cfg
;
393 traffic_selector_t
*ts
;
396 auth_class_t auth_class
= AUTH_CLASS_EAP
;
397 certificate_t
*cert
= NULL
;
399 bool agent
= FALSE
, smartcard
= FALSE
, loose_gateway_id
= FALSE
;
400 ike_cfg_create_t ike
= {
403 .local_port
= charon
->socket
->get_port(charon
->socket
, FALSE
),
404 .remote_port
= IKEV2_UDP_PORT
,
405 .fragmentation
= FRAGMENTATION_YES
,
407 peer_cfg_create_t peer
= {
408 .cert_policy
= CERT_SEND_IF_ASKED
,
409 .unique
= UNIQUE_REPLACE
,
411 .rekey_time
= 36000, /* 10h */
412 .jitter_time
= 600, /* 10min */
413 .over_time
= 600, /* 10min */
415 child_cfg_create_t child
= {
418 .life
= 10800 /* 3h */,
419 .rekey
= 10200 /* 2h50min */,
420 .jitter
= 300 /* 5min */
429 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub
);
430 conn
= NM_SETTING_CONNECTION(nm_connection_get_setting(connection
,
431 NM_TYPE_SETTING_CONNECTION
));
432 vpn
= NM_SETTING_VPN(nm_connection_get_setting(connection
,
433 NM_TYPE_SETTING_VPN
));
438 priv
->name
= strdup(nm_setting_connection_get_id(conn
));
439 DBG1(DBG_CFG
, "received initiate for NetworkManager connection %s",
442 nm_setting_to_string(NM_SETTING(vpn
)));
443 ike
.remote
= (char*)nm_setting_vpn_get_data_item(vpn
, "address");
444 if (!ike
.remote
|| !*ike
.remote
)
446 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
447 "Gateway address missing.");
450 str
= nm_setting_vpn_get_data_item(vpn
, "virtual");
451 virtual = streq(str
, "yes");
452 str
= nm_setting_vpn_get_data_item(vpn
, "encap");
453 ike
.force_encap
= streq(str
, "yes");
454 str
= nm_setting_vpn_get_data_item(vpn
, "ipcomp");
455 child
.options
|= streq(str
, "yes") ? OPT_IPCOMP
: 0;
456 str
= nm_setting_vpn_get_data_item(vpn
, "method");
457 if (streq(str
, "psk"))
459 auth_class
= AUTH_CLASS_PSK
;
461 else if (streq(str
, "agent"))
463 auth_class
= AUTH_CLASS_PUBKEY
;
466 else if (streq(str
, "key"))
468 auth_class
= AUTH_CLASS_PUBKEY
;
470 else if (streq(str
, "smartcard"))
472 auth_class
= AUTH_CLASS_PUBKEY
;
477 * Register credentials
479 priv
->creds
->clear(priv
->creds
);
481 /* gateway/CA cert */
482 str
= nm_setting_vpn_get_data_item(vpn
, "certificate");
485 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
486 BUILD_FROM_FILE
, str
, BUILD_END
);
489 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
490 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
491 "Loading gateway certificate failed.");
494 priv
->creds
->add_certificate(priv
->creds
, cert
);
496 x509
= (x509_t
*)cert
;
497 if (!(x509
->get_flags(x509
) & X509_CA
))
498 { /* For a gateway certificate, we use the cert subject as identity. */
499 gateway
= cert
->get_subject(cert
);
500 gateway
= gateway
->clone(gateway
);
501 DBG1(DBG_CFG
, "using gateway certificate, identity '%Y'", gateway
);
506 /* no certificate defined, fall back to system-wide CA certificates */
507 priv
->creds
->load_ca_dir(priv
->creds
, lib
->settings
->get_str(
508 lib
->settings
, "charon-nm.ca_dir", NM_CA_DIR
));
512 /* If the user configured a CA certificate, we use the IP/DNS
513 * of the gateway as its identity. This identity will be used for
514 * certificate lookup and requires the configured IP/DNS to be
515 * included in the gateway certificate. */
516 gateway
= identification_create_from_string(ike
.remote
);
517 DBG1(DBG_CFG
, "using CA certificate, gateway identity '%Y'", gateway
);
518 loose_gateway_id
= TRUE
;
521 if (auth_class
== AUTH_CLASS_EAP
||
522 auth_class
== AUTH_CLASS_PSK
)
524 /* username/password or PSK authentication ... */
525 str
= nm_setting_vpn_get_data_item(vpn
, "user");
528 user
= identification_create_from_string((char*)str
);
529 str
= nm_setting_vpn_get_secret(vpn
, "password");
530 if (auth_class
== AUTH_CLASS_PSK
&&
533 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
534 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
535 "pre-shared key is too short.");
536 gateway
->destroy(gateway
);
540 priv
->creds
->set_username_password(priv
->creds
, user
, (char*)str
);
544 if (auth_class
== AUTH_CLASS_PUBKEY
)
550 pin
= (char*)nm_setting_vpn_get_secret(vpn
, "password");
553 user
= find_smartcard_key(priv
, pin
);
557 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
558 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
559 "no usable smartcard certificate found.");
560 gateway
->destroy(gateway
);
564 /* ... or certificate/private key authenitcation */
565 else if ((str
= nm_setting_vpn_get_data_item(vpn
, "usercert")))
567 public_key_t
*public;
568 private_key_t
*private = NULL
;
570 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
571 BUILD_FROM_FILE
, str
, BUILD_END
);
574 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
575 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
576 "Loading peer certificate failed.");
577 gateway
->destroy(gateway
);
581 str
= nm_setting_vpn_get_secret(vpn
, "agent");
584 public = cert
->get_public_key(cert
);
587 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
588 public->get_type(public),
589 BUILD_AGENT_SOCKET
, str
,
590 BUILD_PUBLIC_KEY
, public,
592 public->destroy(public);
596 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
597 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
598 "Connecting to SSH agent failed.");
601 /* ... or key file */
602 str
= nm_setting_vpn_get_data_item(vpn
, "userkey");
607 secret
= (char*)nm_setting_vpn_get_secret(vpn
, "password");
610 priv
->creds
->set_key_password(priv
->creds
, secret
);
612 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
613 KEY_ANY
, BUILD_FROM_FILE
, str
, BUILD_END
);
616 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
617 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
618 "Loading private key failed.");
623 user
= cert
->get_subject(cert
);
624 user
= user
->clone(user
);
625 priv
->creds
->set_cert_and_key(priv
->creds
, cert
, private);
630 gateway
->destroy(gateway
);
638 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
639 "Configuration parameters missing.");
640 gateway
->destroy(gateway
);
645 * Set up configurations
647 ike_cfg
= ike_cfg_create(&ike
);
649 str
= nm_setting_vpn_get_data_item(vpn
, "proposal");
650 proposal
= streq(str
, "yes");
651 str
= nm_setting_vpn_get_data_item(vpn
, "ike");
652 if (proposal
&& str
&& strlen(str
))
654 enumerator
= enumerator_create_token(str
, ";", "");
655 while (enumerator
->enumerate(enumerator
, &str
))
657 prop
= proposal_create_from_string(PROTO_IKE
, str
);
660 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
661 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
662 "Invalid IKE proposal.");
663 enumerator
->destroy(enumerator
);
664 ike_cfg
->destroy(ike_cfg
);
665 gateway
->destroy(gateway
);
669 ike_cfg
->add_proposal(ike_cfg
, prop
);
671 enumerator
->destroy(enumerator
);
675 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default(PROTO_IKE
));
676 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default_aead(PROTO_IKE
));
679 peer_cfg
= peer_cfg_create(priv
->name
, ike_cfg
, &peer
);
682 peer_cfg
->add_virtual_ip(peer_cfg
, host_create_any(AF_INET
));
683 peer_cfg
->add_virtual_ip(peer_cfg
, host_create_any(AF_INET6
));
685 auth
= auth_cfg_create();
686 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, auth_class
);
687 auth
->add(auth
, AUTH_RULE_IDENTITY
, user
);
688 peer_cfg
->add_auth_cfg(peer_cfg
, auth
, TRUE
);
689 auth
= auth_cfg_create();
690 if (auth_class
== AUTH_CLASS_PSK
)
692 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PSK
);
696 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PUBKEY
);
698 auth
->add(auth
, AUTH_RULE_IDENTITY
, gateway
);
699 auth
->add(auth
, AUTH_RULE_IDENTITY_LOOSE
, loose_gateway_id
);
700 peer_cfg
->add_auth_cfg(peer_cfg
, auth
, FALSE
);
702 child_cfg
= child_cfg_create(priv
->name
, &child
);
703 str
= nm_setting_vpn_get_data_item(vpn
, "esp");
704 if (proposal
&& str
&& strlen(str
))
706 enumerator
= enumerator_create_token(str
, ";", "");
707 while (enumerator
->enumerate(enumerator
, &str
))
709 prop
= proposal_create_from_string(PROTO_ESP
, str
);
712 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
713 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
714 "Invalid ESP proposal.");
715 enumerator
->destroy(enumerator
);
716 child_cfg
->destroy(child_cfg
);
717 peer_cfg
->destroy(peer_cfg
);
720 child_cfg
->add_proposal(child_cfg
, prop
);
722 enumerator
->destroy(enumerator
);
726 child_cfg
->add_proposal(child_cfg
, proposal_create_default(PROTO_ESP
));
727 child_cfg
->add_proposal(child_cfg
, proposal_create_default_aead(PROTO_ESP
));
729 ts
= traffic_selector_create_dynamic(0, 0, 65535);
730 child_cfg
->add_traffic_selector(child_cfg
, TRUE
, ts
);
731 ts
= traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
732 child_cfg
->add_traffic_selector(child_cfg
, FALSE
, ts
);
733 ts
= traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
734 child_cfg
->add_traffic_selector(child_cfg
, FALSE
, ts
);
735 peer_cfg
->add_child_cfg(peer_cfg
, child_cfg
);
740 ike_sa
= charon
->ike_sa_manager
->checkout_by_config(charon
->ike_sa_manager
,
744 peer_cfg
->destroy(peer_cfg
);
745 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
746 "IKE version not supported.");
749 if (!ike_sa
->get_peer_cfg(ike_sa
))
751 ike_sa
->set_peer_cfg(ike_sa
, peer_cfg
);
753 peer_cfg
->destroy(peer_cfg
);
756 * Register listener, enable initiate-failure-detection hooks
758 priv
->ike_sa
= ike_sa
;
759 priv
->listener
.ike_state_change
= ike_state_change
;
760 priv
->listener
.child_state_change
= child_state_change
;
761 charon
->bus
->add_listener(charon
->bus
, &priv
->listener
);
766 child_cfg
->get_ref(child_cfg
);
767 if (ike_sa
->initiate(ike_sa
, child_cfg
, 0, NULL
, NULL
) != SUCCESS
)
769 charon
->bus
->remove_listener(charon
->bus
, &priv
->listener
);
770 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, ike_sa
);
772 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
773 "Initiating failed.");
776 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, ike_sa
);
781 * NeedSecrets called from NM via DBUS
783 static gboolean
need_secrets(NMVpnServicePlugin
*plugin
, NMConnection
*connection
,
784 const char **setting_name
, GError
**error
)
786 NMSettingVpn
*settings
;
787 const char *method
, *path
;
789 settings
= NM_SETTING_VPN(nm_connection_get_setting(connection
,
790 NM_TYPE_SETTING_VPN
));
791 method
= nm_setting_vpn_get_data_item(settings
, "method");
794 if (streq(method
, "eap") || streq(method
, "psk"))
796 if (nm_setting_vpn_get_secret(settings
, "password"))
801 else if (streq(method
, "agent"))
803 if (nm_setting_vpn_get_secret(settings
, "agent"))
808 else if (streq(method
, "key"))
810 path
= nm_setting_vpn_get_data_item(settings
, "userkey");
815 /* try to load/decrypt the private key */
816 key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
817 KEY_ANY
, BUILD_FROM_FILE
, path
, BUILD_END
);
823 else if (nm_setting_vpn_get_secret(settings
, "password"))
829 else if (streq(method
, "smartcard"))
831 if (nm_setting_vpn_get_secret(settings
, "password"))
837 *setting_name
= NM_SETTING_VPN_SETTING_NAME
;
842 * The actual disconnection
844 static gboolean
do_disconnect(gpointer plugin
)
846 NMStrongswanPluginPrivate
*priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
847 enumerator_t
*enumerator
;
851 /* our ike_sa pointer might be invalid, lookup sa */
852 enumerator
= charon
->controller
->create_ike_sa_enumerator(
853 charon
->controller
, TRUE
);
854 while (enumerator
->enumerate(enumerator
, &ike_sa
))
856 if (priv
->ike_sa
== ike_sa
)
858 id
= ike_sa
->get_unique_id(ike_sa
);
859 enumerator
->destroy(enumerator
);
860 charon
->controller
->terminate_ike(charon
->controller
, id
, FALSE
,
861 controller_cb_empty
, NULL
, 0);
865 enumerator
->destroy(enumerator
);
867 g_debug("Connection not found.");
872 * Disconnect called from NM via DBUS
874 static gboolean
disconnect(NMVpnServicePlugin
*plugin
, GError
**err
)
876 /* enqueue the actual disconnection, because we may be called in
877 * response to a listener_t callback and the SA enumeration would
878 * possibly deadlock. */
879 g_idle_add(do_disconnect
, plugin
);
887 static void nm_strongswan_plugin_init(NMStrongswanPlugin
*plugin
)
889 NMStrongswanPluginPrivate
*priv
;
891 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
892 priv
->plugin
= NM_VPN_SERVICE_PLUGIN(plugin
);
893 memset(&priv
->listener
, 0, sizeof(listener_t
));
894 priv
->listener
.child_updown
= child_updown
;
895 priv
->listener
.ike_rekey
= ike_rekey
;
902 static void nm_strongswan_plugin_class_init(
903 NMStrongswanPluginClass
*strongswan_class
)
905 NMVpnServicePluginClass
*parent_class
= NM_VPN_SERVICE_PLUGIN_CLASS(strongswan_class
);
907 parent_class
->connect
= connect_
;
908 parent_class
->need_secrets
= need_secrets
;
909 parent_class
->disconnect
= disconnect
;
915 NMStrongswanPlugin
*nm_strongswan_plugin_new(nm_creds_t
*creds
,
916 nm_handler_t
*handler
)
918 GError
*error
= NULL
;
920 NMStrongswanPlugin
*plugin
= (NMStrongswanPlugin
*)g_initable_new (
921 NM_TYPE_STRONGSWAN_PLUGIN
,
924 NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME
, NM_DBUS_SERVICE_STRONGSWAN
,
929 NMStrongswanPluginPrivate
*priv
;
931 /* the rest of the initialization happened in _init above */
932 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
934 priv
->handler
= handler
;
938 g_warning ("Failed to initialize a plugin instance: %s", error
->message
);
939 g_error_free (error
);
projects / thirdparty / strongswan.git / blob