From: Tobias Brunner
Date: Tue, 17 Dec 2019 15:26:34 +0000 (+0100)
Subject: charon-nm: Add support for a specific remote identity
X-Git-Tag: 5.8.3dr1~14^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=19e64e101d3f4580f43d6e30ae9bc8c1381d4752;p=thirdparty%2Fstrongswan.git
charon-nm: Add support for a specific remote identity
---
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 5e539b3fe9..fcf79faa0f 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -492,14 +492,6 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 return FALSE;
 }
 priv->creds->add_certificate(priv->creds, cert);
-
- x509 = (x509_t*)cert;
- if (!(x509->get_flags(x509) & X509_CA))
- { /* For a gateway certificate, we use the cert subject as identity. */
- gateway = cert->get_subject(cert);
- gateway = gateway->clone(gateway);
- DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
- }
 }
 else
 {
@@ -507,16 +499,29 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
 priv->creds->load_ca_dir(priv->creds, lib->settings->get_str(
 lib->settings, "charon-nm.ca_dir", NM_CA_DIR));
 }
- if (!gateway)
+
+ str = nm_setting_vpn_get_data_item(vpn, "remote-identity");
+ if (str)
+ {
+ gateway = identification_create_from_string((char*)str);
+ }
+ else if (cert)
+ {
+ x509 = (x509_t*)cert;
+ if (!(x509->get_flags(x509) & X509_CA))
+ { /* for server certificates, we use the subject as identity */
+ gateway = cert->get_subject(cert);
+ gateway = gateway->clone(gateway);
+ }
+ }
+ if (!gateway || gateway->get_type(gateway) == ID_ANY)
 {
- /* If the user configured a CA certificate, we use the IP/DNS
- * of the gateway as its identity. This identity will be used for
- * certificate lookup and requires the configured IP/DNS to be
- * included in the gateway certificate. */
+ /* if the user configured a CA certificate (or an invalid identity),
+ * we use the IP/hostname of the server */
 gateway = identification_create_from_string(ike.remote);
- DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
 loose_gateway_id = TRUE;
 }
+ DBG1(DBG_CFG, "using gateway identity '%Y'", gateway);
 if (auth_class == AUTH_CLASS_EAP || auth_class == AUTH_CLASS_PSK)
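Review bot: The fallback block leaks the identification created just above it: when `remote-identity` parses to ID_ANY (or a non-CA certificate's cloned subject happens to be ID_ANY), `gateway` is non-NULL on entry to `if (!gateway || gateway->get_type(gateway) == ID_ANY)`, and `gateway = identification_create_from_string(ike.remote);` overwrites it without freeing it; add `DESTROY_IF(gateway);` (or the equivalent `gateway->destroy(gateway)` guarded by a NULL check) on the line before the reassignment. The new comment "(or an invalid identity)" also overstates the fallback: only an identity whose type is ID_ANY takes this path, and as far as I can tell identification_create_from_string() turns an unparseable string into some other identity type rather than ID_ANY, so a typo in remote-identity is enforced as a strict, never-matching identity rather than silently downgraded to the loose IP/hostname match — that is the safer failure mode, but the comment should say "(or %any)" so nobody relies on a looser fallback. Since the loose match is the security-relevant distinction that the old log line used to make visible, consider having the merged log line say which mode is in effect, e.g. `DBG1(DBG_CFG, "using gateway identity '%Y'%s", gateway, loose_gateway_id ? " (loose)" : "");`. connect_() starts and ends outside this hunk, so where `gateway` is initialised and later consumed is not visible here.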