2 * Copyright (C) 2008-2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 #include <nm-setting-vpn.h>
17 #include <nm-setting-connection.h>
18 #include "nm_service.h"
21 #include <utils/host.h>
22 #include <utils/identification.h>
23 #include <config/peer_cfg.h>
24 #include <credentials/certificates/x509.h>
28 G_DEFINE_TYPE(NMStrongswanPlugin
, nm_strongswan_plugin
, NM_TYPE_VPN_PLUGIN
)
31 * Private data of NMStrongswanPlugin
34 /* implements bus listener interface */
36 /* IKE_SA we are listening on */
38 /* backref to public plugin */
40 /* credentials to use for authentication */
42 /* attribute handler for DNS/NBNS server information */
43 nm_handler_t
*handler
;
44 /* name of the connection */
46 } NMStrongswanPluginPrivate
;
48 #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
49 (G_TYPE_INSTANCE_GET_PRIVATE ((o), \
50 NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
53 * convert enumerated handler chunks to a UINT_ARRAY GValue
55 static GValue
* handler_to_val(nm_handler_t
*handler
,
56 configuration_attribute_type_t type
)
60 enumerator_t
*enumerator
;
63 enumerator
= handler
->create_enumerator(handler
, type
);
64 array
= g_array_new (FALSE
, TRUE
, sizeof (guint32
));
65 while (enumerator
->enumerate(enumerator
, &chunk
))
67 g_array_append_val (array
, *(u_int32_t
*)chunk
.ptr
);
69 enumerator
->destroy(enumerator
);
70 val
= g_slice_new0 (GValue
);
71 g_value_init (val
, DBUS_TYPE_G_UINT_ARRAY
);
72 g_value_set_boxed (val
, array
);
78 * signal IPv4 config to NM, set connection as established
80 static void signal_ipv4_config(NMVPNPlugin
*plugin
,
81 ike_sa_t
*ike_sa
, child_sa_t
*child_sa
)
86 nm_handler_t
*handler
;
88 config
= g_hash_table_new(g_str_hash
, g_str_equal
);
89 me
= ike_sa
->get_my_host(ike_sa
);
90 handler
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
)->handler
;
92 /* NM requires a tundev, but netkey does not use one. Passing the physical
93 * interface does not work, as NM fiddles around with it. Passing the
94 * loopback seems to work, though... */
95 val
= g_slice_new0 (GValue
);
96 g_value_init (val
, G_TYPE_STRING
);
97 g_value_set_string (val
, "lo");
98 g_hash_table_insert (config
, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV
, val
);
100 val
= g_slice_new0(GValue
);
101 g_value_init(val
, G_TYPE_UINT
);
102 g_value_set_uint(val
, *(u_int32_t
*)me
->get_address(me
).ptr
);
103 g_hash_table_insert(config
, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS
, val
);
105 val
= g_slice_new0(GValue
);
106 g_value_init(val
, G_TYPE_UINT
);
107 g_value_set_uint(val
, me
->get_address(me
).len
* 8);
108 g_hash_table_insert(config
, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX
, val
);
110 val
= handler_to_val(handler
, INTERNAL_IP4_DNS
);
111 g_hash_table_insert(config
, NM_VPN_PLUGIN_IP4_CONFIG_DNS
, val
);
113 val
= handler_to_val(handler
, INTERNAL_IP4_NBNS
);
114 g_hash_table_insert(config
, NM_VPN_PLUGIN_IP4_CONFIG_NBNS
, val
);
116 handler
->reset(handler
);
118 nm_vpn_plugin_set_ip4_config(plugin
, config
);
122 * signal failure to NM, connecting failed
124 static void signal_failure(NMVPNPlugin
*plugin
, NMVPNPluginFailure failure
)
126 nm_handler_t
*handler
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
)->handler
;
128 handler
->reset(handler
);
130 /* TODO: NM does not handle this failure!? */
131 nm_vpn_plugin_failure(plugin
, failure
);
132 nm_vpn_plugin_set_state(plugin
, NM_VPN_SERVICE_STATE_STOPPED
);
136 * Implementation of listener_t.ike_state_change
138 static bool ike_state_change(listener_t
*listener
, ike_sa_t
*ike_sa
,
139 ike_sa_state_t state
)
141 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
143 if (private->ike_sa
== ike_sa
&& state
== IKE_DESTROYING
)
145 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED
);
152 * Implementation of listener_t.child_state_change
154 static bool child_state_change(listener_t
*listener
, ike_sa_t
*ike_sa
,
155 child_sa_t
*child_sa
, child_sa_state_t state
)
157 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
159 if (private->ike_sa
== ike_sa
&& state
== CHILD_DESTROYING
)
161 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED
);
168 * Implementation of listener_t.child_updown
170 static bool child_updown(listener_t
*listener
, ike_sa_t
*ike_sa
,
171 child_sa_t
*child_sa
, bool up
)
173 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
175 if (private->ike_sa
== ike_sa
)
178 { /* disable initiate-failure-detection hooks */
179 private->listener
.ike_state_change
= NULL
;
180 private->listener
.child_state_change
= NULL
;
181 signal_ipv4_config(private->plugin
, ike_sa
, child_sa
);
185 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED
);
193 * Implementation of listener_t.ike_rekey
195 static bool ike_rekey(listener_t
*listener
, ike_sa_t
*old
, ike_sa_t
*new)
197 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
199 if (private->ike_sa
== old
)
200 { /* follow a rekeyed IKE_SA */
201 private->ike_sa
= new;
207 * Find a certificate for which we have a private key on a smartcard
209 static identification_t
*find_smartcard_key(NMStrongswanPluginPrivate
*priv
,
212 enumerator_t
*enumerator
, *sans
;
213 identification_t
*id
= NULL
;
219 enumerator
= lib
->credmgr
->create_cert_enumerator(lib
->credmgr
,
220 CERT_X509
, KEY_ANY
, NULL
, FALSE
);
221 while (enumerator
->enumerate(enumerator
, &cert
))
223 x509
= (x509_t
*)cert
;
225 /* there might be a lot of certificates, filter them by usage */
226 if ((x509
->get_flags(x509
) & X509_CLIENT_AUTH
) &&
227 !(x509
->get_flags(x509
) & X509_CA
))
229 keyid
= x509
->get_subjectKeyIdentifier(x509
);
232 /* try to find a private key by the certificate keyid */
233 priv
->creds
->set_pin(priv
->creds
, keyid
, pin
);
234 key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
235 KEY_ANY
, BUILD_PKCS11_KEYID
, keyid
, BUILD_END
);
238 /* prefer a more convenient subjectAltName */
239 sans
= x509
->create_subjectAltName_enumerator(x509
);
240 if (!sans
->enumerate(sans
, &id
))
242 id
= cert
->get_subject(cert
);
247 DBG1(DBG_CFG
, "using smartcard certificate '%Y'", id
);
248 priv
->creds
->set_cert_and_key(priv
->creds
,
249 cert
->get_ref(cert
), key
);
255 enumerator
->destroy(enumerator
);
260 * Connect function called from NM via DBUS
262 static gboolean
connect_(NMVPNPlugin
*plugin
, NMConnection
*connection
,
265 NMStrongswanPluginPrivate
*priv
;
266 NMSettingConnection
*conn
;
268 identification_t
*user
= NULL
, *gateway
= NULL
;
269 const char *address
, *str
;
270 bool virtual, encap
, ipcomp
;
272 peer_cfg_t
*peer_cfg
;
273 child_cfg_t
*child_cfg
;
274 traffic_selector_t
*ts
;
277 auth_class_t auth_class
= AUTH_CLASS_EAP
;
278 certificate_t
*cert
= NULL
;
280 bool agent
= FALSE
, smartcard
= FALSE
;
281 lifetime_cfg_t lifetime
= {
283 .life
= 10800 /* 3h */,
284 .rekey
= 10200 /* 2h50min */,
285 .jitter
= 300 /* 5min */
292 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
293 conn
= NM_SETTING_CONNECTION(nm_connection_get_setting(connection
,
294 NM_TYPE_SETTING_CONNECTION
));
295 vpn
= NM_SETTING_VPN(nm_connection_get_setting(connection
,
296 NM_TYPE_SETTING_VPN
));
301 priv
->name
= strdup(nm_setting_connection_get_id(conn
));
302 DBG1(DBG_CFG
, "received initiate for NetworkManager connection %s",
305 nm_setting_to_string(NM_SETTING(vpn
)));
306 address
= nm_setting_vpn_get_data_item(vpn
, "address");
307 if (!address
|| !*address
)
309 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
310 "Gateway address missing.");
313 str
= nm_setting_vpn_get_data_item(vpn
, "virtual");
314 virtual = str
&& streq(str
, "yes");
315 str
= nm_setting_vpn_get_data_item(vpn
, "encap");
316 encap
= str
&& streq(str
, "yes");
317 str
= nm_setting_vpn_get_data_item(vpn
, "ipcomp");
318 ipcomp
= str
&& streq(str
, "yes");
319 str
= nm_setting_vpn_get_data_item(vpn
, "method");
322 if (streq(str
, "psk"))
324 auth_class
= AUTH_CLASS_PSK
;
326 else if (streq(str
, "agent"))
328 auth_class
= AUTH_CLASS_PUBKEY
;
331 else if (streq(str
, "key"))
333 auth_class
= AUTH_CLASS_PUBKEY
;
335 else if (streq(str
, "smartcard"))
337 auth_class
= AUTH_CLASS_PUBKEY
;
343 * Register credentials
345 priv
->creds
->clear(priv
->creds
);
347 /* gateway/CA cert */
348 str
= nm_setting_vpn_get_data_item(vpn
, "certificate");
351 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
352 BUILD_FROM_FILE
, str
, BUILD_END
);
355 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
356 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
357 "Loading gateway certificate failed.");
360 priv
->creds
->add_certificate(priv
->creds
, cert
);
362 x509
= (x509_t
*)cert
;
363 if (!(x509
->get_flags(x509
) & X509_CA
))
364 { /* For a gateway certificate, we use the cert subject as identity. */
365 gateway
= cert
->get_subject(cert
);
366 gateway
= gateway
->clone(gateway
);
367 DBG1(DBG_CFG
, "using gateway certificate, identity '%Y'", gateway
);
372 /* no certificate defined, fall back to system-wide CA certificates */
373 priv
->creds
->load_ca_dir(priv
->creds
, NM_CA_DIR
);
377 /* If the user configured a CA certificate, we use the IP/DNS
378 * of the gateway as its identity. This identity will be used for
379 * certificate lookup and requires the configured IP/DNS to be
380 * included in the gateway certificate. */
381 gateway
= identification_create_from_string((char*)address
);
382 DBG1(DBG_CFG
, "using CA certificate, gateway identity '%Y'", gateway
);
385 if (auth_class
== AUTH_CLASS_EAP
)
387 /* username/password authentication ... */
388 str
= nm_setting_vpn_get_data_item(vpn
, "user");
391 user
= identification_create_from_string((char*)str
);
392 str
= nm_setting_vpn_get_secret(vpn
, "password");
393 priv
->creds
->set_username_password(priv
->creds
, user
, (char*)str
);
397 if (auth_class
== AUTH_CLASS_PUBKEY
)
403 pin
= (char*)nm_setting_vpn_get_secret(vpn
, "password");
406 user
= find_smartcard_key(priv
, pin
);
410 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
411 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
412 "no usable smartcard certificate found.");
413 gateway
->destroy(gateway
);
417 /* ... or certificate/private key authenitcation */
418 else if ((str
= nm_setting_vpn_get_data_item(vpn
, "usercert")))
420 public_key_t
*public;
421 private_key_t
*private = NULL
;
423 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
424 BUILD_FROM_FILE
, str
, BUILD_END
);
427 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
428 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
429 "Loading peer certificate failed.");
430 gateway
->destroy(gateway
);
434 str
= nm_setting_vpn_get_secret(vpn
, "agent");
437 public = cert
->get_public_key(cert
);
440 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
441 public->get_type(public),
442 BUILD_AGENT_SOCKET
, str
,
443 BUILD_PUBLIC_KEY
, public,
445 public->destroy(public);
449 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
450 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
451 "Connecting to SSH agent failed.");
454 /* ... or key file */
455 str
= nm_setting_vpn_get_data_item(vpn
, "userkey");
460 secret
= (char*)nm_setting_vpn_get_secret(vpn
, "password");
463 priv
->creds
->set_key_password(priv
->creds
, secret
);
465 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
466 KEY_RSA
, BUILD_FROM_FILE
, str
, BUILD_END
);
469 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
470 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
471 "Loading private key failed.");
476 user
= cert
->get_subject(cert
);
477 user
= user
->clone(user
);
478 priv
->creds
->set_cert_and_key(priv
->creds
, cert
, private);
483 gateway
->destroy(gateway
);
491 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
492 "Configuration parameters missing.");
493 gateway
->destroy(gateway
);
498 * Set up configurations
500 ike_cfg
= ike_cfg_create(TRUE
, encap
, "0.0.0.0", FALSE
,
501 charon
->socket
->get_port(charon
->socket
, FALSE
),
502 (char*)address
, FALSE
, IKEV2_UDP_PORT
);
503 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default(PROTO_IKE
));
504 peer_cfg
= peer_cfg_create(priv
->name
, IKEV2
, ike_cfg
,
505 CERT_SEND_IF_ASKED
, UNIQUE_REPLACE
, 1, /* keyingtries */
506 36000, 0, /* rekey 10h, reauth none */
507 600, 600, /* jitter, over 10min */
508 TRUE
, FALSE
, /* mobike, aggressive */
509 0, 0, /* DPD delay, timeout */
510 FALSE
, NULL
, NULL
); /* mediation */
513 peer_cfg
->add_virtual_ip(peer_cfg
, host_create_from_string("0.0.0.0", 0));
515 auth
= auth_cfg_create();
516 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, auth_class
);
517 auth
->add(auth
, AUTH_RULE_IDENTITY
, user
);
518 peer_cfg
->add_auth_cfg(peer_cfg
, auth
, TRUE
);
519 auth
= auth_cfg_create();
520 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PUBKEY
);
521 auth
->add(auth
, AUTH_RULE_IDENTITY
, gateway
);
522 peer_cfg
->add_auth_cfg(peer_cfg
, auth
, FALSE
);
524 child_cfg
= child_cfg_create(priv
->name
, &lifetime
,
525 NULL
, TRUE
, MODE_TUNNEL
, /* updown, hostaccess */
526 ACTION_NONE
, ACTION_NONE
, ACTION_NONE
, ipcomp
,
527 0, 0, NULL
, NULL
, 0);
528 child_cfg
->add_proposal(child_cfg
, proposal_create_default(PROTO_ESP
));
529 ts
= traffic_selector_create_dynamic(0, 0, 65535);
530 child_cfg
->add_traffic_selector(child_cfg
, TRUE
, ts
);
531 ts
= traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE
,
533 "255.255.255.255", 65535);
534 child_cfg
->add_traffic_selector(child_cfg
, FALSE
, ts
);
535 peer_cfg
->add_child_cfg(peer_cfg
, child_cfg
);
540 ike_sa
= charon
->ike_sa_manager
->checkout_by_config(charon
->ike_sa_manager
,
544 peer_cfg
->destroy(peer_cfg
);
545 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
546 "IKE version not supported.");
549 if (!ike_sa
->get_peer_cfg(ike_sa
))
551 ike_sa
->set_peer_cfg(ike_sa
, peer_cfg
);
553 peer_cfg
->destroy(peer_cfg
);
556 * Register listener, enable initiate-failure-detection hooks
558 priv
->ike_sa
= ike_sa
;
559 priv
->listener
.ike_state_change
= ike_state_change
;
560 priv
->listener
.child_state_change
= child_state_change
;
561 charon
->bus
->add_listener(charon
->bus
, &priv
->listener
);
566 child_cfg
->get_ref(child_cfg
);
567 if (ike_sa
->initiate(ike_sa
, child_cfg
, 0, NULL
, NULL
) != SUCCESS
)
569 charon
->bus
->remove_listener(charon
->bus
, &priv
->listener
);
570 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, ike_sa
);
572 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
573 "Initiating failed.");
576 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, ike_sa
);
581 * NeedSecrets called from NM via DBUS
583 static gboolean
need_secrets(NMVPNPlugin
*plugin
, NMConnection
*connection
,
584 char **setting_name
, GError
**error
)
586 NMSettingVPN
*settings
;
587 const char *method
, *path
;
589 settings
= NM_SETTING_VPN(nm_connection_get_setting(connection
,
590 NM_TYPE_SETTING_VPN
));
591 method
= nm_setting_vpn_get_data_item(settings
, "method");
594 if (streq(method
, "eap"))
596 if (nm_setting_vpn_get_secret(settings
, "password"))
601 else if (streq(method
, "agent"))
603 if (nm_setting_vpn_get_secret(settings
, "agent"))
608 else if (streq(method
, "key"))
610 path
= nm_setting_vpn_get_data_item(settings
, "userkey");
615 /* try to load/decrypt the private key */
616 key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
617 KEY_RSA
, BUILD_FROM_FILE
, path
, BUILD_END
);
625 else if streq(method
, "smartcard")
627 if (nm_setting_vpn_get_secret(settings
, "password"))
633 *setting_name
= NM_SETTING_VPN_SETTING_NAME
;
638 * Disconnect called from NM via DBUS
640 static gboolean
disconnect(NMVPNPlugin
*plugin
, GError
**err
)
642 NMStrongswanPluginPrivate
*priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
643 enumerator_t
*enumerator
;
647 /* our ike_sa pointer might be invalid, lookup sa */
648 enumerator
= charon
->controller
->create_ike_sa_enumerator(
649 charon
->controller
, TRUE
);
650 while (enumerator
->enumerate(enumerator
, &ike_sa
))
652 if (priv
->ike_sa
== ike_sa
)
654 id
= ike_sa
->get_unique_id(ike_sa
);
655 enumerator
->destroy(enumerator
);
656 charon
->controller
->terminate_ike(charon
->controller
, id
,
657 controller_cb_empty
, NULL
, 0);
661 enumerator
->destroy(enumerator
);
663 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_GENERAL
,
664 "Connection not found.");
671 static void nm_strongswan_plugin_init(NMStrongswanPlugin
*plugin
)
673 NMStrongswanPluginPrivate
*priv
;
675 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
676 priv
->plugin
= NM_VPN_PLUGIN(plugin
);
677 memset(&priv
->listener
, 0, sizeof(listener_t
));
678 priv
->listener
.child_updown
= child_updown
;
679 priv
->listener
.ike_rekey
= ike_rekey
;
685 static void nm_strongswan_plugin_class_init(
686 NMStrongswanPluginClass
*strongswan_class
)
688 NMVPNPluginClass
*parent_class
= NM_VPN_PLUGIN_CLASS(strongswan_class
);
690 g_type_class_add_private(G_OBJECT_CLASS(strongswan_class
),
691 sizeof(NMStrongswanPluginPrivate
));
692 parent_class
->connect
= connect_
;
693 parent_class
->need_secrets
= need_secrets
;
694 parent_class
->disconnect
= disconnect
;
700 NMStrongswanPlugin
*nm_strongswan_plugin_new(nm_creds_t
*creds
,
701 nm_handler_t
*handler
)
703 NMStrongswanPlugin
*plugin
= (NMStrongswanPlugin
*)g_object_new (
704 NM_TYPE_STRONGSWAN_PLUGIN
,
705 NM_VPN_PLUGIN_DBUS_SERVICE_NAME
, NM_DBUS_SERVICE_STRONGSWAN
,
709 NMStrongswanPluginPrivate
*priv
;
711 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
713 priv
->handler
= handler
;