2 * Copyright (C) 2017 Lubomir Rintel
4 * Copyright (C) 2013-2019 Tobias Brunner
5 * Copyright (C) 2008-2009 Martin Willi
6 * HSR Hochschule fuer Technik Rapperswil
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 #include "nm_service.h"
22 #include <networking/host.h>
23 #include <utils/identification.h>
24 #include <config/peer_cfg.h>
25 #include <credentials/certificates/x509.h>
29 G_DEFINE_TYPE(NMStrongswanPlugin
, nm_strongswan_plugin
, NM_TYPE_VPN_SERVICE_PLUGIN
)
32 * Private data of NMStrongswanPlugin
35 /* implements bus listener interface */
37 /* IKE_SA we are listening on */
39 /* backref to public plugin */
40 NMVpnServicePlugin
*plugin
;
41 /* credentials to use for authentication */
43 /* attribute handler for DNS/NBNS server information */
44 nm_handler_t
*handler
;
45 /* name of the connection */
47 } NMStrongswanPluginPrivate
;
49 #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
50 (G_TYPE_INSTANCE_GET_PRIVATE ((o), \
51 NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
54 * Convert an address chunk to a GValue
56 static GVariant
*addr_to_variant(chunk_t addr
)
58 GVariantBuilder builder
;
64 return g_variant_new_uint32 (*(uint32_t*)addr
.ptr
);
66 g_variant_builder_init (&builder
, G_VARIANT_TYPE ("ay"));
67 for (i
= 0; i
< addr
.len
; i
++)
69 g_variant_builder_add (&builder
, "y", addr
.ptr
[i
]);
72 return g_variant_builder_end (&builder
);
79 * Convert a host to a GValue
81 static GVariant
*host_to_variant(host_t
*host
)
83 return addr_to_variant(host
->get_address(host
));
87 * Convert enumerated handler chunks to a GValue
89 static GVariant
* handler_to_variant(nm_handler_t
*handler
, char *variant_type
,
90 configuration_attribute_type_t type
)
92 GVariantBuilder builder
;
93 enumerator_t
*enumerator
;
96 g_variant_builder_init (&builder
, G_VARIANT_TYPE (variant_type
));
98 enumerator
= handler
->create_enumerator(handler
, type
);
99 while (enumerator
->enumerate(enumerator
, &chunk
))
101 g_variant_builder_add_value (&builder
, addr_to_variant(*chunk
));
103 enumerator
->destroy(enumerator
);
105 return g_variant_builder_end (&builder
);
109 * Signal IP config to NM, set connection as established
111 static void signal_ip_config(NMVpnServicePlugin
*plugin
,
112 ike_sa_t
*ike_sa
, child_sa_t
*child_sa
)
114 NMStrongswanPluginPrivate
*priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
115 GVariantBuilder builder
, ip4builder
, ip6builder
;
116 GVariant
*ip4config
, *ip6config
;
117 enumerator_t
*enumerator
;
118 host_t
*me
, *other
, *vip4
= NULL
, *vip6
= NULL
;
119 nm_handler_t
*handler
;
121 g_variant_builder_init (&builder
, G_VARIANT_TYPE_VARDICT
);
122 g_variant_builder_init (&ip4builder
, G_VARIANT_TYPE_VARDICT
);
123 g_variant_builder_init (&ip6builder
, G_VARIANT_TYPE_VARDICT
);
125 handler
= priv
->handler
;
127 /* NM apparently requires to know the gateway */
128 other
= ike_sa
->get_other_host(ike_sa
);
129 g_variant_builder_add (&builder
, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY
,
130 host_to_variant(other
));
132 /* pass the first virtual IPs we got or use the physical IP */
133 enumerator
= ike_sa
->create_virtual_ip_enumerator(ike_sa
, TRUE
);
134 while (enumerator
->enumerate(enumerator
, &me
))
136 switch (me
->get_family(me
))
152 enumerator
->destroy(enumerator
);
155 me
= ike_sa
->get_my_host(ike_sa
);
156 switch (me
->get_family(me
))
169 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS
,
170 host_to_variant(vip4
));
171 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX
,
172 g_variant_new_uint32 (vip4
->get_address(vip4
).len
* 8));
174 /* prevent NM from changing the default route. we set our own route in our
177 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT
,
178 g_variant_new_boolean (TRUE
));
180 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS
,
181 handler_to_variant(handler
, "au", INTERNAL_IP4_DNS
));
183 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS
,
184 handler_to_variant(handler
, "au", INTERNAL_IP4_NBNS
));
189 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS
,
190 host_to_variant(vip6
));
191 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_PREFIX
,
192 g_variant_new_uint32 (vip6
->get_address(vip6
).len
* 8));
193 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT
,
194 g_variant_new_boolean (TRUE
));
195 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_DNS
,
196 handler_to_variant(handler
, "aay", INTERNAL_IP6_DNS
));
197 /* NM_VPN_PLUGIN_IP6_CONFIG_NBNS is not defined */
200 ip4config
= g_variant_builder_end (&ip4builder
);
201 if (g_variant_n_children (ip4config
))
203 g_variant_builder_add (&builder
, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP4
,
204 g_variant_new_boolean (TRUE
));
208 g_variant_unref (ip4config
);
212 ip6config
= g_variant_builder_end (&ip6builder
);
213 if (g_variant_n_children (ip6config
))
215 g_variant_builder_add (&builder
, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP6
,
216 g_variant_new_boolean (TRUE
));
220 g_variant_unref (ip6config
);
224 handler
->reset(handler
);
226 nm_vpn_service_plugin_set_config (plugin
, g_variant_builder_end (&builder
));
229 nm_vpn_service_plugin_set_ip4_config (plugin
, ip4config
);
233 nm_vpn_service_plugin_set_ip6_config (plugin
, ip6config
);
238 * signal failure to NM, connecting failed
240 static void signal_failure(NMVpnServicePlugin
*plugin
, NMVpnPluginFailure failure
)
242 nm_handler_t
*handler
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
)->handler
;
244 handler
->reset(handler
);
246 nm_vpn_service_plugin_failure(plugin
, failure
);
250 * Implementation of listener_t.ike_state_change
252 static bool ike_state_change(listener_t
*listener
, ike_sa_t
*ike_sa
,
253 ike_sa_state_t state
)
255 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
257 if (private->ike_sa
== ike_sa
&& state
== IKE_DESTROYING
)
259 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED
);
266 * Implementation of listener_t.child_state_change
268 static bool child_state_change(listener_t
*listener
, ike_sa_t
*ike_sa
,
269 child_sa_t
*child_sa
, child_sa_state_t state
)
271 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
273 if (private->ike_sa
== ike_sa
&& state
== CHILD_DESTROYING
)
275 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED
);
282 * Implementation of listener_t.child_updown
284 static bool child_updown(listener_t
*listener
, ike_sa_t
*ike_sa
,
285 child_sa_t
*child_sa
, bool up
)
287 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
289 if (private->ike_sa
== ike_sa
)
292 { /* disable initiate-failure-detection hooks */
293 private->listener
.ike_state_change
= NULL
;
294 private->listener
.child_state_change
= NULL
;
295 signal_ip_config(private->plugin
, ike_sa
, child_sa
);
299 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED
);
307 * Implementation of listener_t.ike_rekey
309 static bool ike_rekey(listener_t
*listener
, ike_sa_t
*old
, ike_sa_t
*new)
311 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
313 if (private->ike_sa
== old
)
314 { /* follow a rekeyed IKE_SA */
315 private->ike_sa
= new;
321 * Find a certificate for which we have a private key on a smartcard
323 static identification_t
*find_smartcard_key(NMStrongswanPluginPrivate
*priv
,
326 enumerator_t
*enumerator
, *sans
;
327 identification_t
*id
= NULL
;
333 enumerator
= lib
->credmgr
->create_cert_enumerator(lib
->credmgr
,
334 CERT_X509
, KEY_ANY
, NULL
, FALSE
);
335 while (enumerator
->enumerate(enumerator
, &cert
))
337 x509
= (x509_t
*)cert
;
339 /* there might be a lot of certificates, filter them by usage */
340 if ((x509
->get_flags(x509
) & X509_CLIENT_AUTH
) &&
341 !(x509
->get_flags(x509
) & X509_CA
))
343 keyid
= x509
->get_subjectKeyIdentifier(x509
);
346 /* try to find a private key by the certificate keyid */
347 priv
->creds
->set_pin(priv
->creds
, keyid
, pin
);
348 key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
349 KEY_ANY
, BUILD_PKCS11_KEYID
, keyid
, BUILD_END
);
352 /* prefer a more convenient subjectAltName */
353 sans
= x509
->create_subjectAltName_enumerator(x509
);
354 if (!sans
->enumerate(sans
, &id
))
356 id
= cert
->get_subject(cert
);
361 DBG1(DBG_CFG
, "using smartcard certificate '%Y'", id
);
362 priv
->creds
->set_cert_and_key(priv
->creds
,
363 cert
->get_ref(cert
), key
);
369 enumerator
->destroy(enumerator
);
374 * Connect function called from NM via DBUS
376 static gboolean
connect_(NMVpnServicePlugin
*plugin
, NMConnection
*connection
,
379 NMStrongswanPluginPrivate
*priv
;
380 NMSettingConnection
*conn
;
382 enumerator_t
*enumerator
;
383 identification_t
*user
= NULL
, *gateway
= NULL
;
384 const char *address
, *str
;
385 bool virtual, encap
, proposal
;
388 peer_cfg_t
*peer_cfg
;
389 child_cfg_t
*child_cfg
;
390 traffic_selector_t
*ts
;
393 auth_class_t auth_class
= AUTH_CLASS_EAP
;
394 certificate_t
*cert
= NULL
;
396 bool agent
= FALSE
, smartcard
= FALSE
, loose_gateway_id
= FALSE
;
397 peer_cfg_create_t peer
= {
398 .cert_policy
= CERT_SEND_IF_ASKED
,
399 .unique
= UNIQUE_REPLACE
,
401 .rekey_time
= 36000, /* 10h */
402 .jitter_time
= 600, /* 10min */
403 .over_time
= 600, /* 10min */
405 child_cfg_create_t child
= {
408 .life
= 10800 /* 3h */,
409 .rekey
= 10200 /* 2h50min */,
410 .jitter
= 300 /* 5min */
419 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
420 conn
= NM_SETTING_CONNECTION(nm_connection_get_setting(connection
,
421 NM_TYPE_SETTING_CONNECTION
));
422 vpn
= NM_SETTING_VPN(nm_connection_get_setting(connection
,
423 NM_TYPE_SETTING_VPN
));
428 priv
->name
= strdup(nm_setting_connection_get_id(conn
));
429 DBG1(DBG_CFG
, "received initiate for NetworkManager connection %s",
432 nm_setting_to_string(NM_SETTING(vpn
)));
433 address
= nm_setting_vpn_get_data_item(vpn
, "address");
434 if (!address
|| !*address
)
436 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
437 "Gateway address missing.");
440 str
= nm_setting_vpn_get_data_item(vpn
, "virtual");
441 virtual = streq(str
, "yes");
442 str
= nm_setting_vpn_get_data_item(vpn
, "encap");
443 encap
= streq(str
, "yes");
444 str
= nm_setting_vpn_get_data_item(vpn
, "ipcomp");
445 child
.options
|= streq(str
, "yes") ? OPT_IPCOMP
: 0;
446 str
= nm_setting_vpn_get_data_item(vpn
, "method");
447 if (streq(str
, "psk"))
449 auth_class
= AUTH_CLASS_PSK
;
451 else if (streq(str
, "agent"))
453 auth_class
= AUTH_CLASS_PUBKEY
;
456 else if (streq(str
, "key"))
458 auth_class
= AUTH_CLASS_PUBKEY
;
460 else if (streq(str
, "smartcard"))
462 auth_class
= AUTH_CLASS_PUBKEY
;
467 * Register credentials
469 priv
->creds
->clear(priv
->creds
);
471 /* gateway/CA cert */
472 str
= nm_setting_vpn_get_data_item(vpn
, "certificate");
475 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
476 BUILD_FROM_FILE
, str
, BUILD_END
);
479 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
480 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
481 "Loading gateway certificate failed.");
484 priv
->creds
->add_certificate(priv
->creds
, cert
);
486 x509
= (x509_t
*)cert
;
487 if (!(x509
->get_flags(x509
) & X509_CA
))
488 { /* For a gateway certificate, we use the cert subject as identity. */
489 gateway
= cert
->get_subject(cert
);
490 gateway
= gateway
->clone(gateway
);
491 DBG1(DBG_CFG
, "using gateway certificate, identity '%Y'", gateway
);
496 /* no certificate defined, fall back to system-wide CA certificates */
497 priv
->creds
->load_ca_dir(priv
->creds
, lib
->settings
->get_str(
498 lib
->settings
, "charon-nm.ca_dir", NM_CA_DIR
));
502 /* If the user configured a CA certificate, we use the IP/DNS
503 * of the gateway as its identity. This identity will be used for
504 * certificate lookup and requires the configured IP/DNS to be
505 * included in the gateway certificate. */
506 gateway
= identification_create_from_string((char*)address
);
507 DBG1(DBG_CFG
, "using CA certificate, gateway identity '%Y'", gateway
);
508 loose_gateway_id
= TRUE
;
511 if (auth_class
== AUTH_CLASS_EAP
||
512 auth_class
== AUTH_CLASS_PSK
)
514 /* username/password or PSK authentication ... */
515 str
= nm_setting_vpn_get_data_item(vpn
, "user");
518 user
= identification_create_from_string((char*)str
);
519 str
= nm_setting_vpn_get_secret(vpn
, "password");
520 if (auth_class
== AUTH_CLASS_PSK
&&
523 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
524 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
525 "pre-shared key is too short.");
526 gateway
->destroy(gateway
);
530 priv
->creds
->set_username_password(priv
->creds
, user
, (char*)str
);
534 if (auth_class
== AUTH_CLASS_PUBKEY
)
540 pin
= (char*)nm_setting_vpn_get_secret(vpn
, "password");
543 user
= find_smartcard_key(priv
, pin
);
547 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
548 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
549 "no usable smartcard certificate found.");
550 gateway
->destroy(gateway
);
554 /* ... or certificate/private key authenitcation */
555 else if ((str
= nm_setting_vpn_get_data_item(vpn
, "usercert")))
557 public_key_t
*public;
558 private_key_t
*private = NULL
;
560 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
561 BUILD_FROM_FILE
, str
, BUILD_END
);
564 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
565 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
566 "Loading peer certificate failed.");
567 gateway
->destroy(gateway
);
571 str
= nm_setting_vpn_get_secret(vpn
, "agent");
574 public = cert
->get_public_key(cert
);
577 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
578 public->get_type(public),
579 BUILD_AGENT_SOCKET
, str
,
580 BUILD_PUBLIC_KEY
, public,
582 public->destroy(public);
586 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
587 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
588 "Connecting to SSH agent failed.");
591 /* ... or key file */
592 str
= nm_setting_vpn_get_data_item(vpn
, "userkey");
597 secret
= (char*)nm_setting_vpn_get_secret(vpn
, "password");
600 priv
->creds
->set_key_password(priv
->creds
, secret
);
602 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
603 KEY_ANY
, BUILD_FROM_FILE
, str
, BUILD_END
);
606 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
607 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
608 "Loading private key failed.");
613 user
= cert
->get_subject(cert
);
614 user
= user
->clone(user
);
615 priv
->creds
->set_cert_and_key(priv
->creds
, cert
, private);
620 gateway
->destroy(gateway
);
628 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
629 "Configuration parameters missing.");
630 gateway
->destroy(gateway
);
635 * Set up configurations
637 ike_cfg
= ike_cfg_create(IKEV2
, TRUE
, encap
, "%any",
638 charon
->socket
->get_port(charon
->socket
, FALSE
),
639 (char*)address
, IKEV2_UDP_PORT
,
640 FRAGMENTATION_YES
, 0);
642 str
= nm_setting_vpn_get_data_item(vpn
, "proposal");
643 proposal
= streq(str
, "yes");
644 str
= nm_setting_vpn_get_data_item(vpn
, "ike");
645 if (proposal
&& str
&& strlen(str
))
647 enumerator
= enumerator_create_token(str
, ";", "");
648 while (enumerator
->enumerate(enumerator
, &str
))
650 prop
= proposal_create_from_string(PROTO_IKE
, str
);
653 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
654 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
655 "Invalid IKE proposal.");
656 enumerator
->destroy(enumerator
);
657 ike_cfg
->destroy(ike_cfg
);
658 gateway
->destroy(gateway
);
662 ike_cfg
->add_proposal(ike_cfg
, prop
);
664 enumerator
->destroy(enumerator
);
668 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default(PROTO_IKE
));
669 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default_aead(PROTO_IKE
));
672 peer_cfg
= peer_cfg_create(priv
->name
, ike_cfg
, &peer
);
675 peer_cfg
->add_virtual_ip(peer_cfg
, host_create_any(AF_INET
));
676 peer_cfg
->add_virtual_ip(peer_cfg
, host_create_any(AF_INET6
));
678 auth
= auth_cfg_create();
679 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, auth_class
);
680 auth
->add(auth
, AUTH_RULE_IDENTITY
, user
);
681 peer_cfg
->add_auth_cfg(peer_cfg
, auth
, TRUE
);
682 auth
= auth_cfg_create();
683 if (auth_class
== AUTH_CLASS_PSK
)
685 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PSK
);
689 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PUBKEY
);
691 auth
->add(auth
, AUTH_RULE_IDENTITY
, gateway
);
692 auth
->add(auth
, AUTH_RULE_IDENTITY_LOOSE
, loose_gateway_id
);
693 peer_cfg
->add_auth_cfg(peer_cfg
, auth
, FALSE
);
695 child_cfg
= child_cfg_create(priv
->name
, &child
);
696 str
= nm_setting_vpn_get_data_item(vpn
, "esp");
697 if (proposal
&& str
&& strlen(str
))
699 enumerator
= enumerator_create_token(str
, ";", "");
700 while (enumerator
->enumerate(enumerator
, &str
))
702 prop
= proposal_create_from_string(PROTO_ESP
, str
);
705 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
706 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
707 "Invalid ESP proposal.");
708 enumerator
->destroy(enumerator
);
709 child_cfg
->destroy(child_cfg
);
710 peer_cfg
->destroy(peer_cfg
);
713 child_cfg
->add_proposal(child_cfg
, prop
);
715 enumerator
->destroy(enumerator
);
719 child_cfg
->add_proposal(child_cfg
, proposal_create_default(PROTO_ESP
));
720 child_cfg
->add_proposal(child_cfg
, proposal_create_default_aead(PROTO_ESP
));
722 ts
= traffic_selector_create_dynamic(0, 0, 65535);
723 child_cfg
->add_traffic_selector(child_cfg
, TRUE
, ts
);
724 ts
= traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
725 child_cfg
->add_traffic_selector(child_cfg
, FALSE
, ts
);
726 ts
= traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
727 child_cfg
->add_traffic_selector(child_cfg
, FALSE
, ts
);
728 peer_cfg
->add_child_cfg(peer_cfg
, child_cfg
);
733 ike_sa
= charon
->ike_sa_manager
->checkout_by_config(charon
->ike_sa_manager
,
737 peer_cfg
->destroy(peer_cfg
);
738 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
739 "IKE version not supported.");
742 if (!ike_sa
->get_peer_cfg(ike_sa
))
744 ike_sa
->set_peer_cfg(ike_sa
, peer_cfg
);
746 peer_cfg
->destroy(peer_cfg
);
749 * Register listener, enable initiate-failure-detection hooks
751 priv
->ike_sa
= ike_sa
;
752 priv
->listener
.ike_state_change
= ike_state_change
;
753 priv
->listener
.child_state_change
= child_state_change
;
754 charon
->bus
->add_listener(charon
->bus
, &priv
->listener
);
759 child_cfg
->get_ref(child_cfg
);
760 if (ike_sa
->initiate(ike_sa
, child_cfg
, 0, NULL
, NULL
) != SUCCESS
)
762 charon
->bus
->remove_listener(charon
->bus
, &priv
->listener
);
763 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, ike_sa
);
765 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
766 "Initiating failed.");
769 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, ike_sa
);
774 * NeedSecrets called from NM via DBUS
776 static gboolean
need_secrets(NMVpnServicePlugin
*plugin
, NMConnection
*connection
,
777 const char **setting_name
, GError
**error
)
779 NMSettingVpn
*settings
;
780 const char *method
, *path
;
782 settings
= NM_SETTING_VPN(nm_connection_get_setting(connection
,
783 NM_TYPE_SETTING_VPN
));
784 method
= nm_setting_vpn_get_data_item(settings
, "method");
787 if (streq(method
, "eap") || streq(method
, "psk"))
789 if (nm_setting_vpn_get_secret(settings
, "password"))
794 else if (streq(method
, "agent"))
796 if (nm_setting_vpn_get_secret(settings
, "agent"))
801 else if (streq(method
, "key"))
803 path
= nm_setting_vpn_get_data_item(settings
, "userkey");
808 /* try to load/decrypt the private key */
809 key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
810 KEY_ANY
, BUILD_FROM_FILE
, path
, BUILD_END
);
816 else if (nm_setting_vpn_get_secret(settings
, "password"))
822 else if (streq(method
, "smartcard"))
824 if (nm_setting_vpn_get_secret(settings
, "password"))
830 *setting_name
= NM_SETTING_VPN_SETTING_NAME
;
835 * The actual disconnection
837 static gboolean
do_disconnect(gpointer plugin
)
839 NMStrongswanPluginPrivate
*priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
840 enumerator_t
*enumerator
;
844 /* our ike_sa pointer might be invalid, lookup sa */
845 enumerator
= charon
->controller
->create_ike_sa_enumerator(
846 charon
->controller
, TRUE
);
847 while (enumerator
->enumerate(enumerator
, &ike_sa
))
849 if (priv
->ike_sa
== ike_sa
)
851 id
= ike_sa
->get_unique_id(ike_sa
);
852 enumerator
->destroy(enumerator
);
853 charon
->controller
->terminate_ike(charon
->controller
, id
, FALSE
,
854 controller_cb_empty
, NULL
, 0);
858 enumerator
->destroy(enumerator
);
860 g_debug("Connection not found.");
865 * Disconnect called from NM via DBUS
867 static gboolean
disconnect(NMVpnServicePlugin
*plugin
, GError
**err
)
869 /* enqueue the actual disconnection, because we may be called in
870 * response to a listener_t callback and the SA enumeration would
871 * possibly deadlock. */
872 g_idle_add(do_disconnect
, plugin
);
880 static void nm_strongswan_plugin_init(NMStrongswanPlugin
*plugin
)
882 NMStrongswanPluginPrivate
*priv
;
884 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
885 priv
->plugin
= NM_VPN_SERVICE_PLUGIN(plugin
);
886 memset(&priv
->listener
, 0, sizeof(listener_t
));
887 priv
->listener
.child_updown
= child_updown
;
888 priv
->listener
.ike_rekey
= ike_rekey
;
895 static void nm_strongswan_plugin_class_init(
896 NMStrongswanPluginClass
*strongswan_class
)
898 NMVpnServicePluginClass
*parent_class
= NM_VPN_SERVICE_PLUGIN_CLASS(strongswan_class
);
900 g_type_class_add_private(G_OBJECT_CLASS(strongswan_class
),
901 sizeof(NMStrongswanPluginPrivate
));
902 parent_class
->connect
= connect_
;
903 parent_class
->need_secrets
= need_secrets
;
904 parent_class
->disconnect
= disconnect
;
910 NMStrongswanPlugin
*nm_strongswan_plugin_new(nm_creds_t
*creds
,
911 nm_handler_t
*handler
)
913 GError
*error
= NULL
;
915 NMStrongswanPlugin
*plugin
= (NMStrongswanPlugin
*)g_initable_new (
916 NM_TYPE_STRONGSWAN_PLUGIN
,
919 NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME
, NM_DBUS_SERVICE_STRONGSWAN
,
924 NMStrongswanPluginPrivate
*priv
;
926 /* the rest of the initialization happened in _init above */
927 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
929 priv
->handler
= handler
;
933 g_warning ("Failed to initialize a plugin instance: %s", error
->message
);
934 g_error_free (error
);
projects / thirdparty / strongswan.git / blob