2 * Copyright (C) 2017 Lubomir Rintel
4 * Copyright (C) 2013-2020 Tobias Brunner
5 * Copyright (C) 2008-2009 Martin Willi
6 * HSR Hochschule fuer Technik Rapperswil
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 #include "nm_service.h"
22 #include <networking/host.h>
23 #include <utils/identification.h>
24 #include <config/peer_cfg.h>
25 #include <credentials/certificates/x509.h>
30 * Private data of NMStrongswanPlugin
33 /* implements bus listener interface */
35 /* IKE_SA we are listening on */
37 /* backref to public plugin */
38 NMVpnServicePlugin
*plugin
;
39 /* credentials to use for authentication */
41 /* attribute handler for DNS/NBNS server information */
42 nm_handler_t
*handler
;
43 /* name of the connection */
45 } NMStrongswanPluginPrivate
;
47 G_DEFINE_TYPE_WITH_PRIVATE(NMStrongswanPlugin
, nm_strongswan_plugin
, NM_TYPE_VPN_SERVICE_PLUGIN
)
49 #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
50 ((NMStrongswanPluginPrivate*) \
51 nm_strongswan_plugin_get_instance_private (o))
54 * Convert an address chunk to a GValue
56 static GVariant
*addr_to_variant(chunk_t addr
)
58 GVariantBuilder builder
;
64 return g_variant_new_uint32 (*(uint32_t*)addr
.ptr
);
66 g_variant_builder_init (&builder
, G_VARIANT_TYPE ("ay"));
67 for (i
= 0; i
< addr
.len
; i
++)
69 g_variant_builder_add (&builder
, "y", addr
.ptr
[i
]);
72 return g_variant_builder_end (&builder
);
79 * Convert a host to a GValue
81 static GVariant
*host_to_variant(host_t
*host
)
83 return addr_to_variant(host
->get_address(host
));
87 * Convert enumerated handler chunks to a GValue
89 static GVariant
* handler_to_variant(nm_handler_t
*handler
, char *variant_type
,
90 configuration_attribute_type_t type
)
92 GVariantBuilder builder
;
93 enumerator_t
*enumerator
;
96 g_variant_builder_init (&builder
, G_VARIANT_TYPE (variant_type
));
98 enumerator
= handler
->create_enumerator(handler
, type
);
99 while (enumerator
->enumerate(enumerator
, &chunk
))
101 g_variant_builder_add_value (&builder
, addr_to_variant(*chunk
));
103 enumerator
->destroy(enumerator
);
105 return g_variant_builder_end (&builder
);
109 * Signal IP config to NM, set connection as established
111 static void signal_ip_config(NMVpnServicePlugin
*plugin
,
112 ike_sa_t
*ike_sa
, child_sa_t
*child_sa
)
114 NMStrongswanPlugin
*pub
= (NMStrongswanPlugin
*)plugin
;
115 NMStrongswanPluginPrivate
*priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub
);
116 GVariantBuilder builder
, ip4builder
, ip6builder
;
117 GVariant
*ip4config
, *ip6config
;
118 enumerator_t
*enumerator
;
119 host_t
*me
, *other
, *vip4
= NULL
, *vip6
= NULL
;
120 nm_handler_t
*handler
;
122 g_variant_builder_init (&builder
, G_VARIANT_TYPE_VARDICT
);
123 g_variant_builder_init (&ip4builder
, G_VARIANT_TYPE_VARDICT
);
124 g_variant_builder_init (&ip6builder
, G_VARIANT_TYPE_VARDICT
);
126 handler
= priv
->handler
;
128 /* NM apparently requires to know the gateway */
129 other
= ike_sa
->get_other_host(ike_sa
);
130 g_variant_builder_add (&builder
, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY
,
131 host_to_variant(other
));
133 /* pass the first virtual IPs we got or use the physical IP */
134 enumerator
= ike_sa
->create_virtual_ip_enumerator(ike_sa
, TRUE
);
135 while (enumerator
->enumerate(enumerator
, &me
))
137 switch (me
->get_family(me
))
153 enumerator
->destroy(enumerator
);
156 me
= ike_sa
->get_my_host(ike_sa
);
157 switch (me
->get_family(me
))
170 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS
,
171 host_to_variant(vip4
));
172 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX
,
173 g_variant_new_uint32 (vip4
->get_address(vip4
).len
* 8));
175 /* prevent NM from changing the default route. we set our own route in our
178 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT
,
179 g_variant_new_boolean (TRUE
));
181 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS
,
182 handler_to_variant(handler
, "au", INTERNAL_IP4_DNS
));
184 g_variant_builder_add (&ip4builder
, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS
,
185 handler_to_variant(handler
, "au", INTERNAL_IP4_NBNS
));
190 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS
,
191 host_to_variant(vip6
));
192 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_PREFIX
,
193 g_variant_new_uint32 (vip6
->get_address(vip6
).len
* 8));
194 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT
,
195 g_variant_new_boolean (TRUE
));
196 g_variant_builder_add (&ip6builder
, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_DNS
,
197 handler_to_variant(handler
, "aay", INTERNAL_IP6_DNS
));
198 /* NM_VPN_PLUGIN_IP6_CONFIG_NBNS is not defined */
201 ip4config
= g_variant_builder_end (&ip4builder
);
202 if (g_variant_n_children (ip4config
))
204 g_variant_builder_add (&builder
, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP4
,
205 g_variant_new_boolean (TRUE
));
209 g_variant_unref (ip4config
);
213 ip6config
= g_variant_builder_end (&ip6builder
);
214 if (g_variant_n_children (ip6config
))
216 g_variant_builder_add (&builder
, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP6
,
217 g_variant_new_boolean (TRUE
));
221 g_variant_unref (ip6config
);
225 handler
->reset(handler
);
227 nm_vpn_service_plugin_set_config (plugin
, g_variant_builder_end (&builder
));
230 nm_vpn_service_plugin_set_ip4_config (plugin
, ip4config
);
234 nm_vpn_service_plugin_set_ip6_config (plugin
, ip6config
);
239 * signal failure to NM, connecting failed
241 static void signal_failure(NMVpnServicePlugin
*plugin
, NMVpnPluginFailure failure
)
243 NMStrongswanPlugin
*pub
= (NMStrongswanPlugin
*)plugin
;
244 nm_handler_t
*handler
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub
)->handler
;
246 handler
->reset(handler
);
248 nm_vpn_service_plugin_failure(plugin
, failure
);
252 * Implementation of listener_t.ike_state_change
254 static bool ike_state_change(listener_t
*listener
, ike_sa_t
*ike_sa
,
255 ike_sa_state_t state
)
257 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
259 if (private->ike_sa
== ike_sa
&& state
== IKE_DESTROYING
)
261 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED
);
268 * Implementation of listener_t.child_state_change
270 static bool child_state_change(listener_t
*listener
, ike_sa_t
*ike_sa
,
271 child_sa_t
*child_sa
, child_sa_state_t state
)
273 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
275 if (private->ike_sa
== ike_sa
&& state
== CHILD_DESTROYING
)
277 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED
);
284 * Implementation of listener_t.child_updown
286 static bool child_updown(listener_t
*listener
, ike_sa_t
*ike_sa
,
287 child_sa_t
*child_sa
, bool up
)
289 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
291 if (private->ike_sa
== ike_sa
)
294 { /* disable initiate-failure-detection hooks */
295 private->listener
.ike_state_change
= NULL
;
296 private->listener
.child_state_change
= NULL
;
297 signal_ip_config(private->plugin
, ike_sa
, child_sa
);
301 signal_failure(private->plugin
, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED
);
309 * Implementation of listener_t.ike_rekey
311 static bool ike_rekey(listener_t
*listener
, ike_sa_t
*old
, ike_sa_t
*new)
313 NMStrongswanPluginPrivate
*private = (NMStrongswanPluginPrivate
*)listener
;
315 if (private->ike_sa
== old
)
316 { /* follow a rekeyed IKE_SA */
317 private->ike_sa
= new;
323 * Find a certificate for which we have a private key on a smartcard
325 static identification_t
*find_smartcard_key(NMStrongswanPluginPrivate
*priv
,
328 enumerator_t
*enumerator
, *sans
;
329 identification_t
*id
= NULL
;
335 enumerator
= lib
->credmgr
->create_cert_enumerator(lib
->credmgr
,
336 CERT_X509
, KEY_ANY
, NULL
, FALSE
);
337 while (enumerator
->enumerate(enumerator
, &cert
))
339 x509
= (x509_t
*)cert
;
341 /* there might be a lot of certificates, filter them by usage */
342 if ((x509
->get_flags(x509
) & X509_CLIENT_AUTH
) &&
343 !(x509
->get_flags(x509
) & X509_CA
))
345 keyid
= x509
->get_subjectKeyIdentifier(x509
);
348 /* try to find a private key by the certificate keyid */
349 priv
->creds
->set_pin(priv
->creds
, keyid
, pin
);
350 key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
351 KEY_ANY
, BUILD_PKCS11_KEYID
, keyid
, BUILD_END
);
354 /* prefer a more convenient subjectAltName */
355 sans
= x509
->create_subjectAltName_enumerator(x509
);
356 if (!sans
->enumerate(sans
, &id
))
358 id
= cert
->get_subject(cert
);
363 DBG1(DBG_CFG
, "using smartcard certificate '%Y'", id
);
364 priv
->creds
->set_cert_and_key(priv
->creds
,
365 cert
->get_ref(cert
), key
);
371 enumerator
->destroy(enumerator
);
376 * Add a client auth config for certificate authentication
378 static bool add_auth_cfg_cert(NMStrongswanPluginPrivate
*priv
,
379 NMSettingVpn
*vpn
, peer_cfg_t
*peer_cfg
,
382 identification_t
*user
= NULL
;
383 certificate_t
*cert
= NULL
;
385 const char *str
, *method
, *cert_source
;
387 method
= nm_setting_vpn_get_data_item(vpn
, "method");
388 cert_source
= nm_setting_vpn_get_data_item(vpn
, "cert-source") ?: method
;
390 if (streq(cert_source
, "smartcard"))
394 pin
= (char*)nm_setting_vpn_get_secret(vpn
, "password");
397 user
= find_smartcard_key(priv
, pin
);
401 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
402 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
403 "no usable smartcard certificate found.");
407 /* ... or certificate/private key authentication */
408 else if ((str
= nm_setting_vpn_get_data_item(vpn
, "usercert")))
410 public_key_t
*public;
411 private_key_t
*private = NULL
;
413 bool agent
= streq(cert_source
, "agent");
415 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
416 BUILD_FROM_FILE
, str
, BUILD_END
);
419 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
420 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
421 "Loading peer certificate failed.");
425 str
= nm_setting_vpn_get_secret(vpn
, "agent");
428 public = cert
->get_public_key(cert
);
431 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
432 public->get_type(public),
433 BUILD_AGENT_SOCKET
, str
,
434 BUILD_PUBLIC_KEY
, public,
436 public->destroy(public);
440 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
441 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
442 "Connecting to SSH agent failed.");
445 /* ... or key file */
446 str
= nm_setting_vpn_get_data_item(vpn
, "userkey");
451 secret
= (char*)nm_setting_vpn_get_secret(vpn
, "password");
454 priv
->creds
->set_key_password(priv
->creds
, secret
);
456 private = lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
457 KEY_ANY
, BUILD_FROM_FILE
, str
, BUILD_END
);
460 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
461 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
462 "Loading private key failed.");
467 user
= cert
->get_subject(cert
);
468 user
= user
->clone(user
);
469 priv
->creds
->set_cert_and_key(priv
->creds
, cert
, private);
478 auth
= auth_cfg_create();
479 if (streq(method
, "eap-tls"))
481 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_EAP
);
482 auth
->add(auth
, AUTH_RULE_EAP_TYPE
, EAP_TLS
);
483 auth
->add(auth
, AUTH_RULE_AAA_IDENTITY
,
484 identification_create_from_string("%any"));
488 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PUBKEY
);
492 auth
->add(auth
, AUTH_RULE_SUBJECT_CERT
, cert
->get_ref(cert
));
494 auth
->add(auth
, AUTH_RULE_IDENTITY
, user
);
495 peer_cfg
->add_auth_cfg(peer_cfg
, auth
, TRUE
);
500 * Add a client auth config for username/password authentication
502 static bool add_auth_cfg_pw(NMStrongswanPluginPrivate
*priv
,
503 NMSettingVpn
*vpn
, peer_cfg_t
*peer_cfg
,
506 identification_t
*user
= NULL
;
508 const char *str
, *method
;
510 method
= nm_setting_vpn_get_data_item(vpn
, "method");
512 str
= nm_setting_vpn_get_data_item(vpn
, "user");
515 user
= identification_create_from_string((char*)str
);
516 str
= nm_setting_vpn_get_secret(vpn
, "password");
517 if (streq(method
, "psk") && strlen(str
) < 20)
519 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
520 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
521 "Pre-shared key is too short.");
525 priv
->creds
->set_username_password(priv
->creds
, user
, (char*)str
);
529 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
530 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
531 "Username is missing.");
535 auth
= auth_cfg_create();
536 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
,
537 streq(method
, "psk") ? AUTH_CLASS_PSK
: AUTH_CLASS_EAP
);
538 /* in case EAP-PEAP or EAP-TTLS is used we currently accept any identity */
539 auth
->add(auth
, AUTH_RULE_AAA_IDENTITY
,
540 identification_create_from_string("%any"));
541 auth
->add(auth
, AUTH_RULE_IDENTITY
, user
);
542 peer_cfg
->add_auth_cfg(peer_cfg
, auth
, TRUE
);
547 * Connect function called from NM via DBUS
549 static gboolean
connect_(NMVpnServicePlugin
*plugin
, NMConnection
*connection
,
552 NMStrongswanPlugin
*pub
= (NMStrongswanPlugin
*)plugin
;
553 NMStrongswanPluginPrivate
*priv
;
554 NMSettingConnection
*conn
;
556 enumerator_t
*enumerator
;
557 identification_t
*gateway
= NULL
;
558 const char *str
, *method
;
559 bool virtual, proposal
;
562 peer_cfg_t
*peer_cfg
;
563 child_cfg_t
*child_cfg
;
564 traffic_selector_t
*ts
;
567 auth_class_t auth_class
= AUTH_CLASS_EAP
;
568 certificate_t
*cert
= NULL
;
570 bool loose_gateway_id
= FALSE
;
571 ike_cfg_create_t ike
= {
574 .local_port
= charon
->socket
->get_port(charon
->socket
, FALSE
),
575 .remote_port
= IKEV2_UDP_PORT
,
576 .fragmentation
= FRAGMENTATION_YES
,
578 peer_cfg_create_t peer
= {
579 .cert_policy
= CERT_SEND_IF_ASKED
,
580 .unique
= UNIQUE_REPLACE
,
582 .rekey_time
= 36000, /* 10h */
583 .jitter_time
= 600, /* 10min */
584 .over_time
= 600, /* 10min */
586 child_cfg_create_t child
= {
589 .life
= 10800 /* 3h */,
590 .rekey
= 10200 /* 2h50min */,
591 .jitter
= 300 /* 5min */
600 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub
);
601 conn
= NM_SETTING_CONNECTION(nm_connection_get_setting(connection
,
602 NM_TYPE_SETTING_CONNECTION
));
603 vpn
= NM_SETTING_VPN(nm_connection_get_setting(connection
,
604 NM_TYPE_SETTING_VPN
));
609 priv
->name
= strdup(nm_setting_connection_get_id(conn
));
610 DBG1(DBG_CFG
, "received initiate for NetworkManager connection %s",
613 nm_setting_to_string(NM_SETTING(vpn
)));
614 ike
.remote
= (char*)nm_setting_vpn_get_data_item(vpn
, "address");
615 if (!ike
.remote
|| !*ike
.remote
)
617 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
618 "Gateway address missing.");
621 str
= nm_setting_vpn_get_data_item(vpn
, "server-port");
622 if (str
&& strlen(str
))
624 ike
.remote_port
= settings_value_as_int((char*)str
, ike
.remote_port
);
626 str
= nm_setting_vpn_get_data_item(vpn
, "virtual");
627 virtual = streq(str
, "yes");
628 str
= nm_setting_vpn_get_data_item(vpn
, "encap");
629 ike
.force_encap
= streq(str
, "yes");
630 str
= nm_setting_vpn_get_data_item(vpn
, "ipcomp");
631 child
.options
|= streq(str
, "yes") ? OPT_IPCOMP
: 0;
634 * Register credentials
636 priv
->creds
->clear(priv
->creds
);
638 /* gateway/CA cert */
639 str
= nm_setting_vpn_get_data_item(vpn
, "certificate");
642 cert
= lib
->creds
->create(lib
->creds
, CRED_CERTIFICATE
, CERT_X509
,
643 BUILD_FROM_FILE
, str
, BUILD_END
);
646 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
647 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
648 "Loading gateway certificate failed.");
651 priv
->creds
->add_certificate(priv
->creds
, cert
);
655 /* no certificate defined, fall back to system-wide CA certificates */
656 priv
->creds
->load_ca_dir(priv
->creds
, lib
->settings
->get_str(
657 lib
->settings
, "charon-nm.ca_dir", NM_CA_DIR
));
660 str
= nm_setting_vpn_get_data_item(vpn
, "remote-identity");
663 gateway
= identification_create_from_string((char*)str
);
667 x509
= (x509_t
*)cert
;
668 if (!(x509
->get_flags(x509
) & X509_CA
))
669 { /* for server certificates, we use the subject as identity */
670 gateway
= cert
->get_subject(cert
);
671 gateway
= gateway
->clone(gateway
);
674 if (!gateway
|| gateway
->get_type(gateway
) == ID_ANY
)
676 /* if the user configured a CA certificate (or an invalid identity),
677 * we use the IP/hostname of the server */
678 gateway
= identification_create_from_string(ike
.remote
);
679 loose_gateway_id
= TRUE
;
681 DBG1(DBG_CFG
, "using gateway identity '%Y'", gateway
);
684 * Set up configurations
686 ike_cfg
= ike_cfg_create(&ike
);
688 str
= nm_setting_vpn_get_data_item(vpn
, "proposal");
689 proposal
= streq(str
, "yes");
690 str
= nm_setting_vpn_get_data_item(vpn
, "ike");
691 if (proposal
&& str
&& strlen(str
))
693 enumerator
= enumerator_create_token(str
, ";", "");
694 while (enumerator
->enumerate(enumerator
, &str
))
696 prop
= proposal_create_from_string(PROTO_IKE
, str
);
699 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
700 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
701 "Invalid IKE proposal.");
702 enumerator
->destroy(enumerator
);
703 ike_cfg
->destroy(ike_cfg
);
704 gateway
->destroy(gateway
);
707 ike_cfg
->add_proposal(ike_cfg
, prop
);
709 enumerator
->destroy(enumerator
);
713 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default(PROTO_IKE
));
714 ike_cfg
->add_proposal(ike_cfg
, proposal_create_default_aead(PROTO_IKE
));
717 peer_cfg
= peer_cfg_create(priv
->name
, ike_cfg
, &peer
);
720 peer_cfg
->add_virtual_ip(peer_cfg
, host_create_any(AF_INET
));
721 peer_cfg
->add_virtual_ip(peer_cfg
, host_create_any(AF_INET6
));
724 method
= nm_setting_vpn_get_data_item(vpn
, "method");
725 if (streq(method
, "cert") ||
726 streq(method
, "eap-tls") ||
727 streq(method
, "key") ||
728 streq(method
, "agent") ||
729 streq(method
, "smartcard"))
731 if (!add_auth_cfg_cert (priv
, vpn
, peer_cfg
, err
))
733 peer_cfg
->destroy(peer_cfg
);
734 ike_cfg
->destroy(ike_cfg
);
735 gateway
->destroy(gateway
);
739 else if (streq(method
, "eap") ||
740 streq(method
, "psk"))
742 if (!add_auth_cfg_pw(priv
, vpn
, peer_cfg
, err
))
744 peer_cfg
->destroy(peer_cfg
);
745 ike_cfg
->destroy(ike_cfg
);
746 gateway
->destroy(gateway
);
752 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS
,
753 "Configuration parameters missing.");
754 peer_cfg
->destroy(peer_cfg
);
755 ike_cfg
->destroy(ike_cfg
);
756 gateway
->destroy(gateway
);
760 auth
= auth_cfg_create();
761 if (auth_class
== AUTH_CLASS_PSK
)
763 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PSK
);
767 auth
->add(auth
, AUTH_RULE_AUTH_CLASS
, AUTH_CLASS_PUBKEY
);
769 auth
->add(auth
, AUTH_RULE_IDENTITY
, gateway
);
770 auth
->add(auth
, AUTH_RULE_IDENTITY_LOOSE
, loose_gateway_id
);
771 peer_cfg
->add_auth_cfg(peer_cfg
, auth
, FALSE
);
773 child_cfg
= child_cfg_create(priv
->name
, &child
);
774 str
= nm_setting_vpn_get_data_item(vpn
, "esp");
775 if (proposal
&& str
&& strlen(str
))
777 enumerator
= enumerator_create_token(str
, ";", "");
778 while (enumerator
->enumerate(enumerator
, &str
))
780 prop
= proposal_create_from_string(PROTO_ESP
, str
);
783 g_set_error(err
, NM_VPN_PLUGIN_ERROR
,
784 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
785 "Invalid ESP proposal.");
786 enumerator
->destroy(enumerator
);
787 child_cfg
->destroy(child_cfg
);
788 peer_cfg
->destroy(peer_cfg
);
791 child_cfg
->add_proposal(child_cfg
, prop
);
793 enumerator
->destroy(enumerator
);
797 child_cfg
->add_proposal(child_cfg
, proposal_create_default(PROTO_ESP
));
798 child_cfg
->add_proposal(child_cfg
, proposal_create_default_aead(PROTO_ESP
));
800 ts
= traffic_selector_create_dynamic(0, 0, 65535);
801 child_cfg
->add_traffic_selector(child_cfg
, TRUE
, ts
);
802 ts
= traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
803 child_cfg
->add_traffic_selector(child_cfg
, FALSE
, ts
);
804 ts
= traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
805 child_cfg
->add_traffic_selector(child_cfg
, FALSE
, ts
);
806 peer_cfg
->add_child_cfg(peer_cfg
, child_cfg
);
811 ike_sa
= charon
->ike_sa_manager
->checkout_by_config(charon
->ike_sa_manager
,
815 peer_cfg
->destroy(peer_cfg
);
816 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
817 "IKE version not supported.");
820 if (!ike_sa
->get_peer_cfg(ike_sa
))
822 ike_sa
->set_peer_cfg(ike_sa
, peer_cfg
);
824 peer_cfg
->destroy(peer_cfg
);
827 * Register listener, enable initiate-failure-detection hooks
829 priv
->ike_sa
= ike_sa
;
830 priv
->listener
.ike_state_change
= ike_state_change
;
831 priv
->listener
.child_state_change
= child_state_change
;
832 charon
->bus
->add_listener(charon
->bus
, &priv
->listener
);
837 child_cfg
->get_ref(child_cfg
);
838 if (ike_sa
->initiate(ike_sa
, child_cfg
, 0, NULL
, NULL
) != SUCCESS
)
840 charon
->bus
->remove_listener(charon
->bus
, &priv
->listener
);
841 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, ike_sa
);
843 g_set_error(err
, NM_VPN_PLUGIN_ERROR
, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED
,
844 "Initiating failed.");
847 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, ike_sa
);
852 * NeedSecrets called from NM via DBUS
854 static gboolean
need_secrets(NMVpnServicePlugin
*plugin
, NMConnection
*connection
,
855 const char **setting_name
, GError
**error
)
857 NMSettingVpn
*settings
;
858 const char *method
, *cert_source
, *path
;
859 bool need_secret
= FALSE
;
861 settings
= NM_SETTING_VPN(nm_connection_get_setting(connection
,
862 NM_TYPE_SETTING_VPN
));
863 method
= nm_setting_vpn_get_data_item(settings
, "method");
866 if (streq(method
, "cert") ||
867 streq(method
, "eap-tls") ||
868 streq(method
, "key") ||
869 streq(method
, "agent") ||
870 streq(method
, "smartcard"))
872 cert_source
= nm_setting_vpn_get_data_item(settings
, "cert-source");
875 cert_source
= method
;
877 if (streq(cert_source
, "agent"))
879 need_secret
= !nm_setting_vpn_get_secret(settings
, "agent");
881 else if (streq(cert_source
, "smartcard"))
883 need_secret
= !nm_setting_vpn_get_secret(settings
, "password");
888 path
= nm_setting_vpn_get_data_item(settings
, "userkey");
893 /* try to load/decrypt the private key */
894 key
= lib
->creds
->create(lib
->creds
, CRED_PRIVATE_KEY
,
895 KEY_ANY
, BUILD_FROM_FILE
, path
, BUILD_END
);
901 else if (nm_setting_vpn_get_secret(settings
, "password"))
908 else if (streq(method
, "eap") ||
909 streq(method
, "psk"))
911 need_secret
= !nm_setting_vpn_get_secret(settings
, "password");
914 *setting_name
= NM_SETTING_VPN_SETTING_NAME
;
919 * The actual disconnection
921 static gboolean
do_disconnect(gpointer plugin
)
923 NMStrongswanPluginPrivate
*priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
924 enumerator_t
*enumerator
;
928 /* our ike_sa pointer might be invalid, lookup sa */
929 enumerator
= charon
->controller
->create_ike_sa_enumerator(
930 charon
->controller
, TRUE
);
931 while (enumerator
->enumerate(enumerator
, &ike_sa
))
933 if (priv
->ike_sa
== ike_sa
)
935 id
= ike_sa
->get_unique_id(ike_sa
);
936 enumerator
->destroy(enumerator
);
937 charon
->controller
->terminate_ike(charon
->controller
, id
, FALSE
,
938 controller_cb_empty
, NULL
, 0);
942 enumerator
->destroy(enumerator
);
944 g_debug("Connection not found.");
949 * Disconnect called from NM via DBUS
951 static gboolean
disconnect(NMVpnServicePlugin
*plugin
, GError
**err
)
953 /* enqueue the actual disconnection, because we may be called in
954 * response to a listener_t callback and the SA enumeration would
955 * possibly deadlock. */
956 g_idle_add(do_disconnect
, plugin
);
964 static void nm_strongswan_plugin_init(NMStrongswanPlugin
*plugin
)
966 NMStrongswanPluginPrivate
*priv
;
968 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
969 priv
->plugin
= NM_VPN_SERVICE_PLUGIN(plugin
);
970 memset(&priv
->listener
, 0, sizeof(listener_t
));
971 priv
->listener
.child_updown
= child_updown
;
972 priv
->listener
.ike_rekey
= ike_rekey
;
979 static void nm_strongswan_plugin_class_init(
980 NMStrongswanPluginClass
*strongswan_class
)
982 NMVpnServicePluginClass
*parent_class
= NM_VPN_SERVICE_PLUGIN_CLASS(strongswan_class
);
984 parent_class
->connect
= connect_
;
985 parent_class
->need_secrets
= need_secrets
;
986 parent_class
->disconnect
= disconnect
;
992 NMStrongswanPlugin
*nm_strongswan_plugin_new(nm_creds_t
*creds
,
993 nm_handler_t
*handler
)
995 GError
*error
= NULL
;
997 NMStrongswanPlugin
*plugin
= (NMStrongswanPlugin
*)g_initable_new (
998 NM_TYPE_STRONGSWAN_PLUGIN
,
1001 NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME
, NM_DBUS_SERVICE_STRONGSWAN
,
1006 NMStrongswanPluginPrivate
*priv
;
1008 /* the rest of the initialization happened in _init above */
1009 priv
= NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin
);
1010 priv
->creds
= creds
;
1011 priv
->handler
= handler
;
1015 g_warning ("Failed to initialize a plugin instance: %s", error
->message
);
1016 g_error_free (error
);