charon-nm: Clear secrets when disconnecting
index ae1a1da79ce4e4bdc3f43c8aaec58b522e66c576..771466a6300534b121a203c9b0fccd83ff404220 100644 (file)
@@ -387,7 +387,7 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv,
                                                          NMSettingVpn *vpn, peer_cfg_t *peer_cfg,
                                                          GError **err)
 {
-       identification_t *user = NULL;
+       identification_t *id = NULL;
        certificate_t *cert = NULL;
        auth_cfg_t *auth;
        const char *str, *method, *cert_source;
@@ -402,13 +402,13 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv,
                pin = (char*)nm_setting_vpn_get_secret(vpn, "password");
                if (pin)
                {
-                       user = find_smartcard_key(priv, pin);
+                       id = find_smartcard_key(priv, pin);
                }
-               if (!user)
+               if (!id)
                {
                        g_set_error(err, NM_VPN_PLUGIN_ERROR,
                                                NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-                                               "no usable smartcard certificate found.");
+                                               "No usable smartcard certificate found.");
                        return FALSE;
                }
        }
@@ -472,8 +472,8 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv,
                }
                if (private)
                {
-                       user = cert->get_subject(cert);
-                       user = user->clone(user);
+                       id = cert->get_subject(cert);
+                       id = id->clone(id);
                        priv->creds->set_cert_and_key(priv->creds, cert, private);
                }
                else
@@ -482,6 +482,12 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv,
                        return FALSE;
                }
        }
+       else
+       {
+               g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+                                       "Certificate is missing.");
+               return FALSE;
+       }
 
        auth = auth_cfg_create();
        if (streq(method, "eap-tls"))
@@ -499,7 +505,19 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv,
        {
                auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
        }
-       auth->add(auth, AUTH_RULE_IDENTITY, user);
+       str = nm_setting_vpn_get_data_item(vpn, "local-identity");
+       if (str)
+       {
+               identification_t *local_id;
+
+               local_id = identification_create_from_string((char*)str);
+               if (local_id)
+               {
+                       id->destroy(id);
+                       id = local_id;
+               }
+       }
+       auth->add(auth, AUTH_RULE_IDENTITY, id);
        peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
        return TRUE;
 }
@@ -511,7 +529,7 @@ static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv,
                                                        NMSettingVpn *vpn, peer_cfg_t *peer_cfg,
                                                        GError **err)
 {
-       identification_t *user = NULL;
+       identification_t *user = NULL, *id = NULL;
        auth_cfg_t *auth;
        const char *str, *method;
 
@@ -521,23 +539,37 @@ static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv,
        if (str)
        {
                user = identification_create_from_string((char*)str);
-               str = nm_setting_vpn_get_secret(vpn, "password");
-               if (streq(method, "psk") && strlen(str) < 20)
+       }
+       else
+       {
+               user = identification_create_from_string("%any");
+       }
+       str = nm_setting_vpn_get_data_item(vpn, "local-identity");
+       if (str)
+       {
+               id = identification_create_from_string((char*)str);
+       }
+       else
+       {
+               id = user->clone(user);
+       }
+       str = nm_setting_vpn_get_secret(vpn, "password");
+       if (streq(method, "psk"))
+       {
+               if (strlen(str) < 20)
                {
                        g_set_error(err, NM_VPN_PLUGIN_ERROR,
                                                NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
                                                "Pre-shared key is too short.");
                        user->destroy(user);
+                       id->destroy(id);
                        return FALSE;
                }
-               priv->creds->set_username_password(priv->creds, user, (char*)str);
+               priv->creds->set_username_password(priv->creds, id, (char*)str);
        }
        else
        {
-               g_set_error(err, NM_VPN_PLUGIN_ERROR,
-                                       NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-                                       "Username is missing.");
-               return FALSE;
+               priv->creds->set_username_password(priv->creds, user, (char*)str);
        }
 
        auth = auth_cfg_create();
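Review bot: The "password" secret fetched on the line `str = nm_setting_vpn_get_secret(vpn, "password");` is never checked for NULL before `strlen(str)` in the psk branch, so a psk connection whose secret was not supplied dereferences a null pointer instead of failing with an error. Previously the same `strlen` sat inside the `if (str)` block for the username, which only masked the problem for a different key; with the username now defaulting to `%any` this path is reached unconditionally. A minimal guard is `if (!str || strlen(str) < 20)`, which reuses the existing cleanup of `user` and `id`; a dedicated "Pre-shared key is missing." message would be clearer. The non-psk branch also forwards `str` unchecked to `set_username_password`; whether that accepts a NULL password is not visible in this hunk, so the same guard may be worth applying before the `streq(method, "psk")` test.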
@@ -546,7 +578,8 @@ static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv,
        /* in case EAP-PEAP or EAP-TTLS is used we currently accept any identity */
        auth->add(auth, AUTH_RULE_AAA_IDENTITY,
                          identification_create_from_string("%any"));
-       auth->add(auth, AUTH_RULE_IDENTITY, user);
+       auth->add(auth, AUTH_RULE_EAP_IDENTITY, user);
+       auth->add(auth, AUTH_RULE_IDENTITY, id);
        peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
        return TRUE;
 }
@@ -572,7 +605,6 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
        traffic_selector_t *ts;
        ike_sa_t *ike_sa;
        auth_cfg_t *auth;
-       auth_class_t auth_class = AUTH_CLASS_EAP;
        certificate_t *cert = NULL;
        x509_t *x509;
        bool loose_gateway_id = FALSE;
@@ -766,7 +798,7 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
        }
 
        auth = auth_cfg_create();
-       if (auth_class == AUTH_CLASS_PSK)
+       if (streq(method, "psk"))
        {
                auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
        }
@@ -942,6 +974,11 @@ static gboolean do_disconnect(gpointer plugin)
                        enumerator->destroy(enumerator);
                        charon->controller->terminate_ike(charon->controller, id, FALSE,
                                                                                          controller_cb_empty, NULL, 0);
+
+                       /* clear secrets as we are asked for new secrets (where we'd find
+                        * the cached secrets from earlier connections) before we clear
+                        * them in connect() */
+                       priv->creds->clear(priv->creds);
                        return FALSE;
                }
        }
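Review bot: The new `priv->creds->clear(priv->creds);` sits inside the branch that found and terminated a matching IKE_SA, so when the enumeration completes without a match the cached credentials from the earlier connection are left in place despite the disconnect. Since the stated intent is that a later secrets request must not see stale secrets, consider clearing after the enumerator loop (or additionally on the no-match fall-through) so every disconnect discards them. do_disconnect continues outside the hunk, so that fall-through may already be covered; if it is, a one-line comment on the clear saying so would save the next reader the same question.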