/*
+ * Copyright (C) 2017 Lubomir Rintel
+ *
+ * Copyright (C) 2013-2020 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* for more details.
*/
-#include <nm-setting-vpn.h>
-#include <nm-setting-connection.h>
#include "nm_service.h"
#include <daemon.h>
-#include <utils/host.h>
+#include <networking/host.h>
#include <utils/identification.h>
#include <config/peer_cfg.h>
#include <credentials/certificates/x509.h>
#include <stdio.h>
-G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
-
/**
* Private data of NMStrongswanPlugin
*/
/* IKE_SA we are listening on */
ike_sa_t *ike_sa;
/* backref to public plugin */
- NMVPNPlugin *plugin;
+ NMVpnServicePlugin *plugin;
/* credentials to use for authentication */
nm_creds_t *creds;
/* attribute handler for DNS/NBNS server information */
char *name;
} NMStrongswanPluginPrivate;
+G_DEFINE_TYPE_WITH_PRIVATE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_SERVICE_PLUGIN)
+
#define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
- (G_TYPE_INSTANCE_GET_PRIVATE ((o), \
- NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
+ ((NMStrongswanPluginPrivate*) \
+ nm_strongswan_plugin_get_instance_private (o))
+
+/**
+ * Convert an address chunk to a GValue
+ */
+static GVariant *addr_to_variant(chunk_t addr)
+{
+ GVariantBuilder builder;
+ int i;
+
+ switch (addr.len)
+ {
+ case 4:
+ return g_variant_new_uint32 (*(uint32_t*)addr.ptr);
+ case 16:
+ g_variant_builder_init (&builder, G_VARIANT_TYPE ("ay"));
+ for (i = 0; i < addr.len; i++)
+ {
+ g_variant_builder_add (&builder, "y", addr.ptr[i]);
+
+ }
+ return g_variant_builder_end (&builder);
+ default:
+ return NULL;
+ }
+}
/**
- * convert enumerated handler chunks to a UINT_ARRAY GValue
+ * Convert a host to a GValue
*/
-static GValue* handler_to_val(nm_handler_t *handler,
+static GVariant *host_to_variant(host_t *host)
+{
+ return addr_to_variant(host->get_address(host));
+}
+
+/**
+ * Convert enumerated handler chunks to a GValue
+ */
+static GVariant* handler_to_variant(nm_handler_t *handler, char *variant_type,
configuration_attribute_type_t type)
{
- GValue *val;
- GArray *array;
+ GVariantBuilder builder;
enumerator_t *enumerator;
- chunk_t chunk;
+ chunk_t *chunk;
+
+ g_variant_builder_init (&builder, G_VARIANT_TYPE (variant_type));
enumerator = handler->create_enumerator(handler, type);
- array = g_array_new (FALSE, TRUE, sizeof (guint32));
while (enumerator->enumerate(enumerator, &chunk))
{
- g_array_append_val (array, *(u_int32_t*)chunk.ptr);
+ g_variant_builder_add_value (&builder, addr_to_variant(*chunk));
}
enumerator->destroy(enumerator);
- val = g_slice_new0 (GValue);
- g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
- g_value_set_boxed (val, array);
- return val;
+ return g_variant_builder_end (&builder);
}
/**
- * signal IPv4 config to NM, set connection as established
+ * Signal IP config to NM, set connection as established
*/
-static void signal_ipv4_config(NMVPNPlugin *plugin,
- ike_sa_t *ike_sa, child_sa_t *child_sa)
+static void signal_ip_config(NMVpnServicePlugin *plugin,
+ ike_sa_t *ike_sa, child_sa_t *child_sa)
{
- GValue *val;
- GHashTable *config;
- host_t *me;
+ NMStrongswanPlugin *pub = (NMStrongswanPlugin*)plugin;
+ NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub);
+ GVariantBuilder builder, ip4builder, ip6builder;
+ GVariant *ip4config, *ip6config;
+ enumerator_t *enumerator;
+ host_t *me, *other, *vip4 = NULL, *vip6 = NULL;
nm_handler_t *handler;
- config = g_hash_table_new(g_str_hash, g_str_equal);
- me = ike_sa->get_my_host(ike_sa);
- handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
+ g_variant_builder_init (&builder, G_VARIANT_TYPE_VARDICT);
+ g_variant_builder_init (&ip4builder, G_VARIANT_TYPE_VARDICT);
+ g_variant_builder_init (&ip6builder, G_VARIANT_TYPE_VARDICT);
+
+ handler = priv->handler;
- /* NM requires a tundev, but netkey does not use one. Passing an invalid
- * iface makes NM complain, but it accepts it without fiddling on eth0. */
- val = g_slice_new0 (GValue);
- g_value_init (val, G_TYPE_STRING);
- g_value_set_string (val, "none");
- g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
+ /* NM apparently requires to know the gateway */
+ other = ike_sa->get_other_host(ike_sa);
+ g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY,
+ host_to_variant(other));
- val = g_slice_new0(GValue);
- g_value_init(val, G_TYPE_UINT);
- g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
+ /* pass the first virtual IPs we got or use the physical IP */
+ enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
+ while (enumerator->enumerate(enumerator, &me))
+ {
+ switch (me->get_family(me))
+ {
+ case AF_INET:
+ if (!vip4)
+ {
+ vip4 = me;
+ }
+ break;
+ case AF_INET6:
+ if (!vip6)
+ {
+ vip6 = me;
+ }
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (!vip4 && !vip6)
+ {
+ me = ike_sa->get_my_host(ike_sa);
+ switch (me->get_family(me))
+ {
+ case AF_INET:
+ vip4 = me;
+ break;
+ case AF_INET6:
+ vip6 = me;
+ break;
+ }
+ }
+
+ if (vip4)
+ {
+ g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS,
+ host_to_variant(vip4));
+ g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX,
+ g_variant_new_uint32 (vip4->get_address(vip4).len * 8));
+
+ /* prevent NM from changing the default route. we set our own route in our
+ * own routing table
+ */
+ g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT,
+ g_variant_new_boolean (TRUE));
- val = g_slice_new0(GValue);
- g_value_init(val, G_TYPE_UINT);
- g_value_set_uint(val, me->get_address(me).len * 8);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
+ g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS,
+ handler_to_variant(handler, "au", INTERNAL_IP4_DNS));
- val = handler_to_val(handler, INTERNAL_IP4_DNS);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
+ g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS,
+ handler_to_variant(handler, "au", INTERNAL_IP4_NBNS));
+ }
+
+ if (vip6)
+ {
+ g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS,
+ host_to_variant(vip6));
+ g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_PREFIX,
+ g_variant_new_uint32 (vip6->get_address(vip6).len * 8));
+ g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT,
+ g_variant_new_boolean (TRUE));
+ g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_DNS,
+ handler_to_variant(handler, "aay", INTERNAL_IP6_DNS));
+ /* NM_VPN_PLUGIN_IP6_CONFIG_NBNS is not defined */
+ }
+
+ ip4config = g_variant_builder_end (&ip4builder);
+ if (g_variant_n_children (ip4config))
+ {
+ g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP4,
+ g_variant_new_boolean (TRUE));
+ }
+ else
+ {
+ g_variant_unref (ip4config);
+ ip4config = NULL;
+ }
- val = handler_to_val(handler, INTERNAL_IP4_NBNS);
- g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val);
+ ip6config = g_variant_builder_end (&ip6builder);
+ if (g_variant_n_children (ip6config))
+ {
+ g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP6,
+ g_variant_new_boolean (TRUE));
+ }
+ else
+ {
+ g_variant_unref (ip6config);
+ ip6config = NULL;
+ }
handler->reset(handler);
- nm_vpn_plugin_set_ip4_config(plugin, config);
+ nm_vpn_service_plugin_set_config (plugin, g_variant_builder_end (&builder));
+ if (ip4config)
+ {
+ nm_vpn_service_plugin_set_ip4_config (plugin, ip4config);
+ }
+ if (ip6config)
+ {
+ nm_vpn_service_plugin_set_ip6_config (plugin, ip6config);
+ }
}
/**
* signal failure to NM, connecting failed
*/
-static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure)
+static void signal_failure(NMVpnServicePlugin *plugin, NMVpnPluginFailure failure)
{
- nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
+ NMStrongswanPlugin *pub = (NMStrongswanPlugin*)plugin;
+ nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub)->handler;
handler->reset(handler);
- /* TODO: NM does not handle this failure!? */
- nm_vpn_plugin_failure(plugin, failure);
- nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
+ nm_vpn_service_plugin_failure(plugin, failure);
}
-/**
- * Implementation of listener_t.ike_state_change
- */
-static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
- ike_sa_state_t state)
+METHOD(listener_t, ike_state_change, bool,
+ NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, ike_sa_state_t state)
{
- NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+ if (this->ike_sa == ike_sa && state == IKE_DESTROYING)
+ {
+ signal_failure(this->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
+ }
+ return TRUE;
+}
- if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
+METHOD(listener_t, child_state_change, bool,
+ NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+ child_sa_state_t state)
+{
+ if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
{
- signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
- return FALSE;
+ signal_failure(this->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
}
return TRUE;
}
-/**
- * Implementation of listener_t.child_state_change
- */
-static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
- child_sa_t *child_sa, child_sa_state_t state)
+METHOD(listener_t, ike_rekey, bool,
+ NMStrongswanPluginPrivate *this, ike_sa_t *old, ike_sa_t *new)
{
- NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+ if (this->ike_sa == old)
+ { /* follow a rekeyed IKE_SA */
+ this->ike_sa = new;
+ }
+ return TRUE;
+}
- if (private->ike_sa == ike_sa && state == CHILD_DESTROYING)
- {
- signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
- return FALSE;
+METHOD(listener_t, ike_reestablish_pre, bool,
+ NMStrongswanPluginPrivate *this, ike_sa_t *old, ike_sa_t *new)
+{
+ if (this->ike_sa == old)
+ { /* ignore child state changes during redirects etc. (task migration) */
+ this->listener.child_state_change = NULL;
}
return TRUE;
}
-/**
- * Implementation of listener_t.child_updown
- */
-static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
- child_sa_t *child_sa, bool up)
+METHOD(listener_t, ike_reestablish_post, bool,
+ NMStrongswanPluginPrivate *this, ike_sa_t *old, ike_sa_t *new,
+ bool initiated)
{
- NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
+ if (this->ike_sa == old && initiated)
+ { /* if we get redirected during IKE_AUTH we just migrate to the new SA */
+ this->ike_sa = new;
+ /* re-register hooks to detect initiation failures */
+ this->listener.ike_state_change = _ike_state_change;
+ this->listener.child_state_change = _child_state_change;
+ }
+ return TRUE;
+}
- if (private->ike_sa == ike_sa)
+METHOD(listener_t, child_updown, bool,
+ NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+ bool up)
+{
+ if (this->ike_sa == ike_sa)
{
if (up)
{ /* disable initiate-failure-detection hooks */
- private->listener.ike_state_change = NULL;
- private->listener.child_state_change = NULL;
- signal_ipv4_config(private->plugin, ike_sa, child_sa);
+ this->listener.ike_state_change = NULL;
+ this->listener.child_state_change = NULL;
+ signal_ip_config(this->plugin, ike_sa, child_sa);
}
else
{
- signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
- return FALSE;
+ if (ike_sa->has_condition(ike_sa, COND_REAUTHENTICATING))
+ { /* we ignore this during reauthentication */
+ return TRUE;
+ }
+ signal_failure(this->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
}
}
return TRUE;
}
-/**
- * Implementation of listener_t.ike_rekey
- */
-static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
-{
- NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
-
- if (private->ike_sa == old)
- { /* follow a rekeyed IKE_SA */
- private->ike_sa = new;
- }
- return TRUE;
-}
-
/**
* Find a certificate for which we have a private key on a smartcard
*/
return id;
}
+/**
+ * Add a client auth config for certificate authentication
+ */
+static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv,
+ NMSettingVpn *vpn, peer_cfg_t *peer_cfg,
+ GError **err)
+{
+ identification_t *id = NULL;
+ certificate_t *cert = NULL;
+ auth_cfg_t *auth;
+ const char *str, *method, *cert_source;
+
+ method = nm_setting_vpn_get_data_item(vpn, "method");
+ cert_source = nm_setting_vpn_get_data_item(vpn, "cert-source") ?: method;
+
+ if (streq(cert_source, "smartcard"))
+ {
+ char *pin;
+
+ pin = (char*)nm_setting_vpn_get_secret(vpn, "password");
+ if (pin)
+ {
+ id = find_smartcard_key(priv, pin);
+ }
+ if (!id)
+ {
+ g_set_error(err, NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+ "No usable smartcard certificate found.");
+ return FALSE;
+ }
+ }
+ /* ... or certificate/private key authentication */
+ else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert")))
+ {
+ public_key_t *public;
+ private_key_t *private = NULL;
+
+ bool agent = streq(cert_source, "agent");
+
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, str, BUILD_END);
+ if (!cert)
+ {
+ g_set_error(err, NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+ "Loading peer certificate failed.");
+ return FALSE;
+ }
+ /* try agent */
+ str = nm_setting_vpn_get_secret(vpn, "agent");
+ if (agent && str)
+ {
+ public = cert->get_public_key(cert);
+ if (public)
+ {
+ private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+ public->get_type(public),
+ BUILD_AGENT_SOCKET, str,
+ BUILD_PUBLIC_KEY, public,
+ BUILD_END);
+ public->destroy(public);
+ }
+ if (!private)
+ {
+ g_set_error(err, NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+ "Connecting to SSH agent failed.");
+ }
+ }
+ /* ... or key file */
+ str = nm_setting_vpn_get_data_item(vpn, "userkey");
+ if (!agent && str)
+ {
+ char *secret;
+
+ secret = (char*)nm_setting_vpn_get_secret(vpn, "password");
+ if (secret)
+ {
+ priv->creds->set_key_password(priv->creds, secret);
+ }
+ private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+ KEY_ANY, BUILD_FROM_FILE, str, BUILD_END);
+ if (!private)
+ {
+ g_set_error(err, NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+ "Loading private key failed.");
+ }
+ }
+ if (private)
+ {
+ id = cert->get_subject(cert);
+ id = id->clone(id);
+ priv->creds->set_cert_and_key(priv->creds, cert, private);
+ }
+ else
+ {
+ DESTROY_IF(cert);
+ return FALSE;
+ }
+ }
+ else
+ {
+ g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+ "Certificate is missing.");
+ return FALSE;
+ }
+
+ auth = auth_cfg_create();
+ if (streq(method, "eap-tls"))
+ {
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
+ auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
+ auth->add(auth, AUTH_RULE_AAA_IDENTITY,
+ identification_create_from_string("%any"));
+ }
+ else
+ {
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ }
+ if (cert)
+ {
+ auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
+ }
+ str = nm_setting_vpn_get_data_item(vpn, "local-identity");
+ if (str)
+ {
+ identification_t *local_id;
+
+ local_id = identification_create_from_string((char*)str);
+ if (local_id)
+ {
+ id->destroy(id);
+ id = local_id;
+ }
+ }
+ auth->add(auth, AUTH_RULE_IDENTITY, id);
+ peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+ return TRUE;
+}
+
+/**
+ * Add a client auth config for username/password authentication
+ */
+static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv,
+ NMSettingVpn *vpn, peer_cfg_t *peer_cfg,
+ GError **err)
+{
+ identification_t *user = NULL, *id = NULL;
+ auth_cfg_t *auth;
+ const char *str, *method;
+
+ method = nm_setting_vpn_get_data_item(vpn, "method");
+
+ str = nm_setting_vpn_get_data_item(vpn, "user");
+ if (str)
+ {
+ user = identification_create_from_string((char*)str);
+ }
+ else
+ {
+ user = identification_create_from_string("%any");
+ }
+ str = nm_setting_vpn_get_data_item(vpn, "local-identity");
+ if (str)
+ {
+ id = identification_create_from_string((char*)str);
+ }
+ else
+ {
+ id = user->clone(user);
+ }
+ str = nm_setting_vpn_get_secret(vpn, "password");
+ if (streq(method, "psk"))
+ {
+ if (strlen(str) < 20)
+ {
+ g_set_error(err, NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+ "Pre-shared key is too short.");
+ user->destroy(user);
+ id->destroy(id);
+ return FALSE;
+ }
+ priv->creds->set_username_password(priv->creds, id, (char*)str);
+ }
+ else
+ {
+ priv->creds->set_username_password(priv->creds, user, (char*)str);
+ }
+
+ auth = auth_cfg_create();
+ auth->add(auth, AUTH_RULE_AUTH_CLASS,
+ streq(method, "psk") ? AUTH_CLASS_PSK : AUTH_CLASS_EAP);
+ /* in case EAP-PEAP or EAP-TTLS is used we currently accept any identity */
+ auth->add(auth, AUTH_RULE_AAA_IDENTITY,
+ identification_create_from_string("%any"));
+ auth->add(auth, AUTH_RULE_EAP_IDENTITY, user);
+ auth->add(auth, AUTH_RULE_IDENTITY, id);
+ peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
+ return TRUE;
+}
+
/**
* Connect function called from NM via DBUS
*/
-static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
+static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
GError **err)
{
+ NMStrongswanPlugin *pub = (NMStrongswanPlugin*)plugin;
NMStrongswanPluginPrivate *priv;
NMSettingConnection *conn;
- NMSettingVPN *vpn;
- identification_t *user = NULL, *gateway = NULL;
- const char *address, *str;
- bool virtual, encap, ipcomp;
+ NMSettingVpn *vpn;
+ enumerator_t *enumerator;
+ identification_t *gateway = NULL;
+ const char *str, *method;
+ bool virtual, proposal;
+ proposal_t *prop;
ike_cfg_t *ike_cfg;
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
traffic_selector_t *ts;
ike_sa_t *ike_sa;
auth_cfg_t *auth;
- auth_class_t auth_class = AUTH_CLASS_EAP;
certificate_t *cert = NULL;
x509_t *x509;
- bool agent = FALSE, smartcard = FALSE;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = 10800 /* 3h */,
- .rekey = 10200 /* 2h50min */,
- .jitter = 300 /* 5min */
- }
+ bool loose_gateway_id = FALSE;
+ ike_cfg_create_t ike = {
+ .version = IKEV2,
+ .local = "%any",
+ .local_port = charon->socket->get_port(charon->socket, FALSE),
+ .remote_port = IKEV2_UDP_PORT,
+ .fragmentation = FRAGMENTATION_YES,
+ };
+ peer_cfg_create_t peer = {
+ .cert_policy = CERT_SEND_IF_ASKED,
+ .unique = UNIQUE_REPLACE,
+ .keyingtries = 1,
+ .rekey_time = 36000, /* 10h */
+ .jitter_time = 600, /* 10min */
+ .over_time = 600, /* 10min */
+ };
+ child_cfg_create_t child = {
+ .lifetime = {
+ .time = {
+ .life = 10800 /* 3h */,
+ .rekey = 10200 /* 2h50min */,
+ .jitter = 300 /* 5min */
+ },
+ },
+ .mode = MODE_TUNNEL,
};
/**
* Read parameters
*/
- priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+ priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub);
conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection,
NM_TYPE_SETTING_CONNECTION));
vpn = NM_SETTING_VPN(nm_connection_get_setting(connection,
priv->name);
DBG4(DBG_CFG, "%s",
nm_setting_to_string(NM_SETTING(vpn)));
- address = nm_setting_vpn_get_data_item(vpn, "address");
- if (!address || !*address)
+ ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address");
+ if (!ike.remote || !*ike.remote)
{
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
"Gateway address missing.");
return FALSE;
}
+ str = nm_setting_vpn_get_data_item(vpn, "server-port");
+ if (str && strlen(str))
+ {
+ ike.remote_port = settings_value_as_int((char*)str, ike.remote_port);
+ }
str = nm_setting_vpn_get_data_item(vpn, "virtual");
- virtual = str && streq(str, "yes");
+ virtual = streq(str, "yes");
str = nm_setting_vpn_get_data_item(vpn, "encap");
- encap = str && streq(str, "yes");
+ ike.force_encap = streq(str, "yes");
str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
- ipcomp = str && streq(str, "yes");
- str = nm_setting_vpn_get_data_item(vpn, "method");
- if (str)
- {
- if (streq(str, "psk"))
- {
- auth_class = AUTH_CLASS_PSK;
- }
- else if (streq(str, "agent"))
- {
- auth_class = AUTH_CLASS_PUBKEY;
- agent = TRUE;
- }
- else if (streq(str, "key"))
- {
- auth_class = AUTH_CLASS_PUBKEY;
- }
- else if (streq(str, "smartcard"))
- {
- auth_class = AUTH_CLASS_PUBKEY;
- smartcard = TRUE;
- }
- }
+ child.options |= streq(str, "yes") ? OPT_IPCOMP : 0;
/**
* Register credentials
return FALSE;
}
priv->creds->add_certificate(priv->creds, cert);
-
- x509 = (x509_t*)cert;
- if (!(x509->get_flags(x509) & X509_CA))
- { /* For a gateway certificate, we use the cert subject as identity. */
- gateway = cert->get_subject(cert);
- gateway = gateway->clone(gateway);
- DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
- }
}
else
{
/* no certificate defined, fall back to system-wide CA certificates */
- priv->creds->load_ca_dir(priv->creds, NM_CA_DIR);
+ priv->creds->load_ca_dir(priv->creds, lib->settings->get_str(
+ lib->settings, "charon-nm.ca_dir", NM_CA_DIR));
}
- if (!gateway)
+
+ str = nm_setting_vpn_get_data_item(vpn, "remote-identity");
+ if (str)
{
- /* If the user configured a CA certificate, we use the IP/DNS
- * of the gateway as its identity. This identity will be used for
- * certificate lookup and requires the configured IP/DNS to be
- * included in the gateway certificate. */
- gateway = identification_create_from_string((char*)address);
- DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
+ gateway = identification_create_from_string((char*)str);
}
-
- if (auth_class == AUTH_CLASS_EAP)
+ else if (cert)
{
- /* username/password authentication ... */
- str = nm_setting_vpn_get_data_item(vpn, "user");
- if (str)
- {
- user = identification_create_from_string((char*)str);
- str = nm_setting_vpn_get_secret(vpn, "password");
- priv->creds->set_username_password(priv->creds, user, (char*)str);
+ x509 = (x509_t*)cert;
+ if (!(x509->get_flags(x509) & X509_CA))
+ { /* for server certificates, we use the subject as identity */
+ gateway = cert->get_subject(cert);
+ gateway = gateway->clone(gateway);
}
}
+ if (!gateway || gateway->get_type(gateway) == ID_ANY)
+ {
+ /* if the user configured a CA certificate (or an invalid identity),
+ * we use the IP/hostname of the server */
+ gateway = identification_create_from_string(ike.remote);
+ loose_gateway_id = TRUE;
+ }
+ DBG1(DBG_CFG, "using gateway identity '%Y'", gateway);
- if (auth_class == AUTH_CLASS_PUBKEY)
+ /**
+ * Set up configurations
+ */
+ ike_cfg = ike_cfg_create(&ike);
+
+ str = nm_setting_vpn_get_data_item(vpn, "proposal");
+ proposal = streq(str, "yes");
+ str = nm_setting_vpn_get_data_item(vpn, "ike");
+ if (proposal && str && strlen(str))
{
- if (smartcard)
+ enumerator = enumerator_create_token(str, ";", "");
+ while (enumerator->enumerate(enumerator, &str))
{
- char *pin;
-
- pin = (char*)nm_setting_vpn_get_secret(vpn, "password");
- if (pin)
- {
- user = find_smartcard_key(priv, pin);
- }
- if (!user)
+ prop = proposal_create_from_string(PROTO_IKE, str);
+ if (!prop)
{
g_set_error(err, NM_VPN_PLUGIN_ERROR,
- NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
- "no usable smartcard certificate found.");
+ NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+ "Invalid IKE proposal.");
+ enumerator->destroy(enumerator);
+ ike_cfg->destroy(ike_cfg);
gateway->destroy(gateway);
return FALSE;
}
+ ike_cfg->add_proposal(ike_cfg, prop);
}
- /* ... or certificate/private key authenitcation */
- else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert")))
- {
- public_key_t *public;
- private_key_t *private = NULL;
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+ ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
+ }
- cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_FROM_FILE, str, BUILD_END);
- if (!cert)
- {
- g_set_error(err, NM_VPN_PLUGIN_ERROR,
- NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
- "Loading peer certificate failed.");
- gateway->destroy(gateway);
- return FALSE;
- }
- /* try agent */
- str = nm_setting_vpn_get_secret(vpn, "agent");
- if (agent && str)
- {
- public = cert->get_public_key(cert);
- if (public)
- {
- private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
- public->get_type(public),
- BUILD_AGENT_SOCKET, str,
- BUILD_PUBLIC_KEY, public,
- BUILD_END);
- public->destroy(public);
- }
- if (!private)
- {
- g_set_error(err, NM_VPN_PLUGIN_ERROR,
- NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
- "Connecting to SSH agent failed.");
- }
- }
- /* ... or key file */
- str = nm_setting_vpn_get_data_item(vpn, "userkey");
- if (!agent && str)
- {
- char *secret;
+ peer_cfg = peer_cfg_create(priv->name, ike_cfg, &peer);
+ if (virtual)
+ {
+ peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET));
+ peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET6));
+ }
- secret = (char*)nm_setting_vpn_get_secret(vpn, "password");
- if (secret)
- {
- priv->creds->set_key_password(priv->creds, secret);
- }
- private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
- KEY_RSA, BUILD_FROM_FILE, str, BUILD_END);
- if (!private)
- {
- g_set_error(err, NM_VPN_PLUGIN_ERROR,
- NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
- "Loading private key failed.");
- }
- }
- if (private)
- {
- user = cert->get_subject(cert);
- user = user->clone(user);
- priv->creds->set_cert_and_key(priv->creds, cert, private);
- }
- else
- {
- DESTROY_IF(cert);
- gateway->destroy(gateway);
- return FALSE;
- }
+ method = nm_setting_vpn_get_data_item(vpn, "method");
+ if (streq(method, "cert") ||
+ streq(method, "eap-tls") ||
+ streq(method, "key") ||
+ streq(method, "agent") ||
+ streq(method, "smartcard"))
+ {
+ if (!add_auth_cfg_cert (priv, vpn, peer_cfg, err))
+ {
+ peer_cfg->destroy(peer_cfg);
+ ike_cfg->destroy(ike_cfg);
+ gateway->destroy(gateway);
+ return FALSE;
}
}
-
- if (!user)
+ else if (streq(method, "eap") ||
+ streq(method, "psk"))
+ {
+ if (!add_auth_cfg_pw(priv, vpn, peer_cfg, err))
+ {
+ peer_cfg->destroy(peer_cfg);
+ ike_cfg->destroy(ike_cfg);
+ gateway->destroy(gateway);
+ return FALSE;
+ }
+ }
+ else
{
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
"Configuration parameters missing.");
+ peer_cfg->destroy(peer_cfg);
+ ike_cfg->destroy(ike_cfg);
gateway->destroy(gateway);
return FALSE;
}
- /**
- * Set up configurations
- */
- ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", FALSE, IKEV2_UDP_PORT,
- (char*)address, FALSE, IKEV2_UDP_PORT);
- ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
- peer_cfg = peer_cfg_create(priv->name, IKEV2, ike_cfg,
- CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
- 36000, 0, /* rekey 10h, reauth none */
- 600, 600, /* jitter, over 10min */
- TRUE, FALSE, /* mobike, aggressive */
- 0, 0, /* DPD delay, timeout */
- virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
- NULL, FALSE, NULL, NULL); /* pool, mediation */
auth = auth_cfg_create();
- auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_class);
- auth->add(auth, AUTH_RULE_IDENTITY, user);
- peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
- auth = auth_cfg_create();
- auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ if (streq(method, "psk"))
+ {
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+ }
+ else
+ {
+ auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ }
auth->add(auth, AUTH_RULE_IDENTITY, gateway);
+ auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
- child_cfg = child_cfg_create(priv->name, &lifetime,
- NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
- ACTION_NONE, ACTION_NONE, ACTION_NONE, ipcomp,
- 0, 0, NULL, NULL, 0);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ child_cfg = child_cfg_create(priv->name, &child);
+ str = nm_setting_vpn_get_data_item(vpn, "esp");
+ if (proposal && str && strlen(str))
+ {
+ enumerator = enumerator_create_token(str, ";", "");
+ while (enumerator->enumerate(enumerator, &str))
+ {
+ prop = proposal_create_from_string(PROTO_ESP, str);
+ if (!prop)
+ {
+ g_set_error(err, NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+ "Invalid ESP proposal.");
+ enumerator->destroy(enumerator);
+ child_cfg->destroy(child_cfg);
+ peer_cfg->destroy(peer_cfg);
+ return FALSE;
+ }
+ child_cfg->add_proposal(child_cfg, prop);
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
+ }
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
- ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
- "0.0.0.0", 0,
- "255.255.255.255", 65535);
+ ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
+ child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
+ ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
peer_cfg->add_child_cfg(peer_cfg, child_cfg);
* Register listener, enable initiate-failure-detection hooks
*/
priv->ike_sa = ike_sa;
- priv->listener.ike_state_change = ike_state_change;
- priv->listener.child_state_change = child_state_change;
- charon->bus->add_listener(charon->bus, &priv->listener);
+ priv->listener.ike_state_change = _ike_state_change;
+ priv->listener.child_state_change = _child_state_change;
/**
* Initiate
child_cfg->get_ref(child_cfg);
if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
{
- charon->bus->remove_listener(charon->bus, &priv->listener);
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
/**
* NeedSecrets called from NM via DBUS
*/
-static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
- char **setting_name, GError **error)
+static gboolean need_secrets(NMVpnServicePlugin *plugin, NMConnection *connection,
+ const char **setting_name, GError **error)
{
- NMSettingVPN *settings;
- const char *method, *path;
+ NMSettingVpn *settings;
+ const char *method, *cert_source, *path;
+ bool need_secret = FALSE;
settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
NM_TYPE_SETTING_VPN));
method = nm_setting_vpn_get_data_item(settings, "method");
if (method)
{
- if (streq(method, "eap"))
+ if (streq(method, "cert") ||
+ streq(method, "eap-tls") ||
+ streq(method, "key") ||
+ streq(method, "agent") ||
+ streq(method, "smartcard"))
{
- if (nm_setting_vpn_get_secret(settings, "password"))
+ cert_source = nm_setting_vpn_get_data_item(settings, "cert-source");
+ if (!cert_source)
{
- return FALSE;
+ cert_source = method;
}
- }
- else if (streq(method, "agent"))
- {
- if (nm_setting_vpn_get_secret(settings, "agent"))
+ if (streq(cert_source, "agent"))
{
- return FALSE;
+ need_secret = !nm_setting_vpn_get_secret(settings, "agent");
}
- }
- else if (streq(method, "key"))
- {
- path = nm_setting_vpn_get_data_item(settings, "userkey");
- if (path)
+ else if (streq(cert_source, "smartcard"))
{
- private_key_t *key;
-
- /* try to load/decrypt the private key */
- key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
- KEY_RSA, BUILD_FROM_FILE, path, BUILD_END);
- if (key)
+ need_secret = !nm_setting_vpn_get_secret(settings, "password");
+ }
+ else
+ {
+ need_secret = TRUE;
+ path = nm_setting_vpn_get_data_item(settings, "userkey");
+ if (path)
{
- key->destroy(key);
- return FALSE;
+ private_key_t *key;
+
+ /* try to load/decrypt the private key */
+ key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
+ KEY_ANY, BUILD_FROM_FILE, path, BUILD_END);
+ if (key)
+ {
+ key->destroy(key);
+ need_secret = FALSE;
+ }
+ else if (nm_setting_vpn_get_secret(settings, "password"))
+ {
+ need_secret = FALSE;
+ }
}
}
}
- else if streq(method, "smartcard")
+ else if (streq(method, "eap") ||
+ streq(method, "psk"))
{
- if (nm_setting_vpn_get_secret(settings, "password"))
- {
- return FALSE;
- }
+ need_secret = !nm_setting_vpn_get_secret(settings, "password");
}
}
*setting_name = NM_SETTING_VPN_SETTING_NAME;
- return TRUE;
+ return need_secret;
}
/**
- * Disconnect called from NM via DBUS
+ * The actual disconnection
*/
-static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
+static gboolean do_disconnect(gpointer plugin)
{
NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
enumerator_t *enumerator;
{
id = ike_sa->get_unique_id(ike_sa);
enumerator->destroy(enumerator);
- charon->controller->terminate_ike(charon->controller, id,
+ charon->controller->terminate_ike(charon->controller, id, FALSE,
controller_cb_empty, NULL, 0);
- return TRUE;
+
+ /* clear secrets as we are asked for new secrets (where we'd find
+ * the cached secrets from earlier connections) before we clear
+ * them in connect() */
+ priv->creds->clear(priv->creds);
+ return FALSE;
}
}
enumerator->destroy(enumerator);
- g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL,
- "Connection not found.");
+ g_debug("Connection not found.");
return FALSE;
}
+/**
+ * Disconnect called from NM via DBUS
+ */
+static gboolean disconnect(NMVpnServicePlugin *plugin, GError **err)
+{
+ /* enqueue the actual disconnection, because we may be called in
+ * response to a listener_t callback and the SA enumeration would
+ * possibly deadlock. */
+ g_idle_add(do_disconnect, plugin);
+
+ return TRUE;
+}
+
/**
* Initializer
*/
NMStrongswanPluginPrivate *priv;
priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
- priv->plugin = NM_VPN_PLUGIN(plugin);
+ priv->plugin = NM_VPN_SERVICE_PLUGIN(plugin);
memset(&priv->listener, 0, sizeof(listener_t));
- priv->listener.child_updown = child_updown;
- priv->listener.ike_rekey = ike_rekey;
+ priv->listener.child_updown = _child_updown;
+ priv->listener.ike_rekey = _ike_rekey;
+ priv->listener.ike_reestablish_pre = _ike_reestablish_pre;
+ priv->listener.ike_reestablish_post = _ike_reestablish_post;
+ charon->bus->add_listener(charon->bus, &priv->listener);
+ priv->name = NULL;
}
/**
static void nm_strongswan_plugin_class_init(
NMStrongswanPluginClass *strongswan_class)
{
- NMVPNPluginClass *parent_class = NM_VPN_PLUGIN_CLASS(strongswan_class);
+ NMVpnServicePluginClass *parent_class = NM_VPN_SERVICE_PLUGIN_CLASS(strongswan_class);
- g_type_class_add_private(G_OBJECT_CLASS(strongswan_class),
- sizeof(NMStrongswanPluginPrivate));
parent_class->connect = connect_;
parent_class->need_secrets = need_secrets;
parent_class->disconnect = disconnect;
NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
nm_handler_t *handler)
{
- NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_object_new (
+ GError *error = NULL;
+
+ NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_initable_new (
NM_TYPE_STRONGSWAN_PLUGIN,
- NM_VPN_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
+ NULL,
+ &error,
+ NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
NULL);
+
if (plugin)
{
NMStrongswanPluginPrivate *priv;
+ /* the rest of the initialization happened in _init above */
priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
priv->creds = creds;
priv->handler = handler;
- priv->name = NULL;
}
+ else
+ {
+ g_warning ("Failed to initialize a plugin instance: %s", error->message);
+ g_error_free (error);
+ }
+
return plugin;
}
-