From: Tobias Brunner <tobias@strongswan.org>
Date: Wed, 12 Feb 2020 10:39:07 +0000 (+0100)
Subject: nm: Make local identity configurable
X-Git-Tag: 5.8.3dr1~10^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d57d5f510ded1b410a43e99b35482badbea0e263;p=thirdparty%2Fstrongswan.git

nm: Make local identity configurable

For PSK authentication we now use the local identity and not the username
field.
---

diff --git a/src/frontends/gnome/po/de.po b/src/frontends/gnome/po/de.po
index 84a4cd9153..91486faf03 100644
--- a/src/frontends/gnome/po/de.po
+++ b/src/frontends/gnome/po/de.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: NetworkManager-strongswan\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2020-02-07 16:59+0100\n"
+"POT-Creation-Date: 2020-02-12 12:06+0100\n"
 "PO-Revision-Date: 2019-12-18 17:10+0100\n"
 "Last-Translator: Tobias Brunner\n"
 "Language-Team: de <info@strongswan.org>\n"
@@ -25,31 +25,31 @@ msgstr "IPsec/IKEv2 (strongswan)"
 msgid "IPsec with the IKEv2 key exchange protocol."
 msgstr "IPsec mit dem IKEv2 Protokoll."
 
-#: ../properties/nm-strongswan.c:335
+#: ../properties/nm-strongswan.c:366
 msgid "EAP (Username/Password)"
 msgstr "EAP (Benutzername/Passwort)"
 
-#: ../properties/nm-strongswan.c:336
+#: ../properties/nm-strongswan.c:367
 msgid "Certificate"
 msgstr "Zertifikat"
 
-#: ../properties/nm-strongswan.c:337
+#: ../properties/nm-strongswan.c:368
 msgid "EAP-TLS"
 msgstr "EAP-TLS"
 
-#: ../properties/nm-strongswan.c:338
+#: ../properties/nm-strongswan.c:369
 msgid "Pre-shared key"
 msgstr "Pre-shared Key"
 
-#: ../properties/nm-strongswan.c:365
+#: ../properties/nm-strongswan.c:395
 msgid "Certificate/private key"
 msgstr "Zertifikat/Privater SchlÃ¼ssel"
 
-#: ../properties/nm-strongswan.c:366
+#: ../properties/nm-strongswan.c:396
 msgid "Certificate/ssh-agent"
 msgstr "Zertifikat/ssh-agent"
 
-#: ../properties/nm-strongswan.c:367
+#: ../properties/nm-strongswan.c:397
 msgid "Smartcard"
 msgstr "Smartcard"
 
@@ -148,8 +148,10 @@ msgid "_Username:"
 msgstr "_Benutzername:"
 
 #: ../properties/nm-strongswan-dialog.ui.h:20
-msgid "The username (identity) to use for authentication against the server."
-msgstr "Benutzername/IdentitÃ¤t fÃ¼r die Authentisierung gegenÃ¼ber dem Server."
+msgid ""
+"The username (EAP identity) to use for authentication against the server."
+msgstr ""
+"Benutzername/EAP-IdentitÃ¤t fÃ¼r die Authentisierung gegenÃ¼ber dem Server."
 
 #: ../properties/nm-strongswan-dialog.ui.h:21
 msgid "_Password:"
@@ -172,14 +174,32 @@ msgid "_Show password"
 msgstr "Passwort _anzeigen"
 
 #: ../properties/nm-strongswan-dialog.ui.h:25
+msgid "I_dentity:"
+msgstr "I_dentitÃ¤t:"
+
+#: ../properties/nm-strongswan-dialog.ui.h:26
+msgid ""
+"Defaults to the username (EAP), the client certificate's subject DN "
+"(certificate/EAP-TLS), or the IP address (PSK). Custom values may be used if "
+"expected/required by the server."
+msgstr ""
+"Standardwert ist der Benutzername (EAP), die Inhaber-IdentitÃ¤t des "
+"Zertifikats (Zertifikat/EAP-TLS) oder die IP-Adresse (PSK). Eigene Werte "
+"kÃ¶nnen verwendet werden, falls der Server diese erwartet/benÃ¶tigt."
+
+#: ../properties/nm-strongswan-dialog.ui.h:27
+msgid "(Defaults to username, certificate subject or IP address)"
+msgstr "(Standardwert ist der Benutzername, die Zertifikats-ID oder die IP)"
+
+#: ../properties/nm-strongswan-dialog.ui.h:28
 msgid "<b>Options</b>"
 msgstr "<b>Optionen</b>"
 
-#: ../properties/nm-strongswan-dialog.ui.h:26
+#: ../properties/nm-strongswan-dialog.ui.h:29
 msgid "Request an _inner IP address"
 msgstr "_Innere IP-Adresse beziehen"
 
-#: ../properties/nm-strongswan-dialog.ui.h:27
+#: ../properties/nm-strongswan-dialog.ui.h:30
 msgid ""
 "The server may provide addresses from a pool to use for communication in the "
 "VPN. Check to request such an address."
@@ -188,11 +208,11 @@ msgstr ""
 "Kommunikation im dahinterliegenden Netz verwenden kann. Aktivieren, um eine "
 "solche Adresse zu beziehen."
 
-#: ../properties/nm-strongswan-dialog.ui.h:28
+#: ../properties/nm-strongswan-dialog.ui.h:31
 msgid "En_force UDP encapsulation"
 msgstr "Erzwingen einer zusÃ¤tzlichen Einbettung der Datenpakete in _UDP"
 
-#: ../properties/nm-strongswan-dialog.ui.h:29
+#: ../properties/nm-strongswan-dialog.ui.h:32
 msgid ""
 "Some firewalls block ESP traffic. Enforcing UDP capsulation even if no NAT "
 "situation is detected might help in such cases."
@@ -201,11 +221,11 @@ msgstr ""
 "erzwingen einer zustzlichen Einbettung in UDP, auch wenn kein NAT-Router "
 "detektiert wurde, kann in solchen Situationen hilfreich sein."
 
-#: ../properties/nm-strongswan-dialog.ui.h:30
+#: ../properties/nm-strongswan-dialog.ui.h:33
 msgid "Use IP c_ompression"
 msgstr "IP-Pakete k_omprimieren"
 
-#: ../properties/nm-strongswan-dialog.ui.h:31
+#: ../properties/nm-strongswan-dialog.ui.h:34
 msgid ""
 "IPComp compresses raw IP packets before they get encrypted. This saves some "
 "bandwidth, but uses more processing power."
@@ -213,27 +233,27 @@ msgstr ""
 "IPComp komprimiert IP-Pakete, bevor sie verschlÃ¼sselt werden. Diese Option "
 "kann Bandbreite sparen, benÃ¶tigt jedoch zusÃ¤tzliche Rechenleistung."
 
-#: ../properties/nm-strongswan-dialog.ui.h:32
+#: ../properties/nm-strongswan-dialog.ui.h:35
 msgid "<b>Cipher proposals</b>"
 msgstr "<b>Algorithmen</b>"
 
-#: ../properties/nm-strongswan-dialog.ui.h:33
+#: ../properties/nm-strongswan-dialog.ui.h:36
 msgid "_Enable custom proposals"
 msgstr "_Eigene Algorithmen verwenden"
 
-#: ../properties/nm-strongswan-dialog.ui.h:34
+#: ../properties/nm-strongswan-dialog.ui.h:37
 msgid "_IKE:"
 msgstr "_IKE:"
 
-#: ../properties/nm-strongswan-dialog.ui.h:35
+#: ../properties/nm-strongswan-dialog.ui.h:38
 msgid "A list of proposals for IKE separated by \";\""
 msgstr "Eine Liste von Proposals fÃ¼r IKE getrennt mit \";\""
 
-#: ../properties/nm-strongswan-dialog.ui.h:36
+#: ../properties/nm-strongswan-dialog.ui.h:39
 msgid "_ESP:"
 msgstr "_ESP:"
 
-#: ../properties/nm-strongswan-dialog.ui.h:37
+#: ../properties/nm-strongswan-dialog.ui.h:40
 msgid "A list of proposals for ESP separated by \";\""
 msgstr "Eine Liste von Proposals fÃ¼r ESP getrennt mit \";\""
 
diff --git a/src/frontends/gnome/properties/nm-strongswan-dialog.ui b/src/frontends/gnome/properties/nm-strongswan-dialog.ui
index 004177bd63..c9bd266b99 100644
--- a/src/frontends/gnome/properties/nm-strongswan-dialog.ui
+++ b/src/frontends/gnome/properties/nm-strongswan-dialog.ui
@@ -298,21 +298,21 @@
               </object>
               <packing>
                 <property name="left_attach">0</property>
-                <property name="top_attach">4</property>
+                <property name="top_attach">5</property>
               </packing>
             </child>
             <child>
               <object class="GtkEntry" id="user-entry">
                 <property name="visible">True</property>
                 <property name="can_focus">True</property>
-                <property name="tooltip_text" translatable="yes">The username (identity) to use for authentication against the server.</property>
+                <property name="tooltip_text" translatable="yes">The username (EAP identity) to use for authentication against the server.</property>
                 <property name="hexpand">True</property>
                 <property name="primary_icon_activatable">False</property>
                 <property name="secondary_icon_activatable">False</property>
               </object>
               <packing>
                 <property name="left_attach">1</property>
-                <property name="top_attach">4</property>
+                <property name="top_attach">5</property>
               </packing>
             </child>
             <child>
@@ -325,7 +325,7 @@
               </object>
               <packing>
                 <property name="left_attach">0</property>
-                <property name="top_attach">5</property>
+                <property name="top_attach">6</property>
               </packing>
             </child>
             <child>
@@ -341,7 +341,7 @@
               </object>
               <packing>
                 <property name="left_attach">1</property>
-                <property name="top_attach">5</property>
+                <property name="top_attach">6</property>
               </packing>
             </child>
             <child>
@@ -356,7 +356,35 @@
               </object>
               <packing>
                 <property name="left_attach">1</property>
-                <property name="top_attach">6</property>
+                <property name="top_attach">7</property>
+              </packing>
+            </child>
+            <child>
+              <object class="GtkLabel" id="local-identity-label">
+                <property name="visible">True</property>
+                <property name="can_focus">False</property>
+                <property name="label" translatable="yes">I_dentity:</property>
+                <property name="use_underline">True</property>
+                <property name="xalign">0</property>
+              </object>
+              <packing>
+                <property name="left_attach">0</property>
+                <property name="top_attach">4</property>
+              </packing>
+            </child>
+            <child>
+              <object class="GtkEntry" id="local-identity-entry">
+                <property name="visible">True</property>
+                <property name="can_focus">True</property>
+                <property name="tooltip_text" translatable="yes">Defaults to the username (EAP), the client certificate's subject DN (certificate/EAP-TLS), or the IP address (PSK). Custom values may be used if expected/required by the server.</property>
+                <property name="hexpand">True</property>
+                <property name="primary_icon_activatable">False</property>
+                <property name="secondary_icon_activatable">False</property>
+                <property name="placeholder_text" translatable="yes">(Defaults to username, certificate subject or IP address)</property>
+              </object>
+              <packing>
+                <property name="left_attach">1</property>
+                <property name="top_attach">4</property>
               </packing>
             </child>
             <child>
diff --git a/src/frontends/gnome/properties/nm-strongswan.c b/src/frontends/gnome/properties/nm-strongswan.c
index d84f63ce7d..9aeb274bd9 100644
--- a/src/frontends/gnome/properties/nm-strongswan.c
+++ b/src/frontends/gnome/properties/nm-strongswan.c
@@ -146,10 +146,14 @@ check_validity (StrongswanPluginUiWidget *self, GError **error)
 	return TRUE;
 }
 
-static void update_user_pass_fields (StrongswanPluginUiWidgetPrivate *priv, gboolean enabled)
+static void update_user_field (StrongswanPluginUiWidgetPrivate *priv, gboolean enabled)
 {
 	gtk_widget_set_sensitive (GTK_WIDGET (gtk_builder_get_object (priv->builder, "user-label")), enabled);
 	gtk_widget_set_sensitive (GTK_WIDGET (gtk_builder_get_object (priv->builder, "user-entry")), enabled);
+}
+
+static void update_pass_field (StrongswanPluginUiWidgetPrivate *priv, gboolean enabled)
+{
 	gtk_widget_set_sensitive (GTK_WIDGET (gtk_builder_get_object (priv->builder, "passwd-show")), enabled);
 	gtk_widget_set_sensitive (GTK_WIDGET (gtk_builder_get_object (priv->builder, "passwd-label")), enabled);
 	gtk_widget_set_sensitive (GTK_WIDGET (gtk_builder_get_object (priv->builder, "passwd-entry")), enabled);
@@ -193,15 +197,21 @@ static void update_sensitive (StrongswanPluginUiWidgetPrivate *priv)
 			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 0);
 			/* FALL */
 		case 0:
-		case 3:
-			update_user_pass_fields (priv, TRUE);
+			update_user_field (priv, TRUE);
+			update_pass_field (priv, TRUE);
 			update_cert_fields (priv, FALSE);
 			break;
 		case 1:
 		case 2:
-			update_user_pass_fields (priv, FALSE);
+			update_user_field (priv, FALSE);
+			update_pass_field (priv, FALSE);
 			update_cert_fields (priv, TRUE);
 			break;
+		case 3:
+			update_user_field (priv, FALSE);
+			update_pass_field (priv, TRUE);
+			update_cert_fields (priv, FALSE);
+			break;
 	}
 
 }
@@ -292,6 +302,9 @@ init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError
 	const char *value, *method;
 
 	settings = NM_SETTING_VPN(nm_connection_get_setting(connection, NM_TYPE_SETTING_VPN));
+
+	method = nm_setting_vpn_get_data_item (settings, "method");
+
 	widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "address-entry"));
 	value = nm_setting_vpn_get_data_item (settings, "address");
 	if (value)
@@ -316,9 +329,19 @@ init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError
 		gtk_entry_set_text (GTK_ENTRY (widget), value);
 	g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
 
+	widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "local-identity-entry"));
+	value = nm_setting_vpn_get_data_item (settings, "local-identity");
+	/* fallback to the username for old PSK configs */
+	if (!value && method && g_strcmp0 (method, "psk") == 0)
+		value = nm_setting_vpn_get_data_item (settings, "user");
+	if (value)
+		gtk_entry_set_text (GTK_ENTRY (widget), value);
+	g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
+
 	widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "user-entry"));
 	value = nm_setting_vpn_get_data_item (settings, "user");
-	if (value)
+	/* PSK auth now uses local identity, see above */
+	if (value && method && g_strcmp0 (method, "psk") != 0)
 		gtk_entry_set_text (GTK_ENTRY (widget), value);
 	g_signal_connect (G_OBJECT (widget), "changed", G_CALLBACK (settings_changed_cb), self);
 
@@ -336,22 +359,21 @@ init_plugin_ui (StrongswanPluginUiWidget *self, NMConnection *connection, GError
 	gtk_combo_box_text_append_text (GTK_COMBO_BOX_TEXT (widget), _("Certificate"));
 	gtk_combo_box_text_append_text (GTK_COMBO_BOX_TEXT (widget), _("EAP-TLS"));
 	gtk_combo_box_text_append_text (GTK_COMBO_BOX_TEXT (widget), _("Pre-shared key"));
-	method = value = nm_setting_vpn_get_data_item (settings, "method");
-	if (value) {
-		if (g_strcmp0 (value, "eap") == 0) {
+	if (method) {
+		if (g_strcmp0 (method, "eap") == 0) {
 			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 0);
 		}
-		if (g_strcmp0 (value, "cert") == 0 ||
-			g_strcmp0 (value, "key") == 0 ||
-			g_strcmp0 (value, "agent") == 0 ||
-			g_strcmp0 (value, "smartcard") == 0)
+		if (g_strcmp0 (method, "cert") == 0 ||
+			g_strcmp0 (method, "key") == 0 ||
+			g_strcmp0 (method, "agent") == 0 ||
+			g_strcmp0 (method, "smartcard") == 0)
 		{
 			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 1);
 		}
-		if (g_strcmp0 (value, "eap-tls") == 0) {
+		if (g_strcmp0 (method, "eap-tls") == 0) {
 			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 2);
 		}
-		if (g_strcmp0 (value, "psk") == 0) {
+		if (g_strcmp0 (method, "psk") == 0) {
 			gtk_combo_box_set_active (GTK_COMBO_BOX (widget), 3);
 		}
 	}
@@ -583,6 +605,7 @@ update_connection (NMVpnEditor *iface,
 	save_file_chooser (settings, priv->builder, "certificate-button", "certificate");
 	save_entry (settings, priv->builder, "remote-identity-entry", "remote-identity");
 	save_entry (settings, priv->builder, "server-port-entry", "server-port");
+	save_entry (settings, priv->builder, "local-identity-entry", "local-identity");
 
 	widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "method-combo"));
 	switch (gtk_combo_box_get_active (GTK_COMBO_BOX (widget)))
