From: Tobias Brunner Date: Wed, 12 Feb 2020 10:35:53 +0000 (+0100) Subject: charon-nm: Add support for custom local IKE identities X-Git-Tag: 5.8.3dr1~10^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff8f6b15aa5405d627179f9d653103bc6364d69a;p=thirdparty%2Fstrongswan.git charon-nm: Add support for custom local IKE identities --- diff --git a/src/charon-nm/nm/nm_creds.c b/src/charon-nm/nm/nm_creds.c index 2c05ab8816..2660d6f5a4 100644 --- a/src/charon-nm/nm/nm_creds.c +++ b/src/charon-nm/nm/nm_creds.c @@ -285,7 +285,7 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, { goto no_secret; } - if (me && !me->equals(me, this->user)) + if (me && !me->matches(me, this->user)) { goto no_secret; } diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c index ae1a1da79c..1dcadb0411 100644 --- a/src/charon-nm/nm/nm_service.c +++ b/src/charon-nm/nm/nm_service.c @@ -387,7 +387,7 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv, NMSettingVpn *vpn, peer_cfg_t *peer_cfg, GError **err) { - identification_t *user = NULL; + identification_t *id = NULL; certificate_t *cert = NULL; auth_cfg_t *auth; const char *str, *method, *cert_source; @@ -402,13 +402,13 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv, pin = (char*)nm_setting_vpn_get_secret(vpn, "password"); if (pin) { - user = find_smartcard_key(priv, pin); + id = find_smartcard_key(priv, pin); } - if (!user) + if (!id) { g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, - "no usable smartcard certificate found."); + "No usable smartcard certificate found."); return FALSE; } } @@ -472,8 +472,8 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv, } if (private) { - user = cert->get_subject(cert); - user = user->clone(user); + id = cert->get_subject(cert); + id = id->clone(id); priv->creds->set_cert_and_key(priv->creds, cert, private); } else @@ -482,6 +482,12 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv, return FALSE; } } + else + { + g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, + "Certificate is missing."); + return FALSE; + } auth = auth_cfg_create(); if (streq(method, "eap-tls")) @@ -499,7 +505,19 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv, { auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert)); } - auth->add(auth, AUTH_RULE_IDENTITY, user); + str = nm_setting_vpn_get_data_item(vpn, "local-identity"); + if (str) + { + identification_t *local_id; + + local_id = identification_create_from_string((char*)str); + if (local_id) + { + id->destroy(id); + id = local_id; + } + } + auth->add(auth, AUTH_RULE_IDENTITY, id); peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); return TRUE; } @@ -511,7 +529,7 @@ static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv, NMSettingVpn *vpn, peer_cfg_t *peer_cfg, GError **err) { - identification_t *user = NULL; + identification_t *user = NULL, *id = NULL; auth_cfg_t *auth; const char *str, *method; @@ -521,23 +539,37 @@ static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv, if (str) { user = identification_create_from_string((char*)str); - str = nm_setting_vpn_get_secret(vpn, "password"); - if (streq(method, "psk") && strlen(str) < 20) + } + else + { + user = identification_create_from_string("%any"); + } + str = nm_setting_vpn_get_data_item(vpn, "local-identity"); + if (str) + { + id = identification_create_from_string((char*)str); + } + else + { + id = user->clone(user); + } + str = nm_setting_vpn_get_secret(vpn, "password"); + if (streq(method, "psk")) + { + if (strlen(str) < 20) { g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, "Pre-shared key is too short."); user->destroy(user); + id->destroy(id); return FALSE; } - priv->creds->set_username_password(priv->creds, user, (char*)str); + priv->creds->set_username_password(priv->creds, id, (char*)str); } else { - g_set_error(err, NM_VPN_PLUGIN_ERROR, - NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS, - "Username is missing."); - return FALSE; + priv->creds->set_username_password(priv->creds, user, (char*)str); } auth = auth_cfg_create(); @@ -546,7 +578,8 @@ static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv, /* in case EAP-PEAP or EAP-TTLS is used we currently accept any identity */ auth->add(auth, AUTH_RULE_AAA_IDENTITY, identification_create_from_string("%any")); - auth->add(auth, AUTH_RULE_IDENTITY, user); + auth->add(auth, AUTH_RULE_EAP_IDENTITY, user); + auth->add(auth, AUTH_RULE_IDENTITY, id); peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); return TRUE; }