version 1.1.1.1, 2020/06/03 09:46:44
|
version 1.1.1.2, 2021/03/17 00:20:08
|
Line 23
|
Line 23
|
#include <utils/identification.h> |
#include <utils/identification.h> |
#include <config/peer_cfg.h> |
#include <config/peer_cfg.h> |
#include <credentials/certificates/x509.h> |
#include <credentials/certificates/x509.h> |
|
#include <networking/tun_device.h> |
|
|
#include <stdio.h> |
#include <stdio.h> |
|
|
Line 40 typedef struct {
|
Line 41 typedef struct {
|
nm_creds_t *creds; |
nm_creds_t *creds; |
/* attribute handler for DNS/NBNS server information */ |
/* attribute handler for DNS/NBNS server information */ |
nm_handler_t *handler; |
nm_handler_t *handler; |
|
/* dummy TUN device */ |
|
tun_device_t *tun; |
/* name of the connection */ |
/* name of the connection */ |
char *name; |
char *name; |
} NMStrongswanPluginPrivate; |
} NMStrongswanPluginPrivate; |
Line 128 static void signal_ip_config(NMVpnServicePlugin *plugi
|
Line 131 static void signal_ip_config(NMVpnServicePlugin *plugi
|
/* NM apparently requires to know the gateway */ |
/* NM apparently requires to know the gateway */ |
other = ike_sa->get_other_host(ike_sa); |
other = ike_sa->get_other_host(ike_sa); |
g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY, |
g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY, |
host_to_variant(other)); | host_to_variant(other)); |
|
|
|
/* systemd-resolved requires a device to properly install DNS servers, but |
|
* Netkey does not use one. Passing the physical interface is not ideal, |
|
* as NM fiddles around with it and systemd-resolved likes a separate |
|
* device. So we pass a dummy TUN device along for NM etc. to play with... |
|
*/ |
|
if (priv->tun) |
|
{ |
|
g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_TUNDEV, |
|
g_variant_new_string (priv->tun->get_name(priv->tun))); |
|
} |
|
|
/* pass the first virtual IPs we got or use the physical IP */ |
/* pass the first virtual IPs we got or use the physical IP */ |
enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE); |
enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE); |
while (enumerator->enumerate(enumerator, &me)) |
while (enumerator->enumerate(enumerator, &me)) |
Line 307 METHOD(listener_t, child_updown, bool,
|
Line 321 METHOD(listener_t, child_updown, bool,
|
NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, child_sa_t *child_sa, |
NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, child_sa_t *child_sa, |
bool up) |
bool up) |
{ |
{ |
if (this->ike_sa == ike_sa) | if (this->ike_sa == ike_sa && up) |
{ |
{ |
if (up) | /* disable initiate-failure-detection hooks */ |
{ /* disable initiate-failure-detection hooks */ | this->listener.ike_state_change = NULL; |
this->listener.ike_state_change = NULL; | this->listener.child_state_change = NULL; |
this->listener.child_state_change = NULL; | signal_ip_config(this->plugin, ike_sa, child_sa); |
signal_ip_config(this->plugin, ike_sa, child_sa); | |
} | |
else | |
{ | |
if (ike_sa->has_condition(ike_sa, COND_REAUTHENTICATING)) | |
{ /* we ignore this during reauthentication */ | |
return TRUE; | |
} | |
signal_failure(this->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED); | |
} | |
} |
} |
return TRUE; |
return TRUE; |
} |
} |
Line 618 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
Line 622 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
peer_cfg_create_t peer = { |
peer_cfg_create_t peer = { |
.cert_policy = CERT_SEND_IF_ASKED, |
.cert_policy = CERT_SEND_IF_ASKED, |
.unique = UNIQUE_REPLACE, |
.unique = UNIQUE_REPLACE, |
.keyingtries = 1, |
|
.rekey_time = 36000, /* 10h */ |
.rekey_time = 36000, /* 10h */ |
.jitter_time = 600, /* 10min */ |
.jitter_time = 600, /* 10min */ |
.over_time = 600, /* 10min */ |
.over_time = 600, /* 10min */ |
Line 632 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
Line 635 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
}, |
}, |
}, |
}, |
.mode = MODE_TUNNEL, |
.mode = MODE_TUNNEL, |
|
.dpd_action = ACTION_RESTART, |
|
.close_action = ACTION_RESTART, |
}; |
}; |
|
|
/** |
/** |
Line 651 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
Line 656 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
priv->name); |
priv->name); |
DBG4(DBG_CFG, "%s", |
DBG4(DBG_CFG, "%s", |
nm_setting_to_string(NM_SETTING(vpn))); |
nm_setting_to_string(NM_SETTING(vpn))); |
|
if (!priv->tun) |
|
{ |
|
DBG1(DBG_CFG, "failed to create dummy TUN device, might affect DNS " |
|
"server installation negatively"); |
|
} |
ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address"); |
ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address"); |
if (!ike.remote || !*ike.remote) |
if (!ike.remote || !*ike.remote) |
{ |
{ |
Line 834 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
Line 844 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
} |
} |
else |
else |
{ |
{ |
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); |
|
child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); |
child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); |
|
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); |
} |
} |
ts = traffic_selector_create_dynamic(0, 0, 65535); |
ts = traffic_selector_create_dynamic(0, 0, 65535); |
child_cfg->add_traffic_selector(child_cfg, TRUE, ts); |
child_cfg->add_traffic_selector(child_cfg, TRUE, ts); |
ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535); | str = nm_setting_vpn_get_data_item(vpn, "remote-ts"); |
child_cfg->add_traffic_selector(child_cfg, FALSE, ts); | if (str && strlen(str)) |
ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535); | { |
child_cfg->add_traffic_selector(child_cfg, FALSE, ts); | enumerator = enumerator_create_token(str, ";", ""); |
| while (enumerator->enumerate(enumerator, &str)) |
| { |
| ts = traffic_selector_create_from_cidr((char*)str, 0, 0, 65535); |
| if (!ts) |
| { |
| g_set_error(err, NM_VPN_PLUGIN_ERROR, |
| NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, |
| "Invalid remote traffic selector."); |
| enumerator->destroy(enumerator); |
| child_cfg->destroy(child_cfg); |
| peer_cfg->destroy(peer_cfg); |
| return FALSE; |
| } |
| child_cfg->add_traffic_selector(child_cfg, FALSE, ts); |
| } |
| enumerator->destroy(enumerator); |
| } |
| else |
| { |
| ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535); |
| child_cfg->add_traffic_selector(child_cfg, FALSE, ts); |
| ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535); |
| child_cfg->add_traffic_selector(child_cfg, FALSE, ts); |
| } |
peer_cfg->add_child_cfg(peer_cfg, child_cfg); |
peer_cfg->add_child_cfg(peer_cfg, child_cfg); |
|
|
/** |
/** |
Line 850 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
Line 884 static gboolean connect_(NMVpnServicePlugin *plugin, N
|
*/ |
*/ |
ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, |
ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, |
peer_cfg); |
peer_cfg); |
|
peer_cfg->destroy(peer_cfg); |
if (!ike_sa) |
if (!ike_sa) |
{ |
{ |
peer_cfg->destroy(peer_cfg); |
|
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, |
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, |
"IKE version not supported."); |
"IKE version not supported."); |
return FALSE; |
return FALSE; |
} |
} |
if (!ike_sa->get_peer_cfg(ike_sa)) |
|
{ |
|
ike_sa->set_peer_cfg(ike_sa, peer_cfg); |
|
} |
|
peer_cfg->destroy(peer_cfg); |
|
|
|
/** |
/** |
* Register listener, enable initiate-failure-detection hooks |
* Register listener, enable initiate-failure-detection hooks |
Line 974 static gboolean do_disconnect(gpointer plugin)
|
Line 1003 static gboolean do_disconnect(gpointer plugin)
|
enumerator->destroy(enumerator); |
enumerator->destroy(enumerator); |
charon->controller->terminate_ike(charon->controller, id, FALSE, |
charon->controller->terminate_ike(charon->controller, id, FALSE, |
controller_cb_empty, NULL, 0); |
controller_cb_empty, NULL, 0); |
|
|
|
/* clear secrets as we are asked for new secrets (where we'd find |
|
* the cached secrets from earlier connections) before we clear |
|
* them in connect() */ |
|
priv->creds->clear(priv->creds); |
return FALSE; |
return FALSE; |
} |
} |
} |
} |
Line 1011 static void nm_strongswan_plugin_init(NMStrongswanPlug
|
Line 1045 static void nm_strongswan_plugin_init(NMStrongswanPlug
|
priv->listener.ike_reestablish_pre = _ike_reestablish_pre; |
priv->listener.ike_reestablish_pre = _ike_reestablish_pre; |
priv->listener.ike_reestablish_post = _ike_reestablish_post; |
priv->listener.ike_reestablish_post = _ike_reestablish_post; |
charon->bus->add_listener(charon->bus, &priv->listener); |
charon->bus->add_listener(charon->bus, &priv->listener); |
|
priv->tun = tun_device_create(NULL); |
priv->name = NULL; |
priv->name = NULL; |
} |
} |
|
|
/** |
/** |
|
* Destructor |
|
*/ |
|
static void nm_strongswan_plugin_dispose(GObject *obj) |
|
{ |
|
NMStrongswanPlugin *plugin; |
|
NMStrongswanPluginPrivate *priv; |
|
|
|
plugin = NM_STRONGSWAN_PLUGIN(obj); |
|
priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); |
|
if (priv->tun) |
|
{ |
|
priv->tun->destroy(priv->tun); |
|
priv->tun = NULL; |
|
} |
|
G_OBJECT_CLASS (nm_strongswan_plugin_parent_class)->dispose (obj); |
|
} |
|
|
|
/** |
* Class constructor |
* Class constructor |
*/ |
*/ |
static void nm_strongswan_plugin_class_init( |
static void nm_strongswan_plugin_class_init( |
Line 1025 static void nm_strongswan_plugin_class_init(
|
Line 1078 static void nm_strongswan_plugin_class_init(
|
parent_class->connect = connect_; |
parent_class->connect = connect_; |
parent_class->need_secrets = need_secrets; |
parent_class->need_secrets = need_secrets; |
parent_class->disconnect = disconnect; |
parent_class->disconnect = disconnect; |
|
G_OBJECT_CLASS(strongswan_class)->dispose = nm_strongswan_plugin_dispose; |
} |
} |
|
|
/** |
/** |