![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to nm_service.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / charon-nm / nm|
Return to nm_service.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / charon-nm / nm |
1.1 misho 1: /*
2: * Copyright (C) 2017 Lubomir Rintel
3: *
4: * Copyright (C) 2013-2020 Tobias Brunner
5: * Copyright (C) 2008-2009 Martin Willi
6: * HSR Hochschule fuer Technik Rapperswil
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: #include "nm_service.h"
20:
21: #include <daemon.h>
22: #include <networking/host.h>
23: #include <utils/identification.h>
24: #include <config/peer_cfg.h>
25: #include <credentials/certificates/x509.h>
26:
27: #include <stdio.h>
28:
29: /**
30: * Private data of NMStrongswanPlugin
31: */
32: typedef struct {
33: /* implements bus listener interface */
34: listener_t listener;
35: /* IKE_SA we are listening on */
36: ike_sa_t *ike_sa;
37: /* backref to public plugin */
38: NMVpnServicePlugin *plugin;
39: /* credentials to use for authentication */
40: nm_creds_t *creds;
41: /* attribute handler for DNS/NBNS server information */
42: nm_handler_t *handler;
43: /* name of the connection */
44: char *name;
45: } NMStrongswanPluginPrivate;
46:
47: G_DEFINE_TYPE_WITH_PRIVATE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_SERVICE_PLUGIN)
48:
49: #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
50: ((NMStrongswanPluginPrivate*) \
51: nm_strongswan_plugin_get_instance_private (o))
52:
53: /**
54: * Convert an address chunk to a GValue
55: */
56: static GVariant *addr_to_variant(chunk_t addr)
57: {
58: GVariantBuilder builder;
59: int i;
60:
61: switch (addr.len)
62: {
63: case 4:
64: return g_variant_new_uint32 (*(uint32_t*)addr.ptr);
65: case 16:
66: g_variant_builder_init (&builder, G_VARIANT_TYPE ("ay"));
67: for (i = 0; i < addr.len; i++)
68: {
69: g_variant_builder_add (&builder, "y", addr.ptr[i]);
70:
71: }
72: return g_variant_builder_end (&builder);
73: default:
74: return NULL;
75: }
76: }
77:
78: /**
79: * Convert a host to a GValue
80: */
81: static GVariant *host_to_variant(host_t *host)
82: {
83: return addr_to_variant(host->get_address(host));
84: }
85:
86: /**
87: * Convert enumerated handler chunks to a GValue
88: */
89: static GVariant* handler_to_variant(nm_handler_t *handler, char *variant_type,
90: configuration_attribute_type_t type)
91: {
92: GVariantBuilder builder;
93: enumerator_t *enumerator;
94: chunk_t *chunk;
95:
96: g_variant_builder_init (&builder, G_VARIANT_TYPE (variant_type));
97:
98: enumerator = handler->create_enumerator(handler, type);
99: while (enumerator->enumerate(enumerator, &chunk))
100: {
101: g_variant_builder_add_value (&builder, addr_to_variant(*chunk));
102: }
103: enumerator->destroy(enumerator);
104:
105: return g_variant_builder_end (&builder);
106: }
107:
108: /**
109: * Signal IP config to NM, set connection as established
110: */
111: static void signal_ip_config(NMVpnServicePlugin *plugin,
112: ike_sa_t *ike_sa, child_sa_t *child_sa)
113: {
114: NMStrongswanPlugin *pub = (NMStrongswanPlugin*)plugin;
115: NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub);
116: GVariantBuilder builder, ip4builder, ip6builder;
117: GVariant *ip4config, *ip6config;
118: enumerator_t *enumerator;
119: host_t *me, *other, *vip4 = NULL, *vip6 = NULL;
120: nm_handler_t *handler;
121:
122: g_variant_builder_init (&builder, G_VARIANT_TYPE_VARDICT);
123: g_variant_builder_init (&ip4builder, G_VARIANT_TYPE_VARDICT);
124: g_variant_builder_init (&ip6builder, G_VARIANT_TYPE_VARDICT);
125:
126: handler = priv->handler;
127:
128: /* NM apparently requires to know the gateway */
129: other = ike_sa->get_other_host(ike_sa);
130: g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY,
131: host_to_variant(other));
132:
133: /* pass the first virtual IPs we got or use the physical IP */
134: enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
135: while (enumerator->enumerate(enumerator, &me))
136: {
137: switch (me->get_family(me))
138: {
139: case AF_INET:
140: if (!vip4)
141: {
142: vip4 = me;
143: }
144: break;
145: case AF_INET6:
146: if (!vip6)
147: {
148: vip6 = me;
149: }
150: break;
151: }
152: }
153: enumerator->destroy(enumerator);
154: if (!vip4 && !vip6)
155: {
156: me = ike_sa->get_my_host(ike_sa);
157: switch (me->get_family(me))
158: {
159: case AF_INET:
160: vip4 = me;
161: break;
162: case AF_INET6:
163: vip6 = me;
164: break;
165: }
166: }
167:
168: if (vip4)
169: {
170: g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS,
171: host_to_variant(vip4));
172: g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX,
173: g_variant_new_uint32 (vip4->get_address(vip4).len * 8));
174:
175: /* prevent NM from changing the default route. we set our own route in our
176: * own routing table
177: */
178: g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT,
179: g_variant_new_boolean (TRUE));
180:
181: g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS,
182: handler_to_variant(handler, "au", INTERNAL_IP4_DNS));
183:
184: g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS,
185: handler_to_variant(handler, "au", INTERNAL_IP4_NBNS));
186: }
187:
188: if (vip6)
189: {
190: g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS,
191: host_to_variant(vip6));
192: g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_PREFIX,
193: g_variant_new_uint32 (vip6->get_address(vip6).len * 8));
194: g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT,
195: g_variant_new_boolean (TRUE));
196: g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_DNS,
197: handler_to_variant(handler, "aay", INTERNAL_IP6_DNS));
198: /* NM_VPN_PLUGIN_IP6_CONFIG_NBNS is not defined */
199: }
200:
201: ip4config = g_variant_builder_end (&ip4builder);
202: if (g_variant_n_children (ip4config))
203: {
204: g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP4,
205: g_variant_new_boolean (TRUE));
206: }
207: else
208: {
209: g_variant_unref (ip4config);
210: ip4config = NULL;
211: }
212:
213: ip6config = g_variant_builder_end (&ip6builder);
214: if (g_variant_n_children (ip6config))
215: {
216: g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP6,
217: g_variant_new_boolean (TRUE));
218: }
219: else
220: {
221: g_variant_unref (ip6config);
222: ip6config = NULL;
223: }
224:
225: handler->reset(handler);
226:
227: nm_vpn_service_plugin_set_config (plugin, g_variant_builder_end (&builder));
228: if (ip4config)
229: {
230: nm_vpn_service_plugin_set_ip4_config (plugin, ip4config);
231: }
232: if (ip6config)
233: {
234: nm_vpn_service_plugin_set_ip6_config (plugin, ip6config);
235: }
236: }
237:
238: /**
239: * signal failure to NM, connecting failed
240: */
241: static void signal_failure(NMVpnServicePlugin *plugin, NMVpnPluginFailure failure)
242: {
243: NMStrongswanPlugin *pub = (NMStrongswanPlugin*)plugin;
244: nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub)->handler;
245:
246: handler->reset(handler);
247:
248: nm_vpn_service_plugin_failure(plugin, failure);
249: }
250:
251: METHOD(listener_t, ike_state_change, bool,
252: NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, ike_sa_state_t state)
253: {
254: if (this->ike_sa == ike_sa && state == IKE_DESTROYING)
255: {
256: signal_failure(this->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
257: }
258: return TRUE;
259: }
260:
261: METHOD(listener_t, child_state_change, bool,
262: NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
263: child_sa_state_t state)
264: {
265: if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
266: {
267: signal_failure(this->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
268: }
269: return TRUE;
270: }
271:
272: METHOD(listener_t, ike_rekey, bool,
273: NMStrongswanPluginPrivate *this, ike_sa_t *old, ike_sa_t *new)
274: {
275: if (this->ike_sa == old)
276: { /* follow a rekeyed IKE_SA */
277: this->ike_sa = new;
278: }
279: return TRUE;
280: }
281:
282: METHOD(listener_t, ike_reestablish_pre, bool,
283: NMStrongswanPluginPrivate *this, ike_sa_t *old, ike_sa_t *new)
284: {
285: if (this->ike_sa == old)
286: { /* ignore child state changes during redirects etc. (task migration) */
287: this->listener.child_state_change = NULL;
288: }
289: return TRUE;
290: }
291:
292: METHOD(listener_t, ike_reestablish_post, bool,
293: NMStrongswanPluginPrivate *this, ike_sa_t *old, ike_sa_t *new,
294: bool initiated)
295: {
296: if (this->ike_sa == old && initiated)
297: { /* if we get redirected during IKE_AUTH we just migrate to the new SA */
298: this->ike_sa = new;
299: /* re-register hooks to detect initiation failures */
300: this->listener.ike_state_change = _ike_state_change;
301: this->listener.child_state_change = _child_state_change;
302: }
303: return TRUE;
304: }
305:
306: METHOD(listener_t, child_updown, bool,
307: NMStrongswanPluginPrivate *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
308: bool up)
309: {
310: if (this->ike_sa == ike_sa)
311: {
312: if (up)
313: { /* disable initiate-failure-detection hooks */
314: this->listener.ike_state_change = NULL;
315: this->listener.child_state_change = NULL;
316: signal_ip_config(this->plugin, ike_sa, child_sa);
317: }
318: else
319: {
320: if (ike_sa->has_condition(ike_sa, COND_REAUTHENTICATING))
321: { /* we ignore this during reauthentication */
322: return TRUE;
323: }
324: signal_failure(this->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
325: }
326: }
327: return TRUE;
328: }
329:
330: /**
331: * Find a certificate for which we have a private key on a smartcard
332: */
333: static identification_t *find_smartcard_key(NMStrongswanPluginPrivate *priv,
334: char *pin)
335: {
336: enumerator_t *enumerator, *sans;
337: identification_t *id = NULL;
338: certificate_t *cert;
339: x509_t *x509;
340: private_key_t *key;
341: chunk_t keyid;
342:
343: enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
344: CERT_X509, KEY_ANY, NULL, FALSE);
345: while (enumerator->enumerate(enumerator, &cert))
346: {
347: x509 = (x509_t*)cert;
348:
349: /* there might be a lot of certificates, filter them by usage */
350: if ((x509->get_flags(x509) & X509_CLIENT_AUTH) &&
351: !(x509->get_flags(x509) & X509_CA))
352: {
353: keyid = x509->get_subjectKeyIdentifier(x509);
354: if (keyid.ptr)
355: {
356: /* try to find a private key by the certificate keyid */
357: priv->creds->set_pin(priv->creds, keyid, pin);
358: key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
359: KEY_ANY, BUILD_PKCS11_KEYID, keyid, BUILD_END);
360: if (key)
361: {
362: /* prefer a more convenient subjectAltName */
363: sans = x509->create_subjectAltName_enumerator(x509);
364: if (!sans->enumerate(sans, &id))
365: {
366: id = cert->get_subject(cert);
367: }
368: id = id->clone(id);
369: sans->destroy(sans);
370:
371: DBG1(DBG_CFG, "using smartcard certificate '%Y'", id);
372: priv->creds->set_cert_and_key(priv->creds,
373: cert->get_ref(cert), key);
374: break;
375: }
376: }
377: }
378: }
379: enumerator->destroy(enumerator);
380: return id;
381: }
382:
383: /**
384: * Add a client auth config for certificate authentication
385: */
386: static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv,
387: NMSettingVpn *vpn, peer_cfg_t *peer_cfg,
388: GError **err)
389: {
390: identification_t *id = NULL;
391: certificate_t *cert = NULL;
392: auth_cfg_t *auth;
393: const char *str, *method, *cert_source;
394:
395: method = nm_setting_vpn_get_data_item(vpn, "method");
396: cert_source = nm_setting_vpn_get_data_item(vpn, "cert-source") ?: method;
397:
398: if (streq(cert_source, "smartcard"))
399: {
400: char *pin;
401:
402: pin = (char*)nm_setting_vpn_get_secret(vpn, "password");
403: if (pin)
404: {
405: id = find_smartcard_key(priv, pin);
406: }
407: if (!id)
408: {
409: g_set_error(err, NM_VPN_PLUGIN_ERROR,
410: NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
411: "No usable smartcard certificate found.");
412: return FALSE;
413: }
414: }
415: /* ... or certificate/private key authentication */
416: else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert")))
417: {
418: public_key_t *public;
419: private_key_t *private = NULL;
420:
421: bool agent = streq(cert_source, "agent");
422:
423: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
424: BUILD_FROM_FILE, str, BUILD_END);
425: if (!cert)
426: {
427: g_set_error(err, NM_VPN_PLUGIN_ERROR,
428: NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
429: "Loading peer certificate failed.");
430: return FALSE;
431: }
432: /* try agent */
433: str = nm_setting_vpn_get_secret(vpn, "agent");
434: if (agent && str)
435: {
436: public = cert->get_public_key(cert);
437: if (public)
438: {
439: private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
440: public->get_type(public),
441: BUILD_AGENT_SOCKET, str,
442: BUILD_PUBLIC_KEY, public,
443: BUILD_END);
444: public->destroy(public);
445: }
446: if (!private)
447: {
448: g_set_error(err, NM_VPN_PLUGIN_ERROR,
449: NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
450: "Connecting to SSH agent failed.");
451: }
452: }
453: /* ... or key file */
454: str = nm_setting_vpn_get_data_item(vpn, "userkey");
455: if (!agent && str)
456: {
457: char *secret;
458:
459: secret = (char*)nm_setting_vpn_get_secret(vpn, "password");
460: if (secret)
461: {
462: priv->creds->set_key_password(priv->creds, secret);
463: }
464: private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
465: KEY_ANY, BUILD_FROM_FILE, str, BUILD_END);
466: if (!private)
467: {
468: g_set_error(err, NM_VPN_PLUGIN_ERROR,
469: NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
470: "Loading private key failed.");
471: }
472: }
473: if (private)
474: {
475: id = cert->get_subject(cert);
476: id = id->clone(id);
477: priv->creds->set_cert_and_key(priv->creds, cert, private);
478: }
479: else
480: {
481: DESTROY_IF(cert);
482: return FALSE;
483: }
484: }
485: else
486: {
487: g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
488: "Certificate is missing.");
489: return FALSE;
490: }
491:
492: auth = auth_cfg_create();
493: if (streq(method, "eap-tls"))
494: {
495: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
496: auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
497: auth->add(auth, AUTH_RULE_AAA_IDENTITY,
498: identification_create_from_string("%any"));
499: }
500: else
501: {
502: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
503: }
504: if (cert)
505: {
506: auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
507: }
508: str = nm_setting_vpn_get_data_item(vpn, "local-identity");
509: if (str)
510: {
511: identification_t *local_id;
512:
513: local_id = identification_create_from_string((char*)str);
514: if (local_id)
515: {
516: id->destroy(id);
517: id = local_id;
518: }
519: }
520: auth->add(auth, AUTH_RULE_IDENTITY, id);
521: peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
522: return TRUE;
523: }
524:
525: /**
526: * Add a client auth config for username/password authentication
527: */
528: static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv,
529: NMSettingVpn *vpn, peer_cfg_t *peer_cfg,
530: GError **err)
531: {
532: identification_t *user = NULL, *id = NULL;
533: auth_cfg_t *auth;
534: const char *str, *method;
535:
536: method = nm_setting_vpn_get_data_item(vpn, "method");
537:
538: str = nm_setting_vpn_get_data_item(vpn, "user");
539: if (str)
540: {
541: user = identification_create_from_string((char*)str);
542: }
543: else
544: {
545: user = identification_create_from_string("%any");
546: }
547: str = nm_setting_vpn_get_data_item(vpn, "local-identity");
548: if (str)
549: {
550: id = identification_create_from_string((char*)str);
551: }
552: else
553: {
554: id = user->clone(user);
555: }
556: str = nm_setting_vpn_get_secret(vpn, "password");
557: if (streq(method, "psk"))
558: {
559: if (strlen(str) < 20)
560: {
561: g_set_error(err, NM_VPN_PLUGIN_ERROR,
562: NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
563: "Pre-shared key is too short.");
564: user->destroy(user);
565: id->destroy(id);
566: return FALSE;
567: }
568: priv->creds->set_username_password(priv->creds, id, (char*)str);
569: }
570: else
571: {
572: priv->creds->set_username_password(priv->creds, user, (char*)str);
573: }
574:
575: auth = auth_cfg_create();
576: auth->add(auth, AUTH_RULE_AUTH_CLASS,
577: streq(method, "psk") ? AUTH_CLASS_PSK : AUTH_CLASS_EAP);
578: /* in case EAP-PEAP or EAP-TTLS is used we currently accept any identity */
579: auth->add(auth, AUTH_RULE_AAA_IDENTITY,
580: identification_create_from_string("%any"));
581: auth->add(auth, AUTH_RULE_EAP_IDENTITY, user);
582: auth->add(auth, AUTH_RULE_IDENTITY, id);
583: peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
584: return TRUE;
585: }
586:
587: /**
588: * Connect function called from NM via DBUS
589: */
590: static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
591: GError **err)
592: {
593: NMStrongswanPlugin *pub = (NMStrongswanPlugin*)plugin;
594: NMStrongswanPluginPrivate *priv;
595: NMSettingConnection *conn;
596: NMSettingVpn *vpn;
597: enumerator_t *enumerator;
598: identification_t *gateway = NULL;
599: const char *str, *method;
600: bool virtual, proposal;
601: proposal_t *prop;
602: ike_cfg_t *ike_cfg;
603: peer_cfg_t *peer_cfg;
604: child_cfg_t *child_cfg;
605: traffic_selector_t *ts;
606: ike_sa_t *ike_sa;
607: auth_cfg_t *auth;
608: certificate_t *cert = NULL;
609: x509_t *x509;
610: bool loose_gateway_id = FALSE;
611: ike_cfg_create_t ike = {
612: .version = IKEV2,
613: .local = "%any",
614: .local_port = charon->socket->get_port(charon->socket, FALSE),
615: .remote_port = IKEV2_UDP_PORT,
616: .fragmentation = FRAGMENTATION_YES,
617: };
618: peer_cfg_create_t peer = {
619: .cert_policy = CERT_SEND_IF_ASKED,
620: .unique = UNIQUE_REPLACE,
621: .keyingtries = 1,
622: .rekey_time = 36000, /* 10h */
623: .jitter_time = 600, /* 10min */
624: .over_time = 600, /* 10min */
625: };
626: child_cfg_create_t child = {
627: .lifetime = {
628: .time = {
629: .life = 10800 /* 3h */,
630: .rekey = 10200 /* 2h50min */,
631: .jitter = 300 /* 5min */
632: },
633: },
634: .mode = MODE_TUNNEL,
635: };
636:
637: /**
638: * Read parameters
639: */
640: priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub);
641: conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection,
642: NM_TYPE_SETTING_CONNECTION));
643: vpn = NM_SETTING_VPN(nm_connection_get_setting(connection,
644: NM_TYPE_SETTING_VPN));
645: if (priv->name)
646: {
647: free(priv->name);
648: }
649: priv->name = strdup(nm_setting_connection_get_id(conn));
650: DBG1(DBG_CFG, "received initiate for NetworkManager connection %s",
651: priv->name);
652: DBG4(DBG_CFG, "%s",
653: nm_setting_to_string(NM_SETTING(vpn)));
654: ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address");
655: if (!ike.remote || !*ike.remote)
656: {
657: g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
658: "Gateway address missing.");
659: return FALSE;
660: }
661: str = nm_setting_vpn_get_data_item(vpn, "server-port");
662: if (str && strlen(str))
663: {
664: ike.remote_port = settings_value_as_int((char*)str, ike.remote_port);
665: }
666: str = nm_setting_vpn_get_data_item(vpn, "virtual");
667: virtual = streq(str, "yes");
668: str = nm_setting_vpn_get_data_item(vpn, "encap");
669: ike.force_encap = streq(str, "yes");
670: str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
671: child.options |= streq(str, "yes") ? OPT_IPCOMP : 0;
672:
673: /**
674: * Register credentials
675: */
676: priv->creds->clear(priv->creds);
677:
678: /* gateway/CA cert */
679: str = nm_setting_vpn_get_data_item(vpn, "certificate");
680: if (str)
681: {
682: cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
683: BUILD_FROM_FILE, str, BUILD_END);
684: if (!cert)
685: {
686: g_set_error(err, NM_VPN_PLUGIN_ERROR,
687: NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
688: "Loading gateway certificate failed.");
689: return FALSE;
690: }
691: priv->creds->add_certificate(priv->creds, cert);
692: }
693: else
694: {
695: /* no certificate defined, fall back to system-wide CA certificates */
696: priv->creds->load_ca_dir(priv->creds, lib->settings->get_str(
697: lib->settings, "charon-nm.ca_dir", NM_CA_DIR));
698: }
699:
700: str = nm_setting_vpn_get_data_item(vpn, "remote-identity");
701: if (str)
702: {
703: gateway = identification_create_from_string((char*)str);
704: }
705: else if (cert)
706: {
707: x509 = (x509_t*)cert;
708: if (!(x509->get_flags(x509) & X509_CA))
709: { /* for server certificates, we use the subject as identity */
710: gateway = cert->get_subject(cert);
711: gateway = gateway->clone(gateway);
712: }
713: }
714: if (!gateway || gateway->get_type(gateway) == ID_ANY)
715: {
716: /* if the user configured a CA certificate (or an invalid identity),
717: * we use the IP/hostname of the server */
718: gateway = identification_create_from_string(ike.remote);
719: loose_gateway_id = TRUE;
720: }
721: DBG1(DBG_CFG, "using gateway identity '%Y'", gateway);
722:
723: /**
724: * Set up configurations
725: */
726: ike_cfg = ike_cfg_create(&ike);
727:
728: str = nm_setting_vpn_get_data_item(vpn, "proposal");
729: proposal = streq(str, "yes");
730: str = nm_setting_vpn_get_data_item(vpn, "ike");
731: if (proposal && str && strlen(str))
732: {
733: enumerator = enumerator_create_token(str, ";", "");
734: while (enumerator->enumerate(enumerator, &str))
735: {
736: prop = proposal_create_from_string(PROTO_IKE, str);
737: if (!prop)
738: {
739: g_set_error(err, NM_VPN_PLUGIN_ERROR,
740: NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
741: "Invalid IKE proposal.");
742: enumerator->destroy(enumerator);
743: ike_cfg->destroy(ike_cfg);
744: gateway->destroy(gateway);
745: return FALSE;
746: }
747: ike_cfg->add_proposal(ike_cfg, prop);
748: }
749: enumerator->destroy(enumerator);
750: }
751: else
752: {
753: ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
754: ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
755: }
756:
757: peer_cfg = peer_cfg_create(priv->name, ike_cfg, &peer);
758: if (virtual)
759: {
760: peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET));
761: peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET6));
762: }
763:
764: method = nm_setting_vpn_get_data_item(vpn, "method");
765: if (streq(method, "cert") ||
766: streq(method, "eap-tls") ||
767: streq(method, "key") ||
768: streq(method, "agent") ||
769: streq(method, "smartcard"))
770: {
771: if (!add_auth_cfg_cert (priv, vpn, peer_cfg, err))
772: {
773: peer_cfg->destroy(peer_cfg);
774: ike_cfg->destroy(ike_cfg);
775: gateway->destroy(gateway);
776: return FALSE;
777: }
778: }
779: else if (streq(method, "eap") ||
780: streq(method, "psk"))
781: {
782: if (!add_auth_cfg_pw(priv, vpn, peer_cfg, err))
783: {
784: peer_cfg->destroy(peer_cfg);
785: ike_cfg->destroy(ike_cfg);
786: gateway->destroy(gateway);
787: return FALSE;
788: }
789: }
790: else
791: {
792: g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
793: "Configuration parameters missing.");
794: peer_cfg->destroy(peer_cfg);
795: ike_cfg->destroy(ike_cfg);
796: gateway->destroy(gateway);
797: return FALSE;
798: }
799:
800: auth = auth_cfg_create();
801: if (streq(method, "psk"))
802: {
803: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
804: }
805: else
806: {
807: auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
808: }
809: auth->add(auth, AUTH_RULE_IDENTITY, gateway);
810: auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
811: peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
812:
813: child_cfg = child_cfg_create(priv->name, &child);
814: str = nm_setting_vpn_get_data_item(vpn, "esp");
815: if (proposal && str && strlen(str))
816: {
817: enumerator = enumerator_create_token(str, ";", "");
818: while (enumerator->enumerate(enumerator, &str))
819: {
820: prop = proposal_create_from_string(PROTO_ESP, str);
821: if (!prop)
822: {
823: g_set_error(err, NM_VPN_PLUGIN_ERROR,
824: NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
825: "Invalid ESP proposal.");
826: enumerator->destroy(enumerator);
827: child_cfg->destroy(child_cfg);
828: peer_cfg->destroy(peer_cfg);
829: return FALSE;
830: }
831: child_cfg->add_proposal(child_cfg, prop);
832: }
833: enumerator->destroy(enumerator);
834: }
835: else
836: {
837: child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
838: child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
839: }
840: ts = traffic_selector_create_dynamic(0, 0, 65535);
841: child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
842: ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
843: child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
844: ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
845: child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
846: peer_cfg->add_child_cfg(peer_cfg, child_cfg);
847:
848: /**
849: * Prepare IKE_SA
850: */
851: ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
852: peer_cfg);
853: if (!ike_sa)
854: {
855: peer_cfg->destroy(peer_cfg);
856: g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
857: "IKE version not supported.");
858: return FALSE;
859: }
860: if (!ike_sa->get_peer_cfg(ike_sa))
861: {
862: ike_sa->set_peer_cfg(ike_sa, peer_cfg);
863: }
864: peer_cfg->destroy(peer_cfg);
865:
866: /**
867: * Register listener, enable initiate-failure-detection hooks
868: */
869: priv->ike_sa = ike_sa;
870: priv->listener.ike_state_change = _ike_state_change;
871: priv->listener.child_state_change = _child_state_change;
872:
873: /**
874: * Initiate
875: */
876: child_cfg->get_ref(child_cfg);
877: if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
878: {
879: charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
880:
881: g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
882: "Initiating failed.");
883: return FALSE;
884: }
885: charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
886: return TRUE;
887: }
888:
889: /**
890: * NeedSecrets called from NM via DBUS
891: */
892: static gboolean need_secrets(NMVpnServicePlugin *plugin, NMConnection *connection,
893: const char **setting_name, GError **error)
894: {
895: NMSettingVpn *settings;
896: const char *method, *cert_source, *path;
897: bool need_secret = FALSE;
898:
899: settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
900: NM_TYPE_SETTING_VPN));
901: method = nm_setting_vpn_get_data_item(settings, "method");
902: if (method)
903: {
904: if (streq(method, "cert") ||
905: streq(method, "eap-tls") ||
906: streq(method, "key") ||
907: streq(method, "agent") ||
908: streq(method, "smartcard"))
909: {
910: cert_source = nm_setting_vpn_get_data_item(settings, "cert-source");
911: if (!cert_source)
912: {
913: cert_source = method;
914: }
915: if (streq(cert_source, "agent"))
916: {
917: need_secret = !nm_setting_vpn_get_secret(settings, "agent");
918: }
919: else if (streq(cert_source, "smartcard"))
920: {
921: need_secret = !nm_setting_vpn_get_secret(settings, "password");
922: }
923: else
924: {
925: need_secret = TRUE;
926: path = nm_setting_vpn_get_data_item(settings, "userkey");
927: if (path)
928: {
929: private_key_t *key;
930:
931: /* try to load/decrypt the private key */
932: key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
933: KEY_ANY, BUILD_FROM_FILE, path, BUILD_END);
934: if (key)
935: {
936: key->destroy(key);
937: need_secret = FALSE;
938: }
939: else if (nm_setting_vpn_get_secret(settings, "password"))
940: {
941: need_secret = FALSE;
942: }
943: }
944: }
945: }
946: else if (streq(method, "eap") ||
947: streq(method, "psk"))
948: {
949: need_secret = !nm_setting_vpn_get_secret(settings, "password");
950: }
951: }
952: *setting_name = NM_SETTING_VPN_SETTING_NAME;
953: return need_secret;
954: }
955:
956: /**
957: * The actual disconnection
958: */
959: static gboolean do_disconnect(gpointer plugin)
960: {
961: NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
962: enumerator_t *enumerator;
963: ike_sa_t *ike_sa;
964: u_int id;
965:
966: /* our ike_sa pointer might be invalid, lookup sa */
967: enumerator = charon->controller->create_ike_sa_enumerator(
968: charon->controller, TRUE);
969: while (enumerator->enumerate(enumerator, &ike_sa))
970: {
971: if (priv->ike_sa == ike_sa)
972: {
973: id = ike_sa->get_unique_id(ike_sa);
974: enumerator->destroy(enumerator);
975: charon->controller->terminate_ike(charon->controller, id, FALSE,
976: controller_cb_empty, NULL, 0);
977: return FALSE;
978: }
979: }
980: enumerator->destroy(enumerator);
981:
982: g_debug("Connection not found.");
983: return FALSE;
984: }
985:
986: /**
987: * Disconnect called from NM via DBUS
988: */
989: static gboolean disconnect(NMVpnServicePlugin *plugin, GError **err)
990: {
991: /* enqueue the actual disconnection, because we may be called in
992: * response to a listener_t callback and the SA enumeration would
993: * possibly deadlock. */
994: g_idle_add(do_disconnect, plugin);
995:
996: return TRUE;
997: }
998:
999: /**
1000: * Initializer
1001: */
1002: static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
1003: {
1004: NMStrongswanPluginPrivate *priv;
1005:
1006: priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
1007: priv->plugin = NM_VPN_SERVICE_PLUGIN(plugin);
1008: memset(&priv->listener, 0, sizeof(listener_t));
1009: priv->listener.child_updown = _child_updown;
1010: priv->listener.ike_rekey = _ike_rekey;
1011: priv->listener.ike_reestablish_pre = _ike_reestablish_pre;
1012: priv->listener.ike_reestablish_post = _ike_reestablish_post;
1013: charon->bus->add_listener(charon->bus, &priv->listener);
1014: priv->name = NULL;
1015: }
1016:
1017: /**
1018: * Class constructor
1019: */
1020: static void nm_strongswan_plugin_class_init(
1021: NMStrongswanPluginClass *strongswan_class)
1022: {
1023: NMVpnServicePluginClass *parent_class = NM_VPN_SERVICE_PLUGIN_CLASS(strongswan_class);
1024:
1025: parent_class->connect = connect_;
1026: parent_class->need_secrets = need_secrets;
1027: parent_class->disconnect = disconnect;
1028: }
1029:
1030: /**
1031: * Object constructor
1032: */
1033: NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
1034: nm_handler_t *handler)
1035: {
1036: GError *error = NULL;
1037:
1038: NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_initable_new (
1039: NM_TYPE_STRONGSWAN_PLUGIN,
1040: NULL,
1041: &error,
1042: NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
1043: NULL);
1044:
1045: if (plugin)
1046: {
1047: NMStrongswanPluginPrivate *priv;
1048:
1049: /* the rest of the initialization happened in _init above */
1050: priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
1051: priv->creds = creds;
1052: priv->handler = handler;
1053: }
1054: else
1055: {
1056: g_warning ("Failed to initialize a plugin instance: %s", error->message);
1057: g_error_free (error);
1058: }
1059:
1060: return plugin;
1061: }