controller: Add option to force destruction of an IKE_SA
[strongswan.git] / src / charon-nm / nm / nm_service.c
1 /*
2 * Copyright (C) 2017 Lubomir Rintel
3 *
4 * Copyright (C) 2013 Tobias Brunner
5 * Copyright (C) 2008-2009 Martin Willi
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "nm_service.h"
20
21 #include <daemon.h>
22 #include <networking/host.h>
23 #include <utils/identification.h>
24 #include <config/peer_cfg.h>
25 #include <credentials/certificates/x509.h>
26
27 #include <stdio.h>
28
29 G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_SERVICE_PLUGIN)
30
31 /**
32 * Private data of NMStrongswanPlugin
33 */
34 typedef struct {
35 /* implements bus listener interface */
36 listener_t listener;
37 /* IKE_SA we are listening on */
38 ike_sa_t *ike_sa;
39 /* backref to public plugin */
40 NMVpnServicePlugin *plugin;
41 /* credentials to use for authentication */
42 nm_creds_t *creds;
43 /* attribute handler for DNS/NBNS server information */
44 nm_handler_t *handler;
45 /* name of the connection */
46 char *name;
47 } NMStrongswanPluginPrivate;
48
49 #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
50 (G_TYPE_INSTANCE_GET_PRIVATE ((o), \
51 NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
52
53 /**
54 * convert enumerated handler chunks to a UINT_ARRAY GValue
55 */
56 static GVariant* handler_to_variant(nm_handler_t *handler,
57 configuration_attribute_type_t type)
58 {
59 GVariantBuilder builder;
60 enumerator_t *enumerator;
61 chunk_t chunk;
62
63 g_variant_builder_init (&builder, G_VARIANT_TYPE ("au"));
64
65 enumerator = handler->create_enumerator(handler, type);
66 while (enumerator->enumerate(enumerator, &chunk))
67 {
68 g_variant_builder_add (&builder, "u", *(uint32_t*)chunk.ptr);
69 }
70 enumerator->destroy(enumerator);
71
72 return g_variant_builder_end (&builder);
73 }
74
75 /**
76 * signal IPv4 config to NM, set connection as established
77 */
78 static void signal_ipv4_config(NMVpnServicePlugin *plugin,
79 ike_sa_t *ike_sa, child_sa_t *child_sa)
80 {
81 NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
82 GVariantBuilder builder;
83 enumerator_t *enumerator;
84 host_t *me, *other;
85 nm_handler_t *handler;
86
87 g_variant_builder_init (&builder, G_VARIANT_TYPE_VARDICT);
88
89 handler = priv->handler;
90
91 /* NM apparently requires to know the gateway */
92 other = ike_sa->get_other_host(ike_sa);
93 g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_EXT_GATEWAY,
94 g_variant_new_uint32 (*(uint32_t*)other->get_address(other).ptr));
95
96 /* NM installs this IP address on the interface above, so we use the VIP if
97 * we got one.
98 */
99 enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
100 if (!enumerator->enumerate(enumerator, &me))
101 {
102 me = ike_sa->get_my_host(ike_sa);
103 }
104 enumerator->destroy(enumerator);
105 g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS,
106 g_variant_new_uint32 (*(uint32_t*)other->get_address(me).ptr));
107
108 g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX,
109 g_variant_new_uint32 (me->get_address(me).len * 8));
110
111 /* prevent NM from changing the default route. we set our own route in our
112 * own routing table
113 */
114 g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT,
115 g_variant_new_boolean (TRUE));
116
117
118 g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS,
119 handler_to_variant(handler, INTERNAL_IP4_DNS));
120
121 g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS,
122 handler_to_variant(handler, INTERNAL_IP4_NBNS));
123
124 handler->reset(handler);
125
126 nm_vpn_service_plugin_set_ip4_config(plugin, g_variant_builder_end (&builder));
127 }
128
129 /**
130 * signal failure to NM, connecting failed
131 */
132 static void signal_failure(NMVpnServicePlugin *plugin, NMVpnPluginFailure failure)
133 {
134 nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
135
136 handler->reset(handler);
137
138 nm_vpn_service_plugin_failure(plugin, failure);
139 }
140
141 /**
142 * Implementation of listener_t.ike_state_change
143 */
144 static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
145 ike_sa_state_t state)
146 {
147 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
148
149 if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
150 {
151 signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
152 return FALSE;
153 }
154 return TRUE;
155 }
156
157 /**
158 * Implementation of listener_t.child_state_change
159 */
160 static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
161 child_sa_t *child_sa, child_sa_state_t state)
162 {
163 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
164
165 if (private->ike_sa == ike_sa && state == CHILD_DESTROYING)
166 {
167 signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
168 return FALSE;
169 }
170 return TRUE;
171 }
172
173 /**
174 * Implementation of listener_t.child_updown
175 */
176 static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
177 child_sa_t *child_sa, bool up)
178 {
179 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
180
181 if (private->ike_sa == ike_sa)
182 {
183 if (up)
184 { /* disable initiate-failure-detection hooks */
185 private->listener.ike_state_change = NULL;
186 private->listener.child_state_change = NULL;
187 signal_ipv4_config(private->plugin, ike_sa, child_sa);
188 }
189 else
190 {
191 signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
192 return FALSE;
193 }
194 }
195 return TRUE;
196 }
197
198 /**
199 * Implementation of listener_t.ike_rekey
200 */
201 static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
202 {
203 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
204
205 if (private->ike_sa == old)
206 { /* follow a rekeyed IKE_SA */
207 private->ike_sa = new;
208 }
209 return TRUE;
210 }
211
212 /**
213 * Find a certificate for which we have a private key on a smartcard
214 */
215 static identification_t *find_smartcard_key(NMStrongswanPluginPrivate *priv,
216 char *pin)
217 {
218 enumerator_t *enumerator, *sans;
219 identification_t *id = NULL;
220 certificate_t *cert;
221 x509_t *x509;
222 private_key_t *key;
223 chunk_t keyid;
224
225 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
226 CERT_X509, KEY_ANY, NULL, FALSE);
227 while (enumerator->enumerate(enumerator, &cert))
228 {
229 x509 = (x509_t*)cert;
230
231 /* there might be a lot of certificates, filter them by usage */
232 if ((x509->get_flags(x509) & X509_CLIENT_AUTH) &&
233 !(x509->get_flags(x509) & X509_CA))
234 {
235 keyid = x509->get_subjectKeyIdentifier(x509);
236 if (keyid.ptr)
237 {
238 /* try to find a private key by the certificate keyid */
239 priv->creds->set_pin(priv->creds, keyid, pin);
240 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
241 KEY_ANY, BUILD_PKCS11_KEYID, keyid, BUILD_END);
242 if (key)
243 {
244 /* prefer a more convenient subjectAltName */
245 sans = x509->create_subjectAltName_enumerator(x509);
246 if (!sans->enumerate(sans, &id))
247 {
248 id = cert->get_subject(cert);
249 }
250 id = id->clone(id);
251 sans->destroy(sans);
252
253 DBG1(DBG_CFG, "using smartcard certificate '%Y'", id);
254 priv->creds->set_cert_and_key(priv->creds,
255 cert->get_ref(cert), key);
256 break;
257 }
258 }
259 }
260 }
261 enumerator->destroy(enumerator);
262 return id;
263 }
264
265 /**
266 * Connect function called from NM via DBUS
267 */
268 static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
269 GError **err)
270 {
271 NMStrongswanPluginPrivate *priv;
272 NMSettingConnection *conn;
273 NMSettingVpn *vpn;
274 enumerator_t *enumerator;
275 identification_t *user = NULL, *gateway = NULL;
276 const char *address, *str;
277 bool virtual, encap, proposal;
278 proposal_t *prop;
279 ike_cfg_t *ike_cfg;
280 peer_cfg_t *peer_cfg;
281 child_cfg_t *child_cfg;
282 traffic_selector_t *ts;
283 ike_sa_t *ike_sa;
284 auth_cfg_t *auth;
285 auth_class_t auth_class = AUTH_CLASS_EAP;
286 certificate_t *cert = NULL;
287 x509_t *x509;
288 bool agent = FALSE, smartcard = FALSE, loose_gateway_id = FALSE;
289 peer_cfg_create_t peer = {
290 .cert_policy = CERT_SEND_IF_ASKED,
291 .unique = UNIQUE_REPLACE,
292 .keyingtries = 1,
293 .rekey_time = 36000, /* 10h */
294 .jitter_time = 600, /* 10min */
295 .over_time = 600, /* 10min */
296 };
297 child_cfg_create_t child = {
298 .lifetime = {
299 .time = {
300 .life = 10800 /* 3h */,
301 .rekey = 10200 /* 2h50min */,
302 .jitter = 300 /* 5min */
303 },
304 },
305 .mode = MODE_TUNNEL,
306 };
307
308 /**
309 * Read parameters
310 */
311 priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
312 conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection,
313 NM_TYPE_SETTING_CONNECTION));
314 vpn = NM_SETTING_VPN(nm_connection_get_setting(connection,
315 NM_TYPE_SETTING_VPN));
316 if (priv->name)
317 {
318 free(priv->name);
319 }
320 priv->name = strdup(nm_setting_connection_get_id(conn));
321 DBG1(DBG_CFG, "received initiate for NetworkManager connection %s",
322 priv->name);
323 DBG4(DBG_CFG, "%s",
324 nm_setting_to_string(NM_SETTING(vpn)));
325 address = nm_setting_vpn_get_data_item(vpn, "address");
326 if (!address || !*address)
327 {
328 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
329 "Gateway address missing.");
330 return FALSE;
331 }
332 str = nm_setting_vpn_get_data_item(vpn, "virtual");
333 virtual = streq(str, "yes");
334 str = nm_setting_vpn_get_data_item(vpn, "encap");
335 encap = streq(str, "yes");
336 str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
337 child.options |= streq(str, "yes") ? OPT_IPCOMP : 0;
338 str = nm_setting_vpn_get_data_item(vpn, "method");
339 if (streq(str, "psk"))
340 {
341 auth_class = AUTH_CLASS_PSK;
342 }
343 else if (streq(str, "agent"))
344 {
345 auth_class = AUTH_CLASS_PUBKEY;
346 agent = TRUE;
347 }
348 else if (streq(str, "key"))
349 {
350 auth_class = AUTH_CLASS_PUBKEY;
351 }
352 else if (streq(str, "smartcard"))
353 {
354 auth_class = AUTH_CLASS_PUBKEY;
355 smartcard = TRUE;
356 }
357
358 /**
359 * Register credentials
360 */
361 priv->creds->clear(priv->creds);
362
363 /* gateway/CA cert */
364 str = nm_setting_vpn_get_data_item(vpn, "certificate");
365 if (str)
366 {
367 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
368 BUILD_FROM_FILE, str, BUILD_END);
369 if (!cert)
370 {
371 g_set_error(err, NM_VPN_PLUGIN_ERROR,
372 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
373 "Loading gateway certificate failed.");
374 return FALSE;
375 }
376 priv->creds->add_certificate(priv->creds, cert);
377
378 x509 = (x509_t*)cert;
379 if (!(x509->get_flags(x509) & X509_CA))
380 { /* For a gateway certificate, we use the cert subject as identity. */
381 gateway = cert->get_subject(cert);
382 gateway = gateway->clone(gateway);
383 DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
384 }
385 }
386 else
387 {
388 /* no certificate defined, fall back to system-wide CA certificates */
389 priv->creds->load_ca_dir(priv->creds, lib->settings->get_str(
390 lib->settings, "charon-nm.ca_dir", NM_CA_DIR));
391 }
392 if (!gateway)
393 {
394 /* If the user configured a CA certificate, we use the IP/DNS
395 * of the gateway as its identity. This identity will be used for
396 * certificate lookup and requires the configured IP/DNS to be
397 * included in the gateway certificate. */
398 gateway = identification_create_from_string((char*)address);
399 DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
400 loose_gateway_id = TRUE;
401 }
402
403 if (auth_class == AUTH_CLASS_EAP ||
404 auth_class == AUTH_CLASS_PSK)
405 {
406 /* username/password or PSK authentication ... */
407 str = nm_setting_vpn_get_data_item(vpn, "user");
408 if (str)
409 {
410 user = identification_create_from_string((char*)str);
411 str = nm_setting_vpn_get_secret(vpn, "password");
412 if (auth_class == AUTH_CLASS_PSK &&
413 strlen(str) < 20)
414 {
415 g_set_error(err, NM_VPN_PLUGIN_ERROR,
416 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
417 "pre-shared key is too short.");
418 gateway->destroy(gateway);
419 user->destroy(user);
420 return FALSE;
421 }
422 priv->creds->set_username_password(priv->creds, user, (char*)str);
423 }
424 }
425
426 if (auth_class == AUTH_CLASS_PUBKEY)
427 {
428 if (smartcard)
429 {
430 char *pin;
431
432 pin = (char*)nm_setting_vpn_get_secret(vpn, "password");
433 if (pin)
434 {
435 user = find_smartcard_key(priv, pin);
436 }
437 if (!user)
438 {
439 g_set_error(err, NM_VPN_PLUGIN_ERROR,
440 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
441 "no usable smartcard certificate found.");
442 gateway->destroy(gateway);
443 return FALSE;
444 }
445 }
446 /* ... or certificate/private key authenitcation */
447 else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert")))
448 {
449 public_key_t *public;
450 private_key_t *private = NULL;
451
452 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
453 BUILD_FROM_FILE, str, BUILD_END);
454 if (!cert)
455 {
456 g_set_error(err, NM_VPN_PLUGIN_ERROR,
457 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
458 "Loading peer certificate failed.");
459 gateway->destroy(gateway);
460 return FALSE;
461 }
462 /* try agent */
463 str = nm_setting_vpn_get_secret(vpn, "agent");
464 if (agent && str)
465 {
466 public = cert->get_public_key(cert);
467 if (public)
468 {
469 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
470 public->get_type(public),
471 BUILD_AGENT_SOCKET, str,
472 BUILD_PUBLIC_KEY, public,
473 BUILD_END);
474 public->destroy(public);
475 }
476 if (!private)
477 {
478 g_set_error(err, NM_VPN_PLUGIN_ERROR,
479 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
480 "Connecting to SSH agent failed.");
481 }
482 }
483 /* ... or key file */
484 str = nm_setting_vpn_get_data_item(vpn, "userkey");
485 if (!agent && str)
486 {
487 char *secret;
488
489 secret = (char*)nm_setting_vpn_get_secret(vpn, "password");
490 if (secret)
491 {
492 priv->creds->set_key_password(priv->creds, secret);
493 }
494 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
495 KEY_ANY, BUILD_FROM_FILE, str, BUILD_END);
496 if (!private)
497 {
498 g_set_error(err, NM_VPN_PLUGIN_ERROR,
499 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
500 "Loading private key failed.");
501 }
502 }
503 if (private)
504 {
505 user = cert->get_subject(cert);
506 user = user->clone(user);
507 priv->creds->set_cert_and_key(priv->creds, cert, private);
508 }
509 else
510 {
511 DESTROY_IF(cert);
512 gateway->destroy(gateway);
513 return FALSE;
514 }
515 }
516 }
517
518 if (!user)
519 {
520 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
521 "Configuration parameters missing.");
522 gateway->destroy(gateway);
523 return FALSE;
524 }
525
526 /**
527 * Set up configurations
528 */
529 ike_cfg = ike_cfg_create(IKEV2, TRUE, encap, "0.0.0.0",
530 charon->socket->get_port(charon->socket, FALSE),
531 (char*)address, IKEV2_UDP_PORT,
532 FRAGMENTATION_YES, 0);
533
534 str = nm_setting_vpn_get_data_item(vpn, "proposal");
535 proposal = streq(str, "yes");
536 str = nm_setting_vpn_get_data_item(vpn, "ike");
537 if (proposal && str && strlen(str))
538 {
539 enumerator = enumerator_create_token(str, ";", "");
540 while (enumerator->enumerate(enumerator, &str))
541 {
542 prop = proposal_create_from_string(PROTO_IKE, str);
543 if (!prop)
544 {
545 g_set_error(err, NM_VPN_PLUGIN_ERROR,
546 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
547 "Invalid IKE proposal.");
548 enumerator->destroy(enumerator);
549 ike_cfg->destroy(ike_cfg);
550 gateway->destroy(gateway);
551 user->destroy(user);
552 return FALSE;
553 }
554 ike_cfg->add_proposal(ike_cfg, prop);
555 }
556 enumerator->destroy(enumerator);
557 }
558 else
559 {
560 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
561 ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
562 }
563
564 peer_cfg = peer_cfg_create(priv->name, ike_cfg, &peer);
565 if (virtual)
566 {
567 peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
568 }
569 auth = auth_cfg_create();
570 auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_class);
571 auth->add(auth, AUTH_RULE_IDENTITY, user);
572 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
573 auth = auth_cfg_create();
574 if (auth_class == AUTH_CLASS_PSK)
575 {
576 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
577 }
578 else
579 {
580 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
581 }
582 auth->add(auth, AUTH_RULE_IDENTITY, gateway);
583 auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
584 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
585
586 child_cfg = child_cfg_create(priv->name, &child);
587 str = nm_setting_vpn_get_data_item(vpn, "esp");
588 if (proposal && str && strlen(str))
589 {
590 enumerator = enumerator_create_token(str, ";", "");
591 while (enumerator->enumerate(enumerator, &str))
592 {
593 prop = proposal_create_from_string(PROTO_ESP, str);
594 if (!prop)
595 {
596 g_set_error(err, NM_VPN_PLUGIN_ERROR,
597 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
598 "Invalid ESP proposal.");
599 enumerator->destroy(enumerator);
600 child_cfg->destroy(child_cfg);
601 peer_cfg->destroy(peer_cfg);
602 return FALSE;
603 }
604 child_cfg->add_proposal(child_cfg, prop);
605 }
606 enumerator->destroy(enumerator);
607 }
608 else
609 {
610 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
611 child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
612 }
613 ts = traffic_selector_create_dynamic(0, 0, 65535);
614 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
615 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
616 "0.0.0.0", 0,
617 "255.255.255.255", 65535);
618 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
619 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
620
621 /**
622 * Prepare IKE_SA
623 */
624 ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
625 peer_cfg);
626 if (!ike_sa)
627 {
628 peer_cfg->destroy(peer_cfg);
629 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
630 "IKE version not supported.");
631 return FALSE;
632 }
633 if (!ike_sa->get_peer_cfg(ike_sa))
634 {
635 ike_sa->set_peer_cfg(ike_sa, peer_cfg);
636 }
637 peer_cfg->destroy(peer_cfg);
638
639 /**
640 * Register listener, enable initiate-failure-detection hooks
641 */
642 priv->ike_sa = ike_sa;
643 priv->listener.ike_state_change = ike_state_change;
644 priv->listener.child_state_change = child_state_change;
645 charon->bus->add_listener(charon->bus, &priv->listener);
646
647 /**
648 * Initiate
649 */
650 child_cfg->get_ref(child_cfg);
651 if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
652 {
653 charon->bus->remove_listener(charon->bus, &priv->listener);
654 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
655
656 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
657 "Initiating failed.");
658 return FALSE;
659 }
660 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
661 return TRUE;
662 }
663
664 /**
665 * NeedSecrets called from NM via DBUS
666 */
667 static gboolean need_secrets(NMVpnServicePlugin *plugin, NMConnection *connection,
668 const char **setting_name, GError **error)
669 {
670 NMSettingVpn *settings;
671 const char *method, *path;
672
673 settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
674 NM_TYPE_SETTING_VPN));
675 method = nm_setting_vpn_get_data_item(settings, "method");
676 if (method)
677 {
678 if (streq(method, "eap") || streq(method, "psk"))
679 {
680 if (nm_setting_vpn_get_secret(settings, "password"))
681 {
682 return FALSE;
683 }
684 }
685 else if (streq(method, "agent"))
686 {
687 if (nm_setting_vpn_get_secret(settings, "agent"))
688 {
689 return FALSE;
690 }
691 }
692 else if (streq(method, "key"))
693 {
694 path = nm_setting_vpn_get_data_item(settings, "userkey");
695 if (path)
696 {
697 private_key_t *key;
698
699 /* try to load/decrypt the private key */
700 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
701 KEY_RSA, BUILD_FROM_FILE, path, BUILD_END);
702 if (key)
703 {
704 key->destroy(key);
705 return FALSE;
706 }
707 else if (nm_setting_vpn_get_secret(settings, "password"))
708 {
709 return FALSE;
710 }
711 }
712 }
713 else if (streq(method, "smartcard"))
714 {
715 if (nm_setting_vpn_get_secret(settings, "password"))
716 {
717 return FALSE;
718 }
719 }
720 }
721 *setting_name = NM_SETTING_VPN_SETTING_NAME;
722 return TRUE;
723 }
724
725 /**
726 * The actual disconnection
727 */
728 static gboolean do_disconnect(gpointer plugin)
729 {
730 NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
731 enumerator_t *enumerator;
732 ike_sa_t *ike_sa;
733 u_int id;
734
735 /* our ike_sa pointer might be invalid, lookup sa */
736 enumerator = charon->controller->create_ike_sa_enumerator(
737 charon->controller, TRUE);
738 while (enumerator->enumerate(enumerator, &ike_sa))
739 {
740 if (priv->ike_sa == ike_sa)
741 {
742 id = ike_sa->get_unique_id(ike_sa);
743 enumerator->destroy(enumerator);
744 charon->controller->terminate_ike(charon->controller, id, FALSE,
745 controller_cb_empty, NULL, 0);
746 return FALSE;
747 }
748 }
749 enumerator->destroy(enumerator);
750
751 g_debug("Connection not found.");
752 return FALSE;
753 }
754
755 /**
756 * Disconnect called from NM via DBUS
757 */
758 static gboolean disconnect(NMVpnServicePlugin *plugin, GError **err)
759 {
760 /* enqueue the actual disconnection, because we may be called in
761 * response to a listener_t callback and the SA enumeration would
762 * possibly deadlock. */
763 g_idle_add(do_disconnect, plugin);
764
765 return TRUE;
766 }
767
768 /**
769 * Initializer
770 */
771 static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
772 {
773 NMStrongswanPluginPrivate *priv;
774
775 priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
776 priv->plugin = NM_VPN_SERVICE_PLUGIN(plugin);
777 memset(&priv->listener, 0, sizeof(listener_t));
778 priv->listener.child_updown = child_updown;
779 priv->listener.ike_rekey = ike_rekey;
780 priv->name = NULL;
781 }
782
783 /**
784 * Class constructor
785 */
786 static void nm_strongswan_plugin_class_init(
787 NMStrongswanPluginClass *strongswan_class)
788 {
789 NMVpnServicePluginClass *parent_class = NM_VPN_SERVICE_PLUGIN_CLASS(strongswan_class);
790
791 g_type_class_add_private(G_OBJECT_CLASS(strongswan_class),
792 sizeof(NMStrongswanPluginPrivate));
793 parent_class->connect = connect_;
794 parent_class->need_secrets = need_secrets;
795 parent_class->disconnect = disconnect;
796 }
797
798 /**
799 * Object constructor
800 */
801 NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
802 nm_handler_t *handler)
803 {
804 GError *error = NULL;
805
806 NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_initable_new (
807 NM_TYPE_STRONGSWAN_PLUGIN,
808 NULL,
809 &error,
810 NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
811 NULL);
812
813 if (plugin)
814 {
815 NMStrongswanPluginPrivate *priv;
816
817 /* the rest of the initialization happened in _init above */
818 priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
819 priv->creds = creds;
820 priv->handler = handler;
821 }
822 else
823 {
824 g_warning ("Failed to initialize a plugin instance: %s", error->message);
825 g_error_free (error);
826 }
827
828 return plugin;
829 }