b096ad0ef5f2fbb1110eaa1e05ba1633451c5e5e
[strongswan.git] / src / charon-nm / nm / nm_service.c
1 /*
2 * Copyright (C) 2017 Lubomir Rintel
3 *
4 * Copyright (C) 2013-2020 Tobias Brunner
5 * Copyright (C) 2008-2009 Martin Willi
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "nm_service.h"
20
21 #include <daemon.h>
22 #include <networking/host.h>
23 #include <utils/identification.h>
24 #include <config/peer_cfg.h>
25 #include <credentials/certificates/x509.h>
26
27 #include <stdio.h>
28
29 /**
30 * Private data of NMStrongswanPlugin
31 */
32 typedef struct {
33 /* implements bus listener interface */
34 listener_t listener;
35 /* IKE_SA we are listening on */
36 ike_sa_t *ike_sa;
37 /* backref to public plugin */
38 NMVpnServicePlugin *plugin;
39 /* credentials to use for authentication */
40 nm_creds_t *creds;
41 /* attribute handler for DNS/NBNS server information */
42 nm_handler_t *handler;
43 /* name of the connection */
44 char *name;
45 } NMStrongswanPluginPrivate;
46
47 G_DEFINE_TYPE_WITH_PRIVATE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_SERVICE_PLUGIN)
48
49 #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
50 ((NMStrongswanPluginPrivate*) \
51 nm_strongswan_plugin_get_instance_private (o))
52
53 /**
54 * Convert an address chunk to a GValue
55 */
56 static GVariant *addr_to_variant(chunk_t addr)
57 {
58 GVariantBuilder builder;
59 int i;
60
61 switch (addr.len)
62 {
63 case 4:
64 return g_variant_new_uint32 (*(uint32_t*)addr.ptr);
65 case 16:
66 g_variant_builder_init (&builder, G_VARIANT_TYPE ("ay"));
67 for (i = 0; i < addr.len; i++)
68 {
69 g_variant_builder_add (&builder, "y", addr.ptr[i]);
70
71 }
72 return g_variant_builder_end (&builder);
73 default:
74 return NULL;
75 }
76 }
77
78 /**
79 * Convert a host to a GValue
80 */
81 static GVariant *host_to_variant(host_t *host)
82 {
83 return addr_to_variant(host->get_address(host));
84 }
85
86 /**
87 * Convert enumerated handler chunks to a GValue
88 */
89 static GVariant* handler_to_variant(nm_handler_t *handler, char *variant_type,
90 configuration_attribute_type_t type)
91 {
92 GVariantBuilder builder;
93 enumerator_t *enumerator;
94 chunk_t *chunk;
95
96 g_variant_builder_init (&builder, G_VARIANT_TYPE (variant_type));
97
98 enumerator = handler->create_enumerator(handler, type);
99 while (enumerator->enumerate(enumerator, &chunk))
100 {
101 g_variant_builder_add_value (&builder, addr_to_variant(*chunk));
102 }
103 enumerator->destroy(enumerator);
104
105 return g_variant_builder_end (&builder);
106 }
107
108 /**
109 * Signal IP config to NM, set connection as established
110 */
111 static void signal_ip_config(NMVpnServicePlugin *plugin,
112 ike_sa_t *ike_sa, child_sa_t *child_sa)
113 {
114 NMStrongswanPlugin *pub = (NMStrongswanPlugin*)plugin;
115 NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub);
116 GVariantBuilder builder, ip4builder, ip6builder;
117 GVariant *ip4config, *ip6config;
118 enumerator_t *enumerator;
119 host_t *me, *other, *vip4 = NULL, *vip6 = NULL;
120 nm_handler_t *handler;
121
122 g_variant_builder_init (&builder, G_VARIANT_TYPE_VARDICT);
123 g_variant_builder_init (&ip4builder, G_VARIANT_TYPE_VARDICT);
124 g_variant_builder_init (&ip6builder, G_VARIANT_TYPE_VARDICT);
125
126 handler = priv->handler;
127
128 /* NM apparently requires to know the gateway */
129 other = ike_sa->get_other_host(ike_sa);
130 g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY,
131 host_to_variant(other));
132
133 /* pass the first virtual IPs we got or use the physical IP */
134 enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
135 while (enumerator->enumerate(enumerator, &me))
136 {
137 switch (me->get_family(me))
138 {
139 case AF_INET:
140 if (!vip4)
141 {
142 vip4 = me;
143 }
144 break;
145 case AF_INET6:
146 if (!vip6)
147 {
148 vip6 = me;
149 }
150 break;
151 }
152 }
153 enumerator->destroy(enumerator);
154 if (!vip4 && !vip6)
155 {
156 me = ike_sa->get_my_host(ike_sa);
157 switch (me->get_family(me))
158 {
159 case AF_INET:
160 vip4 = me;
161 break;
162 case AF_INET6:
163 vip6 = me;
164 break;
165 }
166 }
167
168 if (vip4)
169 {
170 g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS,
171 host_to_variant(vip4));
172 g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_PREFIX,
173 g_variant_new_uint32 (vip4->get_address(vip4).len * 8));
174
175 /* prevent NM from changing the default route. we set our own route in our
176 * own routing table
177 */
178 g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NEVER_DEFAULT,
179 g_variant_new_boolean (TRUE));
180
181 g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_DNS,
182 handler_to_variant(handler, "au", INTERNAL_IP4_DNS));
183
184 g_variant_builder_add (&ip4builder, "{sv}", NM_VPN_PLUGIN_IP4_CONFIG_NBNS,
185 handler_to_variant(handler, "au", INTERNAL_IP4_NBNS));
186 }
187
188 if (vip6)
189 {
190 g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_ADDRESS,
191 host_to_variant(vip6));
192 g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_PREFIX,
193 g_variant_new_uint32 (vip6->get_address(vip6).len * 8));
194 g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_NEVER_DEFAULT,
195 g_variant_new_boolean (TRUE));
196 g_variant_builder_add (&ip6builder, "{sv}", NM_VPN_PLUGIN_IP6_CONFIG_DNS,
197 handler_to_variant(handler, "aay", INTERNAL_IP6_DNS));
198 /* NM_VPN_PLUGIN_IP6_CONFIG_NBNS is not defined */
199 }
200
201 ip4config = g_variant_builder_end (&ip4builder);
202 if (g_variant_n_children (ip4config))
203 {
204 g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP4,
205 g_variant_new_boolean (TRUE));
206 }
207 else
208 {
209 g_variant_unref (ip4config);
210 ip4config = NULL;
211 }
212
213 ip6config = g_variant_builder_end (&ip6builder);
214 if (g_variant_n_children (ip6config))
215 {
216 g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_HAS_IP6,
217 g_variant_new_boolean (TRUE));
218 }
219 else
220 {
221 g_variant_unref (ip6config);
222 ip6config = NULL;
223 }
224
225 handler->reset(handler);
226
227 nm_vpn_service_plugin_set_config (plugin, g_variant_builder_end (&builder));
228 if (ip4config)
229 {
230 nm_vpn_service_plugin_set_ip4_config (plugin, ip4config);
231 }
232 if (ip6config)
233 {
234 nm_vpn_service_plugin_set_ip6_config (plugin, ip6config);
235 }
236 }
237
238 /**
239 * signal failure to NM, connecting failed
240 */
241 static void signal_failure(NMVpnServicePlugin *plugin, NMVpnPluginFailure failure)
242 {
243 NMStrongswanPlugin *pub = (NMStrongswanPlugin*)plugin;
244 nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub)->handler;
245
246 handler->reset(handler);
247
248 nm_vpn_service_plugin_failure(plugin, failure);
249 }
250
251 /**
252 * Implementation of listener_t.ike_state_change
253 */
254 static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
255 ike_sa_state_t state)
256 {
257 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
258
259 if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
260 {
261 signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
262 return FALSE;
263 }
264 return TRUE;
265 }
266
267 /**
268 * Implementation of listener_t.child_state_change
269 */
270 static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
271 child_sa_t *child_sa, child_sa_state_t state)
272 {
273 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
274
275 if (private->ike_sa == ike_sa && state == CHILD_DESTROYING)
276 {
277 signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
278 return FALSE;
279 }
280 return TRUE;
281 }
282
283 /**
284 * Implementation of listener_t.child_updown
285 */
286 static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
287 child_sa_t *child_sa, bool up)
288 {
289 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
290
291 if (private->ike_sa == ike_sa)
292 {
293 if (up)
294 { /* disable initiate-failure-detection hooks */
295 private->listener.ike_state_change = NULL;
296 private->listener.child_state_change = NULL;
297 signal_ip_config(private->plugin, ike_sa, child_sa);
298 }
299 else
300 {
301 signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
302 return FALSE;
303 }
304 }
305 return TRUE;
306 }
307
308 /**
309 * Implementation of listener_t.ike_rekey
310 */
311 static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
312 {
313 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
314
315 if (private->ike_sa == old)
316 { /* follow a rekeyed IKE_SA */
317 private->ike_sa = new;
318 }
319 return TRUE;
320 }
321
322 /**
323 * Find a certificate for which we have a private key on a smartcard
324 */
325 static identification_t *find_smartcard_key(NMStrongswanPluginPrivate *priv,
326 char *pin)
327 {
328 enumerator_t *enumerator, *sans;
329 identification_t *id = NULL;
330 certificate_t *cert;
331 x509_t *x509;
332 private_key_t *key;
333 chunk_t keyid;
334
335 enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
336 CERT_X509, KEY_ANY, NULL, FALSE);
337 while (enumerator->enumerate(enumerator, &cert))
338 {
339 x509 = (x509_t*)cert;
340
341 /* there might be a lot of certificates, filter them by usage */
342 if ((x509->get_flags(x509) & X509_CLIENT_AUTH) &&
343 !(x509->get_flags(x509) & X509_CA))
344 {
345 keyid = x509->get_subjectKeyIdentifier(x509);
346 if (keyid.ptr)
347 {
348 /* try to find a private key by the certificate keyid */
349 priv->creds->set_pin(priv->creds, keyid, pin);
350 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
351 KEY_ANY, BUILD_PKCS11_KEYID, keyid, BUILD_END);
352 if (key)
353 {
354 /* prefer a more convenient subjectAltName */
355 sans = x509->create_subjectAltName_enumerator(x509);
356 if (!sans->enumerate(sans, &id))
357 {
358 id = cert->get_subject(cert);
359 }
360 id = id->clone(id);
361 sans->destroy(sans);
362
363 DBG1(DBG_CFG, "using smartcard certificate '%Y'", id);
364 priv->creds->set_cert_and_key(priv->creds,
365 cert->get_ref(cert), key);
366 break;
367 }
368 }
369 }
370 }
371 enumerator->destroy(enumerator);
372 return id;
373 }
374
375 /**
376 * Add a client auth config for certificate authentication
377 */
378 static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv,
379 NMSettingVpn *vpn, peer_cfg_t *peer_cfg,
380 GError **err)
381 {
382 identification_t *user = NULL;
383 certificate_t *cert = NULL;
384 auth_cfg_t *auth;
385 const char *str, *method, *cert_source;
386
387 method = nm_setting_vpn_get_data_item(vpn, "method");
388 cert_source = nm_setting_vpn_get_data_item(vpn, "cert-source") ?: method;
389
390 if (streq(cert_source, "smartcard"))
391 {
392 char *pin;
393
394 pin = (char*)nm_setting_vpn_get_secret(vpn, "password");
395 if (pin)
396 {
397 user = find_smartcard_key(priv, pin);
398 }
399 if (!user)
400 {
401 g_set_error(err, NM_VPN_PLUGIN_ERROR,
402 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
403 "no usable smartcard certificate found.");
404 return FALSE;
405 }
406 }
407 /* ... or certificate/private key authentication */
408 else if ((str = nm_setting_vpn_get_data_item(vpn, "usercert")))
409 {
410 public_key_t *public;
411 private_key_t *private = NULL;
412
413 bool agent = streq(cert_source, "agent");
414
415 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
416 BUILD_FROM_FILE, str, BUILD_END);
417 if (!cert)
418 {
419 g_set_error(err, NM_VPN_PLUGIN_ERROR,
420 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
421 "Loading peer certificate failed.");
422 return FALSE;
423 }
424 /* try agent */
425 str = nm_setting_vpn_get_secret(vpn, "agent");
426 if (agent && str)
427 {
428 public = cert->get_public_key(cert);
429 if (public)
430 {
431 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
432 public->get_type(public),
433 BUILD_AGENT_SOCKET, str,
434 BUILD_PUBLIC_KEY, public,
435 BUILD_END);
436 public->destroy(public);
437 }
438 if (!private)
439 {
440 g_set_error(err, NM_VPN_PLUGIN_ERROR,
441 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
442 "Connecting to SSH agent failed.");
443 }
444 }
445 /* ... or key file */
446 str = nm_setting_vpn_get_data_item(vpn, "userkey");
447 if (!agent && str)
448 {
449 char *secret;
450
451 secret = (char*)nm_setting_vpn_get_secret(vpn, "password");
452 if (secret)
453 {
454 priv->creds->set_key_password(priv->creds, secret);
455 }
456 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
457 KEY_ANY, BUILD_FROM_FILE, str, BUILD_END);
458 if (!private)
459 {
460 g_set_error(err, NM_VPN_PLUGIN_ERROR,
461 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
462 "Loading private key failed.");
463 }
464 }
465 if (private)
466 {
467 user = cert->get_subject(cert);
468 user = user->clone(user);
469 priv->creds->set_cert_and_key(priv->creds, cert, private);
470 }
471 else
472 {
473 DESTROY_IF(cert);
474 return FALSE;
475 }
476 }
477
478 auth = auth_cfg_create();
479 if (streq(method, "eap-tls"))
480 {
481 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
482 auth->add(auth, AUTH_RULE_EAP_TYPE, EAP_TLS);
483 auth->add(auth, AUTH_RULE_AAA_IDENTITY,
484 identification_create_from_string("%any"));
485 }
486 else
487 {
488 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
489 }
490 if (cert)
491 {
492 auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
493 }
494 auth->add(auth, AUTH_RULE_IDENTITY, user);
495 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
496 return TRUE;
497 }
498
499 /**
500 * Add a client auth config for username/password authentication
501 */
502 static bool add_auth_cfg_pw(NMStrongswanPluginPrivate *priv,
503 NMSettingVpn *vpn, peer_cfg_t *peer_cfg,
504 GError **err)
505 {
506 identification_t *user = NULL;
507 auth_cfg_t *auth;
508 const char *str, *method;
509
510 method = nm_setting_vpn_get_data_item(vpn, "method");
511
512 str = nm_setting_vpn_get_data_item(vpn, "user");
513 if (str)
514 {
515 user = identification_create_from_string((char*)str);
516 str = nm_setting_vpn_get_secret(vpn, "password");
517 if (streq(method, "psk") && strlen(str) < 20)
518 {
519 g_set_error(err, NM_VPN_PLUGIN_ERROR,
520 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
521 "Pre-shared key is too short.");
522 user->destroy(user);
523 return FALSE;
524 }
525 priv->creds->set_username_password(priv->creds, user, (char*)str);
526 }
527 else
528 {
529 g_set_error(err, NM_VPN_PLUGIN_ERROR,
530 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
531 "Username is missing.");
532 return FALSE;
533 }
534
535 auth = auth_cfg_create();
536 auth->add(auth, AUTH_RULE_AUTH_CLASS,
537 streq(method, "psk") ? AUTH_CLASS_PSK : AUTH_CLASS_EAP);
538 /* in case EAP-PEAP or EAP-TTLS is used we currently accept any identity */
539 auth->add(auth, AUTH_RULE_AAA_IDENTITY,
540 identification_create_from_string("%any"));
541 auth->add(auth, AUTH_RULE_IDENTITY, user);
542 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
543 return TRUE;
544 }
545
546 /**
547 * Connect function called from NM via DBUS
548 */
549 static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
550 GError **err)
551 {
552 NMStrongswanPlugin *pub = (NMStrongswanPlugin*)plugin;
553 NMStrongswanPluginPrivate *priv;
554 NMSettingConnection *conn;
555 NMSettingVpn *vpn;
556 enumerator_t *enumerator;
557 identification_t *gateway = NULL;
558 const char *str, *method;
559 bool virtual, proposal;
560 proposal_t *prop;
561 ike_cfg_t *ike_cfg;
562 peer_cfg_t *peer_cfg;
563 child_cfg_t *child_cfg;
564 traffic_selector_t *ts;
565 ike_sa_t *ike_sa;
566 auth_cfg_t *auth;
567 auth_class_t auth_class = AUTH_CLASS_EAP;
568 certificate_t *cert = NULL;
569 x509_t *x509;
570 bool loose_gateway_id = FALSE;
571 ike_cfg_create_t ike = {
572 .version = IKEV2,
573 .local = "%any",
574 .local_port = charon->socket->get_port(charon->socket, FALSE),
575 .remote_port = IKEV2_UDP_PORT,
576 .fragmentation = FRAGMENTATION_YES,
577 };
578 peer_cfg_create_t peer = {
579 .cert_policy = CERT_SEND_IF_ASKED,
580 .unique = UNIQUE_REPLACE,
581 .keyingtries = 1,
582 .rekey_time = 36000, /* 10h */
583 .jitter_time = 600, /* 10min */
584 .over_time = 600, /* 10min */
585 };
586 child_cfg_create_t child = {
587 .lifetime = {
588 .time = {
589 .life = 10800 /* 3h */,
590 .rekey = 10200 /* 2h50min */,
591 .jitter = 300 /* 5min */
592 },
593 },
594 .mode = MODE_TUNNEL,
595 };
596
597 /**
598 * Read parameters
599 */
600 priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(pub);
601 conn = NM_SETTING_CONNECTION(nm_connection_get_setting(connection,
602 NM_TYPE_SETTING_CONNECTION));
603 vpn = NM_SETTING_VPN(nm_connection_get_setting(connection,
604 NM_TYPE_SETTING_VPN));
605 if (priv->name)
606 {
607 free(priv->name);
608 }
609 priv->name = strdup(nm_setting_connection_get_id(conn));
610 DBG1(DBG_CFG, "received initiate for NetworkManager connection %s",
611 priv->name);
612 DBG4(DBG_CFG, "%s",
613 nm_setting_to_string(NM_SETTING(vpn)));
614 ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address");
615 if (!ike.remote || !*ike.remote)
616 {
617 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
618 "Gateway address missing.");
619 return FALSE;
620 }
621 str = nm_setting_vpn_get_data_item(vpn, "server-port");
622 if (str && strlen(str))
623 {
624 ike.remote_port = settings_value_as_int((char*)str, ike.remote_port);
625 }
626 str = nm_setting_vpn_get_data_item(vpn, "virtual");
627 virtual = streq(str, "yes");
628 str = nm_setting_vpn_get_data_item(vpn, "encap");
629 ike.force_encap = streq(str, "yes");
630 str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
631 child.options |= streq(str, "yes") ? OPT_IPCOMP : 0;
632
633 /**
634 * Register credentials
635 */
636 priv->creds->clear(priv->creds);
637
638 /* gateway/CA cert */
639 str = nm_setting_vpn_get_data_item(vpn, "certificate");
640 if (str)
641 {
642 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
643 BUILD_FROM_FILE, str, BUILD_END);
644 if (!cert)
645 {
646 g_set_error(err, NM_VPN_PLUGIN_ERROR,
647 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
648 "Loading gateway certificate failed.");
649 return FALSE;
650 }
651 priv->creds->add_certificate(priv->creds, cert);
652 }
653 else
654 {
655 /* no certificate defined, fall back to system-wide CA certificates */
656 priv->creds->load_ca_dir(priv->creds, lib->settings->get_str(
657 lib->settings, "charon-nm.ca_dir", NM_CA_DIR));
658 }
659
660 str = nm_setting_vpn_get_data_item(vpn, "remote-identity");
661 if (str)
662 {
663 gateway = identification_create_from_string((char*)str);
664 }
665 else if (cert)
666 {
667 x509 = (x509_t*)cert;
668 if (!(x509->get_flags(x509) & X509_CA))
669 { /* for server certificates, we use the subject as identity */
670 gateway = cert->get_subject(cert);
671 gateway = gateway->clone(gateway);
672 }
673 }
674 if (!gateway || gateway->get_type(gateway) == ID_ANY)
675 {
676 /* if the user configured a CA certificate (or an invalid identity),
677 * we use the IP/hostname of the server */
678 gateway = identification_create_from_string(ike.remote);
679 loose_gateway_id = TRUE;
680 }
681 DBG1(DBG_CFG, "using gateway identity '%Y'", gateway);
682
683 /**
684 * Set up configurations
685 */
686 ike_cfg = ike_cfg_create(&ike);
687
688 str = nm_setting_vpn_get_data_item(vpn, "proposal");
689 proposal = streq(str, "yes");
690 str = nm_setting_vpn_get_data_item(vpn, "ike");
691 if (proposal && str && strlen(str))
692 {
693 enumerator = enumerator_create_token(str, ";", "");
694 while (enumerator->enumerate(enumerator, &str))
695 {
696 prop = proposal_create_from_string(PROTO_IKE, str);
697 if (!prop)
698 {
699 g_set_error(err, NM_VPN_PLUGIN_ERROR,
700 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
701 "Invalid IKE proposal.");
702 enumerator->destroy(enumerator);
703 ike_cfg->destroy(ike_cfg);
704 gateway->destroy(gateway);
705 return FALSE;
706 }
707 ike_cfg->add_proposal(ike_cfg, prop);
708 }
709 enumerator->destroy(enumerator);
710 }
711 else
712 {
713 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
714 ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
715 }
716
717 peer_cfg = peer_cfg_create(priv->name, ike_cfg, &peer);
718 if (virtual)
719 {
720 peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET));
721 peer_cfg->add_virtual_ip(peer_cfg, host_create_any(AF_INET6));
722 }
723
724 method = nm_setting_vpn_get_data_item(vpn, "method");
725 if (streq(method, "cert") ||
726 streq(method, "eap-tls") ||
727 streq(method, "key") ||
728 streq(method, "agent") ||
729 streq(method, "smartcard"))
730 {
731 if (!add_auth_cfg_cert (priv, vpn, peer_cfg, err))
732 {
733 peer_cfg->destroy(peer_cfg);
734 ike_cfg->destroy(ike_cfg);
735 gateway->destroy(gateway);
736 return FALSE;
737 }
738 }
739 else if (streq(method, "eap") ||
740 streq(method, "psk"))
741 {
742 if (!add_auth_cfg_pw(priv, vpn, peer_cfg, err))
743 {
744 peer_cfg->destroy(peer_cfg);
745 ike_cfg->destroy(ike_cfg);
746 gateway->destroy(gateway);
747 return FALSE;
748 }
749 }
750 else
751 {
752 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
753 "Configuration parameters missing.");
754 peer_cfg->destroy(peer_cfg);
755 ike_cfg->destroy(ike_cfg);
756 gateway->destroy(gateway);
757 return FALSE;
758 }
759
760 auth = auth_cfg_create();
761 if (auth_class == AUTH_CLASS_PSK)
762 {
763 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
764 }
765 else
766 {
767 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
768 }
769 auth->add(auth, AUTH_RULE_IDENTITY, gateway);
770 auth->add(auth, AUTH_RULE_IDENTITY_LOOSE, loose_gateway_id);
771 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
772
773 child_cfg = child_cfg_create(priv->name, &child);
774 str = nm_setting_vpn_get_data_item(vpn, "esp");
775 if (proposal && str && strlen(str))
776 {
777 enumerator = enumerator_create_token(str, ";", "");
778 while (enumerator->enumerate(enumerator, &str))
779 {
780 prop = proposal_create_from_string(PROTO_ESP, str);
781 if (!prop)
782 {
783 g_set_error(err, NM_VPN_PLUGIN_ERROR,
784 NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
785 "Invalid ESP proposal.");
786 enumerator->destroy(enumerator);
787 child_cfg->destroy(child_cfg);
788 peer_cfg->destroy(peer_cfg);
789 return FALSE;
790 }
791 child_cfg->add_proposal(child_cfg, prop);
792 }
793 enumerator->destroy(enumerator);
794 }
795 else
796 {
797 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
798 child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
799 }
800 ts = traffic_selector_create_dynamic(0, 0, 65535);
801 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
802 ts = traffic_selector_create_from_cidr("0.0.0.0/0", 0, 0, 65535);
803 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
804 ts = traffic_selector_create_from_cidr("::/0", 0, 0, 65535);
805 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
806 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
807
808 /**
809 * Prepare IKE_SA
810 */
811 ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
812 peer_cfg);
813 if (!ike_sa)
814 {
815 peer_cfg->destroy(peer_cfg);
816 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
817 "IKE version not supported.");
818 return FALSE;
819 }
820 if (!ike_sa->get_peer_cfg(ike_sa))
821 {
822 ike_sa->set_peer_cfg(ike_sa, peer_cfg);
823 }
824 peer_cfg->destroy(peer_cfg);
825
826 /**
827 * Register listener, enable initiate-failure-detection hooks
828 */
829 priv->ike_sa = ike_sa;
830 priv->listener.ike_state_change = ike_state_change;
831 priv->listener.child_state_change = child_state_change;
832 charon->bus->add_listener(charon->bus, &priv->listener);
833
834 /**
835 * Initiate
836 */
837 child_cfg->get_ref(child_cfg);
838 if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
839 {
840 charon->bus->remove_listener(charon->bus, &priv->listener);
841 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
842
843 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
844 "Initiating failed.");
845 return FALSE;
846 }
847 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
848 return TRUE;
849 }
850
851 /**
852 * NeedSecrets called from NM via DBUS
853 */
854 static gboolean need_secrets(NMVpnServicePlugin *plugin, NMConnection *connection,
855 const char **setting_name, GError **error)
856 {
857 NMSettingVpn *settings;
858 const char *method, *cert_source, *path;
859 bool need_secret = FALSE;
860
861 settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
862 NM_TYPE_SETTING_VPN));
863 method = nm_setting_vpn_get_data_item(settings, "method");
864 if (method)
865 {
866 if (streq(method, "cert") ||
867 streq(method, "eap-tls") ||
868 streq(method, "key") ||
869 streq(method, "agent") ||
870 streq(method, "smartcard"))
871 {
872 cert_source = nm_setting_vpn_get_data_item(settings, "cert-source");
873 if (!cert_source)
874 {
875 cert_source = method;
876 }
877 if (streq(cert_source, "agent"))
878 {
879 need_secret = !nm_setting_vpn_get_secret(settings, "agent");
880 }
881 else if (streq(cert_source, "smartcard"))
882 {
883 need_secret = !nm_setting_vpn_get_secret(settings, "password");
884 }
885 else
886 {
887 need_secret = TRUE;
888 path = nm_setting_vpn_get_data_item(settings, "userkey");
889 if (path)
890 {
891 private_key_t *key;
892
893 /* try to load/decrypt the private key */
894 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
895 KEY_ANY, BUILD_FROM_FILE, path, BUILD_END);
896 if (key)
897 {
898 key->destroy(key);
899 need_secret = FALSE;
900 }
901 else if (nm_setting_vpn_get_secret(settings, "password"))
902 {
903 need_secret = FALSE;
904 }
905 }
906 }
907 }
908 else if (streq(method, "eap") ||
909 streq(method, "psk"))
910 {
911 need_secret = !nm_setting_vpn_get_secret(settings, "password");
912 }
913 }
914 *setting_name = NM_SETTING_VPN_SETTING_NAME;
915 return need_secret;
916 }
917
918 /**
919 * The actual disconnection
920 */
921 static gboolean do_disconnect(gpointer plugin)
922 {
923 NMStrongswanPluginPrivate *priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
924 enumerator_t *enumerator;
925 ike_sa_t *ike_sa;
926 u_int id;
927
928 /* our ike_sa pointer might be invalid, lookup sa */
929 enumerator = charon->controller->create_ike_sa_enumerator(
930 charon->controller, TRUE);
931 while (enumerator->enumerate(enumerator, &ike_sa))
932 {
933 if (priv->ike_sa == ike_sa)
934 {
935 id = ike_sa->get_unique_id(ike_sa);
936 enumerator->destroy(enumerator);
937 charon->controller->terminate_ike(charon->controller, id, FALSE,
938 controller_cb_empty, NULL, 0);
939 return FALSE;
940 }
941 }
942 enumerator->destroy(enumerator);
943
944 g_debug("Connection not found.");
945 return FALSE;
946 }
947
948 /**
949 * Disconnect called from NM via DBUS
950 */
951 static gboolean disconnect(NMVpnServicePlugin *plugin, GError **err)
952 {
953 /* enqueue the actual disconnection, because we may be called in
954 * response to a listener_t callback and the SA enumeration would
955 * possibly deadlock. */
956 g_idle_add(do_disconnect, plugin);
957
958 return TRUE;
959 }
960
961 /**
962 * Initializer
963 */
964 static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
965 {
966 NMStrongswanPluginPrivate *priv;
967
968 priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
969 priv->plugin = NM_VPN_SERVICE_PLUGIN(plugin);
970 memset(&priv->listener, 0, sizeof(listener_t));
971 priv->listener.child_updown = child_updown;
972 priv->listener.ike_rekey = ike_rekey;
973 priv->name = NULL;
974 }
975
976 /**
977 * Class constructor
978 */
979 static void nm_strongswan_plugin_class_init(
980 NMStrongswanPluginClass *strongswan_class)
981 {
982 NMVpnServicePluginClass *parent_class = NM_VPN_SERVICE_PLUGIN_CLASS(strongswan_class);
983
984 parent_class->connect = connect_;
985 parent_class->need_secrets = need_secrets;
986 parent_class->disconnect = disconnect;
987 }
988
989 /**
990 * Object constructor
991 */
992 NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
993 nm_handler_t *handler)
994 {
995 GError *error = NULL;
996
997 NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_initable_new (
998 NM_TYPE_STRONGSWAN_PLUGIN,
999 NULL,
1000 &error,
1001 NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
1002 NULL);
1003
1004 if (plugin)
1005 {
1006 NMStrongswanPluginPrivate *priv;
1007
1008 /* the rest of the initialization happened in _init above */
1009 priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
1010 priv->creds = creds;
1011 priv->handler = handler;
1012 }
1013 else
1014 {
1015 g_warning ("Failed to initialize a plugin instance: %s", error->message);
1016 g_error_free (error);
1017 }
1018
1019 return plugin;
1020 }