e69558582b3b91906d8053e09ac7d8307cf9d138
[strongswan.git] / src / charon / plugins / nm / nm_service.c
1 /*
2 * Copyright (C) 2008-2009 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <nm-setting-vpn.h>
17 #include "nm_service.h"
18
19 #include <daemon.h>
20 #include <asn1/pem.h>
21 #include <utils/host.h>
22 #include <utils/identification.h>
23 #include <config/peer_cfg.h>
24 #include <credentials/certificates/x509.h>
25
26 #include <stdio.h>
27
28 #define CONFIG_NAME "NetworkManager"
29
30 G_DEFINE_TYPE(NMStrongswanPlugin, nm_strongswan_plugin, NM_TYPE_VPN_PLUGIN)
31
32 /**
33 * Private data of NMStrongswanPlugin
34 */
35 typedef struct {
36 /* implements bus listener interface */
37 listener_t listener;
38 /* IKE_SA we are listening on */
39 ike_sa_t *ike_sa;
40 /* backref to public plugin */
41 NMVPNPlugin *plugin;
42 /* credentials to use for authentication */
43 nm_creds_t *creds;
44 /* attribute handler for DNS/NBNS server information */
45 nm_handler_t *handler;
46 } NMStrongswanPluginPrivate;
47
48 #define NM_STRONGSWAN_PLUGIN_GET_PRIVATE(o) \
49 (G_TYPE_INSTANCE_GET_PRIVATE ((o), \
50 NM_TYPE_STRONGSWAN_PLUGIN, NMStrongswanPluginPrivate))
51
52 /**
53 * convert enumerated handler chunks to a UINT_ARRAY GValue
54 */
55 static GValue* handler_to_val(nm_handler_t *handler,
56 configuration_attribute_type_t type)
57 {
58 GValue *val;
59 GArray *array;
60 enumerator_t *enumerator;
61 chunk_t chunk;
62
63 enumerator = handler->create_enumerator(handler, type);
64 array = g_array_new (FALSE, TRUE, sizeof (guint32));
65 while (enumerator->enumerate(enumerator, &chunk))
66 {
67 g_array_append_val (array, *(u_int32_t*)chunk.ptr);
68 }
69 enumerator->destroy(enumerator);
70 val = g_slice_new0 (GValue);
71 g_value_init (val, DBUS_TYPE_G_UINT_ARRAY);
72 g_value_set_boxed (val, array);
73
74 return val;
75 }
76
77 /**
78 * signal IPv4 config to NM, set connection as established
79 */
80 static void signal_ipv4_config(NMVPNPlugin *plugin,
81 ike_sa_t *ike_sa, child_sa_t *child_sa)
82 {
83 GValue *val;
84 GHashTable *config;
85 host_t *me, *other;
86 nm_handler_t *handler;
87
88 config = g_hash_table_new(g_str_hash, g_str_equal);
89 me = ike_sa->get_my_host(ike_sa);
90 other = ike_sa->get_other_host(ike_sa);
91 handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
92
93 /* NM requires a tundev, but netkey does not use one. Passing an invalid
94 * iface makes NM complain, but it accepts it without fiddling on eth0. */
95 val = g_slice_new0 (GValue);
96 g_value_init (val, G_TYPE_STRING);
97 g_value_set_string (val, "none");
98 g_hash_table_insert (config, NM_VPN_PLUGIN_IP4_CONFIG_TUNDEV, val);
99
100 val = g_slice_new0(GValue);
101 g_value_init(val, G_TYPE_UINT);
102 g_value_set_uint(val, *(u_int32_t*)me->get_address(me).ptr);
103 g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_ADDRESS, val);
104
105 val = g_slice_new0(GValue);
106 g_value_init(val, G_TYPE_UINT);
107 g_value_set_uint(val, me->get_address(me).len * 8);
108 g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_PREFIX, val);
109
110 val = handler_to_val(handler, INTERNAL_IP4_DNS);
111 g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_DNS, val);
112
113 val = handler_to_val(handler, INTERNAL_IP4_NBNS);
114 g_hash_table_insert(config, NM_VPN_PLUGIN_IP4_CONFIG_NBNS, val);
115
116 handler->reset(handler);
117
118 nm_vpn_plugin_set_ip4_config(plugin, config);
119 }
120
121 /**
122 * signal failure to NM, connecting failed
123 */
124 static void signal_failure(NMVPNPlugin *plugin, NMVPNPluginFailure failure)
125 {
126 nm_handler_t *handler = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler;
127
128 handler->reset(handler);
129
130 /* TODO: NM does not handle this failure!? */
131 nm_vpn_plugin_failure(plugin, failure);
132 nm_vpn_plugin_set_state(plugin, NM_VPN_SERVICE_STATE_STOPPED);
133 }
134
135 /**
136 * Implementation of listener_t.ike_state_change
137 */
138 static bool ike_state_change(listener_t *listener, ike_sa_t *ike_sa,
139 ike_sa_state_t state)
140 {
141 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
142
143 if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
144 {
145 signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
146 return FALSE;
147 }
148 return TRUE;
149 }
150
151 /**
152 * Implementation of listener_t.child_state_change
153 */
154 static bool child_state_change(listener_t *listener, ike_sa_t *ike_sa,
155 child_sa_t *child_sa, child_sa_state_t state)
156 {
157 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
158
159 if (private->ike_sa == ike_sa && state == IKE_DESTROYING)
160 {
161 signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
162 return FALSE;
163 }
164 return TRUE;
165 }
166
167 /**
168 * Implementation of listener_t.child_updown
169 */
170 static bool child_updown(listener_t *listener, ike_sa_t *ike_sa,
171 child_sa_t *child_sa, bool up)
172 {
173 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
174
175 if (private->ike_sa == ike_sa)
176 {
177 if (up)
178 { /* disable initiate-failure-detection hooks */
179 private->listener.ike_state_change = NULL;
180 private->listener.child_state_change = NULL;
181 signal_ipv4_config(private->plugin, ike_sa, child_sa);
182 }
183 else
184 {
185 signal_failure(private->plugin, NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
186 return FALSE;
187 }
188 }
189 return TRUE;
190 }
191
192 /**
193 * Implementation of listener_t.ike_rekey
194 */
195 static bool ike_rekey(listener_t *listener, ike_sa_t *old, ike_sa_t *new)
196 {
197 NMStrongswanPluginPrivate *private = (NMStrongswanPluginPrivate*)listener;
198
199 if (private->ike_sa == old)
200 { /* follow a rekeyed IKE_SA */
201 private->ike_sa = new;
202 }
203 return TRUE;
204 }
205
206 /**
207 * Connect function called from NM via DBUS
208 */
209 static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
210 GError **err)
211 {
212 nm_creds_t *creds;
213 NMSettingVPN *settings;
214 listener_t *listener;
215 identification_t *user = NULL, *gateway;
216 const char *address, *str;
217 bool virtual, encap, ipcomp;
218 ike_cfg_t *ike_cfg;
219 peer_cfg_t *peer_cfg;
220 child_cfg_t *child_cfg;
221 traffic_selector_t *ts;
222 ike_sa_t *ike_sa;
223 auth_cfg_t *auth;
224 auth_class_t auth_class = AUTH_CLASS_EAP;
225 certificate_t *cert = NULL;
226 x509_t *x509;
227 bool agent = FALSE;
228
229 /**
230 * Read parameters
231 */
232 settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
233 NM_TYPE_SETTING_VPN));
234
235 DBG4(DBG_CFG, "received NetworkManager connection: %s",
236 nm_setting_to_string(NM_SETTING(settings)));
237 address = nm_setting_vpn_get_data_item(settings, "address");
238 if (!address || !*address)
239 {
240 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
241 "Gateway address missing.");
242 return FALSE;
243 }
244 str = nm_setting_vpn_get_data_item(settings, "virtual");
245 virtual = str && streq(str, "yes");
246 str = nm_setting_vpn_get_data_item(settings, "encap");
247 encap = str && streq(str, "yes");
248 str = nm_setting_vpn_get_data_item(settings, "ipcomp");
249 ipcomp = str && streq(str, "yes");
250 str = nm_setting_vpn_get_data_item(settings, "method");
251 if (str)
252 {
253 if (streq(str, "psk"))
254 {
255 auth_class = AUTH_CLASS_PSK;
256 }
257 else if (streq(str, "agent"))
258 {
259 auth_class = AUTH_CLASS_PUBKEY;
260 agent = TRUE;
261 }
262 else if (streq(str, "key"))
263 {
264 auth_class = AUTH_CLASS_PUBKEY;
265 }
266 }
267
268 /**
269 * Register credentials
270 */
271 creds = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds;
272 creds->clear(creds);
273
274 /* gateway/CA cert */
275 str = nm_setting_vpn_get_data_item(settings, "certificate");
276 if (str)
277 {
278 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
279 BUILD_FROM_FILE, str, BUILD_END);
280 creds->set_certificate(creds, cert);
281 }
282 if (!cert)
283 {
284 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
285 "Loading gateway certificate failed.");
286 return FALSE;
287 }
288 x509 = (x509_t*)cert;
289 if (x509->get_flags(x509) & X509_CA)
290 { /* If the user configured a CA certificate, we use the IP/DNS
291 * of the gateway as its identity. This identity will be used for
292 * certificate lookup and requires the configured IP/DNS to be
293 * included in the gateway certificate. */
294 gateway = identification_create_from_string((char*)address);
295 DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
296 }
297 else
298 { /* For a gateway certificate, we use the cert subject as identity. */
299 gateway = cert->get_subject(cert);
300 gateway = gateway->clone(gateway);
301 DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
302 }
303
304 if (auth_class == AUTH_CLASS_EAP)
305 {
306 /* username/password authentication ... */
307 str = nm_setting_vpn_get_data_item(settings, "user");
308 if (str)
309 {
310 user = identification_create_from_string((char*)str);
311 str = nm_setting_vpn_get_secret(settings, "password");
312 creds->set_username_password(creds, user, (char*)str);
313 }
314 }
315
316 if (auth_class == AUTH_CLASS_PUBKEY)
317 {
318 /* ... or certificate/private key authenitcation */
319 str = nm_setting_vpn_get_data_item(settings, "usercert");
320 if (str)
321 {
322 public_key_t *public;
323 private_key_t *private = NULL;
324
325 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
326 BUILD_FROM_FILE, str, BUILD_END);
327 if (!cert)
328 {
329 g_set_error(err, NM_VPN_PLUGIN_ERROR,
330 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
331 "Loading peer certificate failed.");
332 gateway->destroy(gateway);
333 return FALSE;
334 }
335 /* try agent */
336 str = nm_setting_vpn_get_secret(settings, "agent");
337 if (agent && str)
338 {
339 public = cert->get_public_key(cert);
340 if (public)
341 {
342 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
343 public->get_type(public),
344 BUILD_AGENT_SOCKET, str,
345 BUILD_PUBLIC_KEY, public,
346 BUILD_END);
347 public->destroy(public);
348 }
349 if (!private)
350 {
351 g_set_error(err, NM_VPN_PLUGIN_ERROR,
352 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
353 "Connecting to SSH agent failed.");
354 }
355 }
356 /* ... or key file */
357 str = nm_setting_vpn_get_data_item(settings, "userkey");
358 if (!agent && str)
359 {
360 chunk_t secret, chunk;
361 bool pgp = FALSE;
362
363 secret.ptr = (char*)nm_setting_vpn_get_secret(settings,
364 "password");
365 if (secret.ptr)
366 {
367 secret.len = strlen(secret.ptr);
368 }
369 if (pem_asn1_load_file((char*)str, &secret, &chunk, &pgp))
370 {
371 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
372 KEY_RSA, BUILD_BLOB_ASN1_DER, chunk, BUILD_END);
373 free(chunk.ptr);
374 }
375 if (!private)
376 {
377 g_set_error(err, NM_VPN_PLUGIN_ERROR,
378 NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
379 "Loading private key failed.");
380 }
381 }
382 if (private)
383 {
384 user = cert->get_subject(cert);
385 user = user->clone(user);
386 creds->set_cert_and_key(creds, cert, private);
387 }
388 else
389 {
390 DESTROY_IF(cert);
391 gateway->destroy(gateway);
392 return FALSE;
393 }
394 }
395 }
396
397 if (!user)
398 {
399 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
400 "Configuration parameters missing.");
401 gateway->destroy(gateway);
402 return FALSE;
403 }
404
405 /**
406 * Set up configurations
407 */
408 ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", (char*)address);
409 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
410 peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
411 CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
412 36000, 0, /* rekey 10h, reauth none */
413 600, 600, /* jitter, over 10min */
414 TRUE, 0, /* mobike, DPD */
415 virtual ? host_create_from_string("0.0.0.0", 0) : NULL,
416 NULL, FALSE, NULL, NULL); /* pool, mediation */
417 auth = auth_cfg_create();
418 auth->add(auth, AUTH_RULE_AUTH_CLASS, auth_class);
419 auth->add(auth, AUTH_RULE_IDENTITY, user);
420 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
421 auth = auth_cfg_create();
422 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
423 auth->add(auth, AUTH_RULE_IDENTITY, gateway);
424 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
425
426 child_cfg = child_cfg_create(CONFIG_NAME,
427 10800, 10200, /* lifetime 3h, rekey 2h50min */
428 300, /* jitter 5min */
429 NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */
430 ACTION_NONE, ACTION_NONE, ipcomp);
431 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
432 ts = traffic_selector_create_dynamic(0, 0, 65535);
433 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
434 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
435 "0.0.0.0", 0,
436 "255.255.255.255", 65535);
437 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
438 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
439
440 /**
441 * Prepare IKE_SA
442 */
443 ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
444 peer_cfg);
445 if (!ike_sa->get_peer_cfg(ike_sa))
446 {
447 ike_sa->set_peer_cfg(ike_sa, peer_cfg);
448 }
449 else
450 {
451 peer_cfg->destroy(peer_cfg);
452 }
453
454 /**
455 * Register listener, enable initiate-failure-detection hooks
456 */
457 NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->ike_sa = ike_sa;
458 listener = &NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->listener;
459 listener->ike_state_change = ike_state_change;
460 listener->child_state_change = child_state_change;
461 charon->bus->add_listener(charon->bus, listener);
462
463 /**
464 * Initiate
465 */
466 if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
467 {
468 charon->bus->remove_listener(charon->bus, listener);
469 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
470
471 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
472 "Initiating failed.");
473 return FALSE;
474 }
475 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
476 return TRUE;
477 }
478
479 /**
480 * NeedSecrets called from NM via DBUS
481 */
482 static gboolean need_secrets(NMVPNPlugin *plugin, NMConnection *connection,
483 char **setting_name, GError **error)
484 {
485 NMSettingVPN *settings;
486 const char *method, *path;
487 chunk_t secret = chunk_empty, key;
488 bool pgp = FALSE;
489
490 settings = NM_SETTING_VPN(nm_connection_get_setting(connection,
491 NM_TYPE_SETTING_VPN));
492 method = nm_setting_vpn_get_data_item(settings, "method");
493 if (method)
494 {
495 if (streq(method, "eap"))
496 {
497 if (nm_setting_vpn_get_secret(settings, "password"))
498 {
499 return FALSE;
500 }
501 }
502 else if (streq(method, "agent"))
503 {
504 if (nm_setting_vpn_get_secret(settings, "agent"))
505 {
506 return FALSE;
507 }
508 }
509 else if (streq(method, "key"))
510 {
511 path = nm_setting_vpn_get_data_item(settings, "userkey");
512 if (path)
513 {
514 secret.ptr = (char*)nm_setting_vpn_get_secret(settings, "password");
515 if (secret.ptr)
516 {
517 secret.len = strlen(secret.ptr);
518 }
519 if (pem_asn1_load_file((char*)path, &secret, &key, &pgp))
520 {
521 free(key.ptr);
522 return FALSE;
523 }
524 }
525 }
526 }
527 *setting_name = NM_SETTING_VPN_SETTING_NAME;
528 return TRUE;
529 }
530
531 /**
532 * Disconnect called from NM via DBUS
533 */
534 static gboolean disconnect(NMVPNPlugin *plugin, GError **err)
535 {
536 enumerator_t *enumerator;
537 ike_sa_t *ike_sa;
538 u_int id;
539
540 enumerator = charon->controller->create_ike_sa_enumerator(charon->controller);
541 while (enumerator->enumerate(enumerator, &ike_sa))
542 {
543 if (streq(CONFIG_NAME, ike_sa->get_name(ike_sa)))
544 {
545 id = ike_sa->get_unique_id(ike_sa);
546 enumerator->destroy(enumerator);
547 charon->controller->terminate_ike(charon->controller, id,
548 controller_cb_empty, NULL);
549 return TRUE;
550 }
551 }
552 enumerator->destroy(enumerator);
553
554 g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_GENERAL,
555 "Connection not found.");
556 return FALSE;
557 }
558
559 /**
560 * Initializer
561 */
562 static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
563 {
564 NMStrongswanPluginPrivate *private;
565
566 private = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
567 private->plugin = NM_VPN_PLUGIN(plugin);
568 memset(&private->listener.log, 0, sizeof(listener_t));
569 private->listener.child_updown = child_updown;
570 private->listener.ike_rekey = ike_rekey;
571 }
572
573 /**
574 * Class constructor
575 */
576 static void nm_strongswan_plugin_class_init(
577 NMStrongswanPluginClass *strongswan_class)
578 {
579 NMVPNPluginClass *parent_class = NM_VPN_PLUGIN_CLASS(strongswan_class);
580
581 g_type_class_add_private(G_OBJECT_CLASS(strongswan_class),
582 sizeof(NMStrongswanPluginPrivate));
583 parent_class->connect = connect_;
584 parent_class->need_secrets = need_secrets;
585 parent_class->disconnect = disconnect;
586 }
587
588 /**
589 * Object constructor
590 */
591 NMStrongswanPlugin *nm_strongswan_plugin_new(nm_creds_t *creds,
592 nm_handler_t *handler)
593 {
594 NMStrongswanPlugin *plugin = (NMStrongswanPlugin *)g_object_new (
595 NM_TYPE_STRONGSWAN_PLUGIN,
596 NM_VPN_PLUGIN_DBUS_SERVICE_NAME, NM_DBUS_SERVICE_STRONGSWAN,
597 NULL);
598 if (plugin)
599 {
600 NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->creds = creds;
601 NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin)->handler = handler;
602 }
603 return plugin;
604 }
605