nm uses the distributions trusted root CAs if none is explicitly specified
authorMartin Willi <martin@strongswan.org>
Fri, 18 Sep 2009 12:29:50 +0000 (14:29 +0200)
committerMartin Willi <martin@strongswan.org>
Fri, 18 Sep 2009 12:34:27 +0000 (14:34 +0200)
NEWS
configure.in
src/charon/plugins/nm/Makefile.am
src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
src/charon/plugins/nm/nm_creds.c
src/charon/plugins/nm/nm_creds.h
src/charon/plugins/nm/nm_service.c

diff --git a/NEWS b/NEWS
index b4f452f..56b34bf 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,12 @@ strongswan-4.3.5
   'marginbytes' and 'marginpackets' trigger the rekeying before a SA expires.
   The existing parameter 'rekeyfuzz' affects all margins.
 
+- If no CA/Gateway certificate is specified in the NetworkManager plugin,
+  charon uses a set of trusted root certificates preinstalled by distributions.
+  The directory containing CA certificates can be specified using the
+  --with-nm-ca-dir=path configure option.
+
+
 strongswan-4.3.4
 ----------------
 
index b29e29c..724fd85 100644 (file)
@@ -36,6 +36,7 @@ ARG_WITH_SUBST([piddir],             [/var/run], [set path for PID and UNIX sock
 ARG_WITH_SUBST([ipsecdir],           [${libexecdir%/}/ipsec], [set installation path for ipsec tools])
 ARG_WITH_SUBST([plugindir],          [${ipsecdir%/}/plugins], [set the installation path of plugins])
 ARG_WITH_SUBST([sim-reader],         [${plugindir%/}/libeapsim-file.so], [set library containing the sim_run_alg()/sim_get_triplet() functions for EAP-SIM])
+ARG_WITH_SUBST([nm-ca-dir],          [/usr/share/ca-certificates], [directory the NM plugin uses to look up trusted root certificates])
 ARG_WITH_SUBST([linux-headers],      [\${top_srcdir}/src/include], [set directory of linux header files to use])
 ARG_WITH_SUBST([routing-table],      [220], [set routing table to use for IPsec routes])
 ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
index b74a4e4..56eae6e 100644 (file)
@@ -1,7 +1,8 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFLAGS}
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+  -DNM_CA_DIR=\"${nm_ca_dir}\"
 
 plugin_LTLIBRARIES = libstrongswan-nm.la
 libstrongswan_nm_la_SOURCES = \
index fe70bc8..03a94e9 100644 (file)
@@ -81,7 +81,7 @@
                     <child>
                       <widget class="GtkFileChooserButton" id="certificate-button">
                         <property name="visible">True</property>
-                        <property name="tooltip">Gateway or CA certificate to use for gateway authentication.</property>
+                        <property name="tooltip">Gateway or CA certificate to use for gateway authentication. If none is specified, pre-installed CA certificates are used.</property>
                       </widget>
                       <packing>
                         <property name="left_attach">1</property>
index f9b852d..c28b055 100644 (file)
 
 #include "nm_creds.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
 #include <daemon.h>
 #include <utils/mutex.h>
+#include <credentials/certificates/x509.h>
 
 typedef struct private_nm_creds_t private_nm_creds_t;
 
@@ -31,9 +36,9 @@ struct private_nm_creds_t {
        nm_creds_t public;
 
        /**
-        * gateway certificate
+        * List of trusted certificates, certificate_t*
         */
-       certificate_t *cert;
+       linked_list_t *certs;
 
        /**
         * User name
@@ -94,6 +99,82 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
 }
 
 /**
+ * CA certificate enumerator data
+ */
+typedef struct {
+       /** ref to credential credential store */
+       private_nm_creds_t *this;
+       /** type of key we are looking for */
+       key_type_t key;
+       /** CA certificate ID */
+       identification_t *id;
+} cert_data_t;
+
+/**
+ * Destroy CA certificate enumerator data
+ */
+static void cert_data_destroy(cert_data_t *data)
+{
+       data->this->lock->unlock(data->this->lock);
+       free(data);
+}
+
+/**
+ * Filter function for certificates enumerator
+ */
+static bool cert_filter(cert_data_t *data, certificate_t **in,
+                                                certificate_t **out)
+{
+       certificate_t *cert = *in;
+       public_key_t *public;
+       chunk_t keyid;
+
+       public = cert->get_public_key(cert);
+       if (!public)
+       {
+               return FALSE;
+       }
+       if (data->key != KEY_ANY && public->get_type(public) != data->key)
+       {
+               public->destroy(public);
+               return FALSE;
+       }
+       if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
+               public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid) &&
+               chunk_equals(keyid, data->id->get_encoding(data->id)))
+       {
+               public->destroy(public);
+               *out = cert;
+               return TRUE;
+       }
+       public->destroy(public);
+       if (data->id && !cert->has_subject(cert, data->id))
+       {
+               return FALSE;
+       }
+       *out = cert;
+       return TRUE;
+}
+
+/**
+ * Create enumerator for trusted certificates
+ */
+static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this,
+                                                                               key_type_t key, identification_t *id)
+{
+       cert_data_t *data = malloc_thing(cert_data_t);
+
+       data->this = this;
+       data->id = id;
+       data->key = key;
+
+       this->lock->read_lock(this->lock);
+       return enumerator_create_filter(
+                                       this->certs->create_enumerator(this->certs),
+                                       (void*)cert_filter, data, (void*)cert_data_destroy);
+}
+
+/**
  * Implements credential_set_t.create_cert_enumerator
  */
 static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
@@ -105,38 +186,11 @@ static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
        {
                return create_usercert_enumerator(this, cert, key);
        }
-
-       if (!this->cert)
-       {
-               return NULL;
-       }
-       if (cert != CERT_ANY && cert != this->cert->get_type(this->cert))
-       {
-               return NULL;
-       }
-       if (id && !this->cert->has_subject(this->cert, id))
+       if (cert == CERT_X509 || cert == CERT_ANY)
        {
-               return NULL;
+               return create_trusted_cert_enumerator(this, key, id);
        }
-       if (key != KEY_ANY)
-       {
-               public_key_t *public;
-
-               public = this->cert->get_public_key(this->cert);
-               if (!public)
-               {
-                       return NULL;
-               }
-               if (public->get_type(public) != key)
-               {
-                       public->destroy(public);
-                       return NULL;
-               }
-               public->destroy(public);
-       }
-       this->lock->read_lock(this->lock);
-       return enumerator_create_cleaner(enumerator_create_single(this->cert, NULL),
-                                                                        (void*)this->lock->unlock, this->lock);
+       return NULL;
 }
 
 /**
@@ -240,17 +294,73 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 }
 
 /**
- * Implementation of nm_creds_t.set_certificate
+ * Implementation of nm_creds_t.add_certificate
  */
-static void set_certificate(private_nm_creds_t *this, certificate_t *cert)
+static void add_certificate(private_nm_creds_t *this, certificate_t *cert)
 {
        this->lock->write_lock(this->lock);
-       DESTROY_IF(this->cert);
-       this->cert = cert;
+       this->certs->insert_last(this->certs, cert);
        this->lock->unlock(this->lock);
 }
 
 /**
+ * Load a certificate file
+ */
+static void load_ca_file(private_nm_creds_t *this, char *file)
+{
+       certificate_t *cert;
+
+       /* We add the CA constraint, as many CAs miss it */
+       cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+                                                         BUILD_FROM_FILE, file, BUILD_END);
+       if (!cert)
+       {
+               DBG1(DBG_CFG, "loading CA certificate '%s' failed", file);
+       }
+       else
+       {
+               DBG2(DBG_CFG, "loaded CA certificate '%Y'", cert->get_subject(cert));
+               x509_t *x509 = (x509_t*)cert;
+               if (!(x509->get_flags(x509) & X509_SELF_SIGNED))
+               {
+                       DBG1(DBG_CFG, "%Y is not self signed", cert->get_subject(cert));
+               }
+               this->certs->insert_last(this->certs, cert);
+       }
+}
+
+/**
+ * Implementation of nm_creds_t.load_ca_dir
+ */
+static void load_ca_dir(private_nm_creds_t *this, char *dir)
+{
+       enumerator_t *enumerator;
+       char *rel, *abs;
+       struct stat st;
+
+       enumerator = enumerator_create_directory(dir);
+       if (enumerator)
+       {
+               while (enumerator->enumerate(enumerator, &rel, &abs, &st))
+               {
+                       /* skip '.', '..' and hidden files */
+                       if (rel[0] != '.')
+                       {
+                               if (S_ISDIR(st.st_mode))
+                               {
+                                       load_ca_dir(this, abs);
+                               }
+                               else if (S_ISREG(st.st_mode))
+                               {
+                                       load_ca_file(this, abs);
+                               }
+                       }
+               }
+               enumerator->destroy(enumerator);
+       }
+}
+
+/**
  * Implementation of nm_creds_t.set_password
  */
 static void set_username_password(private_nm_creds_t *this, identification_t *id,
@@ -283,7 +393,12 @@ static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
  */
 static void clear(private_nm_creds_t *this)
 {
-       DESTROY_IF(this->cert);
+       certificate_t *cert;
+
+       while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
+       {
+               cert->destroy(cert);
+       }
        DESTROY_IF(this->user);
        free(this->pass);
        DESTROY_IF(this->usercert);
@@ -291,7 +406,6 @@ static void clear(private_nm_creds_t *this)
        this->key = NULL;
        this->usercert = NULL;
        this->pass = NULL;
-       this->cert = NULL;
        this->user = NULL;
 }
 
@@ -301,6 +415,7 @@ static void clear(private_nm_creds_t *this)
 static void destroy(private_nm_creds_t *this)
 {
        clear(this);
+       this->certs->destroy(this->certs);
        this->lock->destroy(this->lock);
        free(this);
 }
@@ -317,7 +432,8 @@ nm_creds_t *nm_creds_create()
        this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
        this->public.set.create_cdp_enumerator = (void*)return_null;
        this->public.set.cache_cert = (void*)nop;
-       this->public.set_certificate = (void(*)(nm_creds_t*, certificate_t *cert))set_certificate;
+       this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
+       this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
        this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
        this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
        this->public.clear = (void(*)(nm_creds_t*))clear;
@@ -325,7 +441,7 @@ nm_creds_t *nm_creds_create()
 
        this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 
-       this->cert = NULL;
+       this->certs = linked_list_create();
        this->user = NULL;
        this->pass = NULL;
        this->usercert = NULL;
index 754fe53..b55cff3 100644 (file)
@@ -37,11 +37,18 @@ struct nm_creds_t {
        credential_set_t set;
 
        /**
-        * Set the trusted gateway certificate to serve by this set.
+        * Add a trusted gateway certificate to serve by this set.
         *
         * @param cert          certificate to serve
         */
-       void (*set_certificate)(nm_creds_t *this, certificate_t *cert);
+       void (*add_certificate)(nm_creds_t *this, certificate_t *cert);
+
+       /**
+        * Load CA certificates recursively from a directory.
+        *
+        * @param dir           directory to PEM encoded CA certificates
+        */
+       void (*load_ca_dir)(nm_creds_t *this, char *dir);
 
        /**
         * Set the username/password for authentication.
index 412a97f..04c7b2b 100644 (file)
@@ -212,7 +212,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        NMStrongswanPluginPrivate *priv;
        NMSettingConnection *conn;
        NMSettingVPN *vpn;
-       identification_t *user = NULL, *gateway;
+       identification_t *user = NULL, *gateway = NULL;
        const char *address, *str;
        bool virtual, encap, ipcomp;
        ike_cfg_t *ike_cfg;
@@ -292,29 +292,37 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        {
                cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                                  BUILD_FROM_FILE, str, BUILD_END);
-               priv->creds->set_certificate(priv->creds, cert);
+               if (!cert)
+               {
+                       g_set_error(err, NM_VPN_PLUGIN_ERROR,
+                                               NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+                                               "Loading gateway certificate failed.");
+                       return FALSE;
+               }
+               priv->creds->add_certificate(priv->creds, cert);
+
+               x509 = (x509_t*)cert;
+               if (!(x509->get_flags(x509) & X509_CA))
+               {       /* For a gateway certificate, we use the cert subject as identity. */
+                       gateway = cert->get_subject(cert);
+                       gateway = gateway->clone(gateway);
+                       DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
+               }
        }
-       if (!cert)
+       else
        {
-               g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-                                       "Loading gateway certificate failed.");
-               return FALSE;
+               /* no certificate defined, fall back to system-wide CA certificates */
+               priv->creds->load_ca_dir(priv->creds, NM_CA_DIR);
        }
-       x509 = (x509_t*)cert;
-       if (x509->get_flags(x509) & X509_CA)
-       {       /* If the user configured a CA certificate, we use the IP/DNS
+       if (!gateway)
+       {
+               /* If the user configured a CA certificate, we use the IP/DNS
                 * of the gateway as its identity. This identity will be used for
                 * certificate lookup and requires the configured IP/DNS to be
                 * included in the gateway certificate. */
                gateway = identification_create_from_string((char*)address);
                DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
        }
-       else
-       {       /* For a gateway certificate, we use the cert subject as identity. */
-               gateway = cert->get_subject(cert);
-               gateway = gateway->clone(gateway);
-               DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
-       }
 
        if (auth_class == AUTH_CLASS_EAP)
        {