enforce DN of configured gateway certificate
authorMartin Willi <martin@strongswan.org>
Mon, 25 Aug 2008 07:50:21 +0000 (07:50 -0000)
committerMartin Willi <martin@strongswan.org>
Mon, 25 Aug 2008 07:50:21 +0000 (07:50 -0000)
src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
src/charon/plugins/nm/nm_service.c

index bffc88e..5a1b176 100644 (file)
                     <property name="column_spacing">6</property>
                     <property name="row_spacing">6</property>
                     <child>
-                      <widget class="GtkFileChooserButton" id="certificate-button">
-                        <property name="visible">True</property>
-                        <property name="tooltip_text">Gateway or CA certificate to use for gateway authentication.</property>
-                      </widget>
-                      <packing>
-                        <property name="left_attach">1</property>
-                        <property name="right_attach">2</property>
-                        <property name="top_attach">1</property>
-                        <property name="bottom_attach">2</property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkLabel" id="certificate-label">
+                      <widget class="GtkLabel" id="address-label">
                         <property name="visible">True</property>
                         <property name="xalign">0</property>
-                        <property name="label" translatable="yes">_Certificate:</property>
+                        <property name="label" translatable="yes">_Address:</property>
                         <property name="use_underline">True</property>
-                        <property name="mnemonic_widget">certificate-button</property>
+                        <property name="mnemonic_widget">address-entry</property>
                       </widget>
                       <packing>
-                        <property name="top_attach">1</property>
-                        <property name="bottom_attach">2</property>
                         <property name="x_options">GTK_FILL</property>
                         <property name="y_options"></property>
                       </packing>
                       </packing>
                     </child>
                     <child>
-                      <widget class="GtkLabel" id="address-label">
+                      <widget class="GtkLabel" id="certificate-label">
                         <property name="visible">True</property>
                         <property name="xalign">0</property>
-                        <property name="label" translatable="yes">_Address:</property>
+                        <property name="label" translatable="yes">_Certificate:</property>
                         <property name="use_underline">True</property>
-                        <property name="mnemonic_widget">address-entry</property>
+                        <property name="mnemonic_widget">certificate-button</property>
                       </widget>
                       <packing>
+                        <property name="top_attach">1</property>
+                        <property name="bottom_attach">2</property>
                         <property name="x_options">GTK_FILL</property>
                         <property name="y_options"></property>
                       </packing>
                     </child>
+                    <child>
+                      <widget class="GtkFileChooserButton" id="certificate-button">
+                        <property name="visible">True</property>
+                        <property name="tooltip_text">Gateway certificate to use for gateway authentication.</property>
+                      </widget>
+                      <packing>
+                        <property name="left_attach">1</property>
+                        <property name="right_attach">2</property>
+                        <property name="top_attach">1</property>
+                        <property name="bottom_attach">2</property>
+                      </packing>
+                    </child>
                   </widget>
                 </child>
               </widget>
                     <property name="column_spacing">6</property>
                     <property name="row_spacing">6</property>
                     <child>
-                      <widget class="GtkLabel" id="user-label">
-                        <property name="visible">True</property>
-                        <property name="xalign">0</property>
-                        <property name="label" translatable="yes">_Username:</property>
-                        <property name="use_underline">True</property>
-                        <property name="mnemonic_widget">user-entry</property>
-                      </widget>
-                      <packing>
-                        <property name="x_options">GTK_FILL</property>
-                        <property name="y_options"></property>
-                      </packing>
-                    </child>
-                    <child>
-                      <widget class="GtkComboBox" id="method-combo">
+                      <widget class="GtkEntry" id="user-entry">
                         <property name="visible">True</property>
+                        <property name="can_focus">True</property>
                         <property name="has_tooltip">True</property>
-                        <property name="tooltip_text">Authentication Method to use for authentication against the Gateway. </property>
-                        <property name="items"></property>
+                        <property name="tooltip_text">The username (identity) to use for authentication against the gateway.</property>
                       </widget>
                       <packing>
                         <property name="left_attach">1</property>
                         <property name="right_attach">2</property>
-                        <property name="top_attach">1</property>
-                        <property name="bottom_attach">2</property>
+                        <property name="y_options"></property>
                       </packing>
                     </child>
                     <child>
                       </packing>
                     </child>
                     <child>
-                      <widget class="GtkEntry" id="user-entry">
+                      <widget class="GtkComboBox" id="method-combo">
                         <property name="visible">True</property>
-                        <property name="can_focus">True</property>
                         <property name="has_tooltip">True</property>
-                        <property name="tooltip_text">The username (identity) to use for authentication against the gateway.</property>
+                        <property name="tooltip_text">Authentication Method to use for authentication against the Gateway. </property>
+                        <property name="items"></property>
                       </widget>
                       <packing>
                         <property name="left_attach">1</property>
                         <property name="right_attach">2</property>
+                        <property name="top_attach">1</property>
+                        <property name="bottom_attach">2</property>
+                      </packing>
+                    </child>
+                    <child>
+                      <widget class="GtkLabel" id="user-label">
+                        <property name="visible">True</property>
+                        <property name="xalign">0</property>
+                        <property name="label" translatable="yes">_Username:</property>
+                        <property name="use_underline">True</property>
+                        <property name="mnemonic_widget">user-entry</property>
+                      </widget>
+                      <packing>
+                        <property name="x_options">GTK_FILL</property>
                         <property name="y_options"></property>
                       </packing>
                     </child>
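--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -163,7 +163,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 {
        nm_creds_t *creds;
        NMSettingVPN *settings;
-       identification_t *user = NULL;
+       identification_t *user = NULL, *gateway;
        char *address, *str;
        bool virtual, encap, ipcomp;
        ike_cfg_t *ike_cfg;
@@ -173,6 +173,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        ike_sa_t *ike_sa;
        auth_info_t *auth;
        auth_class_t auth_class = AUTH_CLASS_EAP;
+       certificate_t *cert = NULL;
        
        /**
         * Read parameters
@@ -229,12 +230,17 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
        str = g_hash_table_lookup(settings->data, "certificate");
        if (str)
        {
-               certificate_t *cert;
-               
                cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
                                                                  BUILD_FROM_FILE, str, BUILD_END);
                creds->set_certificate(creds, cert);
        }
+       if (!cert)
+       {
+               g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+                                   "Loading certificate failed.");
+               return FALSE;
+       }
+       gateway = cert->get_subject(cert);
        str = g_hash_table_lookup(settings->data, "password");
        if (str)
        {
@@ -246,8 +252,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
         */
        ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", address);
        ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
-       peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg, user,
-                                       identification_create_from_encoding(ID_ANY, chunk_empty),
+       peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
+                                       user, gateway->clone(gateway),
                                        CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
                                        18000, 0, /* rekey 5h, reauth none */
                                        600, 600, /* jitter, over 10min */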
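Review bot: In the `@@ -229` hunk, `creds->set_certificate(creds, cert)` still runs inside the `if (str)` block before the new `if (!cert)` check, so a certificate file that fails to parse is handed to the credential set as NULL just before connect_ returns FALSE; whether set_certificate tolerates a NULL certificate is not visible here. Moving the call after the check keeps the credential set untouched on the failure path: `if (!cert) { ... return FALSE; }` followed by `creds->set_certificate(creds, cert);` and then `gateway = cert->get_subject(cert);`. The error text `"Loading certificate failed."` is also what the user sees when no certificate is configured at all (`str == NULL`); now that the gateway DN is derived from the certificate subject, a message such as `str ? "Loading certificate failed." : "No gateway certificate configured."` tells the two cases apart. If `user` has already been created by the time this early return is reached it is not released on that path; the start and end of connect_ are outside the hunk, so this needs checking against the full function.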