nm uses the distributions trusted root CAs if none is explicitly specified
This commit is contained in:
parent
d245f5cf33
commit
85af7a89c6
6
NEWS
6
NEWS
|
@ -22,6 +22,12 @@ strongswan-4.3.5
|
|||
'marginbytes' and 'marginpackets' trigger the rekeying before a SA expires.
|
||||
The existing parameter 'rekeyfuzz' affects all margins.
|
||||
|
||||
- If no CA/Gateway certificate is specified in the NetworkManager plugin,
|
||||
charon uses a set of trusted root certificates preinstalled by distributions.
|
||||
The directory containing CA certificates can be specified using the
|
||||
--with-nm-ca-dir=path configure option.
|
||||
|
||||
|
||||
strongswan-4.3.4
|
||||
----------------
|
||||
|
||||
|
|
|
@ -36,6 +36,7 @@ ARG_WITH_SUBST([piddir], [/var/run], [set path for PID and UNIX sock
|
|||
ARG_WITH_SUBST([ipsecdir], [${libexecdir%/}/ipsec], [set installation path for ipsec tools])
|
||||
ARG_WITH_SUBST([plugindir], [${ipsecdir%/}/plugins], [set the installation path of plugins])
|
||||
ARG_WITH_SUBST([sim-reader], [${plugindir%/}/libeapsim-file.so], [set library containing the sim_run_alg()/sim_get_triplet() functions for EAP-SIM])
|
||||
ARG_WITH_SUBST([nm-ca-dir], [/usr/share/ca-certificates], [directory the NM plugin uses to look up trusted root certificates])
|
||||
ARG_WITH_SUBST([linux-headers], [\${top_srcdir}/src/include], [set directory of linux header files to use])
|
||||
ARG_WITH_SUBST([routing-table], [220], [set routing table to use for IPsec routes])
|
||||
ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table])
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
|
||||
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFLAGS}
|
||||
|
||||
AM_CFLAGS = -rdynamic
|
||||
AM_CFLAGS = -rdynamic \
|
||||
-DNM_CA_DIR=\"${nm_ca_dir}\"
|
||||
|
||||
plugin_LTLIBRARIES = libstrongswan-nm.la
|
||||
libstrongswan_nm_la_SOURCES = \
|
||||
|
|
|
@ -81,7 +81,7 @@
|
|||
<child>
|
||||
<widget class="GtkFileChooserButton" id="certificate-button">
|
||||
<property name="visible">True</property>
|
||||
<property name="tooltip">Gateway or CA certificate to use for gateway authentication.</property>
|
||||
<property name="tooltip">Gateway or CA certificate to use for gateway authentication. If none is specified, pre-installed CA certificates are used.</property>
|
||||
</widget>
|
||||
<packing>
|
||||
<property name="left_attach">1</property>
|
||||
|
|
|
@ -15,8 +15,13 @@
|
|||
|
||||
#include "nm_creds.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <daemon.h>
|
||||
#include <utils/mutex.h>
|
||||
#include <credentials/certificates/x509.h>
|
||||
|
||||
typedef struct private_nm_creds_t private_nm_creds_t;
|
||||
|
||||
|
@ -31,9 +36,9 @@ struct private_nm_creds_t {
|
|||
nm_creds_t public;
|
||||
|
||||
/**
|
||||
* gateway certificate
|
||||
* List of trusted certificates, certificate_t*
|
||||
*/
|
||||
certificate_t *cert;
|
||||
linked_list_t *certs;
|
||||
|
||||
/**
|
||||
* User name
|
||||
|
@ -93,6 +98,82 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
|
|||
(void*)this->lock->unlock, this->lock);
|
||||
}
|
||||
|
||||
/**
|
||||
* CA certificate enumerator data
|
||||
*/
|
||||
typedef struct {
|
||||
/** ref to credential credential store */
|
||||
private_nm_creds_t *this;
|
||||
/** type of key we are looking for */
|
||||
key_type_t key;
|
||||
/** CA certificate ID */
|
||||
identification_t *id;
|
||||
} cert_data_t;
|
||||
|
||||
/**
|
||||
* Destroy CA certificate enumerator data
|
||||
*/
|
||||
static void cert_data_destroy(cert_data_t *data)
|
||||
{
|
||||
data->this->lock->unlock(data->this->lock);
|
||||
free(data);
|
||||
}
|
||||
|
||||
/**
|
||||
* Filter function for certificates enumerator
|
||||
*/
|
||||
static bool cert_filter(cert_data_t *data, certificate_t **in,
|
||||
certificate_t **out)
|
||||
{
|
||||
certificate_t *cert = *in;
|
||||
public_key_t *public;
|
||||
chunk_t keyid;
|
||||
|
||||
public = cert->get_public_key(cert);
|
||||
if (!public)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
if (data->key != KEY_ANY && public->get_type(public) != data->key)
|
||||
{
|
||||
public->destroy(public);
|
||||
return FALSE;
|
||||
}
|
||||
if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
|
||||
public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid) &&
|
||||
chunk_equals(keyid, data->id->get_encoding(data->id)))
|
||||
{
|
||||
public->destroy(public);
|
||||
*out = cert;
|
||||
return TRUE;
|
||||
}
|
||||
public->destroy(public);
|
||||
if (data->id && !cert->has_subject(cert, data->id))
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
*out = cert;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create enumerator for trusted certificates
|
||||
*/
|
||||
static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this,
|
||||
key_type_t key, identification_t *id)
|
||||
{
|
||||
cert_data_t *data = malloc_thing(cert_data_t);
|
||||
|
||||
data->this = this;
|
||||
data->id = id;
|
||||
data->key = key;
|
||||
|
||||
this->lock->read_lock(this->lock);
|
||||
return enumerator_create_filter(
|
||||
this->certs->create_enumerator(this->certs),
|
||||
(void*)cert_filter, data, (void*)cert_data_destroy);
|
||||
}
|
||||
|
||||
/**
|
||||
* Implements credential_set_t.create_cert_enumerator
|
||||
*/
|
||||
|
@ -105,38 +186,11 @@ static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
|
|||
{
|
||||
return create_usercert_enumerator(this, cert, key);
|
||||
}
|
||||
|
||||
if (!this->cert)
|
||||
if (cert == CERT_X509 || cert == CERT_ANY)
|
||||
{
|
||||
return NULL;
|
||||
return create_trusted_cert_enumerator(this, key, id);
|
||||
}
|
||||
if (cert != CERT_ANY && cert != this->cert->get_type(this->cert))
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
if (id && !this->cert->has_subject(this->cert, id))
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
if (key != KEY_ANY)
|
||||
{
|
||||
public_key_t *public;
|
||||
|
||||
public = this->cert->get_public_key(this->cert);
|
||||
if (!public)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
if (public->get_type(public) != key)
|
||||
{
|
||||
public->destroy(public);
|
||||
return NULL;
|
||||
}
|
||||
public->destroy(public);
|
||||
}
|
||||
this->lock->read_lock(this->lock);
|
||||
return enumerator_create_cleaner(enumerator_create_single(this->cert, NULL),
|
||||
(void*)this->lock->unlock, this->lock);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -240,16 +294,72 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
|
|||
}
|
||||
|
||||
/**
|
||||
* Implementation of nm_creds_t.set_certificate
|
||||
* Implementation of nm_creds_t.add_certificate
|
||||
*/
|
||||
static void set_certificate(private_nm_creds_t *this, certificate_t *cert)
|
||||
static void add_certificate(private_nm_creds_t *this, certificate_t *cert)
|
||||
{
|
||||
this->lock->write_lock(this->lock);
|
||||
DESTROY_IF(this->cert);
|
||||
this->cert = cert;
|
||||
this->certs->insert_last(this->certs, cert);
|
||||
this->lock->unlock(this->lock);
|
||||
}
|
||||
|
||||
/**
|
||||
* Load a certificate file
|
||||
*/
|
||||
static void load_ca_file(private_nm_creds_t *this, char *file)
|
||||
{
|
||||
certificate_t *cert;
|
||||
|
||||
/* We add the CA constraint, as many CAs miss it */
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||
BUILD_FROM_FILE, file, BUILD_END);
|
||||
if (!cert)
|
||||
{
|
||||
DBG1(DBG_CFG, "loading CA certificate '%s' failed", file);
|
||||
}
|
||||
else
|
||||
{
|
||||
DBG2(DBG_CFG, "loaded CA certificate '%Y'", cert->get_subject(cert));
|
||||
x509_t *x509 = (x509_t*)cert;
|
||||
if (!(x509->get_flags(x509) & X509_SELF_SIGNED))
|
||||
{
|
||||
DBG1(DBG_CFG, "%Y is not self signed", cert->get_subject(cert));
|
||||
}
|
||||
this->certs->insert_last(this->certs, cert);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of nm_creds_t.load_ca_dir
|
||||
*/
|
||||
static void load_ca_dir(private_nm_creds_t *this, char *dir)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
char *rel, *abs;
|
||||
struct stat st;
|
||||
|
||||
enumerator = enumerator_create_directory(dir);
|
||||
if (enumerator)
|
||||
{
|
||||
while (enumerator->enumerate(enumerator, &rel, &abs, &st))
|
||||
{
|
||||
/* skip '.', '..' and hidden files */
|
||||
if (rel[0] != '.')
|
||||
{
|
||||
if (S_ISDIR(st.st_mode))
|
||||
{
|
||||
load_ca_dir(this, abs);
|
||||
}
|
||||
else if (S_ISREG(st.st_mode))
|
||||
{
|
||||
load_ca_file(this, abs);
|
||||
}
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of nm_creds_t.set_password
|
||||
*/
|
||||
|
@ -283,7 +393,12 @@ static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
|
|||
*/
|
||||
static void clear(private_nm_creds_t *this)
|
||||
{
|
||||
DESTROY_IF(this->cert);
|
||||
certificate_t *cert;
|
||||
|
||||
while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
|
||||
{
|
||||
cert->destroy(cert);
|
||||
}
|
||||
DESTROY_IF(this->user);
|
||||
free(this->pass);
|
||||
DESTROY_IF(this->usercert);
|
||||
|
@ -291,7 +406,6 @@ static void clear(private_nm_creds_t *this)
|
|||
this->key = NULL;
|
||||
this->usercert = NULL;
|
||||
this->pass = NULL;
|
||||
this->cert = NULL;
|
||||
this->user = NULL;
|
||||
}
|
||||
|
||||
|
@ -301,6 +415,7 @@ static void clear(private_nm_creds_t *this)
|
|||
static void destroy(private_nm_creds_t *this)
|
||||
{
|
||||
clear(this);
|
||||
this->certs->destroy(this->certs);
|
||||
this->lock->destroy(this->lock);
|
||||
free(this);
|
||||
}
|
||||
|
@ -317,7 +432,8 @@ nm_creds_t *nm_creds_create()
|
|||
this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
|
||||
this->public.set.create_cdp_enumerator = (void*)return_null;
|
||||
this->public.set.cache_cert = (void*)nop;
|
||||
this->public.set_certificate = (void(*)(nm_creds_t*, certificate_t *cert))set_certificate;
|
||||
this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
|
||||
this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
|
||||
this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
|
||||
this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
|
||||
this->public.clear = (void(*)(nm_creds_t*))clear;
|
||||
|
@ -325,7 +441,7 @@ nm_creds_t *nm_creds_create()
|
|||
|
||||
this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
|
||||
|
||||
this->cert = NULL;
|
||||
this->certs = linked_list_create();
|
||||
this->user = NULL;
|
||||
this->pass = NULL;
|
||||
this->usercert = NULL;
|
||||
|
|
|
@ -37,11 +37,18 @@ struct nm_creds_t {
|
|||
credential_set_t set;
|
||||
|
||||
/**
|
||||
* Set the trusted gateway certificate to serve by this set.
|
||||
* Add a trusted gateway certificate to serve by this set.
|
||||
*
|
||||
* @param cert certificate to serve
|
||||
*/
|
||||
void (*set_certificate)(nm_creds_t *this, certificate_t *cert);
|
||||
void (*add_certificate)(nm_creds_t *this, certificate_t *cert);
|
||||
|
||||
/**
|
||||
* Load CA certificates recursively from a directory.
|
||||
*
|
||||
* @param dir directory to PEM encoded CA certificates
|
||||
*/
|
||||
void (*load_ca_dir)(nm_creds_t *this, char *dir);
|
||||
|
||||
/**
|
||||
* Set the username/password for authentication.
|
||||
|
|
|
@ -212,7 +212,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
|
|||
NMStrongswanPluginPrivate *priv;
|
||||
NMSettingConnection *conn;
|
||||
NMSettingVPN *vpn;
|
||||
identification_t *user = NULL, *gateway;
|
||||
identification_t *user = NULL, *gateway = NULL;
|
||||
const char *address, *str;
|
||||
bool virtual, encap, ipcomp;
|
||||
ike_cfg_t *ike_cfg;
|
||||
|
@ -292,29 +292,37 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
|
|||
{
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||
BUILD_FROM_FILE, str, BUILD_END);
|
||||
priv->creds->set_certificate(priv->creds, cert);
|
||||
if (!cert)
|
||||
{
|
||||
g_set_error(err, NM_VPN_PLUGIN_ERROR,
|
||||
NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
|
||||
"Loading gateway certificate failed.");
|
||||
return FALSE;
|
||||
}
|
||||
priv->creds->add_certificate(priv->creds, cert);
|
||||
|
||||
x509 = (x509_t*)cert;
|
||||
if (!(x509->get_flags(x509) & X509_CA))
|
||||
{ /* For a gateway certificate, we use the cert subject as identity. */
|
||||
gateway = cert->get_subject(cert);
|
||||
gateway = gateway->clone(gateway);
|
||||
DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
|
||||
}
|
||||
}
|
||||
if (!cert)
|
||||
else
|
||||
{
|
||||
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
|
||||
"Loading gateway certificate failed.");
|
||||
return FALSE;
|
||||
/* no certificate defined, fall back to system-wide CA certificates */
|
||||
priv->creds->load_ca_dir(priv->creds, NM_CA_DIR);
|
||||
}
|
||||
x509 = (x509_t*)cert;
|
||||
if (x509->get_flags(x509) & X509_CA)
|
||||
{ /* If the user configured a CA certificate, we use the IP/DNS
|
||||
if (!gateway)
|
||||
{
|
||||
/* If the user configured a CA certificate, we use the IP/DNS
|
||||
* of the gateway as its identity. This identity will be used for
|
||||
* certificate lookup and requires the configured IP/DNS to be
|
||||
* included in the gateway certificate. */
|
||||
gateway = identification_create_from_string((char*)address);
|
||||
DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
|
||||
}
|
||||
else
|
||||
{ /* For a gateway certificate, we use the cert subject as identity. */
|
||||
gateway = cert->get_subject(cert);
|
||||
gateway = gateway->clone(gateway);
|
||||
DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
|
||||
}
|
||||
|
||||
if (auth_class == AUTH_CLASS_EAP)
|
||||
{
|
||||
|
|
Loading…
Reference in New Issue