enforce DN of configured gateway certificate
This commit is contained in:
Martin Willi
parent
7945c90adb
commit
a88aae3df6
|
|
@ -37,28 +37,14 @@
|
|||
<property name="column_spacing">6</property>
|
||||
<property name="row_spacing">6</property>
|
||||
<child>
|
||||
<widget class="GtkFileChooserButton" id="certificate-button">
|
||||
<property name="visible">True</property>
|
||||
<property name="tooltip_text">Gateway or CA certificate to use for gateway authentication.</property>
|
||||
</widget>
|
||||
<packing>
|
||||
<property name="left_attach">1</property>
|
||||
<property name="right_attach">2</property>
|
||||
<property name="top_attach">1</property>
|
||||
<property name="bottom_attach">2</property>
|
||||
</packing>
|
||||
</child>
|
||||
<child>
|
||||
<widget class="GtkLabel" id="certificate-label">
|
||||
<widget class="GtkLabel" id="address-label">
|
||||
<property name="visible">True</property>
|
||||
<property name="xalign">0</property>
|
||||
<property name="label" translatable="yes">_Certificate:</property>
|
||||
<property name="label" translatable="yes">_Address:</property>
|
||||
<property name="use_underline">True</property>
|
||||
<property name="mnemonic_widget">certificate-button</property>
|
||||
<property name="mnemonic_widget">address-entry</property>
|
||||
</widget>
|
||||
<packing>
|
||||
<property name="top_attach">1</property>
|
||||
<property name="bottom_attach">2</property>
|
||||
<property name="x_options">GTK_FILL</property>
|
||||
<property name="y_options"></property>
|
||||
</packing>
|
||||
|
|
@ -77,18 +63,32 @@
|
|||
</packing>
|
||||
</child>
|
||||
<child>
|
||||
<widget class="GtkLabel" id="address-label">
|
||||
<widget class="GtkLabel" id="certificate-label">
|
||||
<property name="visible">True</property>
|
||||
<property name="xalign">0</property>
|
||||
<property name="label" translatable="yes">_Address:</property>
|
||||
<property name="label" translatable="yes">_Certificate:</property>
|
||||
<property name="use_underline">True</property>
|
||||
<property name="mnemonic_widget">address-entry</property>
|
||||
<property name="mnemonic_widget">certificate-button</property>
|
||||
</widget>
|
||||
<packing>
|
||||
<property name="top_attach">1</property>
|
||||
<property name="bottom_attach">2</property>
|
||||
<property name="x_options">GTK_FILL</property>
|
||||
<property name="y_options"></property>
|
||||
</packing>
|
||||
</child>
|
||||
<child>
|
||||
<widget class="GtkFileChooserButton" id="certificate-button">
|
||||
<property name="visible">True</property>
|
||||
<property name="tooltip_text">Gateway certificate to use for gateway authentication.</property>
|
||||
</widget>
|
||||
<packing>
|
||||
<property name="left_attach">1</property>
|
||||
<property name="right_attach">2</property>
|
||||
<property name="top_attach">1</property>
|
||||
<property name="bottom_attach">2</property>
|
||||
</packing>
|
||||
</child>
|
||||
</widget>
|
||||
</child>
|
||||
</widget>
|
||||
|
|
@ -129,14 +129,29 @@
|
|||
<property name="column_spacing">6</property>
|
||||
<property name="row_spacing">6</property>
|
||||
<child>
|
||||
<widget class="GtkLabel" id="user-label">
|
||||
<widget class="GtkEntry" id="user-entry">
|
||||
<property name="visible">True</property>
|
||||
<property name="xalign">0</property>
|
||||
<property name="label" translatable="yes">_Username:</property>
|
||||
<property name="use_underline">True</property>
|
||||
<property name="mnemonic_widget">user-entry</property>
|
||||
<property name="can_focus">True</property>
|
||||
<property name="has_tooltip">True</property>
|
||||
<property name="tooltip_text">The username (identity) to use for authentication against the gateway.</property>
|
||||
</widget>
|
||||
<packing>
|
||||
<property name="left_attach">1</property>
|
||||
<property name="right_attach">2</property>
|
||||
<property name="y_options"></property>
|
||||
</packing>
|
||||
</child>
|
||||
<child>
|
||||
<widget class="GtkLabel" id="method-label">
|
||||
<property name="visible">True</property>
|
||||
<property name="xalign">0</property>
|
||||
<property name="label" translatable="yes">_Method:</property>
|
||||
<property name="use_underline">True</property>
|
||||
<property name="mnemonic_widget">method-combo</property>
|
||||
</widget>
|
||||
<packing>
|
||||
<property name="top_attach">1</property>
|
||||
<property name="bottom_attach">2</property>
|
||||
<property name="x_options">GTK_FILL</property>
|
||||
<property name="y_options"></property>
|
||||
</packing>
|
||||
|
|
@ -156,33 +171,18 @@
|
|||
</packing>
|
||||
</child>
|
||||
<child>
|
||||
<widget class="GtkLabel" id="method-label">
|
||||
<widget class="GtkLabel" id="user-label">
|
||||
<property name="visible">True</property>
|
||||
<property name="xalign">0</property>
|
||||
<property name="label" translatable="yes">_Method:</property>
|
||||
<property name="label" translatable="yes">_Username:</property>
|
||||
<property name="use_underline">True</property>
|
||||
<property name="mnemonic_widget">method-combo</property>
|
||||
<property name="mnemonic_widget">user-entry</property>
|
||||
</widget>
|
||||
<packing>
|
||||
<property name="top_attach">1</property>
|
||||
<property name="bottom_attach">2</property>
|
||||
<property name="x_options">GTK_FILL</property>
|
||||
<property name="y_options"></property>
|
||||
</packing>
|
||||
</child>
|
||||
<child>
|
||||
<widget class="GtkEntry" id="user-entry">
|
||||
<property name="visible">True</property>
|
||||
<property name="can_focus">True</property>
|
||||
<property name="has_tooltip">True</property>
|
||||
<property name="tooltip_text">The username (identity) to use for authentication against the gateway.</property>
|
||||
</widget>
|
||||
<packing>
|
||||
<property name="left_attach">1</property>
|
||||
<property name="right_attach">2</property>
|
||||
<property name="y_options"></property>
|
||||
</packing>
|
||||
</child>
|
||||
</widget>
|
||||
</child>
|
||||
</widget>
|
||||
|
|
|
|||
|
|
@ -163,7 +163,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
|
|||
{
|
||||
nm_creds_t *creds;
|
||||
NMSettingVPN *settings;
|
||||
identification_t *user = NULL;
|
||||
identification_t *user = NULL, *gateway;
|
||||
char *address, *str;
|
||||
bool virtual, encap, ipcomp;
|
||||
ike_cfg_t *ike_cfg;
|
||||
|
|
@ -173,6 +173,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
|
|||
ike_sa_t *ike_sa;
|
||||
auth_info_t *auth;
|
||||
auth_class_t auth_class = AUTH_CLASS_EAP;
|
||||
certificate_t *cert = NULL;
|
||||
|
||||
/**
|
||||
* Read parameters
|
||||
|
|
@ -229,12 +230,17 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
|
|||
str = g_hash_table_lookup(settings->data, "certificate");
|
||||
if (str)
|
||||
{
|
||||
certificate_t *cert;
|
||||
|
||||
cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
|
||||
BUILD_FROM_FILE, str, BUILD_END);
|
||||
creds->set_certificate(creds, cert);
|
||||
}
|
||||
if (!cert)
|
||||
{
|
||||
g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
|
||||
"Loading certificate failed.");
|
||||
return FALSE;
|
||||
}
|
||||
gateway = cert->get_subject(cert);
|
||||
str = g_hash_table_lookup(settings->data, "password");
|
||||
if (str)
|
||||
{
|
||||
|
|
@ -246,8 +252,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
|
|||
*/
|
||||
ike_cfg = ike_cfg_create(TRUE, encap, "0.0.0.0", address);
|
||||
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
|
||||
peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg, user,
|
||||
identification_create_from_encoding(ID_ANY, chunk_empty),
|
||||
peer_cfg = peer_cfg_create(CONFIG_NAME, 2, ike_cfg,
|
||||
user, gateway->clone(gateway),
|
||||
CERT_SEND_IF_ASKED, UNIQUE_REPLACE, 1, /* keyingtries */
|
||||
18000, 0, /* rekey 5h, reauth none */
|
||||
600, 600, /* jitter, over 10min */
|
||||
|
|
|
|||
Loading…
Reference in New Issue