You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
NetworkManager-libreswan/SOURCES/0001-ipsec-conf-escaping-cv...

1692 lines
58 KiB

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

From f9f321fc00f9016569a592140d9e5a24f9c4db01 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Fri, 13 Sep 2024 14:49:12 +0200
Subject: [PATCH 1/6] shared/nm-glib: import newer g_steal_pointer()
The version that's there doesn't work with current glib, still
considering g_steal_pointer() deprecated.
We should probably do a full import, but it's became such a mess
in NetworkManager.git that it's not feasible at this point.
[lkundrak@v3.sk: Backported from 1.24.0]
---
shared/nm-utils/nm-glib.h | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/shared/nm-utils/nm-glib.h b/shared/nm-utils/nm-glib.h
index 770cf0f..1b6487c 100644
--- a/shared/nm-utils/nm-glib.h
+++ b/shared/nm-utils/nm-glib.h
@@ -412,24 +412,26 @@ _nm_g_hash_table_get_keys_as_array (GHashTable *hash_table,
/*****************************************************************************/
-#if !GLIB_CHECK_VERSION(2, 44, 0)
-static inline gpointer
-g_steal_pointer (gpointer pp)
-{
- gpointer *ptr = (gpointer *) pp;
- gpointer ref;
+#define _NM_ENSURE_POINTER(value) \
+ do { \
+ _nm_unused const void *const _unused_for_type_check = 0 ? (value) : NULL; \
+ } while (0)
- ref = *ptr;
- *ptr = NULL;
-
- return ref;
-}
-
-/* type safety */
-#define g_steal_pointer(pp) \
- (0 ? (*(pp)) : (g_steal_pointer) (pp))
+#ifdef g_steal_pointer
+#undef g_steal_pointer
#endif
+#define g_steal_pointer(pp) \
+ ({ \
+ typeof(*(pp)) *const _pp = (pp); \
+ typeof(*_pp) _p = *_pp; \
+ \
+ _NM_ENSURE_POINTER(_p); \
+ \
+ *_pp = NULL; \
+ _p; \
+ })
+
/*****************************************************************************/
static inline gboolean
--
2.46.0
From 72816f82b029063e4d8aaff6703f175da5232293 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 17 Sep 2024 13:28:58 +0200
Subject: [PATCH 2/6] build: get rid of {properties,src}/libutils.la
Useless build of an extra libraries, just making the build slower and
more complicated. Get rid of then, and just roll src/libutils.la.
[lkundrak@v3.sk: Backported from 1.24.0]
---
Makefile.am | 69 +++++++++++++++++++++--------------------------------
1 file changed, 27 insertions(+), 42 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 29084a9..d46cfcd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -33,6 +33,26 @@ nmvpnservice_DATA = nm-libreswan-service.name
###############################################################################
+noinst_LTLIBRARIES += shared/libutils.la
+
+shared_libutils_la_SOURCES = \
+ shared/nm-utils/nm-shared-utils.c \
+ shared/nm-utils/nm-shared-utils.h \
+ shared/utils.c \
+ shared/utils.h \
+ shared/nm-service-defines.h
+
+shared_libutils_la_CFLAGS = \
+ -DPREFIX=\""$(prefix)"\" \
+ $(common_CFLAGS) \
+ $(LIBNM_CFLAGS)
+
+shared_libutils_la_LIBADD = \
+ $(GLIB_LIBS) \
+ $(LIBNM_LIBS)
+
+###############################################################################
+
properties/resources.h: properties/gresource.xml
$(AM_V_GEN) $(GLIB_COMPILE_RESOURCES) $< --target=$@ --sourcedir=$(srcdir)/properties --generate-header --internal
@@ -53,10 +73,6 @@ gtk4/%.ui: properties/%.ui
EXTRA_DIST += \
gtk4/nm-libreswan-dialog.ui
-plugin_sources = \
- properties/nm-libreswan-editor-plugin.c \
- properties/nm-libreswan-editor-plugin.h
-
editor_sources = \
properties/nm-libreswan-editor.c \
properties/nm-libreswan-editor.h
@@ -68,23 +84,6 @@ common_CFLAGS = \
###############################################################################
-noinst_LTLIBRARIES += properties/libutils.la
-
-properties_libutils_la_SOURCES = \
- shared/utils.c \
- shared/utils.h \
- shared/nm-utils/nm-vpn-plugin-utils.c \
- shared/nm-utils/nm-vpn-plugin-utils.h \
- shared/nm-utils/nm-shared-utils.c \
- shared/nm-utils/nm-shared-utils.h \
- shared/nm-service-defines.h
-
-properties_libutils_la_CPPFLAGS = \
- -DPREFIX=\""$(prefix)"\" \
- -DNETWORKMANAGER_COMPILATION=NM_NETWORKMANAGER_COMPILATION_LIB_BASE \
- $(common_CFLAGS) \
- $(LIBNM_CFLAGS)
-
plugin_LTLIBRARIES += properties/libnm-vpn-plugin-libreswan.la
properties_libnm_vpn_plugin_libreswan_la_CFLAGS = \
@@ -93,10 +92,13 @@ properties_libnm_vpn_plugin_libreswan_la_CFLAGS = \
$(LIBNM_CFLAGS)
properties_libnm_vpn_plugin_libreswan_la_SOURCES = \
- $(plugin_sources)
+ shared/nm-utils/nm-vpn-plugin-utils.c \
+ shared/nm-utils/nm-vpn-plugin-utils.h \
+ properties/nm-libreswan-editor-plugin.c \
+ properties/nm-libreswan-editor-plugin.h
properties_libnm_vpn_plugin_libreswan_la_LIBADD = \
- properties/libutils.la \
+ shared/libutils.la \
$(LIBNM_LIBS) \
$(DL_LIBS)
@@ -198,7 +200,6 @@ auth_dialog_nm_libreswan_auth_dialog_LDADD = \
src_cppflags = \
-DBINDIR=\"$(bindir)\" \
- -DPREFIX=\""$(prefix)"\" \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DLOCALSTATEDIR=\""$(localstatedir)"\" \
@@ -230,22 +231,6 @@ src/nm-libreswan-helper-service-dbus.h: src/nm-libreswan-helper-service.xml
src/nm-libreswan-helper-service-dbus.c: src/nm-libreswan-helper-service-dbus.h
@true
-noinst_LTLIBRARIES += src/libutils.la
-
-src_libutils_la_SOURCES = \
- shared/nm-utils/nm-shared-utils.c \
- shared/nm-utils/nm-shared-utils.h \
- shared/utils.c \
- shared/utils.h \
- shared/nm-service-defines.h
-
-src_libutils_la_CPPFLAGS = \
- $(src_cppflags)
-
-src_libutils_la_LIBADD = \
- $(GLIB_LIBS) \
- $(LIBNM_LIBS)
-
###############################################################################
libexec_PROGRAMS += src/nm-libreswan-service
@@ -255,7 +240,7 @@ src_nm_libreswan_service_CPPFLAGS = \
src_nm_libreswan_service_LDADD = \
src/libnm-libreswan-helper-service-dbus.la \
- src/libutils.la \
+ shared/libutils.la \
$(GLIB_LIBS) \
$(LIBNM_LIBS) \
$(LIBNL_LIBS) \
@@ -272,7 +257,7 @@ src_nm_libreswan_service_helper_CPPFLAGS = \
src_nm_libreswan_service_helper_LDADD = \
src/libnm-libreswan-helper-service-dbus.la \
- src/libutils.la \
+ shared/libutils.la \
$(GLIB_LIBS) \
$(LIBNM_LIBS)
--
2.46.0
From cf9777bd065ddc40c627e1d994432e95b1e70a82 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Mon, 23 Sep 2024 11:39:22 +0200
Subject: [PATCH 3/6] shared/test-utils: cover config write with unit tests
Test that we generate good configuration for typical IKEv1 and IKEv2
cases.
[lkundrak@v3.sk: Backported from 1.24.0]
---
Makefile.am | 16 ++++++
shared/test-utils.c | 127 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 143 insertions(+)
create mode 100644 shared/test-utils.c
diff --git a/Makefile.am b/Makefile.am
index d46cfcd..3f4e85c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -21,6 +21,8 @@ libexec_PROGRAMS =
noinst_PROGRAMS =
+TESTS =
+
SUBDIRS = po man
###############################################################################
@@ -51,6 +53,20 @@ shared_libutils_la_LIBADD = \
$(GLIB_LIBS) \
$(LIBNM_LIBS)
+noinst_PROGRAMS += shared/test-utils
+
+TESTS += shared/test-utils
+
+shared_test_utils_SOURCES = shared/test-utils.c
+
+shared_test_utils_CFLAGS = \
+ $(common_CFLAGS) \
+ $(LIBNM_CFLAGS)
+
+shared_test_utils_LDADD = \
+ shared/libutils.la \
+ $(LIBNM_LIBS)
+
###############################################################################
properties/resources.h: properties/gresource.xml
diff --git a/shared/test-utils.c b/shared/test-utils.c
new file mode 100644
index 0000000..82ee933
--- /dev/null
+++ b/shared/test-utils.c
@@ -0,0 +1,127 @@
+#include "nm-default.h"
+
+#include "utils.h"
+
+#include <gio/gfiledescriptorbased.h>
+
+static char *
+_setting_into_ipsec_conf (NMSetting *s_vpn, const char *name, GError **error)
+{
+ gs_unref_object NMConnection *connection = NULL;
+ gs_unref_object GFile *tmp = NULL;
+ GFileIOStream *tmpstream;
+ char buf[4096];
+ gboolean res;
+ gsize count;
+ gint fd;
+
+ connection = nm_simple_connection_new ();
+ nm_connection_add_setting (connection, s_vpn);
+
+ tmp = g_file_new_tmp (NULL, &tmpstream, error);
+ if (tmp == NULL)
+ return NULL;
+
+ res = g_file_delete (tmp, NULL, error);
+ if (res == FALSE)
+ return NULL;
+
+ fd = g_file_descriptor_based_get_fd(G_FILE_DESCRIPTOR_BASED(
+ g_io_stream_get_output_stream(G_IO_STREAM (tmpstream))));
+
+ res = nm_libreswan_config_write (fd, 4, connection,
+ name, NULL,
+ FALSE, TRUE, NULL,
+ error);
+ if (res == FALSE)
+ return NULL;
+
+ res = g_seekable_seek (G_SEEKABLE(tmpstream),
+ 0, G_SEEK_SET, NULL, error);
+ if (res == FALSE)
+ return NULL;
+
+ res = g_input_stream_read_all (
+ g_io_stream_get_input_stream(G_IO_STREAM (tmpstream)),
+ buf,
+ sizeof(buf)-1,
+ &count,
+ NULL,
+ error);
+ if (res == FALSE)
+ return NULL;
+
+ buf[count] = '\0';
+ return g_strdup(buf);
+}
+
+static void
+test_config_write (void)
+{
+ GError *error = NULL;
+ NMSetting *s_vpn;
+ char *str;
+
+ s_vpn = nm_setting_vpn_new ();
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
+ str = _setting_into_ipsec_conf (s_vpn, "con_name", &error);
+ g_assert_no_error (error);
+ g_assert_cmpstr (str, ==,
+ "conn con_name\n"
+ " authby=secret\n"
+ " left=%defaultroute\n"
+ " leftmodecfgclient=yes\n"
+ " right=11.12.13.14\n"
+ " rightmodecfgserver=yes\n"
+ " modecfgpull=yes\n"
+ " rightsubnet=0.0.0.0/0\n"
+ " leftxauthclient=yes\n"
+ " remote-peer-type=cisco\n"
+ " rightxauthserver=yes\n"
+ " ikelifetime=24h\n"
+ " salifetime=24h\n"
+ " rekey=yes\n"
+ " keyingtries=1\n"
+ " ikev2=never\n"
+ " nm-configured=yes\n"
+ " auto=add\n");
+ g_free (str);
+
+ s_vpn = nm_setting_vpn_new ();
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "ikev2", "insist");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "leftcert", "LibreswanClient");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "leftid", "%fromcert");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
+ str = _setting_into_ipsec_conf (s_vpn,
+ "f0008435-07af-4836-a53d-b43e8730e68f",
+ &error);
+ g_assert_no_error (error);
+ g_assert_cmpstr (str, ==,
+ "conn f0008435-07af-4836-a53d-b43e8730e68f\n"
+ " leftid=%fromcert\n"
+ " leftcert=LibreswanClient\n"
+ " leftrsasigkey=%cert\n"
+ " rightrsasigkey=%cert\n"
+ " left=%defaultroute\n"
+ " leftmodecfgclient=yes\n"
+ " right=11.12.13.14\n"
+ " rightmodecfgserver=yes\n"
+ " modecfgpull=yes\n"
+ " rightsubnet=0.0.0.0/0\n"
+ " rekey=yes\n"
+ " keyingtries=1\n"
+ " ikev2=insist\n"
+ " nm-configured=yes\n"
+ " auto=add\n");
+ g_free (str);
+}
+
+int
+main (int argc, char **argv)
+{
+ g_test_init (&argc, &argv, NULL);
+
+ g_test_add_func ("/utils/config/write", test_config_write);
+
+ return g_test_run ();
+}
--
2.46.0
From 2b07bfeec5e67cbdce9b23b7c0648cb0ee55416d Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Sun, 22 Sep 2024 14:20:22 +0200
Subject: [PATCH 4/6] all: rework formatting of ipsec.conf
Simplify the interface and validate each item carefully.
Note this fixes a security issue (CVE-2024-9050), with an "Important"
impact severity, where insufficient validation could lead to injection
of potentialy malicious values into the ipsec.conf snippet we send over
to pluto.
https://issues.redhat.com/browse/RHEL-59565
[lkundrak@v3.sk: Backported from 1.24.0]
---
properties/nm-libreswan-editor-plugin.c | 30 +-
shared/test-utils.c | 97 +----
shared/utils.c | 491 ++++++++++++++----------
shared/utils.h | 28 +-
src/nm-libreswan-service.c | 183 +++++----
5 files changed, 423 insertions(+), 406 deletions(-)
diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
index fe473d1..9393212 100644
--- a/properties/nm-libreswan-editor-plugin.c
+++ b/properties/nm-libreswan-editor-plugin.c
@@ -286,19 +286,11 @@ export_to_file (NMVpnEditorPlugin *self,
{
NMSettingVpn *s_vpn;
gboolean openswan = FALSE;
- int fd, errsv;
gs_free_error GError *local = NULL;
+ gs_free char *ipsec_conf = NULL;
gboolean is_openswan;
int version;
- fd = g_open (path, O_WRONLY | O_CREAT, 0666);
- if (fd == -1) {
- errsv = errno;
- g_set_error (error, NMV_EDITOR_PLUGIN_ERROR, NMV_EDITOR_PLUGIN_ERROR_FAILED,
- _("Cant open file “%s”: %s"), path, g_strerror (errsv));
- return FALSE;
- }
-
s_vpn = nm_connection_get_setting_vpn (connection);
if (s_vpn)
openswan = nm_streq (nm_setting_vpn_get_service_type (s_vpn), NM_VPN_SERVICE_TYPE_OPENSWAN);
@@ -306,24 +298,18 @@ export_to_file (NMVpnEditorPlugin *self,
nm_libreswan_detect_version (nm_libreswan_find_helper_bin ("ipsec", NULL),
&is_openswan, &version, NULL);
- if (!nm_libreswan_config_write (fd,
- version,
- connection,
- nm_connection_get_id (connection),
- NULL,
- openswan,
- TRUE,
- NULL,
- &local)) {
- g_close (fd, NULL);
+ ipsec_conf = nm_libreswan_get_ipsec_conf (version, s_vpn,
+ nm_connection_get_id (connection),
+ NULL, openswan, TRUE, error);
+ if (ipsec_conf == NULL)
+ return FALSE;
+
+ if (!g_file_set_contents (path, ipsec_conf, -1, &local)) {
g_set_error (error, NMV_EDITOR_PLUGIN_ERROR, NMV_EDITOR_PLUGIN_ERROR_FAILED,
_("Error writing to file “%s”: %s"), path, local->message);
return FALSE;
}
- if (!g_close (fd, error))
- return FALSE;
-
return TRUE;
}
diff --git a/shared/test-utils.c b/shared/test-utils.c
index 82ee933..49aa32a 100644
--- a/shared/test-utils.c
+++ b/shared/test-utils.c
@@ -2,117 +2,60 @@
#include "utils.h"
-#include <gio/gfiledescriptorbased.h>
-
-static char *
-_setting_into_ipsec_conf (NMSetting *s_vpn, const char *name, GError **error)
-{
- gs_unref_object NMConnection *connection = NULL;
- gs_unref_object GFile *tmp = NULL;
- GFileIOStream *tmpstream;
- char buf[4096];
- gboolean res;
- gsize count;
- gint fd;
-
- connection = nm_simple_connection_new ();
- nm_connection_add_setting (connection, s_vpn);
-
- tmp = g_file_new_tmp (NULL, &tmpstream, error);
- if (tmp == NULL)
- return NULL;
-
- res = g_file_delete (tmp, NULL, error);
- if (res == FALSE)
- return NULL;
-
- fd = g_file_descriptor_based_get_fd(G_FILE_DESCRIPTOR_BASED(
- g_io_stream_get_output_stream(G_IO_STREAM (tmpstream))));
-
- res = nm_libreswan_config_write (fd, 4, connection,
- name, NULL,
- FALSE, TRUE, NULL,
- error);
- if (res == FALSE)
- return NULL;
-
- res = g_seekable_seek (G_SEEKABLE(tmpstream),
- 0, G_SEEK_SET, NULL, error);
- if (res == FALSE)
- return NULL;
-
- res = g_input_stream_read_all (
- g_io_stream_get_input_stream(G_IO_STREAM (tmpstream)),
- buf,
- sizeof(buf)-1,
- &count,
- NULL,
- error);
- if (res == FALSE)
- return NULL;
-
- buf[count] = '\0';
- return g_strdup(buf);
-}
-
static void
test_config_write (void)
{
GError *error = NULL;
- NMSetting *s_vpn;
+ NMSettingVpn *s_vpn;
char *str;
- s_vpn = nm_setting_vpn_new ();
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
- str = _setting_into_ipsec_conf (s_vpn, "con_name", &error);
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "con_name", NULL, FALSE, TRUE, &error);
g_assert_no_error (error);
g_assert_cmpstr (str, ==,
"conn con_name\n"
+ " ikev2=never\n"
+ " right=11.12.13.14\n"
" authby=secret\n"
" left=%defaultroute\n"
" leftmodecfgclient=yes\n"
- " right=11.12.13.14\n"
- " rightmodecfgserver=yes\n"
- " modecfgpull=yes\n"
" rightsubnet=0.0.0.0/0\n"
" leftxauthclient=yes\n"
" remote-peer-type=cisco\n"
" rightxauthserver=yes\n"
" ikelifetime=24h\n"
" salifetime=24h\n"
- " rekey=yes\n"
" keyingtries=1\n"
- " ikev2=never\n"
- " nm-configured=yes\n"
- " auto=add\n");
+ " rekey=yes\n"
+ " rightmodecfgserver=yes\n"
+ " modecfgpull=yes\n");
g_free (str);
- s_vpn = nm_setting_vpn_new ();
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "ikev2", "insist");
nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "leftcert", "LibreswanClient");
nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "leftid", "%fromcert");
nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
- str = _setting_into_ipsec_conf (s_vpn,
- "f0008435-07af-4836-a53d-b43e8730e68f",
- &error);
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn,
+ "f0008435-07af-4836-a53d-b43e8730e68f",
+ NULL, FALSE, TRUE, &error);
g_assert_no_error (error);
g_assert_cmpstr (str, ==,
"conn f0008435-07af-4836-a53d-b43e8730e68f\n"
+ " ikev2=insist\n"
+ " right=11.12.13.14\n"
" leftid=%fromcert\n"
- " leftcert=LibreswanClient\n"
- " leftrsasigkey=%cert\n"
- " rightrsasigkey=%cert\n"
+ " leftcert=\"LibreswanClient\"\n"
+ " leftrsasigkey=\"%cert\"\n"
+ " rightrsasigkey=\"%cert\"\n"
" left=%defaultroute\n"
" leftmodecfgclient=yes\n"
- " right=11.12.13.14\n"
- " rightmodecfgserver=yes\n"
- " modecfgpull=yes\n"
" rightsubnet=0.0.0.0/0\n"
- " rekey=yes\n"
" keyingtries=1\n"
- " ikev2=insist\n"
- " nm-configured=yes\n"
- " auto=add\n");
+ " rekey=yes\n"
+ " rightmodecfgserver=yes\n"
+ " modecfgpull=yes\n");
g_free (str);
}
diff --git a/shared/utils.c b/shared/utils.c
index 65bc603..2482311 100644
--- a/shared/utils.c
+++ b/shared/utils.c
@@ -30,82 +30,109 @@
#include <string.h>
#include <errno.h>
-gboolean
-write_config_option_newline (int fd,
- gboolean new_line,
- NMDebugWriteFcn debug_write_fcn,
- GError **error,
- const char *format, ...)
+static gboolean
+printable_val (GString *str, const char *val, GError **error)
{
- gs_free char *string = NULL;
const char *p;
- va_list args;
- gsize l;
- int errsv;
- gssize w;
- va_start (args, format);
- string = g_strdup_vprintf (format, args);
- va_end (args);
+ g_return_val_if_fail (val, FALSE);
- if (debug_write_fcn)
- debug_write_fcn (string);
-
- l = strlen (string);
- if (new_line) {
- gs_free char *s = string;
-
- string = g_new (char, l + 1 + 1);
- memcpy (string, s, l);
- string[l] = '\n';
- string[l + 1] = '\0';
- l++;
+ for (p = val; *p != '\0'; p++) {
+ /* Printable characters except " and space allowed. */
+ if (*p != '"' && !g_ascii_isspace (*p) && g_ascii_isprint (*p))
+ continue;
+ g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT,
+ _("Invalid character in '%s'"), val);
+ return FALSE;
}
- p = string;
- while (true) {
- w = write (fd, p, l);
- if (w == l)
- return TRUE;
- if (w > 0) {
- g_assert (w < l);
- p += w;
- l -= w;
- continue;
- }
- if (w == 0) {
- errsv = EIO;
- break;
- }
- errsv = errno;
- if (errsv == EINTR)
- continue;
- break;
- }
- g_set_error (error, NMV_EDITOR_PLUGIN_ERROR, NMV_EDITOR_PLUGIN_ERROR,
- _("Error writing config: %s"), g_strerror (errsv));
- return FALSE;
+ g_string_append (str, val);
+ g_string_append_c (str, '\n');
+ return TRUE;
}
-gboolean
-nm_libreswan_config_write (gint fd,
- int ipsec_version,
- NMConnection *connection,
- const char *con_name,
- const char *leftupdown_script,
- gboolean openswan,
- gboolean trailing_newline,
- NMDebugWriteFcn debug_write_fcn,
- GError **error)
+static gboolean
+string_val (GString *str, const char *val, GError **error)
{
- NMSettingVpn *s_vpn;
- const char *props_username;
- const char *default_username;
+ const char *p;
+
+ g_return_val_if_fail (val, FALSE);
+
+ for (p = val; *p != '\0'; p++) {
+ /* Printable characters except " allowed. */
+ if (*p != '"' && g_ascii_isprint (*p))
+ continue;
+ g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT,
+ _("Invalid character in '%s'"), val);
+ return FALSE;
+ }
+
+ g_string_append_printf (str, "\"%s\"\n", val);
+ return TRUE;
+}
+
+static inline gboolean
+optional_string_val (GString *str, const char *key, const char *val, GError **error)
+{
+ if (val == NULL || val[0] == '\0')
+ return TRUE;
+ g_string_append_c (str, ' ');
+ g_string_append (str, key);
+ g_string_append_c (str, '=');
+
+ if (!string_val (str, val, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "), key);
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+static inline gboolean
+optional_printable_val (GString *str, const char *key, const char *val, GError **error)
+{
+ if (val == NULL || val[0] == '\0')
+ return TRUE;
+
+ g_string_append_c (str, ' ');
+ g_string_append (str, key);
+ g_string_append_c (str, '=');
+
+ if (!printable_val (str, val, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "), key);
+ return FALSE;
+ }
+
+ return TRUE;
+}
+
+
+static inline gboolean
+optional_printable (GString *str, NMSettingVpn *s_vpn, const char *key, GError **error)
+{
+ return optional_printable_val (str,
+ key,
+ nm_setting_vpn_get_data_item (s_vpn, key),
+ error);
+}
+
+char *
+nm_libreswan_get_ipsec_conf (int ipsec_version,
+ NMSettingVpn *s_vpn,
+ const char *con_name,
+ const char *leftupdown_script,
+ gboolean openswan,
+ gboolean trailing_newline,
+ GError **error)
+{
+ nm_auto_free_gstring GString *ipsec_conf = NULL;
+ const char *username;
const char *phase1_alg_str;
const char *phase2_alg_str;
const char *phase1_lifetime_str;
const char *phase2_lifetime_str;
const char *left;
+ const char *right;
const char *leftid;
const char *leftcert;
const char *rightcert;
@@ -116,129 +143,176 @@ nm_libreswan_config_write (gint fd,
const char *remote_network;
const char *ikev2 = NULL;
const char *rightid;
- const char *narrowing;
const char *rekey;
- const char *fragmentation;
- const char *mobike;
const char *pfs;
const char *client_family;
const char *item;
gboolean is_ikev2 = FALSE;
- g_return_val_if_fail (fd > 0, FALSE);
- g_return_val_if_fail (NM_IS_CONNECTION (connection), FALSE);
+ g_return_val_if_fail (NM_IS_SETTING_VPN (s_vpn), FALSE);
g_return_val_if_fail (!error || !*error, FALSE);
g_return_val_if_fail (con_name && *con_name, FALSE);
- s_vpn = nm_connection_get_setting_vpn (connection);
- g_return_val_if_fail (NM_IS_SETTING_VPN (s_vpn), FALSE);
+ ipsec_conf = g_string_sized_new (1024);
+ g_string_append (ipsec_conf, "conn ");
+ if (!printable_val (ipsec_conf, con_name, error)) {
+ g_prefix_error (error, _("Bad connection name: "));
+ return FALSE;
+ }
- is_ikev2 = nm_libreswan_utils_setting_is_ikev2 (s_vpn, &ikev2);
+ if (leftupdown_script) {
+ g_string_append (ipsec_conf, " auto=add\n");
+ g_string_append (ipsec_conf, " nm-configured=yes\n");
+ g_string_append (ipsec_conf, " leftupdown=");
+ if (!string_val (ipsec_conf, leftupdown_script, error))
+ g_return_val_if_reached (FALSE);
+ }
/* When using IKEv1 (default in our plugin), we should ensure that we make
* it explicit to Libreswan (which now defaults to IKEv2): when crypto algorithms
* are not specified ("esp" & "ike") Libreswan will use system-wide crypto
* policies based on the IKE version in place.
*/
+ is_ikev2 = nm_libreswan_utils_setting_is_ikev2 (s_vpn, &ikev2);
if (!ikev2)
ikev2 = NM_LIBRESWAN_IKEV2_NEVER;
+ g_string_append (ipsec_conf, " ikev2=");
+ if (!printable_val (ipsec_conf, ikev2, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "), "ikev2");
+ return FALSE;
+ }
+
+ right = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHT);
+ if (right && right[0] != '\0') {
+ g_string_append (ipsec_conf, " right=");
+ if (!printable_val (ipsec_conf, right, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_RIGHT);
+ return FALSE;
+ }
+ } else {
+ g_set_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT,
+ _("'%s' key needs to be present."), NM_LIBRESWAN_KEY_RIGHT);
+ return FALSE;
+ }
leftid = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTID);
-
-#define WRITE_CHECK_NEWLINE(fd, new_line, debug_write_fcn, error, ...) \
- G_STMT_START { \
- if (!write_config_option_newline ((fd), (new_line), debug_write_fcn, (error), __VA_ARGS__)) \
- return FALSE; \
- } G_STMT_END
-#define WRITE_CHECK(fd, debug_write_fcn, error, ...) WRITE_CHECK_NEWLINE (fd, TRUE, debug_write_fcn, error, __VA_ARGS__)
-
- WRITE_CHECK (fd, debug_write_fcn, error, "conn %s", con_name);
- if (leftid && strlen (leftid)) {
+ if (leftid && leftid[0] != '\0') {
if (!is_ikev2)
- WRITE_CHECK (fd, debug_write_fcn, error, " aggrmode=yes");
+ g_string_append (ipsec_conf, " aggrmode=yes\n");
if ( leftid[0] == '%'
|| leftid[0] == '@'
|| nm_utils_parse_inaddr_bin (AF_UNSPEC, leftid, NULL)) {
- WRITE_CHECK (fd, debug_write_fcn, error, " leftid=%s", leftid);
+ g_string_append (ipsec_conf, " leftid=");
} else
- WRITE_CHECK (fd, debug_write_fcn, error, " leftid=@%s", leftid);
+ g_string_append (ipsec_conf, " leftid=@");
+ if (!printable_val (ipsec_conf, leftid, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_LEFTID);
+ return FALSE;
+ }
}
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " hostaddrfamily=%s", item);
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, error))
+ return FALSE;
client_family = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY);
- if (client_family && strlen (client_family))
- WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
+ if (client_family && client_family[0] != '\0') {
+ g_string_append (ipsec_conf, " clientaddrfamily=");
+ if (!printable_val (ipsec_conf, client_family, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY);
+ return FALSE;
+ }
+ }
leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
rightcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
authby = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_AUTHBY);
- if (rightcert && strlen (rightcert)) {
- WRITE_CHECK (fd, debug_write_fcn, error, " rightcert=%s", rightcert);
+ if (rightcert && rightcert[0] != '\0') {
+ g_string_append (ipsec_conf, " rightcert=");
+ if (!string_val (ipsec_conf, rightcert, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_RIGHTCERT);
+ return FALSE;
+ }
if (!rightrsasigkey)
rightrsasigkey = "%cert";
}
- if (leftcert && strlen (leftcert)) {
- WRITE_CHECK (fd, debug_write_fcn, error, " leftcert=%s", leftcert);
+ if (leftcert && leftcert[0] != '\0') {
+ g_string_append (ipsec_conf, " leftcert=");
+ if (!string_val (ipsec_conf, leftcert, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_LEFTCERT);
+ return FALSE;
+ }
if (!leftrsasigkey)
leftrsasigkey = "%cert";
if (!rightrsasigkey)
rightrsasigkey = "%cert";
}
- if (leftrsasigkey && strlen (leftrsasigkey))
- WRITE_CHECK (fd, debug_write_fcn, error, " leftrsasigkey=%s", leftrsasigkey);
- if (rightrsasigkey && strlen (rightrsasigkey))
- WRITE_CHECK (fd, debug_write_fcn, error, " rightrsasigkey=%s", rightrsasigkey);
+ if (!optional_string_val (ipsec_conf, NM_LIBRESWAN_KEY_LEFTRSASIGKEY, leftrsasigkey, error))
+ return FALSE;
+ if (!optional_string_val (ipsec_conf, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY, rightrsasigkey, error))
+ return FALSE;
- if (authby && strlen (authby)) {
- WRITE_CHECK (fd, debug_write_fcn, error, " authby=%s", authby);
- } else if ( !(leftrsasigkey && strlen (leftrsasigkey))
- && !(rightrsasigkey && strlen (rightrsasigkey))) {
- WRITE_CHECK (fd, debug_write_fcn, error, " authby=secret");
+ if (authby == NULL || authby[0] == '\0') {
+ if ( !(leftrsasigkey && leftrsasigkey[0] != '\0')
+ && !(rightrsasigkey && rightrsasigkey[0] != '\0')) {
+ authby = "secret";
+ }
}
+ if (!optional_printable_val (ipsec_conf, NM_LIBRESWAN_KEY_AUTHBY, authby, error))
+ return FALSE;
left = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFT);
- if (left && strlen (left))
- WRITE_CHECK (fd, debug_write_fcn, error, " left=%s", left);
- else
- WRITE_CHECK (fd, debug_write_fcn, error, " left=%%defaultroute");
+ if (left == NULL || left[0] == '\0')
+ left = "%defaultroute";
+ g_string_append (ipsec_conf, " left=");
+ if (!printable_val (ipsec_conf, left, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_LEFT);
+ return FALSE;
+ }
item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT);
if (nm_streq0 (item, "no")) {
- WRITE_CHECK (fd, debug_write_fcn, error, " leftmodecfgclient=no");
+ g_string_append (ipsec_conf, " leftmodecfgclient=no\n");
} else {
- WRITE_CHECK (fd, debug_write_fcn, error, " leftmodecfgclient=yes");
+ g_string_append (ipsec_conf, " leftmodecfgclient=yes\n");
}
- if (leftupdown_script)
- WRITE_CHECK (fd, debug_write_fcn, error, " leftupdown=%s", leftupdown_script);
-
- WRITE_CHECK (fd, debug_write_fcn, error, " right=%s", nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHT));
rightid = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTID);
- if (rightid && strlen (rightid)) {
+ if (rightid && rightid[0] != '\0') {
if ( rightid[0] == '@'
|| rightid[0] == '%'
- || nm_utils_parse_inaddr_bin (AF_UNSPEC, rightid, NULL)) {
- WRITE_CHECK (fd, debug_write_fcn, error, " rightid=%s", rightid);
- } else
- WRITE_CHECK (fd, debug_write_fcn, error, " rightid=@%s", rightid);
+ || nm_utils_parse_inaddr_bin (AF_UNSPEC, rightid, NULL)) {
+ g_string_append (ipsec_conf, " rightid=");
+ } else {
+ g_string_append (ipsec_conf, " rightid=@");
+ }
+ if (!printable_val (ipsec_conf, rightid, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_RIGHTID);
+ return FALSE;
+ }
}
- WRITE_CHECK (fd, debug_write_fcn, error, " rightmodecfgserver=yes");
- WRITE_CHECK (fd, debug_write_fcn, error, " modecfgpull=yes");
-
local_network = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LOCALNETWORK);
if (local_network) {
- WRITE_CHECK (fd, debug_write_fcn, error, " leftsubnet=%s", local_network);
+ g_string_append (ipsec_conf, " leftsubnet=");
+ if (!printable_val (ipsec_conf, local_network, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_LOCALNETWORK);
+ return FALSE;
+ }
}
remote_network = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK);
- if (!remote_network || !strlen (remote_network)) {
+ if (!remote_network || remote_network[0] == '\0') {
int addr_family = AF_UNSPEC;
/* Detect the address family of the remote subnet. We use in order:
@@ -259,43 +333,50 @@ nm_libreswan_config_write (gint fd,
}
if (addr_family == AF_INET6) {
- WRITE_CHECK (fd, debug_write_fcn, error, " rightsubnet=::/0");
+ remote_network = "::/0";
} else {
/* For backwards compatibility, if we can't determine the family
* assume it's IPv4. Anyway, in the future we need to stop adding
* the option automatically. */
- WRITE_CHECK (fd, debug_write_fcn, error, " rightsubnet=0.0.0.0/0");
+ remote_network = "0.0.0.0/0";
}
- } else {
- WRITE_CHECK (fd, debug_write_fcn, error, " rightsubnet=%s", remote_network);
+ }
+ g_string_append (ipsec_conf, " rightsubnet=");
+ if (!printable_val (ipsec_conf, remote_network, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_REMOTENETWORK);
+ return FALSE;
}
if (!is_ikev2) {
/* When IKEv1 is in place, we enforce XAUTH: so, use IKE version
* also to check if XAUTH conf options should be passed to Libreswan.
*/
- WRITE_CHECK (fd, debug_write_fcn, error, " leftxauthclient=yes");
+ g_string_append (ipsec_conf, " leftxauthclient=yes\n");
- default_username = nm_setting_vpn_get_user_name (s_vpn);
- props_username = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTXAUTHUSER);
- if (!props_username)
- props_username = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTUSERNAME);
- if (props_username && strlen (props_username))
- WRITE_CHECK (fd, debug_write_fcn, error,
- ipsec_version >= 4 ? " leftusername=%s" : " leftxauthusername=%s",
- props_username);
- else if (default_username && strlen (default_username))
- WRITE_CHECK (fd, debug_write_fcn, error,
- ipsec_version >= 4 ? " leftusername=%s" : " leftxauthusername=%s",
- default_username);
+ username = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTXAUTHUSER);
+ if (username == NULL || username[0] == '\0')
+ username = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTUSERNAME);
+ if (username == NULL || username[0] == '\0')
+ username = nm_setting_vpn_get_user_name (s_vpn);
+ if (username != NULL && username[0] != '\0') {
+ g_string_append (ipsec_conf,
+ ipsec_version >= 4 ?
+ " leftusername=" :
+ " leftxauthusername=");
+ if (!string_val (ipsec_conf, username, error)) {
+ g_prefix_error (error, _("Invalid username: "));
+ return FALSE;
+ }
+ }
- WRITE_CHECK (fd, debug_write_fcn, error,
- ipsec_version >= 4 ? " remote-peer-type=cisco" : " remote_peer_type=cisco");
- WRITE_CHECK (fd, debug_write_fcn, error, " rightxauthserver=yes");
+ g_string_append (ipsec_conf,
+ ipsec_version >= 4 ?
+ " remote-peer-type=cisco\n" :
+ " remote_peer_type=cisco\n");
+ g_string_append (ipsec_conf, " rightxauthserver=yes\n");
}
-
- phase1_alg_str = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_IKE);
/* When the crypto is unspecified, let Libreswan use many sets of crypto
* proposals (just leave the property unset). An exception should be made
* for IKEv1 connections in aggressive mode: there the DH group in the crypto
@@ -304,84 +385,80 @@ nm_libreswan_config_write (gint fd,
* force the best proposal that should be accepted by all obsolete VPN SW/HW
* acting as a remote access VPN server.
*/
- if (phase1_alg_str && strlen (phase1_alg_str))
- WRITE_CHECK (fd, debug_write_fcn, error, " ike=%s", phase1_alg_str);
- else if (!is_ikev2 && leftid)
- WRITE_CHECK (fd, debug_write_fcn, error, " ike=%s", NM_LIBRESWAN_AGGRMODE_DEFAULT_IKE);
+ phase1_alg_str = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_IKE);
+ if (phase1_alg_str == NULL || phase1_alg_str[0] == '\0') {
+ if (!is_ikev2 && leftid)
+ phase1_alg_str = NM_LIBRESWAN_AGGRMODE_DEFAULT_IKE;
+ }
+ if (!optional_string_val (ipsec_conf, NM_LIBRESWAN_KEY_IKE, phase1_alg_str, error))
+ return FALSE;
phase2_alg_str = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_ESP);
- if (phase2_alg_str && strlen (phase2_alg_str))
- WRITE_CHECK (fd, debug_write_fcn, error, " phase2alg=%s", phase2_alg_str);
- else if (!is_ikev2 && leftid)
- WRITE_CHECK (fd, debug_write_fcn, error, " phase2alg=%s", NM_LIBRESWAN_AGGRMODE_DEFAULT_ESP);
+ if (phase2_alg_str == NULL || phase2_alg_str[0] == '\0') {
+ if (!is_ikev2 && leftid)
+ phase2_alg_str = NM_LIBRESWAN_AGGRMODE_DEFAULT_ESP;
+ }
+ if (!optional_string_val (ipsec_conf, "phase2alg", phase2_alg_str, error))
+ return FALSE;
pfs = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_PFS);
if (pfs && !strcmp (pfs, "no"))
- WRITE_CHECK (fd, debug_write_fcn, error, " pfs=no");
+ g_string_append (ipsec_conf, " pfs=no\n");
- phase1_lifetime_str = nm_setting_vpn_get_data_item (s_vpn,
- NM_LIBRESWAN_KEY_IKELIFETIME);
- if (phase1_lifetime_str && strlen (phase1_lifetime_str))
- WRITE_CHECK (fd, debug_write_fcn, error, " ikelifetime=%s", phase1_lifetime_str);
- else if (!is_ikev2)
- WRITE_CHECK (fd, debug_write_fcn, error, " ikelifetime=%s", NM_LIBRESWAN_IKEV1_DEFAULT_LIFETIME);
+ phase1_lifetime_str = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_IKELIFETIME);
+ if (phase1_lifetime_str == NULL || phase1_lifetime_str[0] == '\0') {
+ if (!is_ikev2)
+ phase1_lifetime_str = NM_LIBRESWAN_IKEV1_DEFAULT_LIFETIME;
+ }
+ if (!optional_printable_val (ipsec_conf, NM_LIBRESWAN_KEY_IKELIFETIME, phase1_lifetime_str, error))
+ return FALSE;
- phase2_lifetime_str = nm_setting_vpn_get_data_item (s_vpn,
- NM_LIBRESWAN_KEY_SALIFETIME);
- if (phase2_lifetime_str && strlen (phase2_lifetime_str))
- WRITE_CHECK (fd, debug_write_fcn, error, " salifetime=%s", phase2_lifetime_str);
- else if (!is_ikev2)
- WRITE_CHECK (fd, debug_write_fcn, error, " salifetime=%s", NM_LIBRESWAN_IKEV1_DEFAULT_LIFETIME);
+ phase2_lifetime_str = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_SALIFETIME);
+ if (phase2_lifetime_str == NULL || phase2_lifetime_str[0] == '\0') {
+ if (!is_ikev2)
+ phase2_lifetime_str = NM_LIBRESWAN_IKEV1_DEFAULT_LIFETIME;
+ }
+ if (!optional_printable_val (ipsec_conf, NM_LIBRESWAN_KEY_SALIFETIME, phase2_lifetime_str, error))
+ return FALSE;
rekey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REKEY);
- if (!rekey || !strlen (rekey)) {
- WRITE_CHECK (fd, debug_write_fcn, error, " rekey=yes");
- WRITE_CHECK (fd, debug_write_fcn, error, " keyingtries=1");
- } else
- WRITE_CHECK (fd, debug_write_fcn, error, " rekey=%s", rekey);
+ if (!rekey || rekey[0] == '\0') {
+ g_string_append (ipsec_conf, " keyingtries=1\n");
+ rekey = "yes";
+ }
+ g_string_append (ipsec_conf, " rekey=");
+ if (!printable_val (ipsec_conf, rekey, error)) {
+ g_prefix_error (error, _("Invalid value for '%s': "),
+ NM_LIBRESWAN_KEY_REKEY);
+ return FALSE;
+ }
if (!openswan && g_strcmp0 (nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_VENDOR), "Cisco") == 0)
- WRITE_CHECK (fd, debug_write_fcn, error, " cisco-unity=yes");
+ g_string_append (ipsec_conf, " cisco-unity=yes\n");
- WRITE_CHECK (fd, debug_write_fcn, error, " ikev2=%s", ikev2);
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_NARROWING, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_FRAGMENTATION, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_MOBIKE, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_DPDDELAY, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_DPDTIMEOUT, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_DPDACTION, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_IPSEC_INTERFACE, error))
+ return FALSE;
+ if (!optional_printable (ipsec_conf, s_vpn, NM_LIBRESWAN_KEY_TYPE, error))
+ return FALSE;
- narrowing = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_NARROWING);
- if (narrowing && strlen (narrowing))
- WRITE_CHECK (fd, debug_write_fcn, error, " narrowing=%s", narrowing);
+ g_string_append (ipsec_conf, " rightmodecfgserver=yes\n");
+ g_string_append (ipsec_conf, " modecfgpull=yes");
+ if (trailing_newline)
+ g_string_append_c (ipsec_conf, '\n');
- fragmentation = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_FRAGMENTATION);
- if (fragmentation && strlen (fragmentation))
- WRITE_CHECK (fd, debug_write_fcn, error, " fragmentation=%s", fragmentation);
-
- mobike = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_MOBIKE);
- if (mobike && strlen (mobike))
- WRITE_CHECK (fd, debug_write_fcn, error, " mobike=%s", mobike);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDDELAY);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " dpddelay=%s", item);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDTIMEOUT);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " dpdtimeout=%s", item);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_DPDACTION);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " dpdaction=%s", item);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_IPSEC_INTERFACE);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " ipsec-interface=%s", item);
-
- item = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_TYPE);
- if (item && strlen (item))
- WRITE_CHECK (fd, debug_write_fcn, error, " type=%s", item);
-
- WRITE_CHECK (fd, debug_write_fcn, error, " nm-configured=yes");
-
- WRITE_CHECK_NEWLINE (fd, trailing_newline, debug_write_fcn, error, " auto=add");
-
- return TRUE;
+ return g_string_free (g_steal_pointer (&ipsec_conf), FALSE);
}
static const char *
diff --git a/shared/utils.h b/shared/utils.h
index 7e89841..2e2450c 100644
--- a/shared/utils.h
+++ b/shared/utils.h
@@ -24,27 +24,13 @@
#ifndef __UTILS_H__
#define __UTILS_H__
-typedef void (*NMDebugWriteFcn) (const char *setting);
-
-__attribute__((__format__ (__printf__, 5, 6)))
-gboolean write_config_option_newline (int fd,
- gboolean new_line,
- NMDebugWriteFcn debug_write_fcn,
- GError **error,
- const char *format, ...);
-
-#define write_config_option(fd, debug_write_fcn, error, ...) write_config_option_newline((fd), TRUE, debug_write_fcn, error, __VA_ARGS__)
-
-gboolean
-nm_libreswan_config_write (gint fd,
- int ipsec_version,
- NMConnection *connection,
- const char *con_name,
- const char *leftupdown_script,
- gboolean openswan,
- gboolean trailing_newline,
- NMDebugWriteFcn debug_write_fcn,
- GError **error);
+char *nm_libreswan_get_ipsec_conf (int ipsec_version,
+ NMSettingVpn *s_vpn,
+ const char *con_name,
+ const char *leftupdown_script,
+ gboolean openswan,
+ gboolean trailing_newline,
+ GError **error);
static inline gboolean
nm_libreswan_utils_setting_is_ikev2 (NMSettingVpn *s_vpn, const char **out_ikev2)
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
index e5956af..35f602c 100644
--- a/src/nm-libreswan-service.c
+++ b/src/nm-libreswan-service.c
@@ -101,12 +101,13 @@ typedef struct {
const char *whack_path;
char *secrets_path;
+ char *ipsec_conf;
+
gboolean openswan;
gboolean interactive;
gboolean pending_auth;
gboolean managed;
gboolean xauth_enabled;
- int version;
GPid pid;
guint watch_id;
@@ -152,12 +153,6 @@ _LOGD_enabled (void)
#define _LOGW(...) _NMLOG(LOG_WARNING, __VA_ARGS__)
#define _LOGE(...) _NMLOG(LOG_EMERG, __VA_ARGS__)
-static void
-_debug_write_option (const char *setting)
-{
- _LOGD ("Config %s", setting);
-}
-
/****************************************************************/
static gboolean pr_cb (GIOChannel *source, GIOCondition condition, gpointer user_data);
@@ -666,9 +661,9 @@ nm_libreswan_config_psk_write (NMSettingVpn *s_vpn,
GError **error)
{
const char *pw_type, *psk, *leftid, *right;
- int fd;
- int errsv;
- gboolean success;
+ gs_free const char *secrets = NULL;
+ mode_t old_mask;
+ gboolean res;
/* Check for ignored group password */
pw_type = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_PSK_INPUT_MODES);
@@ -679,47 +674,32 @@ nm_libreswan_config_psk_write (NMSettingVpn *s_vpn,
if (!psk)
return TRUE;
- /* Write the PSK */
- errno = 0;
- fd = open (secrets_path, O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);
- if (fd < 0) {
- errsv = errno;
-
- if (errsv == ENOENT) {
- gs_free char *dirname = g_path_get_dirname (secrets_path);
-
- if (!g_file_test (dirname, G_FILE_TEST_IS_DIR)) {
- g_set_error (error,
- NM_VPN_PLUGIN_ERROR,
- NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
- "Failed to open secrets file: no directory %s",
- dirname);
- return FALSE;
- }
- }
-
- g_set_error (error,
- NM_VPN_PLUGIN_ERROR,
- NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
- "Failed to open secrets file: (%d) %s.",
- errsv, g_strerror (errsv));
- return FALSE;
- }
-
leftid = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTID);
if (leftid) {
- success = write_config_option (fd, NULL, error, "@%s: PSK \"%s\"", leftid, psk);
+ if (strchr (leftid, '"') || strchr (leftid, '\n')) {
+ g_set_error_literal (error,
+ NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_INVALID_CONNECTION,
+ _("Invalid character in password."));
+ return FALSE;
+ }
+ secrets = g_strdup_printf ("@%s: PSK \"%s\"", leftid, psk);
} else {
right = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHT);
- g_assert (right);
- success = write_config_option (fd, NULL, error, "%s %%any: PSK \"%s\"", right, psk);
+
+ /* nm_libreswan_get_ipsec_conf() in _connect_common should've check these. */
+ g_return_val_if_fail (right != NULL, FALSE);
+ g_return_val_if_fail (strchr (right, '"') == NULL, FALSE);
+ g_return_val_if_fail (strchr (right, '\n') == NULL, FALSE);
+
+ secrets = g_strdup_printf ("%s %%any: PSK \"%s\"", right, psk);
}
- if (!success) {
- g_close (fd, NULL);
- return FALSE;
- }
- return g_close (fd, error);
+
+ old_mask = umask (S_IRWXG | S_IRWXO);
+ res = g_file_set_contents (secrets_path, secrets, -1, error);
+ umask (old_mask);
+ return res;
}
/****************************************************************/
@@ -1766,6 +1746,44 @@ done:
return success ? G_SOURCE_CONTINUE : G_SOURCE_REMOVE;
}
+static gboolean
+write_config (int fd,
+ const char *string,
+ GError **error)
+{
+ const char *p;
+ gsize l;
+ int errsv;
+ gssize w;
+
+ _LOGD ("Config %s", string);
+
+ l = strlen (string);
+ p = string;
+ while (true) {
+ w = write (fd, p, l);
+ if (w == l)
+ return TRUE;
+ if (w > 0) {
+ g_assert (w < l);
+ p += w;
+ l -= w;
+ continue;
+ }
+ if (w == 0) {
+ errsv = EIO;
+ break;
+ }
+ errsv = errno;
+ if (errsv == EINTR)
+ continue;
+ break;
+ }
+ g_set_error (error, NMV_EDITOR_PLUGIN_ERROR, NMV_EDITOR_PLUGIN_ERROR,
+ _("Error writing config: %s"), g_strerror (errsv));
+ return FALSE;
+}
+
static gboolean
connect_step (NMLibreswanPlugin *self, GError **error)
{
@@ -1848,37 +1866,12 @@ connect_step (NMLibreswanPlugin *self, GError **error)
return TRUE;
case CONNECT_STEP_CONFIG_ADD: {
- gboolean trailing_newline;
- gs_free char *bus_name = NULL;
- gs_free char *ifupdown_script = NULL;
if (!do_spawn (self, &priv->pid, &fd, NULL, error, priv->ipsec_path,
"auto", "--replace", "--config", "-", uuid, NULL))
return FALSE;
priv->watch_id = g_child_watch_add (priv->pid, child_watch_cb, self);
- g_object_get (self, NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, &bus_name, NULL);
-
- /* openswan requires a terminating \n (otherwise it segfaults) while
- * libreswan fails parsing the configuration if you include the \n.
- * WTF?
- */
- trailing_newline = priv->openswan;
-
- ifupdown_script = g_strdup_printf ("\"%s %d %ld %s\"",
- NM_LIBRESWAN_HELPER_PATH,
- LOG_DEBUG,
- (long) getpid (),
- bus_name);
-
- if (!nm_libreswan_config_write (fd,
- priv->version,
- priv->connection,
- uuid,
- ifupdown_script,
- priv->openswan,
- trailing_newline,
- _debug_write_option,
- error)) {
+ if (!write_config (fd, priv->ipsec_conf, error)) {
g_close (fd, NULL);
return FALSE;
}
@@ -1928,19 +1921,31 @@ _connect_common (NMVpnServicePlugin *plugin,
NMSettingVpn *s_vpn;
const char *con_name = nm_connection_get_uuid (connection);
gs_free char *ipsec_banner = NULL;
+ gs_free char *ifupdown_script = NULL;
+ gs_free char *bus_name = NULL;
+ gboolean trailing_newline;
+ int version;
if (_LOGD_enabled ()) {
_LOGD ("connection:");
nm_connection_dump (connection);
}
+ if (priv->connect_step != CONNECT_STEP_FIRST) {
+ g_set_error_literal (error,
+ NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+ "Already connecting!");
+ return FALSE;
+ }
+
priv->ipsec_path = nm_libreswan_find_helper_bin ("ipsec", error);
if (!priv->ipsec_path)
return FALSE;
- nm_libreswan_detect_version (priv->ipsec_path, &priv->openswan, &priv->version, &ipsec_banner);
+ nm_libreswan_detect_version (priv->ipsec_path, &priv->openswan, &version, &ipsec_banner);
_LOGD ("ipsec: version banner: %s", ipsec_banner);
- _LOGD ("ipsec: detected version %d (%s)", priv->version, priv->openswan ? "Openswan" : "Libreswan");
+ _LOGD ("ipsec: detected version %d (%s)", version, priv->openswan ? "Openswan" : "Libreswan");
if (!priv->openswan) {
priv->pluto_path = nm_libreswan_find_helper_libexec ("pluto", error);
@@ -1960,13 +1965,31 @@ _connect_common (NMVpnServicePlugin *plugin,
if (!nm_libreswan_secrets_validate (s_vpn, error))
return FALSE;
- if (priv->connect_step != CONNECT_STEP_FIRST) {
- g_set_error_literal (error,
- NM_VPN_PLUGIN_ERROR,
- NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
- "Already connecting!");
+ g_object_get (self, NM_VPN_SERVICE_PLUGIN_DBUS_SERVICE_NAME, &bus_name, NULL);
+
+ ifupdown_script = g_strdup_printf ("%s %d %ld %s",
+ NM_LIBRESWAN_HELPER_PATH,
+ LOG_DEBUG,
+ (long) getpid (),
+ bus_name);
+
+ /* openswan requires a terminating \n (otherwise it segfaults) while
+ * libreswan fails parsing the configuration if you include the \n.
+ * WTF?
+ */
+ trailing_newline = priv->openswan;
+
+ /* Compose the ipsec.conf early, to catch configuration errors before
+ * we initiate the conneciton. */
+ priv->ipsec_conf = nm_libreswan_get_ipsec_conf (version,
+ s_vpn,
+ con_name,
+ ifupdown_script,
+ priv->openswan,
+ trailing_newline,
+ error);
+ if (priv->ipsec_conf == NULL)
return FALSE;
- }
/* XAUTH is not part of the IKEv2 standard and we always enforce it in IKEv1 */
priv->xauth_enabled = !nm_libreswan_utils_setting_is_ikev2 (s_vpn, NULL);
@@ -2141,6 +2164,7 @@ real_disconnect (NMVpnServicePlugin *plugin, GError **error)
priv->watch_id = g_child_watch_add (priv->pid, child_watch_cb, plugin);
g_clear_object (&priv->connection);
+ g_clear_pointer (&priv->ipsec_conf, g_free);
return ret;
}
@@ -2173,6 +2197,7 @@ finalize (GObject *object)
{
NMLibreswanPluginPrivate *priv = NM_LIBRESWAN_PLUGIN_GET_PRIVATE (object);
+ g_clear_pointer (&priv->ipsec_conf, g_free);
delete_secrets_file (NM_LIBRESWAN_PLUGIN (object));
connect_cleanup (NM_LIBRESWAN_PLUGIN (object));
g_clear_object (&priv->connection);
--
2.46.0
From 8cbc188222d6a3dcff7ed937d44415f75e34b503 Mon Sep 17 00:00:00 2001
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Tue, 24 Sep 2024 10:55:02 +0200
Subject: [PATCH 6/6] shared/test-utils: add more test cases
Test ipsec.conf formatting more thoroughly, include negative cases.
[lkundrak@v3.sk: Backported from 1.24.0]
---
shared/test-utils.c | 82 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
diff --git a/shared/test-utils.c b/shared/test-utils.c
index 49aa32a..0a92d2b 100644
--- a/shared/test-utils.c
+++ b/shared/test-utils.c
@@ -2,6 +2,8 @@
#include "utils.h"
+#include "nm-utils/nm-shared-utils.h"
+
static void
test_config_write (void)
{
@@ -57,6 +59,86 @@ test_config_write (void)
" rightmodecfgserver=yes\n"
" modecfgpull=yes\n");
g_free (str);
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "ikev2", "insist");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "leftrsasigkey", "hello");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "rightrsasigkey", "world");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_no_error (error);
+ g_assert_cmpstr (str, ==,
+ "conn conn\n"
+ " ikev2=insist\n"
+ " right=11.12.13.14\n"
+ " leftrsasigkey=\"hello\"\n"
+ " rightrsasigkey=\"world\"\n"
+ " left=%defaultroute\n"
+ " leftmodecfgclient=yes\n"
+ " rightsubnet=0.0.0.0/0\n"
+ " keyingtries=1\n"
+ " rekey=yes\n"
+ " rightmodecfgserver=yes\n"
+ " modecfgpull=yes\n");
+ g_free (str);
+
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
+ str = nm_libreswan_get_ipsec_conf (3, s_vpn,
+ "my_con",
+ "/foo/bar/ifupdown hello 123 456",
+ TRUE, FALSE, &error);
+ g_assert_no_error (error);
+ g_assert_cmpstr (str, ==,
+ "conn my_con\n"
+ " auto=add\n"
+ " nm-configured=yes\n"
+ " leftupdown=\"/foo/bar/ifupdown hello 123 456\"\n"
+ " ikev2=never\n"
+ " right=11.12.13.14\n"
+ " authby=secret\n"
+ " left=%defaultroute\n"
+ " leftmodecfgclient=yes\n"
+ " rightsubnet=0.0.0.0/0\n"
+ " leftxauthclient=yes\n"
+ " remote_peer_type=cisco\n"
+ " rightxauthserver=yes\n"
+ " ikelifetime=24h\n"
+ " salifetime=24h\n"
+ " keyingtries=1\n"
+ " rekey=yes\n"
+ " rightmodecfgserver=yes\n"
+ " modecfgpull=yes");
+ g_free (str);
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+ g_assert_null (str);
+ g_clear_error (&error);
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12.13.14");
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "ikev2", "hello world");
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+ g_assert_null (str);
+ g_clear_error (&error);
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "right", "11.12\n13.14");
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+ g_assert_null (str);
+ g_clear_error (&error);
+
+ s_vpn = NM_SETTING_VPN (nm_setting_vpn_new ());
+ nm_setting_vpn_add_data_item (NM_SETTING_VPN(s_vpn), "rightcert", "\"cert\"");
+ str = nm_libreswan_get_ipsec_conf (4, s_vpn, "conn", NULL, FALSE, TRUE, &error);
+ g_assert_error (error, NM_UTILS_ERROR, NM_UTILS_ERROR_INVALID_ARGUMENT);
+ g_assert_null (str);
+ g_clear_error (&error);
}
int
--
2.46.0