From c4daad927ecab9fa47b9d541c3d3ffcabf23411f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?=
Date: Thu, 12 Sep 2024 12:02:21 +0200
Subject: [PATCH] Support require-id-on-certificate
Resolves: RHEL-50696
---
 ...tuff_changed_cb-from-populate_widget.patch | 81 ++++++++
 ...erties-add-require-id-on-certificate.patch | 182 ++++++++++++++++++
 NetworkManager-libreswan.spec | 14 +-
 3 files changed, 275 insertions(+), 2 deletions(-)
 create mode 100644 1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
 create mode 100644 1002-properties-add-require-id-on-certificate.patch
diff --git a/1001-editor-connect-stuff_changed_cb-from-populate_widget.patch b/1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
new file mode 100644
index 0000000..4bdd793
--- /dev/null
+++ b/1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
@@ -0,0 +1,81 @@ +From 4957f0123c109df05885b2c85bfabc8f7311fe62 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= +Date: Mon, 9 Sep 2024 12:25:58 +0200 +Subject: [PATCH] editor: connect stuff_changed_cb from populate_widget + +There is no need to do it in 2 different steps, we always have to +connect it after creating the widget. Let's do it all together so no +developer forgets. +--- + properties/nm-libreswan-editor.c | 47 -------------------------------- + 1 file changed, 47 deletions(-) + +diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c +index b03d2fe..5687dc7 100644 +--- a/properties/nm-libreswan-editor.c ++++ b/properties/nm-libreswan-editor.c +@@ -351,27 +351,6 @@ populate_widget (LibreswanEditor *self, + } + gtk_combo_box_set_active (GTK_COMBO_BOX (widget), idx); + } +-} +- +- +-/* Init the widget on the basis of its actual type. +- * widget_name: the name of the widget +- * key_name: the name of the key where the config value is stored +- * alt_key_name:alternative name of the key +- * match_value: used only for toggle_button and combo_box widgets; when matched +- * in the former it will set the toggle button as active, in the latter +- * will be used as a match for enabling the third index of possible values +- * (a three-valued logic value is expected: "no", "yes" or "match_value"). +- */ +-static void +-hook_stuff_changed_cb (LibreswanEditor *self, +- const char *widget_name) +-{ +- LibreswanEditorPrivate *priv = LIBRESWAN_EDITOR_GET_PRIVATE (self); +- GtkWidget *widget; +- +- widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, widget_name)); +- g_return_if_fail (widget); + + g_signal_connect (G_OBJECT (widget), + GTK_IS_CHECK_BUTTON (widget) ? 
"toggled" : "changed", +@@ -471,33 +450,7 @@ init_editor_plugin (LibreswanEditor *self, + populate_widget (self, "group_entry", NM_LIBRESWAN_KEY_LEFTID, NULL, NULL); + populate_widget (self, "cert_entry", NM_LIBRESWAN_KEY_LEFTCERT, NULL, NULL); + populate_widget (self, "remoteid_entry", NM_LIBRESWAN_KEY_RIGHTID, NULL, NULL); +- hook_stuff_changed_cb (self, "gateway_entry"); +- hook_stuff_changed_cb (self, "user_entry"); +- hook_stuff_changed_cb (self, "group_entry"); +- hook_stuff_changed_cb (self, "cert_entry"); +- hook_stuff_changed_cb (self, "remoteid_entry"); +- +- /* Advanced Dialog */ + populate_adv_dialog (self); +- hook_stuff_changed_cb (self, "domain_entry"); +- hook_stuff_changed_cb (self, "phase1_entry"); +- hook_stuff_changed_cb (self, "phase2_entry"); +- hook_stuff_changed_cb (self, "phase1_lifetime_entry"); +- hook_stuff_changed_cb (self, "phase2_lifetime_entry"); +- hook_stuff_changed_cb (self, "rekey_checkbutton"); +- hook_stuff_changed_cb (self, "pfs_checkbutton"); +- hook_stuff_changed_cb (self, "local_network_entry"); +- hook_stuff_changed_cb (self, "remote_network_entry"); +- hook_stuff_changed_cb (self, "narrowing_checkbutton"); +- hook_stuff_changed_cb (self, "fragmentation_combo"); +- hook_stuff_changed_cb (self, "mobike_combo"); +- hook_stuff_changed_cb (self, "dpd_delay_entry"); +- hook_stuff_changed_cb (self, "dpd_timeout_entry"); +- hook_stuff_changed_cb (self, "dpd_action_combo"); +- hook_stuff_changed_cb (self, "ipsec_interface_entry"); +- hook_stuff_changed_cb (self, "authby_entry"); +- hook_stuff_changed_cb (self, "disable_modecfgclient_checkbutton"); +- hook_stuff_changed_cb (self, "remote_cert_entry"); + + priv->advanced_dialog = GTK_WIDGET (gtk_builder_get_object (priv->builder, "libreswan-advanced-dialog")); + g_return_val_if_fail (priv->advanced_dialog != NULL, FALSE); +-- +2.44.0 + 
diff --git a/1002-properties-add-require-id-on-certificate.patch b/1002-properties-add-require-id-on-certificate.patch new file mode 100644 index 0000000..7c33e5a --- /dev/null +++ b/1002-properties-add-require-id-on-certificate.patch 
@@ -0,0 +1,182 @@ +From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= +Date: Mon, 9 Sep 2024 11:47:57 +0200 +Subject: [PATCH] properties: add require-id-on-certificate + +From `man ipsec.conf`: + +require-id-on-certificate: + When using certificates, check whether the IKE peer ID is present as + a subjectAltName (SAN) on the peer certificate. Accepted values are + yes (the default) or no. This check should only be disabled when + intentionally using certificates that do not have their peer ID specified + as a SAN on the certificate. These certificates violate RFC 4945 Section + 3.1 and are normally rejected to prevent a compromised host from assuming + the IKE identity of another host. The SAN limits the IDs that the + peer is able to assume. +--- + properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++ + properties/nm-libreswan-editor-plugin.c | 2 ++ + properties/nm-libreswan-editor.c | 9 +++++++++ + shared/nm-service-defines.h | 1 + + shared/utils.c | 5 +++++ + src/nm-libreswan-service.c | 1 + + 6 files changed, 44 insertions(+) + +diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui +index b682895..17a7171 100644 +--- a/properties/nm-libreswan-dialog.ui ++++ b/properties/nm-libreswan-dialog.ui +@@ -1222,6 +1222,32 @@ config: authby <value> + 0 + + ++ ++ ++ True ++ False ++ Don't require remote certificate name ++ True ++ require_id_on_certificate_checkbutton ++ 1 ++ ++ ++ 0 ++ 1 ++ ++ ++ ++ ++ True ++ True ++ False ++ True ++ ++ ++ 1 ++ 1 ++ ++ + + + +diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c +index fe473d1..7aa528e 100644 +--- a/properties/nm-libreswan-editor-plugin.c ++++ b/properties/nm-libreswan-editor-plugin.c +@@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self, + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily=")); + else if 
(g_str_has_prefix (str, "clientaddrfamily=")) + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily=")); ++ else if (g_str_has_prefix (str, "require-id-on-certificate=")) ++ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate=")); + else if (g_str_has_prefix (str, "rightsubnet=")) { + if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0")) + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]); +diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c +index 5687dc7..b350819 100644 +--- a/properties/nm-libreswan-editor.c ++++ b/properties/nm-libreswan-editor.c +@@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self) + populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL); + populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no"); + populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL); ++ populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no"); + } + + static gboolean +@@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn) + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str); + else + nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT); ++ ++ /* Disable Require ID on certificate */ ++ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton")); ++ if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))) ++ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no"); ++ else ++ nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE); ++ + } + + static gboolean +diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h +index 167b837..5f523bd 
100644 +--- a/shared/nm-service-defines.h ++++ b/shared/nm-service-defines.h +@@ -73,6 +73,7 @@ + #define NM_LIBRESWAN_KEY_TYPE "type" + #define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily" + #define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily" ++#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate" + + #define NM_LIBRESWAN_IKEV2_NO "no" + #define NM_LIBRESWAN_IKEV2_NEVER "never" +diff --git a/shared/utils.c b/shared/utils.c +index 65bc603..9394099 100644 +--- a/shared/utils.c ++++ b/shared/utils.c +@@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd, + const char *mobike; + const char *pfs; + const char *client_family; ++ const char *require_id_on_certificate; + const char *item; + gboolean is_ikev2 = FALSE; + +@@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd, + if (client_family && strlen (client_family)) + WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family); + ++ require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE); ++ if (require_id_on_certificate && strlen (require_id_on_certificate)) ++ WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate); ++ + leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY); + rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY); + leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT); +diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c +index e5956af..984e991 100644 +--- a/src/nm-libreswan-service.c ++++ b/src/nm-libreswan-service.c +@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = { + { NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 }, ++ { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 }, + /* Ignored option 
for internal use */ + { NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 }, + { NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 }, +--- a/gtk4/nm-libreswan-dialog.ui ++++ b/gtk4/nm-libreswan-dialog.ui +@@ -979,6 +979,27 @@ + + + ++ ++ ++ Don't require remote certificate name ++ 1 ++ require_id_on_certificate_checkbutton ++ 1 ++ ++ 0 ++ 1 ++ ++ ++ ++ ++ ++ 1 ++ ++ 1 ++ 1 ++ ++ ++ + + + +-- +2.44.0 + diff --git a/NetworkManager-libreswan.spec b/NetworkManager-libreswan.spec index 7bf48a7..583b359 100644 --- a/NetworkManager-libreswan.spec +++ b/NetworkManager-libreswan.spec @@ -11,7 +11,7 @@ %global real_version 1.2.22 %global rpm_version 1.2.22 -%global release_version 1 +%global release_version 2 %global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p') @@ -27,7 +27,14 @@ License: GPLv2+ URL: http://www.gnome.org/projects/NetworkManager/ Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_version_major}/%{name}-%{real_version}.tar.xz -# Patch1: 0001-some.patch +# These are not bugfixes, hence they are also relevant after +# the next rebase of the source tarball. +# Patch0001: 0001-some.patch + +# Bugfixes that are only relevant until next rebase of the package. +# Patch1001: 1001-some.patch +Patch1001: 1001-editor-connect-stuff_changed_cb-from-populate_widget.patch +Patch1002: 1002-properties-add-require-id-on-certificate.patch BuildRequires: make BuildRequires: gcc @@ -129,6 +136,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la %endif %changelog +* Thu Sep 12 2024 Íñigo Huguet - 1.2.22-2 +- Support require-id-on-certificate (RHEL-50696) + * Wed May 22 2024 Beniamino Galvani - 1.2.22-1 - Add IPv6 support (RHEL-21875)
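Review bot: The new `require-id-on-certificate` value goes from the profile straight into the generated ipsec.conf in the `shared/utils.c` part of the embedded patch (`WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate)`) and is declared only as an unconstrained `G_TYPE_STRING` in `valid_properties` in `src/nm-libreswan-service.c`, although the man page quoted in the commit message says the option accepts only `yes` or `no`; a value copied verbatim by `import_from_file` that is anything else reaches libreswan unchecked and fails there with a less useful error than the service could report. The `ValidProperty` rows appear to carry only integer bounds, so the yes/no restriction belongs in the service's property validation, or at least `nm_libreswan_config_write` could emit the line only when `!strcmp (require_id_on_certificate, "yes") || !strcmp (require_id_on_certificate, "no")`; the editor itself only ever stores `"no"` or removes the key, so existing profiles keep libreswan's default of enforcing the check, which is the right default for an option that relaxes an RFC 4945 identity check. The `gtk4/nm-libreswan-dialog.ui` section appended after the `src/nm-libreswan-service.c` hunk has no `diff --git`/`index` header and is absent from the patch's own diffstat (`6 files changed, 44 insertions(+)`), so this file is not upstream commit 95517f4 as-is; regenerate it with git format-patch or state the local addition in the patch description. The diffstat shows only the two import lines added to `nm-libreswan-editor-plugin.c`, so if that file also has an export path that writes the other keys to a conf file, the new key is presumably not exported. The `.ui` hunks and the bodies of `update_adv_settings` and `nm_libreswan_config_write` are only fragments here, so the XML and the surrounding control flow could not be checked.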