Support require-id-on-certificate

Resolves: RHEL-50696
Íñigo Huguet 2024-09-12 12:02:21 +02:00
parent 4d6dc4bc45
commit c4daad927e
3 changed files with 275 additions and 2 deletions


@ -0,0 +1,81 @@
From 4957f0123c109df05885b2c85bfabc8f7311fe62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Mon, 9 Sep 2024 12:25:58 +0200
Subject: [PATCH] editor: connect stuff_changed_cb from populate_widget
There is no need to do it in 2 different steps, we always have to
connect it after creating the widget. Let's do it all together so no
developer forgets.
---
properties/nm-libreswan-editor.c | 47 --------------------------------
1 file changed, 47 deletions(-)
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
index b03d2fe..5687dc7 100644
--- a/properties/nm-libreswan-editor.c
+++ b/properties/nm-libreswan-editor.c
@@ -351,27 +351,6 @@ populate_widget (LibreswanEditor *self,
}
gtk_combo_box_set_active (GTK_COMBO_BOX (widget), idx);
}
-}
-
-
-/* Init the widget on the basis of its actual type.
- * widget_name: the name of the widget
- * key_name: the name of the key where the config value is stored
- * alt_key_name:alternative name of the key
- * match_value: used only for toggle_button and combo_box widgets; when matched
- * in the former it will set the toggle button as active, in the latter
- * will be used as a match for enabling the third index of possible values
- * (a three-valued logic value is expected: "no", "yes" or "match_value").
- */
-static void
-hook_stuff_changed_cb (LibreswanEditor *self,
- const char *widget_name)
-{
- LibreswanEditorPrivate *priv = LIBRESWAN_EDITOR_GET_PRIVATE (self);
- GtkWidget *widget;
-
- widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, widget_name));
- g_return_if_fail (widget);
g_signal_connect (G_OBJECT (widget),
GTK_IS_CHECK_BUTTON (widget) ? "toggled" : "changed",
@@ -471,33 +450,7 @@ init_editor_plugin (LibreswanEditor *self,
populate_widget (self, "group_entry", NM_LIBRESWAN_KEY_LEFTID, NULL, NULL);
populate_widget (self, "cert_entry", NM_LIBRESWAN_KEY_LEFTCERT, NULL, NULL);
populate_widget (self, "remoteid_entry", NM_LIBRESWAN_KEY_RIGHTID, NULL, NULL);
- hook_stuff_changed_cb (self, "gateway_entry");
- hook_stuff_changed_cb (self, "user_entry");
- hook_stuff_changed_cb (self, "group_entry");
- hook_stuff_changed_cb (self, "cert_entry");
- hook_stuff_changed_cb (self, "remoteid_entry");
-
- /* Advanced Dialog */
populate_adv_dialog (self);
- hook_stuff_changed_cb (self, "domain_entry");
- hook_stuff_changed_cb (self, "phase1_entry");
- hook_stuff_changed_cb (self, "phase2_entry");
- hook_stuff_changed_cb (self, "phase1_lifetime_entry");
- hook_stuff_changed_cb (self, "phase2_lifetime_entry");
- hook_stuff_changed_cb (self, "rekey_checkbutton");
- hook_stuff_changed_cb (self, "pfs_checkbutton");
- hook_stuff_changed_cb (self, "local_network_entry");
- hook_stuff_changed_cb (self, "remote_network_entry");
- hook_stuff_changed_cb (self, "narrowing_checkbutton");
- hook_stuff_changed_cb (self, "fragmentation_combo");
- hook_stuff_changed_cb (self, "mobike_combo");
- hook_stuff_changed_cb (self, "dpd_delay_entry");
- hook_stuff_changed_cb (self, "dpd_timeout_entry");
- hook_stuff_changed_cb (self, "dpd_action_combo");
- hook_stuff_changed_cb (self, "ipsec_interface_entry");
- hook_stuff_changed_cb (self, "authby_entry");
- hook_stuff_changed_cb (self, "disable_modecfgclient_checkbutton");
- hook_stuff_changed_cb (self, "remote_cert_entry");
priv->advanced_dialog = GTK_WIDGET (gtk_builder_get_object (priv->builder, "libreswan-advanced-dialog"));
g_return_val_if_fail (priv->advanced_dialog != NULL, FALSE);
--
2.44.0
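Review bot: The comment block deleted at the top of this hunk (`/* Init the widget on the basis of its actual type. * widget_name: ... * key_name: ... * alt_key_name: ... * match_value: ... */`) describes populate_widget's parameters, not hook_stuff_changed_cb, so removing it together with the helper leaves populate_widget with no documentation at all; it should be moved above populate_widget's definition rather than dropped. The removed helper also guarded its lookup with `g_return_if_fail (widget);` before calling g_signal_connect, and whether populate_widget applies an equivalent guard before the now-inlined connect is not visible here, so please confirm a missing widget in the .ui cannot reach g_signal_connect with NULL. populate_widget's body begins before this hunk and init_editor_plugin continues past it.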


@ -0,0 +1,182 @@
From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Mon, 9 Sep 2024 11:47:57 +0200
Subject: [PATCH] properties: add require-id-on-certificate
From `man ipsec.conf`:
require-id-on-certificate:
When using certificates, check whether the IKE peer ID is present as
a subjectAltName (SAN) on the peer certificate. Accepted values are
yes (the default) or no. This check should only be disabled when
intentionally using certificates that do not have their peer ID specified
as a SAN on the certificate. These certificates violate RFC 4945 Section
3.1 and are normally rejected to prevent a compromised host from assuming
the IKE identity of another host. The SAN limits the IDs that the
peer is able to assume.
---
properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++
properties/nm-libreswan-editor-plugin.c | 2 ++
properties/nm-libreswan-editor.c | 9 +++++++++
shared/nm-service-defines.h | 1 +
shared/utils.c | 5 +++++
src/nm-libreswan-service.c | 1 +
6 files changed, 44 insertions(+)
diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
index b682895..17a7171 100644
--- a/properties/nm-libreswan-dialog.ui
+++ b/properties/nm-libreswan-dialog.ui
@@ -1222,6 +1222,32 @@ config: authby &lt;value&gt;
<property name="top_attach">0</property>
</packing>
</child>
+ <child>
+ <object class="GtkLabel" id="require_id_on_certificate_label">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">Don't require remote certificate name</property>
+ <property name="use_underline">True</property>
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="left_attach">0</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="receives_default">False</property>
+ <property name="draw_indicator">True</property>
+ </object>
+ <packing>
+ <property name="left_attach">1</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
</object>
</child>
</object>
diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
index fe473d1..7aa528e 100644
--- a/properties/nm-libreswan-editor-plugin.c
+++ b/properties/nm-libreswan-editor-plugin.c
@@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self,
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily="));
else if (g_str_has_prefix (str, "clientaddrfamily="))
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily="));
+ else if (g_str_has_prefix (str, "require-id-on-certificate="))
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate="));
else if (g_str_has_prefix (str, "rightsubnet=")) {
if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
index 5687dc7..b350819 100644
--- a/properties/nm-libreswan-editor.c
+++ b/properties/nm-libreswan-editor.c
@@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self)
populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL);
populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no");
populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL);
+ populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no");
}
static gboolean
@@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn)
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str);
else
nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
+
+ /* Disable Require ID on certificate */
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton"));
+ if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget)))
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no");
+ else
+ nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
+
}
static gboolean
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index 167b837..5f523bd 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -73,6 +73,7 @@
#define NM_LIBRESWAN_KEY_TYPE "type"
#define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily"
#define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily"
+#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate"
#define NM_LIBRESWAN_IKEV2_NO "no"
#define NM_LIBRESWAN_IKEV2_NEVER "never"
diff --git a/shared/utils.c b/shared/utils.c
index 65bc603..9394099 100644
--- a/shared/utils.c
+++ b/shared/utils.c
@@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd,
const char *mobike;
const char *pfs;
const char *client_family;
+ const char *require_id_on_certificate;
const char *item;
gboolean is_ikev2 = FALSE;
@@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd,
if (client_family && strlen (client_family))
WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
+ require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
+ if (require_id_on_certificate && strlen (require_id_on_certificate))
+ WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate);
+
leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
index e5956af..984e991 100644
--- a/src/nm-libreswan-service.c
+++ b/src/nm-libreswan-service.c
@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = {
{ NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 },
{ NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 },
{ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 },
+ { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 },
/* Ignored option for internal use */
{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 },
{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
--- a/gtk4/nm-libreswan-dialog.ui
+++ b/gtk4/nm-libreswan-dialog.ui
@@ -979,6 +979,27 @@
</layout>
</object>
</child>
+ <child>
+ <object class="GtkLabel" id="require_id_on_certificate_label">
+ <property name="label" translatable="1">Don&apos;t require remote certificate name</property>
+ <property name="use_underline">1</property>
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
+ <property name="xalign">1</property>
+ <layout>
+ <property name="column">0</property>
+ <property name="row">1</property>
+ </layout>
+ </object>
+ </child>
+ <child>
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
+ <property name="focusable">1</property>
+ <layout>
+ <property name="column">1</property>
+ <property name="row">1</property>
+ </layout>
+ </object>
+ </child>
</object>
</child>
</object>
--
2.44.0
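Review bot: The value imported at `require-id-on-certificate=` in import_from_file is stored without validation, the service's valid_properties entry declares it only as an unconstrained G_TYPE_STRING, and nm_libreswan_config_write emits it verbatim through ` require-id-on-certificate=%s`, so any string that reaches the connection is passed straight into the config handed to libreswan; update_adv_settings only ever writes `"no"`, but imported files and settings pushed over D-Bus do not go through the editor. Because this option is a security downgrade (the commit message quotes the man page: it disables the RFC 4945 §3.1 SAN check that stops a compromised host assuming another host's IKE identity), I would accept only the two documented values where it is consumed, e.g. in utils.c `if (require_id_on_certificate && (g_strcmp0 (require_id_on_certificate, "yes") == 0 || g_strcmp0 (require_id_on_certificate, "no") == 0))`, and apply the same yes/no check in import_from_file. The checkbutton label "Don't require remote certificate name" does not say what protection is being switched off; following the neighbouring widgets that carry a `config: ...` tooltip, a tooltip such as `config: require-id-on-certificate=no — disables the check that the peer's IKE ID appears as a subjectAltName in its certificate (RFC 4945 3.1); only for certificates that lack the ID as a SAN` would make the consequence visible before a user ticks it. import_from_file, update_adv_settings and nm_libreswan_config_write all start before and end after their respective hunks.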


@ -11,7 +11,7 @@
%global real_version 1.2.22
%global rpm_version 1.2.22
%global release_version 1
%global release_version 2
%global real_version_major %(printf '%s' '%{real_version}' | sed -n 's/^\\([1-9][0-9]*\\.[1-9][0-9]*\\)\\.[1-9][0-9]*$/\\1/p')
@ -27,7 +27,14 @@ License: GPLv2+
URL: http://www.gnome.org/projects/NetworkManager/
Source0: https://download.gnome.org/sources/NetworkManager-libreswan/%{real_version_major}/%{name}-%{real_version}.tar.xz
# Patch1: 0001-some.patch
# These are not bugfixes, hence they are also relevant after
# the next rebase of the source tarball.
# Patch0001: 0001-some.patch
# Bugfixes that are only relevant until next rebase of the package.
# Patch1001: 1001-some.patch
Patch1001: 1001-editor-connect-stuff_changed_cb-from-populate_widget.patch
Patch1002: 1002-properties-add-require-id-on-certificate.patch
BuildRequires: make
BuildRequires: gcc
@ -129,6 +136,9 @@ rm -f %{buildroot}%{_libdir}/NetworkManager/lib*.la
%endif
%changelog
* Thu Sep 12 2024 Íñigo Huguet <ihuguet@redhat.com> - 1.2.22-2
- Support require-id-on-certificate (RHEL-50696)
* Wed May 22 2024 Beniamino Galvani <bgalvani@redhat.com> - 1.2.22-1
- Add IPv6 support (RHEL-21875)