rpms/NetworkManager-libreswan
5
0
Fork 0
Code Issues Pull Requests Releases Activity

- Modified fix for the bz 607352

Browse Source 
- Fix to read connection configuration from stdin
- Fix to read Xauth user password from stdin
- Fix to delete the secret file as soon as read by Openswan
This commit is contained in:
avesh agarwal 2010-07-13 23:11:02 +00:00
parent f98504abad
commit f47d176e86
2 changed files with 256 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
NetworkManager-openswan.spec
View File

@ -1,4 +1,4 @@
%define openswan_version 2.6.25-2
%define openswan_version 2.6.27-1
%define snapshot .20100411git
%define realversion 0.8
@ -6,7 +6,7 @@
Summary: NetworkManager VPN plug-in for openswan
Name: NetworkManager-openswan
Version: 0.8.0
Release: 3%{snapshot}%{?dist}
Release: 4%{snapshot}%{?dist}
License: GPLv2+
Group: System Environment/Base
URL: http://people.redhat.com/avagarwa/files/NetworkManager-openswan/
@ -76,6 +76,12 @@ rm -rf $RPM_BUILD_ROOT
%dir %{_datadir}/gnome-vpn-properties/openswan
%changelog
* Tue Jul 13 2010 Avesh Agarwal <avagarwa@redhat.com> - 0.8.0-4.20100411git
- Modified fix for the bz 607352
- Fix to read connection configuration from stdin
- Fix to read Xauth user password from stdin
- Fix to delete the secret file as soon as read by Openswan
* Thu Jul 8 2010 Avesh Agarwal <avagarwa@redhat.com> - 0.8.0-3.20100411git
- Modified the patch so that it does not pass user password to
"ipsec whack" command.

268
nm-secret-whack.patch
View File

@ -231,8 +231,35 @@ diff -urNp NetworkManager-openswan-0.8-orig/properties/nm-openswan-dialog.glade
</child>
diff -urNp NetworkManager-openswan-0.8-orig/src/nm-openswan-service.c NetworkManager-openswan-0.8/src/nm-openswan-service.c
--- NetworkManager-openswan-0.8-orig/src/nm-openswan-service.c 2010-06-04 17:50:13.000000000 -0400
+++ NetworkManager-openswan-0.8/src/nm-openswan-service.c 2010-07-08 16:05:26.372305285 -0400
@@ -218,6 +218,7 @@ openswan_watch_cb_auto (GPid pid, gint s
+++ NetworkManager-openswan-0.8/src/nm-openswan-service.c 2010-07-13 18:19:05.137333584 -0400
@@ -212,12 +212,32 @@ openswan_watch_cb_auto (GPid pid, gint s
nm_warning ("openswan: ipsec auto died from an unknown cause");
/* Reap child if needed. */
- waitpid (priv->pid_auto, NULL, WNOHANG);
- priv->pid_auto = 0;
+ //waitpid (priv->pid_auto, NULL, WNOHANG);
+ //priv->pid_auto = 0;
+
+ waitpid (priv->pid, NULL, WNOHANG);
+ priv->pid = 0;
+
+ /* Must be after data->state is set since signals use data->state */
+ switch (error) {
+ case 2:
+ /* Couldn't log in due to bad user/pass */
+ nm_vpn_plugin_failure (NM_VPN_PLUGIN (plugin), NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
+ break;
+ case 1:
+ /* Other error (couldn't bind to address, etc) */
+ nm_vpn_plugin_failure (NM_VPN_PLUGIN (plugin), NM_VPN_PLUGIN_FAILURE_CONNECT_FAILED);
+ break;
+ default:
+ break;
+ }
+
+ nm_vpn_plugin_set_state (NM_VPN_PLUGIN (plugin), NM_VPN_SERVICE_STATE_STOPPED);
}
static gint
@ -240,15 +267,29 @@ diff -urNp NetworkManager-openswan-0.8-orig/src/nm-openswan-service.c NetworkMan
nm_openswan_start_openswan_binary (NMOPENSWANPlugin *plugin, GError **error)
{
GPid pid, pid_auto;
@@ -259,12 +260,14 @@ nm_openswan_start_openswan_binary (NMOPE
@@ -257,14 +277,27 @@ nm_openswan_start_openswan_binary (NMOPE
}
g_ptr_array_free (openswan_argv, TRUE);
+ nm_info ("openswan: ipsec started with pid %d", pid);
+
+ NM_OPENSWAN_PLUGIN_GET_PRIVATE (plugin)->pid = pid;
+ openswan_watch = g_child_watch_source_new (pid);
+ g_source_set_callback (openswan_watch, (GSourceFunc) openswan_watch_cb_auto, plugin, NULL);
+ g_source_attach (openswan_watch, NULL);
+ g_source_unref (openswan_watch);
+
sleep(2);
- /*ipsec auto --up <conn-name>*/
openswan_argv = g_ptr_array_new ();
g_ptr_array_add (openswan_argv, (gpointer) (*openswan_binary));
g_ptr_array_add (openswan_argv, (gpointer) "auto");
g_ptr_array_add (openswan_argv, (gpointer) "--up");
- g_ptr_array_add (openswan_argv, (gpointer) "--up");
+ g_ptr_array_add (openswan_argv, (gpointer) "--add");
+ g_ptr_array_add (openswan_argv, (gpointer) "--config");
+ g_ptr_array_add (openswan_argv, (gpointer) "-");
+ //g_ptr_array_add (openswan_argv, (gpointer) "--up");
+ //g_ptr_array_add (openswan_argv, (gpointer) "--name");
g_ptr_array_add (openswan_argv, (gpointer) "nm-conn1");
+ //g_ptr_array_add (openswan_argv, (gpointer) "--xauthpass");
@ -256,7 +297,7 @@ diff -urNp NetworkManager-openswan-0.8-orig/src/nm-openswan-service.c NetworkMan
g_ptr_array_add (openswan_argv, NULL);
if (!g_spawn_async_with_pipes (NULL, (char **) openswan_argv->pdata, NULL,
@@ -277,13 +280,13 @@ nm_openswan_start_openswan_binary (NMOPE
@@ -277,13 +310,64 @@ nm_openswan_start_openswan_binary (NMOPE
}
g_ptr_array_free (openswan_argv, TRUE);
@ -268,15 +309,77 @@ diff -urNp NetworkManager-openswan-0.8-orig/src/nm-openswan-service.c NetworkMan
- g_source_set_callback (openswan_watch, (GSourceFunc) openswan_watch_cb_auto, plugin, NULL);
- g_source_attach (openswan_watch, NULL);
- g_source_unref (openswan_watch);
+ NM_OPENSWAN_PLUGIN_GET_PRIVATE (plugin)->pid_auto = pid_auto;
+ /*NM_OPENSWAN_PLUGIN_GET_PRIVATE (plugin)->pid_auto = pid_auto;
+ openswan_watch = g_child_watch_source_new (pid_auto);
+ g_source_set_callback (openswan_watch, (GSourceFunc) openswan_watch_cb_auto, plugin, NULL);
+ g_source_attach (openswan_watch, NULL);
+ g_source_unref (openswan_watch);
+ g_source_unref (openswan_watch);*/
+
+ return stdin_fd;
+}
+
+
+
+static gint
+nm_openswan_start_openswan_connection (NMOPENSWANPlugin *plugin, GError **error)
+{
+ GPid pid;
+ const char **openswan_binary = NULL;
+ GPtrArray *openswan_argv;
+ gint stdin_fd;
+
+ /* Find openswan ipsec */
+ openswan_binary = openswan_binary_paths;
+ while (*openswan_binary != NULL) {
+ if (g_file_test (*openswan_binary, G_FILE_TEST_EXISTS))
+ break;
+ openswan_binary++;
+ }
+
+ if (!*openswan_binary) {
+ g_set_error (error,
+ NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+ "%s",
+ "Could not find openswan binary.");
+ return -1;
+ }
+
+ openswan_argv = g_ptr_array_new ();
+ g_ptr_array_add (openswan_argv, (gpointer) (*openswan_binary));
+ g_ptr_array_add (openswan_argv, (gpointer) "auto");
+ g_ptr_array_add (openswan_argv, (gpointer) "--up");
+ g_ptr_array_add (openswan_argv, (gpointer) "nm-conn1");
+ g_ptr_array_add (openswan_argv, NULL);
+
+ if (!g_spawn_async_with_pipes (NULL, (char **) openswan_argv->pdata, NULL,
+ G_SPAWN_DO_NOT_REAP_CHILD, NULL, NULL, &pid, &stdin_fd,
+ NULL, NULL, error)) {
+
+ g_ptr_array_free (openswan_argv, TRUE);
+ nm_warning ("openswan: ipsec auto connection failed to start. error: '%s'", (*error)->message);
+ return -1;
+ }
+ g_ptr_array_free (openswan_argv, TRUE);
+
+ sleep(3);
+
+ nm_info ("openswan: ipsec auto connection started with pid %d", pid);
return stdin_fd;
}
@@ -365,7 +368,7 @@ write_one_property (const char *key, con
@@ -318,8 +402,8 @@ write_one_property (const char *key, con
WriteConfigInfo *info = (WriteConfigInfo *) user_data;
GType type = G_TYPE_INVALID;
int i;
- const char *default_username;
- const char *props_username;
+ //const char *default_username;
+ //const char *props_username;
const char *leftid;
if (info->error)
@@ -365,11 +449,11 @@ write_one_property (const char *key, con
//write_config_option (info->fd, "%s %s\n", (char *) key, (char *) value);
if (!strcmp (key, NM_OPENSWAN_PSK_VALUE)) {
@ -285,18 +388,51 @@ diff -urNp NetworkManager-openswan-0.8-orig/src/nm-openswan-service.c NetworkMan
write_config_option (info->secret_fd, "@%s: PSK \"%s\"\n", leftid, (char *) value);
}
@@ -426,8 +429,8 @@ nm_openswan_config_write (NMSettingVPN *
gint conf_fd=-1;
gint secret_fd=-1;
- if (!strcmp (key, NM_OPENSWAN_XAUTH_PASSWORD)) {
+ /*if (!strcmp (key, NM_OPENSWAN_XAUTH_PASSWORD)) {
default_username = nm_setting_vpn_get_user_name (info->s_vpn);
props_username = nm_setting_vpn_get_data_item (info->s_vpn, NM_OPENSWAN_LEFTXAUTHUSER);
if ( default_username && strlen (default_username)
@@ -378,7 +462,7 @@ write_one_property (const char *key, con
} else {
write_config_option (info->secret_fd, "@%s : XAUTH \"%s\"\n", props_username, (char *) value);
}
- }
+ }*/
} else if (type == G_TYPE_BOOLEAN) {
if (!strcmp (value, "yes")) {
@@ -414,22 +498,22 @@ write_one_property (const char *key, con
}
static gboolean
-nm_openswan_config_write (NMSettingVPN *s_vpn,
+nm_openswan_config_write (gint openswan_fd, NMSettingVPN *s_vpn,
GError **error)
{
WriteConfigInfo *info;
const char *props_username;
//const char *props_natt_mode;
const char *default_username;
- const char *pw_type;
+ //const char *pw_type;
gint fdtmp1=-1;
- gint conf_fd=-1;
- gint secret_fd=-1;
+ //gint conf_fd=-1;
+ //gint secret_fd=-1;
- conf_fd = open ("/etc/ipsec.d/ipsec-nm-conn1.conf", O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
- secret_fd = open ("/etc/ipsec.d/ipsec-nm-conn1.secrets", O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ conf_fd = open ("/etc/ipsec.d/ipsec-nm-conn1.conf", O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);
+ secret_fd = open ("/etc/ipsec.d/ipsec-nm-conn1.secrets", O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);
+ //conf_fd = open ("/etc/ipsec.d/ipsec-nm-conn1.conf", O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);
+ //secret_fd = open ("/etc/ipsec.d/ipsec-nm-conn1.secrets", O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);
fdtmp1 = conf_fd;
- fdtmp1 = conf_fd;
+ fdtmp1 = openswan_fd;
if(fdtmp1 != -1) {
@@ -454,8 +457,10 @@ nm_openswan_config_write (NMSettingVPN *
write_config_option (fdtmp1, "conn nm-conn1\n");
write_config_option (fdtmp1, " aggrmode=yes\n");
@@ -454,8 +538,10 @@ nm_openswan_config_write (NMSettingVPN *
write_config_option (fdtmp1, " ike=aes-sha1\n");
write_config_option (fdtmp1, " esp=aes-sha1;modp1024\n");
write_config_option (fdtmp1, " nm_configured=yes\n");
@ -308,23 +444,115 @@ diff -urNp NetworkManager-openswan-0.8-orig/src/nm-openswan-service.c NetworkMan
}
//default_username = nm_setting_vpn_get_user_name (s_vpn);
@@ -514,8 +519,8 @@ real_connect (NMVPNPlugin *plugin,
@@ -472,7 +558,49 @@ nm_openswan_config_write (NMSettingVPN *
info = g_malloc0 (sizeof (WriteConfigInfo));
//info->fd = openswan_fd;
- info->conf_fd = conf_fd;
+ //info->conf_fd = conf_fd;
+ info->conf_fd = openswan_fd;
+ //info->secret_fd = secret_fd;
+ info->s_vpn = s_vpn;
+
+ /* Check for ignored user password */
+ /*pw_type = nm_setting_vpn_get_data_item (s_vpn, NM_OPENSWAN_XAUTH_PASSWORD_INPUT_MODES);
+ if (pw_type && !strcmp (pw_type, NM_OPENSWAN_PW_TYPE_UNUSED))
+ info->upw_ignored = TRUE;*/
+
+ /* Check for ignored group password */
+ /*pw_type = nm_setting_vpn_get_data_item (s_vpn, NM_OPENSWAN_PSK_INPUT_MODES);
+ if (pw_type && !strcmp (pw_type, NM_OPENSWAN_PW_TYPE_UNUSED))
+ info->gpw_ignored = TRUE;*/
+
+ nm_setting_vpn_foreach_data_item (s_vpn, write_one_property, info);
+ //nm_setting_vpn_foreach_secret (s_vpn, write_one_property, info);
+ *error = info->error;
+ //close(conf_fd);
+ close(openswan_fd);
+ sleep(3);
+ //close(secret_fd);
+ g_free (info);
+
+ return *error ? FALSE : TRUE;
+}
+
+
+static gboolean
+nm_openswan_config_secret_write (NMSettingVPN *s_vpn,
+ GError **error)
+{
+ WriteConfigInfo *info;
+ //const char *props_username;
+ //const char *default_username;
+ const char *pw_type;
+ //gint fdtmp1=-1;
+ //gint conf_fd=-1;
+ gint secret_fd=-1;
+
+ secret_fd = open ("/etc/ipsec.d/ipsec-nm-conn1.secrets", O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);
+
+ info = g_malloc0 (sizeof (WriteConfigInfo));
info->secret_fd = secret_fd;
info->s_vpn = s_vpn;
@@ -486,16 +614,15 @@ nm_openswan_config_write (NMSettingVPN *
if (pw_type && !strcmp (pw_type, NM_OPENSWAN_PW_TYPE_UNUSED))
info->gpw_ignored = TRUE;
- nm_setting_vpn_foreach_data_item (s_vpn, write_one_property, info);
nm_setting_vpn_foreach_secret (s_vpn, write_one_property, info);
*error = info->error;
- close(conf_fd);
close(secret_fd);
g_free (info);
return *error ? FALSE : TRUE;
}
+
static gboolean
real_connect (NMVPNPlugin *plugin,
NMConnection *connection,
@@ -514,13 +641,31 @@ real_connect (NMVPNPlugin *plugin,
if (!nm_openswan_secrets_validate (s_vpn, error))
goto out;
- if (!nm_openswan_config_write (s_vpn, error))
- goto out;
+ if (!nm_openswan_config_write (s_vpn, error))
+ if (!nm_openswan_config_secret_write (s_vpn, error))
+ goto out;
openswan_fd = nm_openswan_start_openswan_binary (NM_OPENSWAN_PLUGIN (plugin), error);
if (openswan_fd < 0)
@@ -622,6 +627,9 @@ real_disconnect (NMVPNPlugin *plugin,
goto out;
+ if (!nm_openswan_config_write (openswan_fd, s_vpn, error)) {
+ goto out;
+ }
+ else {
+ /*no error*/
+ openswan_fd=-1;
+ }
+
+ unlink("/etc/ipsec.d/ipsec-nm-conn1.secrets");
+
+ openswan_fd = nm_openswan_start_openswan_connection (NM_OPENSWAN_PLUGIN (plugin), error);
+ if (openswan_fd < 0)
+ goto out;
+
+ write_config_option (openswan_fd, "%s", nm_setting_vpn_get_secret (s_vpn, NM_OPENSWAN_XAUTH_PASSWORD));
+ close(openswan_fd);
+ openswan_fd=-1;
+
success = TRUE;
out:
@@ -622,6 +767,9 @@ real_disconnect (NMVPNPlugin *plugin,
}
g_ptr_array_free (openswan_argv, TRUE);
+ unlink("/etc/ipsec.d/ipsec-nm-conn1.conf");
+ unlink("/etc/ipsec.d/ipsec-nm-conn1.secrets");
+ //unlink("/etc/ipsec.d/ipsec-nm-conn1.conf");
+ //unlink("/etc/ipsec.d/ipsec-nm-conn1.secrets");
+
return TRUE;
}