From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= Date: Mon, 9 Sep 2024 11:47:57 +0200 Subject: [PATCH] properties: add require-id-on-certificate From `man ipsec.conf`: require-id-on-certificate: When using certificates, check whether the IKE peer ID is present as a subjectAltName (SAN) on the peer certificate. Accepted values are yes (the default) or no. This check should only be disabled when intentionally using certificates that do not have their peer ID specified as a SAN on the certificate. These certificates violate RFC 4945 Section 3.1 and are normally rejected to prevent a compromised host from assuming the IKE identity of another host. The SAN limits the IDs that the peer is able to assume. --- properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++ properties/nm-libreswan-editor-plugin.c | 2 ++ properties/nm-libreswan-editor.c | 9 +++++++++ shared/nm-service-defines.h | 1 + shared/utils.c | 5 +++++ src/nm-libreswan-service.c | 1 + 6 files changed, 44 insertions(+) diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui index b682895..17a7171 100644 --- a/properties/nm-libreswan-dialog.ui +++ b/properties/nm-libreswan-dialog.ui @@ -1222,6 +1222,32 @@ config: authby <value> 0 + + + True + False + Don't require remote certificate name + True + require_id_on_certificate_checkbutton + 1 + + + 0 + 1 + + + + + True + True + False + True + + + 1 + 1 + + diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c index fe473d1..7aa528e 100644 --- a/properties/nm-libreswan-editor-plugin.c +++ b/properties/nm-libreswan-editor-plugin.c @@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self, nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily=")); else if (g_str_has_prefix (str, "clientaddrfamily=")) nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily=")); + else if (g_str_has_prefix (str, "require-id-on-certificate=")) + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate=")); else if (g_str_has_prefix (str, "rightsubnet=")) { if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0")) nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]); diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c index 5687dc7..b350819 100644 --- a/properties/nm-libreswan-editor.c +++ b/properties/nm-libreswan-editor.c @@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self) populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL); populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no"); populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL); + populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no"); } static gboolean @@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn) nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str); else nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT); + + /* Disable Require ID on certificate */ + widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton")); + if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))) + nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no"); + else + nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE); + } static gboolean diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h index 167b837..5f523bd 100644 --- a/shared/nm-service-defines.h +++ b/shared/nm-service-defines.h @@ -73,6 +73,7 @@ #define NM_LIBRESWAN_KEY_TYPE "type" #define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily" #define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily" +#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate" #define NM_LIBRESWAN_IKEV2_NO "no" #define NM_LIBRESWAN_IKEV2_NEVER "never" diff --git a/shared/utils.c b/shared/utils.c index 65bc603..9394099 100644 --- a/shared/utils.c +++ b/shared/utils.c @@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd, const char *mobike; const char *pfs; const char *client_family; + const char *require_id_on_certificate; const char *item; gboolean is_ikev2 = FALSE; @@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd, if (client_family && strlen (client_family)) WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family); + require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE); + if (require_id_on_certificate && strlen (require_id_on_certificate)) + WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate); + leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY); rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY); leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT); diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c index e5956af..984e991 100644 --- a/src/nm-libreswan-service.c +++ b/src/nm-libreswan-service.c @@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = { { NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 }, { NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 }, { NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 }, + { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 }, /* Ignored option for internal use */ { NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 }, { NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 }, --- a/gtk4/nm-libreswan-dialog.ui +++ b/gtk4/nm-libreswan-dialog.ui @@ -979,6 +979,27 @@ + + + Don't require remote certificate name + 1 + require_id_on_certificate_checkbutton + 1 + + 0 + 1 + + + + + + 1 + + 1 + 1 + + + -- 2.44.0