c4daad927e
Resolves: RHEL-50696
183 lines
9.1 KiB
Diff
183 lines
9.1 KiB
Diff
From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
|
|
Date: Mon, 9 Sep 2024 11:47:57 +0200
|
|
Subject: [PATCH] properties: add require-id-on-certificate
|
|
|
|
From `man ipsec.conf`:
|
|
|
|
require-id-on-certificate:
|
|
When using certificates, check whether the IKE peer ID is present as
|
|
a subjectAltName (SAN) on the peer certificate. Accepted values are
|
|
yes (the default) or no. This check should only be disabled when
|
|
intentionally using certificates that do not have their peer ID specified
|
|
as a SAN on the certificate. These certificates violate RFC 4945 Section
|
|
3.1 and are normally rejected to prevent a compromised host from assuming
|
|
the IKE identity of another host. The SAN limits the IDs that the
|
|
peer is able to assume.
|
|
---
|
|
properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++
|
|
properties/nm-libreswan-editor-plugin.c | 2 ++
|
|
properties/nm-libreswan-editor.c | 9 +++++++++
|
|
shared/nm-service-defines.h | 1 +
|
|
shared/utils.c | 5 +++++
|
|
src/nm-libreswan-service.c | 1 +
|
|
6 files changed, 44 insertions(+)
|
|
|
|
diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
|
|
index b682895..17a7171 100644
|
|
--- a/properties/nm-libreswan-dialog.ui
|
|
+++ b/properties/nm-libreswan-dialog.ui
|
|
@@ -1222,6 +1222,32 @@ config: authby <value>
|
|
<property name="top_attach">0</property>
|
|
</packing>
|
|
</child>
|
|
+ <child>
|
|
+ <object class="GtkLabel" id="require_id_on_certificate_label">
|
|
+ <property name="visible">True</property>
|
|
+ <property name="can_focus">False</property>
|
|
+ <property name="label" translatable="yes">Don't require remote certificate name</property>
|
|
+ <property name="use_underline">True</property>
|
|
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
|
|
+ <property name="xalign">1</property>
|
|
+ </object>
|
|
+ <packing>
|
|
+ <property name="left_attach">0</property>
|
|
+ <property name="top_attach">1</property>
|
|
+ </packing>
|
|
+ </child>
|
|
+ <child>
|
|
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
|
|
+ <property name="visible">True</property>
|
|
+ <property name="can_focus">True</property>
|
|
+ <property name="receives_default">False</property>
|
|
+ <property name="draw_indicator">True</property>
|
|
+ </object>
|
|
+ <packing>
|
|
+ <property name="left_attach">1</property>
|
|
+ <property name="top_attach">1</property>
|
|
+ </packing>
|
|
+ </child>
|
|
</object>
|
|
</child>
|
|
</object>
|
|
diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
|
|
index fe473d1..7aa528e 100644
|
|
--- a/properties/nm-libreswan-editor-plugin.c
|
|
+++ b/properties/nm-libreswan-editor-plugin.c
|
|
@@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self,
|
|
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily="));
|
|
else if (g_str_has_prefix (str, "clientaddrfamily="))
|
|
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily="));
|
|
+ else if (g_str_has_prefix (str, "require-id-on-certificate="))
|
|
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate="));
|
|
else if (g_str_has_prefix (str, "rightsubnet=")) {
|
|
if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
|
|
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
|
|
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
|
|
index 5687dc7..b350819 100644
|
|
--- a/properties/nm-libreswan-editor.c
|
|
+++ b/properties/nm-libreswan-editor.c
|
|
@@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self)
|
|
populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL);
|
|
populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no");
|
|
populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL);
|
|
+ populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no");
|
|
}
|
|
|
|
static gboolean
|
|
@@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn)
|
|
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str);
|
|
else
|
|
nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
|
|
+
|
|
+ /* Disable Require ID on certificate */
|
|
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton"));
|
|
+ if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget)))
|
|
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no");
|
|
+ else
|
|
+ nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
|
|
+
|
|
}
|
|
|
|
static gboolean
|
|
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
|
|
index 167b837..5f523bd 100644
|
|
--- a/shared/nm-service-defines.h
|
|
+++ b/shared/nm-service-defines.h
|
|
@@ -73,6 +73,7 @@
|
|
#define NM_LIBRESWAN_KEY_TYPE "type"
|
|
#define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily"
|
|
#define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily"
|
|
+#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate"
|
|
|
|
#define NM_LIBRESWAN_IKEV2_NO "no"
|
|
#define NM_LIBRESWAN_IKEV2_NEVER "never"
|
|
diff --git a/shared/utils.c b/shared/utils.c
|
|
index 65bc603..9394099 100644
|
|
--- a/shared/utils.c
|
|
+++ b/shared/utils.c
|
|
@@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd,
|
|
const char *mobike;
|
|
const char *pfs;
|
|
const char *client_family;
|
|
+ const char *require_id_on_certificate;
|
|
const char *item;
|
|
gboolean is_ikev2 = FALSE;
|
|
|
|
@@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd,
|
|
if (client_family && strlen (client_family))
|
|
WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
|
|
|
|
+ require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
|
|
+ if (require_id_on_certificate && strlen (require_id_on_certificate))
|
|
+ WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate);
|
|
+
|
|
leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
|
|
rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
|
|
leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
|
|
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
|
|
index e5956af..984e991 100644
|
|
--- a/src/nm-libreswan-service.c
|
|
+++ b/src/nm-libreswan-service.c
|
|
@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = {
|
|
{ NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 },
|
|
{ NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 },
|
|
{ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 },
|
|
+ { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 },
|
|
/* Ignored option for internal use */
|
|
{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 },
|
|
{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
|
|
--- a/gtk4/nm-libreswan-dialog.ui
|
|
+++ b/gtk4/nm-libreswan-dialog.ui
|
|
@@ -979,6 +979,27 @@
|
|
</layout>
|
|
</object>
|
|
</child>
|
|
+ <child>
|
|
+ <object class="GtkLabel" id="require_id_on_certificate_label">
|
|
+ <property name="label" translatable="1">Don't require remote certificate name</property>
|
|
+ <property name="use_underline">1</property>
|
|
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
|
|
+ <property name="xalign">1</property>
|
|
+ <layout>
|
|
+ <property name="column">0</property>
|
|
+ <property name="row">1</property>
|
|
+ </layout>
|
|
+ </object>
|
|
+ </child>
|
|
+ <child>
|
|
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
|
|
+ <property name="focusable">1</property>
|
|
+ <layout>
|
|
+ <property name="column">1</property>
|
|
+ <property name="row">1</property>
|
|
+ </layout>
|
|
+ </object>
|
|
+ </child>
|
|
</object>
|
|
</child>
|
|
</object>
|
|
--
|
|
2.44.0
|
|
|