NetworkManager-libreswan/1002-properties-add-require-id-on-certificate.patch
Íñigo Huguet c4daad927e Support require-id-on-certificate
Resolves: RHEL-50696
2024-09-12 16:56:17 +02:00

183 lines
9.1 KiB
Diff

From 95517f4dd6de399f4608c63f48658228ac902c93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=8D=C3=B1igo=20Huguet?= <ihuguet@redhat.com>
Date: Mon, 9 Sep 2024 11:47:57 +0200
Subject: [PATCH] properties: add require-id-on-certificate
From `man ipsec.conf`:
require-id-on-certificate:
When using certificates, check whether the IKE peer ID is present as
a subjectAltName (SAN) on the peer certificate. Accepted values are
yes (the default) or no. This check should only be disabled when
intentionally using certificates that do not have their peer ID specified
as a SAN on the certificate. These certificates violate RFC 4945 Section
3.1 and are normally rejected to prevent a compromised host from assuming
the IKE identity of another host. The SAN limits the IDs that the
peer is able to assume.
---
properties/nm-libreswan-dialog.ui | 26 +++++++++++++++++++++++++
properties/nm-libreswan-editor-plugin.c | 2 ++
properties/nm-libreswan-editor.c | 9 +++++++++
shared/nm-service-defines.h | 1 +
shared/utils.c | 5 +++++
src/nm-libreswan-service.c | 1 +
6 files changed, 44 insertions(+)
diff --git a/properties/nm-libreswan-dialog.ui b/properties/nm-libreswan-dialog.ui
index b682895..17a7171 100644
--- a/properties/nm-libreswan-dialog.ui
+++ b/properties/nm-libreswan-dialog.ui
@@ -1222,6 +1222,32 @@ config: authby &lt;value&gt;
<property name="top_attach">0</property>
</packing>
</child>
+ <child>
+ <object class="GtkLabel" id="require_id_on_certificate_label">
+ <property name="visible">True</property>
+ <property name="can_focus">False</property>
+ <property name="label" translatable="yes">Don't require remote certificate name</property>
+ <property name="use_underline">True</property>
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
+ <property name="xalign">1</property>
+ </object>
+ <packing>
+ <property name="left_attach">0</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
+ <child>
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="receives_default">False</property>
+ <property name="draw_indicator">True</property>
+ </object>
+ <packing>
+ <property name="left_attach">1</property>
+ <property name="top_attach">1</property>
+ </packing>
+ </child>
</object>
</child>
</object>
diff --git a/properties/nm-libreswan-editor-plugin.c b/properties/nm-libreswan-editor-plugin.c
index fe473d1..7aa528e 100644
--- a/properties/nm-libreswan-editor-plugin.c
+++ b/properties/nm-libreswan-editor-plugin.c
@@ -214,6 +214,8 @@ import_from_file (NMVpnEditorPlugin *self,
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_HOSTADDRFAMILY, str + NM_STRLEN("hostaddrfamily="));
else if (g_str_has_prefix (str, "clientaddrfamily="))
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, str + NM_STRLEN("clientaddrfamily="));
+ else if (g_str_has_prefix (str, "require-id-on-certificate="))
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, str + NM_STRLEN("require-id-on-certificate="));
else if (g_str_has_prefix (str, "rightsubnet=")) {
if (!g_str_has_prefix (str, "rightsubnet=0.0.0.0/0"))
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REMOTENETWORK, &str[12]);
diff --git a/properties/nm-libreswan-editor.c b/properties/nm-libreswan-editor.c
index 5687dc7..b350819 100644
--- a/properties/nm-libreswan-editor.c
+++ b/properties/nm-libreswan-editor.c
@@ -379,6 +379,7 @@ populate_adv_dialog (LibreswanEditor *self)
populate_widget (self, "authby_entry", NM_LIBRESWAN_KEY_AUTHBY, NULL, NULL);
populate_widget (self, "disable_modecfgclient_checkbutton", NM_LIBRESWAN_KEY_LEFTMODECFGCLIENT, NULL, "no");
populate_widget (self, "remote_cert_entry", NM_LIBRESWAN_KEY_RIGHTCERT, NULL, NULL);
+ populate_widget (self, "require_id_on_certificate_checkbutton", NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, NULL, "no");
}
static gboolean
@@ -642,6 +643,14 @@ update_adv_settings (LibreswanEditor *self, NMSettingVpn *s_vpn)
nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT, str);
else
nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTCERT);
+
+ /* Disable Require ID on certificate */
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "require_id_on_certificate_checkbutton"));
+ if (gtk_check_button_get_active (GTK_CHECK_BUTTON (widget)))
+ nm_setting_vpn_add_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, "no");
+ else
+ nm_setting_vpn_remove_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
+
}
static gboolean
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index 167b837..5f523bd 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
@@ -73,6 +73,7 @@
#define NM_LIBRESWAN_KEY_TYPE "type"
#define NM_LIBRESWAN_KEY_HOSTADDRFAMILY "hostaddrfamily"
#define NM_LIBRESWAN_KEY_CLIENTADDRFAMILY "clientaddrfamily"
+#define NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE "require-id-on-certificate"
#define NM_LIBRESWAN_IKEV2_NO "no"
#define NM_LIBRESWAN_IKEV2_NEVER "never"
diff --git a/shared/utils.c b/shared/utils.c
index 65bc603..9394099 100644
--- a/shared/utils.c
+++ b/shared/utils.c
@@ -122,6 +122,7 @@ nm_libreswan_config_write (gint fd,
const char *mobike;
const char *pfs;
const char *client_family;
+ const char *require_id_on_certificate;
const char *item;
gboolean is_ikev2 = FALSE;
@@ -173,6 +174,10 @@ nm_libreswan_config_write (gint fd,
if (client_family && strlen (client_family))
WRITE_CHECK (fd, debug_write_fcn, error, " clientaddrfamily=%s", client_family);
+ require_id_on_certificate = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE);
+ if (require_id_on_certificate && strlen (require_id_on_certificate))
+ WRITE_CHECK (fd, debug_write_fcn, error, " require-id-on-certificate=%s", require_id_on_certificate);
+
leftrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTRSASIGKEY);
rightrsasigkey = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_RIGHTRSASIGKEY);
leftcert = nm_setting_vpn_get_data_item (s_vpn, NM_LIBRESWAN_KEY_LEFTCERT);
diff --git a/src/nm-libreswan-service.c b/src/nm-libreswan-service.c
index e5956af..984e991 100644
--- a/src/nm-libreswan-service.c
+++ b/src/nm-libreswan-service.c
@@ -274,6 +274,7 @@ static ValidProperty valid_properties[] = {
{ NM_LIBRESWAN_KEY_TYPE, G_TYPE_STRING, 0, 0 },
{ NM_LIBRESWAN_KEY_HOSTADDRFAMILY, G_TYPE_STRING, 0, 0 },
{ NM_LIBRESWAN_KEY_CLIENTADDRFAMILY, G_TYPE_STRING, 0, 0 },
+ { NM_LIBRESWAN_KEY_REQUIRE_ID_ON_CERTIFICATE, G_TYPE_STRING, 0, 0 },
/* Ignored option for internal use */
{ NM_LIBRESWAN_KEY_PSK_INPUT_MODES, G_TYPE_NONE, 0, 0 },
{ NM_LIBRESWAN_KEY_XAUTH_PASSWORD_INPUT_MODES, G_TYPE_NONE, 0, 0 },
--- a/gtk4/nm-libreswan-dialog.ui
+++ b/gtk4/nm-libreswan-dialog.ui
@@ -979,6 +979,27 @@
</layout>
</object>
</child>
+ <child>
+ <object class="GtkLabel" id="require_id_on_certificate_label">
+ <property name="label" translatable="1">Don&apos;t require remote certificate name</property>
+ <property name="use_underline">1</property>
+ <property name="mnemonic_widget">require_id_on_certificate_checkbutton</property>
+ <property name="xalign">1</property>
+ <layout>
+ <property name="column">0</property>
+ <property name="row">1</property>
+ </layout>
+ </object>
+ </child>
+ <child>
+ <object class="GtkCheckButton" id="require_id_on_certificate_checkbutton">
+ <property name="focusable">1</property>
+ <layout>
+ <property name="column">1</property>
+ <property name="row">1</property>
+ </layout>
+ </object>
+ </child>
</object>
</child>
</object>
--
2.44.0