Global: Add UI options for certificate-based authentication, fix

generation of ipsec.conf and ipsec.secrets

properties/import-export.c

@@ -66,8 +66,10 @@ user = my_login (str)
 gateway = 192.168.0.1 (str)
 
 ipsec-enabled = true (bool)
-ipsec-group-name = GroupVPN (str)
+ipsec-group-name = my_group (str)
 ipsec-psk = my_psk (str) ????
+ipsec-rsa = my_rsa (str) ????
+ipsec-rsa-pw = my_rsa_pw (str) ????
 ipsec-gateway-id = my_gateway (str)
 
 [ipv4]
@@ -111,6 +113,8 @@ static VpnImportExportProperty vpn_properties[] = {
 	{ NM_L2TP_KEY_IPSEC_GATEWAY_ID,  G_TYPE_STRING, FALSE },
 	{ NM_L2TP_KEY_IPSEC_GROUP_NAME,  G_TYPE_STRING, FALSE },
 	{ NM_L2TP_KEY_IPSEC_PSK,         G_TYPE_STRING, FALSE },
+	{ NM_L2TP_KEY_IPSEC_RSA,         G_TYPE_STRING, FALSE },
+	{ NM_L2TP_KEY_IPSEC_RSA_PW,      G_TYPE_STRING, FALSE },
 	{ NULL,                          G_TYPE_NONE,   FALSE }
 };
 

properties/ipsec-dialog.c

@@ -46,6 +46,8 @@ static const char *ipsec_keys[] = {
 	NM_L2TP_KEY_IPSEC_GROUP_NAME,
 	NM_L2TP_KEY_IPSEC_GATEWAY_ID,
 	NM_L2TP_KEY_IPSEC_PSK,
+	NM_L2TP_KEY_IPSEC_RSA,
+	NM_L2TP_KEY_IPSEC_RSA_PW,
 	NULL
 };
 
@@ -87,6 +89,12 @@ handle_enable_changed (GtkWidget *check, gboolean is_init, GtkBuilder *builder)
 	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_psk"));
 	gtk_widget_set_sensitive (widget, enabledp);
 
+	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_rsa"));
+	gtk_widget_set_sensitive (widget, enabledp);
+
+	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_rsa_pw"));
+	gtk_widget_set_sensitive (widget, enabledp);
+
 	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_gateway_id"));
 	gtk_widget_set_sensitive (widget, enabledp);
 
@@ -143,7 +151,7 @@ ipsec_dialog_new (GHashTable *hash)
 
 	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_group_name"));
 	value = g_hash_table_lookup (hash, NM_L2TP_KEY_IPSEC_GROUP_NAME);
-	if (!value) value="GroupVPN";
+	if (!value) value="";
 	gtk_entry_set_text(GTK_ENTRY(widget), value);
 
 	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_gateway_id"));
@@ -154,6 +162,14 @@ ipsec_dialog_new (GHashTable *hash)
 	if((value = g_hash_table_lookup (hash, NM_L2TP_KEY_IPSEC_PSK)))
 		gtk_entry_set_text(GTK_ENTRY(widget), value);
 
+	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_rsa"));
+	if((value = g_hash_table_lookup (hash, NM_L2TP_KEY_IPSEC_RSA)))
+		gtk_entry_set_text(GTK_ENTRY(widget), value);
+
+	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_rsa_pw"));
+	if((value = g_hash_table_lookup (hash, NM_L2TP_KEY_IPSEC_RSA_PW)))
+		gtk_entry_set_text(GTK_ENTRY(widget), value);
+
 	widget = GTK_WIDGET (gtk_builder_get_object (builder,"ipsec_enable"));
 	handle_enable_changed (widget, TRUE, builder);
 	g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (enable_toggled_cb), builder);
@@ -196,6 +212,14 @@ ipsec_dialog_new_hash_from_dialog (GtkWidget *dialog, GError **error)
 	g_hash_table_insert(hash, g_strdup(NM_L2TP_KEY_IPSEC_PSK),
 			g_strdup(gtk_entry_get_text(GTK_ENTRY(widget))));
 
+	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_rsa"));
+	g_hash_table_insert(hash, g_strdup(NM_L2TP_KEY_IPSEC_RSA),
+			g_strdup(gtk_entry_get_text(GTK_ENTRY(widget))));
+
+	widget = GTK_WIDGET (gtk_builder_get_object (builder, "ipsec_rsa_pw"));
+	g_hash_table_insert(hash, g_strdup(NM_L2TP_KEY_IPSEC_RSA_PW),
+			g_strdup(gtk_entry_get_text(GTK_ENTRY(widget))));
+
 	return hash;
 }
 

properties/nm-l2tp-dialog.ui

@@ -537,7 +537,7 @@ config: lcp-echo-failure and lcp-echo-interval</property>
           <object class="GtkTable" id="table1">
             <property name="visible">True</property>
             <property name="can_focus">False</property>
-            <property name="n_rows">3</property>
+            <property name="n_rows">5</property>
             <property name="n_columns">2</property>
             <child>
               <object class="GtkLabel" id="label4">
@@ -576,6 +576,32 @@ config: lcp-echo-failure and lcp-echo-interval</property>
                 <property name="y_options"></property>
               </packing>
             </child>
+            <child>
+              <object class="GtkLabel" id="label32">
+                <property name="visible">True</property>
+                <property name="can_focus">False</property>
+                <property name="label" translatable="yes">Private key file:</property>
+                <property name="justify">right</property>
+              </object>
+              <packing>
+                <property name="top_attach">3</property>
+                <property name="bottom_attach">4</property>
+                <property name="y_options"></property>
+              </packing>
+            </child>
+            <child>
+              <object class="GtkLabel" id="label33">
+                <property name="visible">True</property>
+                <property name="can_focus">False</property>
+                <property name="label" translatable="yes">Private key passphrase:</property>
+                <property name="justify">right</property>
+              </object>
+              <packing>
+                <property name="top_attach">4</property>
+                <property name="bottom_attach">5</property>
+                <property name="y_options"></property>
+              </packing>
+            </child>
             <child>
               <object class="GtkEntry" id="ipsec_group_name">
                 <property name="visible">True</property>
@@ -623,6 +649,39 @@ config: lcp-echo-failure and lcp-echo-interval</property>
                 <property name="y_options"></property>
               </packing>
             </child>
+            <child>
+              <object class="GtkEntry" id="ipsec_rsa">
+                <property name="visible">True</property>
+                <property name="can_focus">True</property>
+                <property name="invisible_char">●</property>
+                <property name="primary_icon_activatable">False</property>
+                <property name="secondary_icon_activatable">False</property>
+              </object>
+              <packing>
+                <property name="left_attach">1</property>
+                <property name="right_attach">2</property>
+                <property name="top_attach">3</property>
+                <property name="bottom_attach">4</property>
+                <property name="y_options"></property>
+              </packing>
+            </child>
+            <child>
+              <object class="GtkEntry" id="ipsec_rsa_pw">
+                <property name="visible">True</property>
+                <property name="can_focus">True</property>
+                <property name="visibility">False</property>
+                <property name="invisible_char">●</property>
+                <property name="primary_icon_activatable">False</property>
+                <property name="secondary_icon_activatable">False</property>
+              </object>
+              <packing>
+                <property name="left_attach">1</property>
+                <property name="right_attach">2</property>
+                <property name="top_attach">4</property>
+                <property name="bottom_attach">5</property>
+                <property name="y_options"></property>
+              </packing>
+            </child>
           </object>
           <packing>
             <property name="expand">True</property>

src/nm-l2tp-service.c

@@ -381,6 +381,8 @@ static ValidProperty valid_properties[] = {
 	{ NM_L2TP_KEY_IPSEC_GATEWAY_ID,  G_TYPE_STRING, FALSE },
 	{ NM_L2TP_KEY_IPSEC_GROUP_NAME,  G_TYPE_STRING, FALSE },
 	{ NM_L2TP_KEY_IPSEC_PSK,         G_TYPE_STRING, FALSE },
+	{ NM_L2TP_KEY_IPSEC_RSA,         G_TYPE_STRING, FALSE },
+	{ NM_L2TP_KEY_IPSEC_RSA_PW,      G_TYPE_STRING, FALSE },
 	{ NULL,                          G_TYPE_NONE,   FALSE }
 };
 
@@ -423,6 +425,23 @@ validate_ipsec_id (const char *id)
 	return TRUE;
 }
 
+static gboolean
+validate_ipsec_gw_id (const char *id)
+{
+	const char *p = id;
+
+	if (!id || !*id) return TRUE;
+
+	/* Ensure it's a valid gateway-id */
+	p = id;
+	while (*p) {
+		if (!isalnum (*p) && (*p != '_') && (*p != '-') && (*p != '.') && (*p != ',') && (*p != '=') && (*p != ' ') && (*p != '@'))
+			return FALSE;
+		p++;
+	}
+	return TRUE;
+}
+
 typedef struct ValidateInfo {
 	ValidProperty *table;
 	GError **error;
@@ -458,6 +477,12 @@ validate_one_property (const char *key, const char *value, gpointer user_data)
 			if (!strcmp (prop.name, NM_L2TP_KEY_IPSEC_PSK))
 				return; /* valid */
 
+			if (!strcmp (prop.name, NM_L2TP_KEY_IPSEC_RSA))
+				return; /* valid */
+
+			if (!strcmp (prop.name, NM_L2TP_KEY_IPSEC_RSA_PW))
+				return; /* valid */
+
 			if (   !strcmp (prop.name, NM_L2TP_KEY_GATEWAY)
 			    && !validate_gateway (value)) {
 				g_set_error (info->error,
@@ -477,7 +502,7 @@ validate_one_property (const char *key, const char *value, gpointer user_data)
 				return;
 			}
 			if (   !strcmp (prop.name, NM_L2TP_KEY_IPSEC_GATEWAY_ID)
-			    && !validate_ipsec_id (value)) {
+			    && !validate_ipsec_gw_id (value)) {
 				g_set_error (info->error,
 				             NM_VPN_PLUGIN_ERROR,
 				             NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
@@ -485,6 +510,7 @@ validate_one_property (const char *key, const char *value, gpointer user_data)
 				             key);
 				return;
 			}
+			/* no break */
 		case G_TYPE_UINT:
 			errno = 0;
 			tmp = strtol (value, NULL, 10);
@@ -902,18 +928,35 @@ nm_l2tp_start_ipsec(NML2tpPlugin *plugin,
 		rename(tmp_secrets, "/etc/ipsec.secrets");
 		return nm_l2tp_ipsec_error(error, "Could not write /etc/ipsec.secrets file.");
 	}
+
 	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GROUP_NAME);
-	fprintf(fp, "%s%s ",value?"@":"", value?value:"%any");
+	if(value) {
+		fprintf(fp, "@%s", value);
+	}
 
-	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GATEWAY_ID);
-	fprintf(fp, "%s%s ",value?"@":"", value?value:"%any");
+	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_GATEWAY);
+	fprintf(fp, "%s%s",value?"@":"", value?value:"%any");
 
 	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_PSK);
-	if(!value)value="";
-	fprintf(fp, ": PSK \"%s\"\n",value);
+	if(value) {
+		fprintf(fp, " : PSK \"%s\"",value);
+	}
+
+	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_RSA);
+	if(value) {
+		fprintf(fp, " : RSA \"%s\"",value);
+		value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_RSA_PW);
+		if(value) {
+			fprintf(fp, " \"%s\"",value);
+		}
+	}
+	fprintf(fp, "\n");
 	fclose(fp);
 	close(fd);
 
+	/* Wait a sec */
+	sleep(1);
+
 	sys = system(PATH_PREFIX " ipsec secrets");
 	if (!sys) {
 		sprintf(cmdbuf, PATH_PREFIX " ipsec auto "
@@ -1101,37 +1144,34 @@ nm_l2tp_config_write (NML2tpPlugin *plugin,
 	if (ipsec_fd == -1) {
 		return nm_l2tp_ipsec_error(error, "Could not write ipsec config.");
 	}
-	write_config_option (ipsec_fd, "version 2.0\n"
-"config setup\n"
-"  nat_traversal=yes\n"
-"  force_keepalive=yes\n"
-"  protostack=netkey\n"
-"  keep_alive=60\n"
-"\n");
+
+	write_config_option (ipsec_fd, "version	2.0\n\n");
+	write_config_option (ipsec_fd, "config setup\n"
+		"  plutodebug=none\n"
+		"  strictcrlpolicy=no\n"
+		"  nat_traversal=yes\n"
+		"  interfaces=%%defaultroute\n"
+		"  oe=off\n"
+		"  protostack=netkey\n\n");
+	write_config_option (ipsec_fd, "conn %%default\n"
+		"  keyingtries=3\n"
+		"  pfs=no\n"
+		"  rekey=yes\n"
+		"  type=transport\n"
+		"  left=%%defaultroute\n"
+		"  leftprotoport=17/1701\n"
+		"  rightprotoport=17/1701\n\n");
 	write_config_option (ipsec_fd, "conn nm-ipsec-l2tp-%d\n", pid);
 	write_config_option (ipsec_fd,
-"  auto=add\n"
-"  type=transport\n"
-"  auth=esp\n"
-"  pfs=no\n"
-"  authby=secret\n"
-"  keyingtries=0\n"
-"  left=%%defaultroute\n"
-"  leftprotoport=udp/l2tp\n"
-"  rightprotoport=udp/l2tp\n");
-	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GROUP_NAME);
-	if(value)write_config_option (ipsec_fd, "  leftid=@%s\n", value);
-	/* value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_GATEWAY); */
-	write_config_option (ipsec_fd, "  right=%s\n", priv->saddr);
+		"  authby=rsasig\n");
+	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_RSA);
+	if(value) write_config_option (ipsec_fd, "  leftcert=\"%s\"\n", value);
+	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_GATEWAY);
+	if(value) write_config_option (ipsec_fd, "  right=%s\n", value);
 	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GATEWAY_ID);
-	if(value)write_config_option (ipsec_fd, "  rightid=@%s\n", value);
+	if(value) write_config_option (ipsec_fd, "  rightid=\"%s\"\n", value);
 	write_config_option (ipsec_fd,
-"  esp=3des-sha1\n"
-"  keyexchange=ike\n"
-"  ike=3des-sha1-modp1024\n"
-"  aggrmode=no\n"
-"  forceencaps=yes\n");
-
+		"  auto=add\n\n");
 
 
 	filename = g_strdup_printf ("/var/run/nm-xl2tpd.conf.%d", pid);
@@ -1143,6 +1183,7 @@ nm_l2tp_config_write (NML2tpPlugin *plugin,
 		return nm_l2tp_ipsec_error(error, "Could not write xl2tpd config.");
 	}
 
+
 	filename = g_strdup_printf ("/var/run/nm-ppp-options.xl2tpd.%d", pid);
 	pppopt_fd = open (filename, O_RDWR|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR);
 	g_free (filename);

src/nm-l2tp-service.h

@@ -72,6 +72,8 @@
 #define NM_L2TP_KEY_IPSEC_GATEWAY_ID  "ipsec-gateway-id"
 #define NM_L2TP_KEY_IPSEC_GROUP_NAME  "ipsec-group-name"
 #define NM_L2TP_KEY_IPSEC_PSK         "ipsec-psk"
+#define NM_L2TP_KEY_IPSEC_RSA         "ipsec-rsa"
+#define NM_L2TP_KEY_IPSEC_RSA_PW      "ipsec-rsa-pw"
 
 
 typedef struct {