diff options
Diffstat (limited to 'src/charon-nm')
-rw-r--r-- | src/charon-nm/Makefile.in | 2 | ||||
-rw-r--r-- | src/charon-nm/charon-nm.c | 2 | ||||
-rw-r--r-- | src/charon-nm/nm/nm_creds.c | 72 | ||||
-rw-r--r-- | src/charon-nm/nm/nm_handler.c | 48 | ||||
-rw-r--r-- | src/charon-nm/nm/nm_service.c | 66 |
5 files changed, 132 insertions, 58 deletions
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in index 90cdb8cc3..3efcb8f34 100644 --- a/src/charon-nm/Makefile.in +++ b/src/charon-nm/Makefile.in @@ -361,6 +361,7 @@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ +fuzz_plugins = @fuzz_plugins@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ host = @host@ @@ -383,6 +384,7 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libfuzzer = @libfuzzer@ libiptc_CFLAGS = @libiptc_CFLAGS@ libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c index ca12db866..89aa34d98 100644 --- a/src/charon-nm/charon-nm.c +++ b/src/charon-nm/charon-nm.c @@ -196,7 +196,7 @@ int main(int argc, char *argv[]) /* use random ports to avoid conflicts with regular charon */ lib->settings->set_int(lib->settings, "charon-nm.port", 0); - lib->settings->set_int(lib->settings, "charon-nm.port_natt_t", 0); + lib->settings->set_int(lib->settings, "charon-nm.port_nat_t", 0); DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")"); if (lib->integrity) diff --git a/src/charon-nm/nm/nm_creds.c b/src/charon-nm/nm/nm_creds.c index f8fae9504..e70fd9e89 100644 --- a/src/charon-nm/nm/nm_creds.c +++ b/src/charon-nm/nm/nm_creds.c @@ -120,48 +120,49 @@ typedef struct { identification_t *id; } cert_data_t; -/** - * Destroy CA certificate enumerator data - */ -static void cert_data_destroy(cert_data_t *data) +CALLBACK(cert_data_destroy, void, + cert_data_t *data) { data->this->lock->unlock(data->this->lock); free(data); } -/** - * Filter function for certificates enumerator - */ -static bool cert_filter(cert_data_t *data, certificate_t **in, - certificate_t **out) +CALLBACK(cert_filter, bool, + cert_data_t *data, enumerator_t *orig, va_list args) { - certificate_t *cert = *in; + certificate_t *cert, **out; public_key_t *public; - public = cert->get_public_key(cert); - if (!public) - { - return FALSE; - } - if (data->key != KEY_ANY && public->get_type(public) != data->key) - { - public->destroy(public); - return FALSE; - } - if (data->id && data->id->get_type(data->id) == ID_KEY_ID && - public->has_fingerprint(public, data->id->get_encoding(data->id))) + VA_ARGS_VGET(args, out); + + while (orig->enumerate(orig, &cert)) { + public = cert->get_public_key(cert); + if (!public) + { + continue; + } + if (data->key != KEY_ANY && public->get_type(public) != data->key) + { + public->destroy(public); + continue; + } + if (data->id && data->id->get_type(data->id) == ID_KEY_ID && + public->has_fingerprint(public, data->id->get_encoding(data->id))) + { + public->destroy(public); + *out = cert; + return TRUE; + } public->destroy(public); + if (data->id && !cert->has_subject(cert, data->id)) + { + continue; + } *out = cert; return TRUE; } - public->destroy(public); - if (data->id && !cert->has_subject(cert, data->id)) - { - return FALSE; - } - *out = cert; - return TRUE; + return FALSE; } /** @@ -181,7 +182,7 @@ static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this, this->lock->read_lock(this->lock); return enumerator_create_filter( this->certs->create_enumerator(this->certs), - (void*)cert_filter, data, (void*)cert_data_destroy); + cert_filter, data, cert_data_destroy); } METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, @@ -235,9 +236,13 @@ typedef struct { } shared_enumerator_t; METHOD(enumerator_t, shared_enumerate, bool, - shared_enumerator_t *this, shared_key_t **key, id_match_t *me, - id_match_t *other) + shared_enumerator_t *this, va_list args) { + shared_key_t **key; + id_match_t *me, *other; + + VA_ARGS_VGET(args, key, me, other); + if (this->done) { return FALSE; @@ -307,7 +312,8 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, INIT(enumerator, .public = { - .enumerate = (void*)_shared_enumerate, + .enumerate = enumerator_enumerate_default, + .venumerate = _shared_enumerate, .destroy = _shared_destroy, }, .this = this, diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c index bdc0667cf..3eb2eb13c 100644 --- a/src/charon-nm/nm/nm_handler.c +++ b/src/charon-nm/nm/nm_handler.c @@ -65,29 +65,33 @@ METHOD(attribute_handler_t, handle, bool, return TRUE; } -/** - * Implementation of create_attribute_enumerator().enumerate() for WINS - */ -static bool enumerate_nbns(enumerator_t *this, - configuration_attribute_type_t *type, chunk_t *data) +METHOD(enumerator_t, enumerate_nbns, bool, + enumerator_t *this, va_list args) { + configuration_attribute_type_t *type; + chunk_t *data; + + VA_ARGS_VGET(args, type, data); *type = INTERNAL_IP4_NBNS; *data = chunk_empty; - /* done */ - this->enumerate = (void*)return_false; + this->venumerate = (void*)return_false; return TRUE; } /** * Implementation of create_attribute_enumerator().enumerate() for DNS */ -static bool enumerate_dns(enumerator_t *this, - configuration_attribute_type_t *type, chunk_t *data) +METHOD(enumerator_t, enumerate_dns, bool, + enumerator_t *this, va_list args) { + configuration_attribute_type_t *type; + chunk_t *data; + + VA_ARGS_VGET(args, type, data); *type = INTERNAL_IP4_DNS; *data = chunk_empty; /* enumerate WINS server as next attribute ... */ - this->enumerate = (void*)enumerate_nbns; + this->venumerate = _enumerate_nbns; return TRUE; } @@ -100,7 +104,8 @@ METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*, INIT(enumerator, /* enumerate DNS attribute first ... */ - .enumerate = (void*)enumerate_dns, + .enumerate = enumerator_enumerate_default, + .venumerate = _enumerate_dns, .destroy = (void*)free, ); return enumerator; @@ -108,13 +113,20 @@ METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*, return enumerator_create_empty(); } -/** - * convert plain byte ptrs to handy chunk during enumeration - */ -static bool filter_chunks(void* null, char **in, chunk_t *out) +CALLBACK(filter_chunks, bool, + void *null, enumerator_t *orig, va_list args) { - *out = chunk_create(*in, 4); - return TRUE; + chunk_t *out; + char *ptr; + + VA_ARGS_VGET(args, out); + + if (orig->enumerate(orig, &ptr)) + { + *out = chunk_create(ptr, 4); + return TRUE; + } + return FALSE; } METHOD(nm_handler_t, create_enumerator, enumerator_t*, @@ -134,7 +146,7 @@ METHOD(nm_handler_t, create_enumerator, enumerator_t*, return enumerator_create_empty(); } return enumerator_create_filter(list->create_enumerator(list), - (void*)filter_chunks, NULL, NULL); + filter_chunks, NULL, NULL); } METHOD(nm_handler_t, reset, void, diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c index 571c0edba..3e8392a57 100644 --- a/src/charon-nm/nm/nm_service.c +++ b/src/charon-nm/nm/nm_service.c @@ -283,9 +283,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, NMStrongswanPluginPrivate *priv; NMSettingConnection *conn; NMSettingVPN *vpn; + enumerator_t *enumerator; identification_t *user = NULL, *gateway = NULL; const char *address, *str; - bool virtual, encap; + bool virtual, encap, proposal; + proposal_t *prop; ike_cfg_t *ike_cfg; peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; @@ -344,7 +346,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, str = nm_setting_vpn_get_data_item(vpn, "encap"); encap = streq(str, "yes"); str = nm_setting_vpn_get_data_item(vpn, "ipcomp"); - child.ipcomp = streq(str, "yes"); + child.options |= streq(str, "yes") ? OPT_IPCOMP : 0; str = nm_setting_vpn_get_data_item(vpn, "method"); if (streq(str, "psk")) { @@ -540,8 +542,36 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, charon->socket->get_port(charon->socket, FALSE), (char*)address, IKEV2_UDP_PORT, FRAGMENTATION_YES, 0); - ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); - ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); + + str = nm_setting_vpn_get_data_item(vpn, "proposal"); + proposal = streq(str, "yes"); + str = nm_setting_vpn_get_data_item(vpn, "ike"); + if (proposal && str && strlen(str)) + { + enumerator = enumerator_create_token(str, ";", ""); + while (enumerator->enumerate(enumerator, &str)) + { + prop = proposal_create_from_string(PROTO_IKE, str); + if (!prop) + { + g_set_error(err, NM_VPN_PLUGIN_ERROR, + NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, + "Invalid IKE proposal."); + enumerator->destroy(enumerator); + ike_cfg->destroy(ike_cfg); + gateway->destroy(gateway); + user->destroy(user); + return FALSE; + } + ike_cfg->add_proposal(ike_cfg, prop); + } + enumerator->destroy(enumerator); + } + else + { + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE)); + } peer_cfg = peer_cfg_create(priv->name, ike_cfg, &peer); if (virtual) @@ -566,8 +596,32 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); child_cfg = child_cfg_create(priv->name, &child); - child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); - child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); + str = nm_setting_vpn_get_data_item(vpn, "esp"); + if (proposal && str && strlen(str)) + { + enumerator = enumerator_create_token(str, ";", ""); + while (enumerator->enumerate(enumerator, &str)) + { + prop = proposal_create_from_string(PROTO_ESP, str); + if (!prop) + { + g_set_error(err, NM_VPN_PLUGIN_ERROR, + NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED, + "Invalid ESP proposal."); + enumerator->destroy(enumerator); + child_cfg->destroy(child_cfg); + peer_cfg->destroy(peer_cfg); + return FALSE; + } + child_cfg->add_proposal(child_cfg, prop); + } + enumerator->destroy(enumerator); + } + else + { + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP)); + } ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, |