summaryrefslogtreecommitdiff
path: root/src/charon-nm
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon-nm')
-rw-r--r--src/charon-nm/Makefile.in2
-rw-r--r--src/charon-nm/charon-nm.c2
-rw-r--r--src/charon-nm/nm/nm_creds.c72
-rw-r--r--src/charon-nm/nm/nm_handler.c48
-rw-r--r--src/charon-nm/nm/nm_service.c66
5 files changed, 132 insertions, 58 deletions
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 90cdb8cc3..3efcb8f34 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -361,6 +361,7 @@ docdir = @docdir@
dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
+fuzz_plugins = @fuzz_plugins@
gtk_CFLAGS = @gtk_CFLAGS@
gtk_LIBS = @gtk_LIBS@
host = @host@
@@ -383,6 +384,7 @@ json_CFLAGS = @json_CFLAGS@
json_LIBS = @json_LIBS@
libdir = @libdir@
libexecdir = @libexecdir@
+libfuzzer = @libfuzzer@
libiptc_CFLAGS = @libiptc_CFLAGS@
libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index ca12db866..89aa34d98 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -196,7 +196,7 @@ int main(int argc, char *argv[])
/* use random ports to avoid conflicts with regular charon */
lib->settings->set_int(lib->settings, "charon-nm.port", 0);
- lib->settings->set_int(lib->settings, "charon-nm.port_natt_t", 0);
+ lib->settings->set_int(lib->settings, "charon-nm.port_nat_t", 0);
DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")");
if (lib->integrity)
diff --git a/src/charon-nm/nm/nm_creds.c b/src/charon-nm/nm/nm_creds.c
index f8fae9504..e70fd9e89 100644
--- a/src/charon-nm/nm/nm_creds.c
+++ b/src/charon-nm/nm/nm_creds.c
@@ -120,48 +120,49 @@ typedef struct {
identification_t *id;
} cert_data_t;
-/**
- * Destroy CA certificate enumerator data
- */
-static void cert_data_destroy(cert_data_t *data)
+CALLBACK(cert_data_destroy, void,
+ cert_data_t *data)
{
data->this->lock->unlock(data->this->lock);
free(data);
}
-/**
- * Filter function for certificates enumerator
- */
-static bool cert_filter(cert_data_t *data, certificate_t **in,
- certificate_t **out)
+CALLBACK(cert_filter, bool,
+ cert_data_t *data, enumerator_t *orig, va_list args)
{
- certificate_t *cert = *in;
+ certificate_t *cert, **out;
public_key_t *public;
- public = cert->get_public_key(cert);
- if (!public)
- {
- return FALSE;
- }
- if (data->key != KEY_ANY && public->get_type(public) != data->key)
- {
- public->destroy(public);
- return FALSE;
- }
- if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
- public->has_fingerprint(public, data->id->get_encoding(data->id)))
+ VA_ARGS_VGET(args, out);
+
+ while (orig->enumerate(orig, &cert))
{
+ public = cert->get_public_key(cert);
+ if (!public)
+ {
+ continue;
+ }
+ if (data->key != KEY_ANY && public->get_type(public) != data->key)
+ {
+ public->destroy(public);
+ continue;
+ }
+ if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
+ public->has_fingerprint(public, data->id->get_encoding(data->id)))
+ {
+ public->destroy(public);
+ *out = cert;
+ return TRUE;
+ }
public->destroy(public);
+ if (data->id && !cert->has_subject(cert, data->id))
+ {
+ continue;
+ }
*out = cert;
return TRUE;
}
- public->destroy(public);
- if (data->id && !cert->has_subject(cert, data->id))
- {
- return FALSE;
- }
- *out = cert;
- return TRUE;
+ return FALSE;
}
/**
@@ -181,7 +182,7 @@ static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this,
this->lock->read_lock(this->lock);
return enumerator_create_filter(
this->certs->create_enumerator(this->certs),
- (void*)cert_filter, data, (void*)cert_data_destroy);
+ cert_filter, data, cert_data_destroy);
}
METHOD(credential_set_t, create_cert_enumerator, enumerator_t*,
@@ -235,9 +236,13 @@ typedef struct {
} shared_enumerator_t;
METHOD(enumerator_t, shared_enumerate, bool,
- shared_enumerator_t *this, shared_key_t **key, id_match_t *me,
- id_match_t *other)
+ shared_enumerator_t *this, va_list args)
{
+ shared_key_t **key;
+ id_match_t *me, *other;
+
+ VA_ARGS_VGET(args, key, me, other);
+
if (this->done)
{
return FALSE;
@@ -307,7 +312,8 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
INIT(enumerator,
.public = {
- .enumerate = (void*)_shared_enumerate,
+ .enumerate = enumerator_enumerate_default,
+ .venumerate = _shared_enumerate,
.destroy = _shared_destroy,
},
.this = this,
diff --git a/src/charon-nm/nm/nm_handler.c b/src/charon-nm/nm/nm_handler.c
index bdc0667cf..3eb2eb13c 100644
--- a/src/charon-nm/nm/nm_handler.c
+++ b/src/charon-nm/nm/nm_handler.c
@@ -65,29 +65,33 @@ METHOD(attribute_handler_t, handle, bool,
return TRUE;
}
-/**
- * Implementation of create_attribute_enumerator().enumerate() for WINS
- */
-static bool enumerate_nbns(enumerator_t *this,
- configuration_attribute_type_t *type, chunk_t *data)
+METHOD(enumerator_t, enumerate_nbns, bool,
+ enumerator_t *this, va_list args)
{
+ configuration_attribute_type_t *type;
+ chunk_t *data;
+
+ VA_ARGS_VGET(args, type, data);
*type = INTERNAL_IP4_NBNS;
*data = chunk_empty;
- /* done */
- this->enumerate = (void*)return_false;
+ this->venumerate = (void*)return_false;
return TRUE;
}
/**
* Implementation of create_attribute_enumerator().enumerate() for DNS
*/
-static bool enumerate_dns(enumerator_t *this,
- configuration_attribute_type_t *type, chunk_t *data)
+METHOD(enumerator_t, enumerate_dns, bool,
+ enumerator_t *this, va_list args)
{
+ configuration_attribute_type_t *type;
+ chunk_t *data;
+
+ VA_ARGS_VGET(args, type, data);
*type = INTERNAL_IP4_DNS;
*data = chunk_empty;
/* enumerate WINS server as next attribute ... */
- this->enumerate = (void*)enumerate_nbns;
+ this->venumerate = _enumerate_nbns;
return TRUE;
}
@@ -100,7 +104,8 @@ METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
INIT(enumerator,
/* enumerate DNS attribute first ... */
- .enumerate = (void*)enumerate_dns,
+ .enumerate = enumerator_enumerate_default,
+ .venumerate = _enumerate_dns,
.destroy = (void*)free,
);
return enumerator;
@@ -108,13 +113,20 @@ METHOD(attribute_handler_t, create_attribute_enumerator, enumerator_t*,
return enumerator_create_empty();
}
-/**
- * convert plain byte ptrs to handy chunk during enumeration
- */
-static bool filter_chunks(void* null, char **in, chunk_t *out)
+CALLBACK(filter_chunks, bool,
+ void *null, enumerator_t *orig, va_list args)
{
- *out = chunk_create(*in, 4);
- return TRUE;
+ chunk_t *out;
+ char *ptr;
+
+ VA_ARGS_VGET(args, out);
+
+ if (orig->enumerate(orig, &ptr))
+ {
+ *out = chunk_create(ptr, 4);
+ return TRUE;
+ }
+ return FALSE;
}
METHOD(nm_handler_t, create_enumerator, enumerator_t*,
@@ -134,7 +146,7 @@ METHOD(nm_handler_t, create_enumerator, enumerator_t*,
return enumerator_create_empty();
}
return enumerator_create_filter(list->create_enumerator(list),
- (void*)filter_chunks, NULL, NULL);
+ filter_chunks, NULL, NULL);
}
METHOD(nm_handler_t, reset, void,
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index 571c0edba..3e8392a57 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -283,9 +283,11 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
NMStrongswanPluginPrivate *priv;
NMSettingConnection *conn;
NMSettingVPN *vpn;
+ enumerator_t *enumerator;
identification_t *user = NULL, *gateway = NULL;
const char *address, *str;
- bool virtual, encap;
+ bool virtual, encap, proposal;
+ proposal_t *prop;
ike_cfg_t *ike_cfg;
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
@@ -344,7 +346,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
str = nm_setting_vpn_get_data_item(vpn, "encap");
encap = streq(str, "yes");
str = nm_setting_vpn_get_data_item(vpn, "ipcomp");
- child.ipcomp = streq(str, "yes");
+ child.options |= streq(str, "yes") ? OPT_IPCOMP : 0;
str = nm_setting_vpn_get_data_item(vpn, "method");
if (streq(str, "psk"))
{
@@ -540,8 +542,36 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
charon->socket->get_port(charon->socket, FALSE),
(char*)address, IKEV2_UDP_PORT,
FRAGMENTATION_YES, 0);
- ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
- ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
+
+ str = nm_setting_vpn_get_data_item(vpn, "proposal");
+ proposal = streq(str, "yes");
+ str = nm_setting_vpn_get_data_item(vpn, "ike");
+ if (proposal && str && strlen(str))
+ {
+ enumerator = enumerator_create_token(str, ";", "");
+ while (enumerator->enumerate(enumerator, &str))
+ {
+ prop = proposal_create_from_string(PROTO_IKE, str);
+ if (!prop)
+ {
+ g_set_error(err, NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+ "Invalid IKE proposal.");
+ enumerator->destroy(enumerator);
+ ike_cfg->destroy(ike_cfg);
+ gateway->destroy(gateway);
+ user->destroy(user);
+ return FALSE;
+ }
+ ike_cfg->add_proposal(ike_cfg, prop);
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+ ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
+ }
peer_cfg = peer_cfg_create(priv->name, ike_cfg, &peer);
if (virtual)
@@ -566,8 +596,32 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
child_cfg = child_cfg_create(priv->name, &child);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
- child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
+ str = nm_setting_vpn_get_data_item(vpn, "esp");
+ if (proposal && str && strlen(str))
+ {
+ enumerator = enumerator_create_token(str, ";", "");
+ while (enumerator->enumerate(enumerator, &str))
+ {
+ prop = proposal_create_from_string(PROTO_ESP, str);
+ if (!prop)
+ {
+ g_set_error(err, NM_VPN_PLUGIN_ERROR,
+ NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
+ "Invalid ESP proposal.");
+ enumerator->destroy(enumerator);
+ child_cfg->destroy(child_cfg);
+ peer_cfg->destroy(peer_cfg);
+ return FALSE;
+ }
+ child_cfg->add_proposal(child_cfg, prop);
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+ child_cfg->add_proposal(child_cfg, proposal_create_default_aead(PROTO_ESP));
+ }
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE,
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-21 00:47:18 +0000