nm uses the distributions trusted root CAs if none is explicitly specified

5 files changed, 191 insertions, 59 deletions

diff --git a/src/charon/plugins/nm/Makefile.am b/src/charon/plugins/nm/Makefile.am
index b74a4e46f..56eae6e00 100644
--- a/src/charon/plugins/nm/Makefile.am
+++ b/src/charon/plugins/nm/Makefile.am
@@ -1,7 +1,8 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon ${nm_CFLAGS}
 
-AM_CFLAGS = -rdynamic
+AM_CFLAGS = -rdynamic \
+  -DNM_CA_DIR=\"${nm_ca_dir}\"
 
 plugin_LTLIBRARIES = libstrongswan-nm.la
 libstrongswan_nm_la_SOURCES = \
diff --git a/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade b/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
index fe70bc82f..03a94e973 100644
--- a/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
+++ b/src/charon/plugins/nm/gnome/properties/nm-strongswan-dialog.glade
@@ -81,7 +81,7 @@
                     <child>
                       <widget class="GtkFileChooserButton" id="certificate-button">
                         <property name="visible">True</property>
-                        <property name="tooltip">Gateway or CA certificate to use for gateway authentication.</property>
+                        <property name="tooltip">Gateway or CA certificate to use for gateway authentication. If none is specified, pre-installed CA certificates are used.</property>
                       </widget>
                       <packing>
                         <property name="left_attach">1</property>
diff --git a/src/charon/plugins/nm/nm_creds.c b/src/charon/plugins/nm/nm_creds.c
index f9b852d27..c28b05548 100644
--- a/src/charon/plugins/nm/nm_creds.c
+++ b/src/charon/plugins/nm/nm_creds.c
@@ -15,8 +15,13 @@
 
 #include "nm_creds.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
 #include <daemon.h>
 #include <utils/mutex.h>
+#include <credentials/certificates/x509.h>
 
 typedef struct private_nm_creds_t private_nm_creds_t;
 
@@ -31,9 +36,9 @@ struct private_nm_creds_t {
 	nm_creds_t public;
 
 	/**
-	 * gateway certificate
+	 * List of trusted certificates, certificate_t*
 	 */
-	certificate_t *cert;
+	linked_list_t *certs;
 
 	/**
 	 * User name
@@ -94,6 +99,82 @@ static enumerator_t *create_usercert_enumerator(private_nm_creds_t *this,
 }
 
 /**
+ * CA certificate enumerator data
+ */
+typedef struct {
+	/** ref to credential credential store */
+	private_nm_creds_t *this;
+	/** type of key we are looking for */
+	key_type_t key;
+	/** CA certificate ID */
+	identification_t *id;
+} cert_data_t;
+
+/**
+ * Destroy CA certificate enumerator data
+ */
+static void cert_data_destroy(cert_data_t *data)
+{
+	data->this->lock->unlock(data->this->lock);
+	free(data);
+}
+
+/**
+ * Filter function for certificates enumerator
+ */
+static bool cert_filter(cert_data_t *data, certificate_t **in,
+						 certificate_t **out)
+{
+	certificate_t *cert = *in;
+	public_key_t *public;
+	chunk_t keyid;
+
+	public = cert->get_public_key(cert);
+	if (!public)
+	{
+		return FALSE;
+	}
+	if (data->key != KEY_ANY && public->get_type(public) != data->key)
+	{
+		public->destroy(public);
+		return FALSE;
+	}
+	if (data->id && data->id->get_type(data->id) == ID_KEY_ID &&
+		public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid) &&
+		chunk_equals(keyid, data->id->get_encoding(data->id)))
+	{
+		public->destroy(public);
+		*out = cert;
+		return TRUE;
+	}
+	public->destroy(public);
+	if (data->id && !cert->has_subject(cert, data->id))
+	{
+		return FALSE;
+	}
+	*out = cert;
+	return TRUE;
+}
+
+/**
+ * Create enumerator for trusted certificates
+ */
+static enumerator_t *create_trusted_cert_enumerator(private_nm_creds_t *this,
+										key_type_t key, identification_t *id)
+{
+	cert_data_t *data = malloc_thing(cert_data_t);
+
+	data->this = this;
+	data->id = id;
+	data->key = key;
+
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(
+					this->certs->create_enumerator(this->certs),
+					(void*)cert_filter, data, (void*)cert_data_destroy);
+}
+
+/**
  * Implements credential_set_t.create_cert_enumerator
  */
 static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
@@ -105,38 +186,11 @@ static enumerator_t* create_cert_enumerator(private_nm_creds_t *this,
 	{
 		return create_usercert_enumerator(this, cert, key);
 	}
-
-	if (!this->cert)
-	{
-		return NULL;
-	}
-	if (cert != CERT_ANY && cert != this->cert->get_type(this->cert))
-	{
-		return NULL;
-	}
-	if (id && !this->cert->has_subject(this->cert, id))
+	if (cert == CERT_X509 || cert == CERT_ANY)
 	{
-		return NULL;
+		return create_trusted_cert_enumerator(this, key, id);
 	}
-	if (key != KEY_ANY)
-	{
-		public_key_t *public;
-
-		public = this->cert->get_public_key(this->cert);
-		if (!public)
-		{
-			return NULL;
-		}
-		if (public->get_type(public) != key)
-		{
-			public->destroy(public);
-			return NULL;
-		}
-		public->destroy(public);
-	}
-	this->lock->read_lock(this->lock);
-	return enumerator_create_cleaner(enumerator_create_single(this->cert, NULL),
-									 (void*)this->lock->unlock, this->lock);
+	return NULL;
 }
 
 /**
@@ -240,17 +294,73 @@ static enumerator_t* create_shared_enumerator(private_nm_creds_t *this,
 }
 
 /**
- * Implementation of nm_creds_t.set_certificate
+ * Implementation of nm_creds_t.add_certificate
  */
-static void set_certificate(private_nm_creds_t *this, certificate_t *cert)
+static void add_certificate(private_nm_creds_t *this, certificate_t *cert)
 {
 	this->lock->write_lock(this->lock);
-	DESTROY_IF(this->cert);
-	this->cert = cert;
+	this->certs->insert_last(this->certs, cert);
 	this->lock->unlock(this->lock);
 }
 
 /**
+ * Load a certificate file
+ */
+static void load_ca_file(private_nm_creds_t *this, char *file)
+{
+	certificate_t *cert;
+
+	/* We add the CA constraint, as many CAs miss it */
+	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+							  BUILD_FROM_FILE, file, BUILD_END);
+	if (!cert)
+	{
+		DBG1(DBG_CFG, "loading CA certificate '%s' failed", file);
+	}
+	else
+	{
+		DBG2(DBG_CFG, "loaded CA certificate '%Y'", cert->get_subject(cert));
+		x509_t *x509 = (x509_t*)cert;
+		if (!(x509->get_flags(x509) & X509_SELF_SIGNED))
+		{
+			DBG1(DBG_CFG, "%Y is not self signed", cert->get_subject(cert));
+		}
+		this->certs->insert_last(this->certs, cert);
+	}
+}
+
+/**
+ * Implementation of nm_creds_t.load_ca_dir
+ */
+static void load_ca_dir(private_nm_creds_t *this, char *dir)
+{
+	enumerator_t *enumerator;
+	char *rel, *abs;
+	struct stat st;
+
+	enumerator = enumerator_create_directory(dir);
+	if (enumerator)
+	{
+		while (enumerator->enumerate(enumerator, &rel, &abs, &st))
+		{
+			/* skip '.', '..' and hidden files */
+			if (rel[0] != '.')
+			{
+				if (S_ISDIR(st.st_mode))
+				{
+					load_ca_dir(this, abs);
+				}
+				else if (S_ISREG(st.st_mode))
+				{
+					load_ca_file(this, abs);
+				}
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+}
+
+/**
  * Implementation of nm_creds_t.set_password
  */
 static void set_username_password(private_nm_creds_t *this, identification_t *id,
@@ -283,7 +393,12 @@ static void set_cert_and_key(private_nm_creds_t *this, certificate_t *cert,
  */
 static void clear(private_nm_creds_t *this)
 {
-	DESTROY_IF(this->cert);
+	certificate_t *cert;
+
+	while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS)
+	{
+		cert->destroy(cert);
+	}
 	DESTROY_IF(this->user);
 	free(this->pass);
 	DESTROY_IF(this->usercert);
@@ -291,7 +406,6 @@ static void clear(private_nm_creds_t *this)
 	this->key = NULL;
 	this->usercert = NULL;
 	this->pass = NULL;
-	this->cert = NULL;
 	this->user = NULL;
 }
 
@@ -301,6 +415,7 @@ static void clear(private_nm_creds_t *this)
 static void destroy(private_nm_creds_t *this)
 {
 	clear(this);
+	this->certs->destroy(this->certs);
 	this->lock->destroy(this->lock);
 	free(this);
 }
@@ -317,7 +432,8 @@ nm_creds_t *nm_creds_create()
 	this->public.set.create_shared_enumerator = (void*)create_shared_enumerator;
 	this->public.set.create_cdp_enumerator = (void*)return_null;
 	this->public.set.cache_cert = (void*)nop;
-	this->public.set_certificate = (void(*)(nm_creds_t*, certificate_t *cert))set_certificate;
+	this->public.add_certificate = (void(*)(nm_creds_t*, certificate_t *cert))add_certificate;
+	this->public.load_ca_dir = (void(*)(nm_creds_t*, char *dir))load_ca_dir;
 	this->public.set_username_password = (void(*)(nm_creds_t*, identification_t *id, char *password))set_username_password;
 	this->public.set_cert_and_key = (void(*)(nm_creds_t*, certificate_t *cert, private_key_t *key))set_cert_and_key;
 	this->public.clear = (void(*)(nm_creds_t*))clear;
@@ -325,7 +441,7 @@ nm_creds_t *nm_creds_create()
 
 	this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
 
-	this->cert = NULL;
+	this->certs = linked_list_create();
 	this->user = NULL;
 	this->pass = NULL;
 	this->usercert = NULL;
diff --git a/src/charon/plugins/nm/nm_creds.h b/src/charon/plugins/nm/nm_creds.h
index 754fe53df..b55cff31e 100644
--- a/src/charon/plugins/nm/nm_creds.h
+++ b/src/charon/plugins/nm/nm_creds.h
@@ -37,11 +37,18 @@ struct nm_creds_t {
 	credential_set_t set;
 
 	/**
-	 * Set the trusted gateway certificate to serve by this set.
+	 * Add a trusted gateway certificate to serve by this set.
 	 *
 	 * @param cert		certificate to serve
 	 */
-	void (*set_certificate)(nm_creds_t *this, certificate_t *cert);
+	void (*add_certificate)(nm_creds_t *this, certificate_t *cert);
+
+	/**
+	 * Load CA certificates recursively from a directory.
+	 *
+	 * @param dir		directory to PEM encoded CA certificates
+	 */
+	void (*load_ca_dir)(nm_creds_t *this, char *dir);
 
 	/**
 	 * Set the username/password for authentication.
diff --git a/src/charon/plugins/nm/nm_service.c b/src/charon/plugins/nm/nm_service.c
index 412a97fa3..04c7b2b12 100644
--- a/src/charon/plugins/nm/nm_service.c
+++ b/src/charon/plugins/nm/nm_service.c
@@ -212,7 +212,7 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	NMStrongswanPluginPrivate *priv;
 	NMSettingConnection *conn;
 	NMSettingVPN *vpn;
-	identification_t *user = NULL, *gateway;
+	identification_t *user = NULL, *gateway = NULL;
 	const char *address, *str;
 	bool virtual, encap, ipcomp;
 	ike_cfg_t *ike_cfg;
@@ -292,29 +292,37 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection,
 	{
 		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 								  BUILD_FROM_FILE, str, BUILD_END);
-		priv->creds->set_certificate(priv->creds, cert);
+		if (!cert)
+		{
+			g_set_error(err, NM_VPN_PLUGIN_ERROR,
+						NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
+						"Loading gateway certificate failed.");
+			return FALSE;
+		}
+		priv->creds->add_certificate(priv->creds, cert);
+
+		x509 = (x509_t*)cert;
+		if (!(x509->get_flags(x509) & X509_CA))
+		{	/* For a gateway certificate, we use the cert subject as identity. */
+			gateway = cert->get_subject(cert);
+			gateway = gateway->clone(gateway);
+			DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
+		}
 	}
-	if (!cert)
+	else
 	{
-		g_set_error(err, NM_VPN_PLUGIN_ERROR, NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
-					"Loading gateway certificate failed.");
-		return FALSE;
+		/* no certificate defined, fall back to system-wide CA certificates */
+		priv->creds->load_ca_dir(priv->creds, NM_CA_DIR);
 	}
-	x509 = (x509_t*)cert;
-	if (x509->get_flags(x509) & X509_CA)
-	{	/* If the user configured a CA certificate, we use the IP/DNS
+	if (!gateway)
+	{
+		/* If the user configured a CA certificate, we use the IP/DNS
 		 * of the gateway as its identity. This identity will be used for
 		 * certificate lookup and requires the configured IP/DNS to be
 		 * included in the gateway certificate. */
 		gateway = identification_create_from_string((char*)address);
 		DBG1(DBG_CFG, "using CA certificate, gateway identity '%Y'", gateway);
 	}
-	else
-	{	/* For a gateway certificate, we use the cert subject as identity. */
-		gateway = cert->get_subject(cert);
-		gateway = gateway->clone(gateway);
-		DBG1(DBG_CFG, "using gateway certificate, identity '%Y'", gateway);
-	}
 
 	if (auth_class == AUTH_CLASS_EAP)
 	{