2010-05-04 16:26:07 +00:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2010 Tobias Brunner
|
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
* for more details.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <cutils/sockets.h>
|
|
|
|
#include <cutils/properties.h>
|
2010-06-24 12:05:53 +00:00
|
|
|
#include <signal.h>
|
2010-05-04 16:26:07 +00:00
|
|
|
|
|
|
|
#include "android_service.h"
|
|
|
|
|
2010-07-05 11:52:05 +00:00
|
|
|
#include <hydra.h>
|
2010-05-04 16:26:07 +00:00
|
|
|
#include <daemon.h>
|
|
|
|
#include <threading/thread.h>
|
|
|
|
#include <processing/jobs/callback_job.h>
|
|
|
|
|
|
|
|
typedef struct private_android_service_t private_android_service_t;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* private data of Android service
|
|
|
|
*/
|
|
|
|
struct private_android_service_t {
|
|
|
|
|
|
|
|
/**
|
|
|
|
* public interface
|
|
|
|
*/
|
|
|
|
android_service_t public;
|
|
|
|
|
|
|
|
/**
|
2010-06-24 12:00:39 +00:00
|
|
|
* current IKE_SA
|
2010-05-04 16:26:07 +00:00
|
|
|
*/
|
2010-06-24 12:00:39 +00:00
|
|
|
ike_sa_t *ike_sa;
|
2010-05-04 16:26:07 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* job that handles requests from the Android control socket
|
|
|
|
*/
|
|
|
|
callback_job_t *job;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* android credentials
|
|
|
|
*/
|
|
|
|
android_creds_t *creds;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* android control socket
|
|
|
|
*/
|
|
|
|
int control;
|
|
|
|
|
|
|
|
};
|
|
|
|
|
2010-06-24 11:41:07 +00:00
|
|
|
/**
|
|
|
|
* Some of the error codes defined in VpnManager.java
|
|
|
|
*/
|
|
|
|
typedef enum {
|
|
|
|
/** Error code to indicate an error from authentication. */
|
|
|
|
VPN_ERROR_AUTH = 51,
|
|
|
|
/** Error code to indicate the connection attempt failed. */
|
|
|
|
VPN_ERROR_CONNECTION_FAILED = 101,
|
|
|
|
/** Error code to indicate an error of remote server hanging up. */
|
|
|
|
VPN_ERROR_REMOTE_HUNG_UP = 7,
|
|
|
|
/** Error code to indicate an error of losing connectivity. */
|
|
|
|
VPN_ERROR_CONNECTION_LOST = 103,
|
|
|
|
} android_vpn_errors_t;
|
|
|
|
|
2010-06-24 11:57:03 +00:00
|
|
|
/**
|
|
|
|
* send a status code back to the Android app
|
|
|
|
*/
|
|
|
|
static void send_status(private_android_service_t *this, u_char code)
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "status of Android plugin changed: %d", code);
|
|
|
|
send(this->control, &code, 1, 0);
|
|
|
|
}
|
|
|
|
|
2010-06-24 12:00:39 +00:00
|
|
|
METHOD(listener_t, ike_updown, bool,
|
|
|
|
private_android_service_t *this, ike_sa_t *ike_sa, bool up)
|
|
|
|
{
|
2010-06-24 12:02:52 +00:00
|
|
|
/* this callback is only registered during initiation, so if the IKE_SA
|
|
|
|
* goes down we assume an authentication error */
|
|
|
|
if (this->ike_sa == ike_sa && !up)
|
|
|
|
{
|
|
|
|
send_status(this, VPN_ERROR_AUTH);
|
|
|
|
return FALSE;
|
|
|
|
}
|
2010-06-24 12:00:39 +00:00
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
METHOD(listener_t, child_state_change, bool,
|
|
|
|
private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
|
|
|
|
child_sa_state_t state)
|
|
|
|
{
|
2010-06-24 12:02:52 +00:00
|
|
|
/* this callback is only registered during initiation, so we still have
|
|
|
|
* the control socket open */
|
|
|
|
if (this->ike_sa == ike_sa && state == CHILD_DESTROYING)
|
|
|
|
{
|
|
|
|
send_status(this, VPN_ERROR_CONNECTION_FAILED);
|
|
|
|
return FALSE;
|
|
|
|
}
|
2010-06-24 12:00:39 +00:00
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2010-06-24 12:05:53 +00:00
|
|
|
/**
|
|
|
|
* Callback used to shutdown the daemon
|
|
|
|
*/
|
|
|
|
static job_requeue_t shutdown_callback(void *data)
|
|
|
|
{
|
|
|
|
kill(0, SIGTERM);
|
|
|
|
return JOB_REQUEUE_NONE;
|
|
|
|
}
|
|
|
|
|
2010-06-24 12:00:39 +00:00
|
|
|
METHOD(listener_t, child_updown, bool,
|
|
|
|
private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
|
|
|
|
bool up)
|
|
|
|
{
|
2010-06-24 12:02:52 +00:00
|
|
|
if (this->ike_sa == ike_sa)
|
|
|
|
{
|
|
|
|
if (up)
|
|
|
|
{
|
|
|
|
/* disable the hooks registered to catch initiation failures */
|
|
|
|
this->public.listener.ike_updown = NULL;
|
|
|
|
this->public.listener.child_state_change = NULL;
|
|
|
|
property_set("vpn.status", "ok");
|
|
|
|
}
|
2010-06-24 12:05:53 +00:00
|
|
|
else
|
|
|
|
{
|
|
|
|
callback_job_t *job;
|
|
|
|
/* the control socket is closed as soon as vpn.status is set to "ok"
|
|
|
|
* and the daemon proxy then only checks for terminated daemons to
|
|
|
|
* detect lost connections, so... */
|
|
|
|
DBG1(DBG_CFG, "connection lost, raising delayed SIGTERM");
|
|
|
|
/* to avoid any conflicts we send the SIGTERM not directly from this
|
|
|
|
* callback, but from a different thread. we also delay it to avoid
|
|
|
|
* a race condition during a regular shutdown */
|
|
|
|
job = callback_job_create(shutdown_callback, NULL, NULL, NULL);
|
2010-07-06 11:23:42 +00:00
|
|
|
hydra->scheduler->schedule_job(hydra->scheduler, (job_t*)job, 1);
|
2010-06-24 12:05:53 +00:00
|
|
|
return FALSE;
|
|
|
|
}
|
2010-06-24 12:02:52 +00:00
|
|
|
}
|
2010-06-24 12:00:39 +00:00
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
METHOD(listener_t, ike_rekey, bool,
|
|
|
|
private_android_service_t *this, ike_sa_t *old, ike_sa_t *new)
|
|
|
|
{
|
|
|
|
if (this->ike_sa == old)
|
|
|
|
{
|
|
|
|
this->ike_sa = new;
|
|
|
|
}
|
|
|
|
return TRUE;
|
|
|
|
}
|
|
|
|
|
2010-05-04 16:26:07 +00:00
|
|
|
/**
|
|
|
|
* Read a string argument from the Android control socket
|
|
|
|
*/
|
|
|
|
static char *read_argument(int fd, u_char length)
|
|
|
|
{
|
|
|
|
int offset = 0;
|
|
|
|
char *data = malloc(length + 1);
|
|
|
|
while (offset < length)
|
|
|
|
{
|
|
|
|
int n = recv(fd, &data[offset], length - offset, 0);
|
|
|
|
if (n < 0)
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "failed to read argument from Android"
|
|
|
|
" control socket: %s", strerror(errno));
|
|
|
|
free(data);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
offset += n;
|
|
|
|
}
|
|
|
|
data[length] = '\0';
|
2010-06-24 12:44:45 +00:00
|
|
|
DBG3(DBG_CFG, "received argument from Android control socket: %s", data);
|
2010-05-04 16:26:07 +00:00
|
|
|
return data;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* handle the request received from the Android control socket
|
|
|
|
*/
|
|
|
|
static job_requeue_t initiate(private_android_service_t *this)
|
|
|
|
{
|
|
|
|
bool oldstate;
|
|
|
|
int fd, i = 0;
|
|
|
|
char *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL;
|
|
|
|
identification_t *gateway = NULL, *user = NULL;
|
|
|
|
ike_cfg_t *ike_cfg;
|
|
|
|
peer_cfg_t *peer_cfg;
|
|
|
|
child_cfg_t *child_cfg;
|
|
|
|
traffic_selector_t *ts;
|
|
|
|
ike_sa_t *ike_sa;
|
|
|
|
auth_cfg_t *auth;
|
|
|
|
lifetime_cfg_t lifetime = {
|
|
|
|
.time = {
|
|
|
|
.life = 10800, /* 3h */
|
|
|
|
.rekey = 10200, /* 2h50min */
|
|
|
|
.jitter = 300 /* 5min */
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
fd = accept(this->control, NULL, 0);
|
|
|
|
if (fd < 0)
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "accept on Android control socket failed: %s",
|
|
|
|
strerror(errno));
|
|
|
|
return JOB_REQUEUE_NONE;
|
|
|
|
}
|
2010-06-24 11:57:03 +00:00
|
|
|
/* the original control socket is not used anymore */
|
2010-05-04 16:26:07 +00:00
|
|
|
close(this->control);
|
2010-06-24 11:57:03 +00:00
|
|
|
this->control = fd;
|
2010-05-04 16:26:07 +00:00
|
|
|
|
|
|
|
while (TRUE)
|
|
|
|
{
|
|
|
|
u_char length;
|
|
|
|
if (recv(fd, &length, 1, 0) != 1)
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "failed to read from Android control socket: %s",
|
|
|
|
strerror(errno));
|
|
|
|
return JOB_REQUEUE_NONE;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (length == 0xFF)
|
|
|
|
{ /* last argument */
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
switch (i++)
|
|
|
|
{
|
|
|
|
case 0: /* gateway */
|
|
|
|
hostname = read_argument(fd, length);
|
|
|
|
break;
|
|
|
|
case 1: /* CA certificate name */
|
|
|
|
cacert = read_argument(fd, length);
|
|
|
|
break;
|
|
|
|
case 2: /* username */
|
|
|
|
username = read_argument(fd, length);
|
|
|
|
break;
|
|
|
|
case 3: /* password */
|
|
|
|
password = read_argument(fd, length);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (cacert)
|
|
|
|
{
|
|
|
|
if (!this->creds->add_certificate(this->creds, cacert))
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "failed to load CA certificate");
|
|
|
|
}
|
|
|
|
/* if this is a server cert we could use the cert subject as id
|
|
|
|
* but we have to test first if that possible to configure */
|
|
|
|
}
|
|
|
|
|
|
|
|
gateway = identification_create_from_string(hostname);
|
|
|
|
DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway);
|
|
|
|
|
|
|
|
if (username)
|
|
|
|
{
|
|
|
|
user = identification_create_from_string(username);
|
|
|
|
this->creds->set_username_password(this->creds, user, password);
|
|
|
|
}
|
|
|
|
|
|
|
|
ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
|
|
|
|
hostname, IKEV2_UDP_PORT);
|
|
|
|
ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
|
|
|
|
|
|
|
|
peer_cfg = peer_cfg_create("android", 2, ike_cfg, CERT_SEND_IF_ASKED,
|
|
|
|
UNIQUE_REPLACE, 1, /* keyingtries */
|
|
|
|
36000, 0, /* rekey 10h, reauth none */
|
|
|
|
600, 600, /* jitter, over 10min */
|
|
|
|
TRUE, 0, /* mobike, DPD */
|
|
|
|
host_create_from_string("0.0.0.0", 0) /* virt */,
|
|
|
|
NULL, FALSE, NULL, NULL); /* pool, mediation */
|
|
|
|
|
|
|
|
auth = auth_cfg_create();
|
|
|
|
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
|
|
|
|
auth->add(auth, AUTH_RULE_IDENTITY, user);
|
|
|
|
peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
|
|
|
|
auth = auth_cfg_create();
|
|
|
|
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
|
|
|
|
auth->add(auth, AUTH_RULE_IDENTITY, gateway);
|
|
|
|
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
|
|
|
|
|
|
|
|
child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
|
2010-07-09 07:06:02 +00:00
|
|
|
ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
|
|
|
|
NULL, NULL);
|
2010-05-04 16:26:07 +00:00
|
|
|
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
|
|
|
|
ts = traffic_selector_create_dynamic(0, 0, 65535);
|
|
|
|
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
|
|
|
|
ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
|
|
|
|
0, "255.255.255.255", 65535);
|
|
|
|
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
|
|
|
|
peer_cfg->add_child_cfg(peer_cfg, child_cfg);
|
2010-06-24 11:42:57 +00:00
|
|
|
/* get an additional reference because initiate consumes one */
|
|
|
|
child_cfg->get_ref(child_cfg);
|
2010-05-04 16:26:07 +00:00
|
|
|
|
2010-06-24 12:02:52 +00:00
|
|
|
/* get us an IKE_SA */
|
|
|
|
ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
|
|
|
|
peer_cfg);
|
|
|
|
if (!ike_sa->get_peer_cfg(ike_sa))
|
|
|
|
{
|
|
|
|
ike_sa->set_peer_cfg(ike_sa, peer_cfg);
|
|
|
|
}
|
|
|
|
peer_cfg->destroy(peer_cfg);
|
|
|
|
|
|
|
|
/* store the IKE_SA so we can track its progress */
|
|
|
|
this->ike_sa = ike_sa;
|
2010-05-04 16:26:07 +00:00
|
|
|
|
|
|
|
/* confirm that we received the request */
|
2010-06-24 11:57:03 +00:00
|
|
|
send_status(this, i);
|
2010-05-04 16:26:07 +00:00
|
|
|
|
2010-06-24 12:02:52 +00:00
|
|
|
if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
|
2010-05-04 16:26:07 +00:00
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "failed to initiate tunnel");
|
2010-06-24 12:02:52 +00:00
|
|
|
charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
|
|
|
|
ike_sa);
|
2010-06-24 11:57:03 +00:00
|
|
|
send_status(this, VPN_ERROR_CONNECTION_FAILED);
|
2010-05-04 16:26:07 +00:00
|
|
|
return JOB_REQUEUE_NONE;
|
|
|
|
}
|
2010-06-24 12:02:52 +00:00
|
|
|
charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
|
2010-05-04 16:26:07 +00:00
|
|
|
return JOB_REQUEUE_NONE;
|
|
|
|
}
|
|
|
|
|
|
|
|
METHOD(android_service_t, destroy, void,
|
|
|
|
private_android_service_t *this)
|
|
|
|
{
|
2010-06-24 12:00:39 +00:00
|
|
|
charon->bus->remove_listener(charon->bus, &this->public.listener);
|
2010-06-24 11:57:03 +00:00
|
|
|
close(this->control);
|
2010-05-04 16:26:07 +00:00
|
|
|
free(this);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* See header
|
|
|
|
*/
|
|
|
|
android_service_t *android_service_create(android_creds_t *creds)
|
|
|
|
{
|
|
|
|
private_android_service_t *this;
|
|
|
|
|
|
|
|
INIT(this,
|
|
|
|
.public = {
|
2010-06-24 12:00:39 +00:00
|
|
|
.listener = {
|
|
|
|
.ike_updown = _ike_updown,
|
|
|
|
.child_state_change = _child_state_change,
|
|
|
|
.child_updown = _child_updown,
|
|
|
|
.ike_rekey = _ike_rekey,
|
|
|
|
},
|
2010-05-04 16:26:07 +00:00
|
|
|
.destroy = _destroy,
|
|
|
|
},
|
|
|
|
.creds = creds,
|
|
|
|
);
|
|
|
|
|
|
|
|
this->control = android_get_control_socket("charon");
|
|
|
|
if (this->control == -1)
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "failed to get Android control socket");
|
|
|
|
free(this);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (listen(this->control, 1) < 0)
|
|
|
|
{
|
|
|
|
DBG1(DBG_CFG, "failed to listen on Android control socket: %s",
|
|
|
|
strerror(errno));
|
|
|
|
close(this->control);
|
|
|
|
free(this);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2010-06-24 12:00:39 +00:00
|
|
|
charon->bus->add_listener(charon->bus, &this->public.listener);
|
2010-05-04 16:26:07 +00:00
|
|
|
this->job = callback_job_create((callback_job_cb_t)initiate, this,
|
|
|
|
NULL, NULL);
|
2010-07-05 11:52:05 +00:00
|
|
|
hydra->processor->queue_job(hydra->processor, (job_t*)this->job);
|
2010-05-04 16:26:07 +00:00
|
|
|
|
|
|
|
return &this->public;
|
|
|
|
}
|
|
|
|
|