diff options
Diffstat (limited to 'src/libcharon/plugins/maemo/maemo_service.c')
| -rw-r--r-- | src/libcharon/plugins/maemo/maemo_service.c | 510 |
1 files changed, 510 insertions, 0 deletions
diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c new file mode 100644 index 000000000..efd914a00 --- /dev/null +++ b/src/libcharon/plugins/maemo/maemo_service.c @@ -0,0 +1,510 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <glib.h> +#include <libosso.h> +#include <sys/stat.h> + +#include "maemo_service.h" + +#include <daemon.h> +#include <credentials/sets/mem_cred.h> +#include <processing/jobs/callback_job.h> + +#define OSSO_STATUS_NAME "status" +#define OSSO_STATUS_SERVICE "org.strongswan."OSSO_STATUS_NAME +#define OSSO_STATUS_OBJECT "/org/strongswan/"OSSO_STATUS_NAME +#define OSSO_STATUS_IFACE "org.strongswan."OSSO_STATUS_NAME + +#define OSSO_CHARON_NAME "charon" +#define OSSO_CHARON_SERVICE "org.strongswan."OSSO_CHARON_NAME +#define OSSO_CHARON_OBJECT "/org/strongswan/"OSSO_CHARON_NAME +#define OSSO_CHARON_IFACE "org.strongswan."OSSO_CHARON_NAME + +#define MAEMO_COMMON_CA_DIR "/etc/certs/common-ca" +#define MAEMO_USER_CA_DIR "/home/user/.maemosec-certs/wifi-ca" +/* there is also an smime-ca and an ssl-ca sub-directory and the same for + * ...-user, which store end user/server certificates */ + +typedef enum { + VPN_STATUS_DISCONNECTED, + VPN_STATUS_CONNECTING, + VPN_STATUS_CONNECTED, + VPN_STATUS_AUTH_FAILED, + VPN_STATUS_CONNECTION_FAILED, +} vpn_status_t; + +typedef struct private_maemo_service_t private_maemo_service_t; + +/** + * private data of maemo service + */ +struct private_maemo_service_t { + + /** + * public interface + */ + maemo_service_t public; + + /** + * credentials + */ + mem_cred_t *creds; + + /** + * Glib main loop for a thread, handles DBUS calls + */ + GMainLoop *loop; + + /** + * Context for OSSO + */ + osso_context_t *context; + + /** + * Current IKE_SA + */ + ike_sa_t *ike_sa; + + /** + * Status of the current connection + */ + vpn_status_t status; + + /** + * Name of the current connection + */ + gchar *current; + +}; + +static gint change_status(private_maemo_service_t *this, int status) +{ + osso_rpc_t retval; + gint res; + this->status = status; + res = osso_rpc_run (this->context, OSSO_STATUS_SERVICE, OSSO_STATUS_OBJECT, + OSSO_STATUS_IFACE, "StatusChanged", &retval, + DBUS_TYPE_INT32, status, + DBUS_TYPE_INVALID); + return res; +} + +METHOD(listener_t, ike_updown, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, bool up) +{ + /* this callback is only registered during initiation, so if the IKE_SA + * goes down we assume an authentication error */ + if (this->ike_sa == ike_sa && !up) + { + change_status(this, VPN_STATUS_AUTH_FAILED); + return FALSE; + } + return TRUE; +} + +METHOD(listener_t, child_state_change, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + child_sa_state_t state) +{ + /* this call back is only registered during initiation */ + if (this->ike_sa == ike_sa && state == CHILD_DESTROYING) + { + change_status(this, VPN_STATUS_CONNECTION_FAILED); + return FALSE; + } + return TRUE; +} + +METHOD(listener_t, child_updown, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + if (this->ike_sa == ike_sa) + { + if (up) + { + /* disable hooks registered to catch initiation failures */ + this->public.listener.ike_updown = NULL; + this->public.listener.child_state_change = NULL; + change_status(this, VPN_STATUS_CONNECTED); + } + else + { + change_status(this, VPN_STATUS_CONNECTION_FAILED); + return FALSE; + } + } + return TRUE; +} + +METHOD(listener_t, ike_rekey, bool, + private_maemo_service_t *this, ike_sa_t *old, ike_sa_t *new) +{ + if (this->ike_sa == old) + { + this->ike_sa = new; + } + return TRUE; +} + +/** + * load all CA certificates in the given directory + */ +static void load_ca_dir(private_maemo_service_t *this, char *dir) +{ + enumerator_t *enumerator; + char *rel, *abs; + struct stat st; + + enumerator = enumerator_create_directory(dir); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &rel, &abs, &st)) + { + if (rel[0] != '.') + { + if (S_ISREG(st.st_mode)) + { + certificate_t *cert; + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509, BUILD_FROM_FILE, abs, + BUILD_END); + if (!cert) + { + DBG1(DBG_CFG, "loading CA certificate '%s' failed", + abs); + continue; + } + DBG2(DBG_CFG, "loaded CA certificate '%Y'", + cert->get_subject(cert)); + this->creds->add_cert(this->creds, TRUE, cert); + } + } + } + enumerator->destroy(enumerator); + } +} + +static void disconnect(private_maemo_service_t *this) +{ + ike_sa_t *ike_sa; + u_int id; + + if (!this->current) + { + return; + } + + /* avoid status updates, as this is called from the Glib main loop */ + charon->bus->remove_listener(charon->bus, &this->public.listener); + + ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager, + this->current, FALSE); + if (ike_sa) + { + id = ike_sa->get_unique_id(ike_sa); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + charon->controller->terminate_ike(charon->controller, id, + NULL, NULL); + } + this->current = (g_free(this->current), NULL); + this->status = VPN_STATUS_DISCONNECTED; +} + +static gboolean initiate_connection(private_maemo_service_t *this, + GArray *arguments) +{ + gint i; + gchar *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL; + identification_t *gateway = NULL, *user = NULL; + ike_sa_t *ike_sa; + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + traffic_selector_t *ts; + auth_cfg_t *auth; + certificate_t *cert; + lifetime_cfg_t lifetime = { + .time = { + .life = 10800, /* 3h */ + .rekey = 10200, /* 2h50min */ + .jitter = 300 /* 5min */ + } + }; + + if (this->status == VPN_STATUS_CONNECTED || + this->status == VPN_STATUS_CONNECTING) + { + DBG1(DBG_CFG, "currently connected to '%s', disconnecting first", + this->current); + disconnect (this); + } + + if (arguments->len != 5) + { + DBG1(DBG_CFG, "wrong number of arguments: %d", arguments->len); + return FALSE; + } + + for (i = 0; i < arguments->len; i++) + { + osso_rpc_t *arg = &g_array_index(arguments, osso_rpc_t, i); + if (arg->type != DBUS_TYPE_STRING) + { + DBG1(DBG_CFG, "invalid argument [%d]: %d", i, arg->type); + return FALSE; + } + switch (i) + { + case 0: /* name */ + this->current = (g_free(this->current), NULL); + this->current = g_strdup(arg->value.s); + break; + case 1: /* hostname */ + hostname = arg->value.s; + break; + case 2: /* CA certificate path */ + cacert = arg->value.s; + break; + case 3: /* username */ + username = arg->value.s; + break; + case 4: /* password */ + password = arg->value.s; + break; + } + } + + DBG1(DBG_CFG, "received initiate for connection '%s'", this->current); + + this->creds->clear(this->creds); + + if (cacert && !streq(cacert, "")) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, cacert, BUILD_END); + if (cert) + { + this->creds->add_cert(this->creds, TRUE, cert); + } + else + { + DBG1(DBG_CFG, "failed to load CA certificate"); + } + /* if this is a server cert we could use the cert subject as id */ + } + else + { + load_ca_dir(this, MAEMO_COMMON_CA_DIR); + load_ca_dir(this, MAEMO_USER_CA_DIR); + } + + gateway = identification_create_from_string(hostname); + DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway); + + { + shared_key_t *shared_key; + chunk_t secret = chunk_create(password, strlen(password)); + user = identification_create_from_string(username); + shared_key = shared_key_create(SHARED_EAP, chunk_clone(secret)); + this->creds->add_shared(this->creds, shared_key, user->clone(user), + NULL); + } + + ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT, + hostname, IKEV2_UDP_PORT); + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + + peer_cfg = peer_cfg_create(this->current, 2, ike_cfg, CERT_SEND_IF_ASKED, + UNIQUE_REPLACE, 1, /* keyingtries */ + 36000, 0, /* rekey 10h, reauth none */ + 600, 600, /* jitter, over 10min */ + TRUE, 0, /* mobike, DPD */ + host_create_from_string("0.0.0.0", 0) /* virt */, + NULL, FALSE, NULL, NULL); /* pool, mediation */ + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); + auth->add(auth, AUTH_RULE_IDENTITY, user); + peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + auth->add(auth, AUTH_RULE_IDENTITY, gateway); + peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); + + child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */, + TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE, + FALSE, 0, 0, NULL, NULL); + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + ts = traffic_selector_create_dynamic(0, 0, 65535); + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0", + 0, "255.255.255.255", 65535); + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + peer_cfg->add_child_cfg(peer_cfg, child_cfg); + /* get an additional reference because initiate consumes one */ + child_cfg->get_ref(child_cfg); + + /* get us an IKE_SA */ + ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, + peer_cfg); + if (!ike_sa->get_peer_cfg(ike_sa)) + { + ike_sa->set_peer_cfg(ike_sa, peer_cfg); + } + peer_cfg->destroy(peer_cfg); + + /* store the IKE_SA, so we can track its progress */ + this->ike_sa = ike_sa; + this->status = VPN_STATUS_CONNECTING; + this->public.listener.ike_updown = _ike_updown; + this->public.listener.child_state_change = _child_state_change; + charon->bus->add_listener(charon->bus, &this->public.listener); + + if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) + { + DBG1(DBG_CFG, "failed to initiate tunnel"); + charon->bus->remove_listener(charon->bus, &this->public.listener); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); + this->status = VPN_STATUS_CONNECTION_FAILED; + return FALSE; + } + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return TRUE; +} + +/** + * Callback for libosso dbus wrapper + */ +static gint dbus_req_handler(const gchar *interface, const gchar *method, + GArray *arguments, private_maemo_service_t *this, + osso_rpc_t *retval) +{ + if (streq(method, "Start")) + { /* void start (void), dummy function to start charon as root */ + return OSSO_OK; + } + else if (streq(method, "Connect")) + { /* bool connect (name, host, cert, user, pass) */ + retval->value.b = initiate_connection(this, arguments); + retval->type = DBUS_TYPE_BOOLEAN; + } + else if (streq(method, "Disconnect")) + { /* void disconnect (void) */ + disconnect(this); + } + else + { + return OSSO_ERROR; + } + return OSSO_OK; +} + +/** + * Main loop to handle D-BUS messages. + */ +static job_requeue_t run(private_maemo_service_t *this) +{ + this->loop = g_main_loop_new(NULL, FALSE); + g_main_loop_run(this->loop); + return JOB_REQUEUE_NONE; +} + +METHOD(maemo_service_t, destroy, void, + private_maemo_service_t *this) +{ + if (this->loop) + { + if (g_main_loop_is_running(this->loop)) + { + g_main_loop_quit(this->loop); + } + g_main_loop_unref(this->loop); + } + if (this->context) + { + osso_rpc_unset_cb_f(this->context, + OSSO_CHARON_SERVICE, + OSSO_CHARON_OBJECT, + OSSO_CHARON_IFACE, + (osso_rpc_cb_f*)dbus_req_handler, + this); + osso_deinitialize(this->context); + } + charon->bus->remove_listener(charon->bus, &this->public.listener); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); + this->creds->destroy(this->creds); + this->current = (g_free(this->current), NULL); + free(this); +} + +/* + * See header + */ +maemo_service_t *maemo_service_create() +{ + osso_return_t result; + private_maemo_service_t *this; + + INIT(this, + .public = { + .listener = { + .ike_updown = _ike_updown, + .child_state_change = _child_state_change, + .child_updown = _child_updown, + .ike_rekey = _ike_rekey, + }, + .destroy = _destroy, + }, + .creds = mem_cred_create(), + ); + + lib->credmgr->add_set(lib->credmgr, &this->creds->set); + + this->context = osso_initialize(OSSO_CHARON_SERVICE, "0.0.1", TRUE, NULL); + if (!this->context) + { + DBG1(DBG_CFG, "failed to initialize OSSO context"); + destroy(this); + return NULL; + } + + result = osso_rpc_set_cb_f(this->context, + OSSO_CHARON_SERVICE, + OSSO_CHARON_OBJECT, + OSSO_CHARON_IFACE, + (osso_rpc_cb_f*)dbus_req_handler, + this); + if (result != OSSO_OK) + { + DBG1(DBG_CFG, "failed to set D-BUS callback (%d)", result); + destroy(this); + return NULL; + } + + this->loop = NULL; + if (!g_thread_supported()) + { + g_thread_init(NULL); + } + + lib->processor->queue_job(lib->processor, + (job_t*)callback_job_create((callback_job_cb_t)run, this, NULL, NULL)); + + return &this->public; +} + |