android: Native parts handle ikev2-cert VPN type
[strongswan.git] / src / frontends / android / jni / libandroidbridge / backend / android_service.c
1 /*
2 * Copyright (C) 2010-2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <errno.h>
19 #include <unistd.h>
20
21 #include "android_service.h"
22 #include "../charonservice.h"
23 #include "../vpnservice_builder.h"
24
25 #include <daemon.h>
26 #include <library.h>
27 #include <ipsec.h>
28 #include <processing/jobs/callback_job.h>
29 #include <threading/rwlock.h>
30 #include <threading/thread.h>
31
32 typedef struct private_android_service_t private_android_service_t;
33
34 #define TUN_DEFAULT_MTU 1400
35
36 /**
37 * private data of Android service
38 */
39 struct private_android_service_t {
40
41 /**
42 * public interface
43 */
44 android_service_t public;
45
46 /**
47 * credential set
48 */
49 android_creds_t *creds;
50
51 /**
52 * current IKE_SA
53 */
54 ike_sa_t *ike_sa;
55
56 /**
57 * the type of VPN
58 */
59 char *type;
60
61 /**
62 * local ipv4 address
63 */
64 char *local_address;
65
66 /**
67 * gateway
68 */
69 char *gateway;
70
71 /**
72 * username
73 */
74 char *username;
75
76 /**
77 * password
78 */
79 char *password;
80
81 /**
82 * lock to safely access the TUN device fd
83 */
84 rwlock_t *lock;
85
86 /**
87 * TUN device file descriptor
88 */
89 int tunfd;
90
91 };
92
93 /**
94 * Outbound callback
95 */
96 static void send_esp(void *data, esp_packet_t *packet)
97 {
98 charon->sender->send_no_marker(charon->sender, (packet_t*)packet);
99 }
100
101 /**
102 * Inbound callback
103 */
104 static void deliver_plain(private_android_service_t *this,
105 ip_packet_t *packet)
106 {
107 chunk_t encoding;
108 ssize_t len;
109
110 encoding = packet->get_encoding(packet);
111
112 this->lock->read_lock(this->lock);
113 if (this->tunfd < 0)
114 { /* the TUN device is already closed */
115 this->lock->unlock(this->lock);
116 packet->destroy(packet);
117 return;
118 }
119 len = write(this->tunfd, encoding.ptr, encoding.len);
120 this->lock->unlock(this->lock);
121
122 if (len < 0 || len != encoding.len)
123 {
124 DBG1(DBG_DMN, "failed to write packet to TUN device: %s",
125 strerror(errno));
126 }
127 packet->destroy(packet);
128 }
129
130 /**
131 * Receiver callback
132 */
133 static void receiver_esp_cb(void *data, packet_t *packet)
134 {
135 esp_packet_t *esp_packet;
136
137 esp_packet = esp_packet_create_from_packet(packet);
138 ipsec->processor->queue_inbound(ipsec->processor, esp_packet);
139 }
140
141 /**
142 * Job handling outbound plaintext packets
143 */
144 static job_requeue_t handle_plain(private_android_service_t *this)
145 {
146 ip_packet_t *packet;
147 chunk_t raw;
148 fd_set set;
149 ssize_t len;
150 int tunfd;
151 bool old;
152
153 FD_ZERO(&set);
154
155 this->lock->read_lock(this->lock);
156 if (this->tunfd < 0)
157 { /* the TUN device is already closed */
158 this->lock->unlock(this->lock);
159 return JOB_REQUEUE_NONE;
160 }
161 tunfd = this->tunfd;
162 FD_SET(tunfd, &set);
163 this->lock->unlock(this->lock);
164
165 old = thread_cancelability(TRUE);
166 len = select(tunfd + 1, &set, NULL, NULL, NULL);
167 thread_cancelability(old);
168
169 if (len < 0)
170 {
171 DBG1(DBG_DMN, "select on TUN device failed: %s", strerror(errno));
172 return JOB_REQUEUE_NONE;
173 }
174
175 raw = chunk_alloc(TUN_DEFAULT_MTU);
176 len = read(tunfd, raw.ptr, raw.len);
177 if (len < 0)
178 {
179 DBG1(DBG_DMN, "reading from TUN device failed: %s", strerror(errno));
180 chunk_free(&raw);
181 return JOB_REQUEUE_FAIR;
182 }
183 raw.len = len;
184
185 packet = ip_packet_create(raw);
186 if (packet)
187 {
188 ipsec->processor->queue_outbound(ipsec->processor, packet);
189 }
190 else
191 {
192 DBG1(DBG_DMN, "invalid IP packet read from TUN device");
193 }
194 return JOB_REQUEUE_DIRECT;
195 }
196
197 /**
198 * Add a route to the TUN device builder
199 */
200 static bool add_route(vpnservice_builder_t *builder, host_t *net,
201 u_int8_t prefix)
202 {
203 /* if route is 0.0.0.0/0, split it into two routes 0.0.0.0/1 and
204 * 128.0.0.0/1 because otherwise it would conflict with the current default
205 * route */
206 if (net->is_anyaddr(net) && prefix == 0)
207 {
208 bool success;
209
210 success = add_route(builder, net, 1);
211 net = host_create_from_string("128.0.0.0", 0);
212 success = success && add_route(builder, net, 1);
213 net->destroy(net);
214 return success;
215 }
216 return builder->add_route(builder, net, prefix);
217 }
218
219 /**
220 * Generate and set routes from installed IPsec policies
221 */
222 static bool add_routes(vpnservice_builder_t *builder, child_sa_t *child_sa)
223 {
224 traffic_selector_t *src_ts, *dst_ts;
225 enumerator_t *enumerator;
226 bool success = TRUE;
227
228 enumerator = child_sa->create_policy_enumerator(child_sa);
229 while (success && enumerator->enumerate(enumerator, &src_ts, &dst_ts))
230 {
231 host_t *net;
232 u_int8_t prefix;
233
234 dst_ts->to_subnet(dst_ts, &net, &prefix);
235 success = add_route(builder, net, prefix);
236 net->destroy(net);
237 }
238 enumerator->destroy(enumerator);
239 return success;
240 }
241
242 /**
243 * Setup a new TUN device for the supplied SAs, also queues a job that
244 * reads packets from this device.
245 * Additional information such as DNS servers are gathered in appropriate
246 * listeners asynchronously. To be sure every required bit of information is
247 * available this should be called after the CHILD_SA has been established.
248 */
249 static bool setup_tun_device(private_android_service_t *this,
250 ike_sa_t *ike_sa, child_sa_t *child_sa)
251 {
252 vpnservice_builder_t *builder;
253 host_t *vip;
254 int tunfd;
255
256 DBG1(DBG_DMN, "setting up TUN device for CHILD_SA %s{%u}",
257 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa));
258 vip = ike_sa->get_virtual_ip(ike_sa, TRUE);
259 if (!vip || vip->is_anyaddr(vip))
260 {
261 DBG1(DBG_DMN, "setting up TUN device failed, no virtual IP found");
262 return FALSE;
263 }
264
265 builder = charonservice->get_vpnservice_builder(charonservice);
266 if (!builder->add_address(builder, vip) ||
267 !add_routes(builder, child_sa) ||
268 !builder->set_mtu(builder, TUN_DEFAULT_MTU))
269 {
270 return FALSE;
271 }
272
273 tunfd = builder->establish(builder);
274 if (tunfd == -1)
275 {
276 return FALSE;
277 }
278
279 this->lock->write_lock(this->lock);
280 this->tunfd = tunfd;
281 this->lock->unlock(this->lock);
282
283 DBG1(DBG_DMN, "successfully created TUN device");
284
285 charon->receiver->add_esp_cb(charon->receiver,
286 (receiver_esp_cb_t)receiver_esp_cb, NULL);
287 ipsec->processor->register_inbound(ipsec->processor,
288 (ipsec_inbound_cb_t)deliver_plain, this);
289 ipsec->processor->register_outbound(ipsec->processor,
290 (ipsec_outbound_cb_t)send_esp, NULL);
291
292 lib->processor->queue_job(lib->processor,
293 (job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
294 NULL, (callback_job_cancel_t)return_false));
295 return TRUE;
296 }
297
298 /**
299 * Close the current tun device
300 */
301 static void close_tun_device(private_android_service_t *this)
302 {
303 int tunfd;
304
305 this->lock->write_lock(this->lock);
306 if (this->tunfd < 0)
307 { /* already closed (or never created) */
308 this->lock->unlock(this->lock);
309 return;
310 }
311 tunfd = this->tunfd;
312 this->tunfd = -1;
313 this->lock->unlock(this->lock);
314
315 ipsec->processor->unregister_outbound(ipsec->processor,
316 (ipsec_outbound_cb_t)send_esp);
317 ipsec->processor->unregister_inbound(ipsec->processor,
318 (ipsec_inbound_cb_t)deliver_plain);
319 charon->receiver->del_esp_cb(charon->receiver,
320 (receiver_esp_cb_t)receiver_esp_cb);
321 close(tunfd);
322 }
323
324 METHOD(listener_t, child_updown, bool,
325 private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
326 bool up)
327 {
328 if (this->ike_sa == ike_sa)
329 {
330 if (up)
331 {
332 /* disable the hooks registered to catch initiation failures */
333 this->public.listener.ike_updown = NULL;
334 this->public.listener.ike_state_change = NULL;
335 if (!setup_tun_device(this, ike_sa, child_sa))
336 {
337 DBG1(DBG_DMN, "failed to setup TUN device");
338 charonservice->update_status(charonservice,
339 CHARONSERVICE_GENERIC_ERROR);
340 return FALSE;
341
342 }
343 charonservice->update_status(charonservice,
344 CHARONSERVICE_CHILD_STATE_UP);
345 }
346 else
347 {
348 close_tun_device(this);
349 charonservice->update_status(charonservice,
350 CHARONSERVICE_CHILD_STATE_DOWN);
351 return FALSE;
352 }
353 }
354 return TRUE;
355 }
356
357 METHOD(listener_t, ike_updown, bool,
358 private_android_service_t *this, ike_sa_t *ike_sa, bool up)
359 {
360 /* this callback is only registered during initiation, so if the IKE_SA
361 * goes down we assume an authentication error */
362 if (this->ike_sa == ike_sa && !up)
363 {
364 charonservice->update_status(charonservice,
365 CHARONSERVICE_AUTH_ERROR);
366 return FALSE;
367 }
368 return TRUE;
369 }
370
371 METHOD(listener_t, ike_state_change, bool,
372 private_android_service_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
373 {
374 /* this call back is only registered during initiation */
375 if (this->ike_sa == ike_sa && state == IKE_DESTROYING)
376 {
377 charonservice->update_status(charonservice,
378 CHARONSERVICE_UNREACHABLE_ERROR);
379 return FALSE;
380 }
381 return TRUE;
382 }
383
384 METHOD(listener_t, alert, bool,
385 private_android_service_t *this, ike_sa_t *ike_sa, alert_t alert,
386 va_list args)
387 {
388 if (this->ike_sa == ike_sa)
389 {
390 switch (alert)
391 {
392 case ALERT_PEER_ADDR_FAILED:
393 charonservice->update_status(charonservice,
394 CHARONSERVICE_LOOKUP_ERROR);
395 break;
396 case ALERT_PEER_AUTH_FAILED:
397 charonservice->update_status(charonservice,
398 CHARONSERVICE_PEER_AUTH_ERROR);
399 break;
400 default:
401 break;
402 }
403 }
404 return TRUE;
405 }
406
407 METHOD(listener_t, ike_rekey, bool,
408 private_android_service_t *this, ike_sa_t *old, ike_sa_t *new)
409 {
410 if (this->ike_sa == old)
411 {
412 this->ike_sa = new;
413 }
414 return TRUE;
415 }
416
417 static job_requeue_t initiate(private_android_service_t *this)
418 {
419 identification_t *gateway, *user;
420 ike_cfg_t *ike_cfg;
421 peer_cfg_t *peer_cfg;
422 child_cfg_t *child_cfg;
423 traffic_selector_t *ts;
424 ike_sa_t *ike_sa;
425 auth_cfg_t *auth;
426 lifetime_cfg_t lifetime = {
427 .time = {
428 .life = 10800, /* 3h */
429 .rekey = 10200, /* 2h50min */
430 .jitter = 300 /* 5min */
431 }
432 };
433
434 ike_cfg = ike_cfg_create(TRUE, TRUE, this->local_address, FALSE,
435 charon->socket->get_port(charon->socket, FALSE),
436 this->gateway, FALSE, IKEV2_UDP_PORT);
437 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
438
439 peer_cfg = peer_cfg_create("android", IKEV2, ike_cfg, CERT_SEND_IF_ASKED,
440 UNIQUE_REPLACE, 1, /* keyingtries */
441 36000, 0, /* rekey 10h, reauth none */
442 600, 600, /* jitter, over 10min */
443 TRUE, FALSE, /* mobike, aggressive */
444 0, 0, /* DPD delay, timeout */
445 host_create_from_string("0.0.0.0", 0) /* virt */,
446 NULL, FALSE, NULL, NULL); /* pool, mediation */
447
448 /* local auth config */
449 if (streq("ikev2-eap", this->type))
450 {
451 auth = auth_cfg_create();
452 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
453 user = identification_create_from_string(this->username);
454 auth->add(auth, AUTH_RULE_IDENTITY, user);
455
456 this->creds->add_username_password(this->creds, this->username,
457 this->password);
458 memwipe(this->password, strlen(this->password));
459 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
460 }
461 else if (streq("ikev2-cert", this->type))
462 {
463 certificate_t *cert;
464 identification_t *id;
465
466 cert = this->creds->load_user_certificate(this->creds);
467 if (!cert)
468 {
469 peer_cfg->destroy(peer_cfg);
470 charonservice->update_status(charonservice,
471 CHARONSERVICE_GENERIC_ERROR);
472 return JOB_REQUEUE_NONE;
473
474 }
475 auth = auth_cfg_create();
476 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
477 auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert);
478 id = cert->get_subject(cert);
479 auth->add(auth, AUTH_RULE_IDENTITY, id->clone(id));
480 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
481 }
482
483 /* remote auth config */
484 auth = auth_cfg_create();
485 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
486 gateway = identification_create_from_string(this->gateway);
487 auth->add(auth, AUTH_RULE_IDENTITY, gateway);
488 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
489
490 child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
491 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
492 0, 0, NULL, NULL, 0);
493 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
494 ts = traffic_selector_create_dynamic(0, 0, 65535);
495 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
496 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
497 0, "255.255.255.255", 65535);
498 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
499 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
500
501 /* get us an IKE_SA */
502 ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
503 peer_cfg);
504 if (!ike_sa)
505 {
506 peer_cfg->destroy(peer_cfg);
507 charonservice->update_status(charonservice,
508 CHARONSERVICE_GENERIC_ERROR);
509 return JOB_REQUEUE_NONE;
510 }
511 if (!ike_sa->get_peer_cfg(ike_sa))
512 {
513 ike_sa->set_peer_cfg(ike_sa, peer_cfg);
514 }
515 peer_cfg->destroy(peer_cfg);
516
517 /* store the IKE_SA so we can track its progress */
518 this->ike_sa = ike_sa;
519
520 /* get an additional reference because initiate consumes one */
521 child_cfg->get_ref(child_cfg);
522 if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
523 {
524 DBG1(DBG_CFG, "failed to initiate tunnel");
525 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
526 ike_sa);
527 return JOB_REQUEUE_NONE;
528 }
529 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
530 return JOB_REQUEUE_NONE;
531 }
532
533 METHOD(android_service_t, destroy, void,
534 private_android_service_t *this)
535 {
536 charon->bus->remove_listener(charon->bus, &this->public.listener);
537 /* make sure the tun device is actually closed */
538 close_tun_device(this);
539 this->lock->destroy(this->lock);
540 free(this->type);
541 free(this->local_address);
542 free(this->gateway);
543 free(this->username);
544 if (this->password)
545 {
546 memwipe(this->password, strlen(this->password));
547 free(this->password);
548 }
549 free(this);
550 }
551
552 /**
553 * See header
554 */
555 android_service_t *android_service_create(android_creds_t *creds, char *type,
556 char *local_address, char *gateway,
557 char *username, char *password)
558 {
559 private_android_service_t *this;
560
561 INIT(this,
562 .public = {
563 .listener = {
564 .ike_rekey = _ike_rekey,
565 .ike_updown = _ike_updown,
566 .ike_state_change = _ike_state_change,
567 .child_updown = _child_updown,
568 .alert = _alert,
569 },
570 .destroy = _destroy,
571 },
572 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
573 .local_address = local_address,
574 .username = username,
575 .password = password,
576 .gateway = gateway,
577 .creds = creds,
578 .type = type,
579 .tunfd = -1,
580 );
581
582 charon->bus->add_listener(charon->bus, &this->public.listener);
583
584 lib->processor->queue_job(lib->processor,
585 (job_t*)callback_job_create((callback_job_cb_t)initiate, this,
586 NULL, NULL));
587 return &this->public;
588 }