dfc0d2342482834002c183730ba3526447fc6ea7
[strongswan.git] / src / frontends / android / jni / libandroidbridge / backend / android_service.c
1 /*
2 * Copyright (C) 2010-2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <errno.h>
19 #include <unistd.h>
20
21 #include "android_service.h"
22 #include "../charonservice.h"
23 #include "../vpnservice_builder.h"
24
25 #include <daemon.h>
26 #include <library.h>
27 #include <ipsec.h>
28 #include <processing/jobs/callback_job.h>
29 #include <threading/rwlock.h>
30 #include <threading/thread.h>
31
32 typedef struct private_android_service_t private_android_service_t;
33
34 #define TUN_DEFAULT_MTU 1400
35
36 /**
37 * private data of Android service
38 */
39 struct private_android_service_t {
40
41 /**
42 * public interface
43 */
44 android_service_t public;
45
46 /**
47 * current IKE_SA
48 */
49 ike_sa_t *ike_sa;
50
51 /**
52 * local ipv4 address
53 */
54 char *local_address;
55
56 /**
57 * gateway
58 */
59 char *gateway;
60
61 /**
62 * username
63 */
64 char *username;
65
66 /**
67 * lock to safely access the TUN device fd
68 */
69 rwlock_t *lock;
70
71 /**
72 * TUN device file descriptor
73 */
74 int tunfd;
75
76 };
77
78 /**
79 * Outbound callback
80 */
81 static void send_esp(void *data, esp_packet_t *packet)
82 {
83 charon->sender->send_no_marker(charon->sender, (packet_t*)packet);
84 }
85
86 /**
87 * Inbound callback
88 */
89 static void deliver_plain(private_android_service_t *this,
90 ip_packet_t *packet)
91 {
92 chunk_t encoding;
93 ssize_t len;
94
95 encoding = packet->get_encoding(packet);
96
97 this->lock->read_lock(this->lock);
98 if (this->tunfd < 0)
99 { /* the TUN device is already closed */
100 this->lock->unlock(this->lock);
101 packet->destroy(packet);
102 return;
103 }
104 len = write(this->tunfd, encoding.ptr, encoding.len);
105 this->lock->unlock(this->lock);
106
107 if (len < 0 || len != encoding.len)
108 {
109 DBG1(DBG_DMN, "failed to write packet to TUN device: %s",
110 strerror(errno));
111 }
112 packet->destroy(packet);
113 }
114
115 /**
116 * Receiver callback
117 */
118 static void receiver_esp_cb(void *data, packet_t *packet)
119 {
120 esp_packet_t *esp_packet;
121
122 esp_packet = esp_packet_create_from_packet(packet);
123 ipsec->processor->queue_inbound(ipsec->processor, esp_packet);
124 }
125
126 /**
127 * Job handling outbound plaintext packets
128 */
129 static job_requeue_t handle_plain(private_android_service_t *this)
130 {
131 ip_packet_t *packet;
132 chunk_t raw;
133 fd_set set;
134 ssize_t len;
135 int tunfd;
136 bool old;
137
138 FD_ZERO(&set);
139
140 this->lock->read_lock(this->lock);
141 if (this->tunfd < 0)
142 { /* the TUN device is already closed */
143 this->lock->unlock(this->lock);
144 return JOB_REQUEUE_NONE;
145 }
146 tunfd = this->tunfd;
147 FD_SET(tunfd, &set);
148 this->lock->unlock(this->lock);
149
150 old = thread_cancelability(TRUE);
151 len = select(tunfd + 1, &set, NULL, NULL, NULL);
152 thread_cancelability(old);
153
154 if (len < 0)
155 {
156 DBG1(DBG_DMN, "select on TUN device failed: %s", strerror(errno));
157 return JOB_REQUEUE_NONE;
158 }
159
160 raw = chunk_alloc(TUN_DEFAULT_MTU);
161 len = read(tunfd, raw.ptr, raw.len);
162 if (len < 0)
163 {
164 DBG1(DBG_DMN, "reading from TUN device failed: %s", strerror(errno));
165 chunk_free(&raw);
166 return JOB_REQUEUE_FAIR;
167 }
168 raw.len = len;
169
170 packet = ip_packet_create(raw);
171 if (packet)
172 {
173 ipsec->processor->queue_outbound(ipsec->processor, packet);
174 }
175 else
176 {
177 DBG1(DBG_DMN, "invalid IP packet read from TUN device");
178 }
179 return JOB_REQUEUE_DIRECT;
180 }
181
182 /**
183 * Add a route to the TUN device builder
184 */
185 static bool add_route(vpnservice_builder_t *builder, host_t *net,
186 u_int8_t prefix)
187 {
188 /* if route is 0.0.0.0/0, split it into two routes 0.0.0.0/1 and
189 * 128.0.0.0/1 because otherwise it would conflict with the current default
190 * route */
191 if (net->is_anyaddr(net) && prefix == 0)
192 {
193 bool success;
194
195 success = add_route(builder, net, 1);
196 net = host_create_from_string("128.0.0.0", 0);
197 success = success && add_route(builder, net, 1);
198 net->destroy(net);
199 return success;
200 }
201 return builder->add_route(builder, net, prefix);
202 }
203
204 /**
205 * Generate and set routes from installed IPsec policies
206 */
207 static bool add_routes(vpnservice_builder_t *builder, child_sa_t *child_sa)
208 {
209 traffic_selector_t *src_ts, *dst_ts;
210 enumerator_t *enumerator;
211 bool success = TRUE;
212
213 enumerator = child_sa->create_policy_enumerator(child_sa);
214 while (success && enumerator->enumerate(enumerator, &src_ts, &dst_ts))
215 {
216 host_t *net;
217 u_int8_t prefix;
218
219 dst_ts->to_subnet(dst_ts, &net, &prefix);
220 success = add_route(builder, net, prefix);
221 net->destroy(net);
222 }
223 enumerator->destroy(enumerator);
224 return success;
225 }
226
227 /**
228 * Setup a new TUN device for the supplied SAs, also queues a job that
229 * reads packets from this device.
230 * Additional information such as DNS servers are gathered in appropriate
231 * listeners asynchronously. To be sure every required bit of information is
232 * available this should be called after the CHILD_SA has been established.
233 */
234 static bool setup_tun_device(private_android_service_t *this,
235 ike_sa_t *ike_sa, child_sa_t *child_sa)
236 {
237 vpnservice_builder_t *builder;
238 host_t *vip;
239 int tunfd;
240
241 DBG1(DBG_DMN, "setting up TUN device for CHILD_SA %s{%u}",
242 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa));
243 vip = ike_sa->get_virtual_ip(ike_sa, TRUE);
244 if (!vip || vip->is_anyaddr(vip))
245 {
246 DBG1(DBG_DMN, "setting up TUN device failed, no virtual IP found");
247 return FALSE;
248 }
249
250 builder = charonservice->get_vpnservice_builder(charonservice);
251 if (!builder->add_address(builder, vip) ||
252 !add_routes(builder, child_sa) ||
253 !builder->set_mtu(builder, TUN_DEFAULT_MTU))
254 {
255 return FALSE;
256 }
257
258 tunfd = builder->establish(builder);
259 if (tunfd == -1)
260 {
261 return FALSE;
262 }
263
264 this->lock->write_lock(this->lock);
265 this->tunfd = tunfd;
266 this->lock->unlock(this->lock);
267
268 DBG1(DBG_DMN, "successfully created TUN device");
269
270 charon->receiver->add_esp_cb(charon->receiver,
271 (receiver_esp_cb_t)receiver_esp_cb, NULL);
272 ipsec->processor->register_inbound(ipsec->processor,
273 (ipsec_inbound_cb_t)deliver_plain, this);
274 ipsec->processor->register_outbound(ipsec->processor,
275 (ipsec_outbound_cb_t)send_esp, NULL);
276
277 lib->processor->queue_job(lib->processor,
278 (job_t*)callback_job_create((callback_job_cb_t)handle_plain, this,
279 NULL, (callback_job_cancel_t)return_false));
280 return TRUE;
281 }
282
283 /**
284 * Close the current tun device
285 */
286 static void close_tun_device(private_android_service_t *this)
287 {
288 int tunfd;
289
290 this->lock->write_lock(this->lock);
291 if (this->tunfd < 0)
292 { /* already closed (or never created) */
293 this->lock->unlock(this->lock);
294 return;
295 }
296 tunfd = this->tunfd;
297 this->tunfd = -1;
298 this->lock->unlock(this->lock);
299
300 ipsec->processor->unregister_outbound(ipsec->processor,
301 (ipsec_outbound_cb_t)send_esp);
302 ipsec->processor->unregister_inbound(ipsec->processor,
303 (ipsec_inbound_cb_t)deliver_plain);
304 charon->receiver->del_esp_cb(charon->receiver,
305 (receiver_esp_cb_t)receiver_esp_cb);
306 close(tunfd);
307 }
308
309 METHOD(listener_t, child_updown, bool,
310 private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
311 bool up)
312 {
313 if (this->ike_sa == ike_sa)
314 {
315 if (up)
316 {
317 /* disable the hooks registered to catch initiation failures */
318 this->public.listener.ike_updown = NULL;
319 this->public.listener.ike_state_change = NULL;
320 if (!setup_tun_device(this, ike_sa, child_sa))
321 {
322 DBG1(DBG_DMN, "failed to setup TUN device");
323 charonservice->update_status(charonservice,
324 CHARONSERVICE_GENERIC_ERROR);
325 return FALSE;
326
327 }
328 charonservice->update_status(charonservice,
329 CHARONSERVICE_CHILD_STATE_UP);
330 }
331 else
332 {
333 close_tun_device(this);
334 charonservice->update_status(charonservice,
335 CHARONSERVICE_CHILD_STATE_DOWN);
336 return FALSE;
337 }
338 }
339 return TRUE;
340 }
341
342 METHOD(listener_t, ike_updown, bool,
343 private_android_service_t *this, ike_sa_t *ike_sa, bool up)
344 {
345 /* this callback is only registered during initiation, so if the IKE_SA
346 * goes down we assume an authentication error */
347 if (this->ike_sa == ike_sa && !up)
348 {
349 charonservice->update_status(charonservice,
350 CHARONSERVICE_AUTH_ERROR);
351 return FALSE;
352 }
353 return TRUE;
354 }
355
356 METHOD(listener_t, ike_state_change, bool,
357 private_android_service_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
358 {
359 /* this call back is only registered during initiation */
360 if (this->ike_sa == ike_sa && state == IKE_DESTROYING)
361 {
362 charonservice->update_status(charonservice,
363 CHARONSERVICE_UNREACHABLE_ERROR);
364 return FALSE;
365 }
366 return TRUE;
367 }
368
369 METHOD(listener_t, alert, bool,
370 private_android_service_t *this, ike_sa_t *ike_sa, alert_t alert,
371 va_list args)
372 {
373 if (this->ike_sa == ike_sa)
374 {
375 switch (alert)
376 {
377 case ALERT_PEER_ADDR_FAILED:
378 charonservice->update_status(charonservice,
379 CHARONSERVICE_LOOKUP_ERROR);
380 break;
381 case ALERT_PEER_AUTH_FAILED:
382 charonservice->update_status(charonservice,
383 CHARONSERVICE_PEER_AUTH_ERROR);
384 break;
385 default:
386 break;
387 }
388 }
389 return TRUE;
390 }
391
392 METHOD(listener_t, ike_rekey, bool,
393 private_android_service_t *this, ike_sa_t *old, ike_sa_t *new)
394 {
395 if (this->ike_sa == old)
396 {
397 this->ike_sa = new;
398 }
399 return TRUE;
400 }
401
402 static job_requeue_t initiate(private_android_service_t *this)
403 {
404 identification_t *gateway, *user;
405 ike_cfg_t *ike_cfg;
406 peer_cfg_t *peer_cfg;
407 child_cfg_t *child_cfg;
408 traffic_selector_t *ts;
409 ike_sa_t *ike_sa;
410 auth_cfg_t *auth;
411 lifetime_cfg_t lifetime = {
412 .time = {
413 .life = 10800, /* 3h */
414 .rekey = 10200, /* 2h50min */
415 .jitter = 300 /* 5min */
416 }
417 };
418
419 ike_cfg = ike_cfg_create(TRUE, TRUE, this->local_address, FALSE,
420 charon->socket->get_port(charon->socket, FALSE),
421 this->gateway, FALSE, IKEV2_UDP_PORT);
422 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
423
424 peer_cfg = peer_cfg_create("android", IKEV2, ike_cfg, CERT_SEND_IF_ASKED,
425 UNIQUE_REPLACE, 1, /* keyingtries */
426 36000, 0, /* rekey 10h, reauth none */
427 600, 600, /* jitter, over 10min */
428 TRUE, FALSE, /* mobike, aggressive */
429 0, 0, /* DPD delay, timeout */
430 host_create_from_string("0.0.0.0", 0) /* virt */,
431 NULL, FALSE, NULL, NULL); /* pool, mediation */
432
433
434 auth = auth_cfg_create();
435 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
436 user = identification_create_from_string(this->username);
437 auth->add(auth, AUTH_RULE_IDENTITY, user);
438 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
439 auth = auth_cfg_create();
440 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
441 gateway = identification_create_from_string(this->gateway);
442 auth->add(auth, AUTH_RULE_IDENTITY, gateway);
443 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
444
445 child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
446 ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
447 0, 0, NULL, NULL, 0);
448 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
449 ts = traffic_selector_create_dynamic(0, 0, 65535);
450 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
451 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
452 0, "255.255.255.255", 65535);
453 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
454 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
455
456 /* get us an IKE_SA */
457 ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
458 peer_cfg);
459 if (!ike_sa)
460 {
461 peer_cfg->destroy(peer_cfg);
462 charonservice->update_status(charonservice,
463 CHARONSERVICE_GENERIC_ERROR);
464 return JOB_REQUEUE_NONE;
465 }
466 if (!ike_sa->get_peer_cfg(ike_sa))
467 {
468 ike_sa->set_peer_cfg(ike_sa, peer_cfg);
469 }
470 peer_cfg->destroy(peer_cfg);
471
472 /* store the IKE_SA so we can track its progress */
473 this->ike_sa = ike_sa;
474
475 /* get an additional reference because initiate consumes one */
476 child_cfg->get_ref(child_cfg);
477 if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
478 {
479 DBG1(DBG_CFG, "failed to initiate tunnel");
480 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
481 ike_sa);
482 return JOB_REQUEUE_NONE;
483 }
484 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
485 return JOB_REQUEUE_NONE;
486 }
487
488 METHOD(android_service_t, destroy, void,
489 private_android_service_t *this)
490 {
491 charon->bus->remove_listener(charon->bus, &this->public.listener);
492 /* make sure the tun device is actually closed */
493 close_tun_device(this);
494 this->lock->destroy(this->lock);
495 free(this->local_address);
496 free(this->username);
497 free(this->gateway);
498 free(this);
499 }
500
501 /**
502 * See header
503 */
504 android_service_t *android_service_create(char *local_address, char *gateway,
505 char *username)
506 {
507 private_android_service_t *this;
508
509 INIT(this,
510 .public = {
511 .listener = {
512 .ike_rekey = _ike_rekey,
513 .ike_updown = _ike_updown,
514 .ike_state_change = _ike_state_change,
515 .child_updown = _child_updown,
516 .alert = _alert,
517 },
518 .destroy = _destroy,
519 },
520 .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
521 .local_address = local_address,
522 .username = username,
523 .gateway = gateway,
524 .tunfd = -1,
525 );
526
527 charon->bus->add_listener(charon->bus, &this->public.listener);
528
529 lib->processor->queue_job(lib->processor,
530 (job_t*)callback_job_create((callback_job_cb_t)initiate, this,
531 NULL, NULL));
532 return &this->public;
533 }