41fc4d6179085eb62cb82847dd7f4fb7be2ee2c8
[strongswan.git] / src / frontends / android / jni / libandroidbridge / charonservice.c
1 /*
2 * Copyright (C) 2012-2013 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <signal.h>
19 #include <string.h>
20 #include <sys/utsname.h>
21 #include <android/log.h>
22 #include <errno.h>
23
24 #include "charonservice.h"
25 #include "android_jni.h"
26 #include "backend/android_attr.h"
27 #include "backend/android_creds.h"
28 #include "backend/android_private_key.h"
29 #include "backend/android_service.h"
30 #include "kernel/android_ipsec.h"
31 #include "kernel/android_net.h"
32
33 #ifdef USE_BYOD
34 #include "byod/imc_android.h"
35 #endif
36
37 #include <daemon.h>
38 #include <hydra.h>
39 #include <ipsec.h>
40 #include <library.h>
41 #include <threading/thread.h>
42
43 #define ANDROID_DEBUG_LEVEL 1
44 #define ANDROID_RETRASNMIT_TRIES 3
45 #define ANDROID_RETRANSMIT_TIMEOUT 2.0
46 #define ANDROID_RETRANSMIT_BASE 1.4
47
48 typedef struct private_charonservice_t private_charonservice_t;
49
50 /**
51 * private data of charonservice
52 */
53 struct private_charonservice_t {
54
55 /**
56 * public interface
57 */
58 charonservice_t public;
59
60 /**
61 * android_attr instance
62 */
63 android_attr_t *attr;
64
65 /**
66 * android_creds instance
67 */
68 android_creds_t *creds;
69
70 /**
71 * android_service instance
72 */
73 android_service_t *service;
74
75 /**
76 * VpnService builder (accessed via JNI)
77 */
78 vpnservice_builder_t *builder;
79
80 /**
81 * NetworkManager instance (accessed via JNI)
82 */
83 network_manager_t *network_manager;
84
85 /**
86 * Handle network events
87 */
88 android_net_t *net_handler;
89
90 /**
91 * CharonVpnService reference
92 */
93 jobject vpn_service;
94
95 /**
96 * Sockets that were bypassed and we keep track for
97 */
98 linked_list_t *sockets;
99 };
100
101 /**
102 * Single instance of charonservice_t.
103 */
104 charonservice_t *charonservice;
105
106 /**
107 * hook in library for debugging messages
108 */
109 extern void (*dbg)(debug_t group, level_t level, char *fmt, ...);
110
111 /**
112 * Logging hook for library logs, using android specific logging
113 */
114 static void dbg_android(debug_t group, level_t level, char *fmt, ...)
115 {
116 va_list args;
117
118 if (level <= ANDROID_DEBUG_LEVEL)
119 {
120 char sgroup[16], buffer[8192];
121 char *current = buffer, *next;
122
123 snprintf(sgroup, sizeof(sgroup), "%N", debug_names, group);
124 va_start(args, fmt);
125 vsnprintf(buffer, sizeof(buffer), fmt, args);
126 va_end(args);
127 while (current)
128 { /* log each line separately */
129 next = strchr(current, '\n');
130 if (next)
131 {
132 *(next++) = '\0';
133 }
134 __android_log_print(ANDROID_LOG_INFO, "charon", "00[%s] %s\n",
135 sgroup, current);
136 current = next;
137 }
138 }
139 }
140
141 METHOD(charonservice_t, update_status, bool,
142 private_charonservice_t *this, android_vpn_state_t code)
143 {
144 JNIEnv *env;
145 jmethodID method_id;
146 bool success = FALSE;
147
148 androidjni_attach_thread(&env);
149
150 method_id = (*env)->GetMethodID(env, android_charonvpnservice_class,
151 "updateStatus", "(I)V");
152 if (!method_id)
153 {
154 goto failed;
155 }
156 (*env)->CallVoidMethod(env, this->vpn_service, method_id, (jint)code);
157 success = !androidjni_exception_occurred(env);
158
159 failed:
160 androidjni_exception_occurred(env);
161 androidjni_detach_thread();
162 return success;
163 }
164
165 METHOD(charonservice_t, update_imc_state, bool,
166 private_charonservice_t *this, android_imc_state_t state)
167 {
168 JNIEnv *env;
169 jmethodID method_id;
170 bool success = FALSE;
171
172 androidjni_attach_thread(&env);
173
174 method_id = (*env)->GetMethodID(env, android_charonvpnservice_class,
175 "updateImcState", "(I)V");
176 if (!method_id)
177 {
178 goto failed;
179 }
180 (*env)->CallVoidMethod(env, this->vpn_service, method_id, (jint)state);
181 success = !androidjni_exception_occurred(env);
182
183 failed:
184 androidjni_exception_occurred(env);
185 androidjni_detach_thread();
186 return success;
187 }
188
189 METHOD(charonservice_t, add_remediation_instr, bool,
190 private_charonservice_t *this, char *instr)
191 {
192 JNIEnv *env;
193 jmethodID method_id;
194 jstring jinstr;
195 bool success = FALSE;
196
197 androidjni_attach_thread(&env);
198
199 method_id = (*env)->GetMethodID(env, android_charonvpnservice_class,
200 "addRemediationInstruction",
201 "(Ljava/lang/String;)V");
202 if (!method_id)
203 {
204 goto failed;
205 }
206 jinstr = (*env)->NewStringUTF(env, instr);
207 if (!jinstr)
208 {
209 goto failed;
210 }
211 (*env)->CallVoidMethod(env, this->vpn_service, method_id, jinstr);
212 success = !androidjni_exception_occurred(env);
213
214 failed:
215 androidjni_exception_occurred(env);
216 androidjni_detach_thread();
217 return success;
218 }
219
220 /**
221 * Bypass a single socket
222 */
223 static bool bypass_single_socket(intptr_t fd, private_charonservice_t *this)
224 {
225 JNIEnv *env;
226 jmethodID method_id;
227
228 androidjni_attach_thread(&env);
229
230 method_id = (*env)->GetMethodID(env, android_charonvpnservice_class,
231 "protect", "(I)Z");
232 if (!method_id)
233 {
234 goto failed;
235 }
236 if (!(*env)->CallBooleanMethod(env, this->vpn_service, method_id, fd))
237 {
238 DBG2(DBG_KNL, "VpnService.protect() failed");
239 goto failed;
240 }
241 androidjni_detach_thread();
242 return TRUE;
243
244 failed:
245 androidjni_exception_occurred(env);
246 androidjni_detach_thread();
247 return FALSE;
248 }
249
250 METHOD(charonservice_t, bypass_socket, bool,
251 private_charonservice_t *this, int fd, int family)
252 {
253 if (fd >= 0)
254 {
255 this->sockets->insert_last(this->sockets, (void*)(intptr_t)fd);
256 return bypass_single_socket((intptr_t)fd, this);
257 }
258 this->sockets->invoke_function(this->sockets, (void*)bypass_single_socket,
259 this);
260 return TRUE;
261 }
262
263 /**
264 * Converts the given Java array of byte arrays (byte[][]) to a linked list
265 * of chunk_t objects.
266 */
267 static linked_list_t *convert_array_of_byte_arrays(JNIEnv *env,
268 jobjectArray jarray)
269 {
270 linked_list_t *list;
271 jsize i;
272
273 list = linked_list_create();
274 for (i = 0; i < (*env)->GetArrayLength(env, jarray); ++i)
275 {
276 chunk_t *chunk;
277 jbyteArray jbytearray;
278
279 chunk = malloc_thing(chunk_t);
280 list->insert_last(list, chunk);
281
282 jbytearray = (*env)->GetObjectArrayElement(env, jarray, i);
283 *chunk = chunk_alloc((*env)->GetArrayLength(env, jbytearray));
284 (*env)->GetByteArrayRegion(env, jbytearray, 0, chunk->len, chunk->ptr);
285 (*env)->DeleteLocalRef(env, jbytearray);
286 }
287 return list;
288 }
289
290 METHOD(charonservice_t, get_trusted_certificates, linked_list_t*,
291 private_charonservice_t *this)
292 {
293 JNIEnv *env;
294 jmethodID method_id;
295 jobjectArray jcerts;
296 linked_list_t *list;
297
298 androidjni_attach_thread(&env);
299
300 method_id = (*env)->GetMethodID(env,
301 android_charonvpnservice_class,
302 "getTrustedCertificates", "(Ljava/lang/String;)[[B");
303 if (!method_id)
304 {
305 goto failed;
306 }
307 jcerts = (*env)->CallObjectMethod(env, this->vpn_service, method_id, NULL);
308 if (!jcerts || androidjni_exception_occurred(env))
309 {
310 goto failed;
311 }
312 list = convert_array_of_byte_arrays(env, jcerts);
313 androidjni_detach_thread();
314 return list;
315
316 failed:
317 androidjni_exception_occurred(env);
318 androidjni_detach_thread();
319 return NULL;
320 }
321
322 METHOD(charonservice_t, get_user_certificate, linked_list_t*,
323 private_charonservice_t *this)
324 {
325 JNIEnv *env;
326 jmethodID method_id;
327 jobjectArray jencodings;
328 linked_list_t *list;
329
330 androidjni_attach_thread(&env);
331
332 method_id = (*env)->GetMethodID(env,
333 android_charonvpnservice_class,
334 "getUserCertificate", "()[[B");
335 if (!method_id)
336 {
337 goto failed;
338 }
339 jencodings = (*env)->CallObjectMethod(env, this->vpn_service, method_id);
340 if (!jencodings || androidjni_exception_occurred(env))
341 {
342 goto failed;
343 }
344 list = convert_array_of_byte_arrays(env, jencodings);
345 androidjni_detach_thread();
346 return list;
347
348 failed:
349 androidjni_exception_occurred(env);
350 androidjni_detach_thread();
351 return NULL;
352 }
353
354 METHOD(charonservice_t, get_user_key, private_key_t*,
355 private_charonservice_t *this, public_key_t *pubkey)
356 {
357 JNIEnv *env;
358 jmethodID method_id;
359 private_key_t *key;
360 jobject jkey;
361
362 androidjni_attach_thread(&env);
363
364 method_id = (*env)->GetMethodID(env,
365 android_charonvpnservice_class,
366 "getUserKey", "()Ljava/security/PrivateKey;");
367 if (!method_id)
368 {
369 goto failed;
370 }
371 jkey = (*env)->CallObjectMethod(env, this->vpn_service, method_id);
372 if (!jkey || androidjni_exception_occurred(env))
373 {
374 goto failed;
375 }
376 key = android_private_key_create(jkey, pubkey);
377 androidjni_detach_thread();
378 return key;
379
380 failed:
381 DESTROY_IF(pubkey);
382 androidjni_exception_occurred(env);
383 androidjni_detach_thread();
384 return NULL;
385 }
386
387 METHOD(charonservice_t, get_vpnservice_builder, vpnservice_builder_t*,
388 private_charonservice_t *this)
389 {
390 return this->builder;
391 }
392
393 METHOD(charonservice_t, get_network_manager, network_manager_t*,
394 private_charonservice_t *this)
395 {
396 return this->network_manager;
397 }
398
399 /**
400 * Initiate a new connection
401 *
402 * @param gateway gateway address (gets owned)
403 * @param username username (gets owned)
404 * @param password password (gets owned)
405 */
406 static void initiate(char *type, char *gateway, char *username, char *password)
407 {
408 private_charonservice_t *this = (private_charonservice_t*)charonservice;
409
410 this->creds->clear(this->creds);
411 DESTROY_IF(this->service);
412 this->service = android_service_create(this->creds, type, gateway,
413 username, password);
414 }
415
416 /**
417 * Initialize/deinitialize Android backend
418 */
419 static bool charonservice_register(plugin_t *plugin, plugin_feature_t *feature,
420 bool reg, void *data)
421 {
422 private_charonservice_t *this = (private_charonservice_t*)charonservice;
423 if (reg)
424 {
425 this->net_handler = android_net_create();
426 lib->credmgr->add_set(lib->credmgr, &this->creds->set);
427 hydra->attributes->add_handler(hydra->attributes,
428 &this->attr->handler);
429 }
430 else
431 {
432 this->net_handler->destroy(this->net_handler);
433 lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
434 hydra->attributes->remove_handler(hydra->attributes,
435 &this->attr->handler);
436 if (this->service)
437 {
438 this->service->destroy(this->service);
439 this->service = NULL;
440 }
441 }
442 return TRUE;
443 }
444
445 /**
446 * Set strongswan.conf options
447 */
448 static void set_options(char *logfile)
449 {
450 lib->settings->set_int(lib->settings,
451 "charon.plugins.android_log.loglevel", ANDROID_DEBUG_LEVEL);
452 /* setup file logger */
453 lib->settings->set_str(lib->settings,
454 "charon.filelog.%s.time_format", "%b %e %T", logfile);
455 lib->settings->set_bool(lib->settings,
456 "charon.filelog.%s.append", FALSE, logfile);
457 lib->settings->set_bool(lib->settings,
458 "charon.filelog.%s.flush_line", TRUE, logfile);
459 lib->settings->set_int(lib->settings,
460 "charon.filelog.%s.default", ANDROID_DEBUG_LEVEL, logfile);
461
462 lib->settings->set_int(lib->settings,
463 "charon.retransmit_tries", ANDROID_RETRASNMIT_TRIES);
464 lib->settings->set_double(lib->settings,
465 "charon.retransmit_timeout", ANDROID_RETRANSMIT_TIMEOUT);
466 lib->settings->set_double(lib->settings,
467 "charon.retransmit_base", ANDROID_RETRANSMIT_BASE);
468 lib->settings->set_bool(lib->settings,
469 "charon.close_ike_on_child_failure", TRUE);
470 /* setting the source address breaks the VpnService.protect() function which
471 * uses SO_BINDTODEVICE internally. the addresses provided to the kernel as
472 * auxiliary data have precedence over this option causing a routing loop if
473 * the gateway is contained in the VPN routes. alternatively, providing an
474 * explicit device (in addition or instead of the source address) in the
475 * auxiliary data would also work, but we currently don't have that
476 * information */
477 lib->settings->set_bool(lib->settings,
478 "charon.plugins.socket-default.set_source", FALSE);
479 /* the Linux kernel does currently not support UDP encaspulation for IPv6
480 * so lets disable IPv6 for now to avoid issues with dual-stack gateways */
481 lib->settings->set_bool(lib->settings,
482 "charon.plugins.socket-default.use_ipv6", FALSE);
483 /* don't install virtual IPs via kernel-netlink */
484 lib->settings->set_bool(lib->settings,
485 "charon.install_virtual_ip", FALSE);
486 /* kernel-netlink should not trigger roam events, we use Android's
487 * ConnectivityManager for that, much less noise */
488 lib->settings->set_bool(lib->settings,
489 "charon.plugins.kernel-netlink.roam_events", FALSE);
490 /* ignore tun devices (it's mostly tun0 but it may already be taken, ignore
491 * some others too), also ignore lo as a default route points to it when
492 * no connectivity is available */
493 lib->settings->set_str(lib->settings,
494 "charon.interfaces_ignore", "lo, tun0, tun1, tun2, tun3, "
495 "tun4");
496
497 #ifdef USE_BYOD
498 lib->settings->set_str(lib->settings,
499 "charon.plugins.eap-tnc.protocol", "tnccs-2.0");
500 lib->settings->set_bool(lib->settings,
501 "android.imc.send_os_info", TRUE);
502 lib->settings->set_str(lib->settings,
503 "libtnccs.tnc_config", "");
504 #endif
505 }
506
507 /**
508 * Initialize the charonservice object
509 */
510 static void charonservice_init(JNIEnv *env, jobject service, jobject builder,
511 jboolean byod)
512 {
513 private_charonservice_t *this;
514 static plugin_feature_t features[] = {
515 PLUGIN_CALLBACK(kernel_ipsec_register, kernel_android_ipsec_create),
516 PLUGIN_PROVIDE(CUSTOM, "kernel-ipsec"),
517 PLUGIN_CALLBACK(charonservice_register, NULL),
518 PLUGIN_PROVIDE(CUSTOM, "android-backend"),
519 PLUGIN_DEPENDS(CUSTOM, "libcharon"),
520 };
521
522 INIT(this,
523 .public = {
524 .update_status = _update_status,
525 .update_imc_state = _update_imc_state,
526 .add_remediation_instr = _add_remediation_instr,
527 .bypass_socket = _bypass_socket,
528 .get_trusted_certificates = _get_trusted_certificates,
529 .get_user_certificate = _get_user_certificate,
530 .get_user_key = _get_user_key,
531 .get_vpnservice_builder = _get_vpnservice_builder,
532 .get_network_manager = _get_network_manager,
533 },
534 .attr = android_attr_create(),
535 .creds = android_creds_create(),
536 .builder = vpnservice_builder_create(builder),
537 .network_manager = network_manager_create(service),
538 .sockets = linked_list_create(),
539 .vpn_service = (*env)->NewGlobalRef(env, service),
540 );
541 charonservice = &this->public;
542
543 lib->plugins->add_static_features(lib->plugins, "androidbridge", features,
544 countof(features), TRUE);
545
546 #ifdef USE_BYOD
547 if (byod)
548 {
549 plugin_feature_t byod_features[] = {
550 PLUGIN_CALLBACK(imc_android_register, this->vpn_service),
551 PLUGIN_PROVIDE(CUSTOM, "android-imc"),
552 PLUGIN_DEPENDS(CUSTOM, "android-backend"),
553 PLUGIN_DEPENDS(CUSTOM, "imc-manager"),
554 };
555
556 lib->plugins->add_static_features(lib->plugins, "android-byod",
557 byod_features, countof(byod_features), TRUE);
558 }
559 #endif
560 }
561
562 /**
563 * Deinitialize the charonservice object
564 */
565 static void charonservice_deinit(JNIEnv *env)
566 {
567 private_charonservice_t *this = (private_charonservice_t*)charonservice;
568
569 this->network_manager->destroy(this->network_manager);
570 this->sockets->destroy(this->sockets);
571 this->builder->destroy(this->builder);
572 this->creds->destroy(this->creds);
573 this->attr->destroy(this->attr);
574 (*env)->DeleteGlobalRef(env, this->vpn_service);
575 free(this);
576 charonservice = NULL;
577 }
578
579 /**
580 * Handle SIGSEGV/SIGILL signals raised by threads
581 */
582 static void segv_handler(int signal)
583 {
584 dbg_android(DBG_DMN, 1, "thread %u received %d", thread_current_id(),
585 signal);
586 exit(1);
587 }
588
589 /**
590 * Initialize charon and the libraries via JNI
591 */
592 JNI_METHOD(CharonVpnService, initializeCharon, void,
593 jobject builder, jstring jlogfile, jboolean byod)
594 {
595 struct sigaction action;
596 struct utsname utsname;
597 char *logfile, *plugins;
598
599 /* logging for library during initialization, as we have no bus yet */
600 dbg = dbg_android;
601
602 /* initialize library */
603 if (!library_init(NULL))
604 {
605 library_deinit();
606 return;
607 }
608
609 /* set options before initializing other libraries that might read them */
610 logfile = androidjni_convert_jstring(env, jlogfile);
611 set_options(logfile);
612 free(logfile);
613
614 if (!libhydra_init("charon"))
615 {
616 libhydra_deinit();
617 library_deinit();
618 return;
619 }
620
621 if (!libipsec_init())
622 {
623 libipsec_deinit();
624 libhydra_deinit();
625 library_deinit();
626 return;
627 }
628
629 if (!libcharon_init("charon"))
630 {
631 libcharon_deinit();
632 libipsec_deinit();
633 libhydra_deinit();
634 library_deinit();
635 return;
636 }
637
638 charon->load_loggers(charon, NULL, FALSE);
639
640 charonservice_init(env, this, builder, byod);
641
642 if (uname(&utsname) != 0)
643 {
644 memset(&utsname, 0, sizeof(utsname));
645 }
646 DBG1(DBG_DMN, "Starting IKE charon daemon (strongSwan "VERSION", %s %s, %s)",
647 utsname.sysname, utsname.release, utsname.machine);
648
649 #ifdef PLUGINS_BYOD
650 if (byod)
651 {
652 plugins = PLUGINS " " PLUGINS_BYOD;
653 }
654 else
655 #endif
656 {
657 plugins = PLUGINS;
658 }
659
660 if (!charon->initialize(charon, plugins))
661 {
662 libcharon_deinit();
663 charonservice_deinit(env);
664 libipsec_deinit();
665 libhydra_deinit();
666 library_deinit();
667 return;
668 }
669 lib->plugins->status(lib->plugins, LEVEL_CTRL);
670
671 /* add handler for SEGV and ILL etc. */
672 action.sa_handler = segv_handler;
673 action.sa_flags = 0;
674 sigemptyset(&action.sa_mask);
675 sigaction(SIGSEGV, &action, NULL);
676 sigaction(SIGILL, &action, NULL);
677 sigaction(SIGBUS, &action, NULL);
678 action.sa_handler = SIG_IGN;
679 sigaction(SIGPIPE, &action, NULL);
680
681 /* start daemon (i.e. the threads in the thread-pool) */
682 charon->start(charon);
683 }
684
685 /**
686 * Deinitialize charon and all libraries
687 */
688 JNI_METHOD(CharonVpnService, deinitializeCharon, void)
689 {
690 /* deinitialize charon before we destroy our own objects */
691 libcharon_deinit();
692 charonservice_deinit(env);
693 libipsec_deinit();
694 libhydra_deinit();
695 library_deinit();
696 }
697
698 /**
699 * Initiate SA
700 */
701 JNI_METHOD(CharonVpnService, initiate, void,
702 jstring jtype, jstring jgateway, jstring jusername, jstring jpassword)
703 {
704 char *type, *gateway, *username, *password;
705
706 type = androidjni_convert_jstring(env, jtype);
707 gateway = androidjni_convert_jstring(env, jgateway);
708 username = androidjni_convert_jstring(env, jusername);
709 password = androidjni_convert_jstring(env, jpassword);
710
711 initiate(type, gateway, username, password);
712 }