projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Use CRITICAL job priority class for long running dispatcher jobs
[strongswan.git] / src / libcharon / plugins / maemo / maemo_service.c
1 /*
2 * Copyright (C) 2010 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <glib.h>
17 #include <libosso.h>
18 #include <sys/stat.h>
19
20 #include "maemo_service.h"
21
22 #include <daemon.h>
23 #include <credentials/sets/mem_cred.h>
24 #include <processing/jobs/callback_job.h>
25
26 #define OSSO_STATUS_NAME "status"
27 #define OSSO_STATUS_SERVICE "org.strongswan."OSSO_STATUS_NAME
28 #define OSSO_STATUS_OBJECT "/org/strongswan/"OSSO_STATUS_NAME
29 #define OSSO_STATUS_IFACE "org.strongswan."OSSO_STATUS_NAME
30
31 #define OSSO_CHARON_NAME "charon"
32 #define OSSO_CHARON_SERVICE "org.strongswan."OSSO_CHARON_NAME
33 #define OSSO_CHARON_OBJECT "/org/strongswan/"OSSO_CHARON_NAME
34 #define OSSO_CHARON_IFACE "org.strongswan."OSSO_CHARON_NAME
35
36 #define MAEMO_COMMON_CA_DIR "/etc/certs/common-ca"
37 #define MAEMO_USER_CA_DIR "/home/user/.maemosec-certs/wifi-ca"
38 /* there is also an smime-ca and an ssl-ca sub-directory and the same for
39 * ...-user, which store end user/server certificates */
40
41 typedef enum {
42 VPN_STATUS_DISCONNECTED,
43 VPN_STATUS_CONNECTING,
44 VPN_STATUS_CONNECTED,
45 VPN_STATUS_AUTH_FAILED,
46 VPN_STATUS_CONNECTION_FAILED,
47 } vpn_status_t;
48
49 typedef struct private_maemo_service_t private_maemo_service_t;
50
51 /**
52 * private data of maemo service
53 */
54 struct private_maemo_service_t {
55
56 /**
57 * public interface
58 */
59 maemo_service_t public;
60
61 /**
62 * credentials
63 */
64 mem_cred_t *creds;
65
66 /**
67 * Glib main loop for a thread, handles DBUS calls
68 */
69 GMainLoop *loop;
70
71 /**
72 * Context for OSSO
73 */
74 osso_context_t *context;
75
76 /**
77 * Current IKE_SA
78 */
79 ike_sa_t *ike_sa;
80
81 /**
82 * Status of the current connection
83 */
84 vpn_status_t status;
85
86 /**
87 * Name of the current connection
88 */
89 gchar *current;
90
91 };
92
93 static gint change_status(private_maemo_service_t *this, int status)
94 {
95 osso_rpc_t retval;
96 gint res;
97 this->status = status;
98 res = osso_rpc_run (this->context, OSSO_STATUS_SERVICE, OSSO_STATUS_OBJECT,
99 OSSO_STATUS_IFACE, "StatusChanged", &retval,
100 DBUS_TYPE_INT32, status,
101 DBUS_TYPE_INVALID);
102 return res;
103 }
104
105 METHOD(listener_t, ike_updown, bool,
106 private_maemo_service_t *this, ike_sa_t *ike_sa, bool up)
107 {
108 /* this callback is only registered during initiation, so if the IKE_SA
109 * goes down we assume an authentication error */
110 if (this->ike_sa == ike_sa && !up)
111 {
112 change_status(this, VPN_STATUS_AUTH_FAILED);
113 return FALSE;
114 }
115 return TRUE;
116 }
117
118 METHOD(listener_t, ike_state_change, bool,
119 private_maemo_service_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
120 {
121 /* this call back is only registered during initiation */
122 if (this->ike_sa == ike_sa && state == IKE_DESTROYING)
123 {
124 change_status(this, VPN_STATUS_CONNECTION_FAILED);
125 return FALSE;
126 }
127 return TRUE;
128 }
129
130 METHOD(listener_t, child_updown, bool,
131 private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
132 bool up)
133 {
134 if (this->ike_sa == ike_sa)
135 {
136 if (up)
137 {
138 /* disable hooks registered to catch initiation failures */
139 this->public.listener.ike_updown = NULL;
140 this->public.listener.ike_state_change = NULL;
141 change_status(this, VPN_STATUS_CONNECTED);
142 }
143 else
144 {
145 change_status(this, VPN_STATUS_CONNECTION_FAILED);
146 return FALSE;
147 }
148 }
149 return TRUE;
150 }
151
152 METHOD(listener_t, ike_rekey, bool,
153 private_maemo_service_t *this, ike_sa_t *old, ike_sa_t *new)
154 {
155 if (this->ike_sa == old)
156 {
157 this->ike_sa = new;
158 }
159 return TRUE;
160 }
161
162 /**
163 * load all CA certificates in the given directory
164 */
165 static void load_ca_dir(private_maemo_service_t *this, char *dir)
166 {
167 enumerator_t *enumerator;
168 char *rel, *abs;
169 struct stat st;
170
171 enumerator = enumerator_create_directory(dir);
172 if (enumerator)
173 {
174 while (enumerator->enumerate(enumerator, &rel, &abs, &st))
175 {
176 if (rel[0] != '.')
177 {
178 if (S_ISREG(st.st_mode))
179 {
180 certificate_t *cert;
181 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
182 CERT_X509, BUILD_FROM_FILE, abs,
183 BUILD_END);
184 if (!cert)
185 {
186 DBG1(DBG_CFG, "loading CA certificate '%s' failed",
187 abs);
188 continue;
189 }
190 DBG2(DBG_CFG, "loaded CA certificate '%Y'",
191 cert->get_subject(cert));
192 this->creds->add_cert(this->creds, TRUE, cert);
193 }
194 }
195 }
196 enumerator->destroy(enumerator);
197 }
198 }
199
200 static void disconnect(private_maemo_service_t *this)
201 {
202 ike_sa_t *ike_sa;
203 u_int id;
204
205 if (!this->current)
206 {
207 return;
208 }
209
210 /* avoid status updates, as this is called from the Glib main loop */
211 charon->bus->remove_listener(charon->bus, &this->public.listener);
212
213 ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager,
214 this->current, FALSE);
215 if (ike_sa)
216 {
217 id = ike_sa->get_unique_id(ike_sa);
218 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
219 charon->controller->terminate_ike(charon->controller, id,
220 NULL, NULL);
221 }
222 this->current = (g_free(this->current), NULL);
223 this->status = VPN_STATUS_DISCONNECTED;
224 }
225
226 static gboolean initiate_connection(private_maemo_service_t *this,
227 GArray *arguments)
228 {
229 gint i;
230 gchar *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL;
231 identification_t *gateway = NULL, *user = NULL;
232 ike_sa_t *ike_sa;
233 ike_cfg_t *ike_cfg;
234 peer_cfg_t *peer_cfg;
235 child_cfg_t *child_cfg;
236 traffic_selector_t *ts;
237 auth_cfg_t *auth;
238 certificate_t *cert;
239 lifetime_cfg_t lifetime = {
240 .time = {
241 .life = 10800, /* 3h */
242 .rekey = 10200, /* 2h50min */
243 .jitter = 300 /* 5min */
244 }
245 };
246
247 if (this->status == VPN_STATUS_CONNECTED ||
248 this->status == VPN_STATUS_CONNECTING)
249 {
250 DBG1(DBG_CFG, "currently connected to '%s', disconnecting first",
251 this->current);
252 disconnect (this);
253 }
254
255 if (arguments->len != 5)
256 {
257 DBG1(DBG_CFG, "wrong number of arguments: %d", arguments->len);
258 return FALSE;
259 }
260
261 for (i = 0; i < arguments->len; i++)
262 {
263 osso_rpc_t *arg = &g_array_index(arguments, osso_rpc_t, i);
264 if (arg->type != DBUS_TYPE_STRING)
265 {
266 DBG1(DBG_CFG, "invalid argument [%d]: %d", i, arg->type);
267 return FALSE;
268 }
269 switch (i)
270 {
271 case 0: /* name */
272 this->current = (g_free(this->current), NULL);
273 this->current = g_strdup(arg->value.s);
274 break;
275 case 1: /* hostname */
276 hostname = arg->value.s;
277 break;
278 case 2: /* CA certificate path */
279 cacert = arg->value.s;
280 break;
281 case 3: /* username */
282 username = arg->value.s;
283 break;
284 case 4: /* password */
285 password = arg->value.s;
286 break;
287 }
288 }
289
290 DBG1(DBG_CFG, "received initiate for connection '%s'", this->current);
291
292 this->creds->clear(this->creds);
293
294 if (cacert && !streq(cacert, ""))
295 {
296 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
297 BUILD_FROM_FILE, cacert, BUILD_END);
298 if (cert)
299 {
300 this->creds->add_cert(this->creds, TRUE, cert);
301 }
302 else
303 {
304 DBG1(DBG_CFG, "failed to load CA certificate");
305 }
306 /* if this is a server cert we could use the cert subject as id */
307 }
308 else
309 {
310 load_ca_dir(this, MAEMO_COMMON_CA_DIR);
311 load_ca_dir(this, MAEMO_USER_CA_DIR);
312 }
313
314 gateway = identification_create_from_string(hostname);
315 DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway);
316
317 {
318 shared_key_t *shared_key;
319 chunk_t secret = chunk_create(password, strlen(password));
320 user = identification_create_from_string(username);
321 shared_key = shared_key_create(SHARED_EAP, chunk_clone(secret));
322 this->creds->add_shared(this->creds, shared_key, user->clone(user),
323 NULL);
324 }
325
326 ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT,
327 hostname, IKEV2_UDP_PORT);
328 ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
329
330 peer_cfg = peer_cfg_create(this->current, 2, ike_cfg, CERT_SEND_IF_ASKED,
331 UNIQUE_REPLACE, 1, /* keyingtries */
332 36000, 0, /* rekey 10h, reauth none */
333 600, 600, /* jitter, over 10min */
334 TRUE, 0, /* mobike, DPD */
335 host_create_from_string("0.0.0.0", 0) /* virt */,
336 NULL, FALSE, NULL, NULL); /* pool, mediation */
337
338 auth = auth_cfg_create();
339 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP);
340 auth->add(auth, AUTH_RULE_IDENTITY, user);
341 peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
342 auth = auth_cfg_create();
343 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
344 auth->add(auth, AUTH_RULE_IDENTITY, gateway);
345 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
346
347 child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */,
348 TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE,
349 ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0);
350 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
351 ts = traffic_selector_create_dynamic(0, 0, 65535);
352 child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
353 ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
354 0, "255.255.255.255", 65535);
355 child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
356 peer_cfg->add_child_cfg(peer_cfg, child_cfg);
357 /* get an additional reference because initiate consumes one */
358 child_cfg->get_ref(child_cfg);
359
360 /* get us an IKE_SA */
361 ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager,
362 peer_cfg);
363 if (!ike_sa->get_peer_cfg(ike_sa))
364 {
365 ike_sa->set_peer_cfg(ike_sa, peer_cfg);
366 }
367 peer_cfg->destroy(peer_cfg);
368
369 /* store the IKE_SA, so we can track its progress */
370 this->ike_sa = ike_sa;
371 this->status = VPN_STATUS_CONNECTING;
372 this->public.listener.ike_updown = _ike_updown;
373 this->public.listener.ike_state_change = _ike_state_change;
374 charon->bus->add_listener(charon->bus, &this->public.listener);
375
376 if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS)
377 {
378 DBG1(DBG_CFG, "failed to initiate tunnel");
379 charon->bus->remove_listener(charon->bus, &this->public.listener);
380 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
381 ike_sa);
382 this->status = VPN_STATUS_CONNECTION_FAILED;
383 return FALSE;
384 }
385 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
386 return TRUE;
387 }
388
389 /**
390 * Callback for libosso dbus wrapper
391 */
392 static gint dbus_req_handler(const gchar *interface, const gchar *method,
393 GArray *arguments, private_maemo_service_t *this,
394 osso_rpc_t *retval)
395 {
396 if (streq(method, "Start"))
397 { /* void start (void), dummy function to start charon as root */
398 return OSSO_OK;
399 }
400 else if (streq(method, "Connect"))
401 { /* bool connect (name, host, cert, user, pass) */
402 retval->value.b = initiate_connection(this, arguments);
403 retval->type = DBUS_TYPE_BOOLEAN;
404 }
405 else if (streq(method, "Disconnect"))
406 { /* void disconnect (void) */
407 disconnect(this);
408 }
409 else
410 {
411 return OSSO_ERROR;
412 }
413 return OSSO_OK;
414 }
415
416 /**
417 * Main loop to handle D-BUS messages.
418 */
419 static job_requeue_t run(private_maemo_service_t *this)
420 {
421 this->loop = g_main_loop_new(NULL, FALSE);
422 g_main_loop_run(this->loop);
423 return JOB_REQUEUE_NONE;
424 }
425
426 METHOD(maemo_service_t, destroy, void,
427 private_maemo_service_t *this)
428 {
429 if (this->loop)
430 {
431 if (g_main_loop_is_running(this->loop))
432 {
433 g_main_loop_quit(this->loop);
434 }
435 g_main_loop_unref(this->loop);
436 }
437 if (this->context)
438 {
439 osso_rpc_unset_cb_f(this->context,
440 OSSO_CHARON_SERVICE,
441 OSSO_CHARON_OBJECT,
442 OSSO_CHARON_IFACE,
443 (osso_rpc_cb_f*)dbus_req_handler,
444 this);
445 osso_deinitialize(this->context);
446 }
447 charon->bus->remove_listener(charon->bus, &this->public.listener);
448 lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
449 this->creds->destroy(this->creds);
450 this->current = (g_free(this->current), NULL);
451 free(this);
452 }
453
454 /*
455 * See header
456 */
457 maemo_service_t *maemo_service_create()
458 {
459 osso_return_t result;
460 private_maemo_service_t *this;
461
462 INIT(this,
463 .public = {
464 .listener = {
465 .ike_updown = _ike_updown,
466 .ike_state_change = _ike_state_change,
467 .child_updown = _child_updown,
468 .ike_rekey = _ike_rekey,
469 },
470 .destroy = _destroy,
471 },
472 .creds = mem_cred_create(),
473 );
474
475 lib->credmgr->add_set(lib->credmgr, &this->creds->set);
476
477 this->context = osso_initialize(OSSO_CHARON_SERVICE, "0.0.1", TRUE, NULL);
478 if (!this->context)
479 {
480 DBG1(DBG_CFG, "failed to initialize OSSO context");
481 destroy(this);
482 return NULL;
483 }
484
485 result = osso_rpc_set_cb_f(this->context,
486 OSSO_CHARON_SERVICE,
487 OSSO_CHARON_OBJECT,
488 OSSO_CHARON_IFACE,
489 (osso_rpc_cb_f*)dbus_req_handler,
490 this);
491 if (result != OSSO_OK)
492 {
493 DBG1(DBG_CFG, "failed to set D-BUS callback (%d)", result);
494 destroy(this);
495 return NULL;
496 }
497
498 this->loop = NULL;
499 if (!g_thread_supported())
500 {
501 g_thread_init(NULL);
502 }
503
504 lib->processor->queue_job(lib->processor,
505 (job_t*)callback_job_create_with_prio((callback_job_cb_t)run,
506 this, NULL, NULL, JOB_PRIO_CRITICAL));
507
508 return &this->public;
509 }
510
strongSwan - IPsec VPN