Darin Petkov | 33af05c | 2012-02-28 10:10:30 +0100 | [diff] [blame] | 1 | // Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file. |
| 4 | |
| 5 | #include "shill/openvpn_driver.h" |
| 6 | |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 7 | #include <arpa/inet.h> |
| 8 | |
Darin Petkov | 1fa8194 | 2012-04-02 11:38:08 +0200 | [diff] [blame] | 9 | #include <base/file_util.h> |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 10 | #include <base/string_number_conversions.h> |
Darin Petkov | 78f6326 | 2012-03-26 01:30:24 +0200 | [diff] [blame] | 11 | #include <base/string_split.h> |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 12 | #include <base/string_util.h> |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 13 | #include <chromeos/dbus/service_constants.h> |
| 14 | |
Paul Stewart | ce4ec19 | 2012-03-14 12:53:46 -0700 | [diff] [blame] | 15 | #include "shill/connection.h" |
Paul Stewart | ca6abd4 | 2012-03-01 15:45:29 -0800 | [diff] [blame] | 16 | #include "shill/device_info.h" |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 17 | #include "shill/dhcp_config.h" |
Darin Petkov | 33af05c | 2012-02-28 10:10:30 +0100 | [diff] [blame] | 18 | #include "shill/error.h" |
Christopher Wiley | b691efd | 2012-08-09 13:51:51 -0700 | [diff] [blame] | 19 | #include "shill/logging.h" |
Paul Stewart | ce4ec19 | 2012-03-14 12:53:46 -0700 | [diff] [blame] | 20 | #include "shill/manager.h" |
Darin Petkov | 3c5e4dc | 2012-04-02 14:44:27 +0200 | [diff] [blame] | 21 | #include "shill/nss.h" |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 22 | #include "shill/openvpn_management_server.h" |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 23 | #include "shill/process_killer.h" |
Darin Petkov | a9b1fed | 2012-02-29 11:49:05 +0100 | [diff] [blame] | 24 | #include "shill/rpc_task.h" |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 25 | #include "shill/sockets.h" |
Darin Petkov | f20994f | 2012-03-05 16:12:19 +0100 | [diff] [blame] | 26 | #include "shill/vpn.h" |
Darin Petkov | 79d74c9 | 2012-03-07 17:20:32 +0100 | [diff] [blame] | 27 | #include "shill/vpn_service.h" |
Darin Petkov | 33af05c | 2012-02-28 10:10:30 +0100 | [diff] [blame] | 28 | |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 29 | using base::Closure; |
Darin Petkov | 78f6326 | 2012-03-26 01:30:24 +0200 | [diff] [blame] | 30 | using base::SplitString; |
Darin Petkov | a5e07ef | 2012-07-09 14:27:57 +0200 | [diff] [blame] | 31 | using base::Unretained; |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 32 | using base::WeakPtr; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 33 | using std::map; |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 34 | using std::string; |
| 35 | using std::vector; |
| 36 | |
Darin Petkov | 33af05c | 2012-02-28 10:10:30 +0100 | [diff] [blame] | 37 | namespace shill { |
| 38 | |
Darin Petkov | a9b1fed | 2012-02-29 11:49:05 +0100 | [diff] [blame] | 39 | namespace { |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 40 | |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 41 | const char kOpenVPNForeignOptionPrefix[] = "foreign_option_"; |
| 42 | const char kOpenVPNIfconfigBroadcast[] = "ifconfig_broadcast"; |
| 43 | const char kOpenVPNIfconfigLocal[] = "ifconfig_local"; |
| 44 | const char kOpenVPNIfconfigNetmask[] = "ifconfig_netmask"; |
| 45 | const char kOpenVPNIfconfigRemote[] = "ifconfig_remote"; |
| 46 | const char kOpenVPNRouteOptionPrefix[] = "route_"; |
| 47 | const char kOpenVPNRouteVPNGateway[] = "route_vpn_gateway"; |
| 48 | const char kOpenVPNTrustedIP[] = "trusted_ip"; |
| 49 | const char kOpenVPNTunMTU[] = "tun_mtu"; |
Darin Petkov | f3c71d7 | 2012-03-21 12:32:15 +0100 | [diff] [blame] | 50 | |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 51 | const char kDefaultPKCS11Provider[] = "libchaps.so"; |
| 52 | |
Darin Petkov | f3c71d7 | 2012-03-21 12:32:15 +0100 | [diff] [blame] | 53 | // TODO(petkov): Move to chromeos/dbus/service_constants.h. |
| 54 | const char kOpenVPNCertProperty[] = "OpenVPN.Cert"; |
| 55 | const char kOpenVPNKeyProperty[] = "OpenVPN.Key"; |
| 56 | const char kOpenVPNPingProperty[] = "OpenVPN.Ping"; |
| 57 | const char kOpenVPNPingExitProperty[] = "OpenVPN.PingExit"; |
| 58 | const char kOpenVPNPingRestartProperty[] = "OpenVPN.PingRestart"; |
| 59 | const char kOpenVPNTLSAuthProperty[] = "OpenVPN.TLSAuth"; |
| 60 | const char kOpenVPNVerbProperty[] = "OpenVPN.Verb"; |
| 61 | const char kVPNMTUProperty[] = "VPN.MTU"; |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 62 | |
Paul Stewart | ebd3856 | 2012-03-23 13:06:40 -0700 | [diff] [blame] | 63 | } // namespace |
| 64 | |
| 65 | // static |
| 66 | const char OpenVPNDriver::kOpenVPNPath[] = "/usr/sbin/openvpn"; |
| 67 | // static |
| 68 | const char OpenVPNDriver::kOpenVPNScript[] = SCRIPTDIR "/openvpn-script"; |
| 69 | // static |
Darin Petkov | d432539 | 2012-04-23 15:48:22 +0200 | [diff] [blame] | 70 | const VPNDriver::Property OpenVPNDriver::kProperties[] = { |
Darin Petkov | 1847d79 | 2012-04-17 11:33:06 +0200 | [diff] [blame] | 71 | { flimflam::kOpenVPNAuthNoCacheProperty, 0 }, |
| 72 | { flimflam::kOpenVPNAuthProperty, 0 }, |
| 73 | { flimflam::kOpenVPNAuthRetryProperty, 0 }, |
| 74 | { flimflam::kOpenVPNAuthUserPassProperty, 0 }, |
| 75 | { flimflam::kOpenVPNCaCertNSSProperty, 0 }, |
| 76 | { flimflam::kOpenVPNCaCertProperty, 0 }, |
| 77 | { flimflam::kOpenVPNCipherProperty, 0 }, |
Darin Petkov | cb71529 | 2012-04-25 13:04:37 +0200 | [diff] [blame] | 78 | { flimflam::kOpenVPNClientCertIdProperty, Property::kCredential }, |
Darin Petkov | 1847d79 | 2012-04-17 11:33:06 +0200 | [diff] [blame] | 79 | { flimflam::kOpenVPNCompLZOProperty, 0 }, |
| 80 | { flimflam::kOpenVPNCompNoAdaptProperty, 0 }, |
| 81 | { flimflam::kOpenVPNKeyDirectionProperty, 0 }, |
| 82 | { flimflam::kOpenVPNNsCertTypeProperty, 0 }, |
Darin Petkov | cb71529 | 2012-04-25 13:04:37 +0200 | [diff] [blame] | 83 | { flimflam::kOpenVPNOTPProperty, |
Darin Petkov | 0223655 | 2012-06-11 13:15:19 +0200 | [diff] [blame] | 84 | Property::kEphemeral | Property::kCredential | Property::kWriteOnly }, |
| 85 | { flimflam::kOpenVPNPasswordProperty, |
| 86 | Property::kCredential | Property::kWriteOnly }, |
Darin Petkov | cb71529 | 2012-04-25 13:04:37 +0200 | [diff] [blame] | 87 | { flimflam::kOpenVPNPinProperty, Property::kCredential }, |
Darin Petkov | 1847d79 | 2012-04-17 11:33:06 +0200 | [diff] [blame] | 88 | { flimflam::kOpenVPNPortProperty, 0 }, |
| 89 | { flimflam::kOpenVPNProtoProperty, 0 }, |
| 90 | { flimflam::kOpenVPNProviderProperty, 0 }, |
| 91 | { flimflam::kOpenVPNPushPeerInfoProperty, 0 }, |
| 92 | { flimflam::kOpenVPNRemoteCertEKUProperty, 0 }, |
| 93 | { flimflam::kOpenVPNRemoteCertKUProperty, 0 }, |
| 94 | { flimflam::kOpenVPNRemoteCertTLSProperty, 0 }, |
| 95 | { flimflam::kOpenVPNRenegSecProperty, 0 }, |
| 96 | { flimflam::kOpenVPNServerPollTimeoutProperty, 0 }, |
| 97 | { flimflam::kOpenVPNShaperProperty, 0 }, |
| 98 | { flimflam::kOpenVPNStaticChallengeProperty, 0 }, |
| 99 | { flimflam::kOpenVPNTLSAuthContentsProperty, 0 }, |
| 100 | { flimflam::kOpenVPNTLSRemoteProperty, 0 }, |
| 101 | { flimflam::kOpenVPNUserProperty, 0 }, |
| 102 | { flimflam::kProviderHostProperty, 0 }, |
| 103 | { flimflam::kProviderNameProperty, 0 }, |
| 104 | { flimflam::kProviderTypeProperty, 0 }, |
| 105 | { kOpenVPNCertProperty, 0 }, |
| 106 | { kOpenVPNKeyProperty, 0 }, |
| 107 | { kOpenVPNPingExitProperty, 0 }, |
| 108 | { kOpenVPNPingProperty, 0 }, |
| 109 | { kOpenVPNPingRestartProperty, 0 }, |
| 110 | { kOpenVPNTLSAuthProperty, 0 }, |
| 111 | { kOpenVPNVerbProperty, 0 }, |
| 112 | { kVPNMTUProperty, 0 }, |
Paul Stewart | 2280799 | 2012-04-11 08:48:31 -0700 | [diff] [blame] | 113 | |
| 114 | // Provided only for compatibility. crosbug.com/29286 |
Darin Petkov | 1847d79 | 2012-04-17 11:33:06 +0200 | [diff] [blame] | 115 | { flimflam::kOpenVPNMgmtEnableProperty, 0 }, |
Darin Petkov | f3c71d7 | 2012-03-21 12:32:15 +0100 | [diff] [blame] | 116 | }; |
Paul Stewart | 291a473 | 2012-03-14 19:19:02 -0700 | [diff] [blame] | 117 | |
Darin Petkov | 1a462de | 2012-05-02 11:10:48 +0200 | [diff] [blame] | 118 | // static |
| 119 | const char OpenVPNDriver::kLSBReleaseFile[] = "/etc/lsb-release"; |
| 120 | // static |
| 121 | const char OpenVPNDriver::kChromeOSReleaseName[] = "CHROMEOS_RELEASE_NAME"; |
| 122 | //static |
| 123 | const char OpenVPNDriver::kChromeOSReleaseVersion[] = |
| 124 | "CHROMEOS_RELEASE_VERSION"; |
| 125 | |
Darin Petkov | a9b1fed | 2012-02-29 11:49:05 +0100 | [diff] [blame] | 126 | OpenVPNDriver::OpenVPNDriver(ControlInterface *control, |
Darin Petkov | f20994f | 2012-03-05 16:12:19 +0100 | [diff] [blame] | 127 | EventDispatcher *dispatcher, |
| 128 | Metrics *metrics, |
| 129 | Manager *manager, |
Paul Stewart | ca6abd4 | 2012-03-01 15:45:29 -0800 | [diff] [blame] | 130 | DeviceInfo *device_info, |
Paul Stewart | 451aa7f | 2012-04-11 19:07:58 -0700 | [diff] [blame] | 131 | GLib *glib) |
Darin Petkov | 602303f | 2012-06-06 12:15:59 +0200 | [diff] [blame] | 132 | : VPNDriver(dispatcher, manager, kProperties, arraysize(kProperties)), |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 133 | control_(control), |
Darin Petkov | f20994f | 2012-03-05 16:12:19 +0100 | [diff] [blame] | 134 | metrics_(metrics), |
Paul Stewart | ca6abd4 | 2012-03-01 15:45:29 -0800 | [diff] [blame] | 135 | device_info_(device_info), |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 136 | glib_(glib), |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 137 | management_server_(new OpenVPNManagementServer(this, glib)), |
Darin Petkov | 3c5e4dc | 2012-04-02 14:44:27 +0200 | [diff] [blame] | 138 | nss_(NSS::GetInstance()), |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 139 | process_killer_(ProcessKiller::GetInstance()), |
Darin Petkov | 1a462de | 2012-05-02 11:10:48 +0200 | [diff] [blame] | 140 | lsb_release_file_(kLSBReleaseFile), |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 141 | pid_(0), |
Darin Petkov | a5e07ef | 2012-07-09 14:27:57 +0200 | [diff] [blame] | 142 | child_watch_tag_(0), |
| 143 | default_service_callback_tag_(0) {} |
Darin Petkov | 33af05c | 2012-02-28 10:10:30 +0100 | [diff] [blame] | 144 | |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 145 | OpenVPNDriver::~OpenVPNDriver() { |
Darin Petkov | 3f9131c | 2012-03-20 11:37:32 +0100 | [diff] [blame] | 146 | Cleanup(Service::kStateIdle); |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 147 | } |
| 148 | |
Darin Petkov | 3f9131c | 2012-03-20 11:37:32 +0100 | [diff] [blame] | 149 | void OpenVPNDriver::Cleanup(Service::ConnectState state) { |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 150 | SLOG(VPN, 2) << __func__ << "(" << Service::ConnectStateToString(state) |
| 151 | << ")"; |
Darin Petkov | 602303f | 2012-06-06 12:15:59 +0200 | [diff] [blame] | 152 | StopConnectTimeout(); |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 153 | management_server_->Stop(); |
Darin Petkov | 1fa8194 | 2012-04-02 11:38:08 +0200 | [diff] [blame] | 154 | if (!tls_auth_file_.empty()) { |
| 155 | file_util::Delete(tls_auth_file_, false); |
| 156 | tls_auth_file_.clear(); |
| 157 | } |
Darin Petkov | a5e07ef | 2012-07-09 14:27:57 +0200 | [diff] [blame] | 158 | if (default_service_callback_tag_) { |
| 159 | manager()->DeregisterDefaultServiceCallback(default_service_callback_tag_); |
| 160 | default_service_callback_tag_ = 0; |
| 161 | } |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 162 | if (child_watch_tag_) { |
| 163 | glib_->SourceRemove(child_watch_tag_); |
| 164 | child_watch_tag_ = 0; |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 165 | } |
| 166 | rpc_task_.reset(); |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 167 | int interface_index = -1; |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 168 | if (device_) { |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 169 | interface_index = device_->interface_index(); |
Darin Petkov | 029d353 | 2012-04-18 14:38:04 +0200 | [diff] [blame] | 170 | device_->OnDisconnected(); |
Eric Shienbrood | 9a24553 | 2012-03-07 14:20:39 -0500 | [diff] [blame] | 171 | device_->SetEnabled(false); |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 172 | device_ = NULL; |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 173 | } |
| 174 | if (pid_) { |
| 175 | Closure callback; |
| 176 | if (interface_index >= 0) { |
| 177 | callback = |
| 178 | Bind(&DeleteInterface, device_info_->AsWeakPtr(), interface_index); |
| 179 | interface_index = -1; |
| 180 | } |
| 181 | process_killer_->Kill(pid_, callback); |
| 182 | pid_ = 0; |
| 183 | } |
| 184 | if (interface_index >= 0) { |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 185 | device_info_->DeleteInterface(interface_index); |
| 186 | } |
| 187 | tunnel_interface_.clear(); |
Darin Petkov | 79d74c9 | 2012-03-07 17:20:32 +0100 | [diff] [blame] | 188 | if (service_) { |
Darin Petkov | 3f9131c | 2012-03-20 11:37:32 +0100 | [diff] [blame] | 189 | service_->SetState(state); |
Darin Petkov | 79d74c9 | 2012-03-07 17:20:32 +0100 | [diff] [blame] | 190 | service_ = NULL; |
| 191 | } |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 192 | } |
| 193 | |
| 194 | bool OpenVPNDriver::SpawnOpenVPN() { |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 195 | SLOG(VPN, 2) << __func__ << "(" << tunnel_interface_ << ")"; |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 196 | |
| 197 | vector<string> options; |
| 198 | Error error; |
| 199 | InitOptions(&options, &error); |
| 200 | if (error.IsFailure()) { |
| 201 | return false; |
| 202 | } |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 203 | SLOG(VPN, 2) << "OpenVPN process options: " << JoinString(options, ' '); |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 204 | |
| 205 | // TODO(petkov): This code needs to be abstracted away in a separate external |
| 206 | // process module (crosbug.com/27131). |
| 207 | vector<char *> process_args; |
| 208 | process_args.push_back(const_cast<char *>(kOpenVPNPath)); |
| 209 | for (vector<string>::const_iterator it = options.begin(); |
| 210 | it != options.end(); ++it) { |
| 211 | process_args.push_back(const_cast<char *>(it->c_str())); |
| 212 | } |
| 213 | process_args.push_back(NULL); |
Darin Petkov | 1a462de | 2012-05-02 11:10:48 +0200 | [diff] [blame] | 214 | |
| 215 | vector<string> environment; |
| 216 | InitEnvironment(&environment); |
| 217 | |
| 218 | vector<char *> process_env; |
| 219 | for (vector<string>::const_iterator it = environment.begin(); |
| 220 | it != environment.end(); ++it) { |
| 221 | process_env.push_back(const_cast<char *>(it->c_str())); |
| 222 | } |
| 223 | process_env.push_back(NULL); |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 224 | |
| 225 | CHECK(!pid_); |
| 226 | // Redirect all openvpn output to stderr. |
| 227 | int stderr_fd = fileno(stderr); |
| 228 | if (!glib_->SpawnAsyncWithPipesCWD(process_args.data(), |
Darin Petkov | 1a462de | 2012-05-02 11:10:48 +0200 | [diff] [blame] | 229 | process_env.data(), |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 230 | G_SPAWN_DO_NOT_REAP_CHILD, |
| 231 | NULL, |
| 232 | NULL, |
| 233 | &pid_, |
| 234 | NULL, |
| 235 | &stderr_fd, |
| 236 | &stderr_fd, |
| 237 | NULL)) { |
| 238 | LOG(ERROR) << "Unable to spawn: " << kOpenVPNPath; |
| 239 | return false; |
| 240 | } |
| 241 | CHECK(!child_watch_tag_); |
| 242 | child_watch_tag_ = glib_->ChildWatchAdd(pid_, OnOpenVPNDied, this); |
| 243 | return true; |
| 244 | } |
| 245 | |
| 246 | // static |
| 247 | void OpenVPNDriver::OnOpenVPNDied(GPid pid, gint status, gpointer data) { |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 248 | SLOG(VPN, 2) << __func__ << "(" << pid << ", " << status << ")"; |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 249 | OpenVPNDriver *me = reinterpret_cast<OpenVPNDriver *>(data); |
| 250 | me->child_watch_tag_ = 0; |
| 251 | CHECK_EQ(pid, me->pid_); |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 252 | me->pid_ = 0; |
Darin Petkov | 3f9131c | 2012-03-20 11:37:32 +0100 | [diff] [blame] | 253 | me->Cleanup(Service::kStateFailure); |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 254 | // TODO(petkov): Figure if we need to restart the connection. |
| 255 | } |
Darin Petkov | 33af05c | 2012-02-28 10:10:30 +0100 | [diff] [blame] | 256 | |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 257 | // static |
Darin Petkov | 5dbd261 | 2012-06-07 16:22:16 +0200 | [diff] [blame] | 258 | void OpenVPNDriver::DeleteInterface(const WeakPtr<DeviceInfo> &device_info, |
Darin Petkov | 5a85047 | 2012-06-06 15:44:24 +0200 | [diff] [blame] | 259 | int interface_index) { |
| 260 | if (device_info) { |
| 261 | LOG(INFO) << "Deleting interface " << interface_index; |
| 262 | device_info->DeleteInterface(interface_index); |
| 263 | } |
| 264 | } |
| 265 | |
Paul Stewart | ca6abd4 | 2012-03-01 15:45:29 -0800 | [diff] [blame] | 266 | bool OpenVPNDriver::ClaimInterface(const string &link_name, |
| 267 | int interface_index) { |
| 268 | if (link_name != tunnel_interface_) { |
| 269 | return false; |
| 270 | } |
| 271 | |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 272 | SLOG(VPN, 2) << "Claiming " << link_name << " for OpenVPN tunnel"; |
Paul Stewart | ca6abd4 | 2012-03-01 15:45:29 -0800 | [diff] [blame] | 273 | |
Darin Petkov | f20994f | 2012-03-05 16:12:19 +0100 | [diff] [blame] | 274 | CHECK(!device_); |
Darin Petkov | 602303f | 2012-06-06 12:15:59 +0200 | [diff] [blame] | 275 | device_ = new VPN(control_, dispatcher(), metrics_, manager(), |
Darin Petkov | f20994f | 2012-03-05 16:12:19 +0100 | [diff] [blame] | 276 | link_name, interface_index); |
Eric Shienbrood | 9a24553 | 2012-03-07 14:20:39 -0500 | [diff] [blame] | 277 | device_->SetEnabled(true); |
Darin Petkov | 79d74c9 | 2012-03-07 17:20:32 +0100 | [diff] [blame] | 278 | device_->SelectService(service_); |
Eric Shienbrood | 9a24553 | 2012-03-07 14:20:39 -0500 | [diff] [blame] | 279 | |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 280 | rpc_task_.reset(new RPCTask(control_, this)); |
| 281 | if (!SpawnOpenVPN()) { |
Darin Petkov | 3f9131c | 2012-03-20 11:37:32 +0100 | [diff] [blame] | 282 | Cleanup(Service::kStateFailure); |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 283 | } |
Darin Petkov | a5e07ef | 2012-07-09 14:27:57 +0200 | [diff] [blame] | 284 | default_service_callback_tag_ = |
| 285 | manager()->RegisterDefaultServiceCallback( |
| 286 | Bind(&OpenVPNDriver::OnDefaultServiceChanged, Unretained(this))); |
Paul Stewart | ca6abd4 | 2012-03-01 15:45:29 -0800 | [diff] [blame] | 287 | return true; |
| 288 | } |
| 289 | |
Darin Petkov | 209e629 | 2012-04-20 11:33:32 +0200 | [diff] [blame] | 290 | void OpenVPNDriver::GetLogin(string */*user*/, string */*password*/) { |
| 291 | NOTREACHED(); |
| 292 | } |
| 293 | |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 294 | void OpenVPNDriver::Notify(const string &reason, |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 295 | const map<string, string> &dict) { |
Darin Petkov | 602303f | 2012-06-06 12:15:59 +0200 | [diff] [blame] | 296 | LOG(INFO) << "IP configuration received: " << reason; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 297 | if (reason != "up") { |
Darin Petkov | 79d74c9 | 2012-03-07 17:20:32 +0100 | [diff] [blame] | 298 | device_->OnDisconnected(); |
Darin Petkov | 36a3ace | 2012-03-06 17:22:14 +0100 | [diff] [blame] | 299 | return; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 300 | } |
| 301 | IPConfig::Properties properties; |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 302 | if (device_->ipconfig()) { |
| 303 | // On restart/reconnect, update the existing IP configuration. |
| 304 | properties = device_->ipconfig()->properties(); |
| 305 | } |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 306 | ParseIPConfiguration(dict, &properties); |
Darin Petkov | 79d74c9 | 2012-03-07 17:20:32 +0100 | [diff] [blame] | 307 | device_->UpdateIPConfig(properties); |
Darin Petkov | 602303f | 2012-06-06 12:15:59 +0200 | [diff] [blame] | 308 | StopConnectTimeout(); |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 309 | } |
| 310 | |
| 311 | // static |
| 312 | void OpenVPNDriver::ParseIPConfiguration( |
| 313 | const map<string, string> &configuration, |
| 314 | IPConfig::Properties *properties) { |
| 315 | ForeignOptions foreign_options; |
Darin Petkov | 6059674 | 2012-03-05 12:17:17 +0100 | [diff] [blame] | 316 | RouteOptions routes; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 317 | properties->address_family = IPAddress::kFamilyIPv4; |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 318 | if (!properties->subnet_prefix) { |
| 319 | properties->subnet_prefix = |
| 320 | IPAddress::GetMaxPrefixLength(properties->address_family); |
| 321 | } |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 322 | for (map<string, string>::const_iterator it = configuration.begin(); |
| 323 | it != configuration.end(); ++it) { |
| 324 | const string &key = it->first; |
| 325 | const string &value = it->second; |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 326 | SLOG(VPN, 2) << "Processing: " << key << " -> " << value; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 327 | if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigLocal)) { |
| 328 | properties->address = value; |
| 329 | } else if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigBroadcast)) { |
| 330 | properties->broadcast_address = value; |
| 331 | } else if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigNetmask)) { |
Paul Stewart | 48100b0 | 2012-03-19 07:53:52 -0700 | [diff] [blame] | 332 | properties->subnet_prefix = |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 333 | IPAddress::GetPrefixLengthFromMask(properties->address_family, value); |
| 334 | } else if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigRemote)) { |
| 335 | properties->peer_address = value; |
| 336 | } else if (LowerCaseEqualsASCII(key, kOpenVPNRouteVPNGateway)) { |
| 337 | properties->gateway = value; |
| 338 | } else if (LowerCaseEqualsASCII(key, kOpenVPNTrustedIP)) { |
Paul Stewart | ce4ec19 | 2012-03-14 12:53:46 -0700 | [diff] [blame] | 339 | properties->trusted_ip = value; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 340 | } else if (LowerCaseEqualsASCII(key, kOpenVPNTunMTU)) { |
| 341 | int mtu = 0; |
| 342 | if (base::StringToInt(value, &mtu) && mtu >= DHCPConfig::kMinMTU) { |
| 343 | properties->mtu = mtu; |
| 344 | } else { |
| 345 | LOG(ERROR) << "MTU " << value << " ignored."; |
| 346 | } |
| 347 | } else if (StartsWithASCII(key, kOpenVPNForeignOptionPrefix, false)) { |
| 348 | const string suffix = key.substr(strlen(kOpenVPNForeignOptionPrefix)); |
| 349 | int order = 0; |
| 350 | if (base::StringToInt(suffix, &order)) { |
| 351 | foreign_options[order] = value; |
| 352 | } else { |
| 353 | LOG(ERROR) << "Ignored unexpected foreign option suffix: " << suffix; |
| 354 | } |
| 355 | } else if (StartsWithASCII(key, kOpenVPNRouteOptionPrefix, false)) { |
Darin Petkov | 6059674 | 2012-03-05 12:17:17 +0100 | [diff] [blame] | 356 | ParseRouteOption(key.substr(strlen(kOpenVPNRouteOptionPrefix)), |
| 357 | value, &routes); |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 358 | } else { |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 359 | SLOG(VPN, 2) << "Key ignored."; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 360 | } |
| 361 | } |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 362 | ParseForeignOptions(foreign_options, properties); |
Darin Petkov | 6059674 | 2012-03-05 12:17:17 +0100 | [diff] [blame] | 363 | SetRoutes(routes, properties); |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 364 | } |
| 365 | |
| 366 | // static |
| 367 | void OpenVPNDriver::ParseForeignOptions(const ForeignOptions &options, |
| 368 | IPConfig::Properties *properties) { |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 369 | vector<string> domain_search; |
| 370 | vector<string> dns_servers; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 371 | for (ForeignOptions::const_iterator it = options.begin(); |
| 372 | it != options.end(); ++it) { |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 373 | ParseForeignOption(it->second, &domain_search, &dns_servers); |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 374 | } |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 375 | if (!domain_search.empty()) { |
| 376 | properties->domain_search.swap(domain_search); |
| 377 | } |
| 378 | LOG_IF(WARNING, properties->domain_search.empty()) |
| 379 | << "No search domains provided."; |
| 380 | if (!dns_servers.empty()) { |
| 381 | properties->dns_servers.swap(dns_servers); |
| 382 | } |
| 383 | LOG_IF(WARNING, properties->dns_servers.empty()) |
| 384 | << "No DNS servers provided."; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 385 | } |
| 386 | |
| 387 | // static |
| 388 | void OpenVPNDriver::ParseForeignOption(const string &option, |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 389 | vector<string> *domain_search, |
| 390 | vector<string> *dns_servers) { |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 391 | SLOG(VPN, 2) << __func__ << "(" << option << ")"; |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 392 | vector<string> tokens; |
Darin Petkov | 78f6326 | 2012-03-26 01:30:24 +0200 | [diff] [blame] | 393 | SplitString(option, ' ', &tokens); |
| 394 | if (tokens.size() != 3 || !LowerCaseEqualsASCII(tokens[0], "dhcp-option")) { |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 395 | return; |
| 396 | } |
| 397 | if (LowerCaseEqualsASCII(tokens[1], "domain")) { |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 398 | domain_search->push_back(tokens[2]); |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 399 | } else if (LowerCaseEqualsASCII(tokens[1], "dns")) { |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 400 | dns_servers->push_back(tokens[2]); |
Darin Petkov | 14c29ec | 2012-03-02 11:34:19 +0100 | [diff] [blame] | 401 | } |
| 402 | } |
| 403 | |
Darin Petkov | 6059674 | 2012-03-05 12:17:17 +0100 | [diff] [blame] | 404 | // static |
| 405 | IPConfig::Route *OpenVPNDriver::GetRouteOptionEntry( |
| 406 | const string &prefix, const string &key, RouteOptions *routes) { |
| 407 | int order = 0; |
| 408 | if (!StartsWithASCII(key, prefix, false) || |
| 409 | !base::StringToInt(key.substr(prefix.size()), &order)) { |
| 410 | return NULL; |
| 411 | } |
| 412 | return &(*routes)[order]; |
| 413 | } |
| 414 | |
| 415 | // static |
| 416 | void OpenVPNDriver::ParseRouteOption( |
| 417 | const string &key, const string &value, RouteOptions *routes) { |
| 418 | IPConfig::Route *route = GetRouteOptionEntry("network_", key, routes); |
| 419 | if (route) { |
| 420 | route->host = value; |
| 421 | return; |
| 422 | } |
| 423 | route = GetRouteOptionEntry("netmask_", key, routes); |
| 424 | if (route) { |
| 425 | route->netmask = value; |
| 426 | return; |
| 427 | } |
| 428 | route = GetRouteOptionEntry("gateway_", key, routes); |
| 429 | if (route) { |
| 430 | route->gateway = value; |
| 431 | return; |
| 432 | } |
| 433 | LOG(WARNING) << "Unknown route option ignored: " << key; |
| 434 | } |
| 435 | |
| 436 | // static |
| 437 | void OpenVPNDriver::SetRoutes(const RouteOptions &routes, |
| 438 | IPConfig::Properties *properties) { |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 439 | vector<IPConfig::Route> new_routes; |
Darin Petkov | 6059674 | 2012-03-05 12:17:17 +0100 | [diff] [blame] | 440 | for (RouteOptions::const_iterator it = routes.begin(); |
| 441 | it != routes.end(); ++it) { |
| 442 | const IPConfig::Route &route = it->second; |
| 443 | if (route.host.empty() || route.netmask.empty() || route.gateway.empty()) { |
| 444 | LOG(WARNING) << "Ignoring incomplete route: " << it->first; |
| 445 | continue; |
| 446 | } |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 447 | new_routes.push_back(route); |
Darin Petkov | 6059674 | 2012-03-05 12:17:17 +0100 | [diff] [blame] | 448 | } |
Darin Petkov | e8587e3 | 2012-07-02 13:56:07 +0200 | [diff] [blame] | 449 | if (!new_routes.empty()) { |
| 450 | properties->routes.swap(new_routes); |
| 451 | } |
| 452 | LOG_IF(WARNING, properties->routes.empty()) << "No routes provided."; |
Darin Petkov | 6059674 | 2012-03-05 12:17:17 +0100 | [diff] [blame] | 453 | } |
| 454 | |
Darin Petkov | 602303f | 2012-06-06 12:15:59 +0200 | [diff] [blame] | 455 | void OpenVPNDriver::Connect(const VPNServiceRefPtr &service, Error *error) { |
| 456 | StartConnectTimeout(); |
Darin Petkov | 79d74c9 | 2012-03-07 17:20:32 +0100 | [diff] [blame] | 457 | service_ = service; |
| 458 | service_->SetState(Service::kStateConfiguring); |
Darin Petkov | f20994f | 2012-03-05 16:12:19 +0100 | [diff] [blame] | 459 | if (!device_info_->CreateTunnelInterface(&tunnel_interface_)) { |
| 460 | Error::PopulateAndLog( |
| 461 | error, Error::kInternalError, "Could not create tunnel interface."); |
Darin Petkov | 3f9131c | 2012-03-20 11:37:32 +0100 | [diff] [blame] | 462 | Cleanup(Service::kStateFailure); |
Darin Petkov | f20994f | 2012-03-05 16:12:19 +0100 | [diff] [blame] | 463 | } |
| 464 | // Wait for the ClaimInterface callback to continue the connection process. |
Darin Petkov | 33af05c | 2012-02-28 10:10:30 +0100 | [diff] [blame] | 465 | } |
| 466 | |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 467 | void OpenVPNDriver::InitOptions(vector<string> *options, Error *error) { |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 468 | string vpnhost = args()->LookupString(flimflam::kProviderHostProperty, ""); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 469 | if (vpnhost.empty()) { |
| 470 | Error::PopulateAndLog( |
| 471 | error, Error::kInvalidArguments, "VPN host not specified."); |
| 472 | return; |
| 473 | } |
| 474 | options->push_back("--client"); |
| 475 | options->push_back("--tls-client"); |
| 476 | options->push_back("--remote"); |
| 477 | options->push_back(vpnhost); |
| 478 | options->push_back("--nobind"); |
| 479 | options->push_back("--persist-key"); |
| 480 | options->push_back("--persist-tun"); |
| 481 | |
Darin Petkov | f20994f | 2012-03-05 16:12:19 +0100 | [diff] [blame] | 482 | CHECK(!tunnel_interface_.empty()); |
Paul Stewart | ca6abd4 | 2012-03-01 15:45:29 -0800 | [diff] [blame] | 483 | options->push_back("--dev"); |
| 484 | options->push_back(tunnel_interface_); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 485 | options->push_back("--dev-type"); |
| 486 | options->push_back("tun"); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 487 | |
Darin Petkov | 55771b7 | 2012-04-25 09:25:19 +0200 | [diff] [blame] | 488 | InitLoggingOptions(options); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 489 | |
Darin Petkov | f3c71d7 | 2012-03-21 12:32:15 +0100 | [diff] [blame] | 490 | AppendValueOption(kVPNMTUProperty, "--mtu", options); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 491 | AppendValueOption(flimflam::kOpenVPNProtoProperty, "--proto", options); |
| 492 | AppendValueOption(flimflam::kOpenVPNPortProperty, "--port", options); |
Darin Petkov | f3c71d7 | 2012-03-21 12:32:15 +0100 | [diff] [blame] | 493 | AppendValueOption(kOpenVPNTLSAuthProperty, "--tls-auth", options); |
Darin Petkov | 1fa8194 | 2012-04-02 11:38:08 +0200 | [diff] [blame] | 494 | { |
| 495 | string contents = |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 496 | args()->LookupString(flimflam::kOpenVPNTLSAuthContentsProperty, ""); |
Darin Petkov | 1fa8194 | 2012-04-02 11:38:08 +0200 | [diff] [blame] | 497 | if (!contents.empty()) { |
| 498 | if (!file_util::CreateTemporaryFile(&tls_auth_file_) || |
| 499 | file_util::WriteFile( |
| 500 | tls_auth_file_, contents.data(), contents.size()) != |
| 501 | static_cast<int>(contents.size())) { |
| 502 | Error::PopulateAndLog( |
| 503 | error, Error::kInternalError, "Unable to setup tls-auth file."); |
| 504 | return; |
| 505 | } |
| 506 | options->push_back("--tls-auth"); |
| 507 | options->push_back(tls_auth_file_.value()); |
| 508 | } |
| 509 | } |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 510 | AppendValueOption( |
| 511 | flimflam::kOpenVPNTLSRemoteProperty, "--tls-remote", options); |
| 512 | AppendValueOption(flimflam::kOpenVPNCipherProperty, "--cipher", options); |
| 513 | AppendValueOption(flimflam::kOpenVPNAuthProperty, "--auth", options); |
| 514 | AppendFlag(flimflam::kOpenVPNAuthNoCacheProperty, "--auth-nocache", options); |
| 515 | AppendValueOption( |
| 516 | flimflam::kOpenVPNAuthRetryProperty, "--auth-retry", options); |
| 517 | AppendFlag(flimflam::kOpenVPNCompLZOProperty, "--comp-lzo", options); |
| 518 | AppendFlag(flimflam::kOpenVPNCompNoAdaptProperty, "--comp-noadapt", options); |
| 519 | AppendFlag( |
| 520 | flimflam::kOpenVPNPushPeerInfoProperty, "--push-peer-info", options); |
| 521 | AppendValueOption(flimflam::kOpenVPNRenegSecProperty, "--reneg-sec", options); |
| 522 | AppendValueOption(flimflam::kOpenVPNShaperProperty, "--shaper", options); |
| 523 | AppendValueOption(flimflam::kOpenVPNServerPollTimeoutProperty, |
| 524 | "--server-poll-timeout", options); |
| 525 | |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 526 | if (!InitNSSOptions(options, error)) { |
| 527 | return; |
Darin Petkov | 3c5e4dc | 2012-04-02 14:44:27 +0200 | [diff] [blame] | 528 | } |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 529 | |
| 530 | // Client-side ping support. |
Darin Petkov | f3c71d7 | 2012-03-21 12:32:15 +0100 | [diff] [blame] | 531 | AppendValueOption(kOpenVPNPingProperty, "--ping", options); |
| 532 | AppendValueOption(kOpenVPNPingExitProperty, "--ping-exit", options); |
| 533 | AppendValueOption(kOpenVPNPingRestartProperty, "--ping-restart", options); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 534 | |
| 535 | AppendValueOption(flimflam::kOpenVPNCaCertProperty, "--ca", options); |
Darin Petkov | f3c71d7 | 2012-03-21 12:32:15 +0100 | [diff] [blame] | 536 | AppendValueOption(kOpenVPNCertProperty, "--cert", options); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 537 | AppendValueOption( |
| 538 | flimflam::kOpenVPNNsCertTypeProperty, "--ns-cert-type", options); |
Darin Petkov | f3c71d7 | 2012-03-21 12:32:15 +0100 | [diff] [blame] | 539 | AppendValueOption(kOpenVPNKeyProperty, "--key", options); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 540 | |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 541 | InitPKCS11Options(options); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 542 | |
| 543 | // TLS suport. |
Darin Petkov | 7f06033 | 2012-03-14 11:46:47 +0100 | [diff] [blame] | 544 | string remote_cert_tls = |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 545 | args()->LookupString(flimflam::kOpenVPNRemoteCertTLSProperty, ""); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 546 | if (remote_cert_tls.empty()) { |
| 547 | remote_cert_tls = "server"; |
| 548 | } |
| 549 | if (remote_cert_tls != "none") { |
| 550 | options->push_back("--remote-cert-tls"); |
| 551 | options->push_back(remote_cert_tls); |
| 552 | } |
| 553 | |
| 554 | // This is an undocumented command line argument that works like a .cfg file |
| 555 | // entry. TODO(sleffler): Maybe roll this into --tls-auth? |
| 556 | AppendValueOption( |
| 557 | flimflam::kOpenVPNKeyDirectionProperty, "--key-direction", options); |
| 558 | // TODO(sleffler): Support more than one eku parameter. |
| 559 | AppendValueOption( |
| 560 | flimflam::kOpenVPNRemoteCertEKUProperty, "--remote-cert-eku", options); |
| 561 | AppendValueOption( |
| 562 | flimflam::kOpenVPNRemoteCertKUProperty, "--remote-cert-ku", options); |
| 563 | |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 564 | if (!InitManagementChannelOptions(options, error)) { |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 565 | return; |
| 566 | } |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 567 | |
Darin Petkov | a9b1fed | 2012-02-29 11:49:05 +0100 | [diff] [blame] | 568 | // Setup openvpn-script options and RPC information required to send back |
| 569 | // Layer 3 configuration. |
| 570 | options->push_back("--setenv"); |
| 571 | options->push_back("CONNMAN_BUSNAME"); |
| 572 | options->push_back(rpc_task_->GetRpcConnectionIdentifier()); |
| 573 | options->push_back("--setenv"); |
| 574 | options->push_back("CONNMAN_INTERFACE"); |
| 575 | options->push_back(rpc_task_->GetRpcInterfaceIdentifier()); |
| 576 | options->push_back("--setenv"); |
| 577 | options->push_back("CONNMAN_PATH"); |
| 578 | options->push_back(rpc_task_->GetRpcIdentifier()); |
| 579 | options->push_back("--script-security"); |
| 580 | options->push_back("2"); |
| 581 | options->push_back("--up"); |
| 582 | options->push_back(kOpenVPNScript); |
| 583 | options->push_back("--up-restart"); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 584 | |
| 585 | // Disable openvpn handling since we do route+ifconfig work. |
| 586 | options->push_back("--route-noexec"); |
| 587 | options->push_back("--ifconfig-noexec"); |
| 588 | |
| 589 | // Drop root privileges on connection and enable callback scripts to send |
| 590 | // notify messages. |
| 591 | options->push_back("--user"); |
| 592 | options->push_back("openvpn"); |
| 593 | options->push_back("--group"); |
| 594 | options->push_back("openvpn"); |
| 595 | } |
| 596 | |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 597 | bool OpenVPNDriver::InitNSSOptions(vector<string> *options, Error *error) { |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 598 | string ca_cert = |
| 599 | args()->LookupString(flimflam::kOpenVPNCaCertNSSProperty, ""); |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 600 | if (!ca_cert.empty()) { |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 601 | if (!args()->LookupString(flimflam::kOpenVPNCaCertProperty, "").empty()) { |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 602 | Error::PopulateAndLog(error, |
| 603 | Error::kInvalidArguments, |
| 604 | "Can't specify both CACert and CACertNSS."); |
| 605 | return false; |
| 606 | } |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 607 | const string &vpnhost = args()->GetString(flimflam::kProviderHostProperty); |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 608 | vector<char> id(vpnhost.begin(), vpnhost.end()); |
| 609 | FilePath certfile = nss_->GetPEMCertfile(ca_cert, id); |
| 610 | if (certfile.empty()) { |
| 611 | LOG(ERROR) << "Unable to extract certificate: " << ca_cert; |
| 612 | } else { |
| 613 | options->push_back("--ca"); |
| 614 | options->push_back(certfile.value()); |
| 615 | } |
| 616 | } |
| 617 | return true; |
| 618 | } |
| 619 | |
| 620 | void OpenVPNDriver::InitPKCS11Options(vector<string> *options) { |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 621 | string id = args()->LookupString(flimflam::kOpenVPNClientCertIdProperty, ""); |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 622 | if (!id.empty()) { |
| 623 | string provider = |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 624 | args()->LookupString(flimflam::kOpenVPNProviderProperty, ""); |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 625 | if (provider.empty()) { |
| 626 | provider = kDefaultPKCS11Provider; |
| 627 | } |
| 628 | options->push_back("--pkcs11-providers"); |
| 629 | options->push_back(provider); |
| 630 | options->push_back("--pkcs11-id"); |
| 631 | options->push_back(id); |
| 632 | } |
| 633 | } |
| 634 | |
| 635 | bool OpenVPNDriver::InitManagementChannelOptions( |
| 636 | vector<string> *options, Error *error) { |
Darin Petkov | 602303f | 2012-06-06 12:15:59 +0200 | [diff] [blame] | 637 | if (!management_server_->Start(dispatcher(), &sockets_, options)) { |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 638 | Error::PopulateAndLog( |
| 639 | error, Error::kInternalError, "Unable to setup management channel."); |
| 640 | return false; |
| 641 | } |
Darin Petkov | a5e07ef | 2012-07-09 14:27:57 +0200 | [diff] [blame] | 642 | // If there's a connected default service already, allow the openvpn client to |
| 643 | // establish connection as soon as it's started. Otherwise, hold the client |
| 644 | // until an underlying service connects and OnDefaultServiceChanged is |
| 645 | // invoked. |
| 646 | ServiceRefPtr service = manager()->GetDefaultService(); |
| 647 | if (service && service->IsConnected()) { |
| 648 | management_server_->ReleaseHold(); |
| 649 | } |
Darin Petkov | e0d5dd1 | 2012-04-04 16:10:48 +0200 | [diff] [blame] | 650 | return true; |
| 651 | } |
| 652 | |
Darin Petkov | 55771b7 | 2012-04-25 09:25:19 +0200 | [diff] [blame] | 653 | void OpenVPNDriver::InitLoggingOptions(vector<string> *options) { |
| 654 | options->push_back("--syslog"); |
| 655 | |
| 656 | string verb = args()->LookupString(kOpenVPNVerbProperty, ""); |
| 657 | if (verb.empty() && SLOG_IS_ON(VPN, 0)) { |
| 658 | verb = "3"; |
| 659 | } |
| 660 | if (!verb.empty()) { |
| 661 | options->push_back("--verb"); |
| 662 | options->push_back(verb); |
| 663 | } |
| 664 | } |
| 665 | |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 666 | bool OpenVPNDriver::AppendValueOption( |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 667 | const string &property, const string &option, vector<string> *options) { |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 668 | string value = args()->LookupString(property, ""); |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 669 | if (!value.empty()) { |
| 670 | options->push_back(option); |
| 671 | options->push_back(value); |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 672 | return true; |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 673 | } |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 674 | return false; |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 675 | } |
| 676 | |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 677 | bool OpenVPNDriver::AppendFlag( |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 678 | const string &property, const string &option, vector<string> *options) { |
Darin Petkov | b451d6e | 2012-04-23 11:56:41 +0200 | [diff] [blame] | 679 | if (args()->ContainsString(property)) { |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 680 | options->push_back(option); |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 681 | return true; |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 682 | } |
Darin Petkov | 4646302 | 2012-03-29 14:57:32 +0200 | [diff] [blame] | 683 | return false; |
Darin Petkov | fe6a937 | 2012-02-28 16:25:06 +0100 | [diff] [blame] | 684 | } |
| 685 | |
Darin Petkov | 6aa2187 | 2012-03-09 16:10:19 +0100 | [diff] [blame] | 686 | void OpenVPNDriver::Disconnect() { |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 687 | SLOG(VPN, 2) << __func__; |
Darin Petkov | 3f9131c | 2012-03-20 11:37:32 +0100 | [diff] [blame] | 688 | Cleanup(Service::kStateIdle); |
Darin Petkov | 6aa2187 | 2012-03-09 16:10:19 +0100 | [diff] [blame] | 689 | } |
| 690 | |
Darin Petkov | 5eb0542 | 2012-05-11 15:45:25 +0200 | [diff] [blame] | 691 | void OpenVPNDriver::OnConnectionDisconnected() { |
Darin Petkov | 602303f | 2012-06-06 12:15:59 +0200 | [diff] [blame] | 692 | LOG(ERROR) << "VPN connection disconnected."; |
Darin Petkov | 5eb0542 | 2012-05-11 15:45:25 +0200 | [diff] [blame] | 693 | Cleanup(Service::kStateFailure); |
| 694 | } |
| 695 | |
Darin Petkov | 271fe52 | 2012-03-27 13:47:29 +0200 | [diff] [blame] | 696 | void OpenVPNDriver::OnReconnecting() { |
Ben Chan | fad4a0b | 2012-04-18 15:49:59 -0700 | [diff] [blame] | 697 | SLOG(VPN, 2) << __func__; |
Darin Petkov | 602303f | 2012-06-06 12:15:59 +0200 | [diff] [blame] | 698 | StartConnectTimeout(); |
Darin Petkov | a5e07ef | 2012-07-09 14:27:57 +0200 | [diff] [blame] | 699 | // On restart/reconnect, drop the VPN connection, if any. The openvpn client |
| 700 | // might be in hold state if the VPN connection was previously established |
| 701 | // successfully. The hold will be released by OnDefaultServiceChanged when a |
| 702 | // new default service connects. This ensures that the client will use a fully |
| 703 | // functional underlying connection to reconnect. |
Darin Petkov | 271fe52 | 2012-03-27 13:47:29 +0200 | [diff] [blame] | 704 | if (device_) { |
| 705 | device_->OnDisconnected(); |
| 706 | } |
| 707 | if (service_) { |
| 708 | service_->SetState(Service::kStateAssociating); |
| 709 | } |
| 710 | } |
| 711 | |
Paul Stewart | 39964fa | 2012-04-04 09:50:25 -0700 | [diff] [blame] | 712 | string OpenVPNDriver::GetProviderType() const { |
| 713 | return flimflam::kProviderOpenVpn; |
| 714 | } |
| 715 | |
Darin Petkov | b536a74 | 2012-04-26 11:31:28 +0200 | [diff] [blame] | 716 | KeyValueStore OpenVPNDriver::GetProvider(Error *error) { |
| 717 | SLOG(VPN, 2) << __func__; |
| 718 | KeyValueStore props = VPNDriver::GetProvider(error); |
| 719 | props.SetBool(flimflam::kPassphraseRequiredProperty, |
| 720 | args()->LookupString( |
| 721 | flimflam::kOpenVPNPasswordProperty, "").empty()); |
| 722 | return props; |
| 723 | } |
| 724 | |
Darin Petkov | 1a462de | 2012-05-02 11:10:48 +0200 | [diff] [blame] | 725 | // TODO(petkov): Consider refactoring lsb-release parsing out into a shared |
| 726 | // singleton if it's used outside OpenVPN. |
| 727 | bool OpenVPNDriver::ParseLSBRelease(map<string, string> *lsb_release) { |
| 728 | SLOG(VPN, 2) << __func__ << "(" << lsb_release_file_.value() << ")"; |
| 729 | string contents; |
| 730 | if (!file_util::ReadFileToString(lsb_release_file_, &contents)) { |
| 731 | LOG(ERROR) << "Unable to read the lsb-release file: " |
| 732 | << lsb_release_file_.value(); |
| 733 | return false; |
| 734 | } |
| 735 | vector<string> lines; |
| 736 | SplitString(contents, '\n', &lines); |
| 737 | for (vector<string>::const_iterator it = lines.begin(); |
| 738 | it != lines.end(); ++it) { |
| 739 | size_t assign = it->find('='); |
| 740 | if (assign == string::npos) { |
| 741 | continue; |
| 742 | } |
| 743 | (*lsb_release)[it->substr(0, assign)] = it->substr(assign + 1); |
| 744 | } |
| 745 | return true; |
| 746 | } |
| 747 | |
| 748 | void OpenVPNDriver::InitEnvironment(vector<string> *environment) { |
| 749 | // Adds the platform name and version to the environment so that openvpn can |
| 750 | // send them to the server when OpenVPN.PushPeerInfo is set. |
| 751 | map<string, string> lsb_release; |
| 752 | ParseLSBRelease(&lsb_release); |
| 753 | string platform_name = lsb_release[kChromeOSReleaseName]; |
| 754 | if (!platform_name.empty()) { |
| 755 | environment->push_back("IV_PLAT=" + platform_name); |
| 756 | } |
| 757 | string platform_version = lsb_release[kChromeOSReleaseVersion]; |
| 758 | if (!platform_version.empty()) { |
| 759 | environment->push_back("IV_PLAT_REL=" + platform_version); |
| 760 | } |
| 761 | } |
| 762 | |
Darin Petkov | a5e07ef | 2012-07-09 14:27:57 +0200 | [diff] [blame] | 763 | void OpenVPNDriver::OnDefaultServiceChanged(const ServiceRefPtr &service) { |
| 764 | SLOG(VPN, 2) << __func__ |
| 765 | << "(" << (service ? service->friendly_name() : "-") << ")"; |
| 766 | // Allow the openvpn client to connect/reconnect only over a connected |
| 767 | // underlying default service. If there's no default connected service, hold |
| 768 | // the openvpn client until an underlying connection is established. If the |
| 769 | // default service is our VPN service, hold the openvpn client on reconnect so |
| 770 | // that the VPN connection can be torn down fully before a new connection |
| 771 | // attempt is made over the underlying service. |
| 772 | if (service && service != service_ && service->IsConnected()) { |
| 773 | management_server_->ReleaseHold(); |
| 774 | } else { |
| 775 | management_server_->Hold(); |
| 776 | } |
| 777 | } |
| 778 | |
Darin Petkov | 33af05c | 2012-02-28 10:10:30 +0100 | [diff] [blame] | 779 | } // namespace shill |