Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / connectivity / shill / 94cde5868317c2f874f97cf9a31ad147c8058109 / . / openvpn_driver.cc
blob: c2af24361f6bda127cc595cb256cf2305fbbbe0d [file] [log] [blame]
Darin Petkov33af05c2012-02-28 10:10:30 +0100[diff] [blame]1// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "shill/openvpn_driver.h"
6
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]7#include <arpa/inet.h>
8
Darin Petkov1fa81942012-04-02 11:38:08 +0200[diff] [blame]9#include <base/file_util.h>
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]10#include <base/string_number_conversions.h>
Darin Petkov78f63262012-03-26 01:30:24 +0200[diff] [blame]11#include <base/string_split.h>
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]12#include <base/string_util.h>
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]13#include <chromeos/dbus/service_constants.h>
14
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]15#include "shill/certificate_file.h"
Paul Stewartce4ec192012-03-14 12:53:46 -0700[diff] [blame]16#include "shill/connection.h"
Paul Stewartca6abd42012-03-01 15:45:29 -0800[diff] [blame]17#include "shill/device_info.h"
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]18#include "shill/dhcp_config.h"
Darin Petkov33af05c2012-02-28 10:10:30 +0100[diff] [blame]19#include "shill/error.h"
Christopher Wileyb691efd2012-08-09 13:51:51 -0700[diff] [blame]20#include "shill/logging.h"
Paul Stewartce4ec192012-03-14 12:53:46 -0700[diff] [blame]21#include "shill/manager.h"
Darin Petkov3c5e4dc2012-04-02 14:44:27 +0200[diff] [blame]22#include "shill/nss.h"
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]23#include "shill/openvpn_management_server.h"
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]24#include "shill/process_killer.h"
Darin Petkova9b1fed2012-02-29 11:49:05 +0100[diff] [blame]25#include "shill/rpc_task.h"
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]26#include "shill/sockets.h"
mukesh agrawal9da07772013-05-15 14:15:17 -0700[diff] [blame]27#include "shill/virtual_device.h"
Darin Petkov79d74c92012-03-07 17:20:32 +0100[diff] [blame]28#include "shill/vpn_service.h"
Darin Petkov33af05c2012-02-28 10:10:30 +0100[diff] [blame]29
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]30using base::Closure;
Albert Chaulk0e1cdea2013-02-27 15:32:55 -0800[diff] [blame]31using base::FilePath;
Darin Petkov78f63262012-03-26 01:30:24 +0200[diff] [blame]32using base::SplitString;
Darin Petkova5e07ef2012-07-09 14:27:57 +0200[diff] [blame]33using base::Unretained;
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]34using base::WeakPtr;
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]35using std::map;
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]36using std::string;
37using std::vector;
38
Darin Petkov33af05c2012-02-28 10:10:30 +0100[diff] [blame]39namespace shill {
40
Darin Petkova9b1fed2012-02-29 11:49:05 +0100[diff] [blame]41namespace {
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]42
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]43const char kOpenVPNForeignOptionPrefix[] = "foreign_option_";
44const char kOpenVPNIfconfigBroadcast[] = "ifconfig_broadcast";
45const char kOpenVPNIfconfigLocal[] = "ifconfig_local";
46const char kOpenVPNIfconfigNetmask[] = "ifconfig_netmask";
47const char kOpenVPNIfconfigRemote[] = "ifconfig_remote";
48const char kOpenVPNRouteOptionPrefix[] = "route_";
49const char kOpenVPNRouteVPNGateway[] = "route_vpn_gateway";
50const char kOpenVPNTrustedIP[] = "trusted_ip";
51const char kOpenVPNTunMTU[] = "tun_mtu";
Darin Petkovf3c71d72012-03-21 12:32:15 +0100[diff] [blame]52
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]53const char kDefaultPKCS11Provider[] = "libchaps.so";
54
Paul Stewart4698c1a2013-05-16 15:42:19 -0700[diff] [blame]55// Some configurations pass the netmask in the ifconfig_remote property.
56// This is due to some servers not explicitly indicating that they are using
57// a "broadcast mode" network instead of peer-to-peer. See
58// http://crbug.com/241264 for an example of this issue.
59const char kSuspectedNetmaskPrefix[] = "255.";
60
Paul Stewartebd38562012-03-23 13:06:40 -0700[diff] [blame]61} // namespace
62
63// static
Darin Petkovc418b4b2012-10-05 11:42:52 +0200[diff] [blame]64const char OpenVPNDriver::kDefaultCACertificates[] =
65 "/etc/ssl/certs/ca-certificates.crt";
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]66// static
Paul Stewartebd38562012-03-23 13:06:40 -0700[diff] [blame]67const char OpenVPNDriver::kOpenVPNPath[] = "/usr/sbin/openvpn";
68// static
Darin Petkov728faa92012-10-12 11:25:47 +0200[diff] [blame]69const char OpenVPNDriver::kOpenVPNScript[] = SHIMDIR "/openvpn-script";
Paul Stewartebd38562012-03-23 13:06:40 -0700[diff] [blame]70// static
Darin Petkovd4325392012-04-23 15:48:22 +0200[diff] [blame]71const VPNDriver::Property OpenVPNDriver::kProperties[] = {
Darin Petkov1847d792012-04-17 11:33:06 +0200[diff] [blame]72 { flimflam::kOpenVPNAuthNoCacheProperty, 0 },
73 { flimflam::kOpenVPNAuthProperty, 0 },
74 { flimflam::kOpenVPNAuthRetryProperty, 0 },
75 { flimflam::kOpenVPNAuthUserPassProperty, 0 },
76 { flimflam::kOpenVPNCaCertNSSProperty, 0 },
77 { flimflam::kOpenVPNCaCertProperty, 0 },
78 { flimflam::kOpenVPNCipherProperty, 0 },
Darin Petkovcb715292012-04-25 13:04:37 +0200[diff] [blame]79 { flimflam::kOpenVPNClientCertIdProperty, Property::kCredential },
Darin Petkov1847d792012-04-17 11:33:06 +0200[diff] [blame]80 { flimflam::kOpenVPNCompLZOProperty, 0 },
81 { flimflam::kOpenVPNCompNoAdaptProperty, 0 },
82 { flimflam::kOpenVPNKeyDirectionProperty, 0 },
83 { flimflam::kOpenVPNNsCertTypeProperty, 0 },
Darin Petkovcb715292012-04-25 13:04:37 +0200[diff] [blame]84 { flimflam::kOpenVPNOTPProperty,
Darin Petkov02236552012-06-11 13:15:19 +0200[diff] [blame]85 Property::kEphemeral | Property::kCredential | Property::kWriteOnly },
86 { flimflam::kOpenVPNPasswordProperty,
87 Property::kCredential | Property::kWriteOnly },
Darin Petkovcb715292012-04-25 13:04:37 +0200[diff] [blame]88 { flimflam::kOpenVPNPinProperty, Property::kCredential },
Darin Petkov1847d792012-04-17 11:33:06 +0200[diff] [blame]89 { flimflam::kOpenVPNPortProperty, 0 },
90 { flimflam::kOpenVPNProtoProperty, 0 },
91 { flimflam::kOpenVPNProviderProperty, 0 },
92 { flimflam::kOpenVPNPushPeerInfoProperty, 0 },
93 { flimflam::kOpenVPNRemoteCertEKUProperty, 0 },
94 { flimflam::kOpenVPNRemoteCertKUProperty, 0 },
95 { flimflam::kOpenVPNRemoteCertTLSProperty, 0 },
96 { flimflam::kOpenVPNRenegSecProperty, 0 },
97 { flimflam::kOpenVPNServerPollTimeoutProperty, 0 },
98 { flimflam::kOpenVPNShaperProperty, 0 },
99 { flimflam::kOpenVPNStaticChallengeProperty, 0 },
100 { flimflam::kOpenVPNTLSAuthContentsProperty, 0 },
101 { flimflam::kOpenVPNTLSRemoteProperty, 0 },
102 { flimflam::kOpenVPNUserProperty, 0 },
103 { flimflam::kProviderHostProperty, 0 },
Darin Petkov1847d792012-04-17 11:33:06 +0200[diff] [blame]104 { flimflam::kProviderTypeProperty, 0 },
Paul Stewart0f9c9302013-06-14 15:41:28 -0700[diff] [blame]105 { kOpenVPNCaCertPemProperty, Property::kArray },
Darin Petkov1847d792012-04-17 11:33:06 +0200[diff] [blame]106 { kOpenVPNCertProperty, 0 },
Paul Stewartf3b6d572013-06-17 09:35:33 -0700[diff] [blame]107 { kOpenVPNExtraCertPemProperty, Property::kArray },
Darin Petkov1847d792012-04-17 11:33:06 +0200[diff] [blame]108 { kOpenVPNKeyProperty, 0 },
109 { kOpenVPNPingExitProperty, 0 },
110 { kOpenVPNPingProperty, 0 },
111 { kOpenVPNPingRestartProperty, 0 },
112 { kOpenVPNTLSAuthProperty, 0 },
113 { kOpenVPNVerbProperty, 0 },
114 { kVPNMTUProperty, 0 },
Darin Petkovf3c71d72012-03-21 12:32:15 +0100[diff] [blame]115};
Paul Stewart291a4732012-03-14 19:19:02 -0700[diff] [blame]116
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]117const char OpenVPNDriver::kLSBReleaseFile[] = "/etc/lsb-release";
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]118const char OpenVPNDriver::kChromeOSReleaseName[] = "CHROMEOS_RELEASE_NAME";
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]119const char OpenVPNDriver::kChromeOSReleaseVersion[] =
120 "CHROMEOS_RELEASE_VERSION";
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]121
122// Directory where OpenVPN configuration files are exported while the
123// process is running.
124const char OpenVPNDriver::kDefaultOpenVPNConfigurationDirectory[] =
125 RUNDIR "/openvpn_config";
126
Darin Petkov0cd0d1e2013-02-11 12:49:10 +0100[diff] [blame]127const int OpenVPNDriver::kReconnectOfflineTimeoutSeconds = 2 * 60;
128const int OpenVPNDriver::kReconnectTLSErrorTimeoutSeconds = 20;
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]129
Darin Petkova9b1fed2012-02-29 11:49:05 +0100[diff] [blame]130OpenVPNDriver::OpenVPNDriver(ControlInterface *control,
Darin Petkovf20994f2012-03-05 16:12:19 +0100[diff] [blame]131 EventDispatcher *dispatcher,
132 Metrics *metrics,
133 Manager *manager,
Paul Stewartca6abd42012-03-01 15:45:29 -0800[diff] [blame]134 DeviceInfo *device_info,
Paul Stewart451aa7f2012-04-11 19:07:58 -0700[diff] [blame]135 GLib *glib)
Darin Petkov602303f2012-06-06 12:15:59 +0200[diff] [blame]136 : VPNDriver(dispatcher, manager, kProperties, arraysize(kProperties)),
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]137 control_(control),
Darin Petkovf20994f2012-03-05 16:12:19 +0100[diff] [blame]138 metrics_(metrics),
Paul Stewartca6abd42012-03-01 15:45:29 -0800[diff] [blame]139 device_info_(device_info),
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]140 glib_(glib),
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]141 management_server_(new OpenVPNManagementServer(this, glib)),
Darin Petkov3c5e4dc2012-04-02 14:44:27 +0200[diff] [blame]142 nss_(NSS::GetInstance()),
Paul Stewarteb713e82013-06-28 14:51:54 -0700[diff] [blame]143 certificate_file_(new CertificateFile()),
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]144 process_killer_(ProcessKiller::GetInstance()),
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]145 lsb_release_file_(kLSBReleaseFile),
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]146 openvpn_config_directory_(kDefaultOpenVPNConfigurationDirectory),
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]147 pid_(0),
Darin Petkova5e07ef2012-07-09 14:27:57 +0200[diff] [blame]148 child_watch_tag_(0),
149 default_service_callback_tag_(0) {}
Darin Petkov33af05c2012-02-28 10:10:30 +0100[diff] [blame]150
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]151OpenVPNDriver::~OpenVPNDriver() {
Darin Petkovaba89322013-03-11 14:48:22 +0100[diff] [blame]152 IdleService();
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]153}
154
Darin Petkovaba89322013-03-11 14:48:22 +0100[diff] [blame]155void OpenVPNDriver::IdleService() {
Darin Petkov1c049c72013-03-21 13:15:45 +0100[diff] [blame]156 Cleanup(Service::kStateIdle,
157 Service::kFailureUnknown,
158 Service::kErrorDetailsNone);
Darin Petkovaba89322013-03-11 14:48:22 +0100[diff] [blame]159}
160
Darin Petkov1c049c72013-03-21 13:15:45 +0100[diff] [blame]161void OpenVPNDriver::FailService(Service::ConnectFailure failure,
162 const string &error_details) {
163 Cleanup(Service::kStateFailure, failure, error_details);
Darin Petkovaba89322013-03-11 14:48:22 +0100[diff] [blame]164}
165
166void OpenVPNDriver::Cleanup(Service::ConnectState state,
Darin Petkov1c049c72013-03-21 13:15:45 +0100[diff] [blame]167 Service::ConnectFailure failure,
Darin Petkovaba89322013-03-11 14:48:22 +0100[diff] [blame]168 const string &error_details) {
Ben Chanfad4a0b2012-04-18 15:49:59 -0700[diff] [blame]169 SLOG(VPN, 2) << __func__ << "(" << Service::ConnectStateToString(state)
Darin Petkovaba89322013-03-11 14:48:22 +0100[diff] [blame]170 << ", " << error_details << ")";
Darin Petkov602303f2012-06-06 12:15:59 +0200[diff] [blame]171 StopConnectTimeout();
Darin Petkov84a95532013-03-13 12:24:45 +0100[diff] [blame]172 if (child_watch_tag_) {
173 glib_->SourceRemove(child_watch_tag_);
174 child_watch_tag_ = 0;
175 }
176 // Disconnecting the management interface will terminate the openvpn
177 // process. Ensure this is handled robustly by first removing the child watch
178 // above and then terminating and reaping the process through ProcessKiller.
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]179 management_server_->Stop();
Darin Petkov1fa81942012-04-02 11:38:08 +0200[diff] [blame]180 if (!tls_auth_file_.empty()) {
181 file_util::Delete(tls_auth_file_, false);
182 tls_auth_file_.clear();
183 }
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]184 if (!openvpn_config_file_.empty()) {
185 file_util::Delete(openvpn_config_file_, false);
186 openvpn_config_file_.clear();
187 }
Darin Petkova5e07ef2012-07-09 14:27:57 +0200[diff] [blame]188 if (default_service_callback_tag_) {
189 manager()->DeregisterDefaultServiceCallback(default_service_callback_tag_);
190 default_service_callback_tag_ = 0;
191 }
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]192 rpc_task_.reset();
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]193 int interface_index = -1;
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]194 if (device_) {
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]195 interface_index = device_->interface_index();
mukesh agrawal9da07772013-05-15 14:15:17 -0700[diff] [blame]196 device_->DropConnection();
Eric Shienbrood9a245532012-03-07 14:20:39 -0500[diff] [blame]197 device_->SetEnabled(false);
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]198 device_ = NULL;
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]199 }
200 if (pid_) {
201 Closure callback;
202 if (interface_index >= 0) {
203 callback =
204 Bind(&DeleteInterface, device_info_->AsWeakPtr(), interface_index);
205 interface_index = -1;
206 }
207 process_killer_->Kill(pid_, callback);
208 pid_ = 0;
209 }
210 if (interface_index >= 0) {
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]211 device_info_->DeleteInterface(interface_index);
212 }
213 tunnel_interface_.clear();
Darin Petkov79d74c92012-03-07 17:20:32 +0100[diff] [blame]214 if (service_) {
Darin Petkov1c049c72013-03-21 13:15:45 +0100[diff] [blame]215 if (state == Service::kStateFailure) {
216 service_->SetErrorDetails(error_details);
217 service_->SetFailure(failure);
218 } else {
219 service_->SetState(state);
220 }
Darin Petkov79d74c92012-03-07 17:20:32 +0100[diff] [blame]221 service_ = NULL;
222 }
Darin Petkov3189a472012-10-05 09:55:33 +0200[diff] [blame]223 ip_properties_ = IPConfig::Properties();
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]224}
225
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]226// static
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]227string OpenVPNDriver::JoinOptions(const vector<vector<string>> &options,
228 char separator) {
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]229 vector<string> option_strings;
230 for (const auto &option : options) {
Paul Stewart7590d6f2013-08-07 12:47:39 -0700[diff] [blame]231 vector<string> quoted_option;
232 for (const auto &argument : option) {
233 if (argument.find(' ') != string::npos ||
234 argument.find('\t') != string::npos ||
235 argument.find('"') != string::npos ||
236 argument.find(separator) != string::npos) {
237 string quoted_argument(argument);
238 const char separator_chars[] = { separator, '\0' };
239 ReplaceChars(argument, separator_chars, " ", &quoted_argument);
240 ReplaceChars(quoted_argument, "\\", "\\\\", &quoted_argument);
241 ReplaceChars(quoted_argument, "\"", "\\\"", &quoted_argument);
242 quoted_option.push_back("\"" + quoted_argument + "\"");
243 } else {
244 quoted_option.push_back(argument);
245 }
246 }
247 option_strings.push_back(JoinString(quoted_option, ' '));
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]248 }
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]249 return JoinString(option_strings, separator);
250}
251
252bool OpenVPNDriver::WriteConfigFile(
253 const vector<vector<string>> &options,
254 FilePath *config_file) {
255 if (!file_util::DirectoryExists(openvpn_config_directory_)) {
256 if (!file_util::CreateDirectory(openvpn_config_directory_)) {
257 LOG(ERROR) << "Unable to create configuration directory "
258 << openvpn_config_directory_.value();
259 return false;
260 }
261 if (chmod(openvpn_config_directory_.value().c_str(), S_IRWXU)) {
262 LOG(ERROR) << "Failed to set permissions on "
263 << openvpn_config_directory_.value();
264 file_util::Delete(openvpn_config_directory_, true);
265 return false;
266 }
267 }
268
269 string contents = JoinOptions(options, '\n');
270 contents.push_back('\n');
271 if (!file_util::CreateTemporaryFileInDir(openvpn_config_directory_,
272 config_file) ||
273 file_util::WriteFile(*config_file, contents.data(), contents.size()) !=
274 static_cast<int>(contents.size())) {
275 LOG(ERROR) << "Unable to setup OpenVPN config file.";
276 return false;
277 }
278 return true;
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]279}
280
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]281bool OpenVPNDriver::SpawnOpenVPN() {
Ben Chanfad4a0b2012-04-18 15:49:59 -0700[diff] [blame]282 SLOG(VPN, 2) << __func__ << "(" << tunnel_interface_ << ")";
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]283
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]284 vector<vector<string>> options;
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]285 Error error;
286 InitOptions(&options, &error);
287 if (error.IsFailure()) {
288 return false;
289 }
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]290 LOG(INFO) << "OpenVPN process options: " << JoinOptions(options, ',');
291 if (!WriteConfigFile(options, &openvpn_config_file_)) {
292 return false;
293 }
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]294
mukesh agrawalae30e9e2013-05-28 14:09:16 -0700[diff] [blame]295 // TODO(quiche): This should be migrated to use ExternalTask.
296 // (crbug.com/246263).
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]297 vector<char *> process_args;
298 process_args.push_back(const_cast<char *>(kOpenVPNPath));
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]299 process_args.push_back(const_cast<char *>("--config"));
300 process_args.push_back(const_cast<char *>(
301 openvpn_config_file_.value().c_str()));
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]302 process_args.push_back(NULL);
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]303
304 vector<string> environment;
305 InitEnvironment(&environment);
306
307 vector<char *> process_env;
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]308 for (const auto &environment_variable : environment) {
309 process_env.push_back(const_cast<char *>(environment_variable.c_str()));
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]310 }
311 process_env.push_back(NULL);
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]312
313 CHECK(!pid_);
Darin Petkov68710d72013-02-13 14:22:56 +0100[diff] [blame]314 if (!glib_->SpawnAsync(NULL,
315 process_args.data(),
316 process_env.data(),
317 G_SPAWN_DO_NOT_REAP_CHILD,
318 NULL,
319 NULL,
320 &pid_,
321 NULL)) {
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]322 LOG(ERROR) << "Unable to spawn: " << kOpenVPNPath;
323 return false;
324 }
325 CHECK(!child_watch_tag_);
326 child_watch_tag_ = glib_->ChildWatchAdd(pid_, OnOpenVPNDied, this);
327 return true;
328}
329
330// static
331void OpenVPNDriver::OnOpenVPNDied(GPid pid, gint status, gpointer data) {
Ben Chanfad4a0b2012-04-18 15:49:59 -0700[diff] [blame]332 SLOG(VPN, 2) << __func__ << "(" << pid << ", " << status << ")";
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]333 OpenVPNDriver *me = reinterpret_cast<OpenVPNDriver *>(data);
334 me->child_watch_tag_ = 0;
335 CHECK_EQ(pid, me->pid_);
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]336 me->pid_ = 0;
Darin Petkov1c049c72013-03-21 13:15:45 +0100[diff] [blame]337 me->FailService(Service::kFailureInternal, Service::kErrorDetailsNone);
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]338 // TODO(petkov): Figure if we need to restart the connection.
339}
Darin Petkov33af05c2012-02-28 10:10:30 +0100[diff] [blame]340
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]341// static
Darin Petkov5dbd2612012-06-07 16:22:16 +0200[diff] [blame]342void OpenVPNDriver::DeleteInterface(const WeakPtr<DeviceInfo> &device_info,
Darin Petkov5a850472012-06-06 15:44:24 +0200[diff] [blame]343 int interface_index) {
344 if (device_info) {
345 LOG(INFO) << "Deleting interface " << interface_index;
346 device_info->DeleteInterface(interface_index);
347 }
348}
349
Paul Stewartca6abd42012-03-01 15:45:29 -0800[diff] [blame]350bool OpenVPNDriver::ClaimInterface(const string &link_name,
351 int interface_index) {
352 if (link_name != tunnel_interface_) {
353 return false;
354 }
355
Ben Chanfad4a0b2012-04-18 15:49:59 -0700[diff] [blame]356 SLOG(VPN, 2) << "Claiming " << link_name << " for OpenVPN tunnel";
Paul Stewartca6abd42012-03-01 15:45:29 -0800[diff] [blame]357
Darin Petkovf20994f2012-03-05 16:12:19 +0100[diff] [blame]358 CHECK(!device_);
mukesh agrawal9da07772013-05-15 14:15:17 -0700[diff] [blame]359 device_ = new VirtualDevice(control_, dispatcher(), metrics_, manager(),
360 link_name, interface_index, Technology::kVPN);
Eric Shienbrood9a245532012-03-07 14:20:39 -0500[diff] [blame]361 device_->SetEnabled(true);
Eric Shienbrood9a245532012-03-07 14:20:39 -0500[diff] [blame]362
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]363 rpc_task_.reset(new RPCTask(control_, this));
Darin Petkov1c049c72013-03-21 13:15:45 +0100[diff] [blame]364 if (SpawnOpenVPN()) {
Darin Petkov68710d72013-02-13 14:22:56 +0100[diff] [blame]365 default_service_callback_tag_ =
366 manager()->RegisterDefaultServiceCallback(
367 Bind(&OpenVPNDriver::OnDefaultServiceChanged, Unretained(this)));
Darin Petkov1c049c72013-03-21 13:15:45 +0100[diff] [blame]368 } else {
369 FailService(Service::kFailureInternal, Service::kErrorDetailsNone);
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]370 }
Paul Stewartca6abd42012-03-01 15:45:29 -0800[diff] [blame]371 return true;
372}
373
Darin Petkov209e6292012-04-20 11:33:32 +0200[diff] [blame]374void OpenVPNDriver::GetLogin(string */*user*/, string */*password*/) {
375 NOTREACHED();
376}
377
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]378void OpenVPNDriver::Notify(const string &reason,
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]379 const map<string, string> &dict) {
Darin Petkov602303f2012-06-06 12:15:59 +0200[diff] [blame]380 LOG(INFO) << "IP configuration received: " << reason;
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]381 if (reason != "up") {
mukesh agrawal9da07772013-05-15 14:15:17 -0700[diff] [blame]382 device_->DropConnection();
Darin Petkov36a3ace2012-03-06 17:22:14 +0100[diff] [blame]383 return;
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]384 }
Darin Petkov3189a472012-10-05 09:55:33 +0200[diff] [blame]385 // On restart/reconnect, update the existing IP configuration.
386 ParseIPConfiguration(dict, &ip_properties_);
387 device_->SelectService(service_);
388 device_->UpdateIPConfig(ip_properties_);
Paul Stewart91a43cb2013-03-02 21:34:15 -0800[diff] [blame]389 ReportConnectionMetrics();
Darin Petkov602303f2012-06-06 12:15:59 +0200[diff] [blame]390 StopConnectTimeout();
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]391}
392
393// static
394void OpenVPNDriver::ParseIPConfiguration(
395 const map<string, string> &configuration,
396 IPConfig::Properties *properties) {
397 ForeignOptions foreign_options;
Darin Petkov60596742012-03-05 12:17:17 +0100[diff] [blame]398 RouteOptions routes;
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]399 properties->address_family = IPAddress::kFamilyIPv4;
Darin Petkove8587e32012-07-02 13:56:07 +0200[diff] [blame]400 if (!properties->subnet_prefix) {
401 properties->subnet_prefix =
402 IPAddress::GetMaxPrefixLength(properties->address_family);
403 }
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]404 for (const auto &configuration_map : configuration) {
405 const string &key = configuration_map.first;
406 const string &value = configuration_map.second;
Ben Chanfad4a0b2012-04-18 15:49:59 -0700[diff] [blame]407 SLOG(VPN, 2) << "Processing: " << key << " -> " << value;
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]408 if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigLocal)) {
409 properties->address = value;
410 } else if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigBroadcast)) {
411 properties->broadcast_address = value;
412 } else if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigNetmask)) {
Paul Stewart48100b02012-03-19 07:53:52 -0700[diff] [blame]413 properties->subnet_prefix =
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]414 IPAddress::GetPrefixLengthFromMask(properties->address_family, value);
415 } else if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigRemote)) {
Paul Stewart4698c1a2013-05-16 15:42:19 -0700[diff] [blame]416 if (StartsWithASCII(value, kSuspectedNetmaskPrefix, false)) {
417 LOG(WARNING) << "Option " << key << " value " << value
418 << " looks more like a netmask than a peer address; "
419 << "assuming it is the former.";
420 // In this situation, the "peer_address" value will be left
421 // unset and Connection::UpdateFromIPConfig() will treat the
422 // interface as if it were a broadcast-style network. The
423 // kernel will, automatically set the peer address equal to
424 // the local address.
425 properties->subnet_prefix =
426 IPAddress::GetPrefixLengthFromMask(properties->address_family,
427 value);
428 } else {
429 properties->peer_address = value;
430 }
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]431 } else if (LowerCaseEqualsASCII(key, kOpenVPNRouteVPNGateway)) {
432 properties->gateway = value;
433 } else if (LowerCaseEqualsASCII(key, kOpenVPNTrustedIP)) {
Paul Stewartce4ec192012-03-14 12:53:46 -0700[diff] [blame]434 properties->trusted_ip = value;
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]435 } else if (LowerCaseEqualsASCII(key, kOpenVPNTunMTU)) {
436 int mtu = 0;
437 if (base::StringToInt(value, &mtu) && mtu >= DHCPConfig::kMinMTU) {
438 properties->mtu = mtu;
439 } else {
440 LOG(ERROR) << "MTU " << value << " ignored.";
441 }
442 } else if (StartsWithASCII(key, kOpenVPNForeignOptionPrefix, false)) {
443 const string suffix = key.substr(strlen(kOpenVPNForeignOptionPrefix));
444 int order = 0;
445 if (base::StringToInt(suffix, &order)) {
446 foreign_options[order] = value;
447 } else {
448 LOG(ERROR) << "Ignored unexpected foreign option suffix: " << suffix;
449 }
450 } else if (StartsWithASCII(key, kOpenVPNRouteOptionPrefix, false)) {
Darin Petkov60596742012-03-05 12:17:17 +0100[diff] [blame]451 ParseRouteOption(key.substr(strlen(kOpenVPNRouteOptionPrefix)),
452 value, &routes);
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]453 } else {
Ben Chanfad4a0b2012-04-18 15:49:59 -0700[diff] [blame]454 SLOG(VPN, 2) << "Key ignored.";
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]455 }
456 }
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]457 ParseForeignOptions(foreign_options, properties);
Darin Petkov60596742012-03-05 12:17:17 +0100[diff] [blame]458 SetRoutes(routes, properties);
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]459}
460
461// static
462void OpenVPNDriver::ParseForeignOptions(const ForeignOptions &options,
463 IPConfig::Properties *properties) {
Darin Petkove8587e32012-07-02 13:56:07 +0200[diff] [blame]464 vector<string> domain_search;
465 vector<string> dns_servers;
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]466 for (const auto &option_map : options) {
467 ParseForeignOption(option_map.second, &domain_search, &dns_servers);
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]468 }
Darin Petkove8587e32012-07-02 13:56:07 +0200[diff] [blame]469 if (!domain_search.empty()) {
470 properties->domain_search.swap(domain_search);
471 }
472 LOG_IF(WARNING, properties->domain_search.empty())
473 << "No search domains provided.";
474 if (!dns_servers.empty()) {
475 properties->dns_servers.swap(dns_servers);
476 }
477 LOG_IF(WARNING, properties->dns_servers.empty())
478 << "No DNS servers provided.";
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]479}
480
481// static
482void OpenVPNDriver::ParseForeignOption(const string &option,
Darin Petkove8587e32012-07-02 13:56:07 +0200[diff] [blame]483 vector<string> *domain_search,
484 vector<string> *dns_servers) {
Ben Chanfad4a0b2012-04-18 15:49:59 -0700[diff] [blame]485 SLOG(VPN, 2) << __func__ << "(" << option << ")";
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]486 vector<string> tokens;
Darin Petkov78f63262012-03-26 01:30:24 +0200[diff] [blame]487 SplitString(option, ' ', &tokens);
488 if (tokens.size() != 3 || !LowerCaseEqualsASCII(tokens[0], "dhcp-option")) {
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]489 return;
490 }
491 if (LowerCaseEqualsASCII(tokens[1], "domain")) {
Darin Petkove8587e32012-07-02 13:56:07 +0200[diff] [blame]492 domain_search->push_back(tokens[2]);
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]493 } else if (LowerCaseEqualsASCII(tokens[1], "dns")) {
Darin Petkove8587e32012-07-02 13:56:07 +0200[diff] [blame]494 dns_servers->push_back(tokens[2]);
Darin Petkov14c29ec2012-03-02 11:34:19 +0100[diff] [blame]495 }
496}
497
Darin Petkov60596742012-03-05 12:17:17 +0100[diff] [blame]498// static
499IPConfig::Route *OpenVPNDriver::GetRouteOptionEntry(
500 const string &prefix, const string &key, RouteOptions *routes) {
501 int order = 0;
502 if (!StartsWithASCII(key, prefix, false) ||
503 !base::StringToInt(key.substr(prefix.size()), &order)) {
504 return NULL;
505 }
506 return &(*routes)[order];
507}
508
509// static
510void OpenVPNDriver::ParseRouteOption(
511 const string &key, const string &value, RouteOptions *routes) {
512 IPConfig::Route *route = GetRouteOptionEntry("network_", key, routes);
513 if (route) {
514 route->host = value;
515 return;
516 }
517 route = GetRouteOptionEntry("netmask_", key, routes);
518 if (route) {
519 route->netmask = value;
520 return;
521 }
522 route = GetRouteOptionEntry("gateway_", key, routes);
523 if (route) {
524 route->gateway = value;
525 return;
526 }
527 LOG(WARNING) << "Unknown route option ignored: " << key;
528}
529
530// static
531void OpenVPNDriver::SetRoutes(const RouteOptions &routes,
532 IPConfig::Properties *properties) {
Darin Petkove8587e32012-07-02 13:56:07 +0200[diff] [blame]533 vector<IPConfig::Route> new_routes;
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]534 for (const auto &route_map : routes) {
535 const IPConfig::Route &route = route_map.second;
Darin Petkov60596742012-03-05 12:17:17 +0100[diff] [blame]536 if (route.host.empty() || route.netmask.empty() || route.gateway.empty()) {
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]537 LOG(WARNING) << "Ignoring incomplete route: " << route_map.first;
Darin Petkov60596742012-03-05 12:17:17 +0100[diff] [blame]538 continue;
539 }
Darin Petkove8587e32012-07-02 13:56:07 +0200[diff] [blame]540 new_routes.push_back(route);
Darin Petkov60596742012-03-05 12:17:17 +0100[diff] [blame]541 }
Darin Petkove8587e32012-07-02 13:56:07 +0200[diff] [blame]542 if (!new_routes.empty()) {
543 properties->routes.swap(new_routes);
544 }
545 LOG_IF(WARNING, properties->routes.empty()) << "No routes provided.";
Darin Petkov60596742012-03-05 12:17:17 +0100[diff] [blame]546}
547
Darin Petkov4b944842012-09-21 10:48:48 +0200[diff] [blame]548// static
549bool OpenVPNDriver::SplitPortFromHost(
550 const string &host, string *name, string *port) {
551 vector<string> tokens;
552 SplitString(host, ':', &tokens);
553 int port_number = 0;
554 if (tokens.size() != 2 || tokens[0].empty() || tokens[1].empty() ||
555 !IsAsciiDigit(tokens[1][0]) ||
556 !base::StringToInt(tokens[1], &port_number) || port_number > kuint16max) {
557 return false;
558 }
559 *name = tokens[0];
560 *port = tokens[1];
561 return true;
562}
563
Darin Petkov602303f2012-06-06 12:15:59 +0200[diff] [blame]564void OpenVPNDriver::Connect(const VPNServiceRefPtr &service, Error *error) {
Darin Petkov0cd0d1e2013-02-11 12:49:10 +0100[diff] [blame]565 StartConnectTimeout(kDefaultConnectTimeoutSeconds);
Darin Petkov79d74c92012-03-07 17:20:32 +0100[diff] [blame]566 service_ = service;
567 service_->SetState(Service::kStateConfiguring);
Darin Petkovf20994f2012-03-05 16:12:19 +0100[diff] [blame]568 if (!device_info_->CreateTunnelInterface(&tunnel_interface_)) {
569 Error::PopulateAndLog(
570 error, Error::kInternalError, "Could not create tunnel interface.");
Darin Petkov1c049c72013-03-21 13:15:45 +0100[diff] [blame]571 FailService(Service::kFailureInternal, Service::kErrorDetailsNone);
Darin Petkovf20994f2012-03-05 16:12:19 +0100[diff] [blame]572 }
573 // Wait for the ClaimInterface callback to continue the connection process.
Darin Petkov33af05c2012-02-28 10:10:30 +0100[diff] [blame]574}
575
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]576void OpenVPNDriver::InitOptions(vector<vector<string>> *options, Error *error) {
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]577 string vpnhost = args()->LookupString(flimflam::kProviderHostProperty, "");
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]578 if (vpnhost.empty()) {
579 Error::PopulateAndLog(
580 error, Error::kInvalidArguments, "VPN host not specified.");
581 return;
582 }
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]583 AppendOption("client", options);
584 AppendOption("tls-client", options);
Darin Petkov4b944842012-09-21 10:48:48 +0200[diff] [blame]585
Darin Petkov4b944842012-09-21 10:48:48 +0200[diff] [blame]586 string host_name, host_port;
587 if (SplitPortFromHost(vpnhost, &host_name, &host_port)) {
588 DCHECK(!host_name.empty());
589 DCHECK(!host_port.empty());
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]590 AppendOption("remote", host_name, host_port, options);
Darin Petkov4b944842012-09-21 10:48:48 +0200[diff] [blame]591 } else {
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]592 AppendOption("remote", vpnhost, options);
Darin Petkov4b944842012-09-21 10:48:48 +0200[diff] [blame]593 }
594
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]595 AppendOption("nobind", options);
596 AppendOption("persist-key", options);
597 AppendOption("persist-tun", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]598
Darin Petkovf20994f2012-03-05 16:12:19 +0100[diff] [blame]599 CHECK(!tunnel_interface_.empty());
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]600 AppendOption("dev", tunnel_interface_, options);
601 AppendOption("dev-type", "tun", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]602
Darin Petkov55771b72012-04-25 09:25:19 +0200[diff] [blame]603 InitLoggingOptions(options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]604
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]605 AppendValueOption(kVPNMTUProperty, "mtu", options);
606 AppendValueOption(flimflam::kOpenVPNProtoProperty, "proto", options);
607 AppendValueOption(flimflam::kOpenVPNPortProperty, "port", options);
608 AppendValueOption(kOpenVPNTLSAuthProperty, "tls-auth", options);
Darin Petkov1fa81942012-04-02 11:38:08 +0200[diff] [blame]609 {
610 string contents =
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]611 args()->LookupString(flimflam::kOpenVPNTLSAuthContentsProperty, "");
Darin Petkov1fa81942012-04-02 11:38:08 +0200[diff] [blame]612 if (!contents.empty()) {
613 if (!file_util::CreateTemporaryFile(&tls_auth_file_) ||
614 file_util::WriteFile(
615 tls_auth_file_, contents.data(), contents.size()) !=
616 static_cast<int>(contents.size())) {
617 Error::PopulateAndLog(
618 error, Error::kInternalError, "Unable to setup tls-auth file.");
619 return;
620 }
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]621 AppendOption("tls-auth", tls_auth_file_.value(), options);
Darin Petkov1fa81942012-04-02 11:38:08 +0200[diff] [blame]622 }
623 }
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]624 AppendValueOption(
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]625 flimflam::kOpenVPNTLSRemoteProperty, "tls-remote", options);
626 AppendValueOption(flimflam::kOpenVPNCipherProperty, "cipher", options);
627 AppendValueOption(flimflam::kOpenVPNAuthProperty, "auth", options);
628 AppendFlag(flimflam::kOpenVPNAuthNoCacheProperty, "auth-nocache", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]629 AppendValueOption(
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]630 flimflam::kOpenVPNAuthRetryProperty, "auth-retry", options);
631 AppendFlag(flimflam::kOpenVPNCompLZOProperty, "comp-lzo", options);
632 AppendFlag(flimflam::kOpenVPNCompNoAdaptProperty, "comp-noadapt", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]633 AppendFlag(
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]634 flimflam::kOpenVPNPushPeerInfoProperty, "push-peer-info", options);
635 AppendValueOption(flimflam::kOpenVPNRenegSecProperty, "reneg-sec", options);
636 AppendValueOption(flimflam::kOpenVPNShaperProperty, "shaper", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]637 AppendValueOption(flimflam::kOpenVPNServerPollTimeoutProperty,
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]638 "server-poll-timeout", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]639
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]640 if (!InitCAOptions(options, error)) {
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]641 return;
Darin Petkov3c5e4dc2012-04-02 14:44:27 +0200[diff] [blame]642 }
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]643
644 // Client-side ping support.
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]645 AppendValueOption(kOpenVPNPingProperty, "ping", options);
646 AppendValueOption(kOpenVPNPingExitProperty, "ping-exit", options);
647 AppendValueOption(kOpenVPNPingRestartProperty, "ping-restart", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]648
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]649 AppendValueOption(
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]650 flimflam::kOpenVPNNsCertTypeProperty, "ns-cert-type", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]651
Darin Petkov4e1b3f82012-09-27 13:22:37 +0200[diff] [blame]652 InitClientAuthOptions(options);
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]653 InitPKCS11Options(options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]654
655 // TLS suport.
Darin Petkov7f060332012-03-14 11:46:47 +0100[diff] [blame]656 string remote_cert_tls =
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]657 args()->LookupString(flimflam::kOpenVPNRemoteCertTLSProperty, "");
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]658 if (remote_cert_tls.empty()) {
659 remote_cert_tls = "server";
660 }
661 if (remote_cert_tls != "none") {
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]662 AppendOption("remote-cert-tls", remote_cert_tls, options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]663 }
664
665 // This is an undocumented command line argument that works like a .cfg file
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]666 // entry. TODO(sleffler): Maybe roll this into the "tls-auth" option?
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]667 AppendValueOption(
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]668 flimflam::kOpenVPNKeyDirectionProperty, "key-direction", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]669 // TODO(sleffler): Support more than one eku parameter.
670 AppendValueOption(
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]671 flimflam::kOpenVPNRemoteCertEKUProperty, "remote-cert-eku", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]672 AppendValueOption(
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]673 flimflam::kOpenVPNRemoteCertKUProperty, "remote-cert-ku", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]674
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]675 if (!InitManagementChannelOptions(options, error)) {
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]676 return;
677 }
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]678
Darin Petkova9b1fed2012-02-29 11:49:05 +0100[diff] [blame]679 // Setup openvpn-script options and RPC information required to send back
680 // Layer 3 configuration.
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]681 AppendOption("setenv", kRPCTaskServiceVariable,
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]682 rpc_task_->GetRpcConnectionIdentifier(), options);
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]683 AppendOption("setenv", kRPCTaskServiceVariable,
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]684 rpc_task_->GetRpcConnectionIdentifier(), options);
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]685 AppendOption("setenv", kRPCTaskPathVariable, rpc_task_->GetRpcIdentifier(),
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]686 options);
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]687 AppendOption("script-security", "2", options);
688 AppendOption("up", kOpenVPNScript, options);
689 AppendOption("up-restart", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]690
691 // Disable openvpn handling since we do route+ifconfig work.
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]692 AppendOption("route-noexec", options);
693 AppendOption("ifconfig-noexec", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]694
695 // Drop root privileges on connection and enable callback scripts to send
696 // notify messages.
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]697 AppendOption("user", "openvpn", options);
698 AppendOption("group", "openvpn", options);
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]699}
700
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]701bool OpenVPNDriver::InitCAOptions(
702 vector<vector<string>> *options, Error *error) {
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]703 string ca_cert =
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]704 args()->LookupString(flimflam::kOpenVPNCaCertProperty, "");
705 string ca_cert_nss =
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]706 args()->LookupString(flimflam::kOpenVPNCaCertNSSProperty, "");
Paul Stewart0f9c9302013-06-14 15:41:28 -0700[diff] [blame]707 vector<string> ca_cert_pem;
708 if (args()->ContainsStrings(kOpenVPNCaCertPemProperty)) {
709 ca_cert_pem = args()->GetStrings(kOpenVPNCaCertPemProperty);
710 }
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]711
712 int num_ca_cert_types = 0;
713 if (!ca_cert.empty())
714 num_ca_cert_types++;
715 if (!ca_cert_nss.empty())
716 num_ca_cert_types++;
717 if (!ca_cert_pem.empty())
718 num_ca_cert_types++;
719 if (num_ca_cert_types == 0) {
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]720 // Use default CAs if no CA certificate is provided.
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]721 AppendOption("ca", kDefaultCACertificates, options);
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]722 return true;
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]723 } else if (num_ca_cert_types > 1) {
724 Error::PopulateAndLog(
725 error, Error::kInvalidArguments,
726 "Can't specify more than one of CACert, CACertNSS and CACertPEM.");
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]727 return false;
728 }
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]729 string cert_file;
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]730 if (!ca_cert_nss.empty()) {
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]731 DCHECK(ca_cert.empty() && ca_cert_pem.empty());
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]732 const string &vpnhost = args()->GetString(flimflam::kProviderHostProperty);
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]733 vector<char> id(vpnhost.begin(), vpnhost.end());
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]734 FilePath certfile = nss_->GetPEMCertfile(ca_cert_nss, id);
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]735 if (certfile.empty()) {
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]736 Error::PopulateAndLog(
737 error,
738 Error::kInvalidArguments,
739 "Unable to extract NSS CA certificate: " + ca_cert_nss);
740 return false;
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]741 }
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]742 AppendOption("ca", certfile.value(), options);
Darin Petkovca8a0e62012-09-26 13:16:52 +0200[diff] [blame]743 return true;
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]744 } else if (!ca_cert_pem.empty()) {
745 DCHECK(ca_cert.empty() && ca_cert_nss.empty());
Paul Stewart0f9c9302013-06-14 15:41:28 -0700[diff] [blame]746 FilePath certfile = certificate_file_->CreatePEMFromStrings(ca_cert_pem);
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]747 if (certfile.empty()) {
748 Error::PopulateAndLog(
749 error,
750 Error::kInvalidArguments,
Paul Stewart0f9c9302013-06-14 15:41:28 -0700[diff] [blame]751 "Unable to extract PEM CA certificates.");
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]752 return false;
753 }
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]754 AppendOption("ca", certfile.value(), options);
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]755 return true;
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]756 }
Paul Stewart5baebb72013-03-14 11:43:29 -0700[diff] [blame]757 DCHECK(!ca_cert.empty() && ca_cert_nss.empty() && ca_cert_pem.empty());
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]758 AppendOption("ca", ca_cert, options);
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]759 return true;
760}
761
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]762void OpenVPNDriver::InitPKCS11Options(vector<vector<string>> *options) {
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]763 string id = args()->LookupString(flimflam::kOpenVPNClientCertIdProperty, "");
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]764 if (!id.empty()) {
765 string provider =
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]766 args()->LookupString(flimflam::kOpenVPNProviderProperty, "");
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]767 if (provider.empty()) {
768 provider = kDefaultPKCS11Provider;
769 }
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]770 AppendOption("pkcs11-providers", provider, options);
771 AppendOption("pkcs11-id", id, options);
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]772 }
773}
774
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]775void OpenVPNDriver::InitClientAuthOptions(vector<vector<string>> *options) {
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]776 bool has_cert = AppendValueOption(kOpenVPNCertProperty, "cert", options) ||
Paul Stewartbb985102013-06-27 16:51:11 -0700[diff] [blame]777 !args()->LookupString(flimflam::kOpenVPNClientCertIdProperty, "").empty();
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]778 bool has_key = AppendValueOption(kOpenVPNKeyProperty, "key", options);
Darin Petkov4e1b3f82012-09-27 13:22:37 +0200[diff] [blame]779 // If the AuthUserPass property is set, or the User property is non-empty, or
780 // there's neither a key, nor a cert available, specify user-password client
781 // authentication.
782 if (args()->ContainsString(flimflam::kOpenVPNAuthUserPassProperty) ||
783 !args()->LookupString(flimflam::kOpenVPNUserProperty, "").empty() ||
784 (!has_cert && !has_key)) {
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]785 AppendOption("auth-user-pass", options);
Darin Petkov4e1b3f82012-09-27 13:22:37 +0200[diff] [blame]786 }
787}
788
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]789bool OpenVPNDriver::InitManagementChannelOptions(
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]790 vector<vector<string>> *options, Error *error) {
Darin Petkov602303f2012-06-06 12:15:59 +0200[diff] [blame]791 if (!management_server_->Start(dispatcher(), &sockets_, options)) {
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]792 Error::PopulateAndLog(
793 error, Error::kInternalError, "Unable to setup management channel.");
794 return false;
795 }
Darin Petkova5e07ef2012-07-09 14:27:57 +0200[diff] [blame]796 // If there's a connected default service already, allow the openvpn client to
797 // establish connection as soon as it's started. Otherwise, hold the client
798 // until an underlying service connects and OnDefaultServiceChanged is
799 // invoked.
Darin Petkov4cbff5b2013-01-29 16:29:05 +0100[diff] [blame]800 if (manager()->IsOnline()) {
Darin Petkova5e07ef2012-07-09 14:27:57 +0200[diff] [blame]801 management_server_->ReleaseHold();
802 }
Darin Petkove0d5dd12012-04-04 16:10:48 +0200[diff] [blame]803 return true;
804}
805
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]806void OpenVPNDriver::InitLoggingOptions(vector<vector<string>> *options) {
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]807 AppendOption("syslog", options);
Darin Petkov55771b72012-04-25 09:25:19 +0200[diff] [blame]808
809 string verb = args()->LookupString(kOpenVPNVerbProperty, "");
810 if (verb.empty() && SLOG_IS_ON(VPN, 0)) {
811 verb = "3";
812 }
813 if (!verb.empty()) {
Paul Stewartb26347a2013-08-02 12:12:09 -0700[diff] [blame]814 AppendOption("verb", verb, options);
Darin Petkov55771b72012-04-25 09:25:19 +0200[diff] [blame]815 }
816}
817
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]818void OpenVPNDriver::AppendOption(
819 const string &option, vector<vector<string>> *options) {
820 options->push_back(vector<string>{ option });
821}
822
823void OpenVPNDriver::AppendOption(
824 const string &option,
825 const string &value,
826 vector<vector<string>> *options) {
827 options->push_back(vector<string>{ option, value });
828}
829
830void OpenVPNDriver::AppendOption(
831 const string &option,
832 const string &value0,
833 const string &value1,
834 vector<vector<string>> *options) {
835 options->push_back(vector<string>{ option, value0, value1 });
836}
837
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]838bool OpenVPNDriver::AppendValueOption(
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]839 const string &property,
840 const string &option,
841 vector<vector<string>> *options) {
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]842 string value = args()->LookupString(property, "");
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]843 if (!value.empty()) {
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]844 AppendOption(option, value, options);
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]845 return true;
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]846 }
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]847 return false;
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]848}
849
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]850bool OpenVPNDriver::AppendFlag(
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]851 const string &property,
852 const string &option,
853 vector<vector<string>> *options) {
Darin Petkovb451d6e2012-04-23 11:56:41 +0200[diff] [blame]854 if (args()->ContainsString(property)) {
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]855 AppendOption(option, options);
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]856 return true;
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]857 }
Darin Petkov46463022012-03-29 14:57:32 +0200[diff] [blame]858 return false;
Darin Petkovfe6a9372012-02-28 16:25:06 +0100[diff] [blame]859}
860
Darin Petkov6aa21872012-03-09 16:10:19 +0100[diff] [blame]861void OpenVPNDriver::Disconnect() {
Ben Chanfad4a0b2012-04-18 15:49:59 -0700[diff] [blame]862 SLOG(VPN, 2) << __func__;
Darin Petkovaba89322013-03-11 14:48:22 +0100[diff] [blame]863 IdleService();
Darin Petkov6aa21872012-03-09 16:10:19 +0100[diff] [blame]864}
865
Darin Petkov5eb05422012-05-11 15:45:25 +0200[diff] [blame]866void OpenVPNDriver::OnConnectionDisconnected() {
Darin Petkova42afe32013-02-05 16:53:52 +0100[diff] [blame]867 LOG(INFO) << "Underlying connection disconnected.";
868 // Restart the OpenVPN client forcing a reconnect attempt.
869 management_server_->Restart();
870 // Indicate reconnect state right away to drop the VPN connection and start
871 // the connect timeout. This ensures that any miscommunication between shill
872 // and openvpn will not lead to a permanently stale connectivity state. Note
873 // that a subsequent invocation of OnReconnecting due to a RECONNECTING
874 // message will essentially be a no-op.
Darin Petkov0cd0d1e2013-02-11 12:49:10 +0100[diff] [blame]875 OnReconnecting(kReconnectReasonOffline);
Darin Petkova42afe32013-02-05 16:53:52 +0100[diff] [blame]876}
877
878void OpenVPNDriver::OnConnectTimeout() {
879 VPNDriver::OnConnectTimeout();
Darin Petkov1c049c72013-03-21 13:15:45 +0100[diff] [blame]880 Service::ConnectFailure failure =
881 management_server_->state() == OpenVPNManagementServer::kStateResolve ?
882 Service::kFailureDNSLookup : Service::kFailureConnect;
883 FailService(failure, Service::kErrorDetailsNone);
Darin Petkov5eb05422012-05-11 15:45:25 +0200[diff] [blame]884}
885
Darin Petkov0cd0d1e2013-02-11 12:49:10 +0100[diff] [blame]886void OpenVPNDriver::OnReconnecting(ReconnectReason reason) {
887 LOG(INFO) << __func__ << "(" << reason << ")";
888 int timeout_seconds = GetReconnectTimeoutSeconds(reason);
889 if (reason == kReconnectReasonTLSError &&
890 timeout_seconds < connect_timeout_seconds()) {
891 // Reconnect due to TLS error happens during connect so we need to cancel
892 // the original connect timeout first and then reduce the time limit.
893 StopConnectTimeout();
894 }
895 StartConnectTimeout(timeout_seconds);
Darin Petkova5e07ef2012-07-09 14:27:57 +0200[diff] [blame]896 // On restart/reconnect, drop the VPN connection, if any. The openvpn client
897 // might be in hold state if the VPN connection was previously established
898 // successfully. The hold will be released by OnDefaultServiceChanged when a
899 // new default service connects. This ensures that the client will use a fully
900 // functional underlying connection to reconnect.
Darin Petkov271fe522012-03-27 13:47:29 +0200[diff] [blame]901 if (device_) {
mukesh agrawal9da07772013-05-15 14:15:17 -0700[diff] [blame]902 device_->DropConnection();
Darin Petkov271fe522012-03-27 13:47:29 +0200[diff] [blame]903 }
904 if (service_) {
905 service_->SetState(Service::kStateAssociating);
906 }
907}
908
Darin Petkov0cd0d1e2013-02-11 12:49:10 +0100[diff] [blame]909// static
910int OpenVPNDriver::GetReconnectTimeoutSeconds(ReconnectReason reason) {
911 switch (reason) {
912 case kReconnectReasonOffline:
913 return kReconnectOfflineTimeoutSeconds;
914 case kReconnectReasonTLSError:
915 return kReconnectTLSErrorTimeoutSeconds;
916 default:
917 break;
918 }
919 return kDefaultConnectTimeoutSeconds;
920}
921
Paul Stewart39964fa2012-04-04 09:50:25 -0700[diff] [blame]922string OpenVPNDriver::GetProviderType() const {
923 return flimflam::kProviderOpenVpn;
924}
925
Darin Petkovb536a742012-04-26 11:31:28 +0200[diff] [blame]926KeyValueStore OpenVPNDriver::GetProvider(Error *error) {
927 SLOG(VPN, 2) << __func__;
928 KeyValueStore props = VPNDriver::GetProvider(error);
929 props.SetBool(flimflam::kPassphraseRequiredProperty,
930 args()->LookupString(
931 flimflam::kOpenVPNPasswordProperty, "").empty());
932 return props;
933}
934
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]935// TODO(petkov): Consider refactoring lsb-release parsing out into a shared
936// singleton if it's used outside OpenVPN.
937bool OpenVPNDriver::ParseLSBRelease(map<string, string> *lsb_release) {
938 SLOG(VPN, 2) << __func__ << "(" << lsb_release_file_.value() << ")";
939 string contents;
940 if (!file_util::ReadFileToString(lsb_release_file_, &contents)) {
941 LOG(ERROR) << "Unable to read the lsb-release file: "
942 << lsb_release_file_.value();
943 return false;
944 }
945 vector<string> lines;
946 SplitString(contents, '\n', &lines);
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]947 for (const auto &line : lines) {
948 size_t assign = line.find('=');
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]949 if (assign == string::npos) {
950 continue;
951 }
Paul Stewart406c4732013-08-01 09:30:12 -0700[diff] [blame]952 (*lsb_release)[line.substr(0, assign)] = line.substr(assign + 1);
Darin Petkov1a462de2012-05-02 11:10:48 +0200[diff] [blame]953 }
954 return true;
955}
956
957void OpenVPNDriver::InitEnvironment(vector<string> *environment) {
958 // Adds the platform name and version to the environment so that openvpn can
959 // send them to the server when OpenVPN.PushPeerInfo is set.
960 map<string, string> lsb_release;
961 ParseLSBRelease(&lsb_release);
962 string platform_name = lsb_release[kChromeOSReleaseName];
963 if (!platform_name.empty()) {
964 environment->push_back("IV_PLAT=" + platform_name);
965 }
966 string platform_version = lsb_release[kChromeOSReleaseVersion];
967 if (!platform_version.empty()) {
968 environment->push_back("IV_PLAT_REL=" + platform_version);
969 }
970}
971
Darin Petkova5e07ef2012-07-09 14:27:57 +0200[diff] [blame]972void OpenVPNDriver::OnDefaultServiceChanged(const ServiceRefPtr &service) {
973 SLOG(VPN, 2) << __func__
Darin Petkov457728b2013-01-09 09:49:08 +0100[diff] [blame]974 << "(" << (service ? service->unique_name() : "-") << ")";
Darin Petkova5e07ef2012-07-09 14:27:57 +0200[diff] [blame]975 // Allow the openvpn client to connect/reconnect only over a connected
976 // underlying default service. If there's no default connected service, hold
977 // the openvpn client until an underlying connection is established. If the
978 // default service is our VPN service, hold the openvpn client on reconnect so
979 // that the VPN connection can be torn down fully before a new connection
980 // attempt is made over the underlying service.
981 if (service && service != service_ && service->IsConnected()) {
982 management_server_->ReleaseHold();
983 } else {
984 management_server_->Hold();
985 }
986}
987
Paul Stewart91a43cb2013-03-02 21:34:15 -0800[diff] [blame]988void OpenVPNDriver::ReportConnectionMetrics() {
989 metrics_->SendEnumToUMA(
990 Metrics::kMetricVpnDriver,
991 Metrics::kVpnDriverOpenVpn,
992 Metrics::kMetricVpnDriverMax);
993
Paul Stewarte8e71da2013-03-20 08:48:33 -0700[diff] [blame]994 if (args()->LookupString(flimflam::kOpenVPNCaCertNSSProperty, "") != "" ||
995 args()->LookupString(flimflam::kOpenVPNCaCertProperty, "") != "") {
Paul Stewart91a43cb2013-03-02 21:34:15 -0800[diff] [blame]996 metrics_->SendEnumToUMA(
997 Metrics::kMetricVpnRemoteAuthenticationType,
998 Metrics::kVpnRemoteAuthenticationTypeOpenVpnCertificate,
999 Metrics::kMetricVpnRemoteAuthenticationTypeMax);
1000 } else {
1001 metrics_->SendEnumToUMA(
1002 Metrics::kMetricVpnRemoteAuthenticationType,
1003 Metrics::kVpnRemoteAuthenticationTypeOpenVpnDefault,
1004 Metrics::kMetricVpnRemoteAuthenticationTypeMax);
1005 }
1006
1007 bool has_user_authentication = false;
Paul Stewarte8e71da2013-03-20 08:48:33 -0700[diff] [blame]1008 if (args()->LookupString(flimflam::kOpenVPNOTPProperty, "") != "") {
Paul Stewart91a43cb2013-03-02 21:34:15 -0800[diff] [blame]1009 metrics_->SendEnumToUMA(
1010 Metrics::kMetricVpnUserAuthenticationType,
1011 Metrics::kVpnUserAuthenticationTypeOpenVpnUsernamePasswordOtp,
1012 Metrics::kMetricVpnUserAuthenticationTypeMax);
1013 has_user_authentication = true;
1014 }
Paul Stewarte8e71da2013-03-20 08:48:33 -0700[diff] [blame]1015 if (args()->LookupString(flimflam::kOpenVPNAuthUserPassProperty, "") != ""||
1016 args()->LookupString(flimflam::kOpenVPNUserProperty, "") != "") {
Paul Stewart91a43cb2013-03-02 21:34:15 -0800[diff] [blame]1017 metrics_->SendEnumToUMA(
1018 Metrics::kMetricVpnUserAuthenticationType,
1019 Metrics::kVpnUserAuthenticationTypeOpenVpnUsernamePassword,
1020 Metrics::kMetricVpnUserAuthenticationTypeMax);
1021 has_user_authentication = true;
1022 }
Paul Stewarte8e71da2013-03-20 08:48:33 -0700[diff] [blame]1023 if (args()->LookupString(flimflam::kOpenVPNClientCertIdProperty, "") != "" ||
1024 args()->LookupString(kOpenVPNCertProperty, "") != "") {
Paul Stewart91a43cb2013-03-02 21:34:15 -0800[diff] [blame]1025 metrics_->SendEnumToUMA(
1026 Metrics::kMetricVpnUserAuthenticationType,
1027 Metrics::kVpnUserAuthenticationTypeOpenVpnCertificate,
1028 Metrics::kMetricVpnUserAuthenticationTypeMax);
1029 has_user_authentication = true;
1030 }
1031 if (!has_user_authentication) {
1032 metrics_->SendEnumToUMA(
1033 Metrics::kMetricVpnUserAuthenticationType,
1034 Metrics::kVpnUserAuthenticationTypeOpenVpnNone,
1035 Metrics::kMetricVpnUserAuthenticationTypeMax);
1036 }
1037}
1038
Darin Petkov33af05c2012-02-28 10:10:30 +0100[diff] [blame]1039} // namespace shill