Blame - openvpn_driver.cc - platform/system/connectivity/shill

blob: be68cfae810d09c58369a383ef753931f35d992a [file] [log] [blame]

Darin Petkov	33af05c	2012-02-28 10:10:30 +0100	[diff] [blame]	1	// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
				2	// Use of this source code is governed by a BSD-style license that can be
				3	// found in the LICENSE file.
				4
				5	#include "shill/openvpn_driver.h"
				6
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	7	#include <arpa/inet.h>
				8
Darin Petkov	1fa8194	2012-04-02 11:38:08 +0200	[diff] [blame]	9	#include <base/file_util.h>
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	10	#include <base/logging.h>
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	11	#include <base/string_number_conversions.h>
Darin Petkov	78f6326	2012-03-26 01:30:24 +0200	[diff] [blame]	12	#include <base/string_split.h>
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	13	#include <base/string_util.h>
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	14	#include <chromeos/dbus/service_constants.h>
				15
Paul Stewart	ce4ec19	2012-03-14 12:53:46 -0700	[diff] [blame]	16	#include "shill/connection.h"
Paul Stewart	ca6abd4	2012-03-01 15:45:29 -0800	[diff] [blame]	17	#include "shill/device_info.h"
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	18	#include "shill/dhcp_config.h"
Darin Petkov	33af05c	2012-02-28 10:10:30 +0100	[diff] [blame]	19	#include "shill/error.h"
Paul Stewart	ce4ec19	2012-03-14 12:53:46 -0700	[diff] [blame]	20	#include "shill/manager.h"
Darin Petkov	3c5e4dc	2012-04-02 14:44:27 +0200	[diff] [blame]	21	#include "shill/nss.h"
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	22	#include "shill/openvpn_management_server.h"
Paul Stewart	ebd3856	2012-03-23 13:06:40 -0700	[diff] [blame]	23	#include "shill/property_accessor.h"
Darin Petkov	a9b1fed	2012-02-29 11:49:05 +0100	[diff] [blame]	24	#include "shill/rpc_task.h"
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	25	#include "shill/sockets.h"
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	26	#include "shill/store_interface.h"
Darin Petkov	f20994f	2012-03-05 16:12:19 +0100	[diff] [blame]	27	#include "shill/vpn.h"
Darin Petkov	79d74c9	2012-03-07 17:20:32 +0100	[diff] [blame]	28	#include "shill/vpn_service.h"
Darin Petkov	33af05c	2012-02-28 10:10:30 +0100	[diff] [blame]	29
Darin Petkov	78f6326	2012-03-26 01:30:24 +0200	[diff] [blame]	30	using base::SplitString;
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	31	using std::map;
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	32	using std::string;
				33	using std::vector;
				34
Darin Petkov	33af05c	2012-02-28 10:10:30 +0100	[diff] [blame]	35	namespace shill {
				36
Darin Petkov	a9b1fed	2012-02-29 11:49:05 +0100	[diff] [blame]	37	namespace {
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	38	const char kOpenVPNForeignOptionPrefix[] = "foreign_option_";
				39	const char kOpenVPNIfconfigBroadcast[] = "ifconfig_broadcast";
				40	const char kOpenVPNIfconfigLocal[] = "ifconfig_local";
				41	const char kOpenVPNIfconfigNetmask[] = "ifconfig_netmask";
				42	const char kOpenVPNIfconfigRemote[] = "ifconfig_remote";
				43	const char kOpenVPNRouteOptionPrefix[] = "route_";
				44	const char kOpenVPNRouteVPNGateway[] = "route_vpn_gateway";
				45	const char kOpenVPNTrustedIP[] = "trusted_ip";
				46	const char kOpenVPNTunMTU[] = "tun_mtu";
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	47
Darin Petkov	e0d5dd1	2012-04-04 16:10:48 +0200	[diff] [blame]	48	const char kDefaultPKCS11Provider[] = "libchaps.so";
				49
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	50	// TODO(petkov): Move to chromeos/dbus/service_constants.h.
				51	const char kOpenVPNCertProperty[] = "OpenVPN.Cert";
				52	const char kOpenVPNKeyProperty[] = "OpenVPN.Key";
				53	const char kOpenVPNPingProperty[] = "OpenVPN.Ping";
				54	const char kOpenVPNPingExitProperty[] = "OpenVPN.PingExit";
				55	const char kOpenVPNPingRestartProperty[] = "OpenVPN.PingRestart";
				56	const char kOpenVPNTLSAuthProperty[] = "OpenVPN.TLSAuth";
				57	const char kOpenVPNVerbProperty[] = "OpenVPN.Verb";
				58	const char kVPNMTUProperty[] = "VPN.MTU";
				59
Paul Stewart	ebd3856	2012-03-23 13:06:40 -0700	[diff] [blame]	60	} // namespace
				61
				62	// static
				63	const char OpenVPNDriver::kOpenVPNPath[] = "/usr/sbin/openvpn";
				64	// static
				65	const char OpenVPNDriver::kOpenVPNScript[] = SCRIPTDIR "/openvpn-script";
				66	// static
				67	const OpenVPNDriver::Property OpenVPNDriver::kProperties[] = {
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	68	{ flimflam::kOpenVPNAuthNoCacheProperty, false },
				69	{ flimflam::kOpenVPNAuthProperty, false },
				70	{ flimflam::kOpenVPNAuthRetryProperty, false },
				71	{ flimflam::kOpenVPNAuthUserPassProperty, false },
				72	{ flimflam::kOpenVPNCaCertNSSProperty, false },
				73	{ flimflam::kOpenVPNCaCertProperty, false },
				74	{ flimflam::kOpenVPNCipherProperty, false },
				75	{ flimflam::kOpenVPNCompLZOProperty, false },
				76	{ flimflam::kOpenVPNCompNoAdaptProperty, false },
				77	{ flimflam::kOpenVPNKeyDirectionProperty, false },
				78	{ flimflam::kOpenVPNNsCertTypeProperty, false },
				79	{ flimflam::kOpenVPNPasswordProperty, true },
				80	{ flimflam::kOpenVPNPinProperty, false },
				81	{ flimflam::kOpenVPNPortProperty, false },
				82	{ flimflam::kOpenVPNProtoProperty, false },
				83	{ flimflam::kOpenVPNProviderProperty, false },
				84	{ flimflam::kOpenVPNPushPeerInfoProperty, false },
				85	{ flimflam::kOpenVPNRemoteCertEKUProperty, false },
				86	{ flimflam::kOpenVPNRemoteCertKUProperty, false },
				87	{ flimflam::kOpenVPNRemoteCertTLSProperty, false },
				88	{ flimflam::kOpenVPNRenegSecProperty, false },
				89	{ flimflam::kOpenVPNServerPollTimeoutProperty, false },
				90	{ flimflam::kOpenVPNShaperProperty, false },
				91	{ flimflam::kOpenVPNStaticChallengeProperty, false },
				92	{ flimflam::kOpenVPNTLSAuthContentsProperty, false },
				93	{ flimflam::kOpenVPNTLSRemoteProperty, false },
				94	{ flimflam::kOpenVPNUserProperty, false },
				95	{ flimflam::kProviderHostProperty, false },
				96	{ flimflam::kProviderNameProperty, false },
				97	{ flimflam::kProviderTypeProperty, false },
				98	{ kOpenVPNCertProperty, false },
				99	{ kOpenVPNKeyProperty, false },
				100	{ kOpenVPNPingExitProperty, false },
				101	{ kOpenVPNPingProperty, false },
				102	{ kOpenVPNPingRestartProperty, false },
				103	{ kOpenVPNTLSAuthProperty, false },
				104	{ kOpenVPNVerbProperty, false },
				105	{ kVPNMTUProperty, false },
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	106	};
Paul Stewart	291a473	2012-03-14 19:19:02 -0700	[diff] [blame]	107
Darin Petkov	a9b1fed	2012-02-29 11:49:05 +0100	[diff] [blame]	108	OpenVPNDriver::OpenVPNDriver(ControlInterface *control,
Darin Petkov	f20994f	2012-03-05 16:12:19 +0100	[diff] [blame]	109	EventDispatcher *dispatcher,
				110	Metrics *metrics,
				111	Manager *manager,
Paul Stewart	ca6abd4	2012-03-01 15:45:29 -0800	[diff] [blame]	112	DeviceInfo *device_info,
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	113	GLib *glib,
Darin Petkov	a9b1fed	2012-02-29 11:49:05 +0100	[diff] [blame]	114	const KeyValueStore &args)
				115	: control_(control),
Darin Petkov	f20994f	2012-03-05 16:12:19 +0100	[diff] [blame]	116	dispatcher_(dispatcher),
				117	metrics_(metrics),
				118	manager_(manager),
Paul Stewart	ca6abd4	2012-03-01 15:45:29 -0800	[diff] [blame]	119	device_info_(device_info),
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	120	glib_(glib),
				121	args_(args),
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	122	management_server_(new OpenVPNManagementServer(this, glib)),
Darin Petkov	3c5e4dc	2012-04-02 14:44:27 +0200	[diff] [blame]	123	nss_(NSS::GetInstance()),
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	124	pid_(0),
				125	child_watch_tag_(0) {}
Darin Petkov	33af05c	2012-02-28 10:10:30 +0100	[diff] [blame]	126
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	127	OpenVPNDriver::~OpenVPNDriver() {
Darin Petkov	3f9131c	2012-03-20 11:37:32 +0100	[diff] [blame]	128	Cleanup(Service::kStateIdle);
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	129	}
				130
Darin Petkov	3f9131c	2012-03-20 11:37:32 +0100	[diff] [blame]	131	void OpenVPNDriver::Cleanup(Service::ConnectState state) {
Darin Petkov	1fa8194	2012-04-02 11:38:08 +0200	[diff] [blame]	132	VLOG(2) << __func__ << "(" << Service::ConnectStateToString(state) << ")";
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	133	management_server_->Stop();
Darin Petkov	1fa8194	2012-04-02 11:38:08 +0200	[diff] [blame]	134	if (!tls_auth_file_.empty()) {
				135	file_util::Delete(tls_auth_file_, false);
				136	tls_auth_file_.clear();
				137	}
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	138	if (child_watch_tag_) {
				139	glib_->SourceRemove(child_watch_tag_);
				140	child_watch_tag_ = 0;
				141	CHECK(pid_);
				142	kill(pid_, SIGTERM);
				143	}
				144	if (pid_) {
				145	glib_->SpawnClosePID(pid_);
				146	pid_ = 0;
				147	}
				148	rpc_task_.reset();
				149	if (device_) {
				150	int interface_index = device_->interface_index();
Eric Shienbrood	9a24553	2012-03-07 14:20:39 -0500	[diff] [blame]	151	device_->SetEnabled(false);
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	152	device_ = NULL;
				153	device_info_->DeleteInterface(interface_index);
				154	}
				155	tunnel_interface_.clear();
Darin Petkov	79d74c9	2012-03-07 17:20:32 +0100	[diff] [blame]	156	if (service_) {
Darin Petkov	3f9131c	2012-03-20 11:37:32 +0100	[diff] [blame]	157	service_->SetState(state);
Darin Petkov	79d74c9	2012-03-07 17:20:32 +0100	[diff] [blame]	158	service_ = NULL;
				159	}
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	160	}
				161
				162	bool OpenVPNDriver::SpawnOpenVPN() {
				163	VLOG(2) << __func__ << "(" << tunnel_interface_ << ")";
				164
				165	vector<string> options;
				166	Error error;
				167	InitOptions(&options, &error);
				168	if (error.IsFailure()) {
				169	return false;
				170	}
				171	VLOG(2) << "OpenVPN process options: " << JoinString(options, ' ');
				172
				173	// TODO(petkov): This code needs to be abstracted away in a separate external
				174	// process module (crosbug.com/27131).
				175	vector<char *> process_args;
				176	process_args.push_back(const_cast<char *>(kOpenVPNPath));
				177	for (vector<string>::const_iterator it = options.begin();
				178	it != options.end(); ++it) {
				179	process_args.push_back(const_cast<char *>(it->c_str()));
				180	}
				181	process_args.push_back(NULL);
				182	char *envp[1] = { NULL };
				183
				184	CHECK(!pid_);
				185	// Redirect all openvpn output to stderr.
				186	int stderr_fd = fileno(stderr);
				187	if (!glib_->SpawnAsyncWithPipesCWD(process_args.data(),
				188	envp,
				189	G_SPAWN_DO_NOT_REAP_CHILD,
				190	NULL,
				191	NULL,
				192	&pid_,
				193	NULL,
				194	&stderr_fd,
				195	&stderr_fd,
				196	NULL)) {
				197	LOG(ERROR) << "Unable to spawn: " << kOpenVPNPath;
				198	return false;
				199	}
				200	CHECK(!child_watch_tag_);
				201	child_watch_tag_ = glib_->ChildWatchAdd(pid_, OnOpenVPNDied, this);
				202	return true;
				203	}
				204
				205	// static
				206	void OpenVPNDriver::OnOpenVPNDied(GPid pid, gint status, gpointer data) {
				207	VLOG(2) << __func__ << "(" << pid << ", " << status << ")";
				208	OpenVPNDriver me = reinterpret_cast<OpenVPNDriver >(data);
				209	me->child_watch_tag_ = 0;
				210	CHECK_EQ(pid, me->pid_);
Darin Petkov	3f9131c	2012-03-20 11:37:32 +0100	[diff] [blame]	211	me->Cleanup(Service::kStateFailure);
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	212	// TODO(petkov): Figure if we need to restart the connection.
				213	}
Darin Petkov	33af05c	2012-02-28 10:10:30 +0100	[diff] [blame]	214
Paul Stewart	ca6abd4	2012-03-01 15:45:29 -0800	[diff] [blame]	215	bool OpenVPNDriver::ClaimInterface(const string &link_name,
				216	int interface_index) {
				217	if (link_name != tunnel_interface_) {
				218	return false;
				219	}
				220
				221	VLOG(2) << "Claiming " << link_name << " for OpenVPN tunnel";
				222
Darin Petkov	f20994f	2012-03-05 16:12:19 +0100	[diff] [blame]	223	CHECK(!device_);
				224	device_ = new VPN(control_, dispatcher_, metrics_, manager_,
				225	link_name, interface_index);
Eric Shienbrood	9a24553	2012-03-07 14:20:39 -0500	[diff] [blame]	226
				227	device_->SetEnabled(true);
Darin Petkov	79d74c9	2012-03-07 17:20:32 +0100	[diff] [blame]	228	device_->SelectService(service_);
Eric Shienbrood	9a24553	2012-03-07 14:20:39 -0500	[diff] [blame]	229
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	230	rpc_task_.reset(new RPCTask(control_, this));
				231	if (!SpawnOpenVPN()) {
Darin Petkov	3f9131c	2012-03-20 11:37:32 +0100	[diff] [blame]	232	Cleanup(Service::kStateFailure);
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	233	}
Paul Stewart	ca6abd4	2012-03-01 15:45:29 -0800	[diff] [blame]	234	return true;
				235	}
				236
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	237	void OpenVPNDriver::Notify(const string &reason,
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	238	const map<string, string> &dict) {
				239	VLOG(2) << __func__ << "(" << reason << ")";
				240	if (reason != "up") {
Darin Petkov	79d74c9	2012-03-07 17:20:32 +0100	[diff] [blame]	241	device_->OnDisconnected();
Darin Petkov	36a3ace	2012-03-06 17:22:14 +0100	[diff] [blame]	242	return;
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	243	}
				244	IPConfig::Properties properties;
				245	ParseIPConfiguration(dict, &properties);
Paul Stewart	ce4ec19	2012-03-14 12:53:46 -0700	[diff] [blame]	246	PinHostRoute(properties);
				247
Darin Petkov	79d74c9	2012-03-07 17:20:32 +0100	[diff] [blame]	248	device_->UpdateIPConfig(properties);
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	249	}
				250
				251	// static
				252	void OpenVPNDriver::ParseIPConfiguration(
				253	const map<string, string> &configuration,
				254	IPConfig::Properties *properties) {
				255	ForeignOptions foreign_options;
Darin Petkov	6059674	2012-03-05 12:17:17 +0100	[diff] [blame]	256	RouteOptions routes;
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	257	properties->address_family = IPAddress::kFamilyIPv4;
Paul Stewart	48100b0	2012-03-19 07:53:52 -0700	[diff] [blame]	258	properties->subnet_prefix = IPAddress::GetMaxPrefixLength(
				259	properties->address_family);
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	260	for (map<string, string>::const_iterator it = configuration.begin();
				261	it != configuration.end(); ++it) {
				262	const string &key = it->first;
				263	const string &value = it->second;
				264	VLOG(2) << "Processing: " << key << " -> " << value;
				265	if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigLocal)) {
				266	properties->address = value;
				267	} else if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigBroadcast)) {
				268	properties->broadcast_address = value;
				269	} else if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigNetmask)) {
Paul Stewart	48100b0	2012-03-19 07:53:52 -0700	[diff] [blame]	270	properties->subnet_prefix =
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	271	IPAddress::GetPrefixLengthFromMask(properties->address_family, value);
				272	} else if (LowerCaseEqualsASCII(key, kOpenVPNIfconfigRemote)) {
				273	properties->peer_address = value;
				274	} else if (LowerCaseEqualsASCII(key, kOpenVPNRouteVPNGateway)) {
				275	properties->gateway = value;
				276	} else if (LowerCaseEqualsASCII(key, kOpenVPNTrustedIP)) {
Paul Stewart	ce4ec19	2012-03-14 12:53:46 -0700	[diff] [blame]	277	properties->trusted_ip = value;
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	278	} else if (LowerCaseEqualsASCII(key, kOpenVPNTunMTU)) {
				279	int mtu = 0;
				280	if (base::StringToInt(value, &mtu) && mtu >= DHCPConfig::kMinMTU) {
				281	properties->mtu = mtu;
				282	} else {
				283	LOG(ERROR) << "MTU " << value << " ignored.";
				284	}
				285	} else if (StartsWithASCII(key, kOpenVPNForeignOptionPrefix, false)) {
				286	const string suffix = key.substr(strlen(kOpenVPNForeignOptionPrefix));
				287	int order = 0;
				288	if (base::StringToInt(suffix, &order)) {
				289	foreign_options[order] = value;
				290	} else {
				291	LOG(ERROR) << "Ignored unexpected foreign option suffix: " << suffix;
				292	}
				293	} else if (StartsWithASCII(key, kOpenVPNRouteOptionPrefix, false)) {
Darin Petkov	6059674	2012-03-05 12:17:17 +0100	[diff] [blame]	294	ParseRouteOption(key.substr(strlen(kOpenVPNRouteOptionPrefix)),
				295	value, &routes);
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	296	} else {
				297	VLOG(2) << "Key ignored.";
				298	}
				299	}
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	300	ParseForeignOptions(foreign_options, properties);
Darin Petkov	6059674	2012-03-05 12:17:17 +0100	[diff] [blame]	301	SetRoutes(routes, properties);
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	302	}
				303
				304	// static
				305	void OpenVPNDriver::ParseForeignOptions(const ForeignOptions &options,
				306	IPConfig::Properties *properties) {
				307	for (ForeignOptions::const_iterator it = options.begin();
				308	it != options.end(); ++it) {
				309	ParseForeignOption(it->second, properties);
				310	}
				311	}
				312
				313	// static
				314	void OpenVPNDriver::ParseForeignOption(const string &option,
				315	IPConfig::Properties *properties) {
				316	VLOG(2) << __func__ << "(" << option << ")";
				317	vector<string> tokens;
Darin Petkov	78f6326	2012-03-26 01:30:24 +0200	[diff] [blame]	318	SplitString(option, ' ', &tokens);
				319	if (tokens.size() != 3 \|\| !LowerCaseEqualsASCII(tokens[0], "dhcp-option")) {
Darin Petkov	14c29ec	2012-03-02 11:34:19 +0100	[diff] [blame]	320	return;
				321	}
				322	if (LowerCaseEqualsASCII(tokens[1], "domain")) {
				323	properties->domain_search.push_back(tokens[2]);
				324	} else if (LowerCaseEqualsASCII(tokens[1], "dns")) {
				325	properties->dns_servers.push_back(tokens[2]);
				326	}
				327	}
				328
Darin Petkov	6059674	2012-03-05 12:17:17 +0100	[diff] [blame]	329	// static
				330	IPConfig::Route *OpenVPNDriver::GetRouteOptionEntry(
				331	const string &prefix, const string &key, RouteOptions *routes) {
				332	int order = 0;
				333	if (!StartsWithASCII(key, prefix, false) \|\|
				334	!base::StringToInt(key.substr(prefix.size()), &order)) {
				335	return NULL;
				336	}
				337	return &(*routes)[order];
				338	}
				339
				340	// static
				341	void OpenVPNDriver::ParseRouteOption(
				342	const string &key, const string &value, RouteOptions *routes) {
				343	IPConfig::Route *route = GetRouteOptionEntry("network_", key, routes);
				344	if (route) {
				345	route->host = value;
				346	return;
				347	}
				348	route = GetRouteOptionEntry("netmask_", key, routes);
				349	if (route) {
				350	route->netmask = value;
				351	return;
				352	}
				353	route = GetRouteOptionEntry("gateway_", key, routes);
				354	if (route) {
				355	route->gateway = value;
				356	return;
				357	}
				358	LOG(WARNING) << "Unknown route option ignored: " << key;
				359	}
				360
				361	// static
				362	void OpenVPNDriver::SetRoutes(const RouteOptions &routes,
				363	IPConfig::Properties *properties) {
				364	for (RouteOptions::const_iterator it = routes.begin();
				365	it != routes.end(); ++it) {
				366	const IPConfig::Route &route = it->second;
				367	if (route.host.empty() \|\| route.netmask.empty() \|\| route.gateway.empty()) {
				368	LOG(WARNING) << "Ignoring incomplete route: " << it->first;
				369	continue;
				370	}
				371	properties->routes.push_back(route);
				372	}
				373	}
				374
Darin Petkov	79d74c9	2012-03-07 17:20:32 +0100	[diff] [blame]	375	void OpenVPNDriver::Connect(const VPNServiceRefPtr &service,
				376	Error *error) {
				377	service_ = service;
				378	service_->SetState(Service::kStateConfiguring);
Darin Petkov	f20994f	2012-03-05 16:12:19 +0100	[diff] [blame]	379	if (!device_info_->CreateTunnelInterface(&tunnel_interface_)) {
				380	Error::PopulateAndLog(
				381	error, Error::kInternalError, "Could not create tunnel interface.");
Darin Petkov	3f9131c	2012-03-20 11:37:32 +0100	[diff] [blame]	382	Cleanup(Service::kStateFailure);
Darin Petkov	f20994f	2012-03-05 16:12:19 +0100	[diff] [blame]	383	}
				384	// Wait for the ClaimInterface callback to continue the connection process.
Darin Petkov	33af05c	2012-02-28 10:10:30 +0100	[diff] [blame]	385	}
				386
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	387	void OpenVPNDriver::InitOptions(vector<string> options, Error error) {
Darin Petkov	7f06033	2012-03-14 11:46:47 +0100	[diff] [blame]	388	string vpnhost = args_.LookupString(flimflam::kProviderHostProperty, "");
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	389	if (vpnhost.empty()) {
				390	Error::PopulateAndLog(
				391	error, Error::kInvalidArguments, "VPN host not specified.");
				392	return;
				393	}
				394	options->push_back("--client");
				395	options->push_back("--tls-client");
				396	options->push_back("--remote");
				397	options->push_back(vpnhost);
				398	options->push_back("--nobind");
				399	options->push_back("--persist-key");
				400	options->push_back("--persist-tun");
				401
Darin Petkov	f20994f	2012-03-05 16:12:19 +0100	[diff] [blame]	402	CHECK(!tunnel_interface_.empty());
Paul Stewart	ca6abd4	2012-03-01 15:45:29 -0800	[diff] [blame]	403	options->push_back("--dev");
				404	options->push_back(tunnel_interface_);
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	405	options->push_back("--dev-type");
				406	options->push_back("tun");
				407	options->push_back("--syslog");
				408
				409	// TODO(petkov): Enable verbosity based on shill logging options too.
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	410	AppendValueOption(kOpenVPNVerbProperty, "--verb", options);
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	411
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	412	AppendValueOption(kVPNMTUProperty, "--mtu", options);
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	413	AppendValueOption(flimflam::kOpenVPNProtoProperty, "--proto", options);
				414	AppendValueOption(flimflam::kOpenVPNPortProperty, "--port", options);
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	415	AppendValueOption(kOpenVPNTLSAuthProperty, "--tls-auth", options);
Darin Petkov	1fa8194	2012-04-02 11:38:08 +0200	[diff] [blame]	416	{
				417	string contents =
				418	args_.LookupString(flimflam::kOpenVPNTLSAuthContentsProperty, "");
				419	if (!contents.empty()) {
				420	if (!file_util::CreateTemporaryFile(&tls_auth_file_) \|\|
				421	file_util::WriteFile(
				422	tls_auth_file_, contents.data(), contents.size()) !=
				423	static_cast<int>(contents.size())) {
				424	Error::PopulateAndLog(
				425	error, Error::kInternalError, "Unable to setup tls-auth file.");
				426	return;
				427	}
				428	options->push_back("--tls-auth");
				429	options->push_back(tls_auth_file_.value());
				430	}
				431	}
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	432	AppendValueOption(
				433	flimflam::kOpenVPNTLSRemoteProperty, "--tls-remote", options);
				434	AppendValueOption(flimflam::kOpenVPNCipherProperty, "--cipher", options);
				435	AppendValueOption(flimflam::kOpenVPNAuthProperty, "--auth", options);
				436	AppendFlag(flimflam::kOpenVPNAuthNoCacheProperty, "--auth-nocache", options);
				437	AppendValueOption(
				438	flimflam::kOpenVPNAuthRetryProperty, "--auth-retry", options);
				439	AppendFlag(flimflam::kOpenVPNCompLZOProperty, "--comp-lzo", options);
				440	AppendFlag(flimflam::kOpenVPNCompNoAdaptProperty, "--comp-noadapt", options);
				441	AppendFlag(
				442	flimflam::kOpenVPNPushPeerInfoProperty, "--push-peer-info", options);
				443	AppendValueOption(flimflam::kOpenVPNRenegSecProperty, "--reneg-sec", options);
				444	AppendValueOption(flimflam::kOpenVPNShaperProperty, "--shaper", options);
				445	AppendValueOption(flimflam::kOpenVPNServerPollTimeoutProperty,
				446	"--server-poll-timeout", options);
				447
Darin Petkov	e0d5dd1	2012-04-04 16:10:48 +0200	[diff] [blame]	448	if (!InitNSSOptions(options, error)) {
				449	return;
Darin Petkov	3c5e4dc	2012-04-02 14:44:27 +0200	[diff] [blame]	450	}
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	451
				452	// Client-side ping support.
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	453	AppendValueOption(kOpenVPNPingProperty, "--ping", options);
				454	AppendValueOption(kOpenVPNPingExitProperty, "--ping-exit", options);
				455	AppendValueOption(kOpenVPNPingRestartProperty, "--ping-restart", options);
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	456
				457	AppendValueOption(flimflam::kOpenVPNCaCertProperty, "--ca", options);
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	458	AppendValueOption(kOpenVPNCertProperty, "--cert", options);
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	459	AppendValueOption(
				460	flimflam::kOpenVPNNsCertTypeProperty, "--ns-cert-type", options);
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	461	AppendValueOption(kOpenVPNKeyProperty, "--key", options);
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	462
Darin Petkov	e0d5dd1	2012-04-04 16:10:48 +0200	[diff] [blame]	463	InitPKCS11Options(options);
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	464
				465	// TLS suport.
Darin Petkov	7f06033	2012-03-14 11:46:47 +0100	[diff] [blame]	466	string remote_cert_tls =
				467	args_.LookupString(flimflam::kOpenVPNRemoteCertTLSProperty, "");
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	468	if (remote_cert_tls.empty()) {
				469	remote_cert_tls = "server";
				470	}
				471	if (remote_cert_tls != "none") {
				472	options->push_back("--remote-cert-tls");
				473	options->push_back(remote_cert_tls);
				474	}
				475
				476	// This is an undocumented command line argument that works like a .cfg file
				477	// entry. TODO(sleffler): Maybe roll this into --tls-auth?
				478	AppendValueOption(
				479	flimflam::kOpenVPNKeyDirectionProperty, "--key-direction", options);
				480	// TODO(sleffler): Support more than one eku parameter.
				481	AppendValueOption(
				482	flimflam::kOpenVPNRemoteCertEKUProperty, "--remote-cert-eku", options);
				483	AppendValueOption(
				484	flimflam::kOpenVPNRemoteCertKUProperty, "--remote-cert-ku", options);
				485
Darin Petkov	e0d5dd1	2012-04-04 16:10:48 +0200	[diff] [blame]	486	if (!InitManagementChannelOptions(options, error)) {
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	487	return;
				488	}
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	489
Darin Petkov	a9b1fed	2012-02-29 11:49:05 +0100	[diff] [blame]	490	// Setup openvpn-script options and RPC information required to send back
				491	// Layer 3 configuration.
				492	options->push_back("--setenv");
				493	options->push_back("CONNMAN_BUSNAME");
				494	options->push_back(rpc_task_->GetRpcConnectionIdentifier());
				495	options->push_back("--setenv");
				496	options->push_back("CONNMAN_INTERFACE");
				497	options->push_back(rpc_task_->GetRpcInterfaceIdentifier());
				498	options->push_back("--setenv");
				499	options->push_back("CONNMAN_PATH");
				500	options->push_back(rpc_task_->GetRpcIdentifier());
				501	options->push_back("--script-security");
				502	options->push_back("2");
				503	options->push_back("--up");
				504	options->push_back(kOpenVPNScript);
				505	options->push_back("--up-restart");
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	506
				507	// Disable openvpn handling since we do route+ifconfig work.
				508	options->push_back("--route-noexec");
				509	options->push_back("--ifconfig-noexec");
				510
				511	// Drop root privileges on connection and enable callback scripts to send
				512	// notify messages.
				513	options->push_back("--user");
				514	options->push_back("openvpn");
				515	options->push_back("--group");
				516	options->push_back("openvpn");
				517	}
				518
Darin Petkov	e0d5dd1	2012-04-04 16:10:48 +0200	[diff] [blame]	519	bool OpenVPNDriver::InitNSSOptions(vector<string> options, Error error) {
				520	string ca_cert = args_.LookupString(flimflam::kOpenVPNCaCertNSSProperty, "");
				521	if (!ca_cert.empty()) {
				522	if (!args_.LookupString(flimflam::kOpenVPNCaCertProperty, "").empty()) {
				523	Error::PopulateAndLog(error,
				524	Error::kInvalidArguments,
				525	"Can't specify both CACert and CACertNSS.");
				526	return false;
				527	}
				528	const string &vpnhost = args_.GetString(flimflam::kProviderHostProperty);
				529	vector<char> id(vpnhost.begin(), vpnhost.end());
				530	FilePath certfile = nss_->GetPEMCertfile(ca_cert, id);
				531	if (certfile.empty()) {
				532	LOG(ERROR) << "Unable to extract certificate: " << ca_cert;
				533	} else {
				534	options->push_back("--ca");
				535	options->push_back(certfile.value());
				536	}
				537	}
				538	return true;
				539	}
				540
				541	void OpenVPNDriver::InitPKCS11Options(vector<string> *options) {
				542	string id = args_.LookupString(flimflam::kOpenVPNClientCertIdProperty, "");
				543	if (!id.empty()) {
				544	string provider =
				545	args_.LookupString(flimflam::kOpenVPNProviderProperty, "");
				546	if (provider.empty()) {
				547	provider = kDefaultPKCS11Provider;
				548	}
				549	options->push_back("--pkcs11-providers");
				550	options->push_back(provider);
				551	options->push_back("--pkcs11-id");
				552	options->push_back(id);
				553	}
				554	}
				555
				556	bool OpenVPNDriver::InitManagementChannelOptions(
				557	vector<string> options, Error error) {
				558	if (!management_server_->Start(dispatcher_, &sockets_, options)) {
				559	Error::PopulateAndLog(
				560	error, Error::kInternalError, "Unable to setup management channel.");
				561	return false;
				562	}
				563	return true;
				564	}
				565
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	566	bool OpenVPNDriver::AppendValueOption(
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	567	const string &property, const string &option, vector<string> *options) {
Darin Petkov	7f06033	2012-03-14 11:46:47 +0100	[diff] [blame]	568	string value = args_.LookupString(property, "");
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	569	if (!value.empty()) {
				570	options->push_back(option);
				571	options->push_back(value);
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	572	return true;
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	573	}
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	574	return false;
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	575	}
				576
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	577	bool OpenVPNDriver::AppendFlag(
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	578	const string &property, const string &option, vector<string> *options) {
				579	if (args_.ContainsString(property)) {
				580	options->push_back(option);
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	581	return true;
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	582	}
Darin Petkov	4646302	2012-03-29 14:57:32 +0200	[diff] [blame]	583	return false;
Darin Petkov	fe6a937	2012-02-28 16:25:06 +0100	[diff] [blame]	584	}
				585
Paul Stewart	ce4ec19	2012-03-14 12:53:46 -0700	[diff] [blame]	586	bool OpenVPNDriver::PinHostRoute(const IPConfig::Properties &properties) {
				587	if (properties.gateway.empty() \|\| properties.trusted_ip.empty()) {
				588	return false;
				589	}
				590
				591	IPAddress trusted_ip(properties.address_family);
				592	if (!trusted_ip.SetAddressFromString(properties.trusted_ip)) {
				593	LOG(ERROR) << "Failed to parse trusted_ip "
				594	<< properties.trusted_ip << "; ignored.";
				595	return false;
				596	}
				597
				598	ServiceRefPtr default_service = manager_->GetDefaultService();
				599	if (!default_service) {
				600	LOG(ERROR) << "No default service exists.";
				601	return false;
				602	}
				603
				604	CHECK(default_service->connection());
				605	return default_service->connection()->RequestHostRoute(trusted_ip);
				606	}
				607
Darin Petkov	6aa2187	2012-03-09 16:10:19 +0100	[diff] [blame]	608	void OpenVPNDriver::Disconnect() {
Darin Petkov	271fe52	2012-03-27 13:47:29 +0200	[diff] [blame]	609	VLOG(2) << __func__;
Darin Petkov	3f9131c	2012-03-20 11:37:32 +0100	[diff] [blame]	610	Cleanup(Service::kStateIdle);
Darin Petkov	6aa2187	2012-03-09 16:10:19 +0100	[diff] [blame]	611	}
				612
Darin Petkov	271fe52	2012-03-27 13:47:29 +0200	[diff] [blame]	613	void OpenVPNDriver::OnReconnecting() {
				614	VLOG(2) << __func__;
				615	if (device_) {
				616	device_->OnDisconnected();
				617	}
				618	if (service_) {
				619	service_->SetState(Service::kStateAssociating);
				620	}
				621	}
				622
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	623	bool OpenVPNDriver::Load(StoreInterface *storage, const string &storage_id) {
Paul Stewart	ebd3856	2012-03-23 13:06:40 -0700	[diff] [blame]	624	for (size_t i = 0; i < arraysize(kProperties); i++) {
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	625	const string property = kProperties[i].property;
				626	string value;
				627	bool loaded = kProperties[i].crypted ?
				628	storage->GetCryptedString(storage_id, property, &value) :
				629	storage->GetString(storage_id, property, &value);
				630	if (loaded) {
				631	args_.SetString(property, value);
Paul Stewart	141983b	2012-03-23 07:58:32 -0700	[diff] [blame]	632	} else {
				633	args_.RemoveString(property);
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	634	}
				635	}
				636	return true;
				637	}
				638
				639	bool OpenVPNDriver::Save(StoreInterface *storage, const string &storage_id) {
Paul Stewart	ebd3856	2012-03-23 13:06:40 -0700	[diff] [blame]	640	for (size_t i = 0; i < arraysize(kProperties); i++) {
Darin Petkov	f3c71d7	2012-03-21 12:32:15 +0100	[diff] [blame]	641	const string property = kProperties[i].property;
				642	const string value = args_.LookupString(property, "");
				643	if (value.empty()) {
				644	storage->DeleteKey(storage_id, property);
				645	} else if (kProperties[i].crypted) {
				646	storage->SetCryptedString(storage_id, property, value);
				647	} else {
				648	storage->SetString(storage_id, property, value);
				649	}
				650	}
				651	return true;
				652	}
				653
Paul Stewart	ebd3856	2012-03-23 13:06:40 -0700	[diff] [blame]	654	void OpenVPNDriver::InitPropertyStore(PropertyStore *store) {
				655	for (size_t i = 0; i < arraysize(kProperties); i++) {
				656	store->RegisterDerivedString(
				657	kProperties[i].property,
				658	StringAccessor(
				659	new CustomMappedAccessor<OpenVPNDriver, string, size_t>(
				660	this,
				661	&OpenVPNDriver::ClearMappedProperty,
				662	&OpenVPNDriver::GetMappedProperty,
				663	&OpenVPNDriver::SetMappedProperty,
				664	i)));
				665	}
				666
				667	// TODO(pstew): Add the PassphraseRequired and PSKRequired properties.
				668	// crosbug.com/27323
				669	}
				670
				671	void OpenVPNDriver::ClearMappedProperty(const size_t &index,
				672	Error *error) {
				673	CHECK(index < arraysize(kProperties));
				674	if (args_.ContainsString(kProperties[index].property)) {
				675	args_.RemoveString(kProperties[index].property);
				676	} else {
				677	error->Populate(Error::kNotFound, "Property is not set");
				678	}
				679	}
				680
				681	string OpenVPNDriver::GetMappedProperty(const size_t &index,
				682	Error *error) {
				683	CHECK(index < arraysize(kProperties));
				684	if (kProperties[index].crypted) {
				685	error->Populate(Error::kPermissionDenied, "Property is write-only");
				686	return string();
				687	}
				688
				689	if (!args_.ContainsString(kProperties[index].property)) {
				690	error->Populate(Error::kNotFound, "Property is not set");
				691	return string();
				692	}
				693
				694	return args_.LookupString(kProperties[index].property, "");
				695	}
				696
				697	void OpenVPNDriver::SetMappedProperty(const size_t &index,
				698	const string &value,
				699	Error *error) {
				700	CHECK(index < arraysize(kProperties));
				701	args_.SetString(kProperties[index].property, value);
				702	}
				703
				704
Darin Petkov	33af05c	2012-02-28 10:10:30 +0100	[diff] [blame]	705	} // namespace shill