| Index: ipsec_manager.cc
|
| diff --git a/ipsec_manager.cc b/ipsec_manager.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..eb57044e68ac0348591a049aeba6e6ae6896504e
|
| --- /dev/null
|
| +++ b/ipsec_manager.cc
|
| @@ -0,0 +1,408 @@
|
| +// Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "vpn-manager/ipsec_manager.h"
|
| +
|
| +#include <arpa/inet.h> // for inet_ntop and inet_pton
|
| +#include <grp.h>
|
| +#include <netdb.h> // for getaddrinfo
|
| +#include <sys/types.h>
|
| +#include <sys/wait.h>
|
| +#include <unistd.h>
|
| +
|
| +#include <string>
|
| +#include <vector>
|
| +
|
| +#include "base/eintr_wrapper.h"
|
| +#include "base/file_util.h"
|
| +#include "base/logging.h"
|
| +#include "base/string_util.h"
|
| +#include "chromeos/process.h"
|
| +#include "gflags/gflags.h"
|
| +
|
| +#pragma GCC diagnostic ignored "-Wstrict-aliasing"
|
| +DEFINE_int32(ipsec_timeout, 10, "timeout for ipsec to be established");
|
| +DEFINE_string(leftprotoport, "17/1701", "client protocol/port");
|
| +DEFINE_bool(pfs, false, "pfs");
|
| +DEFINE_bool(rekey, false, "rekey");
|
| +DEFINE_string(rightprotoport, "17/1701", "server protocol/port");
|
| +#pragma GCC diagnostic error "-Wstrict-aliasing"
|
| +
|
| +const char kIpsecConnectionName[] = "ipsec_managed";
|
| +const char kIpsecGroupName[] = "ipsec";
|
| +const char kIpsecRunPath[] = "/var/run/ipsec";
|
| +const char kIpsecUpFile[] = "/var/run/ipsec/up";
|
| +const char kIpsecServiceName[] = "ipsec";
|
| +const char kStarterPidFile[] = "/var/run/starter.pid";
|
| +const mode_t kIpsecRunPathMode = (S_IRUSR | S_IWUSR | S_IXUSR |
|
| + S_IRGRP | S_IWGRP | S_IXGRP);
|
| +const char kStatefulContainer[] = "/mnt/stateful_partition/etc";
|
| +
|
| +// Give IPsec layer 2 seconds to shut down before killing it.
|
| +const int kTermTimeout = 2;
|
| +
|
| +using ::chromeos::Process;
|
| +using ::chromeos::ProcessImpl;
|
| +
|
| +IpsecManager::IpsecManager()
|
| + : ServiceManager(kIpsecServiceName),
|
| + force_local_address_(NULL),
|
| + output_fd_(-1),
|
| + ike_version_(0),
|
| + ipsec_group_(0),
|
| + stateful_container_(kStatefulContainer),
|
| + ipsec_run_path_(kIpsecRunPath),
|
| + ipsec_up_file_(kIpsecUpFile),
|
| + starter_pid_file_(kStarterPidFile),
|
| + starter_(new ProcessImpl) {
|
| +}
|
| +
|
| +bool IpsecManager::Initialize(int ike_version,
|
| + const std::string& remote_address,
|
| + const std::string& psk_file,
|
| + const std::string& server_ca_file,
|
| + const std::string& client_key_file,
|
| + const std::string& client_cert_file) {
|
| + if (remote_address.empty()) {
|
| + LOG(ERROR) << "Missing remote address to IPsec layer";
|
| + return false;
|
| + }
|
| + remote_address_ = remote_address;
|
| +
|
| + if (psk_file.empty()) {
|
| + if (server_ca_file.empty() && client_key_file.empty() &&
|
| + client_cert_file.empty()) {
|
| + LOG(ERROR) << "Must specify either PSK or certificates for IPsec layer";
|
| + return false;
|
| + }
|
| +
|
| + // Must be a certificate based connection.
|
| + if (!file_util::PathExists(FilePath(server_ca_file))) {
|
| + LOG(ERROR) << "Invalid server CA file for IPsec layer: "
|
| + << server_ca_file;
|
| + return false;
|
| + }
|
| + server_ca_file_ = server_ca_file;
|
| +
|
| + if (!file_util::PathExists(FilePath(client_key_file))) {
|
| + LOG(ERROR) << "Invalid client key file for IPsec layer: "
|
| + << client_key_file;
|
| + return false;
|
| + }
|
| + client_key_file_ = client_key_file;
|
| +
|
| + if (!file_util::PathExists(FilePath(client_cert_file))) {
|
| + LOG(ERROR) << "Invalid client certificate file for IPsec layer: "
|
| + << client_key_file;
|
| + return false;
|
| + }
|
| + client_cert_file_ = client_cert_file;
|
| + } else {
|
| + if (!server_ca_file.empty() ||
|
| + !client_key_file.empty() ||
|
| + !client_cert_file.empty()) {
|
| + LOG(ERROR) << "Specified both PSK and certificates for IPsec layer";
|
| + return false;
|
| + }
|
| + if (!file_util::PathExists(FilePath(psk_file))) {
|
| + LOG(ERROR) << "Invalid PSK file for IPsec layer: " << psk_file;
|
| + return false;
|
| + }
|
| + psk_file_ = psk_file;
|
| + }
|
| +
|
| + if (ike_version != 1 && ike_version != 2) {
|
| + LOG(ERROR) << "Unsupported IKE version" << ike_version;
|
| + return false;
|
| + }
|
| + ike_version_ = ike_version;
|
| +
|
| + file_util::Delete(FilePath(kIpsecUpFile), false);
|
| +
|
| + return true;
|
| +}
|
| +
|
| +bool IpsecManager::GetLocalAddressForRemote(
|
| + const std::string& remote_address_text,
|
| + std::string* local_address_text) {
|
| + static const char kService[] = "80";
|
| + if (force_local_address_ != NULL) {
|
| + *local_address_text = force_local_address_;
|
| + return true;
|
| + }
|
| + struct addrinfo *remote_address;
|
| + int s = getaddrinfo(remote_address_text.c_str(), kService, NULL,
|
| + &remote_address);
|
| + if (s != 0) {
|
| + LOG(ERROR) << "getaddrinfo failed: " << gai_strerror(s);
|
| + return false;
|
| + }
|
| + int sock = HANDLE_EINTR(socket(AF_INET, SOCK_DGRAM, 0));
|
| + if (sock < 0) {
|
| + LOG(ERROR) << "Unable to create socket";
|
| + return false;
|
| + }
|
| + if (HANDLE_EINTR(
|
| + connect(sock, remote_address->ai_addr, sizeof(sockaddr))) != 0) {
|
| + LOG(ERROR) << "Unable to connect";
|
| + HANDLE_EINTR(close(sock));
|
| + return false;
|
| + }
|
| + bool result = false;
|
| + struct sockaddr local_address;
|
| + socklen_t addr_len = sizeof(local_address);
|
| + char str[INET6_ADDRSTRLEN] = { 0 };
|
| + if (getsockname(sock, &local_address, &addr_len) != 0) {
|
| + int saved_errno = errno;
|
| + LOG(ERROR) << "getsockname failed on socket connecting to "
|
| + << remote_address_text << ": " << saved_errno;
|
| + goto error_label;
|
| + }
|
| + // convert local_address to local_address_text.
|
| + switch (local_address.sa_family) {
|
| + case AF_INET:
|
| + if (!inet_ntop(AF_INET, &reinterpret_cast<sockaddr_in*>(
|
| + &local_address)->sin_addr, str, INET6_ADDRSTRLEN)) {
|
| + LOG(ERROR) << "inet_ntop failed on " << remote_address_text;
|
| + goto error_label;
|
| + }
|
| + break;
|
| + case AF_INET6:
|
| + if (!inet_ntop(AF_INET6, &reinterpret_cast<sockaddr_in6*>(
|
| + &local_address)->sin6_addr, str, INET6_ADDRSTRLEN)) {
|
| + LOG(ERROR) << "inet_ntop failed on " << remote_address_text;
|
| + goto error_label;
|
| + }
|
| + break;
|
| + default:
|
| + LOG(ERROR) << "Unknown address family converting " << remote_address_text;
|
| + goto error_label;
|
| + }
|
| + *local_address_text = str;
|
| + LOG(INFO) << "Remote address " << remote_address_text << " has local address "
|
| + << *local_address_text;
|
| + result = true;
|
| +
|
| + error_label:
|
| + HANDLE_EINTR(close(sock));
|
| + freeaddrinfo(remote_address);
|
| + return result;
|
| +}
|
| +
|
| +bool IpsecManager::FormatPsk(const FilePath& input_file,
|
| + std::string* formatted) {
|
| + std::string psk;
|
| + if (!file_util::ReadFileToString(input_file, &psk)) {
|
| + LOG(ERROR) << "Unable to read PSK from " << input_file.value();
|
| + return false;
|
| + }
|
| + std::string local_address;
|
| + if (!GetLocalAddressForRemote(remote_address_, &local_address)) {
|
| + LOG(ERROR) << "Local IP address could not be determined for PSK mode";
|
| + return false;
|
| + }
|
| + TrimWhitespaceASCII(psk, TRIM_TRAILING, &psk);
|
| + *formatted =
|
| + StringPrintf("%s %s : PSK \"%s\"\n", local_address.c_str(),
|
| + remote_address_.c_str(), psk.c_str());
|
| + return true;
|
| +}
|
| +
|
| +void IpsecManager::KillCurrentlyRunning() {
|
| + if (!file_util::PathExists(FilePath(starter_pid_file_)))
|
| + return;
|
| + starter_->ResetPidByFile(starter_pid_file_);
|
| + if (Process::ProcessExists(starter_->pid()))
|
| + starter_->Reset(0);
|
| + else
|
| + starter_->Release();
|
| + file_util::Delete(FilePath(starter_pid_file_), false);
|
| +}
|
| +
|
| +bool IpsecManager::StartStarter() {
|
| + KillCurrentlyRunning();
|
| + LOG(INFO) << "Starting starter";
|
| + starter_->AddArg(IPSEC_STARTER);
|
| + starter_->AddArg("--nofork");
|
| + starter_->RedirectUsingPipe(STDERR_FILENO, false);
|
| + if (!starter_->Start()) {
|
| + LOG(ERROR) << "Starter did not start successfully";
|
| + return false;
|
| + }
|
| + output_fd_ = starter_->GetPipe(STDERR_FILENO);
|
| + pid_t starter_pid = starter_->pid();
|
| + LOG(INFO) << "Starter started as pid " << starter_pid;
|
| + ipsec_prefix_ = StringPrintf("ipsec[%d]: ", starter_pid);
|
| + return true;
|
| +}
|
| +
|
| +inline void AppendBoolSetting(std::string* config, const char* key,
|
| + bool value) {
|
| + config->append(StringPrintf("\t%s=%s\n", key, value ? "yes" : "no"));
|
| +}
|
| +
|
| +inline void AppendStringSetting(std::string* config, const char* key,
|
| + const std::string& value) {
|
| + config->append(StringPrintf("\t%s=%s\n", key, value.c_str()));
|
| +}
|
| +
|
| +inline void AppendIntSetting(std::string* config, const char* key,
|
| + int value) {
|
| + config->append(StringPrintf("\t%s=%d\n", key, value));
|
| +}
|
| +
|
| +std::string IpsecManager::FormatStarterConfigFile() {
|
| + std::string config;
|
| + config.append("config setup\n");
|
| + if (ike_version_ == 1) {
|
| + AppendBoolSetting(&config, "charonstart", false);
|
| + } else {
|
| + AppendBoolSetting(&config, "plutostart", false);
|
| + }
|
| + config.append("conn managed\n");
|
| + AppendStringSetting(&config, "keyexchange",
|
| + ike_version_ == 1 ? "ikev1" : "ikev2");
|
| + if (!psk_file_.empty()) AppendStringSetting(&config, "authby", "psk");
|
| + AppendBoolSetting(&config, "pfs", FLAGS_pfs);
|
| + AppendBoolSetting(&config, "rekey", FLAGS_rekey);
|
| + AppendStringSetting(&config, "left", "%defaultroute");
|
| + AppendStringSetting(&config, "leftprotoport", FLAGS_leftprotoport);
|
| + AppendStringSetting(&config, "leftupdown", IPSEC_UPDOWN);
|
| + AppendStringSetting(&config, "right", remote_address_);
|
| + AppendStringSetting(&config, "rightprotoport", FLAGS_rightprotoport);
|
| + AppendStringSetting(&config, "auto", "start");
|
| + return config;
|
| +}
|
| +
|
| +bool IpsecManager::SetIpsecGroup(const FilePath& file_path) {
|
| + return chown(file_path.value().c_str(), getuid(), ipsec_group_) == 0;
|
| +}
|
| +
|
| +bool IpsecManager::WriteConfigFiles() {
|
| + // We need to keep secrets in /mnt/stateful_partition/etc for now
|
| + // because pluto loses permissions to /home/chronos before it tries
|
| + // reading secrets.
|
| + // TODO(kmixter): write this via a fifo.
|
| + FilePath secrets_path_ = FilePath(stateful_container_).
|
| + Append("ipsec.secrets");
|
| + file_util::Delete(secrets_path_, false);
|
| + if (!psk_file_.empty()) {
|
| + std::string formatted;
|
| + if (!FormatPsk(FilePath(psk_file_), &formatted)) {
|
| + LOG(ERROR) << "Unable to create secrets contents";
|
| + return false;
|
| + }
|
| + if (!file_util::WriteFile(secrets_path_, formatted.c_str(),
|
| + formatted.length()) ||
|
| + !SetIpsecGroup(secrets_path_)) {
|
| + LOG(ERROR) << "Unable to write secrets file " << secrets_path_.value();
|
| + return false;
|
| + }
|
| + } else {
|
| + LOG(FATAL) << "Certificate mode not yet implemented";
|
| + }
|
| + FilePath starter_config_path = temp_path()->Append("ipsec.conf");
|
| + std::string starter_config = FormatStarterConfigFile();
|
| + if (!file_util::WriteFile(starter_config_path, starter_config.c_str(),
|
| + starter_config.size()) ||
|
| + !SetIpsecGroup(starter_config_path)) {
|
| + LOG(ERROR) << "Unable to write ipsec config files";
|
| + return false;
|
| + }
|
| + FilePath config_symlink_path = FilePath(stateful_container_).
|
| + Append("ipsec.conf");
|
| + // Use unlink to remove the symlink directly since file_util::Delete
|
| + // cannot delete dangling symlinks.
|
| + unlink(config_symlink_path.value().c_str());
|
| + if (file_util::PathExists(config_symlink_path)) {
|
| + LOG(ERROR) << "Unable to remove existing file "
|
| + << config_symlink_path.value();
|
| + return false;
|
| + }
|
| + if (symlink(starter_config_path.value().c_str(),
|
| + config_symlink_path.value().c_str()) < 0) {
|
| + int saved_errno = errno;
|
| + LOG(ERROR) << "Unable to symlink config file "
|
| + << config_symlink_path.value() << " -> "
|
| + << starter_config_path.value() << ": " << saved_errno;
|
| + return false;
|
| + }
|
| + return true;
|
| +}
|
| +
|
| +bool IpsecManager::CreateIpsecRunDirectory() {
|
| + if (!file_util::CreateDirectory(FilePath(ipsec_run_path_)) ||
|
| + !SetIpsecGroup(FilePath(ipsec_run_path_)) ||
|
| + chmod(ipsec_run_path_.c_str(), kIpsecRunPathMode) != 0) {
|
| + LOG(ERROR) << "Unable to create " << ipsec_run_path_;
|
| + return false;
|
| + }
|
| + return true;
|
| +}
|
| +
|
| +bool IpsecManager::Start() {
|
| + if (!ipsec_group_) {
|
| + struct group group_buffer;
|
| + struct group* group_result = NULL;
|
| + char buffer[256];
|
| + if (getgrnam_r(kIpsecGroupName, &group_buffer, buffer,
|
| + sizeof(buffer), &group_result) != 0 || !group_result) {
|
| + LOG(ERROR) << "Cannot find group id for " << kIpsecGroupName;
|
| + return false;
|
| + }
|
| + ipsec_group_ = group_result->gr_gid;
|
| + DLOG(INFO) << "Using ipsec group " << ipsec_group_;
|
| + }
|
| + if (!WriteConfigFiles())
|
| + return false;
|
| + if (!CreateIpsecRunDirectory())
|
| + return false;
|
| + if (!StartStarter())
|
| + return false;
|
| +
|
| + start_ticks_ = base::TimeTicks::Now();
|
| +
|
| + return true;
|
| +}
|
| +
|
| +int IpsecManager::Poll() {
|
| + if (is_running()) return -1;
|
| + if (start_ticks_.is_null()) return -1;
|
| + if (!file_util::PathExists(FilePath(ipsec_up_file_))) {
|
| + if (base::TimeTicks::Now() - start_ticks_ >
|
| + base::TimeDelta::FromSeconds(FLAGS_ipsec_timeout)) {
|
| + LOG(ERROR) << "IPsec connection timed out";
|
| + OnStopped(false);
|
| + // Poll in 1 second in order to check exit conditions.
|
| + }
|
| + return 1000;
|
| + }
|
| +
|
| + // This indicates that the connection came up successfully.
|
| + LOG(INFO) << "IPsec connection now up";
|
| + OnStarted();
|
| + return -1;
|
| +}
|
| +
|
| +void IpsecManager::ProcessOutput() {
|
| + ServiceManager::WriteFdToSyslog(output_fd_, ipsec_prefix_,
|
| + &partial_output_line_);
|
| +}
|
| +
|
| +bool IpsecManager::IsChild(pid_t pid) {
|
| + return pid == starter_->pid();
|
| +}
|
| +
|
| +void IpsecManager::Stop() {
|
| + if (starter_->pid() == 0) {
|
| + return;
|
| + }
|
| +
|
| + if (!starter_->Kill(SIGTERM, kTermTimeout)) {
|
| + starter_->Kill(SIGKILL, 0);
|
| + OnStopped(true);
|
| + return;
|
| + }
|
| + OnStopped(false);
|
| +}
|
|
|
Chromium Code Reviews
Issue 6508016:
vpn-manager: Add l2tp/ipsec vpn manager (Closed)
Base URL: ssh://git@gitrw.chromium.org:9222/vpn-manager.git@master