flimflam: Add L2TP/IPsec VPN plugin

plugins/l2tpipsec.c

+/*
+ * L2TP/IPsec VPN plugin.
+ *
+ * Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include <stdio.h>
+#include <net/if.h>
+
+#include <glib.h>
+
+#define CONNMAN_API_SUBJECT_TO_CHANGE
+#include <connman/plugin.h>
+#include <connman/provider.h>
+#include <connman/log.h>
+#include <connman/task.h>
+#include <connman/dbus.h>
+#include <connman/inet.h>
+
+#include "vpn.h"
+
+#define _DBG_VPN(fmt, arg...)   DBG(DBG_VPN, fmt, ## arg)
+
+static DBusConnection *connection;
+
+static DBusMessage *li_get_sec(struct connman_task *task,
+                        DBusMessage *msg, void *user_data)
+{
+        const char *user, *passwd;
+        struct connman_provider *provider = user_data;
+
+        DBG(DBG_VPN, "li_get_sec: security request");
+
+        if (dbus_message_get_no_reply(msg) == FALSE) {
+                DBusMessage *reply;
+
+                user = connman_provider_get_string(provider, "L2TPIPsec.User");
+                passwd = connman_provider_get_string(provider,
+                                                     "L2TPIPsec.Password");
+
+                if (user == NULL || strlen(user) == 0 ||
+                                passwd == NULL || strlen(passwd) == 0)

[Sam Leffler, 2011/03/04 17:47:45]

debug msg or connman_error?

[kmixter1, 2011/03/05 09:30:51]

Done.

+                        return NULL;
+
+                reply = dbus_message_new_method_return(msg);
+                if (reply == NULL)
+                        return NULL;
+
+                dbus_message_append_args(reply, DBUS_TYPE_STRING, &user,
+                                                DBUS_TYPE_STRING, &passwd,
+                                                DBUS_TYPE_INVALID);
+
+                return reply;
+        }
+
+        return NULL;
+}
+
+static int li_notify(DBusMessage *msg, struct connman_provider *provider)
+{
+        DBusMessageIter iter, dict;
+        const char *reason, *key, *value;
+        char *ifname = NULL;
+        char *dns1 = NULL;
+        char *dns2 = NULL;
+        struct connman_ipaddress ipaddr;
+
+        DBG(DBG_VPN, "li_notify: interface up message");
+
+        dbus_message_iter_init(msg, &iter);
+
+        dbus_message_iter_get_basic(&iter, &reason);
+        dbus_message_iter_next(&iter);
+
+        if (!provider) {

[Sam Leffler, 2011/03/04 17:47:45]

prevailing style is to compare ptr's to NULL

[kmixter1, 2011/03/05 09:30:51]

Done.

+                connman_error("No provider found");

[Sam Leffler, 2011/03/04 17:47:45]

uniquely identify; e.g. connman_error("%s: no provider", __func__);

[kmixter1, 2011/03/05 09:30:51]

Done.

+                return VPN_STATE_FAILURE;
+        }
+
+        if (strcmp(reason, "connect"))
+                return VPN_STATE_DISCONNECT;
+
+        memset(&ipaddr, 0, sizeof(ipaddr));
+        ipaddr.af = AF_INET;
+        ipaddr.mask |= CONNMAN_IPCONFIG_AF;
+
+        dbus_message_iter_recurse(&iter, &dict);
+
+        while (dbus_message_iter_get_arg_type(&dict) == DBUS_TYPE_DICT_ENTRY) {
+                DBusMessageIter entry;
+
+                dbus_message_iter_recurse(&dict, &entry);
+                dbus_message_iter_get_basic(&entry, &key);
+                dbus_message_iter_next(&entry);
+                dbus_message_iter_get_basic(&entry, &value);
+
+                DBG(DBG_VPN, "%s = %s", key, value);

[Sam Leffler, 2011/03/04 17:47:45]

_DBG_VPN

[kmixter1, 2011/03/05 09:30:51]

Done.

+
+                if (!strcmp(key, "INTERNAL_IP4_ADDRESS")) {
+                        ipaddr.local = g_strdup(value);
+                        ipaddr.mask |= CONNMAN_IPCONFIG_LOCAL;
+                } else if (!strcmp(key, "EXTERNAL_IP4_ADDRESS")) {
+                        ipaddr.peer = g_strdup(value);

[kmixter1, 2011/03/04 02:06:02]

I'm getting 0.0.0.0 from the pppd plugin.  Trying to get at a real peer address.

[kmixter1, 2011/03/05 09:30:51]

FWIW, I found the peer address and it's now returned.

+                        ipaddr.mask |= CONNMAN_IPCONFIG_PEER;
+                } else if (!strcmp(key, "DNS1")) {
+                        dns1 = g_strdup(value);
+                } else if (!strcmp(key, "DNS2")) {
+                        dns2 = g_strdup(value);
+                } else if (!strcmp(key, "INTERNAL_IFNAME")) {
+                        ifname = g_strdup(value);
+                }
+
+                dbus_message_iter_next(&dict);
+        }
+
+        ipaddr.dns_servers = g_try_new0(gchar *, 3);
+        if (dns1 != NULL) {
+                ipaddr.dns_servers[0] = dns1;
+                if (dns2 != NULL)
+                        ipaddr.dns_servers[1] = dns2;
+                ipaddr.mask |= CONNMAN_IPCONFIG_DNS;
+        }
+
+        /* TODO(kmixter): Should this go before or after ipconfig_set?
+           No routes come through? */

[Sam Leffler, 2011/03/04 17:47:45]

should not matter because the ipconfig settings are not installed until you
return from this routine

[kmixter1, 2011/03/05 09:30:51]

Done.

+        if (vpn_set_ifname(provider, ifname) <0) {
+                g_free(ifname);
+                return VPN_STATE_FAILURE;
+        }
+
+        DBG(DBG_VPN, "li_notify: doing ipconfig set");
+
+        connman_provider_ipconfig_set(provider, &ipaddr);

[kmixter1, 2011/03/04 02:06:02]

So this is failing... it fails because ipv4config is NULL.  I believe it's NULL
because much earlier during vpn_connect connman_ipconfig_create failed because
the index it was passed was negative.  That index was provider->element.index
(in __connman_provider_ipconfig_init).  I suspect that's because
connman_provider_set_index was not called.  Probably it would have been called
as part of vpn_create_tun but of course I hav vpn_driver.flags =
VPN_FLAGS_NO_TUN.  The ppp tunnel would actually be known at this point (ifname
== "ppp0") but it's too late.  So I'm not sure how this was supposed to work
upstream...

[Sam Leffler, 2011/03/04 17:47:45]

Can't comment on upstream.  We allocate ipv4config when the provider enters the
"CONNECT" state which should happen before your plugin initiates the connection
and you get notified.

[kmixter1, 2011/03/05 09:30:51]

Sort of - it tries to enter that state but ultimately the ipconfig init fails
because there is no device index yet (we don't know the device, since it's not a
tun device flimflam itself opens before initiating the connection).

I think is see now upstream doesn't have the problem because it's related to the
ways we've forked the ipconfig code.

In any case I've found a workaround.

+
+        g_free(ifname);
+        g_free(dns1);
+        g_free(dns2);
+        g_strfreev(ipaddr.dns_servers);  /* TODO(kmixter): OK to free? */
+
+        return VPN_STATE_CONNECT;
+}
+
+static int li_connect(struct connman_provider *provider,
+                struct connman_task *task, const char *if_name)
+{
+#define OPT_STR(property, option) do {                                   \
+        const char *s = connman_provider_get_string(provider, property); \
+        if (s != NULL)                                                   \
+                connman_task_add_argument(task, option, (char *)s);      \
+} while (0)
+#define OPT_BOOL(property, option) do {                                  \
+        const char *s = connman_provider_get_string(provider, property); \
+        if (s != NULL)                                                   \
+                connman_task_add_argument(task, option, NULL);          \
+} while (0)
+        const char *vpnhost;
+        int err, fd;
+
+        if (connman_task_set_notify(task, "getsec",
+                                        li_get_sec, provider))
+                return -ENOMEM;
+
+        vpnhost = connman_provider_get_string(provider, "Host");
+        if (!vpnhost) {
+                connman_error("%s: host not set; cannot enable VPN", __func__);
+                return -EINVAL;
+        }
+
+        connman_task_add_argument(task, "--remote", (char *)vpnhost);
+        // TODO: figure out the local address.
+        connman_task_add_argument(task, "--local", "172.22.75.194");
+        connman_task_add_argument(task, "--pppd_plugin",
+                                  SCRIPTDIR "/libppp-plugin.so");
+        OPT_STR("L2TPIPsec.CACert",     "--server_ca_file");
+        OPT_STR("L2TPIPsec.Key",        "--client_key_file");
+        OPT_STR("L2TPIPsec.Cert",       "--client_cert_file");
+        OPT_STR("L2TPIPsec.PSK",        "--psk_file");
+        OPT_STR("L2TPIPsec.User",       "--user");
+
+        fd = fileno(stderr);
+        err = connman_task_run(task, vpn_died, provider,
+                                NULL, &fd, &fd);
+        if (err < 0) {
+                connman_error("l2tpipsec failed to start");
+                return -EIO;
+        }
+
+        return 0;
+}
+
+static struct vpn_driver vpn_driver = {
+        .flags          = VPN_FLAG_NO_TUN,
+        .notify         = li_notify,
+        .connect        = li_connect,
+};
+
+static int li_init(void)
+{
+        connection = connman_dbus_get_connection();
+
+        return vpn_register("l2tpipsec", &vpn_driver, L2TPIPSEC);
+}
+
+static void li_exit(void)
+{
+        vpn_unregister("l2tpipsec");
+
+        dbus_connection_unref(connection);
+}
+
+CONNMAN_PLUGIN_DEFINE(l2tpipsec, "l2tpipsec plugin", VERSION,
+        CONNMAN_PLUGIN_PRIORITY_DEFAULT, li_init, li_exit)