vpn/plugins/ipsec.c

   1 /*
   2  *
   3  *  ConnMan VPN daemon
   4  *
   5  *  This program is free software; you can redistribute it and/or modify
   6  *  it under the terms of the GNU General Public License version 2 as
   7  *  published by the Free Software Foundation.
   8  *
   9  *  This program is distributed in the hope that it will be useful,
  10  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  *  GNU General Public License for more details.
  13  *
  14  *  You should have received a copy of the GNU General Public License
  15  *  along with this program; if not, write to the Free Software
  16  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
  17  *
  18  */
  19
  20 #ifdef HAVE_CONFIG_H
  21 #include <config.h>
  22 #endif
  23
  24 #include <stdlib.h>
  25 #include <string.h>
  26 #include <errno.h>
  27 #include <unistd.h>
  28 #include <stdio.h>
  29 #include <sys/stat.h>
  30 #include <net/if.h>
  31
  32 #include <glib.h>
  33 #include <gio/gio.h>
  34
  35 #include <openssl/bio.h>
  36 #include <openssl/pem.h>
  37 #include <openssl/err.h>
  38 #include <openssl/safestack.h>
  39 #include <openssl/pkcs12.h>
  40 #include <openssl/x509.h>
  41 #include <openssl/conf.h>
  42
  43 #define CONNMAN_API_SUBJECT_TO_CHANGE
  44 #include <connman/plugin.h>
  45 #include <connman/log.h>
  46 #include <connman/task.h>
  47 #include <connman/dbus.h>
  48 #include <connman/ipconfig.h>
  49
  50 #include "../vpn-provider.h"
  51
  52 #include "vpn.h"
  53 #include "ipsec.h"
  54 #include "vici-client.h"
  55
  56 #define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0]))
  57
  58 typedef enum {
  59         CERT_TYPE_NONE,
  60         CERT_TYPE_DER,
  61         CERT_TYPE_PEM,
  62         CERT_TYPE_PKCS12,
  63         CERT_TYPE_MAX,
  64 } cert_type_e;
  65
  66 static DBusConnection *connection;
  67 static VICIClient *vici_client;
  68 static GFileMonitor* monitor;
  69
  70 struct openssl_private_data {
  71         EVP_PKEY *private_key;
  72         X509 *local_cert;
  73         STACK_OF(X509) *ca_certs;
  74 };
  75
  76 struct ipsec_private_data {
  77         struct vpn_provider *provider;
  78         struct openssl_private_data openssl_data;
  79         vpn_provider_connect_cb_t connect_cb;
  80         void *connect_user_data;
  81 };
  82
  83 struct ipsec_event_data {
  84         vpn_event_callback event_cb;
  85         void *event_user_data;
  86 };
  87
  88 struct {
  89         const char *cm_opt;
  90         const char *vici_key;
  91         const char *subsection;
  92         vici_add_element add_elem;
  93 } ipsec_conn_options[] = {
  94         {"IPsec.Version", "version", NULL, vici_add_kv},
  95         {"IPsec.LeftAddrs", "local_addrs", NULL, vici_add_kvl},
  96         {"IPsec.RightAddrs", "remote_addrs", NULL, vici_add_kvl},
  97
  98         {"IPsec.LocalAuth", "auth", "local", vici_add_kv},
  99         {"IPsec.LocalID", "id", "local", vici_add_kv},
 100         {"IPsec.LocalXauthID", "xauth_id", "local", vici_add_kv},
 101         {"IPsec.LocalXauthAuth", "auth", "local-xauth", vici_add_kv},
 102         {"IPsec.LocalXauthXauthID", "xauth_id", "local-xauth", vici_add_kv},
 103         {"IPsec.RemoteAuth", "auth", "remote", vici_add_kv},
 104         {"IPsec.RemoteID", "id", "remote", vici_add_kv},
 105         {"IPsec.RemoteXauthID", "xauth_id", "remote", vici_add_kv},
 106         {"IPsec.RemoteXauthAuth", "auth", "remote-xauth", vici_add_kv},
 107         {"IPsec.RemoteXauthXauthID", "xauth_id", "remote-xauth", vici_add_kv},
 108         {"IPsec.ChildrenLocalTS", "local_ts", "children", vici_add_kvl},
 109         {"IPsec.ChildrenRemoteTS", "remote_ts", "children", vici_add_kvl},
 110 };
 111
 112 struct {
 113         const char *cm_opt;
 114         const char *vici_type;
 115 } ipsec_shared_options[] = {
 116         {"IPsec.IKEData", "data"},
 117         {"IPsec.IKEOwners", "owners"},
 118         {"IPsec.XauthData", "data"},
 119         {"IPsec.XauthOwners", "owners"},
 120 };
 121
 122 struct {
 123         const char *cm_opt;
 124         const char *vici_type;
 125         const char *vici_flag;
 126 } ipsec_cert_options[] = {
 127         {"IPsec.CertType", "type", NULL},
 128         {"IPsec.CertFlag", "flag", NULL},
 129         {"IPsec.CertData", "data", NULL},
 130         {"IPsec.CertPass", "data", NULL},
 131 };
 132
 133 struct {
 134         const char *cm_opt;
 135         const char *vici_type;
 136 } ipsec_pkey_options[] = {
 137         {"IPsec.PKeyType", "type"},
 138         {"IPsec.PKeyData", "data"},
 139 };
 140
 141 static const char *ikev1_esp_proposals [] ={
 142                 "aes256-sha256",
 143                 "aes128-sha256",
 144                 "aes256-sha1",
 145                 "aes128-sha1",
 146                 "aes256-md5",
 147                 "aes128-md5",
 148                 "3des-sha1",
 149                 "3des-md5",
 150                 NULL,
 151 };
 152
 153 static const char *ikev1_proposals [] ={
 154                 "aes256-sha256-modp1024",
 155                 "aes128-sha256-modp1024",
 156                 "aes256-sha1-modp1024",
 157                 "aes128-sha1-modp1024",
 158                 "aes256-md5-modp1024",
 159                 "aes128-md5-modp1024",
 160                 "3des-sha1-modp1024",
 161                 "3des-md5-modp1024",
 162                 NULL,
 163 };
 164
 165 static const char *ikev2_esp_proposals = "aes256-aes128-sha256-sha1";
 166
 167 static const char *ikev2_proposals = "aes256-aes128-sha512-sha384-sha256-sha1-modp2048-modp1536-modp1024";
 168
 169 static struct ipsec_event_data event_data;
 170
 171 static void init_openssl(void)
 172 {
 173         /* Load the human readable error strings for libcrypto */
 174 #if OPENSSL_API_COMPAT < 0x10100000L
 175         /* TODO :remove this after debug */
 176         DBG("openssl version is under 1.01");
 177         ERR_load_crypto_strings();
 178 #else
 179         /* As of version 1.1.0 OpenSSL will automatically allocate
 180          * all resources that it needs so no explicit initialisation
 181          * is required. Similarly it will also automatically
 182          * deinitialise as required. */
 183         /* OPENSSL_init_crypto(); */
 184 #endif
 185         /* Load all digest and cipher algorithms */
 186 #if OPENSSL_API_COMPAT < 0x10100000L
 187         OpenSSL_add_all_algorithms();
 188 #else
 189         /* As of version 1.1.0 OpenSSL will automatically allocate
 190          * all resources that it needs so no explicit initialisation
 191          * is required. Similarly it will also automatically
 192          * deinitialise as required. */
 193         /* OPENSSL_init_crypto(); */
 194 #endif
 195 #if OPENSSL_API_COMPAT < 0x10100000L
 196         OPENSSL_config(NULL);
 197 #else
 198 #endif
 199         /* TODO :remove this after debug */
 200         DBG("init openssl");
 201         return;
 202 }
 203
 204 static void deinit_openssl(void)
 205 {
 206 #if OPENSSL_API_COMPAT < 0x10100000L
 207         EVP_cleanup();
 208 #else
 209 #endif
 210 #if OPENSSL_API_COMPAT < 0x10100000L
 211         ERR_free_strings();
 212 #else
 213 #endif
 214         return;
 215 }
 216
 217 static int print_openssl_error_cb(const char *str, size_t len, void *u)
 218 {
 219         connman_error("%s", str);
 220         return 0;
 221 }
 222
 223 static void print_openssl_error()
 224 {
 225         ERR_print_errors_cb(print_openssl_error_cb, NULL);
 226         return;
 227 }
 228
 229 static int get_cert_type(const char *path)
 230 {
 231         char *down_str = NULL;
 232         int cert_type;
 233
 234         down_str = g_ascii_strdown(path, strlen(path));
 235         if (!down_str)
 236                 return CERT_TYPE_NONE;
 237
 238         if(g_str_has_suffix(down_str, ".pem"))
 239                 cert_type = CERT_TYPE_PEM;
 240         else if (g_str_has_suffix(down_str, ".der") || g_str_has_suffix(down_str, ".crt"))
 241                 cert_type = CERT_TYPE_DER;
 242         else if (g_str_has_suffix(down_str, ".p12") || g_str_has_suffix(down_str, ".pfx"))
 243                 cert_type = CERT_TYPE_PKCS12;
 244         else
 245                 cert_type = CERT_TYPE_NONE;
 246         g_free(down_str);
 247
 248         return cert_type;
 249 }
 250
 251 static int read_der_file(const char *path, X509 **cert)
 252 {
 253         FILE *fp = NULL;
 254         int err = 0;
 255
 256         if(!path || !cert) {
 257                 /* TODO :remove this after debug */
 258                 DBG("there's no cert data");
 259                 return 0;
 260         }
 261
 262         DBG("der path %s\n", path);
 263         fp = fopen(path, "r");
 264         if (!fp) {
 265                 connman_error("Failed to open file");
 266                 return -EINVAL;
 267         }
 268
 269         *cert = d2i_X509_fp(fp, NULL);
 270         if (!(*cert)) {
 271                 connman_error("Failed to read der file");
 272                 err = -EINVAL;
 273         }
 274
 275         fclose(fp);
 276         return err;
 277 }
 278
 279 static int read_pem_file(const char *path, X509 **cert)
 280 {
 281         FILE *fp = NULL;
 282         int err = 0;
 283
 284         if(!path || !cert) {
 285                 /* TODO :remove this after debug */
 286                 DBG("there's no cert data");
 287                 return 0;
 288         }
 289
 290         DBG("pem path %s\n", path);
 291         fp = fopen(path, "r");
 292         if (!fp) {
 293                 connman_error("Failed to open file");
 294                 return -EINVAL;
 295         }
 296
 297         *cert = PEM_read_X509(fp, cert, NULL, NULL);
 298         if (!(*cert)) {
 299                 connman_error("Failed to read pem file");
 300                 err = -EINVAL;
 301         }
 302
 303         fclose(fp);
 304         return err;
 305 }
 306
 307 static int read_pkcs12_file(const char *path, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
 308 {
 309         FILE *fp = NULL;
 310         PKCS12 *p12;
 311         int err = 0;
 312
 313         if(!path || !pass || !pkey || !cert || !ca) {
 314                 /* TODO :remove this after debug */
 315                 DBG("there's no cert data");
 316                 return 0;
 317         }
 318
 319         DBG("pkcs12 path %s\n", path);
 320         fp = fopen(path, "r");
 321         if (!fp) {
 322                 connman_error("Failed to open file");
 323                 return -EINVAL;
 324         }
 325
 326         p12 = d2i_PKCS12_fp(fp, NULL);
 327         if (!p12) {
 328                 connman_error("Failed to open pkcs12");
 329                 fclose(fp);
 330                 return -EINVAL;
 331         }
 332
 333         if (!PKCS12_parse(p12, pass, pkey, cert, ca)) {
 334                 connman_error("Failed to parse pkcs12");
 335                 err = -EINVAL;
 336         }
 337
 338         PKCS12_free(p12);
 339         fclose(fp);
 340
 341         return err;
 342 }
 343
 344 static char *get_private_key_str(struct openssl_private_data *data)
 345 {
 346         EVP_PKEY *pkey;
 347         BIO* bio;
 348         BUF_MEM *buf_ptr;
 349         char *private_key_str = NULL;
 350
 351         if (!data)
 352                 return NULL;
 353
 354         if (!(pkey = data->private_key))
 355                 return NULL;
 356
 357         bio = BIO_new(BIO_s_mem());
 358         if (!bio) {
 359                 print_openssl_error();
 360                 return NULL;
 361         }
 362
 363         if (!PEM_write_bio_PrivateKey(bio, pkey, NULL, NULL, 0, NULL, NULL)) {
 364                 print_openssl_error();
 365                 BIO_free(bio);
 366                 return NULL;
 367         }
 368
 369         BIO_get_mem_ptr(bio, &buf_ptr);
 370         if (!buf_ptr) {
 371                 print_openssl_error();
 372                 BIO_free(bio);
 373                 return NULL;
 374         }
 375
 376         private_key_str = g_try_malloc0(buf_ptr->length + 1);
 377         if (!private_key_str) {
 378                 print_openssl_error();
 379                 BIO_free(bio);
 380                 return NULL;
 381         }
 382
 383         g_strlcpy(private_key_str, buf_ptr->data, buf_ptr->length);
 384
 385         BIO_free(bio);
 386
 387         return private_key_str;
 388 }
 389
 390 static char *get_cert_str(X509 *cert)
 391 {
 392         BIO* bio;
 393         BUF_MEM *buf_ptr;
 394         char *cert_str = NULL;
 395
 396         if (!cert)
 397                 return NULL;
 398
 399         bio = BIO_new(BIO_s_mem());
 400         if (!bio) {
 401                 print_openssl_error();
 402                 return NULL;
 403         }
 404
 405         if (!PEM_write_bio_X509_AUX(bio, cert)) {
 406                 print_openssl_error();
 407                 BIO_free(bio);
 408                 return NULL;
 409         }
 410
 411         BIO_get_mem_ptr(bio, &buf_ptr);
 412         if (!buf_ptr) {
 413                 print_openssl_error();
 414                 BIO_free(bio);
 415                 return NULL;
 416         }
 417
 418         cert_str = g_try_malloc0(buf_ptr->length + 1);
 419         if (!cert_str) {
 420                 print_openssl_error();
 421                 BIO_free(bio);
 422                 return NULL;
 423         }
 424
 425         g_strlcpy(cert_str, buf_ptr->data, buf_ptr->length);
 426
 427         BIO_free(bio);
 428         return cert_str;
 429 }
 430
 431 static char * get_local_cert_str(struct openssl_private_data *data)
 432 {
 433         if (!data)
 434                 return NULL;
 435
 436         if (!(data->local_cert))
 437                 return NULL;
 438
 439         return get_cert_str(data->local_cert);
 440 }
 441
 442 int get_ca_cert_num(struct openssl_private_data *data)
 443 {
 444         if(!data || !data->ca_certs)
 445                 return 0;
 446
 447         return sk_X509_num(data->ca_certs);
 448 }
 449
 450 static char * get_nth_ca_cert_str(struct openssl_private_data *data, int num)
 451 {
 452         X509 *cert = NULL;
 453
 454         if (!data)
 455                 return NULL;
 456
 457         if (!(data->ca_certs))
 458                 return NULL;
 459
 460         cert = sk_X509_value(data->ca_certs, num);
 461
 462         return get_cert_str(cert);
 463 }
 464
 465 static int extract_cert_info(const char *path, const char *pass, struct openssl_private_data *data)
 466 {
 467         int err = 0;
 468         if(!path || !data) {
 469                 /* TODO :remove this after debug */
 470                 DBG("there's no cert data");
 471                 return 0;
 472         }
 473
 474         switch (get_cert_type(path)) {
 475         case CERT_TYPE_DER:
 476                 err = read_der_file(path, &(data->local_cert));
 477                 break;
 478         case CERT_TYPE_PEM:
 479                 err = read_pem_file(path, &(data->local_cert));
 480                 break;
 481         case CERT_TYPE_PKCS12:
 482                 err = read_pkcs12_file(path, pass, &(data->private_key), &(data->local_cert), &(data->ca_certs));
 483                 break;
 484         default:
 485                 break;
 486         }
 487
 488         return err;
 489 }
 490
 491 static void free_openssl_private_data(struct openssl_private_data *data)
 492 {
 493         if (!data)
 494                 return;
 495
 496         EVP_PKEY *private_key = data->private_key;
 497         X509 *local_cert = data->local_cert;
 498         STACK_OF(X509) *ca_certs = data->ca_certs;
 499
 500         if (private_key)
 501                 EVP_PKEY_free(private_key);
 502
 503         if (local_cert)
 504                 X509_free(local_cert);
 505
 506         if (ca_certs)
 507                 sk_X509_pop_free(ca_certs, X509_free);
 508
 509         return;
 510 }
 511
 512 static void free_private_data(struct ipsec_private_data *data)
 513 {
 514         free_openssl_private_data(&(data->openssl_data));
 515         deinit_openssl();
 516         g_free(data);
 517 }
 518
 519 static int ipsec_notify(DBusMessage *msg, struct vpn_provider *provider)
 520 {
 521         return 0;
 522 }
 523
 524 static void ipsec_set_event_cb(vpn_event_callback event_cb, struct vpn_provider *provider)
 525 {
 526         DBG("set event cb!");
 527         event_data.event_cb = event_cb;
 528         event_data.event_user_data = provider;
 529         return;
 530 }
 531
 532 static int ipsec_is_same_auth(const char* req, const char* target)
 533 {
 534         if (req == NULL || target == NULL)
 535                 return 0;
 536         return (g_strcmp0(req, target) == 0);
 537 }
 538
 539 static int vici_load_cert(const char* type, const char* flag, const char* data)
 540 {
 541         VICISection *sect;
 542         int ret = 0;
 543
 544         sect = vici_create_section(NULL);
 545         if (!sect)
 546                 return -ENOMEM;
 547
 548         vici_add_kv(sect, "type", type, NULL);
 549         vici_add_kv(sect, "flag", flag, NULL);
 550         vici_add_kv(sect, "data", data, NULL);
 551
 552         ret = vici_send_request(vici_client, VICI_CMD_LOAD_CERT, sect);
 553         if (ret < 0)
 554                 connman_error("vici_send_request failed");
 555
 556         vici_destroy_section(sect);
 557
 558         return ret;
 559 }
 560
 561 static int vici_load_key(const char* type, const char* data)
 562 {
 563         VICISection *sect;
 564         sect = vici_create_section(NULL);
 565         int ret = 0;
 566
 567         vici_add_kv(sect, "type", type, NULL);
 568         vici_add_kv(sect, "data", data, NULL);
 569         ret = vici_send_request(vici_client, VICI_CMD_LOAD_KEY, sect);
 570         if (ret < 0)
 571                 connman_error("vici_send_request failed");
 572
 573         vici_destroy_section(sect);
 574
 575         return ret;
 576 }
 577
 578 static void ipsec_add_default_child_sa_data(struct vpn_provider *provider, VICISection *child)
 579 {
 580         const char *version = vpn_provider_get_string(provider, "IPsec.Version");
 581         if (g_strcmp0(version, "1") == 0) {
 582                 int i = 0;
 583                 GSList *list;
 584
 585                 for (list = NULL; ikev1_esp_proposals[i] != NULL; i++)
 586                         list = g_slist_append(list, g_strdup(ikev1_esp_proposals[i]));
 587                 vici_add_list(child, "esp_proposals", list, "net");
 588                 g_slist_free_full(list, g_free);
 589                 list = NULL;
 590         } else {
 591                 vici_add_kvl(child, "esp_proposals", ikev2_esp_proposals, "net");
 592         }
 593         return;
 594 }
 595
 596 static void ipsec_add_default_conn_data(struct vpn_provider *provider, VICISection *conn)
 597 {
 598         const char *version = vpn_provider_get_string(provider, "IPsec.Version");
 599         if (g_strcmp0(version, "1") == 0) {
 600                 int i = 0;
 601                 GSList *list;
 602
 603                 for (list = NULL; ikev1_proposals[i] != NULL; i++)
 604                         list = g_slist_append(list, g_strdup(ikev1_proposals[i]));
 605                 vici_add_list(conn, "proposals", list, NULL);
 606                 g_slist_free_full(list, g_free);
 607                 list = NULL;
 608
 609                 if (g_strcmp0(vpn_provider_get_string(provider, "IPsec.LocalAuth"), "psk") == 0)
 610                         vici_add_kv(conn, "aggressive", "yes", NULL);
 611         } else {
 612                 vici_add_kvl(conn, "proposals", ikev2_proposals, NULL);
 613         }
 614
 615         vici_add_kvl(conn, "vips", "0.0.0.0", NULL);
 616         return;
 617 }
 618
 619
 620 static int ipsec_load_conn(struct vpn_provider *provider, struct ipsec_private_data *data)
 621 {
 622         const char *key;
 623         const char *value;
 624         const char *subsection;
 625         char *local_cert_str;
 626         VICISection *conn;
 627         VICISection *children;
 628         int i;
 629         int ret = 0;
 630
 631         if (!provider || !data) {
 632                 connman_error("invalid provider or data");
 633                 return -EINVAL;
 634         }
 635
 636         value = vpn_provider_get_string(provider, "Name");
 637         DBG("Name: %s", value);
 638         conn = vici_create_section(value);
 639         children = vici_create_section("children");
 640         add_subsection("children", children, conn);
 641
 642         for (i = 0; i < (int)ARRAY_SIZE(ipsec_conn_options); i++) {
 643                 value = vpn_provider_get_string(provider, ipsec_conn_options[i].cm_opt);
 644                 if (!value)
 645                         continue;
 646
 647                 key = ipsec_conn_options[i].vici_key;
 648                 subsection = ipsec_conn_options[i].subsection;
 649                 ipsec_conn_options[i].add_elem(conn, key, value, subsection);
 650         }
 651
 652         local_cert_str = get_local_cert_str(&(data->openssl_data));
 653         if (local_cert_str) {
 654                 /* TODO :remove this after debug */
 655                 DBG("There's local certification to add local section");
 656                 vici_add_kvl(conn, "certs", local_cert_str, "local");
 657                 g_free(local_cert_str);
 658         }
 659
 660         ipsec_add_default_conn_data(provider, conn);
 661         ipsec_add_default_child_sa_data(provider, children);
 662
 663         ret = vici_send_request(vici_client, VICI_CMD_LOAD_CONN, conn);
 664         if (ret < 0)
 665                 connman_error("vici_send_request failed");
 666
 667         vici_destroy_section(conn);
 668
 669         return ret;
 670 }
 671
 672 static int ipsec_load_private_data(struct ipsec_private_data *data)
 673 {
 674         char *private_key_str;
 675         char *ca_cert_str;
 676         int ca_cert_num;
 677         int i;
 678         int ret = 0;
 679
 680         private_key_str = get_private_key_str(&(data->openssl_data));
 681         if (private_key_str) {
 682                 /* TODO :remove this after debug */
 683                 DBG("load private key");
 684                 ret = vici_load_key("RSA", private_key_str);
 685                 g_free(private_key_str);
 686         }
 687
 688         if (ret < 0)
 689                 return ret;
 690
 691         ca_cert_num = get_ca_cert_num(&(data->openssl_data));
 692         if (ca_cert_num < 1)
 693                 return 0;
 694
 695         for (i = 0; i < ca_cert_num; i++) {
 696                 /* TODO :remove this after debug */
 697                 DBG("load CA cert");
 698                 ca_cert_str = get_nth_ca_cert_str(&(data->openssl_data), i);
 699                 ret = vici_load_cert("X509", "CA", ca_cert_str);
 700                 g_free(ca_cert_str);
 701                 if (ret < 0)
 702                         return ret;
 703         }
 704
 705         return ret;
 706 }
 707
 708 static int ipsec_load_shared_psk(struct vpn_provider *provider)
 709 {
 710         const char *data;
 711         const char *owner;
 712         VICISection *sect;
 713         int ret = 0;
 714
 715         if (!provider) {
 716                 connman_error("invalid provider");
 717                 return -EINVAL;
 718         }
 719
 720         data = vpn_provider_get_string(provider, "IPsec.IKEData");
 721         owner = vpn_provider_get_string(provider, "IPsec.IKEOwners");
 722         DBG("IKEData: %s, IKEOwners: %s", data, owner);
 723
 724         if (!data)
 725                 return 0;
 726
 727         sect = vici_create_section(NULL);
 728         if (!sect) {
 729                 return -ENOMEM;
 730         }
 731
 732         vici_add_kv(sect, "type", VICI_SHARED_TYPE_PSK, NULL);
 733         vici_add_kv(sect, "data", data, NULL);
 734         vici_add_kvl(sect, "owners", owner, NULL);
 735
 736         ret = vici_send_request(vici_client, VICI_CMD_LOAD_SHARED, sect);
 737         if (ret < 0)
 738                 connman_error("vici_send_request failed");
 739
 740         vici_destroy_section(sect);
 741
 742         return ret;
 743 }
 744
 745 static int ipsec_load_shared_xauth(struct vpn_provider *provider)
 746 {
 747         const char *data;
 748         const char *owner;
 749         VICISection *sect;
 750         int ret = 0;
 751
 752         if (!provider) {
 753                 connman_error("invalid provider");
 754                 return -EINVAL;
 755         }
 756
 757         data = vpn_provider_get_string(provider, "IPsec.XauthData");
 758         owner = vpn_provider_get_string(provider, "IPsec.XauthOwners");
 759         DBG("XauthData: %s, XauthOwners: %s", data, owner);
 760
 761         if (!data)
 762                 return 0;
 763
 764         sect = vici_create_section(NULL);
 765
 766         vici_add_kv(sect, "type", VICI_SHARED_TYPE_XAUTH, NULL);
 767         vici_add_kv(sect, "data", data, NULL);
 768         vici_add_kvl(sect, "owners", owner, NULL);
 769
 770         ret = vici_send_request(vici_client, VICI_CMD_LOAD_SHARED, sect);
 771         if (ret < 0)
 772                 connman_error("vici_send_request failed");
 773
 774         vici_destroy_section(sect);
 775
 776         return ret;
 777 }
 778
 779 static char *load_file_from_path(const char *path)
 780 {
 781         struct stat st;
 782         FILE *fp = NULL;
 783         int fd = 0;
 784         size_t  file_size = 0;
 785         char *file_buff = NULL;
 786
 787         if (!path) {
 788                 connman_error("File path is NULL\n");
 789                 return NULL;
 790         }
 791
 792         fp = fopen(path, "rb");
 793         if (!fp) {
 794                 connman_error("fopen %s is failed\n", path);
 795                 return NULL;
 796         }
 797
 798         fd = fileno(fp);
 799         if (fd == -1) {
 800                 connman_error("fp is not a valid stream");
 801                 fclose(fp);
 802                 return NULL;
 803         }
 804
 805         fstat(fd, &st);
 806         file_size = st.st_size;
 807         file_buff = g_try_malloc0(sizeof(char)*st.st_size);
 808         if (file_buff == NULL) {
 809                 connman_error("g_try_malloc0 failed\n");
 810                 fclose(fp);
 811                 return NULL;
 812         }
 813
 814         if (fread(file_buff, 1, file_size, fp) != file_size) {
 815                 connman_error("file size not matched\n");
 816                 g_free(file_buff);
 817                 file_buff = NULL;
 818         }
 819
 820         fclose(fp);
 821         return file_buff;
 822 }
 823
 824 static int ipsec_load_key(struct vpn_provider *provider)
 825 {
 826         const char *type;
 827         const char *path;
 828         char *data;
 829         VICISection *sect;
 830         int ret = 0;
 831
 832         if (!provider) {
 833                 connman_error("invalid provider");
 834                 return -EINVAL;
 835         }
 836
 837         type = vpn_provider_get_string(provider, "IPsec.PKeyType");
 838         path = vpn_provider_get_string(provider, "IPsec.PKeyData");
 839         DBG("PKeyType: %s, PKeyData: %s", type, path);
 840
 841         if (!type || !path)
 842                 return 0;
 843
 844         data = load_file_from_path(path);
 845         if (!data)
 846                 return 0;
 847
 848         sect = vici_create_section(NULL);
 849         if (!sect) {
 850                 g_free(data);
 851                 return -ENOMEM;
 852         }
 853
 854         vici_add_kv(sect, "type", type, NULL);
 855         vici_add_kv(sect, "data", data, NULL);
 856
 857         ret = vici_send_request(vici_client, VICI_CMD_LOAD_KEY, sect);
 858         if (ret < 0)
 859                 connman_error("vici_send_request failed");
 860
 861         vici_destroy_section(sect);
 862         g_free(data);
 863
 864         return ret;
 865 }
 866
 867 static int ipsec_initiate(struct vpn_provider *provider)
 868 {
 869         VICISection *sect;
 870         int ret = 0;
 871
 872         sect = vici_create_section(NULL);
 873         if (!sect)
 874                 return -ENOMEM;
 875
 876         vici_add_kv(sect, "child", "net", NULL);
 877         ret = vici_send_request(vici_client, VICI_CMD_INITIATE, sect);
 878         if (ret < 0)
 879                 connman_error("vici_send_request failed");
 880
 881         vici_destroy_section(sect);
 882
 883         return ret;
 884 }
 885
 886 static int ipsec_load_cert(struct vpn_provider *provider)
 887 {
 888         const char *type;
 889         const char *flag;
 890         char *data;
 891         const char *local_auth_type;
 892         const char *remote_auth_type;
 893         int ret = 0;
 894
 895         if (!provider) {
 896                 connman_error("invalid provider");
 897                 return -EINVAL;
 898         }
 899
 900         local_auth_type = vpn_provider_get_string(provider, "IPsec.LocalAuth");
 901         remote_auth_type = vpn_provider_get_string(provider, "IPsec.RemoteAuth");
 902         if (!ipsec_is_same_auth(local_auth_type, "pubkey") &&
 903                         !ipsec_is_same_auth(remote_auth_type, "pubkey")) {
 904                 DBG("invalid auth type");
 905                 return 0;
 906         }
 907
 908         type = vpn_provider_get_string(provider, "IPsec.CertType");
 909         flag = vpn_provider_get_string(provider, "IPsec.CertFlag");
 910         data = load_file_from_path(vpn_provider_get_string(provider, "IPsec.CertData"));
 911         DBG("CertType: %s, CertFalg: %s,CertData: %s", type, flag, data);
 912         if (!type || ! flag || !data) {
 913                 connman_error("invalid certification information");
 914                 g_free(data);
 915                 return -EINVAL;
 916         }
 917
 918         ret = vici_load_cert(type, flag, data);
 919         if (ret < 0)
 920                 connman_error("failed to load cert");
 921
 922         g_free(data);
 923
 924         return ret;
 925 }
 926
 927 static int ipsec_terminate(struct vpn_provider *provider)
 928 {
 929         VICISection *sect;
 930         int ret = 0;
 931
 932         sect = vici_create_section(NULL);
 933         if (!sect)
 934                 return -ENOMEM;
 935
 936         vici_add_kv(sect, "child", "net", NULL);
 937         vici_add_kv(sect, "ike", vpn_provider_get_string(provider, "Name"), NULL);
 938         vici_add_kv(sect, "timeout", "-1", NULL);
 939         ret = vici_send_request(vici_client, VICI_CMD_TERMINATE, sect);
 940         if (ret < 0)
 941                 connman_error("vici_send_request failed");
 942
 943         vici_destroy_section(sect);
 944
 945         return ret;
 946 }
 947
 948 static void request_reply_cb(int err, void *user_data)
 949 {
 950         struct ipsec_private_data *data;
 951
 952         data = (struct ipsec_private_data *)user_data;
 953         DBG("request reply cb");
 954
 955         if(err != 0) {
 956                 if (event_data.event_cb)
 957                         event_data.event_cb(event_data.event_user_data, VPN_STATE_FAILURE);
 958                 /* TODO: Does close socket needed? */
 959         } else {
 960                 DBG("Series of requests are succeeded");
 961                 /* TODO: Not sure about below */
 962                 if (event_data.event_cb)
 963                         event_data.event_cb(event_data.event_user_data, VPN_STATE_CONNECT);
 964         }
 965
 966         free_private_data(data);
 967 }
 968
 969 static void ipsec_vici_event_cb(VICIClientEvent event, void *user_data)
 970 {
 971         struct vpn_provider *provider;
 972
 973         provider = (struct vpn_provider *)user_data;
 974         if (!provider) {
 975                 DBG("Invalid user data");
 976                 return;
 977         }
 978
 979         if(event == VICI_EVENT_CHILD_UP) {
 980                 if (event_data.event_cb)
 981                         event_data.event_cb(event_data.event_user_data, VPN_STATE_READY);
 982         } else if (event == VICI_EVENT_CHILD_DOWN) {
 983                 if (event_data.event_cb)
 984                         event_data.event_cb(event_data.event_user_data, VPN_STATE_DISCONNECT);
 985         } else {
 986                 DBG("Unknown event");
 987         }
 988
 989         return;
 990 }
 991
 992 static struct ipsec_private_data* create_ipsec_private_data(struct vpn_provider *provider,
 993                 vpn_provider_connect_cb_t cb, void* user_data)
 994 {
 995         struct ipsec_private_data *data;
 996         data = g_try_new0(struct ipsec_private_data, 1);
 997         if (!data) {
 998                 connman_error("out of memory");
 999                 return NULL;
1000         }
1001
1002         init_openssl();
1003
1004         data->provider = provider;
1005         data->connect_cb = cb;
1006         data->connect_user_data = user_data;
1007         return data;
1008 }
1009
1010 static void vici_connect(struct ipsec_private_data *data)
1011 {
1012         struct vpn_provider *provider = NULL;
1013         vpn_provider_connect_cb_t cb = NULL;
1014         int err = 0;
1015
1016         if (!data)
1017                 IPSEC_ERROR_CHECK_GOTO(-1, done, "Invalid data parameter");
1018
1019         provider = data->provider;
1020         cb = data->connect_cb;
1021         if (!provider || !cb)
1022                 IPSEC_ERROR_CHECK_GOTO(-1, done, "Invalid provider or callback");
1023
1024         DBG("data %p, provider %p", data, provider);
1025
1026         /*
1027          * Initialize vici client
1028          */
1029         err = vici_initialize(&vici_client);
1030         IPSEC_ERROR_CHECK_GOTO(err, done, "failed to initialize vici_client");
1031
1032         /* TODO :remove this after debug */
1033         DBG("success to initialize vici socket");
1034
1035         vici_set_request_reply_cb(vici_client, (vici_request_reply_cb)request_reply_cb, data);
1036         /*
1037          * Sets child-updown event
1038          */
1039         err = vici_set_event_cb(vici_client, (vici_event_cb)ipsec_vici_event_cb, provider);
1040         IPSEC_ERROR_CHECK_GOTO(err, done, "register event failed");
1041
1042         /* TODO :remove this after debug */
1043         DBG("success to vici_set_event_cb");
1044         /*
1045          * Send the load-conn command
1046          */
1047         err = ipsec_load_conn(provider, data);
1048         IPSEC_ERROR_CHECK_GOTO(err, done, "load-conn failed");
1049
1050         /* TODO :remove this after debug */
1051         DBG("success to ipsec_load_conn");
1052
1053         err = ipsec_load_private_data(data);
1054         IPSEC_ERROR_CHECK_GOTO(err, done, "load private data failed");
1055
1056         /* TODO :remove this after debug */
1057         DBG("success to ipsec_load_private_data");
1058
1059         /*
1060          * Send the load-shared command for PSK
1061          */
1062         err = ipsec_load_shared_psk(provider);
1063         IPSEC_ERROR_CHECK_GOTO(err, done, "load-shared failed");
1064
1065         /* TODO :remove this after debug */
1066         DBG("success to ipsec_load_shared_psk");
1067
1068         /*
1069          * Send the load-shared command for XAUTH
1070          */
1071         err = ipsec_load_shared_xauth(provider);
1072         IPSEC_ERROR_CHECK_GOTO(err, done, "load-shared failed");
1073
1074         /* TODO :remove this after debug */
1075         DBG("success to ipsec_load_shared_xauth");
1076         /*
1077          * Send the load-cert command
1078          */
1079         err = ipsec_load_cert(provider);
1080         IPSEC_ERROR_CHECK_GOTO(err, done, "load-cert failed");
1081
1082         /* TODO :remove this after debug */
1083         DBG("success to ipsec_load_cert");
1084
1085         /*
1086          * Send the load-key command
1087          */
1088         err = ipsec_load_key(provider);
1089         IPSEC_ERROR_CHECK_GOTO(err, done, "load-key failed");
1090
1091         /* TODO :remove this after debug */
1092         DBG("success to ipsec_load_cert");
1093         /*
1094          * Send the initiate command
1095          */
1096         err = ipsec_initiate(provider);
1097         IPSEC_ERROR_CHECK_GOTO(err, done, "initiate failed");
1098
1099         /* TODO :remove this after debug */
1100         DBG("success to ipsec_initiate");
1101
1102 done:
1103         /* refer to connect_cb on vpn-provider.c for cb */
1104         if(cb)
1105                 cb(provider, data->connect_user_data, -err);
1106         /* TODO: Does close socket needed? when err is not zero */
1107
1108         return;
1109 }
1110
1111 static void monitor_changed(GFileMonitor *monitor, GFile *file, GFile *other_file,
1112                 GFileMonitorEvent  event_type, gpointer user_data)
1113 {
1114         DBG("file %s", g_file_get_path(file));
1115         if (event_type == G_FILE_MONITOR_EVENT_CREATED) {
1116                 if (g_file_test(VICI_DEFAULT_URI, G_FILE_TEST_EXISTS)) {
1117                         DBG("file created: %s", VICI_DEFAULT_URI);
1118                         struct ipsec_private_data *data = user_data;
1119                         vici_connect(data);
1120                         g_object_unref(monitor);
1121                 }
1122         }
1123 }
1124
1125 static void monitor_vici_socket(struct ipsec_private_data *data)
1126 {
1127         GError *error = NULL;
1128         GFile* file;
1129
1130         file = g_file_new_for_path(VICI_DEFAULT_URI);
1131         monitor = g_file_monitor_file(file, G_FILE_MONITOR_SEND_MOVED, NULL, &error);
1132         if (error) {
1133                 connman_error("g_file_monitor_directory failed: %s / %d", error->message, error->code);
1134                 g_error_free(error);
1135                 if(event_data.event_cb)
1136                         event_data.event_cb(event_data.event_user_data, VPN_STATE_FAILURE);
1137                 return;
1138         }
1139         /* TODO :remove this after debug */
1140         DBG("starting to monitor vici socket");
1141         g_signal_connect(monitor, "changed", G_CALLBACK(monitor_changed), data);
1142         g_object_unref(file);
1143 }
1144
1145 static void check_vici_socket(struct ipsec_private_data *data)
1146 {
1147         DBG("data %p", data);
1148         if (g_file_test(VICI_DEFAULT_URI, G_FILE_TEST_EXISTS)) {
1149                 DBG("file exists: %s", VICI_DEFAULT_URI);
1150                 vici_connect(data);
1151         } else {
1152                 monitor_vici_socket(data);
1153         }
1154 }
1155
1156 static void ipsec_died(struct connman_task *task, int exit_code, void *user_data)
1157 {
1158        DBG("task %p exit_code %d", task, exit_code);
1159        unlink(VICI_DEFAULT_URI);
1160        vpn_died(task, exit_code, user_data);
1161 }
1162
1163 static int ipsec_connect(struct vpn_provider *provider,
1164                         struct connman_task *task, const char *if_name,
1165                         vpn_provider_connect_cb_t cb, const char *dbus_sender,
1166                         void *user_data)
1167 {
1168         struct ipsec_private_data *data;
1169         const char *path;
1170         const char *pass;
1171         int err = 0;
1172
1173         data = create_ipsec_private_data(provider, cb, user_data);
1174         if (!data) {
1175                 connman_error("create ipsec private data failed");
1176                 return -ENOMEM;
1177         }
1178         /*
1179          * Start charon daemon using ipsec script of strongSwan.
1180          */
1181         err = connman_task_run(task, ipsec_died, provider, NULL, NULL, NULL);
1182         if (err < 0) {
1183                 connman_error("charon start failed");
1184                 if (cb)
1185                         cb(provider, user_data, err);
1186
1187                 g_free(data);
1188                 return err;
1189         }
1190
1191         path = vpn_provider_get_string(provider, "IPsec.LocalCerts");
1192         pass = vpn_provider_get_string(provider, "IPsec.LocalCertPass");
1193         err = extract_cert_info(path, pass, &(data->openssl_data));
1194         if (err < 0) {
1195                 connman_error("extract cert info failed");
1196                 if (cb)
1197                         cb(provider, user_data, err);
1198
1199                 g_free(data);
1200                 return err;
1201         }
1202
1203         check_vici_socket(data);
1204 //      g_usleep(G_USEC_PER_SEC);
1205
1206         return err;
1207 }
1208
1209 static int ipsec_error_code(struct vpn_provider *provider, int exit_code)
1210 {
1211         return 0;
1212 }
1213
1214 static int ipsec_save(struct vpn_provider *provider, GKeyFile *keyfile)
1215 {
1216         int i;
1217         const char *option;
1218
1219         DBG("");
1220         /*
1221          * Save IKE connection configurations
1222          */
1223         for (i = 0; i < (int)ARRAY_SIZE(ipsec_conn_options); i++) {
1224                 option = vpn_provider_get_string(provider, ipsec_conn_options[i].cm_opt);
1225                 if (option)
1226                         g_key_file_set_string(keyfile,
1227                                         vpn_provider_get_save_group(provider),
1228                                         ipsec_conn_options[i].cm_opt,
1229                                         option);
1230         }
1231
1232         /*
1233          * Save shared IKE PSK, EAP or XAUTH secret
1234          */
1235         for (i = 0; i < (int)ARRAY_SIZE(ipsec_shared_options); i++) {
1236                 option = vpn_provider_get_string(provider, ipsec_shared_options[i].cm_opt);
1237                 if (option)
1238                         g_key_file_set_string(keyfile,
1239                                         vpn_provider_get_save_group(provider),
1240                                         ipsec_shared_options[i].cm_opt,
1241                                         option);
1242         }
1243
1244         /*
1245          * Save certification
1246          */
1247         for (i = 0; i < (int)ARRAY_SIZE(ipsec_cert_options); i++) {
1248                 option = vpn_provider_get_string(provider, ipsec_cert_options[i].cm_opt);
1249                 if (option)
1250                         g_key_file_set_string(keyfile,
1251                                         vpn_provider_get_save_group(provider),
1252                                         ipsec_cert_options[i].cm_opt,
1253                                         option);
1254         }
1255
1256         /*
1257          * Save private key
1258          */
1259         for (i = 0; i < (int)ARRAY_SIZE(ipsec_pkey_options); i++) {
1260                 option = vpn_provider_get_string(provider, ipsec_pkey_options[i].cm_opt);
1261                 if (option)
1262                         g_key_file_set_string(keyfile,
1263                                         vpn_provider_get_save_group(provider),
1264                                         ipsec_pkey_options[i].cm_opt,
1265                                         option);
1266         }
1267
1268         /*
1269          * Save local certification
1270          */
1271         option = vpn_provider_get_string(provider, "IPsec.LocalCerts");
1272         if (option)
1273                 g_key_file_set_string(keyfile,
1274                                 vpn_provider_get_save_group(provider),
1275                                 "IPsec.LocalCerts",
1276                                 option);
1277         option = vpn_provider_get_string(provider, "IPsec.LocalCertPass");
1278         if (option)
1279                 g_key_file_set_string(keyfile,
1280                                 vpn_provider_get_save_group(provider),
1281                                 "IPsec.LocalCertPass",
1282                                 option);
1283         /*
1284          * Save CA certification directory
1285          */
1286         option = vpn_provider_get_string(provider, "IPsec.CACertsDir");
1287         if (option)
1288                 g_key_file_set_string(keyfile,
1289                                 vpn_provider_get_save_group(provider),
1290                                 "IPsec.CACertsDir",
1291                                 option);
1292
1293         return 0;
1294 }
1295
1296 static void ipsec_disconnect(struct vpn_provider *provider)
1297 {
1298         int err = 0;
1299         /*
1300          * Send the terminate command
1301          */
1302         err = ipsec_terminate(provider);
1303         IPSEC_ERROR_CHECK_RETURN(err, "terminate failed");
1304
1305         err = vici_deinitialize(vici_client);
1306         IPSEC_ERROR_CHECK_RETURN(err, "failed to deinitialize vici_client");
1307
1308         return;
1309 }
1310
1311 static struct vpn_driver vpn_driver = {
1312         .flags = VPN_FLAG_NO_TUN,
1313         .notify = ipsec_notify,
1314         .set_event_cb = ipsec_set_event_cb,
1315         .connect = ipsec_connect,
1316         .error_code = ipsec_error_code,
1317         .save = ipsec_save,
1318         .disconnect = ipsec_disconnect,
1319 };
1320
1321 static int ipsec_init(void)
1322 {
1323         connection = connman_dbus_get_connection();
1324
1325         event_data.event_cb = NULL;
1326         event_data.event_user_data = NULL;
1327
1328         return vpn_register("ipsec", &vpn_driver, IPSEC);
1329 }
1330
1331 static void ipsec_exit(void)
1332 {
1333         vpn_unregister("ipsec");
1334
1335         dbus_connection_unref(connection);
1336 }
1337
1338 CONNMAN_PLUGIN_DEFINE(ipsec, "IPSec plugin", VERSION,
1339         CONNMAN_PLUGIN_PRIORITY_DEFAULT, ipsec_init, ipsec_exit)