com_android_server_connectivity_Vpn.cpp revision 23a5e4bcdcf7d3fef9aaa6c4a20f9f08f22ca9a6
1/* 2 * Copyright (C) 2011 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#define LOG_NDEBUG 0 18 19#define LOG_TAG "VpnJni" 20#include <cutils/log.h> 21#include <cutils/properties.h> 22 23#include <stdio.h> 24#include <string.h> 25#include <sys/ioctl.h> 26#include <sys/types.h> 27#include <sys/stat.h> 28#include <sys/socket.h> 29#include <netinet/in.h> 30#include <arpa/inet.h> 31#include <errno.h> 32#include <fcntl.h> 33 34#include <linux/if.h> 35#include <linux/if_tun.h> 36#include <linux/route.h> 37#include <linux/ipv6_route.h> 38 39#include "jni.h" 40#include "JNIHelp.h" 41 42namespace android 43{ 44 45static inline in_addr_t *as_in_addr(sockaddr *sa) { 46 return &((sockaddr_in *)sa)->sin_addr.s_addr; 47} 48 49static inline in_addr_t *as_in_addr(sockaddr_storage *ss) { 50 return &((sockaddr_in *)ss)->sin_addr.s_addr; 51} 52 53static inline in6_addr *as_in6_addr(sockaddr_storage *ss) { 54 return &((sockaddr_in6 *)&ss)->sin6_addr; 55} 56 57//------------------------------------------------------------------------------ 58 59#define SYSTEM_ERROR -1 60#define BAD_ARGUMENT -2 61 62static int create_interface(int mtu, char *name, int *index) 63{ 64 int tun = open("/dev/tun", O_RDWR); 65 int inet4 = socket(AF_INET, SOCK_DGRAM, 0); 66 67 ifreq ifr4; 68 memset(&ifr4, 0, sizeof(ifr4)); 69 70 // Allocate interface. 71 ifr4.ifr_flags = IFF_TUN | IFF_NO_PI; 72 if (ioctl(tun, TUNSETIFF, &ifr4)) { 73 LOGE("Cannot allocate TUN: %s", strerror(errno)); 74 goto error; 75 } 76 77 // Activate interface. 78 ifr4.ifr_flags = IFF_UP; 79 if (ioctl(inet4, SIOCSIFFLAGS, &ifr4)) { 80 LOGE("Cannot activate %s: %s", ifr4.ifr_name, strerror(errno)); 81 goto error; 82 } 83 84 // Set MTU if it is specified. 85 ifr4.ifr_mtu = mtu; 86 if (mtu > 0 && ioctl(inet4, SIOCSIFMTU, &ifr4)) { 87 LOGE("Cannot set MTU on %s: %s", ifr4.ifr_name, strerror(errno)); 88 goto error; 89 } 90 91 // Get interface index. 92 if (ioctl(inet4, SIOGIFINDEX, &ifr4)) { 93 LOGE("Cannot get index of %s: %s", ifr4.ifr_name, strerror(errno)); 94 goto error; 95 } 96 97 strcpy(name, ifr4.ifr_name); 98 *index = ifr4.ifr_ifindex; 99 close(inet4); 100 return tun; 101 102error: 103 close(tun); 104 close(inet4); 105 return SYSTEM_ERROR; 106} 107 108static int set_addresses(const char *name, int index, const char *addresses) 109{ 110 int inet4 = socket(AF_INET, SOCK_DGRAM, 0); 111 int inet6 = socket(AF_INET6, SOCK_DGRAM, 0); 112 113 ifreq ifr4; 114 memset(&ifr4, 0, sizeof(ifr4)); 115 strcpy(ifr4.ifr_name, name); 116 ifr4.ifr_addr.sa_family = AF_INET; 117 118 in6_ifreq ifr6; 119 memset(&ifr6, 0, sizeof(ifr6)); 120 ifr6.ifr6_ifindex = index; 121 122 char address[65]; 123 int prefix; 124 125 int chars; 126 int count = 0; 127 128 while (sscanf(addresses, " %64[^/]/%d %n", address, &prefix, &chars) == 2) { 129 addresses += chars; 130 131 if (strchr(address, ':')) { 132 // Add an IPv6 address. 133 if (inet_pton(AF_INET6, address, &ifr6.ifr6_addr) != 1 || 134 prefix < 0 || prefix > 128) { 135 count = BAD_ARGUMENT; 136 break; 137 } 138 139 ifr6.ifr6_prefixlen = prefix; 140 if (ioctl(inet6, SIOCSIFADDR, &ifr6)) { 141 count = (errno == EINVAL) ? BAD_ARGUMENT : SYSTEM_ERROR; 142 break; 143 } 144 } else { 145 // Add an IPv4 address. 146 if (inet_pton(AF_INET, address, as_in_addr(&ifr4.ifr_addr)) != 1 || 147 prefix < 0 || prefix > 32) { 148 count = BAD_ARGUMENT; 149 break; 150 } 151 152 if (count) { 153 sprintf(ifr4.ifr_name, "%s:%d", name, count); 154 } 155 if (ioctl(inet4, SIOCSIFADDR, &ifr4)) { 156 count = (errno == EINVAL) ? BAD_ARGUMENT : SYSTEM_ERROR; 157 break; 158 } 159 160 in_addr_t mask = prefix ? (~0 << (32 - prefix)) : 0; 161 *as_in_addr(&ifr4.ifr_addr) = htonl(mask); 162 if (ioctl(inet4, SIOCSIFNETMASK, &ifr4)) { 163 count = (errno == EINVAL) ? BAD_ARGUMENT : SYSTEM_ERROR; 164 break; 165 } 166 } 167 LOGV("Address added on %s: %s/%d", name, address, prefix); 168 ++count; 169 } 170 171 if (count == BAD_ARGUMENT) { 172 LOGE("Invalid address: %s/%d", address, prefix); 173 } else if (count == SYSTEM_ERROR) { 174 LOGE("Cannot add address: %s/%d: %s", address, prefix, strerror(errno)); 175 } else if (*addresses) { 176 LOGE("Invalid address: %s", addresses); 177 count = BAD_ARGUMENT; 178 } 179 180 close(inet4); 181 close(inet6); 182 return count; 183} 184 185static int set_routes(const char *name, int index, const char *routes) 186{ 187 int inet4 = socket(AF_INET, SOCK_DGRAM, 0); 188 int inet6 = socket(AF_INET6, SOCK_DGRAM, 0); 189 190 rtentry rt4; 191 memset(&rt4, 0, sizeof(rt4)); 192 rt4.rt_dev = (char *)name; 193 rt4.rt_flags = RTF_UP; 194 rt4.rt_dst.sa_family = AF_INET; 195 rt4.rt_genmask.sa_family = AF_INET; 196 rt4.rt_gateway.sa_family = AF_INET; 197 198 in6_rtmsg rt6; 199 memset(&rt6, 0, sizeof(rt6)); 200 rt6.rtmsg_ifindex = index; 201 rt6.rtmsg_flags = RTF_UP; 202 203 char address[65]; 204 int prefix; 205 char gateway[65]; 206 207 int chars; 208 int count = 0; 209 210 while (sscanf(routes, " %64[^/]/%d>%64[^ ] %n", 211 address, &prefix, gateway, &chars) == 3) { 212 routes += chars; 213 214 if (strchr(address, ':')) { 215 // Add an IPv6 route. 216 if (inet_pton(AF_INET6, gateway, &rt6.rtmsg_gateway) != 1 || 217 inet_pton(AF_INET6, address, &rt6.rtmsg_dst) != 1 || 218 prefix < 0 || prefix > 128) { 219 count = BAD_ARGUMENT; 220 break; 221 } 222 223 rt6.rtmsg_dst_len = prefix; 224 if (memcmp(&rt6.rtmsg_gateway, &in6addr_any, sizeof(in6addr_any))) { 225 rt6.rtmsg_flags |= RTF_GATEWAY; 226 } 227 if (ioctl(inet6, SIOCADDRT, &rt6) && errno != EEXIST) { 228 count = (errno == EINVAL) ? BAD_ARGUMENT : SYSTEM_ERROR; 229 break; 230 } 231 } else { 232 // Add an IPv4 route. 233 if (inet_pton(AF_INET, gateway, as_in_addr(&rt4.rt_gateway)) != 1 || 234 inet_pton(AF_INET, address, as_in_addr(&rt4.rt_dst)) != 1 || 235 prefix < 0 || prefix > 32) { 236 count = BAD_ARGUMENT; 237 break; 238 } 239 240 in_addr_t mask = prefix ? (~0 << (32 - prefix)) : 0; 241 *as_in_addr(&rt4.rt_genmask) = htonl(mask); 242 if (*as_in_addr(&rt4.rt_gateway)) { 243 rt4.rt_flags |= RTF_GATEWAY; 244 } 245 if (ioctl(inet4, SIOCADDRT, &rt4) && errno != EEXIST) { 246 count = (errno == EINVAL) ? BAD_ARGUMENT : SYSTEM_ERROR; 247 break; 248 } 249 } 250 LOGV("Route added on %s: %s/%d -> %s", name, address, prefix, gateway); 251 ++count; 252 } 253 254 if (count == BAD_ARGUMENT) { 255 LOGE("Invalid route: %s/%d -> %s", address, prefix, gateway); 256 } else if (count == SYSTEM_ERROR) { 257 LOGE("Cannot add route: %s/%d -> %s: %s", 258 address, prefix, gateway, strerror(errno)); 259 } else if (*routes) { 260 LOGE("Invalid route: %s", routes); 261 count = BAD_ARGUMENT; 262 } 263 264 close(inet4); 265 close(inet6); 266 return count; 267} 268 269static int get_interface_name(char *name, int tun) 270{ 271 ifreq ifr4; 272 if (ioctl(tun, TUNGETIFF, &ifr4)) { 273 LOGE("Cannot get interface name: %s", strerror(errno)); 274 return SYSTEM_ERROR; 275 } 276 strcpy(name, ifr4.ifr_name); 277 return 0; 278} 279 280static int reset_interface(const char *name) 281{ 282 int inet4 = socket(AF_INET, SOCK_DGRAM, 0); 283 284 ifreq ifr4; 285 ifr4.ifr_flags = 0; 286 strncpy(ifr4.ifr_name, name, IFNAMSIZ); 287 288 if (ioctl(inet4, SIOCSIFFLAGS, &ifr4) && errno != ENODEV) { 289 LOGE("Cannot reset %s: %s", name, strerror(errno)); 290 close(inet4); 291 return SYSTEM_ERROR; 292 } 293 close(inet4); 294 return 0; 295} 296 297static int check_interface(const char *name) 298{ 299 int inet4 = socket(AF_INET, SOCK_DGRAM, 0); 300 301 ifreq ifr4; 302 strncpy(ifr4.ifr_name, name, IFNAMSIZ); 303 ifr4.ifr_flags = 0; 304 305 if (ioctl(inet4, SIOCGIFFLAGS, &ifr4) && errno != ENODEV) { 306 LOGE("Cannot check %s: %s", name, strerror(errno)); 307 } 308 close(inet4); 309 return ifr4.ifr_flags; 310} 311 312static int bind_to_interface(int fd, const char *name) 313{ 314 if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, name, strlen(name))) { 315 LOGE("Cannot bind socket to %s: %s", name, strerror(errno)); 316 return SYSTEM_ERROR; 317 } 318 return 0; 319} 320 321//------------------------------------------------------------------------------ 322 323static void throwException(JNIEnv *env, int error, const char *message) 324{ 325 if (error == SYSTEM_ERROR) { 326 jniThrowException(env, "java/lang/IllegalStateException", message); 327 } else { 328 jniThrowException(env, "java/lang/IllegalArgumentException", message); 329 } 330} 331 332static jint establish(JNIEnv *env, jobject thiz, 333 jint mtu, jstring jAddresses, jstring jRoutes) 334{ 335 char name[IFNAMSIZ]; 336 int index; 337 int tun = create_interface(mtu, name, &index); 338 if (tun < 0) { 339 throwException(env, tun, "Cannot create interface"); 340 return -1; 341 } 342 LOGD("%s is created", name); 343 344 const char *addresses; 345 const char *routes; 346 int count; 347 348 // Addresses are required. 349 addresses = jAddresses ? env->GetStringUTFChars(jAddresses, NULL) : NULL; 350 if (!addresses) { 351 jniThrowNullPointerException(env, "address"); 352 goto error; 353 } 354 count = set_addresses(name, index, addresses); 355 env->ReleaseStringUTFChars(jAddresses, addresses); 356 if (count <= 0) { 357 throwException(env, count, "Cannot set address"); 358 goto error; 359 } 360 LOGD("Configured %d address(es) on %s", count, name); 361 362 // Routes are optional. 363 routes = jRoutes ? env->GetStringUTFChars(jRoutes, NULL) : NULL; 364 if (routes) { 365 count = set_routes(name, index, routes); 366 env->ReleaseStringUTFChars(jRoutes, routes); 367 if (count < 0) { 368 throwException(env, count, "Cannot set route"); 369 goto error; 370 } 371 LOGD("Configured %d route(s) on %s", count, name); 372 } 373 374 return tun; 375 376error: 377 close(tun); 378 LOGD("%s is destroyed", name); 379 return -1; 380} 381 382static jstring getName(JNIEnv *env, jobject thiz, jint fd) 383{ 384 char name[IFNAMSIZ]; 385 if (get_interface_name(name, fd) < 0) { 386 throwException(env, SYSTEM_ERROR, "Cannot get interface name"); 387 return NULL; 388 } 389 return env->NewStringUTF(name); 390} 391 392static void reset(JNIEnv *env, jobject thiz, jstring jName) 393{ 394 const char *name = jName ? 395 env->GetStringUTFChars(jName, NULL) : NULL; 396 if (!name) { 397 jniThrowNullPointerException(env, "name"); 398 return; 399 } 400 if (reset_interface(name) < 0) { 401 throwException(env, SYSTEM_ERROR, "Cannot reset interface"); 402 } else { 403 LOGD("%s is deactivated", name); 404 } 405 env->ReleaseStringUTFChars(jName, name); 406} 407 408static jint check(JNIEnv *env, jobject thiz, jstring jName) 409{ 410 const char *name = jName ? 411 env->GetStringUTFChars(jName, NULL) : NULL; 412 if (!name) { 413 jniThrowNullPointerException(env, "name"); 414 return 0; 415 } 416 int flags = check_interface(name); 417 env->ReleaseStringUTFChars(jName, name); 418 return flags; 419} 420 421static void protect(JNIEnv *env, jobject thiz, jint fd, jstring jName) 422{ 423 const char *name = jName ? 424 env->GetStringUTFChars(jName, NULL) : NULL; 425 if (!name) { 426 jniThrowNullPointerException(env, "name"); 427 return; 428 } 429 if (bind_to_interface(fd, name) < 0) { 430 throwException(env, SYSTEM_ERROR, "Cannot protect socket"); 431 } 432 env->ReleaseStringUTFChars(jName, name); 433} 434 435//------------------------------------------------------------------------------ 436 437static JNINativeMethod gMethods[] = { 438 {"nativeEstablish", "(ILjava/lang/String;Ljava/lang/String;)I", (void *)establish}, 439 {"nativeGetName", "(I)Ljava/lang/String;", (void *)getName}, 440 {"nativeReset", "(Ljava/lang/String;)V", (void *)reset}, 441 {"nativeCheck", "(Ljava/lang/String;)I", (void *)check}, 442 {"nativeProtect", "(ILjava/lang/String;)V", (void *)protect}, 443}; 444 445int register_android_server_connectivity_Vpn(JNIEnv *env) 446{ 447 return jniRegisterNativeMethods(env, "com/android/server/connectivity/Vpn", 448 gMethods, NELEM(gMethods)); 449} 450 451}; 452