chromiumos/platform/vpn-manager.git
16 months ago vpn-manager: Accept PEM files 42/60542/2 factory-4455.B factory-pit-4390.B factory-pit-4471.B firmware-falco_peppy-4389.B firmware-leon-4389.26.B firmware-pit-4482.B firmware-wolf-4389.24.B master release-R30-4537.B stabilize-4443.B stabilize-4512.B
Paul Stewart [Fri, 28 Jun 2013 22:50:56 +0000 (15:50 -0700)]
vpn-manager: Accept PEM files

Try to open CA certificate files as PEM when trying to retrieve
subject information from certificates.

BUG=chromium:249363
TEST=Unit tests.

Change-Id: I41cb60ddcbb4e6a0e2eb1a4120a58d1f8955c344
Reviewed-on: https://gerrit.chromium.org/gerrit/60542
Reviewed-by: Christopher Wiley <wiley@chromium.org>
Reviewed-by: Darin Petkov <petkov@chromium.org>
Commit-Queue: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
18 months ago vpn-manager: use MOCK_CONST_METHOD for const func 66/48566/5 factory-4128.B factory-4290.B factory-pit-4280.B factory-spring-4131.B factory-spring-4262.B release-R28-4100.B release-R29-4319.B stabilize-4035.0.B stabilize-4068.0.B stabilize-4100.38.B stabilize-4255.B stabilize-4287.B stabilize-spring-4100.53.B toolchainB
Yunlian Jiang [Thu, 18 Apr 2013 22:04:13 +0000 (15:04 -0700)]
vpn-manager: use MOCK_CONST_METHOD for const func

BUG=chromium:233350
TEST=FEATURES="test" CXXFLAGS="-clang" emerge-lumpy vpn-manager
     passes.

Change-Id: I29f04071e0c95a3385a9026bd93c4aa37a28557e
Reviewed-on: https://gerrit.chromium.org/gerrit/48566
Reviewed-by: Paul Stewart <pstew@chromium.org>
Commit-Queue: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
18 months ago vpn-manager: Change root of persistent directory 96/47096/3 stabilize-4008.0.B
Paul Stewart [Tue, 2 Apr 2013 03:28:11 +0000 (20:28 -0700)]
vpn-manager: Change root of persistent directory

The symlinks for the ipsec configuration have changed from pointing
to the stateful partition to a link directory to be created in
/var/run.  Update service_manager to point to these links, and
have ipsec_manager change permissions on the top level so that
CA certificate links are still world readable.

CQ-DEPEND=CL:47095
BUG=chromium:225565
TEST=Manual: run connect-vpn against an l2tpipsec VPN server; make sure
the /var/run/l2tpipsec_vpn/current directory is world readable:
  su nobody -s /bin/bash -c "ls -al /var/run/l2tpipsec_vpn/current"

Change-Id: I9fba0a231d5fbbbc96c801f282d6d7801c4deaf7
Reviewed-on: https://gerrit.chromium.org/gerrit/47096
Reviewed-by: Darin Petkov <petkov@chromium.org>
Commit-Queue: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
19 months ago ipsec-manager: Accept "tunnel group" parameter 53/46153/5
Paul Stewart [Thu, 21 Mar 2013 19:09:55 +0000 (12:09 -0700)]
ipsec-manager: Accept "tunnel group" parameter

Specify to "Aggressive Mode" and encode the tunnel group name
when asked to do so via a command-line flag.  This allows a
user realm to be specified during the first round of negotiations,
which is interpreted by Cisco VPNs as the Tunnel Group for which
various configuration and policy is layered.

BUG=chromium:199004
TEST=Use in tandem with https://gerrit.chromium.org/gerrit/46154
and the new "--tunnel-group" parameter to the "connect-vpn" test
script and a Cisco ASA 5505 VPN configured with an alternate tunnel
group.  Unfortunately due to configuration issues on the VPN, the
IPSec connection was observed to be established, and the correct
tunnel group was indicated in the logs, but the PPP link did not
come up due to an AAA internal issue to the VPN.  Verify that
connections to the default tunnel group continue to work correctly
without the "--tunnel-group" flag.

Change-Id: Ie53bbe8dd1c16a72ae2265d4879e5435fb23d73e
Reviewed-on: https://gerrit.chromium.org/gerrit/46153
Commit-Queue: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
19 months ago ipsec-manager: Unify configuration file writing 41/45741/5
Paul Stewart [Thu, 14 Mar 2013 15:49:35 +0000 (08:49 -0700)]
ipsec-manager: Unify configuration file writing

Unify the process of writing out configuration files, and
switch to a new output directory in /var/run instead of
using the chronos home directory.

BUG=chromium-os:36959,chromium-os:39676
TEST=Connected to StrongSwan 4.x using both PSK and certificate
authentication.

Change-Id: I9a6ff0d7b61ec7fefe829983946bd35b3af25369
Reviewed-on: https://gerrit.chromium.org/gerrit/45741
Commit-Queue: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
19 months ago ipsec_manager: Be more careful when shutting down 34/45334/9
Paul Stewart [Wed, 13 Mar 2013 19:31:25 +0000 (12:31 -0700)]
ipsec_manager: Be more careful when shutting down

The ipsec manager was sloppy about killing the child starter and
charon processes, in the sense that killing one may perturb the
state (notably the pid file) of the other in ways which make it
difficult to find and kill both processes.  To fix this, create
a "Daemon" object which can hold the pid-file and process state
simultaneously so we can garner state about the running processes
in one pass, and kill them in a separate pass.  This also cleans
up some questionable code, like re-using the starter Process
instance for killing both starter and charon processes during
startup.  It also fixes references to base::FilePath in the
various files in this project where it is used, and uses a
ScopedTempDir for temporary files used in unit tests.

BUG=chromium-os:36959
TEST=Unit tests, manual: start and stop an l2tpipsec connection
repeatedly using connect-vpn / disconnect-service, and ensure that
no PID files or processes are left over for charon or starter.

Change-Id: I59c2cdabb9b99fc9fc54cb25bab029f8573b8c26
Reviewed-on: https://gerrit.chromium.org/gerrit/45334
Commit-Queue: Paul Stewart <pstew@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
19 months ago vpn-manager: Support strongSwan 5.0.2 87/44987/8
Paul Stewart [Wed, 20 Feb 2013 16:35:32 +0000 (08:35 -0800)]
vpn-manager: Support strongSwan 5.0.2

Update vpn-manager for writing out config files for StrongSwan 5.0.2.
This new StrongSwan now provides both IKEv1 and IKEv2 support through
the "charon" daemon.  Small changes to the configuration file format
needed to be made.  While here fix some questionable reuse of the
|starter_| Process instance in IpsecManager::KillRunningDaemon.  This
appears to make the shutdown of the starter and charon processes much
more reliable.

CQ-DEPEND=CL:44988
BUG=chromium-os:36959
TEST=Connected to StrongSwan 4.x using both PSK and certificate
authentication.  Connected to Cisco 5505 using PSK authentication.
Connected to Windows RRAS using PSK authentication.

Change-Id: I8620bb591622b2e87e2ce5265a76f879cb7322e0
Reviewed-on: https://gerrit.chromium.org/gerrit/44987
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Queue: Paul Stewart <pstew@chromium.org>
Tested-by: Paul Stewart <pstew@chromium.org>
19 months ago vpn_manager: Calculate gmock/gtest library dependencies programmatically 22/46422/3 release-R27-3912.B stabilize-3912.79.B toolchainA
Gaurav Shah [Sun, 24 Mar 2013 22:54:53 +0000 (15:54 -0700)]
vpn_manager: Calculate gmock/gtest library dependencies programmatically

(gmock/gtest doesn't generate pkg-config metadata, calculating lib
 dependencies this way makes it easier to upgrade gmock/gtest packages.)

BUG=chromium:211445
TEST=build tests for package using gtest 1.6

Change-Id: I1f8cd7a5b9a6f5bcc462ad745667c886fcd6be4c
Reviewed-on: https://gerrit.chromium.org/gerrit/46422
Reviewed-by: Darin Petkov <petkov@chromium.org>
Commit-Queue: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
19 months ago vpn-manager: Wrap the code in a vpn_manager namespace. 11/45311/4 factory-spring-3842.B stabilize-3881.0.B
Darin Petkov [Wed, 13 Mar 2013 13:42:14 +0000 (14:42 +0100)]
vpn-manager: Wrap the code in a vpn_manager namespace.

This is done so that service_error.h can be included cleanly by shill
to translate vpn-manager exit codes to UI failure reasons. Also, it
follows code style now.

BUG=chromium-os:32877
TEST=build and ran vpn-manager unit tests

Change-Id: I4a123326487f9fe8e194c360f91589a755ca3a70
Reviewed-on: https://gerrit.chromium.org/gerrit/45311
Tested-by: Darin Petkov <petkov@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Commit-Queue: Darin Petkov <petkov@chromium.org>

20 months ago vpn-manager: Update to build against libchrome-180609 16/43316/3 firmware-spring-3824.4.B firmware-spring-3824.55.B firmware-spring-3824.84.B firmware-spring-3824.B firmware-spring-3833.B
Chris Masone [Thu, 14 Feb 2013 22:08:57 +0000 (14:08 -0800)]
vpn-manager: Update to build against libchrome-180609

Updated to cope with moved scoped_temp_dir.h and eintr_wrapper.h,
and also the moving of ScopedTempDir into the base namespace.

CQ-DEPEND=Ib7a2e85819b2bf48ff82b1536dbaf78e6bc95a45

BUG=chromium-os:38951
TEST=FEATURES=test emerge-amd64-generic vpn-manager
STATUS=Fixed

Change-Id: Icab308db90fc2438c55428a536ab0ffd3ed5d4bf
Reviewed-on: https://gerrit.chromium.org/gerrit/43316
Reviewed-by: Chris Masone <cmasone@chromium.org>
Tested-by: Chris Masone <cmasone@chromium.org>
Commit-Queue: Chris Masone <cmasone@chromium.org>

20 months ago vpn-manager: Updating common.mk to ToT to enable profiling 83/42783/3 release-R26-3701.B stabilize-3701.30.0 stabilize-3701.30.0b stabilize-3701.46.B stabilize-3701.81.B stabilize-bluetooth-smart toolchain-3701.42.B
Ryan Harrison [Wed, 6 Feb 2013 21:38:58 +0000 (16:38 -0500)]
vpn-manager: Updating common.mk to ToT to enable profiling

This update replaces the current common.mk used in this project with the newest
version. This will allow all of the common.mk based projects to be on the same
version for debugging and enables profiling support.

BUG=chromium-os:37854
TEST=Executed the following commands to confirm the build works:
     MODE=profiling cros_workon_make --board=link
     MODE=profiling cros_workon_make --board=link --test
     cros_workon_make --board=link
     cros_workon_make --board=link --test
     Repeated these with emerge-link, USE=profiling, and
     FEATURES=test as needed.
     For the emerge command with profiling and testing enabled, confirmed the
     appropriate coverage files were created in /usr/share/profiling/...

Change-Id: Iadfd956d42600209a4bc651cdda2409cd66c4264
Reviewed-on: https://gerrit.chromium.org/gerrit/42783
Tested-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>

2 years ago vpn-manager: Use a different temporary directory for each unit test. factory-2914.B factory-2985.B factory-2993.B factory-3004.B factory-3536.B release-R23-2913.B release-R25-3428.B stabilize stabilize-3428.110.0 stabilize-3428.149 stabilize-3428.149.B stabilize-3428.193 stabilize-3658.0.0 stabilize-daisy stabilize-link stabilize-link-2913.278 stabilize2 toolchain-3428.65.B
Ben Chan [Tue, 11 Sep 2012 06:59:42 +0000 (23:59 -0700)]
vpn-manager: Use a different temporary directory for each unit test.

The CL modifies each unit test to use a different temporary directory to
prevent race conditions when unit tests run concurrently.

BUG=chromium-os:33867
TEST=cros_run_unit_tests -p vpn-manager

Change-Id: I5b0b66b4795d14422ea4861411cd8f220103614e
Reviewed-on: https://gerrit.chromium.org/gerrit/32904
Commit-Ready: Ben Chan <benchan@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Darin Petkov <petkov@chromium.org>
2 years ago convert to common.mk factory-2846.B factory-2848.B firmware-butterfly-2788.B firmware-stout-2817.B
Mike Frysinger [Tue, 14 Aug 2012 18:54:31 +0000 (14:54 -0400)]
convert to common.mk

Use the common.mk build system so that we get things like out-of-tree
and incremental building.

BUG=chromium-os:33327
TEST=`cros_run_unit_tests --board x86-alex -p vpn-manager` worked

Change-Id: Ia32b622c675c4a52e4905e1403400b0488e84e19
Reviewed-on: https://gerrit.chromium.org/gerrit/30269
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
2 years ago fix out-of-tree tests
Mike Frysinger [Tue, 14 Aug 2012 19:07:40 +0000 (15:07 -0400)]
fix out-of-tree tests

The current tests assume they are run in the source tree, but when we
try to build out-of-tree, they all fail.  Look up the source tree via
the $SRC env var which common.mk exports for us.

BUG=chromium-os:33327
TEST=`cros_run_unit_tests --board x86-alex -p vpn-manager` passes

Change-Id: I1d9c3b2db5949cecde72668bd9add6c29ab071b8
Reviewed-on: https://gerrit.chromium.org/gerrit/30270
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
2 years ago vpn-manager: Create /mnt/stateful_partition/etc if it does not exist. factory-2268.16.B factory-2305.B factory-2338.B factory-2368.B factory-2394.B factory-2460.B factory-2475.B factory-2569.B factory-2717.B factory-2723.14.B firmware-link-2348.B firmware-link-2695.2.B firmware-link-2695.B firmware-parrot-2685.B firmware-snow-2695.90.B firmware-snow-2695.B release-R20-2268.B release-R21-2465.B release-R22-2723.B
Ben Chan [Sat, 14 Apr 2012 00:48:57 +0000 (17:48 -0700)]
vpn-manager: Create /mnt/stateful_partition/etc if it does not exist.

IpsecManager originally assumed that /mnt/stateful_partition/etc already
exists when it tries to create files such as ipsec.conf in that
directory. That is no longer true. To avoid making such an assumption,
this CL changes IpsecManager to create /mnt/stateful_partition/etc if it
does not exist.

BUG=chromium-os:29485
TEST=Tested the following:
1. Build vpn-manager for {x86,amd64,arm}-generic.
2. Run vpn-manager unit tests.
3. Manually remove /mnt/stateful_partition/etc on a Cr48 and verify that
   l2tpipsec_vpn creates that directory when starting a VPN connection.

Change-Id: Ie01ba321f0dee97e0aac102aa7546227213bf292
Reviewed-on: https://gerrit.chromium.org/gerrit/20292
Reviewed-by: Paul Stewart <pstew@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Ben Chan <benchan@chromium.org>

2 years ago add an OWNERS file
Mike Frysinger [Wed, 11 Apr 2012 15:51:13 +0000 (11:51 -0400)]
add an OWNERS file

BUG=None
TEST=`cat OWNERS` looks legit

Change-Id: I9e6cc5a4b62c40b139bae9ddca82b4c74ed7bd48
Reviewed-on: https://gerrit.chromium.org/gerrit/19987
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
2 years ago update to newer libbase
Mike Frysinger [Wed, 11 Apr 2012 15:49:43 +0000 (11:49 -0400)]
update to newer libbase

BUG=chromium-os:25872
TEST=`emerge-x86-alex vpn-manager` works
TEST=`cros_run_unit_tests --board=x86-alex -p vpn-manager` passed

Change-Id: I57cdb99c3b7541d3acc1b2ae66c8e72320914057
Reviewed-on: https://gerrit.chromium.org/gerrit/19988
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
2 years ago Use LIBDIR to determine the PKCS11 module path in Makefile. factory-1987.B release-R19-2046.B
Ben Chan [Wed, 14 Mar 2012 00:54:59 +0000 (17:54 -0700)]
Use LIBDIR to determine the PKCS11 module path in Makefile.

This CL changes the Makefile to use LIBDIR to determine where the PKCS11
module is installed (/usr/lib or /usr/lib64) such that ipsec can locate
libchaps.so.

BUG=chromium-os:27750
TEST=Tested the following:
1. emerge-{x86,amd64}-generic -v vpn-manager
2. FEATURES="test" emerge-{x86,amd64}-generic -v vpn-manager
3. Manually test L2TP/IPsec VPN connections.

Change-Id: Iae911e5cae8ae169f87ededa3b7d8fc7b1d6c901
Reviewed-on: https://gerrit.chromium.org/gerrit/18070
Tested-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Ben Chan <benchan@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
2 years ago convert to SLOT-ed libbase
Mike Frysinger [Fri, 9 Mar 2012 16:08:45 +0000 (11:08 -0500)]
convert to SLOT-ed libbase

BUG=chromium-os:16623
TEST=`emerge-x86-alex vpn-manager` still works
TEST=`cros_run_unit_tests --board x86-alex -p vpn-manager` passed

Change-Id: I0cf8b78008defff45d95ec6db786ea98625685da
Reviewed-on: https://gerrit.chromium.org/gerrit/17968
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
2 years ago vpn-manager: fix up pkg-config handling
Mike Frysinger [Thu, 16 Feb 2012 17:18:29 +0000 (12:18 -0500)]
vpn-manager: fix up pkg-config handling

Since libchrome provides a .pc file now, use that rather than hardcoding
the -lbase.  This lets us drop all the other hardcoded libs too that we
were adding for libbase.

Further, run pkg-config just once per cflags/libs rather than on every
compile line.

BUG=chromium-os:16623
TEST=`emerge-x86-alex vpn-manager` still works

Change-Id: Icba157fba53866a969811f5d3e5f792b2f6f6bf3
Reviewed-on: https://gerrit.chromium.org/gerrit/16036
Reviewed-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
2 years ago vpn-manager: Switch to use the 'ignorepeeridcheck' option.
Ben Chan [Thu, 26 Jan 2012 06:31:43 +0000 (22:31 -0800)]
vpn-manager: Switch to use the 'ignorepeeridcheck' option.

The Chromium OS version of strongswan is patched to allow pluto to
ignore any peer ID mismatch by specifying 'ignorepeeridcheck=yes' in
the 'config setup' section of ipsec.conf, such that the server may use an
IP address or fully qualified domain name as its ID.

This CL changes IpsecManager to use the 'ignorepeeridcheck' option when
no server ID is specified instead of the special value '%usepeercert'.

BUG=chromium-os:24476
TEST=Tested the following:
1. Build vpn-manager and run unit tests.
2. Test connecting to a L2TP/IPsec VPN server using a pre-shared key or
   user certificate.
3. Run network_VPN autotest tests.

Change-Id: I54666a62197f4ca6b9bdfa84e95aad00ea51b68b
Reviewed-on: https://gerrit.chromium.org/gerrit/15009
Reviewed-by: Sam Leffler <sleffler@chromium.org>
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Ben Chan <benchan@chromium.org>

2 years ago [vpn-manager] use libchromeos.pc release-R18-1660.B
Elly Jones [Wed, 11 Jan 2012 22:52:27 +0000 (17:52 -0500)]
[vpn-manager] use libchromeos.pc

BUG=chromium-os:24959
TEST=build

Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14022
Reviewed-by: Mike Frysinger <vapier@chromium.org>
(cherry picked from commit 8658b6b585edc6596c872ce4f6c812ce09dcd61a)

Change-Id: Id5fba40180d2ab35aa34e06ebda4a6ff8659026f
Reviewed-on: https://gerrit.chromium.org/gerrit/14519
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Elly Jones <ellyjones@chromium.org>
Tested-by: Elly Jones <ellyjones@chromium.org>
2 years ago vpn-manager: Make rekey default to yes in ipsec.conf
Ben Chan [Fri, 13 Jan 2012 21:01:57 +0000 (13:01 -0800)]
vpn-manager: Make rekey default to yes in ipsec.conf

This CL changes the rekey option in IpsecManager to default to true such
that the pluto daemon on the client side (Chromium OS) can request a
renegotiation of the connection when it is about to expire. According to
the ipsec.conf man page, setting rekey=no is largely ineffective unless
both ends of the connection agree on it.

BUG=chromium-os:25070
TEST=Verified the following:
1. Connect successfully to Windows 2008 RRAS server, Cisco ASA 5505
   and StrongSWAN VPN server with a L2TP/IPsec pre-shared key or user
   certificate.
2. Check that pluto requests a renegotiation of the connection when the
   connection is about to expire, and the connection remains established
   after that.
3. Run network_VPN autotest test suite.

Change-Id: Ic9c25df0ff3fd3329e0ec3bccea4eade51a1aa54
Reviewed-on: https://gerrit.chromium.org/gerrit/14197
Reviewed-by: Sam Leffler <sleffler@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
Commit-Ready: Ben Chan <benchan@chromium.org>

2 years ago Revert "[vpn-manager] use libchromeos.pc"
Scott James Remnant [Fri, 13 Jan 2012 01:58:48 +0000 (17:58 -0800)]
Revert "[vpn-manager] use libchromeos.pc"

This reverts commit 8b4bfc7760c7b2b6aa3bf9db68e51f9d81ddbea6

Change-Id: I7cf6b1d4f349b598951083fbbb05f146aa2cf14f
Reviewed-on: https://gerrit.chromium.org/gerrit/14116
Reviewed-by: Scott James Remnant <keybuk@chromium.org>
Tested-by: Scott James Remnant <keybuk@chromium.org>
2 years ago [vpn-manager] use libchromeos.pc
Elly Jones [Wed, 11 Jan 2012 22:52:27 +0000 (17:52 -0500)]
[vpn-manager] use libchromeos.pc

BUG=chromium-os:24959
TEST=build

Change-Id: I48411e75322cf28f7b7211ed561118eeb1bc75c2
Signed-off-by: Elly Jones <ellyjones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/14022
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2 years ago Changed PKCS #11 module from libopencryptoki.so to libchaps.so. factory-1412.B release-R17-1412.B
Darren Krahn [Tue, 8 Nov 2011 18:19:53 +0000 (10:19 -0800)]
Changed PKCS #11 module from libopencryptoki.so to libchaps.so.

BUG=chromium-os:21005
TEST=Manual test: l2tpipsec vpn with certs.

Change-Id: Ieebd197aebc422dba45500974d1ee63fc471578d
Reviewed-on: https://gerrit.chromium.org/gerrit/11432
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Commit-Ready: Darren Krahn <dkrahn@chromium.org>
Tested-by: Darren Krahn <dkrahn@chromium.org>
2 years ago vpn-manager: Not to refuse PAP authentication by default. factory-1284.B firmware-kiev-2.112.B firmware-uboot_v2-1299.B
Ben Chan [Tue, 1 Nov 2011 23:33:12 +0000 (16:33 -0700)]
vpn-manager: Not to refuse PAP authentication by default.

This CL changes the default value of the refuse_pap flag from true to
false in L2tpManager, which makes xl2tpd not refuse PAP
authentication by default.

BUG=chromium-os:22386
TEST=Verified the following:
1. Connected successfully to Check Point VPN server (with a patched
   version of xl2tpd to remove some AVPs in L2TP control packets).
2. Connected successfully to Windows 2008 RRAS server, Cisco ASA 5505
   and StrongSWAN VPN server with L2TP/IPsec pre-shared key to make sure
   the existing VPN support still works fine.
3. Ran network_VPN autotest test suite.

Change-Id: I8626fa376977804339d44bf398a321b25b81836e
Reviewed-on: https://gerrit.chromium.org/gerrit/11018
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
3 years ago Change log pattern for detecting IPsec authentication failures. factory-1235.B
Ben Chan [Sat, 1 Oct 2011 00:58:32 +0000 (17:58 -0700)]
Change log pattern for detecting IPsec authentication failures.

The previously used log pattern for detecting IPsec authentication
failures did not work when connecting to a Windows 2008 RRAS server or
Cisco ASA 5505. This CL changes the log pattern to better handle these
cases.

BUG=chromium-os:18573
TEST=Tested connecting to Windows 2008 RRAS server, Cisco ASA 5505 and
StrongSWAN VPN server with invalid pre-shared key and certificate, and
verified that the UI shows the expected error messages.

Change-Id: I20fbaeecaea59f556321d2e799e1de213a8eb947
Reviewed-on: http://gerrit.chromium.org/gerrit/8609
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
3 years ago Improve L2TP/IPsec VPN error reporting.
Ben Chan [Fri, 16 Sep 2011 18:26:45 +0000 (11:26 -0700)]
Improve L2TP/IPsec VPN error reporting.

This CL modifies l2tpipsec_vpn to extract error information from
low-level daemons (ipsec, xl2tpd, pppd) and return different exit codes
based on the type of error.

BUG=chromium-os:18573
TEST=Examined the exit code of l2tpipsec_vpn for different types of error.

Change-Id: I5c58fb0b003fa52e934f2a33ab5cd2126f41b2be
Reviewed-on: http://gerrit.chromium.org/gerrit/7897
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ben Chan <benchan@chromium.org>
3 years ago vpn-manager: add option to disable pppd system configuration
Ken Mixter [Tue, 13 Sep 2011 00:02:26 +0000 (17:02 -0700)]
vpn-manager: add option to disable pppd system configuration

BUG=chromium-os:17185
TEST=automated tests

Change-Id: I54139efead439ed09ce3675f31f94f62bdea3146
Reviewed-on: http://gerrit.chromium.org/gerrit/7752
Reviewed-by: Ben Chan <benchan@chromium.org>
Tested-by: Ken Mixter <kmixter@chromium.org>
3 years ago vpn-manager: also enable l2tp layer debugging with --debug
Ken Mixter [Fri, 26 Aug 2011 20:54:57 +0000 (13:54 -0700)]
vpn-manager: also enable l2tp layer debugging with --debug

BUG=none
TEST=manual

Change-Id: I07fe247f991ca3520770017854bf39b197ef9241
Reviewed-on: http://gerrit.chromium.org/gerrit/6782
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
3 years ago vpn-manager: Kill pluto daemon if running when bring up ipsec factory-1020.B
Ken Mixter [Thu, 8 Sep 2011 01:16:20 +0000 (18:16 -0700)]
vpn-manager: Kill pluto daemon if running when bring up ipsec

I have encountered during testing that ipsec does not come up because
pluto is running from an earlier instance but starter is not.

Change-Id: I95cc2eb4605336e4d0bf92f8dea7cdf8c77870ad

BUG=none
TEST=Run with pluto

Change-Id: Ic779bdd5b05b4b129e5890b05d4d13a7e94a2aeb
Reviewed-on: http://gerrit.chromium.org/gerrit/7387
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: James Simonsen <simonjam@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
3 years ago vpn-manager: Add more inner SA authentication proposals (md5) factory-980.B release-1011.B test-982.B
Ken Mixter [Thu, 11 Aug 2011 21:29:38 +0000 (14:29 -0700)]
vpn-manager: Add more inner SA authentication proposals (md5)

BUG=chromium-os:17185
TEST=Test connectivity to concentrator

Without this, we require SHA which is different from the defaults
for some VPN concentrators.

Change-Id: Idc18c108e539b5562860a460edd396a7585bf5c9
Reviewed-on: http://gerrit.chromium.org/gerrit/6612
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Sam Leffler <sleffler@chromium.org>
3 years ago vpn-manager: fix unit test for when certs and psk are both given 0.15.877.B firmware-881-u-boot-v1 firmware-u-boot-v1
Ken Mixter [Sat, 30 Jul 2011 00:31:02 +0000 (17:31 -0700)]
vpn-manager: fix unit test for when certs and psk are both given

BUG=chromium-os:18420
TEST=run unit tests

Change-Id: Ib4de399322e99449faf7f714509c16a5c080f4c5
Reviewed-on: http://gerrit.chromium.org/gerrit/5040
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Ken Mixter <kmixter@chromium.org>
3 years ago vpn-manager: Chrome started passing the pin in PSK mode. Ignore it.
Ken Mixter [Fri, 29 Jul 2011 17:33:51 +0000 (10:33 -0700)]
vpn-manager: Chrome started passing the pin in PSK mode.  Ignore it.

BUG=chromium-os:18420
TEST=connect with psk to RRAS server and local server.
Note no warnings about configuration.

Change-Id: I37a255c719a7aecbfc208223aceab561d056007c
Reviewed-on: http://gerrit.chromium.org/gerrit/5007
Reviewed-by: Ken Mixter <kmixter@chromium.org>
Tested-by: Ken Mixter <kmixter@chromium.org>
3 years ago vpn-manager: Take --debug to emit IKE debug output
Ken Mixter [Sun, 24 Jul 2011 14:27:54 +0000 (07:27 -0700)]
vpn-manager: Take --debug to emit IKE debug output

Change-Id: I8c100cbab9cd550225d3c37caff6610222a413f2
Reviewed-on: http://gerrit.chromium.org/gerrit/4639
Reviewed-by: James Simonsen <simonjam@chromium.org>
Tested-by: Ken Mixter <kmixter@chromium.org>
3 years ago vpn-manager: Default to slot 0 if none is given
Ken Mixter [Tue, 19 Jul 2011 22:25:09 +0000 (15:25 -0700)]
vpn-manager: Default to slot 0 if none is given

BUG=chromium-os:17619
TEST=unit test, hand test with certificate VPN from UI (after working around missing PIN)

Change-Id: I1ec4957344a8b691b6fc7a73155bc2a5fbbf45b4
Reviewed-on: http://gerrit.chromium.org/gerrit/4336
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: James Simonsen <simonjam@chromium.org>
3 years ago vpn-manager: remove "tpm" from names, use "%usepeercert" to allow any server id 780.B
Ken Mixter [Wed, 8 Jun 2011 17:22:09 +0000 (10:22 -0700)]
vpn-manager: remove "tpm" from names, use "%usepeercert" to allow any server id

Since the slots and ids are pkcs#11 slots and IDs (that happen to use the PKCS#11 TPM token)
change the names to remove "tpm" from them.  Now that we've added the ability to connect
to any server with a proper CA signature in strongswan, pass %usepeercerts as rightid
whenever --server_id is not specified.

BUG=chromium-os:16279 chromium-os:16280
TEST=connect with certs from command line
connect with psk from command line

Change-Id: If03c69de8abb21c936ce55392d945530b728d8cd
Reviewed-on: http://gerrit.chromium.org/gerrit/2295
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: James Simonsen <simonjam@chromium.org>
3 years ago vpn-manager: Resolve remote server address and pass it down to ppp plugin 0.13.587.B
Ken Mixter [Mon, 23 May 2011 22:59:51 +0000 (15:59 -0700)]
vpn-manager: Resolve remote server address and pass it down to ppp plugin

Instead of passing around hostnames all over the place when starting all
the services, resolve the hostname early and use the IP address.  Also
send the IP address down through the PPP plugin so that flimflam can
use it to set up a specific vpn host route.

BUG=chromium-os:15369
TEST=VPN wifilab test & manual tests

Change-Id: If345c7ef30c17569a515a4605dc7749d3e6a101e
Reviewed-on: http://gerrit.chromium.org/gerrit/1410
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Darin Petkov <petkov@chromium.org>
3 years ago [vpn-manager] Roll forward to new libchrome 0.13.558.B
Chris Masone [Thu, 12 May 2011 21:43:41 +0000 (14:43 -0700)]
[vpn-manager] Roll forward to new libchrome

BUG=chromium-os:14304
TEST=build, unit tests

Change-Id: Ib9ee646be51b60410f03aca557f6b1a45edcbc14
Reviewed-on: http://gerrit.chromium.org/gerrit/824
Reviewed-by: Chris Masone <cmasone@chromium.org>
Tested-by: Chris Masone <cmasone@chromium.org>
3 years ago vpn-manager: Change names of parameters to be more exact (PKCS#11 vs TPM) 0.13.509.B
Ken Mixter [Sat, 7 May 2011 01:02:14 +0000 (18:02 -0700)]
vpn-manager: Change names of parameters to be more exact (PKCS#11 vs TPM)

BUG=chromium-os:12695
TEST=connect-vpn

Change-Id: I181762267cf89863d2095e9c794a958862180c86
Reviewed-on: http://gerrit.chromium.org/gerrit/485
Tested-by: Ken Mixter <kmixter@chromium.org>
Reviewed-by: Darin Petkov <petkov@chromium.org>
3 years ago Support IPsec with certificates. 10/310/2
James Simonsen [Wed, 4 May 2011 18:39:44 +0000 (11:39 -0700)]
Support IPsec with certificates.

BUG=12695
TEST=ipsec_manager_test and invoking l2tpipsec_vpn on system with custom
permissions.

Create a request:

pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 -l -k -d 07 -a vpn --key-type rsa:2048

Copy /etc/entd/openssl.conf and update it with the user PIN.

openssl req -config openssl.conf -engine pkcs11 -new -keyform engine -out ~/req.pem -subj "/CN=localhost" -key slot_0-id_07

(Sign the request on the VPN server.)

Install the new certificate:

openssl x509 -in tpm.pem -out tpm.der -outform DER

pkcs11-tool --module=/usr/lib/opencryptoki/libopencryptoki.so.0 -l -d 07 -a vpn -w ~/tpm.der -y cert

Set the permissions:

add pkcs11 to ipsec in /etc/group
chgrp pkcs11 /home/chronos/user
chmod 750 /home/chronos/user
chmod 750 /home/chronos/user/.tpm
cd /home/chronos/user/.tpm
chmod 640 NVTOK.DAT P*
cd TOK_OBJ
chmod 640 *
chgrp pkcs11 *
cd /var/lib/opencryptoki/tpm
ln -s /home/chronos/user/.tpm ipsec
chgrp pkcs11 ipsec

Change-Id: Idab3e80824562a97c16adc514211e267354b6f96

3 years ago vpn-manager: accept a hostname for remote host 0.12.362.B 0.12.369.B 0.12.392.B 0.12.433.B 0.12.433.B109 0.12.433.B62 0.13.434.B
Ken Mixter [Thu, 24 Mar 2011 22:48:42 +0000 (15:48 -0700)]
vpn-manager: accept a hostname for remote host

Change-Id: Iefe53207cf8df8bfbe32c3b69409348e23ac1bb2

BUG=chromium-os:13472
TEST=connect-vpn with remote host name instead of ip address

Review URL: http://codereview.chromium.org/6731015

3 years ago vpn-manager: Fix l2tp/ipsec connections to Windows RRAS server
Ken Mixter [Wed, 23 Mar 2011 00:49:48 +0000 (17:49 -0700)]
vpn-manager: Fix l2tp/ipsec connections to Windows RRAS server

Change-Id: I6322c0d4d8e7f21ed1abf24c645eb7e7cd41cc3f

BUG=none
TEST=Connect to windows vpn

Review URL: http://codereview.chromium.org/6713058

3 years ago vpn-manager: set up l2tp/ipsec gateway by default
Ken Mixter [Mon, 21 Mar 2011 19:52:19 +0000 (12:52 -0700)]
vpn-manager: set up l2tp/ipsec gateway by default

Change-Id: I7786ab0d1bdcfc4bf23f7257db216cd8e33d947f

R=petkov@chromium.org,simonjam@chromium.org
BUG=none
TEST=connect-vpn l2tpisec

Review URL: http://codereview.chromium.org/6712013

3 years ago vpn-manager: Add l2tp/ipsec vpn manager
Ken Mixter [Fri, 11 Mar 2011 20:56:50 +0000 (12:56 -0800)]
vpn-manager: Add l2tp/ipsec vpn manager

Change-Id: I3d0e36bc8595b9038782364368ff2e7d77b39472

Related to flimflam review:
http://codereview.chromium.org/6513009/

BUG=chromium-os:11814
TEST=unit tests / run connect-vpn script with l2tpipsec type

Review URL: http://codereview.chromium.org/6508016

3 years ago Repo init.
Nelson Araujo [Thu, 6 Jan 2011 22:21:57 +0000 (14:21 -0800)]
Repo init.