/
cstp.c
999 lines (872 loc) · 27.8 KB
1
/*
2
* OpenConnect (SSL + DTLS) VPN client
3
*
4
* Copyright © 2008-2012 Intel Corporation.
5
* Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
6
*
7
8
9
* Author: David Woodhouse <dwmw2@infradead.org>
*
* This program is free software; you can redistribute it and/or
10
* modify it under the terms of the GNU Lesser General Public License
11
* version 2.1, as published by the Free Software Foundation.
12
*
13
* This program is distributed in the hope that it will be useful, but
14
15
16
17
18
19
20
21
22
23
24
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to:
*
* Free Software Foundation, Inc.
* 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA
*/
25
26
27
28
29
#include <netdb.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
30
#include <string.h>
31
#include <ctype.h>
32
33
34
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
35
36
#include <sys/types.h>
#include <sys/socket.h>
37
38
#include <netinet/in.h>
#include <netinet/tcp.h>
39
#include <stdarg.h>
40
41
#include "openconnect-internal.h"
42
43
44
/*
* Data packets are encapsulated in the SSL stream as follows:
45
*
46
47
* 0000: Magic "STF\x1"
* 0004: Big-endian 16-bit length (not including 8-byte header)
48
* 0006: Byte packet type (see openconnect-internal.h)
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
* 0008: data payload
*/
static char data_hdr[8] = {
'S', 'T', 'F', 1,
0, 0, /* Length */
AC_PKT_DATA, /* Type */
0 /* Unknown */
};
static struct pkt keepalive_pkt = {
.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_KEEPALIVE, 0 },
};
static struct pkt dpd_pkt = {
.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_DPD_OUT, 0 },
};
static struct pkt dpd_resp_pkt = {
.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_DPD_RESP, 0 },
};
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
static int __attribute__ ((format (printf, 3, 4)))
buf_append(char *buf, int len, const char *fmt, ...)
{
int start = strlen(buf);
int ret;
va_list args;
if (start >= len)
return 0;
va_start(args, fmt);
ret = vsnprintf(buf + start, len - start, fmt, args);
va_end(args);
if (ret > len)
ret = len;
return ret;
}
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
/* Calculate MTU to request. Old servers simply use the X-CSTP-MTU: header,
* which represents the tunnel MTU, while new servers do calculations on the
* X-CSTP-Base-MTU: header which represents the cleartext MTU between client
* and server.
*
* If possible, the legacy MTU value should be the TCP MSS less 5 bytes of
* TLS and 8 bytes of CSTP overhead. We can get the MSS from either the
* TCP_INFO or TCP_MAXSEG sockopts.
*
* The base MTU comes from the TCP_INFO sockopt under Linux, but I don't know
* how to work it out on other systems. So leave it blank and do things the
* legacy way there. Contributions welcome...
*
* If we don't even have TCP_MAXSEG, then default to sending a legacy MTU of
* 1406 which is what we always used to do.
*/
static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *mtu)
{
109
*mtu = vpninfo->reqmtu;
110
111
*base_mtu = vpninfo->basemtu;
112
#if defined(__linux__) && defined(TCP_INFO)
113
114
115
116
if (!*mtu || !*base_mtu) {
struct tcp_info ti;
socklen_t ti_size = sizeof(ti);
117
if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_INFO,
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
&ti, &ti_size)) {
vpn_progress(vpninfo, PRG_TRACE,
_("TCP_INFO rcv mss %d, snd mss %d, adv mss %d, pmtu %d\n"),
ti.tcpi_rcv_mss, ti.tcpi_snd_mss, ti.tcpi_advmss, ti.tcpi_pmtu);
if (!*base_mtu) *base_mtu = ti.tcpi_pmtu;
if (!*mtu) {
if (ti.tcpi_rcv_mss < ti.tcpi_snd_mss)
*mtu = ti.tcpi_rcv_mss - 13;
else
*mtu = ti.tcpi_snd_mss - 13;
}
}
}
#endif
#ifdef TCP_MAXSEG
if (!*mtu) {
int mss;
socklen_t mss_size = sizeof(mss);
136
if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_MAXSEG,
137
138
139
140
141
142
143
144
145
146
&mss, &mss_size)) {
vpn_progress(vpninfo, PRG_TRACE, _("TCP_MAXSEG %d\n"), mss);
*mtu = mss - 13;
}
}
#endif
if (!*mtu) {
/* Default */
*mtu = 1406;
}
147
148
if (*mtu < 1280)
*mtu = 1280;
149
150
}
151
static int start_cstp_connection(struct openconnect_info *vpninfo)
152
153
154
{
char buf[65536];
int i;
155
int retried = 0, sessid_found = 0;
156
157
158
159
160
161
struct vpn_option **next_dtls_option = &vpninfo->dtls_options;
struct vpn_option **next_cstp_option = &vpninfo->cstp_options;
struct vpn_option *old_cstp_opts = vpninfo->cstp_options;
struct vpn_option *old_dtls_opts = vpninfo->dtls_options;
const char *old_addr = vpninfo->vpn_addr;
const char *old_netmask = vpninfo->vpn_netmask;
162
163
const char *old_addr6 = vpninfo->vpn_addr6;
const char *old_netmask6 = vpninfo->vpn_netmask6;
164
struct split_include *inc;
165
int base_mtu, mtu;
166
167
168
/* Clear old options which will be overwritten */
vpninfo->vpn_addr = vpninfo->vpn_netmask = NULL;
169
vpninfo->vpn_addr6 = vpninfo->vpn_netmask6 = NULL;
170
vpninfo->cstp_options = vpninfo->dtls_options = NULL;
171
vpninfo->vpn_domain = vpninfo->vpn_proxy_pac = NULL;
172
vpninfo->banner = NULL;
173
174
for (i = 0; i < 3; i++)
175
176
vpninfo->vpn_dns[i] = vpninfo->vpn_nbns[i] = NULL;
177
for (inc = vpninfo->split_includes; inc; ) {
178
179
180
181
struct split_include *next = inc->next;
free(inc);
inc = next;
}
182
for (inc = vpninfo->split_excludes; inc; ) {
183
184
185
186
struct split_include *next = inc->next;
free(inc);
inc = next;
}
187
188
189
190
191
192
for (inc = vpninfo->split_dns; inc; ) {
struct split_include *next = inc->next;
free(inc);
inc = next;
}
vpninfo->split_dns = vpninfo->split_includes = vpninfo->split_excludes = NULL;
193
194
195
196
/* Create (new) random master key for DTLS connection, if needed */
if (vpninfo->dtls_times.last_rekey + vpninfo->dtls_times.rekey <
time(NULL) + 300 &&
197
openconnect_random(vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret))) {
198
fprintf(stderr, _("Failed to initialise DTLS secret\n"));
199
200
201
exit(1);
}
202
retry:
203
204
calculate_mtu(vpninfo, &base_mtu, &mtu);
205
206
207
208
209
210
211
212
213
buf[0] = 0;
buf_append(buf, sizeof(buf), "CONNECT /CSCOSSLC/tunnel HTTP/1.1\r\n");
buf_append(buf, sizeof(buf), "Host: %s\r\n", vpninfo->hostname);
buf_append(buf, sizeof(buf), "User-Agent: %s\r\n", vpninfo->useragent);
buf_append(buf, sizeof(buf), "Cookie: webvpn=%s\r\n", vpninfo->cookie);
buf_append(buf, sizeof(buf), "X-CSTP-Version: 1\r\n");
buf_append(buf, sizeof(buf), "X-CSTP-Hostname: %s\r\n", vpninfo->localname);
if (vpninfo->deflate && i < sizeof(buf))
buf_append(buf, sizeof(buf), "X-CSTP-Accept-Encoding: deflate;q=1.0\r\n");
214
215
216
if (base_mtu)
buf_append(buf, sizeof(buf), "X-CSTP-Base-MTU: %d\r\n", base_mtu);
buf_append(buf, sizeof(buf), "X-CSTP-MTU: %d\r\n", mtu);
217
buf_append(buf, sizeof(buf), "X-CSTP-Address-Type: %s\r\n",
218
vpninfo->disable_ipv6 ? "IPv4" : "IPv6,IPv4");
219
buf_append(buf, sizeof(buf), "X-DTLS-Master-Secret: ");
220
for (i = 0; i < sizeof(vpninfo->dtls_secret); i++)
221
222
buf_append(buf, sizeof(buf), "%02X", vpninfo->dtls_secret[i]);
buf_append(buf, sizeof(buf), "\r\nX-DTLS-CipherSuite: %s\r\n\r\n",
223
vpninfo->dtls_ciphers ? : "AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
224
225
226
openconnect_SSL_write(vpninfo, buf, strlen(buf));
227
228
229
if ((i = openconnect_SSL_gets(vpninfo, buf, 65536) < 0)) {
if (i == -EINTR)
return i;
230
231
vpn_progress(vpninfo, PRG_ERR,
_("Error fetching HTTPS response\n"));
232
233
if (!retried) {
retried = 1;
234
openconnect_close_https(vpninfo, 0);
235
236
if (openconnect_open_https(vpninfo)) {
237
vpn_progress(vpninfo, PRG_ERR,
238
239
_("Failed to open HTTPS connection to %s\n"),
vpninfo->hostname);
240
241
242
243
244
245
246
247
exit(1);
}
goto retry;
}
return -EINVAL;
}
if (strncmp(buf, "HTTP/1.1 200 ", 13)) {
248
249
if (!strncmp(buf, "HTTP/1.1 503 ", 13)) {
/* "Service Unavailable. Why? */
250
const char *reason = "<unknown>";
251
while ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf)))) {
252
253
254
255
256
if (!strncmp(buf, "X-Reason: ", 10)) {
reason = buf + 10;
break;
}
}
257
258
259
vpn_progress(vpninfo, PRG_ERR,
_("VPN service unavailable; reason: %s\n"),
reason);
260
261
return -EINVAL;
}
262
vpn_progress(vpninfo, PRG_ERR,
263
264
_("Got inappropriate HTTP CONNECT response: %s\n"),
buf);
265
266
267
268
269
if (!strncmp(buf, "HTTP/1.1 401 ", 13))
exit(2);
return -EINVAL;
}
270
vpn_progress(vpninfo, PRG_INFO, _("Got CONNECT response: %s\n"), buf);
271
272
273
/* We may have advertised it, but we only do it if the server agrees */
vpninfo->deflate = 0;
274
mtu = 0;
275
276
while ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf)))) {
277
struct vpn_option *new_option;
278
279
280
281
282
283
char *colon;
if (i < 0)
return i;
colon = strchr(buf, ':');
284
285
286
287
288
289
290
291
292
293
294
295
296
297
if (!colon)
continue;
*colon = 0;
colon++;
if (*colon == ' ')
colon++;
if (strncmp(buf, "X-DTLS-", 7) &&
strncmp(buf, "X-CSTP-", 7))
continue;
new_option = malloc(sizeof(*new_option));
if (!new_option) {
298
vpn_progress(vpninfo, PRG_ERR, _("No memory for options\n"));
299
300
301
302
303
304
305
return -ENOMEM;
}
new_option->option = strdup(buf);
new_option->value = strdup(colon);
new_option->next = NULL;
if (!new_option->option || !new_option->value) {
306
vpn_progress(vpninfo, PRG_ERR, _("No memory for options\n"));
307
308
309
free(new_option->option);
free(new_option->value);
free(new_option);
310
311
312
return -ENOMEM;
}
313
314
315
316
317
/* This contains the whole document, including the webvpn cookie. */
if (!strcasecmp(buf, "X-CSTP-Post-Auth-XML"))
vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, _("<elided>"));
else
vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
318
319
320
321
if (!strncmp(buf, "X-DTLS-", 7)) {
*next_dtls_option = new_option;
next_dtls_option = &new_option->next;
322
323
if (!strcmp(buf + 7, "MTU")) {
324
325
326
int dtlsmtu = atol(colon);
if (dtlsmtu > mtu)
mtu = dtlsmtu;
327
} else if (!strcmp(buf + 7, "Session-ID")) {
328
if (strlen(colon) != 64) {
329
vpn_progress(vpninfo, PRG_ERR,
330
331
_("X-DTLS-Session-ID not 64 characters; is: \"%s\"\n"),
colon);
332
333
334
335
336
337
338
339
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
for (i = 0; i < 64; i += 2)
vpninfo->dtls_session_id[i/2] = unhex(colon + i);
sessid_found = 1;
time(&vpninfo->dtls_times.last_rekey);
}
340
341
342
343
344
345
346
347
348
349
continue;
}
/* CSTP options... */
*next_cstp_option = new_option;
next_cstp_option = &new_option->next;
if (!strcmp(buf + 7, "Keepalive")) {
vpninfo->ssl_times.keepalive = atol(colon);
} else if (!strcmp(buf + 7, "DPD")) {
350
351
352
int j = atol(colon);
if (j && (!vpninfo->ssl_times.dpd || j < vpninfo->ssl_times.dpd))
vpninfo->ssl_times.dpd = j;
353
354
} else if (!strcmp(buf + 7, "Rekey-Time")) {
vpninfo->ssl_times.rekey = atol(colon);
355
356
357
358
} else if (!strcmp(buf + 7, "Content-Encoding")) {
if (!strcmp(colon, "deflate"))
vpninfo->deflate = 1;
else {
359
vpn_progress(vpninfo, PRG_ERR,
360
361
_("Unknown CSTP-Content-Encoding %s\n"),
colon);
362
363
364
return -EINVAL;
}
} else if (!strcmp(buf + 7, "MTU")) {
365
366
367
int cstpmtu = atol(colon);
if (cstpmtu > mtu)
mtu = cstpmtu;
368
} else if (!strcmp(buf + 7, "Address")) {
369
370
371
372
if (strchr(new_option->value, ':')) {
if (!vpninfo->disable_ipv6)
vpninfo->vpn_addr6 = new_option->value;
} else
373
vpninfo->vpn_addr = new_option->value;
374
} else if (!strcmp(buf + 7, "Netmask")) {
375
376
377
378
if (strchr(new_option->value, ':')) {
if (!vpninfo->disable_ipv6)
vpninfo->vpn_netmask6 = new_option->value;
} else
379
vpninfo->vpn_netmask = new_option->value;
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
} else if (!strcmp(buf + 7, "DNS")) {
int j;
for (j = 0; j < 3; j++) {
if (!vpninfo->vpn_dns[j]) {
vpninfo->vpn_dns[j] = new_option->value;
break;
}
}
} else if (!strcmp(buf + 7, "NBNS")) {
int j;
for (j = 0; j < 3; j++) {
if (!vpninfo->vpn_nbns[j]) {
vpninfo->vpn_nbns[j] = new_option->value;
break;
}
}
} else if (!strcmp(buf + 7, "Default-Domain")) {
vpninfo->vpn_domain = new_option->value;
398
399
} else if (!strcmp(buf + 7, "MSIE-Proxy-PAC-URL")) {
vpninfo->vpn_proxy_pac = new_option->value;
400
401
} else if (!strcmp(buf + 7, "Banner")) {
vpninfo->banner = new_option->value;
402
403
404
405
406
407
408
} else if (!strcmp(buf + 7, "Split-DNS")) {
struct split_include *dns = malloc(sizeof(*dns));
if (!dns)
continue;
dns->route = new_option->value;
dns->next = vpninfo->split_dns;
vpninfo->split_dns = dns;
409
410
411
412
413
414
415
} else if (!strcmp(buf + 7, "Split-Include")) {
struct split_include *inc = malloc(sizeof(*inc));
if (!inc)
continue;
inc->route = new_option->value;
inc->next = vpninfo->split_includes;
vpninfo->split_includes = inc;
416
417
418
419
420
} else if (!strcmp(buf + 7, "Split-Exclude")) {
struct split_include *exc = malloc(sizeof(*exc));
if (!exc)
continue;
exc->route = new_option->value;
421
exc->next = vpninfo->split_excludes;
422
vpninfo->split_excludes = exc;
423
424
425
}
}
426
427
428
429
430
431
432
if (!mtu) {
vpn_progress(vpninfo, PRG_ERR,
_("No MTU received. Aborting\n"));
return -EINVAL;
}
vpninfo->actual_mtu = mtu;
433
if (!vpninfo->vpn_addr && !vpninfo->vpn_addr6) {
434
435
vpn_progress(vpninfo, PRG_ERR,
_("No IP address received. Aborting\n"));
436
437
438
439
return -EINVAL;
}
if (old_addr) {
if (strcmp(old_addr, vpninfo->vpn_addr)) {
440
441
442
vpn_progress(vpninfo, PRG_ERR,
_("Reconnect gave different Legacy IP address (%s != %s)\n"),
vpninfo->vpn_addr, old_addr);
443
444
445
446
447
return -EINVAL;
}
}
if (old_netmask) {
if (strcmp(old_netmask, vpninfo->vpn_netmask)) {
448
449
450
vpn_progress(vpninfo, PRG_ERR,
_("Reconnect gave different Legacy IP netmask (%s != %s)\n"),
vpninfo->vpn_netmask, old_netmask);
451
452
453
return -EINVAL;
}
}
454
455
if (old_addr6) {
if (strcmp(old_addr6, vpninfo->vpn_addr6)) {
456
457
458
vpn_progress(vpninfo, PRG_ERR,
_("Reconnect gave different IPv6 address (%s != %s)\n"),
vpninfo->vpn_addr6, old_addr6);
459
460
461
462
463
return -EINVAL;
}
}
if (old_netmask6) {
if (strcmp(old_netmask6, vpninfo->vpn_netmask6)) {
464
465
466
vpn_progress(vpninfo, PRG_ERR,
_("Reconnect gave different IPv6 netmask (%s != %s)\n"),
vpninfo->vpn_netmask6, old_netmask6);
467
468
469
return -EINVAL;
}
}
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
while (old_dtls_opts) {
struct vpn_option *tmp = old_dtls_opts;
old_dtls_opts = old_dtls_opts->next;
free(tmp->value);
free(tmp->option);
free(tmp);
}
while (old_cstp_opts) {
struct vpn_option *tmp = old_cstp_opts;
old_cstp_opts = old_cstp_opts->next;
free(tmp->value);
free(tmp->option);
free(tmp);
}
485
486
vpn_progress(vpninfo, PRG_INFO, _("CSTP connected. DPD %d, Keepalive %d\n"),
vpninfo->ssl_times.dpd, vpninfo->ssl_times.keepalive);
487
488
489
490
491
492
if (vpninfo->select_nfds <= vpninfo->ssl_fd)
vpninfo->select_nfds = vpninfo->ssl_fd + 1;
FD_SET(vpninfo->ssl_fd, &vpninfo->select_rfds);
FD_SET(vpninfo->ssl_fd, &vpninfo->select_efds);
493
494
495
496
497
498
if (!sessid_found)
vpninfo->dtls_attempt_period = 0;
vpninfo->ssl_times.last_rekey = vpninfo->ssl_times.last_rx =
vpninfo->ssl_times.last_tx = time(NULL);
499
500
501
502
return 0;
}
503
int make_cstp_connection(struct openconnect_info *vpninfo)
504
{
505
506
int ret;
507
508
ret = openconnect_open_https(vpninfo);
if (ret)
509
return ret;
510
511
512
513
514
515
516
517
if (vpninfo->deflate) {
vpninfo->deflate_adler32 = 1;
vpninfo->inflate_adler32 = 1;
if (inflateInit2(&vpninfo->inflate_strm, -12) ||
deflateInit2(&vpninfo->deflate_strm, Z_DEFAULT_COMPRESSION,
Z_DEFLATED, -12, 9, Z_DEFAULT_STRATEGY)) {
518
vpn_progress(vpninfo, PRG_ERR, _("Compression setup failed\n"));
519
520
521
522
523
524
vpninfo->deflate = 0;
}
if (!vpninfo->deflate_pkt) {
vpninfo->deflate_pkt = malloc(sizeof(struct pkt) + 2048);
if (!vpninfo->deflate_pkt) {
525
526
vpn_progress(vpninfo, PRG_ERR,
_("Allocation of deflate buffer failed\n"));
527
528
inflateEnd(&vpninfo->inflate_strm);
deflateEnd(&vpninfo->deflate_strm);
529
vpninfo->deflate = 0;
530
531
532
533
} else {
memset(vpninfo->deflate_pkt, 0, sizeof(struct pkt));
memcpy(vpninfo->deflate_pkt->hdr, data_hdr, 8);
vpninfo->deflate_pkt->hdr[6] = AC_PKT_COMPRESSED;
534
535
536
537
}
}
}
538
539
return start_cstp_connection(vpninfo);
}
540
541
int cstp_reconnect(struct openconnect_info *vpninfo)
542
{
543
544
545
int ret;
int timeout;
int interval;
546
547
openconnect_close_https(vpninfo, 0);
548
549
if (vpninfo->deflate) {
550
551
552
553
554
555
/* Requeue the original packet that was deflated */
if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt) {
vpninfo->current_ssl_pkt = NULL;
queue_packet(&vpninfo->outgoing_queue, vpninfo->pending_deflated_pkt);
vpninfo->pending_deflated_pkt = NULL;
}
556
557
558
inflateEnd(&vpninfo->inflate_strm);
deflateEnd(&vpninfo->deflate_strm);
}
559
560
timeout = vpninfo->reconnect_timeout;
interval = vpninfo->reconnect_interval;
561
562
while ((ret = make_cstp_connection(vpninfo))) {
563
if (timeout <= 0)
564
return ret;
565
vpn_progress(vpninfo, PRG_INFO,
566
567
_("sleep %ds, remaining timeout %ds\n"),
interval, timeout);
568
sleep(interval);
569
570
if (killed)
return 1;
571
572
573
574
timeout -= interval;
interval += vpninfo->reconnect_interval;
if (interval > RECONNECT_INTERVAL_MAX)
interval = RECONNECT_INTERVAL_MAX;
575
}
576
script_config_tun(vpninfo, "reconnect");
577
578
579
return 0;
}
580
581
static int inflate_and_queue_packet(struct openconnect_info *vpninfo,
unsigned char *buf, int len)
582
{
583
struct pkt *new = malloc(sizeof(struct pkt) + vpninfo->actual_mtu);
584
uint32_t pkt_sum;
585
586
587
588
589
590
591
592
593
594
if (!new)
return -ENOMEM;
new->next = NULL;
vpninfo->inflate_strm.next_in = buf;
vpninfo->inflate_strm.avail_in = len - 4;
vpninfo->inflate_strm.next_out = new->data;
595
vpninfo->inflate_strm.avail_out = vpninfo->actual_mtu;
596
597
598
vpninfo->inflate_strm.total_out = 0;
if (inflate(&vpninfo->inflate_strm, Z_SYNC_FLUSH)) {
599
vpn_progress(vpninfo, PRG_ERR, _("inflate failed\n"));
600
601
602
603
604
605
606
607
608
free(new);
return -EINVAL;
}
new->len = vpninfo->inflate_strm.total_out;
vpninfo->inflate_adler32 = adler32(vpninfo->inflate_adler32,
new->data, new->len);
609
610
611
612
pkt_sum = buf[len - 1] | (buf[len - 2] << 8) |
(buf[len - 3] << 16) | (buf[len - 4] << 24);
if (vpninfo->inflate_adler32 != pkt_sum) {
613
614
615
vpninfo->quit_reason = "Compression (inflate) adler32 failure";
}
616
vpn_progress(vpninfo, PRG_TRACE,
617
_("Received compressed data packet of %ld bytes\n"),
618
(long)vpninfo->inflate_strm.total_out);
619
620
621
622
623
queue_packet(&vpninfo->incoming_queue, new);
return 0;
}
624
#if defined(OPENCONNECT_OPENSSL)
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)
{
int len, ret;
len = SSL_read(vpninfo->https_ssl, buf, maxlen);
if (len > 0)
return len;
ret = SSL_get_error(vpninfo->https_ssl, len);
if (ret == SSL_ERROR_SYSCALL || ret == SSL_ERROR_ZERO_RETURN) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL read error %d (server probably closed connection); reconnecting.\n"),
ret);
return -EIO;
}
return 0;
}
static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)
{
int ret;
ret = SSL_write(vpninfo->https_ssl, buf, buflen);
if (ret > 0)
return ret;
ret = SSL_get_error(vpninfo->https_ssl, ret);
switch (ret) {
case SSL_ERROR_WANT_WRITE:
/* Waiting for the socket to become writable -- it's
probably stalled, and/or the buffers are full */
FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);
case SSL_ERROR_WANT_READ:
return 0;
default:
vpn_progress(vpninfo, PRG_ERR, _("SSL_write failed: %d\n"), ret);
openconnect_report_ssl_errors(vpninfo);
return -1;
}
}
666
#elif defined(OPENCONNECT_GNUTLS)
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)
{
int ret;
ret = gnutls_record_recv(vpninfo->https_sess, buf, maxlen);
if (ret > 0)
return ret;
if (ret != GNUTLS_E_AGAIN) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL read error: %s; reconnecting.\n"),
gnutls_strerror(ret));
return -EIO;
}
return 0;
}
static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)
{
int ret;
ret = gnutls_record_send(vpninfo->https_sess, buf, buflen);
if (ret > 0)
return ret;
if (ret == GNUTLS_E_AGAIN) {
if (gnutls_record_get_direction(vpninfo->https_sess)) {
/* Waiting for the socket to become writable -- it's
probably stalled, and/or the buffers are full */
FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);
}
return 0;
}
vpn_progress(vpninfo, PRG_ERR, _("SSL send failed: %s\n"),
gnutls_strerror(ret));
return -1;
}
#endif
706
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout)
707
708
709
710
711
712
713
714
715
716
717
{
unsigned char buf[16384];
int len, ret;
int work_done = 0;
/* FIXME: The poll() handling here is fairly simplistic. Actually,
if the SSL connection stalls it could return a WANT_WRITE error
on _either_ of the SSL_read() or SSL_write() calls. In that case,
we should probably remove POLLIN from the events we're looking for,
and add POLLOUT. As it is, though, it'll just chew CPU time in that
fairly unlikely situation, until the write backlog clears. */
718
while ((len = cstp_read(vpninfo, buf, sizeof(buf))) > 0) {
719
720
721
722
723
724
725
726
int payload_len;
if (buf[0] != 'S' || buf[1] != 'T' ||
buf[2] != 'F' || buf[3] != 1 || buf[7])
goto unknown_pkt;
payload_len = (buf[4] << 8) + buf[5];
if (len != 8 + payload_len) {
727
vpn_progress(vpninfo, PRG_ERR,
728
729
_("Unexpected packet length. SSL_read returned %d but packet is\n"),
len);
730
vpn_progress(vpninfo, PRG_ERR,
731
732
733
"%02x %02x %02x %02x %02x %02x %02x %02x\n",
buf[0], buf[1], buf[2], buf[3],
buf[4], buf[5], buf[6], buf[7]);
734
735
736
continue;
}
vpninfo->ssl_times.last_rx = time(NULL);
737
switch (buf[6]) {
738
case AC_PKT_DPD_OUT:
739
vpn_progress(vpninfo, PRG_TRACE,
740
_("Got CSTP DPD request\n"));
741
742
743
744
vpninfo->owe_ssl_dpd_response = 1;
continue;
case AC_PKT_DPD_RESP:
745
vpn_progress(vpninfo, PRG_TRACE,
746
_("Got CSTP DPD response\n"));
747
748
749
continue;
case AC_PKT_KEEPALIVE:
750
vpn_progress(vpninfo, PRG_TRACE,
751
_("Got CSTP Keepalive\n"));
752
753
754
continue;
case AC_PKT_DATA:
755
vpn_progress(vpninfo, PRG_TRACE,
756
757
_("Received uncompressed data packet of %d bytes\n"),
payload_len);
758
queue_new_packet(&vpninfo->incoming_queue, buf + 8,
759
760
761
762
payload_len);
work_done = 1;
continue;
763
764
765
766
767
768
769
case AC_PKT_DISCONN: {
int i;
for (i = 0; i < payload_len; i++) {
if (!isprint(buf[payload_len + 8 + i]))
buf[payload_len + 8 + i] = '.';
}
buf[payload_len + 8] = 0;
770
vpn_progress(vpninfo, PRG_ERR,
771
772
_("Received server disconnect: %02x '%s'\n"),
buf[8], buf + 9);
773
774
775
vpninfo->quit_reason = "Server request";
return 1;
}
776
777
case AC_PKT_COMPRESSED:
if (!vpninfo->deflate) {
778
779
vpn_progress(vpninfo, PRG_ERR,
_("Compressed packet received in !deflate mode\n"));
780
781
goto unknown_pkt;
}
782
inflate_and_queue_packet(vpninfo, buf + 8, payload_len);
783
784
785
786
work_done = 1;
continue;
case AC_PKT_TERM_SERVER:
787
vpn_progress(vpninfo, PRG_ERR, _("received server terminate packet\n"));
788
789
790
791
792
vpninfo->quit_reason = "Server request";
return 1;
}
unknown_pkt:
793
vpn_progress(vpninfo, PRG_ERR,
794
795
796
_("Unknown packet %02x %02x %02x %02x %02x %02x %02x %02x\n"),
buf[0], buf[1], buf[2], buf[3],
buf[4], buf[5], buf[6], buf[7]);
797
798
799
vpninfo->quit_reason = "Unknown packet received";
return 1;
}
800
801
if (len < 0)
goto do_reconnect;
802
803
804
/* If SSL_write() fails we are expected to try again. With exactly
805
the same data, at exactly the same location. So we keep the
806
807
808
809
packet we had before.... */
if (vpninfo->current_ssl_pkt) {
handle_outgoing:
vpninfo->ssl_times.last_tx = time(NULL);
810
FD_CLR(vpninfo->ssl_fd, &vpninfo->select_wfds);
811
812
813
814
815
816
ret = cstp_write(vpninfo,
vpninfo->current_ssl_pkt->hdr,
vpninfo->current_ssl_pkt->len + 8);
if (ret < 0)
goto do_reconnect;
817
818
819
820
821
else if (!ret) {
/* -EAGAIN: cstp_write() will have added the SSL fd to
->select_wfds if appropriate, so we can just return
and wait. Unless it's been stalled for so long that
DPD kicks in and we kill the connection. */
822
823
switch (ka_stalled_action(&vpninfo->ssl_times, timeout)) {
case KA_DPD_DEAD:
824
goto peer_dead;
825
826
827
828
829
830
831
832
case KA_REKEY:
goto do_rekey;
case KA_NONE:
return work_done;
default:
/* This should never happen */
;
}
833
}
834
835
if (ret != vpninfo->current_ssl_pkt->len + 8) {
836
837
838
vpn_progress(vpninfo, PRG_ERR,
_("SSL wrote too few bytes! Asked for %d, sent %d\n"),
vpninfo->current_ssl_pkt->len + 8, ret);
839
840
841
842
vpninfo->quit_reason = "Internal error";
return 1;
}
/* Don't free the 'special' packets */
843
844
845
846
847
if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt)
free(vpninfo->pending_deflated_pkt);
else if (vpninfo->current_ssl_pkt != &dpd_pkt &&
vpninfo->current_ssl_pkt != &dpd_resp_pkt &&
vpninfo->current_ssl_pkt != &keepalive_pkt)
848
849
850
851
852
853
854
855
856
857
858
859
860
free(vpninfo->current_ssl_pkt);
vpninfo->current_ssl_pkt = NULL;
}
if (vpninfo->owe_ssl_dpd_response) {
vpninfo->owe_ssl_dpd_response = 0;
vpninfo->current_ssl_pkt = &dpd_resp_pkt;
goto handle_outgoing;
}
switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
case KA_REKEY:
861
do_rekey:
862
863
/* Not that this will ever happen; we don't even process
the setting when we're asked for it. */
864
vpn_progress(vpninfo, PRG_INFO, _("CSTP rekey due\n"));
865
goto do_reconnect;
866
867
868
869
break;
case KA_DPD_DEAD:
peer_dead:
870
871
vpn_progress(vpninfo, PRG_ERR,
_("CSTP Dead Peer Detection detected dead peer!\n"));
872
do_reconnect:
873
if (cstp_reconnect(vpninfo)) {
874
vpn_progress(vpninfo, PRG_ERR, _("Reconnect failed\n"));
875
vpninfo->quit_reason = "CSTP reconnect failed";
876
877
878
879
880
881
882
return 1;
}
/* I think we can leave DTLS to its own devices; when we reconnect
with the same master secret, we do seem to get the same sessid */
return 1;
case KA_DPD:
883
vpn_progress(vpninfo, PRG_TRACE, _("Send CSTP DPD\n"));
884
885
886
887
888
889
890
891
892
893
vpninfo->current_ssl_pkt = &dpd_pkt;
goto handle_outgoing;
case KA_KEEPALIVE:
/* No need to send an explicit keepalive
if we have real data to send */
if (vpninfo->dtls_fd == -1 && vpninfo->outgoing_queue)
break;
894
vpn_progress(vpninfo, PRG_TRACE, _("Send CSTP Keepalive\n"));
895
896
897
898
899
900
901
902
903
904
905
906
vpninfo->current_ssl_pkt = &keepalive_pkt;
goto handle_outgoing;
case KA_NONE:
;
}
/* Service outgoing packet queue, if no DTLS */
while (vpninfo->dtls_fd == -1 && vpninfo->outgoing_queue) {
struct pkt *this = vpninfo->outgoing_queue;
vpninfo->outgoing_queue = this->next;
907
vpninfo->outgoing_qlen--;
908
909
910
911
912
913
914
915
916
917
918
919
920
if (vpninfo->deflate) {
unsigned char *adler;
int ret;
vpninfo->deflate_strm.next_in = this->data;
vpninfo->deflate_strm.avail_in = this->len;
vpninfo->deflate_strm.next_out = (void *)vpninfo->deflate_pkt->data;
vpninfo->deflate_strm.avail_out = 2040;
vpninfo->deflate_strm.total_out = 0;
ret = deflate(&vpninfo->deflate_strm, Z_SYNC_FLUSH);
if (ret) {
921
vpn_progress(vpninfo, PRG_ERR, _("deflate failed %d\n"), ret);
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
goto uncompr;
}
vpninfo->deflate_pkt->hdr[4] = (vpninfo->deflate_strm.total_out + 4) >> 8;
vpninfo->deflate_pkt->hdr[5] = (vpninfo->deflate_strm.total_out + 4) & 0xff;
/* Add ongoing adler32 to tail of compressed packet */
vpninfo->deflate_adler32 = adler32(vpninfo->deflate_adler32,
this->data, this->len);
adler = &vpninfo->deflate_pkt->data[vpninfo->deflate_strm.total_out];
*(adler++) = vpninfo->deflate_adler32 >> 24;
*(adler++) = (vpninfo->deflate_adler32 >> 16) & 0xff;
*(adler++) = (vpninfo->deflate_adler32 >> 8) & 0xff;
*(adler) = vpninfo->deflate_adler32 & 0xff;
vpninfo->deflate_pkt->len = vpninfo->deflate_strm.total_out + 4;
940
vpn_progress(vpninfo, PRG_TRACE,
941
942
_("Sending compressed data packet of %d bytes\n"),
this->len);
943
944
vpninfo->pending_deflated_pkt = this;
945
946
947
948
949
950
951
vpninfo->current_ssl_pkt = vpninfo->deflate_pkt;
} else {
uncompr:
memcpy(this->hdr, data_hdr, 8);
this->hdr[4] = this->len >> 8;
this->hdr[5] = this->len & 0xff;
952
vpn_progress(vpninfo, PRG_TRACE,
953
954
_("Sending uncompressed data packet of %d bytes\n"),
this->len);
955
956
957
958
959
960
961
962
963
964
vpninfo->current_ssl_pkt = this;
}
goto handle_outgoing;
}
/* Work is not done if we just got rid of packets off the queue */
return work_done;
}
965
int cstp_bye(struct openconnect_info *vpninfo, const char *reason)
966
967
{
unsigned char *bye_pkt;
968
969
970
int reason_len;
/* already lost connection? */
971
#if defined(OPENCONNECT_OPENSSL)
972
973
if (!vpninfo->https_ssl)
return 0;
974
#elif defined(OPENCONNECT_GNUTLS)
975
976
977
if (!vpninfo->https_sess)
return 0;
#endif
978
979
reason_len = strlen(reason);
980
bye_pkt = malloc(reason_len + 9);
981
982
if (!bye_pkt)
return -ENOMEM;
983
984
memcpy(bye_pkt, data_hdr, 8);
985
memcpy(bye_pkt + 9, reason, reason_len);
986
987
988
bye_pkt[4] = (reason_len + 1) >> 8;
bye_pkt[5] = (reason_len + 1) & 0xff;
989
bye_pkt[6] = AC_PKT_DISCONN;
990
bye_pkt[8] = 0xb0;
991
992
vpn_progress(vpninfo, PRG_INFO,
993
_("Send BYE packet: %s\n"), reason);
994
995
996
997
cstp_write(vpninfo, bye_pkt, reason_len + 9);
free(bye_pkt);
998
999
return 0;
}