/
openconnect-internal.h
1238 lines (1087 loc) · 37.8 KB
1
2
3
/*
* OpenConnect (SSL + DTLS) VPN client
*
4
* Copyright © 2008-2015 Intel Corporation.
5
* Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
6
* Copyright © 2013 John Morrissey <jwm@horde.net>
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
*
* Author: David Woodhouse <dwmw2@infradead.org>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* version 2.1, as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*/
#ifndef __OPENCONNECT_INTERNAL_H__
#define __OPENCONNECT_INTERNAL_H__
23
24
#define __OPENCONNECT_PRIVATE__
25
26
27
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
28
29
30
31
#ifndef SECURITY_WIN32
#define SECURITY_WIN32 1
#endif
#include <security.h>
32
#else
33
#include <sys/types.h>
34
35
36
37
38
39
40
41
#include <sys/socket.h>
#include <sys/select.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <fcntl.h>
#endif
42
43
#include "openconnect.h"
44
#if defined(OPENCONNECT_OPENSSL)
45
#include <openssl/ssl.h>
46
#include <openssl/err.h>
47
48
49
50
51
/* Ick */
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
#define method_const const
#else
#define method_const
52
#endif
53
54
#endif /* OPENSSL */
55
#if defined(OPENCONNECT_GNUTLS)
56
#include <gnutls/gnutls.h>
57
#include <gnutls/abstract.h>
58
#include <gnutls/x509.h>
59
#include <gnutls/crypto.h>
60
61
#endif
62
63
64
65
66
#ifdef HAVE_ICONV
#include <langinfo.h>
#include <iconv.h>
#endif
67
68
69
70
71
#include <zlib.h>
#include <stdint.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
72
#include <string.h>
73
74
#ifdef LIBPROXY_HDR
75
76
#include LIBPROXY_HDR
#endif
77
78
79
#ifdef HAVE_LIBSTOKEN
#include <stoken.h>
80
81
#endif
82
#ifdef HAVE_GSSAPI
83
#include GSSAPI_HDR
84
85
#endif
86
87
88
89
#ifdef HAVE_LIBPSKC
#include <pskc/pskc.h>
#endif
90
91
92
93
#ifdef HAVE_LIBP11
#include <libp11.h>
#endif
94
95
#ifdef ENABLE_NLS
#include <libintl.h>
96
#define _(s) dgettext("openconnect", s)
97
#else
98
#define _(s) ((char *)(s))
99
#endif
100
#define N_(s) s
101
102
103
#include <libxml/tree.h>
104
#define SHA256_SIZE 32
105
#define SHA1_SIZE 20
106
#define MD5_SIZE 16
107
108
109
/* FreeBSD provides this in <sys/param.h> */
#ifndef MAX
110
#define MAX(x,y) ((x)>(y))?(x):(y)
111
#endif
112
113
114
#ifndef MIN
#define MIN(x,y) ((x)<(y))?(x):(y)
#endif
115
116
117
118
119
/****************************************************************************/
struct pkt {
int len;
struct pkt *next;
120
union {
121
122
123
124
125
126
struct {
uint32_t spi;
uint32_t seq;
unsigned char iv[16];
unsigned char payload[];
} esp;
127
struct {
128
unsigned char pad[2];
129
130
unsigned char rec[2];
unsigned char kmp[20];
131
} oncp;
132
133
struct {
unsigned char pad[16];
134
unsigned char hdr[8];
135
} cstp;
136
137
138
139
struct {
unsigned char pad[8];
unsigned char hdr[16];
} gpst;
140
};
141
142
143
unsigned char data[];
};
144
145
146
147
#define REKEY_NONE 0
#define REKEY_TUNNEL 1
#define REKEY_SSL 2
148
149
150
151
152
153
#define KA_NONE 0
#define KA_DPD 1
#define KA_DPD_DEAD 2
#define KA_KEEPALIVE 3
#define KA_REKEY 4
154
155
156
#define DTLS_NOSECRET 0 /* Random secret has not been generated yet */
#define DTLS_SECRET 1 /* Secret is present, ready to attempt DTLS */
#define DTLS_DISABLED 2 /* DTLS was disabled on the *client* side */
157
158
159
#define DTLS_SLEEPING 3 /* For ESP, sometimes sending probes */
#define DTLS_CONNECTING 4 /* ESP probe received; must tell server */
#define DTLS_CONNECTED 5 /* Server informed and should be sending ESP */
160
161
#define COMPR_DEFLATE (1<<0)
162
#define COMPR_LZS (1<<1)
163
#define COMPR_LZ4 (1<<2)
164
165
#define COMPR_LZO (1<<3)
#define COMPR_MAX COMPR_LZO
166
167
#ifdef HAVE_LZ4
168
#define COMPR_STATELESS (COMPR_LZS | COMPR_LZ4 | COMPR_LZO)
169
#else
170
#define COMPR_STATELESS (COMPR_LZS)
171
#endif
172
#define COMPR_ALL (COMPR_STATELESS | COMPR_DEFLATE)
173
174
175
#define DTLS_APP_ID_EXT 48018
176
177
178
179
struct keepalive_info {
int dpd;
int keepalive;
int rekey;
180
int rekey_method;
181
182
183
184
185
186
time_t last_rekey;
time_t last_tx;
time_t last_rx;
time_t last_dpd;
};
187
188
189
190
191
192
struct pin_cache {
struct pin_cache *next;
char *token;
char *pin;
};
193
194
195
196
197
198
199
struct oc_text_buf {
char *data;
int pos;
int buf_len;
int error;
};
200
201
#define TLS_MASTER_KEY_SIZE 48
202
203
204
#define RECONNECT_INTERVAL_MIN 10
#define RECONNECT_INTERVAL_MAX 100
205
206
207
208
#define REDIR_TYPE_NONE 0
#define REDIR_TYPE_NEWHOST 1
#define REDIR_TYPE_LOCAL 2
209
210
211
212
213
214
215
#define AUTH_TYPE_GSSAPI 0
#define AUTH_TYPE_NTLM 1
#define AUTH_TYPE_DIGEST 2
#define AUTH_TYPE_BASIC 3
#define MAX_AUTH_TYPES 4
216
#define AUTH_DEFAULT_DISABLED -3
217
#define AUTH_DISABLED -2
218
219
220
221
222
223
#define AUTH_FAILED -1 /* Failed */
#define AUTH_UNSEEN 0 /* Server has not offered it */
#define AUTH_AVAILABLE 1 /* Server has offered it, we have not tried it */
/* Individual auth types may use 2 onwards for their own state */
#define AUTH_IN_PROGRESS 2 /* In-progress attempt */
224
struct http_auth_state {
225
226
int state;
char *challenge;
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
union {
#ifdef HAVE_GSSAPI
struct {
gss_name_t gss_target_name;
gss_ctx_id_t gss_context;
};
#endif
#ifdef _WIN32
struct {
CredHandle ntlm_sspi_cred;
CtxtHandle ntlm_sspi_ctx;
};
struct {
CredHandle sspi_cred;
CtxtHandle sspi_ctx;
SEC_WCHAR *sspi_target_name;
};
#else
struct {
int ntlm_helper_fd;
};
#endif
};
250
251
};
252
struct vpn_proto {
253
const char *name;
254
255
const char *pretty_name;
const char *description;
256
const char *udp_protocol;
257
unsigned int flags;
258
int (*vpn_close_session)(struct openconnect_info *vpninfo, const char *reason);
259
260
261
262
/* This does the full authentication, calling back as appropriate */
int (*obtain_cookie)(struct openconnect_info *vpninfo);
263
264
265
266
267
/* Establish the TCP connection (and obtain configuration) */
int (*tcp_connect)(struct openconnect_info *vpninfo);
int (*tcp_mainloop)(struct openconnect_info *vpninfo, int *timeout);
268
269
270
/* Add headers common to each HTTP request */
void (*add_http_headers)(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
271
272
273
274
275
276
277
278
279
280
281
282
/* Set up the UDP (DTLS) connection. Doesn't actually *start* it. */
int (*udp_setup)(struct openconnect_info *vpninfo, int attempt_period);
/* This will actually complete the UDP connection setup/handshake on the wire,
as well as transporting packets */
int (*udp_mainloop)(struct openconnect_info *vpninfo, int *timeout);
/* Close the connection but leave the session setup so it restarts */
void (*udp_close)(struct openconnect_info *vpninfo);
/* Close and destroy the (UDP) session */
void (*udp_shutdown)(struct openconnect_info *vpninfo);
283
284
285
286
287
288
/* Send probe packets to start or maintain the (UDP) session */
int (*udp_send_probes)(struct openconnect_info *vpninfo);
/* Catch probe packet confirming the (UDP) session */
int (*udp_catch_probe)(struct openconnect_info *vpninfo, struct pkt *p);
289
290
};
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
struct pkt_q {
struct pkt *head;
struct pkt **tail;
int count;
};
static inline struct pkt *dequeue_packet(struct pkt_q *q)
{
struct pkt *ret = q->head;
if (ret) {
q->head = ret->next;
if (!--q->count)
q->tail = &q->head;
}
return ret;
}
static inline void requeue_packet(struct pkt_q *q, struct pkt *p)
{
p->next = q->head;
q->head = p;
if (!q->count++)
q->tail = &p->next;
}
static inline int queue_packet(struct pkt_q *q, struct pkt *p)
{
*(q->tail) = p;
p->next = NULL;
q->tail = &p->next;
return ++q->count;
}
static inline void init_pkt_queue(struct pkt_q *q)
{
q->tail = &q->head;
}
329
330
#define DTLS_OVERHEAD (1 /* packet + header */ + 13 /* DTLS header */ + \
331
20 /* biggest supported MAC (SHA1) */ + 32 /* biggest supported IV (AES-256) */ + \
332
333
16 /* max padding */)
334
struct esp {
335
#if defined(OPENCONNECT_GNUTLS)
336
337
gnutls_cipher_hd_t cipher;
gnutls_hmac_hd_t hmac;
338
#elif defined(OPENCONNECT_OPENSSL)
339
340
HMAC_CTX *hmac, *pkt_hmac;
EVP_CIPHER_CTX *cipher;
341
#endif
342
uint64_t seq_backlog;
343
uint64_t seq;
344
uint32_t spi; /* Stored network-endian */
345
346
unsigned char enc_key[0x40]; /* Encryption key */
unsigned char hmac_key[0x40]; /* HMAC key */
347
348
};
349
struct oc_pcsc_ctx;
350
struct oc_tpm1_ctx;
351
struct oc_tpm2_ctx;
352
353
struct openconnect_info {
354
const struct vpn_proto *proto;
355
356
357
358
359
#ifdef HAVE_ICONV
iconv_t ic_legacy_to_utf8;
iconv_t ic_utf8_to_legacy;
#endif
360
char *redirect_url;
361
int redirect_type;
362
363
364
365
366
367
368
369
unsigned char esp_hmac;
unsigned char esp_enc;
unsigned char esp_compr;
uint32_t esp_replay_protect;
uint32_t esp_lifetime_bytes;
uint32_t esp_lifetime_seconds;
uint32_t esp_ssl_fallback;
370
371
372
int current_esp_in;
int old_esp_maxseq;
struct esp esp_in[2];
373
struct esp esp_out;
374
375
int enc_key_len;
int hmac_key_len;
376
uint32_t esp_magic; /* GlobalProtect magic ping address (network-endian) */
377
378
int tncc_fd; /* For Juniper TNCC */
379
const char *csd_xmltag;
380
int csd_nostub;
381
char *platname;
382
383
384
char *mobile_platform_version;
char *mobile_device_type;
char *mobile_device_uniqueid;
385
386
387
388
389
390
391
392
char *csd_token;
char *csd_ticket;
char *csd_stuburl;
char *csd_starturl;
char *csd_waiturl;
char *csd_preurl;
char *csd_scriptname;
393
xmlNode *opaque_srvdata;
394
395
396
397
char *profile_url;
char *profile_sha1;
398
#ifdef LIBPROXY_HDR
399
400
401
402
403
pxProxyFactory *proxy_factory;
#endif
char *proxy_type;
char *proxy;
int proxy_port;
404
int proxy_fd;
405
406
char *proxy_user;
char *proxy_pass;
407
int proxy_close_during_auth;
408
409
int retry_on_auth_fail;
int try_http_auth;
410
struct http_auth_state http_auth[MAX_AUTH_TYPES];
411
struct http_auth_state proxy_auth[MAX_AUTH_TYPES];
412
413
char *localname;
414
char *hostname;
415
char *unique_hostname;
416
417
int port;
char *urlpath;
418
int cert_expire_warning;
419
420
char *cert;
char *sslkey;
421
char *cert_password;
422
char *cafile;
423
unsigned no_system_trust;
424
const char *xmlconfig;
425
char xmlsha1[(SHA1_SIZE * 2) + 1];
426
427
char *authgroup;
int nopasswd;
428
int xmlpost;
429
char *dtls_ciphers;
430
char *dtls12_ciphers;
431
432
char *csd_wrapper;
int no_http_keepalive;
433
int dump_http_traffic;
434
435
436
437
438
int token_mode;
int token_bypassed;
int token_tries;
time_t token_time;
439
#ifdef HAVE_LIBSTOKEN
440
441
struct stoken_ctx *stoken_ctx;
char *stoken_pin;
442
443
int stoken_concat_pin;
int stoken_interval;
444
#endif
445
446
447
448
#ifdef HAVE_LIBPSKC
pskc_t *pskc;
pskc_key_t *pskc_key;
#endif
449
450
char *oath_secret;
size_t oath_secret_len;
451
452
453
454
455
enum {
OATH_ALG_HMAC_SHA1 = 0,
OATH_ALG_HMAC_SHA256,
OATH_ALG_HMAC_SHA512,
} oath_hmac_alg;
456
457
458
459
460
461
enum {
HOTP_SECRET_BASE32 = 1,
HOTP_SECRET_RAW,
HOTP_SECRET_HEX,
HOTP_SECRET_PSKC,
} hotp_secret_format; /* We need to give it back in the same form */
462
463
#ifdef HAVE_LIBPCSCLITE
464
struct oc_pcsc_ctx *pcsc;
465
unsigned char yubikey_pwhash[16];
466
#endif
467
468
469
openconnect_lock_token_vfn lock_token;
openconnect_unlock_token_vfn unlock_token;
void *tok_cbdata;
470
471
void *peer_cert;
472
473
474
475
476
/* The SHA1 and SHA256 hashes of the peer's public key */
uint8_t peer_cert_sha1_raw[SHA1_SIZE];
uint8_t peer_cert_sha256_raw[SHA256_SIZE];
/* this value is cache for openconnect_get_peer_cert_hash */
char *peer_cert_hash;
477
478
void *cert_list_handle;
int cert_list_size;
479
480
char *cookie; /* Pointer to within cookies list */
481
482
483
struct oc_vpn_option *cookies;
struct oc_vpn_option *cstp_options;
struct oc_vpn_option *dtls_options;
484
485
struct oc_vpn_option *script_env;
486
struct oc_vpn_option *csd_env;
487
488
unsigned pfs;
489
unsigned no_tls13;
490
#if defined(OPENCONNECT_OPENSSL)
491
492
493
494
495
496
497
498
#ifdef HAVE_LIBP11
PKCS11_CTX *pkcs11_ctx;
PKCS11_SLOT *pkcs11_slot_list;
unsigned int pkcs11_slot_count;
PKCS11_SLOT *pkcs11_cert_slot;
unsigned char *pkcs11_cert_id;
size_t pkcs11_cert_id_len;
#endif
499
X509 *cert_x509;
500
501
SSL_CTX *https_ctx;
SSL *https_ssl;
502
503
504
#elif defined(OPENCONNECT_GNUTLS)
gnutls_session_t https_sess;
gnutls_certificate_credentials_t https_cred;
505
gnutls_psk_client_credentials_t psk_cred;
506
char local_cert_md5[MD5_SIZE * 2 + 1]; /* For CSD */
507
char gnutls_prio[256];
508
#ifdef HAVE_TROUSERS
509
struct oc_tpm1_ctx *tpm1;
510
#endif
511
512
513
#ifdef HAVE_TSS2
struct oc_tpm2_ctx *tpm2;
#endif
514
#endif /* OPENCONNECT_GNUTLS */
515
struct pin_cache *pin_cache;
516
517
518
struct keepalive_info ssl_times;
int owe_ssl_dpd_response;
519
520
521
522
int deflate_pkt_size; /* It may need to be larger than MTU */
struct pkt *deflate_pkt; /* For compressing outbound packets into */
struct pkt *pending_deflated_pkt; /* The original packet associated with above */
struct pkt *current_ssl_pkt; /* Partially sent SSL packet */
523
struct pkt_q oncp_control_queue; /* Control packets to be sent on oNCP next */
524
int oncp_rec_size; /* For packetising incoming oNCP stream */
525
/* Packet buffers for receiving into */
526
struct pkt *cstp_pkt;
527
struct pkt *dtls_pkt;
528
struct pkt *tun_pkt;
529
530
int pkt_trailer; /* How many bytes after payload for encryption (ESP HMAC) */
531
532
533
534
535
536
537
538
539
540
z_stream inflate_strm;
uint32_t inflate_adler32;
z_stream deflate_strm;
uint32_t deflate_adler32;
int disable_ipv6;
int reconnect_timeout;
int reconnect_interval;
int dtls_attempt_period;
time_t new_dtls_started;
541
#if defined(OPENCONNECT_OPENSSL)
542
543
SSL_CTX *dtls_ctx;
SSL *dtls_ssl;
544
#elif defined(OPENCONNECT_GNUTLS)
545
546
547
548
/* Call this dtls_ssl rather than dtls_sess because it's just a
pointer, and generic code in dtls.c wants to check if it's
NULL or not or pass it to DTLS_SEND/DTLS_RECV. This way we
have fewer ifdefs and accessor macros for it. */
549
gnutls_session_t dtls_ssl;
550
char *gnutls_dtls_cipher; /* cached for openconnect_get_dtls_cipher() */
551
#endif
552
553
char *cstp_cipher;
554
int dtls_state;
555
int dtls_need_reconnect;
556
557
struct keepalive_info dtls_times;
unsigned char dtls_session_id[32];
558
unsigned char dtls_secret[TLS_MASTER_KEY_SIZE];
559
560
unsigned char dtls_app_id[32];
unsigned dtls_app_id_size;
561
562
int cisco_dtls12;
563
char *dtls_cipher;
564
char *vpnc_script;
565
#ifndef _WIN32
566
567
568
int uid_csd_given;
uid_t uid_csd;
gid_t gid_csd;
569
uid_t uid;
570
gid_t gid;
571
572
#endif
int use_tun_script;
573
574
int script_tun;
char *ifname;
575
char *cmd_ifname;
576
577
int reqmtu, basemtu; /* Local static configured values */
578
const char *banner;
579
580
struct oc_ip_info ip_info;
581
int cstp_basemtu; /* Returned by server */
582
int idle_timeout; /* Returned by server */
583
584
585
#ifdef _WIN32
long dtls_monitored, ssl_monitored, cmd_monitored, tun_monitored;
586
HANDLE dtls_event, ssl_event, cmd_event;
587
#else
588
589
590
591
int _select_nfds;
fd_set _select_rfds;
fd_set _select_wfds;
fd_set _select_efds;
592
#endif
593
594
595
#ifdef __sun__
int ip_fd;
596
int ip6_fd;
597
598
599
#endif
#ifdef _WIN32
HANDLE tun_fh;
600
OVERLAPPED tun_rd_overlap, tun_wr_overlap;
601
int tun_idx, tun_rd_pending;
602
#else
603
int tun_fd;
604
#endif
605
606
int ssl_fd;
int dtls_fd;
607
608
609
610
611
int dtls_tos_current;
int dtls_pass_tos;
int dtls_tos_proto, dtls_tos_optname;
612
int cmd_fd;
613
int cmd_fd_write;
614
int got_cancel_cmd;
615
int got_pause_cmd;
616
char cancel_type;
617
618
619
struct pkt_q incoming_queue;
struct pkt_q outgoing_queue;
620
int max_qlen;
621
622
struct oc_stats stats;
openconnect_stats_vfn stats_handler;
623
624
625
626
627
socklen_t peer_addrlen;
struct sockaddr *peer_addr;
struct sockaddr *dtls_addr;
628
629
int dtls_local_port;
630
631
632
633
int req_compr; /* What we requested */
int cstp_compr; /* Accepted for CSTP */
int dtls_compr; /* Accepted for DTLS */
634
int is_dyndns; /* Attempt to redo DNS lookup on each CSTP reconnect */
635
char *useragent;
636
char *version_string;
637
638
const char *quit_reason;
639
640
int verbose;
641
642
643
644
645
void *cbdata;
openconnect_validate_peer_cert_vfn validate_peer_cert;
openconnect_write_new_config_vfn write_new_config;
openconnect_process_auth_form_vfn process_auth_form;
openconnect_progress_vfn progress;
646
openconnect_protect_socket_vfn protect_socket;
647
openconnect_getaddrinfo_vfn getaddrinfo_override;
648
openconnect_setup_tun_vfn setup_tun;
649
openconnect_reconnected_vfn reconnected;
650
651
652
653
int (*ssl_read)(struct openconnect_info *vpninfo, char *buf, size_t len);
int (*ssl_gets)(struct openconnect_info *vpninfo, char *buf, size_t len);
int (*ssl_write)(struct openconnect_info *vpninfo, char *buf, size_t len);
654
655
};
656
657
658
659
660
661
662
663
664
665
666
667
#ifdef _WIN32
#define monitor_read_fd(_v, _n) _v->_n##_monitored |= FD_READ
#define monitor_write_fd(_v, _n) _v->_n##_monitored |= FD_WRITE
#define monitor_except_fd(_v, _n) _v->_n##_monitored |= FD_CLOSE
#define unmonitor_read_fd(_v, _n) _v->_n##_monitored &= ~FD_READ
#define unmonitor_write_fd(_v, _n) _v->_n##_monitored &= ~FD_WRITE
#define unmonitor_except_fd(_v, _n) _v->_n##_monitored &= ~FD_CLOSE
#define monitor_fd_new(_v, _n) do { if (!_v->_n##_event) _v->_n##_event = CreateEvent(NULL, FALSE, FALSE, NULL); } while (0)
#define read_fd_monitored(_v, _n) (_v->_n##_monitored & FD_READ)
#else
668
669
670
671
672
673
674
675
676
677
678
679
680
#define monitor_read_fd(_v, _n) FD_SET(_v-> _n##_fd, &vpninfo->_select_rfds)
#define unmonitor_read_fd(_v, _n) FD_CLR(_v-> _n##_fd, &vpninfo->_select_rfds)
#define monitor_write_fd(_v, _n) FD_SET(_v-> _n##_fd, &vpninfo->_select_wfds)
#define unmonitor_write_fd(_v, _n) FD_CLR(_v-> _n##_fd, &vpninfo->_select_wfds)
#define monitor_except_fd(_v, _n) FD_SET(_v-> _n##_fd, &vpninfo->_select_efds)
#define unmonitor_except_fd(_v, _n) FD_CLR(_v-> _n##_fd, &vpninfo->_select_efds)
#define monitor_fd_new(_v, _n) do { \
if (_v->_select_nfds <= vpninfo->_n##_fd) \
vpninfo->_select_nfds = vpninfo->_n##_fd + 1; \
} while (0)
#define read_fd_monitored(_v, _n) FD_ISSET(_v->_n##_fd, &_v->_select_rfds)
681
#endif
682
683
684
685
686
687
/* Key material for DTLS-PSK */
#define PSK_LABEL "EXPORTER-openconnect-psk"
#define PSK_LABEL_SIZE sizeof(PSK_LABEL)-1
#define PSK_KEY_SIZE 32
688
689
690
691
692
693
694
695
696
697
/* Packet types */
#define AC_PKT_DATA 0 /* Uncompressed data */
#define AC_PKT_DPD_OUT 3 /* Dead Peer Detection */
#define AC_PKT_DPD_RESP 4 /* DPD response */
#define AC_PKT_DISCONN 5 /* Client disconnection notice */
#define AC_PKT_KEEPALIVE 7 /* Keepalive */
#define AC_PKT_COMPRESSED 8 /* Compressed data */
#define AC_PKT_TERM_SERVER 9 /* Server kick */
698
699
700
701
702
703
/* Encryption and HMAC algorithms (matching Juniper's binary encoding) */
#define ENC_AES_128_CBC 2
#define ENC_AES_256_CBC 5
#define HMAC_MD5 1
#define HMAC_SHA1 2
704
705
#define vpn_progress(_v, lvl, ...) do { \
if ((_v)->verbose >= (lvl)) \
706
(_v)->progress((_v)->cbdata, lvl, __VA_ARGS__); \
707
} while(0)
708
#define vpn_perror(vpninfo, msg) vpn_progress((vpninfo), PRG_ERR, "%s: %s\n", (msg), strerror(errno))
709
710
711
/****************************************************************************/
/* Oh Solaris how we hate thee! */
712
#ifdef HAVE_SUNOS_BROKEN_TIME
713
714
715
#define time(x) openconnect__time(x)
time_t openconnect__time(time_t *t);
#endif
716
717
718
719
#ifndef HAVE_VASPRINTF
#define vasprintf openconnect__vasprintf
int openconnect__vasprintf(char **strp, const char *fmt, va_list ap);
#endif
720
721
722
723
#ifndef HAVE_ASPRINTF
#define asprintf openconnect__asprintf
int openconnect__asprintf(char **strp, const char *fmt, ...);
#endif
724
725
726
727
#ifndef HAVE_GETLINE
#define getline openconnect__getline
ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
#endif
728
729
730
731
#ifndef HAVE_STRCASESTR
#define strcasestr openconnect__strcasestr
char *openconnect__strcasestr(const char *haystack, const char *needle);
#endif
732
733
734
735
736
#ifndef HAVE_STRNDUP
#undef strndup
#define strndup openconnect__strndup
char *openconnect__strndup(const char *s, size_t n);
#endif
737
738
739
740
741
742
#ifndef HAVE_INET_ATON
#define inet_aton openconnect__inet_aton
int openconnect__inet_aton(const char *cp, struct in_addr *addr);
#endif
743
744
745
static inline int set_sock_nonblock(int fd)
{
#ifdef _WIN32
746
unsigned long mode = 1;
747
748
749
750
751
752
753
754
755
756
757
758
759
return ioctlsocket(fd, FIONBIO, &mode);
#else
return fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
#endif
}
static inline int set_fd_cloexec(int fd)
{
#ifdef _WIN32
return 0; /* Windows has O_INHERIT but... */
#else
return fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
#endif
}
760
761
762
763
764
765
766
767
static inline int tun_is_up(struct openconnect_info *vpninfo)
{
#ifdef _WIN32
return vpninfo->tun_fh != NULL;
#else
return vpninfo->tun_fd != -1;
#endif
}
768
769
#ifdef _WIN32
770
#define pipe(fds) _pipe(fds, 4096, O_BINARY)
771
int openconnect__win32_sock_init();
772
char *openconnect__win32_strerror(DWORD err);
773
774
775
#undef inet_pton
#define inet_pton openconnect__win32_inet_pton
int openconnect__win32_inet_pton(int af, const char *src, void *dst);
776
777
#define OPENCONNECT_CMD_SOCKET SOCKET
OPENCONNECT_CMD_SOCKET dumb_socketpair(OPENCONNECT_CMD_SOCKET socks[2], int make_overlapped);
778
779
#else
#define closesocket close
780
#define OPENCONNECT_CMD_SOCKET int
781
782
783
#ifndef O_BINARY
#define O_BINARY 0
#endif
784
785
#endif
786
787
788
789
790
791
/* For systems that don't support O_CLOEXEC, just don't bother.
We don't keep files open for long anyway. */
#ifndef O_CLOEXEC
#define O_CLOEXEC 0
#endif
792
793
794
795
796
797
798
799
/* I always coded as if it worked like this. Now it does. */
#define realloc_inplace(p, size) do { \
void *__realloc_old = p; \
p = realloc(p, size); \
if (size && !p) \
free(__realloc_old); \
} while (0)
800
801
/****************************************************************************/
802
803
804
805
806
807
808
809
810
/* iconv.c */
#ifdef HAVE_ICONV
char *openconnect_utf8_to_legacy(struct openconnect_info *vpninfo, const char *utf8);
char *openconnect_legacy_to_utf8(struct openconnect_info *vpninfo, const char *legacy);
#else
#define openconnect_utf8_to_legacy(v, str) ((char *)str)
#define openconnect_legacy_to_utf8(v, str) ((char *)str)
#endif
811
/* script.c */
812
unsigned char unhex(const char *data);
813
814
815
int script_setenv(struct openconnect_info *vpninfo, const char *opt, const char *val, int append);
int script_setenv_int(struct openconnect_info *vpninfo, const char *opt, int value);
void prepare_script_env(struct openconnect_info *vpninfo);
816
int script_config_tun(struct openconnect_info *vpninfo, const char *reason);
817
int apply_script_env(struct oc_vpn_option *envs);
818
void free_split_routes(struct openconnect_info *vpninfo);
819
820
/* tun.c / tun-win32.c */
821
void os_shutdown_tun(struct openconnect_info *vpninfo);
822
int os_read_tun(struct openconnect_info *vpninfo, struct pkt *pkt);
823
int os_write_tun(struct openconnect_info *vpninfo, struct pkt *pkt);
824
intptr_t os_setup_tun(struct openconnect_info *vpninfo);
825
826
827
828
829
/* {gnutls,openssl}-dtls.c */
int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd);
int dtls_try_handshake(struct openconnect_info *vpninfo);
unsigned dtls_set_mtu(struct openconnect_info *vpninfo, unsigned mtu);
830
void dtls_ssl_free(struct openconnect_info *vpninfo);
831
832
/* dtls.c */
833
int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
834
int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
835
void dtls_close(struct openconnect_info *vpninfo);
836
void dtls_shutdown(struct openconnect_info *vpninfo);
837
void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf, struct oc_text_buf *buf12);
838
void dtls_detect_mtu(struct openconnect_info *vpninfo);
839
840
int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms);
int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len);
841
char *openconnect_bin2hex(const char *prefix, const uint8_t *data, unsigned len);
842
char *openconnect_bin2base64(const char *prefix, const uint8_t *data, unsigned len);
843
844
/* cstp.c */
845
void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
846
int cstp_connect(struct openconnect_info *vpninfo);
847
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);
848
int cstp_bye(struct openconnect_info *vpninfo, const char *reason);
849
int decompress_and_queue_packet(struct openconnect_info *vpninfo, int compr_type,
850
unsigned char *buf, int len);
851
int compress_packet(struct openconnect_info *vpninfo, int compr_type, struct pkt *this);
852
853
854
855
856
/* auth-juniper.c */
int oncp_obtain_cookie(struct openconnect_info *vpninfo);
void oncp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
857
858
859
/* oncp.c */
int oncp_connect(struct openconnect_info *vpninfo);
int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout);
860
int oncp_bye(struct openconnect_info *vpninfo, const char *reason);
861
void oncp_esp_close(struct openconnect_info *vpninfo);
862
863
int oncp_esp_send_probes(struct openconnect_info *vpninfo);
int oncp_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt);
864
865
866
867
868
869
870
/* auth-globalprotect.c */
int gpst_obtain_cookie(struct openconnect_info *vpninfo);
void gpst_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
int gpst_bye(struct openconnect_info *vpninfo, const char *reason);
/* gpst.c */
871
872
873
874
int gpst_xml_or_error(struct openconnect_info *vpninfo, char *response,
int (*xml_cb)(struct openconnect_info *, xmlNode *xml_node, void *cb_data),
int (*challenge_cb)(struct openconnect_info *, char *prompt, char *inputStr, void *cb_data),
void *cb_data);
875
876
int gpst_setup(struct openconnect_info *vpninfo);
int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout);
877
878
int gpst_esp_send_probes(struct openconnect_info *vpninfo);
int gpst_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt);
879
880
881
/* lzs.c */
int lzs_decompress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);
882
int lzs_compress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);
883
884
/* ssl.c */
885
unsigned string_is_hostname(const char* str);
886
int connect_https_socket(struct openconnect_info *vpninfo);
887
888
int __attribute__ ((format(printf, 4, 5)))
request_passphrase(struct openconnect_info *vpninfo, const char *label,
889
char **response, const char *fmt, ...);
890
int __attribute__ ((format (printf, 2, 3)))
891
openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
892
893
int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
#define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
894
#if defined(FAKE_ANDROID_KEYSTORE) || defined(__ANDROID__)
895
896
897
#define ANDROID_KEYSTORE
#endif
#ifdef ANDROID_KEYSTORE
898
const char *keystore_strerror(int err);
899
900
int keystore_fetch(const char *key, unsigned char **result);
#endif
901
void cmd_fd_set(struct openconnect_info *vpninfo, fd_set *fds, int *maxfd);
902
void check_cmd_fd(struct openconnect_info *vpninfo, fd_set *fds);
903
int is_cancel_pending(struct openconnect_info *vpninfo, fd_set *fds);
904
void poll_cmd_fd(struct openconnect_info *vpninfo, int timeout);
905
906
907
908
int openconnect_open_utf8(struct openconnect_info *vpninfo,
const char *fname, int mode);
FILE *openconnect_fopen_utf8(struct openconnect_info *vpninfo,
const char *fname, const char *mode);
909
int udp_sockaddr(struct openconnect_info *vpninfo, int port);
910
int udp_connect(struct openconnect_info *vpninfo);
911
int ssl_reconnect(struct openconnect_info *vpninfo);
912
void openconnect_clear_cookies(struct openconnect_info *vpninfo);
913
914
int cancellable_gets(struct openconnect_info *vpninfo, int fd,
char *buf, size_t len);
915
916
917
918
919
int cancellable_send(struct openconnect_info *vpninfo, int fd,
char *buf, size_t len);
int cancellable_recv(struct openconnect_info *vpninfo, int fd,
char *buf, size_t len);
920
921
922
923
/* openssl-pkcs11.c */
int load_pkcs11_key(struct openconnect_info *vpninfo);
int load_pkcs11_certificate(struct openconnect_info *vpninfo);
924
925
926
/* esp.c */
int verify_packet_seqno(struct openconnect_info *vpninfo,
struct esp *esp, uint32_t seq);
927
928
929
930
int esp_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
int esp_mainloop(struct openconnect_info *vpninfo, int *timeout);
void esp_close(struct openconnect_info *vpninfo);
void esp_shutdown(struct openconnect_info *vpninfo);
931
int print_esp_keys(struct openconnect_info *vpninfo, const char *name, struct esp *esp);
932
933
/* {gnutls,openssl}-esp.c */
934
int setup_esp_keys(struct openconnect_info *vpninfo, int new_keys);
935
void destroy_esp_ciphers(struct esp *esp);
936
int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp, struct pkt *pkt);
937
int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt);
938
939
/* {gnutls,openssl}.c */
940
941
int ssl_nonblock_read(struct openconnect_info *vpninfo, void *buf, int maxlen);
int ssl_nonblock_write(struct openconnect_info *vpninfo, void *buf, int buflen);
942
int openconnect_open_https(struct openconnect_info *vpninfo);
943
void openconnect_close_https(struct openconnect_info *vpninfo, int final);
944
int cstp_handshake(struct openconnect_info *vpninfo, unsigned init);
945
int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, void *cert,
946
char *buf);
947
int openconnect_sha1(unsigned char *result, void *data, int len);
948
int openconnect_sha256(unsigned char *result, void *data, int len);
949
int openconnect_md5(unsigned char *result, void *data, int len);
950
int openconnect_random(void *bytes, int len);
951
952
int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
char *buf);
953
954
955
int openconnect_yubikey_chalresp(struct openconnect_info *vpninfo,
const void *challenge, int chall_len, void *result);
int openconnect_hash_yubikey_password(struct openconnect_info *vpninfo,
956
957
const char *password, int pwlen,
const void *ident, int id_len);
958
int hotp_hmac(struct openconnect_info *vpninfo, const void *challenge);
959
960
961
962
963
#if defined(OPENCONNECT_OPENSSL)
#define openconnect_https_connected(_v) ((_v)->https_ssl)
#elif defined (OPENCONNECT_GNUTLS)
#define openconnect_https_connected(_v) ((_v)->https_sess)
#endif
964
965
/* mainloop.c */
966
int tun_mainloop(struct openconnect_info *vpninfo, int *timeout);
967
int queue_new_packet(struct pkt_q *q, void *buf, int len);
968
int keepalive_action(struct keepalive_info *ka, int *timeout);
969
int ka_stalled_action(struct keepalive_info *ka, int *timeout);
970
int ka_check_deadline(int *timeout, time_t now, time_t due);
971
972
/* xml.c */
973
974
ssize_t read_file_into_string(struct openconnect_info *vpninfo, const char *fname,
char **ptr);
975
976
int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
/* oath.c */
int set_totp_mode(struct openconnect_info *vpninfo, const char *token_str);
int set_hotp_mode(struct openconnect_info *vpninfo, const char *token_str);
int can_gen_totp_code(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt);
int can_gen_hotp_code(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt);
int do_gen_totp_code(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt);
int do_gen_hotp_code(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt);
993
994
995
996
997
998
999
1000
/* stoken.c */
int prepare_stoken(struct openconnect_info *vpninfo);
int set_libstoken_mode(struct openconnect_info *vpninfo, const char *token_str);
int can_gen_stoken_code(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt);
int do_gen_stoken_code(struct openconnect_info *vpninfo,
struct oc_auth_form *form,