/
openconnect-internal.h
399 lines (343 loc) · 10.4 KB
1
2
3
/*
* OpenConnect (SSL + DTLS) VPN client
*
4
* Copyright © 2008-2012 Intel Corporation.
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
* Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
*
* Author: David Woodhouse <dwmw2@infradead.org>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* version 2.1, as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to:
*
* Free Software Foundation, Inc.
* 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA
*/
#ifndef __OPENCONNECT_INTERNAL_H__
#define __OPENCONNECT_INTERNAL_H__
#include "openconnect.h"
31
#if defined (OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
32
#include <openssl/ssl.h>
33
34
35
#include <openssl/err.h>
#endif
#if defined (OPENCONNECT_GNUTLS)
36
#include <gnutls/gnutls.h>
37
#include <gnutls/abstract.h>
38
#include <gnutls/x509.h>
39
40
41
42
#ifdef HAVE_TROUSERS
#include <trousers/tss.h>
#include <trousers/trousers.h>
#endif
43
44
#endif
45
46
47
48
49
50
51
#include <zlib.h>
#include <stdint.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
53
#ifdef LIBPROXY_HDR
54
55
#include LIBPROXY_HDR
#endif
57
#ifdef ENABLE_NLS
58
#include <locale.h>
59
#include <libintl.h>
60
#define _(s) dgettext("openconnect", s)
61
62
63
#else
#define _(s) s
#endif
64
#define N_(s) s
66
#define SHA1_SIZE 20
67
#define MD5_SIZE 16
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
/****************************************************************************/
struct pkt {
int len;
struct pkt *next;
unsigned char hdr[8];
unsigned char data[];
};
struct vpn_option {
char *option;
char *value;
struct vpn_option *next;
};
#define KA_NONE 0
#define KA_DPD 1
#define KA_DPD_DEAD 2
#define KA_KEEPALIVE 3
#define KA_REKEY 4
struct keepalive_info {
int dpd;
int keepalive;
int rekey;
time_t last_rekey;
time_t last_tx;
time_t last_rx;
time_t last_dpd;
};
struct split_include {
char *route;
struct split_include *next;
};
105
106
107
108
109
110
struct pin_cache {
struct pin_cache *next;
char *token;
char *pin;
};
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#define RECONNECT_INTERVAL_MIN 10
#define RECONNECT_INTERVAL_MAX 100
#define CERT_TYPE_UNKNOWN 0
#define CERT_TYPE_PEM 1
#define CERT_TYPE_PKCS12 2
#define CERT_TYPE_TPM 3
struct openconnect_info {
char *redirect_url;
char *csd_token;
char *csd_ticket;
char *csd_stuburl;
char *csd_starturl;
char *csd_waiturl;
char *csd_preurl;
char *csd_scriptname;
131
#ifdef LIBPROXY_HDR
132
133
134
135
136
137
138
139
140
141
pxProxyFactory *proxy_factory;
#endif
char *proxy_type;
char *proxy;
int proxy_port;
const char *localname;
char *hostname;
int port;
char *urlpath;
142
int cert_expire_warning;
143
144
145
146
147
148
149
const char *cert;
const char *sslkey;
int cert_type;
char *cert_password;
const char *cafile;
const char *servercert;
const char *xmlconfig;
150
char xmlsha1[(SHA1_SIZE * 2) + 1];
151
152
153
154
155
156
157
158
159
160
char *username;
char *password;
char *authgroup;
int nopasswd;
char *dtls_ciphers;
uid_t uid_csd;
char *csd_wrapper;
int uid_csd_given;
int no_http_keepalive;
161
OPENCONNECT_X509 *peer_cert;
163
char *cookie; /* Pointer to within cookies list */
164
165
166
167
struct vpn_option *cookies;
struct vpn_option *cstp_options;
struct vpn_option *dtls_options;
168
169
#if defined(OPENCONNECT_OPENSSL)
X509 *cert_x509;
170
171
SSL_CTX *https_ctx;
SSL *https_ssl;
172
173
174
#elif defined(OPENCONNECT_GNUTLS)
gnutls_session_t https_sess;
gnutls_certificate_credentials_t https_cred;
175
struct pin_cache *pin_cache;
176
177
178
179
180
#ifdef HAVE_TROUSERS
TSS_HCONTEXT tpm_context;
TSS_HKEY srk;
TSS_HPOLICY srk_policy;
TSS_HKEY tpm_key;
181
TSS_HPOLICY tpm_key_policy;
182
#endif
183
184
185
#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
#ifdef HAVE_P11KIT
gnutls_pkcs11_privkey_t my_p11key;
186
#endif
187
188
189
190
191
gnutls_privkey_t my_pkey;
gnutls_x509_crt_t *my_certs;
unsigned int nr_my_certs;
#endif
#endif /* OPENCONNECT_GNUTLS */
192
193
194
195
struct keepalive_info ssl_times;
int owe_ssl_dpd_response;
struct pkt *deflate_pkt;
struct pkt *current_ssl_pkt;
196
struct pkt *pending_deflated_pkt;
197
198
199
200
201
202
203
204
205
206
207
z_stream inflate_strm;
uint32_t inflate_adler32;
z_stream deflate_strm;
uint32_t deflate_adler32;
int disable_ipv6;
int reconnect_timeout;
int reconnect_interval;
int dtls_attempt_period;
time_t new_dtls_started;
208
#if defined(DTLS_OPENSSL)
209
210
211
212
SSL_CTX *dtls_ctx;
SSL *dtls_ssl;
SSL *new_dtls_ssl;
SSL_SESSION *dtls_session;
213
#elif defined(DTLS_GNUTLS)
214
215
216
217
218
219
220
/* Call these *_ssl rather than *_sess because they're just
pointers, and generic code (in mainloop.c for example)
wants to check if they're NULL or not. No point in being
differently named to the OpenSSL variant, and forcing us to
have ifdefs or accessor macros for them. */
gnutls_session_t dtls_ssl;
gnutls_session_t new_dtls_ssl;
221
#endif
222
223
224
225
226
struct keepalive_info dtls_times;
unsigned char dtls_session_id[32];
unsigned char dtls_secret[48];
char *dtls_cipher;
227
const char *vpnc_script;
228
229
230
int script_tun;
char *ifname;
231
int mtu, basemtu;
232
233
234
235
236
237
238
239
240
const char *banner;
const char *vpn_addr;
const char *vpn_netmask;
const char *vpn_addr6;
const char *vpn_netmask6;
const char *vpn_dns[3];
const char *vpn_nbns[3];
const char *vpn_domain;
const char *vpn_proxy_pac;
241
struct split_include *split_dns;
242
243
244
245
246
247
248
249
250
251
struct split_include *split_includes;
struct split_include *split_excludes;
int select_nfds;
fd_set select_rfds;
fd_set select_wfds;
fd_set select_efds;
#ifdef __sun__
int ip_fd;
253
254
255
256
257
#endif
int tun_fd;
int ssl_fd;
int dtls_fd;
int new_dtls_fd;
258
int cancel_fd;
259
260
261
262
263
264
265
266
267
268
269
270
271
struct pkt *incoming_queue;
struct pkt *outgoing_queue;
int outgoing_qlen;
int max_qlen;
socklen_t peer_addrlen;
struct sockaddr *peer_addr;
struct sockaddr *dtls_addr;
int deflate;
char *useragent;
272
const char *quit_reason;
274
275
276
277
278
void *cbdata;
openconnect_validate_peer_cert_vfn validate_peer_cert;
openconnect_write_new_config_vfn write_new_config;
openconnect_process_auth_form_vfn process_auth_form;
openconnect_progress_vfn progress;
281
282
#if (defined (DTLS_OPENSSL) && defined (SSL_OP_CISCO_ANYCONNECT)) || \
(defined (DTLS_GNUTLS) && defined (HAVE_GNUTLS_SESSION_SET_PREMASTER))
283
284
285
#define HAVE_DTLS 1
#endif
286
287
288
289
290
291
292
293
294
295
296
/* Packet types */
#define AC_PKT_DATA 0 /* Uncompressed data */
#define AC_PKT_DPD_OUT 3 /* Dead Peer Detection */
#define AC_PKT_DPD_RESP 4 /* DPD response */
#define AC_PKT_DISCONN 5 /* Client disconnection notice */
#define AC_PKT_KEEPALIVE 7 /* Keepalive */
#define AC_PKT_COMPRESSED 8 /* Compressed data */
#define AC_PKT_TERM_SERVER 9 /* Server kick */
/* Ick */
297
#ifdef DTLS_OPENSSL
298
299
300
301
302
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
#define method_const const
#else
#define method_const
#endif
305
306
#define vpn_progress(vpninfo, ...) (vpninfo)->progress ((vpninfo)->cbdata, __VA_ARGS__)
307
308
/****************************************************************************/
/* Oh Solaris how we hate thee! */
309
310
311
312
#ifdef __sun__
#define time(x) openconnect__time(x)
time_t openconnect__time(time_t *t);
#endif
313
314
315
316
#ifndef HAVE_ASPRINTF
#define asprintf openconnect__asprintf
int openconnect__asprintf(char **strp, const char *fmt, ...);
#endif
317
318
319
320
#ifndef HAVE_GETLINE
#define getline openconnect__getline
ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
#endif
322
323
324
325
326
327
/****************************************************************************/
/* tun.c */
int setup_tun(struct openconnect_info *vpninfo);
int tun_mainloop(struct openconnect_info *vpninfo, int *timeout);
void shutdown_tun(struct openconnect_info *vpninfo);
328
int script_config_tun (struct openconnect_info *vpninfo, const char *reason);
329
330
331
332
333
334
335
336
337
338
339
/* dtls.c */
unsigned char unhex(const char *data);
int setup_dtls(struct openconnect_info *vpninfo);
int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
int dtls_try_handshake(struct openconnect_info *vpninfo);
int connect_dtls_socket(struct openconnect_info *vpninfo);
/* cstp.c */
int make_cstp_connection(struct openconnect_info *vpninfo);
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);
340
int cstp_bye(struct openconnect_info *vpninfo, const char *reason);
341
342
343
int cstp_reconnect(struct openconnect_info *vpninfo);
/* ssl.c */
344
int connect_https_socket(struct openconnect_info *vpninfo);
345
int request_passphrase(struct openconnect_info *vpninfo, const char *label,
346
char **response, const char *fmt, ...);
347
int __attribute__ ((format (printf, 2, 3)))
348
openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
349
350
int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
#define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
351
352
/* ${SSL_LIBRARY}.c */
353
int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len);
354
int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len);
355
int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
356
int openconnect_open_https(struct openconnect_info *vpninfo);
357
void openconnect_close_https(struct openconnect_info *vpninfo, int final);
358
int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
360
int openconnect_sha1(unsigned char *result, void *data, int len);
361
int openconnect_random(void *bytes, int len);
362
363
int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
char *buf);
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
/* mainloop.c */
int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);
int vpn_mainloop(struct openconnect_info *vpninfo);
int queue_new_packet(struct pkt **q, void *buf, int len);
void queue_packet(struct pkt **q, struct pkt *new);
int keepalive_action(struct keepalive_info *ka, int *timeout);
int ka_stalled_dpd_time(struct keepalive_info *ka, int *timeout);
extern int killed;
/* xml.c */
int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
/* auth.c */
int parse_xml_response(struct openconnect_info *vpninfo, char *response,
380
381
char *request_body, int req_len, const char **method,
const char **request_body_type);
382
383
/* http.c */
384
char *openconnect_create_useragent(const char *base);
385
int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
386
387
int internal_parse_url(char *url, char **res_proto, char **res_host,
int *res_port, char **res_path, int default_port);
388
389
390
391
392
393
394
395
396
/* ssl_ui.c */
int set_openssl_ui(void);
/* securid.c */
int generate_securid_tokencodes(struct openconnect_info *vpninfo);
int add_securid_pin(char *token, char *pin);
/* version.c */
397
extern const char *openconnect_version_str;
398
399
#endif /* __OPENCONNECT_INTERNAL_H__ */