/*
 * OpenConnect (SSL + DTLS) VPN client
 *
 * Copyright © 2008-2012 Intel Corporation.
 * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
 *
 * Author: David Woodhouse <dwmw2@infradead.org>
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * version 2.1, as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to:
 *
 *   Free Software Foundation, Inc.
 *   51 Franklin Street, Fifth Floor,
 *   Boston, MA 02110-1301 USA
 */

#include <netdb.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdarg.h>

#include "openconnect-internal.h"

/*
 * Data packets are encapsulated in the SSL stream as follows:
 *
 * 0000: Magic "STF\x1"
 * 0004: Big-endian 16-bit length (not including 8-byte header)
 * 0006: Byte packet type (see openconnect-internal.h)
 * 0008: data payload
 */

/* Header template for outgoing data packets. The two length bytes are
 * filled in per packet, and hdr[6] is rewritten to AC_PKT_COMPRESSED for
 * the deflate packet (see make_cstp_connection / cstp_mainloop). */
static char data_hdr[8] = {
	[0] = 'S', [1] = 'T', [2] = 'F', [3] = 1,
	[4] = 0, [5] = 0,	/* Length, big-endian, set per packet */
	[6] = AC_PKT_DATA,	/* Type */
	[7] = 0			/* Unknown */
};

/* Pre-built zero-payload control packets. They are queued by address and
 * must never be free()d; cstp_mainloop compares against them explicitly
 * before releasing a sent packet. */
static struct pkt keepalive_pkt = { .hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_KEEPALIVE, 0 } };
static struct pkt dpd_pkt       = { .hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_DPD_OUT, 0 } };
static struct pkt dpd_resp_pkt  = { .hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_DPD_RESP, 0 } };

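/*
 * Append printf-formatted text to the NUL-terminated string already in buf.
 *
 * @buf: buffer holding a NUL-terminated string (may be empty, "")
 * @len: total size of buf in bytes
 * @fmt: printf format for the text to append
 *
 * Output that does not fit is truncated; buf stays NUL-terminated.
 * Returns the number of bytes actually appended: 0 when the buffer was
 * already full (or len <= 0) or when formatting failed.
 */
static int  __attribute__ ((format (printf, 3, 4)))
    buf_append(char *buf, int len, const char *fmt, ...)
{
	size_t start = strlen(buf);
	int avail, ret;
	va_list args;

	/* Nothing can be appended to a full buffer */
	if (len <= 0 || start >= (size_t)len)
		return 0;
	avail = len - (int)start;

	va_start(args, fmt);
	ret = vsnprintf(buf + start, avail, fmt, args);
	va_end(args);

	if (ret < 0) {
		/* Formatting failed; leave the existing string intact */
		buf[start] = 0;
		return 0;
	}
	/* vsnprintf() reports the length it *wanted* to write. Clamp to the
	 * space that was really available (minus the NUL), so the return
	 * value never claims more than was stored. */
	if (ret >= avail)
		ret = avail - 1;

	return ret;
}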

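/* Calculate MTU to request. Old servers simply use the X-CSTP-MTU: header,
 * which represents the tunnel MTU, while new servers do calculations on the
 * X-CSTP-Base-MTU: header which represents the cleartext MTU between client
 * and server.
 *
 * If possible, the legacy MTU value should be the TCP MSS less 5 bytes of
 * TLS and 8 bytes of CSTP overhead. We can get the MSS from either the
 * TCP_INFO or TCP_MAXSEG sockopts.
 *
 * The base MTU comes from the TCP_INFO sockopt under Linux, but I don't know
 * how to work it out on other systems. So leave it blank and do things the
 * legacy way there. Contributions welcome...
 *
 * If we don't even have TCP_MAXSEG, then default to sending a legacy MTU of
 * 1406 which is what we always used to do.
 *
 * Explicitly configured values (vpninfo->mtu / vpninfo->basemtu) are used
 * as-is; only zero values are derived from the socket. *base_mtu may be
 * left 0 where it cannot be determined.
 */
static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *mtu)
{
	/* 5 bytes of TLS record overhead plus the 8-byte CSTP header */
	enum { CSTP_MSS_OVERHEAD = 5 + 8, CSTP_DEFAULT_MTU = 1406 };

	*mtu = vpninfo->mtu;
	*base_mtu = vpninfo->basemtu;

#if defined(__linux__) && defined(TCP_INFO)
	if (!*mtu || !*base_mtu) {
		struct tcp_info ti;
		socklen_t ti_size = sizeof(ti);

		if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_INFO,
				&ti, &ti_size)) {
			vpn_progress(vpninfo, PRG_TRACE,
				     _("TCP_INFO rcv mss %d, snd mss %d, adv mss %d, pmtu %d\n"),
				     ti.tcpi_rcv_mss, ti.tcpi_snd_mss, ti.tcpi_advmss, ti.tcpi_pmtu);
			if (!*base_mtu)
				*base_mtu = ti.tcpi_pmtu;
			if (!*mtu) {
				unsigned int mss = ti.tcpi_rcv_mss < ti.tcpi_snd_mss ?
						   ti.tcpi_rcv_mss : ti.tcpi_snd_mss;
				/* An MSS no larger than the overhead would give a
				 * zero or negative MTU (and, being non-zero, would
				 * also bypass the fallbacks below); leave *mtu unset
				 * instead so TCP_MAXSEG or the default is used. */
				if (mss > CSTP_MSS_OVERHEAD)
					*mtu = (int)(mss - CSTP_MSS_OVERHEAD);
			}
		}
	}
#endif
#ifdef TCP_MAXSEG
	if (!*mtu) {
		int mss;
		socklen_t mss_size = sizeof(mss);

		if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_MAXSEG,
				&mss, &mss_size)) {
			vpn_progress(vpninfo, PRG_TRACE, _("TCP_MAXSEG %d\n"), mss);
			if (mss > CSTP_MSS_OVERHEAD)
				*mtu = mss - CSTP_MSS_OVERHEAD;
		}
	}
#endif
	if (!*mtu) {
		/* Default */
		*mtu = CSTP_DEFAULT_MTU;
	}
}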

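/* Free a singly-linked list of split routes / DNS entries. The route
 * strings themselves belong to the option list and are not freed here. */
static void cstp_free_split_list(struct split_include *inc)
{
	while (inc) {
		struct split_include *next = inc->next;
		free(inc);
		inc = next;
	}
}

/* Free a vpn_option list together with its option/value strings. */
static void cstp_free_option_list(struct vpn_option *opt)
{
	while (opt) {
		struct vpn_option *next = opt->next;
		free(opt->value);
		free(opt->option);
		free(opt);
		opt = next;
	}
}

/* On reconnect, an address/netmask that was previously assigned must come
 * back identical. old == NULL means there is nothing to compare against;
 * a missing (NULL) or different cur counts as a change. */
static int cstp_addr_changed(const char *old, const char *cur)
{
	if (!old)
		return 0;
	return !cur || strcmp(old, cur) != 0;
}

/*
 * Send the CSTP CONNECT request over the open HTTPS connection and parse
 * the X-CSTP- and X-DTLS- response headers into vpninfo (option lists,
 * addresses, DNS, split routes, keepalive/DPD/rekey timers, DTLS session).
 *
 * State from a previous connection is replaced. On reconnect, any address
 * or netmask that was assigned before must be assigned again unchanged,
 * otherwise the connection is rejected.
 *
 * Returns 0 on success, -EINTR if interrupted while reading the response,
 * -ENOMEM on allocation failure and -EINVAL on protocol errors or server
 * refusal. Note that an HTTP 401 response and a failure to re-open the
 * HTTPS connection exit the process (existing behaviour).
 */
static int start_cstp_connection(struct openconnect_info *vpninfo)
{
	char buf[65536];
	int i, ret;
	int retried = 0, sessid_found = 0;
	struct vpn_option **next_dtls_option = &vpninfo->dtls_options;
	struct vpn_option **next_cstp_option = &vpninfo->cstp_options;
	struct vpn_option *old_cstp_opts = vpninfo->cstp_options;
	struct vpn_option *old_dtls_opts = vpninfo->dtls_options;
	const char *old_addr = vpninfo->vpn_addr;
	const char *old_netmask = vpninfo->vpn_netmask;
	const char *old_addr6 = vpninfo->vpn_addr6;
	const char *old_netmask6 = vpninfo->vpn_netmask6;
	int base_mtu, mtu;

	/* Clear old options which will be overwritten. The old option lists
	 * (which the old_* strings above point into) are kept until the new
	 * addresses have been checked against them below. */
	vpninfo->vpn_addr = vpninfo->vpn_netmask = NULL;
	vpninfo->vpn_addr6 = vpninfo->vpn_netmask6 = NULL;
	vpninfo->cstp_options = vpninfo->dtls_options = NULL;
	vpninfo->vpn_domain = vpninfo->vpn_proxy_pac = NULL;
	vpninfo->banner = NULL;

	for (i = 0; i < 3; i++)
		vpninfo->vpn_dns[i] = vpninfo->vpn_nbns[i] = NULL;

	cstp_free_split_list(vpninfo->split_includes);
	cstp_free_split_list(vpninfo->split_excludes);
	cstp_free_split_list(vpninfo->split_dns);
	vpninfo->split_dns = vpninfo->split_includes = vpninfo->split_excludes = NULL;

	/* Create (new) random master key for DTLS connection, if needed */
	if (vpninfo->dtls_times.last_rekey + vpninfo->dtls_times.rekey <
	    time(NULL) + 300 &&
	    openconnect_random(vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret))) {
		fprintf(stderr, _("Failed to initialise DTLS secret\n"));
		exit(1);
	}

 retry:
	calculate_mtu(vpninfo, &base_mtu, &mtu);

	buf[0] = 0;
	buf_append(buf, sizeof(buf), "CONNECT /CSCOSSLC/tunnel HTTP/1.1\r\n");
	buf_append(buf, sizeof(buf), "Host: %s\r\n", vpninfo->hostname);
	buf_append(buf, sizeof(buf), "User-Agent: %s\r\n", vpninfo->useragent);
	buf_append(buf, sizeof(buf), "Cookie: webvpn=%s\r\n", vpninfo->cookie);
	buf_append(buf, sizeof(buf), "X-CSTP-Version: 1\r\n");
	buf_append(buf, sizeof(buf), "X-CSTP-Hostname: %s\r\n", vpninfo->localname);
	if (vpninfo->deflate)
		buf_append(buf, sizeof(buf), "X-CSTP-Accept-Encoding: deflate;q=1.0\r\n");
	if (base_mtu)
		buf_append(buf, sizeof(buf), "X-CSTP-Base-MTU: %d\r\n", base_mtu);
	buf_append(buf, sizeof(buf), "X-CSTP-MTU: %d\r\n", mtu);
	buf_append(buf, sizeof(buf), "X-CSTP-Address-Type: %s\r\n",
			       vpninfo->disable_ipv6?"IPv4":"IPv6,IPv4");
	buf_append(buf, sizeof(buf), "X-DTLS-Master-Secret: ");
	for (i = 0; i < sizeof(vpninfo->dtls_secret); i++)
		buf_append(buf, sizeof(buf), "%02X", vpninfo->dtls_secret[i]);
	buf_append(buf, sizeof(buf), "\r\nX-DTLS-CipherSuite: %s\r\n\r\n",
			       vpninfo->dtls_ciphers?:"AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");

	openconnect_SSL_write(vpninfo, buf, strlen(buf));

	/* Assign first, then compare: 'i' must hold the real return value
	 * so that -EINTR can be recognised below. */
	if ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf))) < 0) {
		if (i == -EINTR)
			return i;
		vpn_progress(vpninfo, PRG_ERR,
			     _("Error fetching HTTPS response\n"));
		if (!retried) {
			retried = 1;
			openconnect_close_https(vpninfo, 0);

			if (openconnect_open_https(vpninfo)) {
				vpn_progress(vpninfo, PRG_ERR,
					     _("Failed to open HTTPS connection to %s\n"),
					     vpninfo->hostname);
				exit(1);
			}
			goto retry;
		}
		return -EINVAL;
	}

	if (strncmp(buf, "HTTP/1.1 200 ", 13)) {
		if (!strncmp(buf, "HTTP/1.1 503 ", 13)) {
			/* "Service Unavailable. Why? */
			const char *reason = "<unknown>";
			/* Stop on end of headers *or* on a read error, so a
			 * failing connection cannot keep us looping here. */
			while ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf))) > 0) {
				if (!strncmp(buf, "X-Reason: ", 10)) {
					reason = buf + 10;
					break;
				}
			}
			vpn_progress(vpninfo, PRG_ERR,
				     _("VPN service unavailable; reason: %s\n"),
				     reason);
			return -EINVAL;
		}
		vpn_progress(vpninfo, PRG_ERR,
			     _("Got inappropriate HTTP CONNECT response: %s\n"),
			     buf);
		if (!strncmp(buf, "HTTP/1.1 401 ", 13))
			exit(2);
		return -EINVAL;
	}

	vpn_progress(vpninfo, PRG_INFO, _("Got CONNECT response: %s\n"), buf);

	/* We may have advertised it, but we only do it if the server agrees */
	vpninfo->deflate = 0;

	/* Header lines until the empty line that ends the response */
	while ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf)))) {
		struct vpn_option *new_option;
		char *colon;

		if (i < 0)
			return i;

		colon = strchr(buf, ':');
		if (!colon)
			continue;

		/* Split "Name: value" in place; buf is the name, colon the value */
		*colon = 0;
		colon++;
		if (*colon == ' ')
			colon++;

		if (strncmp(buf, "X-DTLS-", 7) &&
		    strncmp(buf, "X-CSTP-", 7))
			continue;

		new_option = malloc(sizeof(*new_option));
		if (!new_option) {
			vpn_progress(vpninfo, PRG_ERR, _("No memory for options\n"));
			return -ENOMEM;
		}
		new_option->option = strdup(buf);
		new_option->value = strdup(colon);
		new_option->next = NULL;

		if (!new_option->option || !new_option->value) {
			vpn_progress(vpninfo, PRG_ERR, _("No memory for options\n"));
			/* Not linked into either list yet, so release it here */
			free(new_option->option);
			free(new_option->value);
			free(new_option);
			return -ENOMEM;
		}

		vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);

		if (!strncmp(buf, "X-DTLS-", 7)) {
			*next_dtls_option = new_option;
			next_dtls_option = &new_option->next;

			if (!strcmp(buf + 7, "MTU")) {
				int hdr_mtu = atol(colon);
				if (hdr_mtu > vpninfo->mtu)
					vpninfo->mtu = hdr_mtu;
			} else if (!strcmp(buf + 7, "Session-ID")) {
				if (strlen(colon) != 64) {
					vpn_progress(vpninfo, PRG_ERR,
						     _("X-DTLS-Session-ID not 64 characters; is: \"%s\"\n"),
						     colon);
					vpninfo->dtls_attempt_period = 0;
					return -EINVAL;
				}
				/* 64 hex digits -> 32 bytes of session id */
				for (i = 0; i < 64; i += 2)
					vpninfo->dtls_session_id[i/2] = unhex(colon + i);
				sessid_found = 1;
				time(&vpninfo->dtls_times.last_rekey);
			}
			continue;
		}
		/* CSTP options... */
		*next_cstp_option = new_option;
		next_cstp_option = &new_option->next;

		/* The address/route/DNS fields below alias new_option->value,
		 * which lives as long as vpninfo->cstp_options. */
		if (!strcmp(buf + 7, "Keepalive")) {
			vpninfo->ssl_times.keepalive = atol(colon);
		} else if (!strcmp(buf + 7, "DPD")) {
			int j = atol(colon);
			if (j && (!vpninfo->ssl_times.dpd || j < vpninfo->ssl_times.dpd))
				vpninfo->ssl_times.dpd = j;
		} else if (!strcmp(buf + 7, "Rekey-Time")) {
			vpninfo->ssl_times.rekey = atol(colon);
		} else if (!strcmp(buf + 7, "Content-Encoding")) {
			if (!strcmp(colon, "deflate"))
				vpninfo->deflate = 1;
			else {
				vpn_progress(vpninfo, PRG_ERR,
					     _("Unknown CSTP-Content-Encoding %s\n"),
					     colon);
				return -EINVAL;
			}
		} else if (!strcmp(buf + 7, "MTU")) {
			int hdr_mtu = atol(colon);
			if (hdr_mtu > vpninfo->mtu)
				vpninfo->mtu = hdr_mtu;
		} else if (!strcmp(buf + 7, "Address")) {
			if (strchr(new_option->value, ':')) {
				if (!vpninfo->disable_ipv6)
					vpninfo->vpn_addr6 = new_option->value;
			} else
				vpninfo->vpn_addr = new_option->value;
		} else if (!strcmp(buf + 7, "Netmask")) {
			if (strchr(new_option->value, ':')) {
				if (!vpninfo->disable_ipv6)
					vpninfo->vpn_netmask6 = new_option->value;
			} else
				vpninfo->vpn_netmask = new_option->value;
		} else if (!strcmp(buf + 7, "DNS")) {
			int j;
			for (j = 0; j < 3; j++) {
				if (!vpninfo->vpn_dns[j]) {
					vpninfo->vpn_dns[j] = new_option->value;
					break;
				}
			}
		} else if (!strcmp(buf + 7, "NBNS")) {
			int j;
			for (j = 0; j < 3; j++) {
				if (!vpninfo->vpn_nbns[j]) {
					vpninfo->vpn_nbns[j] = new_option->value;
					break;
				}
			}
		} else if (!strcmp(buf + 7, "Default-Domain")) {
			vpninfo->vpn_domain = new_option->value;
		} else if (!strcmp(buf + 7, "MSIE-Proxy-PAC-URL")) {
			vpninfo->vpn_proxy_pac = new_option->value;
		} else if (!strcmp(buf + 7, "Banner")) {
			vpninfo->banner = new_option->value;
		} else if (!strcmp(buf + 7, "Split-DNS")) {
			struct split_include *dns = malloc(sizeof(*dns));
			if (!dns)
				continue;
			dns->route = new_option->value;
			dns->next = vpninfo->split_dns;
			vpninfo->split_dns = dns;
		} else if (!strcmp(buf + 7, "Split-Include")) {
			struct split_include *inc = malloc(sizeof(*inc));
			if (!inc)
				continue;
			inc->route = new_option->value;
			inc->next = vpninfo->split_includes;
			vpninfo->split_includes = inc;
		} else if (!strcmp(buf + 7, "Split-Exclude")) {
			struct split_include *exc = malloc(sizeof(*exc));
			if (!exc)
				continue;
			exc->route = new_option->value;
			exc->next = vpninfo->split_excludes;
			vpninfo->split_excludes = exc;
		}
	}

	/* Validate the new addresses against the previous connection. Only
	 * one family may have been assigned this time, so a missing address
	 * is reported as "(none)" rather than passed to strcmp()/printf(). */
	ret = 0;
	if (!vpninfo->vpn_addr && !vpninfo->vpn_addr6) {
		vpn_progress(vpninfo, PRG_ERR,
			     _("No IP address received. Aborting\n"));
		ret = -EINVAL;
	} else if (cstp_addr_changed(old_addr, vpninfo->vpn_addr)) {
		vpn_progress(vpninfo, PRG_ERR,
			     _("Reconnect gave different Legacy IP address (%s != %s)\n"),
			     vpninfo->vpn_addr ? vpninfo->vpn_addr : "(none)", old_addr);
		ret = -EINVAL;
	} else if (cstp_addr_changed(old_netmask, vpninfo->vpn_netmask)) {
		vpn_progress(vpninfo, PRG_ERR,
			     _("Reconnect gave different Legacy IP netmask (%s != %s)\n"),
			     vpninfo->vpn_netmask ? vpninfo->vpn_netmask : "(none)", old_netmask);
		ret = -EINVAL;
	} else if (cstp_addr_changed(old_addr6, vpninfo->vpn_addr6)) {
		vpn_progress(vpninfo, PRG_ERR,
			     _("Reconnect gave different IPv6 address (%s != %s)\n"),
			     vpninfo->vpn_addr6 ? vpninfo->vpn_addr6 : "(none)", old_addr6);
		ret = -EINVAL;
	} else if (cstp_addr_changed(old_netmask6, vpninfo->vpn_netmask6)) {
		vpn_progress(vpninfo, PRG_ERR,
			     _("Reconnect gave different IPv6 netmask (%s != %s)\n"),
			     vpninfo->vpn_netmask6 ? vpninfo->vpn_netmask6 : "(none)", old_netmask6);
		ret = -EINVAL;
	}

	/* The old lists are no longer referenced from vpninfo; free them on
	 * the failure path too, after the old_* strings were last used. */
	cstp_free_option_list(old_dtls_opts);
	cstp_free_option_list(old_cstp_opts);
	if (ret)
		return ret;

	vpn_progress(vpninfo, PRG_INFO, _("CSTP connected. DPD %d, Keepalive %d\n"),
		     vpninfo->ssl_times.dpd, vpninfo->ssl_times.keepalive);

	if (vpninfo->select_nfds <= vpninfo->ssl_fd)
		vpninfo->select_nfds = vpninfo->ssl_fd + 1;

	FD_SET(vpninfo->ssl_fd, &vpninfo->select_rfds);
	FD_SET(vpninfo->ssl_fd, &vpninfo->select_efds);

	/* Without a DTLS session id there is nothing to resume over DTLS */
	if (!sessid_found)
		vpninfo->dtls_attempt_period = 0;

	vpninfo->ssl_times.last_rekey = vpninfo->ssl_times.last_rx =
		vpninfo->ssl_times.last_tx = time(NULL);
	return 0;
}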


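/*
 * Open the HTTPS connection, set up zlib state if compression was
 * requested, and start the CSTP tunnel.
 *
 * Returns 0 on success, or the error returned by openconnect_open_https()
 * / start_cstp_connection(). A compression setup failure is not fatal:
 * vpninfo->deflate is cleared and the tunnel runs uncompressed.
 */
int make_cstp_connection(struct openconnect_info *vpninfo)
{
	int ret;

	ret = openconnect_open_https(vpninfo);
	if (ret)
		return ret;

	if (vpninfo->deflate) {
		/* Running adler32 over the uncompressed payload in each
		 * direction; 1 is the adler32 seed value. */
		vpninfo->deflate_adler32 = 1;
		vpninfo->inflate_adler32 = 1;

		if (inflateInit2(&vpninfo->inflate_strm, -12)) {
			vpn_progress(vpninfo, PRG_ERR, _("Compression setup failed\n"));
			vpninfo->deflate = 0;
		} else if (deflateInit2(&vpninfo->deflate_strm, Z_DEFAULT_COMPRESSION,
					Z_DEFLATED, -12, 9, Z_DEFAULT_STRATEGY)) {
			vpn_progress(vpninfo, PRG_ERR, _("Compression setup failed\n"));
			/* Don't leak the inflate stream that did initialise */
			inflateEnd(&vpninfo->inflate_strm);
			vpninfo->deflate = 0;
		}

		if (!vpninfo->deflate_pkt) {
			/* Room for 2040 bytes of deflate output plus the 4-byte
			 * adler32 trailer appended in cstp_mainloop */
			vpninfo->deflate_pkt = malloc(sizeof(struct pkt) + 2048);
			if (!vpninfo->deflate_pkt) {
				vpn_progress(vpninfo, PRG_ERR,
					     _("Allocation of deflate buffer failed\n"));
				/* Only tear down streams that were set up */
				if (vpninfo->deflate) {
					inflateEnd(&vpninfo->inflate_strm);
					deflateEnd(&vpninfo->deflate_strm);
				}
				vpninfo->deflate = 0;
			} else {
				memset(vpninfo->deflate_pkt, 0, sizeof(struct pkt));
				memcpy(vpninfo->deflate_pkt->hdr, data_hdr, 8);
				vpninfo->deflate_pkt->hdr[6] = AC_PKT_COMPRESSED;
			}
		}
	}

	return start_cstp_connection(vpninfo);
}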

/*
 * Tear down the current HTTPS/CSTP session and establish a new one,
 * retrying with a growing back-off until reconnect_timeout is used up.
 *
 * Returns 0 once reconnected (after running the "reconnect" script hook),
 * 1 if 'killed' was raised while waiting, otherwise the error from the
 * last make_cstp_connection() attempt.
 */
int cstp_reconnect(struct openconnect_info *vpninfo)
{
	int remaining, backoff, ret;

	openconnect_close_https(vpninfo, 0);

	/* Requeue the original packet that was deflated */
	if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt) {
		vpninfo->current_ssl_pkt = NULL;
		queue_packet(&vpninfo->outgoing_queue, vpninfo->pending_deflated_pkt);
		vpninfo->pending_deflated_pkt = NULL;
	}
	if (vpninfo->deflate) {
		inflateEnd(&vpninfo->inflate_strm);
		deflateEnd(&vpninfo->deflate_strm);
	}
	remaining = vpninfo->reconnect_timeout;
	backoff = vpninfo->reconnect_interval;

	for (;;) {
		ret = make_cstp_connection(vpninfo);
		if (!ret)
			break;
		if (remaining <= 0)
			return ret;

		vpn_progress(vpninfo, PRG_INFO,
			     _("sleep %ds, remaining timeout %ds\n"),
			     backoff, remaining);
		sleep(backoff);
		if (killed)
			return 1;

		/* Linear back-off, capped at RECONNECT_INTERVAL_MAX */
		remaining -= backoff;
		backoff += vpninfo->reconnect_interval;
		if (backoff > RECONNECT_INTERVAL_MAX)
			backoff = RECONNECT_INTERVAL_MAX;
	}

	script_config_tun(vpninfo, "reconnect");
	return 0;
}

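/*
 * Inflate a compressed data packet payload and queue the result on
 * vpninfo->incoming_queue.
 *
 * @buf/@len: the packet payload as received (after the 8-byte CSTP
 * header). Its last four bytes are a big-endian adler32 of the
 * uncompressed stream so far, which is checked against the running
 * inflate_adler32.
 *
 * Returns 0 when the packet was queued, -EINVAL for a payload that is too
 * short or does not inflate, -ENOMEM on allocation failure. A checksum
 * mismatch only records vpninfo->quit_reason; the packet is still queued
 * (existing behaviour).
 */
static int inflate_and_queue_packet(struct openconnect_info *vpninfo,
				    unsigned char *buf, int len)
{
	struct pkt *new;
	uint32_t pkt_sum;

	/* len comes from the wire. Anything shorter than the 4-byte trailer
	 * would wrap avail_in and read the trailer from before buf. */
	if (len < 4) {
		vpn_progress(vpninfo, PRG_ERR,
			     _("Compressed packet too short (%d bytes)\n"), len);
		return -EINVAL;
	}

	new = malloc(sizeof(struct pkt) + vpninfo->mtu);
	if (!new)
		return -ENOMEM;

	new->next = NULL;

	vpninfo->inflate_strm.next_in = buf;
	vpninfo->inflate_strm.avail_in = len - 4;

	vpninfo->inflate_strm.next_out = new->data;
	vpninfo->inflate_strm.avail_out = vpninfo->mtu;
	vpninfo->inflate_strm.total_out = 0;

	if (inflate(&vpninfo->inflate_strm, Z_SYNC_FLUSH)) {
		vpn_progress(vpninfo, PRG_ERR, _("inflate failed\n"));
		free(new);
		return -EINVAL;
	}

	new->len = vpninfo->inflate_strm.total_out;

	vpninfo->inflate_adler32 = adler32(vpninfo->inflate_adler32,
					   new->data, new->len);

	/* Big-endian trailer. Widen before shifting: shifting a promoted
	 * (signed int) byte by 24 is undefined when the top bit is set. */
	pkt_sum = ((uint32_t)buf[len - 4] << 24) | ((uint32_t)buf[len - 3] << 16) |
		  ((uint32_t)buf[len - 2] << 8) | (uint32_t)buf[len - 1];

	if (vpninfo->inflate_adler32 != pkt_sum) {
		vpninfo->quit_reason = "Compression (inflate) adler32 failure";
	}

	vpn_progress(vpninfo, PRG_TRACE,
		     _("Received compressed data packet of %ld bytes\n"),
		     (long)vpninfo->inflate_strm.total_out);

	queue_packet(&vpninfo->incoming_queue, new);
	return 0;
}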

#if defined (OPENCONNECT_OPENSSL)
/* Read up to maxlen bytes from the TLS session into buf (OpenSSL).
 * Returns the byte count, 0 when nothing is available yet, or -EIO when
 * the connection looks dead and the caller should reconnect. */
static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)
{
	int got = SSL_read(vpninfo->https_ssl, buf, maxlen);
	int err;

	if (got > 0)
		return got;

	err = SSL_get_error(vpninfo->https_ssl, got);
	switch (err) {
	case SSL_ERROR_SYSCALL:
	case SSL_ERROR_ZERO_RETURN:
		vpn_progress(vpninfo, PRG_ERR,
			     _("SSL read error %d (server probably closed connection); reconnecting.\n"),
			     err);
		return -EIO;
	default:
		/* WANT_READ/WANT_WRITE and friends: nothing to do right now */
		return 0;
	}
}

/* Write buflen bytes from buf to the TLS session (OpenSSL).
 * Returns the byte count, 0 if the write must be retried later (the fd
 * is added to select_wfds when the socket is the bottleneck), or -1 on a
 * hard error after reporting it. */
static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)
{
	int sent = SSL_write(vpninfo->https_ssl, buf, buflen);
	int err;

	if (sent > 0)
		return sent;

	err = SSL_get_error(vpninfo->https_ssl, sent);
	if (err == SSL_ERROR_WANT_WRITE) {
		/* Waiting for the socket to become writable -- it's
		   probably stalled, and/or the buffers are full */
		FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);
		return 0;
	}
	if (err == SSL_ERROR_WANT_READ)
		return 0;

	vpn_progress(vpninfo, PRG_ERR, _("SSL_write failed: %d\n"), err);
	openconnect_report_ssl_errors(vpninfo);
	return -1;
}
#elif defined (OPENCONNECT_GNUTLS)
/* Read up to maxlen bytes from the TLS session into buf (GnuTLS).
 * Returns the byte count, 0 when the record layer would block, or -EIO
 * for any other result so the caller reconnects. */
static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)
{
	int got = gnutls_record_recv(vpninfo->https_sess, buf, maxlen);

	if (got > 0)
		return got;
	if (got == GNUTLS_E_AGAIN)
		return 0;

	vpn_progress(vpninfo, PRG_ERR,
		     _("SSL read error: %s; reconnecting.\n"),
		     gnutls_strerror(got));
	return -EIO;
}

/* Write buflen bytes from buf to the TLS session (GnuTLS).
 * Returns the byte count, 0 if the write must be retried later (the fd
 * is added to select_wfds when GnuTLS is waiting to write), or -1 on a
 * hard error after logging it. */
static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)
{
	int sent = gnutls_record_send(vpninfo->https_sess, buf, buflen);

	if (sent > 0)
		return sent;

	if (sent != GNUTLS_E_AGAIN) {
		vpn_progress(vpninfo, PRG_ERR, _("SSL send failed: %s\n"),
			     gnutls_strerror(sent));
		return -1;
	}

	if (gnutls_record_get_direction(vpninfo->https_sess)) {
		/* Waiting for the socket to become writable -- it's
		   probably stalled, and/or the buffers are full */
		FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);
	}
	return 0;
}
#endif

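/*
 * One pass of the CSTP (TLS tunnel) main loop.
 *
 * First drains incoming packets from the TLS session: control packets
 * (DPD, keepalive, disconnect, terminate) are handled here, data packets
 * are queued on incoming_queue (inflated first if compression is on).
 * Then any packet still pending in current_ssl_pkt is (re)sent, the
 * keepalive/DPD/rekey timers are serviced, and -- when DTLS is not up --
 * packets are moved from outgoing_queue to the wire, deflated if
 * negotiated.
 *
 * 'timeout' is passed through to the keepalive helpers (presumably the
 * caller's poll timeout -- confirm against their declarations).
 *
 * Returns work_done (1 if a packet was queued or sent, else 0). Returns 1
 * with vpninfo->quit_reason set when the session must end, and 1 after a
 * successful reconnect so the caller re-enters the loop immediately.
 */
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout)
{
	unsigned char buf[16384];
	int len, ret;
	int work_done = 0;

	/* FIXME: The poll() handling here is fairly simplistic. Actually,
	   if the SSL connection stalls it could return a WANT_WRITE error
	   on _either_ of the SSL_read() or SSL_write() calls. In that case,
	   we should probably remove POLLIN from the events we're looking for,
	   and add POLLOUT. As it is, though, it'll just chew CPU time in that
	   fairly unlikely situation, until the write backlog clears. */
	while ( (len = cstp_read(vpninfo, buf, sizeof(buf))) > 0) {
		int payload_len;

		/* Never look at header bytes cstp_read() did not fill in */
		if (len < 8) {
			vpn_progress(vpninfo, PRG_ERR,
				     _("Short CSTP packet: SSL_read returned %d bytes\n"),
				     len);
			continue;
		}

		if (buf[0] != 'S' || buf[1] != 'T' ||
		    buf[2] != 'F' || buf[3] != 1 || buf[7])
			goto unknown_pkt;

		payload_len = (buf[4] << 8) + buf[5];
		if (len != 8 + payload_len) {
			vpn_progress(vpninfo, PRG_ERR,
				     _("Unexpected packet length. SSL_read returned %d but packet is\n"),
				     len);
			vpn_progress(vpninfo, PRG_ERR,
				     "%02x %02x %02x %02x %02x %02x %02x %02x\n",
				     buf[0], buf[1], buf[2], buf[3],
				     buf[4], buf[5], buf[6], buf[7]);
			continue;
		}
		vpninfo->ssl_times.last_rx = time(NULL);
		switch(buf[6]) {
		case AC_PKT_DPD_OUT:
			vpn_progress(vpninfo, PRG_TRACE,
				     _("Got CSTP DPD request\n"));
			vpninfo->owe_ssl_dpd_response = 1;
			continue;

		case AC_PKT_DPD_RESP:
			vpn_progress(vpninfo, PRG_TRACE,
				     _("Got CSTP DPD response\n"));
			continue;

		case AC_PKT_KEEPALIVE:
			vpn_progress(vpninfo, PRG_TRACE,
				     _("Got CSTP Keepalive\n"));
			continue;

		case AC_PKT_DATA:
			vpn_progress(vpninfo, PRG_TRACE,
				     _("Received uncompressed data packet of %d bytes\n"),
				     payload_len);
			queue_new_packet(&vpninfo->incoming_queue, buf + 8,
					 payload_len);
			work_done = 1;
			continue;

		case AC_PKT_DISCONN: {
			int i;
			/* Payload is one status byte (buf[8]) followed by free
			 * text from the server. Sanitise the text before logging
			 * it, and keep the terminator inside buf: payload_len + 8
			 * == len, which may equal sizeof(buf). */
			int text_len = payload_len > 0 ? payload_len - 1 : 0;
			if (9 + text_len >= (int)sizeof(buf))
				text_len = (int)sizeof(buf) - 10;
			if (!payload_len)
				buf[8] = 0;	/* no status byte was sent */
			for (i = 0; i < text_len; i++) {
				if (!isprint(buf[9 + i]))
					buf[9 + i] = '.';
			}
			buf[9 + text_len] = 0;
			vpn_progress(vpninfo, PRG_ERR,
				     _("Received server disconnect: %02x '%s'\n"),
				     buf[8], buf + 9);
			vpninfo->quit_reason = "Server request";
			return 1;
		}
		case AC_PKT_COMPRESSED:
			if (!vpninfo->deflate) {
				vpn_progress(vpninfo, PRG_ERR,
					     _("Compressed packet received in !deflate mode\n"));
				goto unknown_pkt;
			}
			/* Best effort: a packet that fails to inflate is logged
			 * and dropped by the callee */
			inflate_and_queue_packet(vpninfo, buf + 8, payload_len);
			work_done = 1;
			continue;

		case AC_PKT_TERM_SERVER:
			vpn_progress(vpninfo, PRG_ERR, _("received server terminate packet\n"));
			vpninfo->quit_reason = "Server request";
			return 1;
		}

	unknown_pkt:
		vpn_progress(vpninfo, PRG_ERR,
			     _("Unknown packet %02x %02x %02x %02x %02x %02x %02x %02x\n"),
			     buf[0], buf[1], buf[2], buf[3],
			     buf[4], buf[5], buf[6], buf[7]);
		vpninfo->quit_reason = "Unknown packet received";
		return 1;
	}
	if (len < 0)
		goto do_reconnect;


	/* If SSL_write() fails we are expected to try again. With exactly
	   the same data, at exactly the same location. So we keep the
	   packet we had before.... */
	if (vpninfo->current_ssl_pkt) {
	handle_outgoing:
		vpninfo->ssl_times.last_tx = time(NULL);
		FD_CLR(vpninfo->ssl_fd, &vpninfo->select_wfds);

		ret = cstp_write(vpninfo,
				 vpninfo->current_ssl_pkt->hdr,
				 vpninfo->current_ssl_pkt->len + 8);

		if (ret < 0)
			goto do_reconnect;
		else if (!ret && ka_stalled_dpd_time(&vpninfo->ssl_times, timeout))
			goto peer_dead;

		if (ret != vpninfo->current_ssl_pkt->len + 8) {
			vpn_progress(vpninfo, PRG_ERR,
				     _("SSL wrote too few bytes! Asked for %d, sent %d\n"),
				     vpninfo->current_ssl_pkt->len + 8, ret);
			vpninfo->quit_reason = "Internal error";
			return 1;
		}
		/* Don't free the 'special' packets */
		if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt)
			free(vpninfo->pending_deflated_pkt);
		else if (vpninfo->current_ssl_pkt != &dpd_pkt &&
			 vpninfo->current_ssl_pkt != &dpd_resp_pkt &&
			 vpninfo->current_ssl_pkt != &keepalive_pkt)
			free(vpninfo->current_ssl_pkt);

		vpninfo->current_ssl_pkt = NULL;
	}

	if (vpninfo->owe_ssl_dpd_response) {
		vpninfo->owe_ssl_dpd_response = 0;
		vpninfo->current_ssl_pkt = &dpd_resp_pkt;
		goto handle_outgoing;
	}

	switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
	case KA_REKEY:
		/* Not that this will ever happen; we don't even process
		   the setting when we're asked for it. */
		vpn_progress(vpninfo, PRG_INFO, _("CSTP rekey due\n"));
		goto do_reconnect;

	case KA_DPD_DEAD:
	peer_dead:
		vpn_progress(vpninfo, PRG_ERR,
			     _("CSTP Dead Peer Detection detected dead peer!\n"));
	do_reconnect:
		if (cstp_reconnect(vpninfo)) {
			vpn_progress(vpninfo, PRG_ERR, _("Reconnect failed\n"));
			vpninfo->quit_reason = "CSTP reconnect failed";
			return 1;
		}
		/* I think we can leave DTLS to its own devices; when we reconnect
		   with the same master secret, we do seem to get the same sessid */
		return 1;

	case KA_DPD:
		vpn_progress(vpninfo, PRG_TRACE, _("Send CSTP DPD\n"));

		vpninfo->current_ssl_pkt = &dpd_pkt;
		goto handle_outgoing;

	case KA_KEEPALIVE:
		/* No need to send an explicit keepalive
		   if we have real data to send */
		if (vpninfo->dtls_fd == -1 && vpninfo->outgoing_queue)
			break;

		vpn_progress(vpninfo, PRG_TRACE, _("Send CSTP Keepalive\n"));

		vpninfo->current_ssl_pkt = &keepalive_pkt;
		goto handle_outgoing;

	case KA_NONE:
		;
	}

	/* Service outgoing packet queue, if no DTLS */
	while (vpninfo->dtls_fd == -1 && vpninfo->outgoing_queue) {
		struct pkt *this = vpninfo->outgoing_queue;
		vpninfo->outgoing_queue = this->next;
		vpninfo->outgoing_qlen--;

		if (vpninfo->deflate) {
			unsigned char *adler;
			int zret;	/* distinct from the outer 'ret' */

			vpninfo->deflate_strm.next_in = this->data;
			vpninfo->deflate_strm.avail_in = this->len;
			vpninfo->deflate_strm.next_out = (void *)vpninfo->deflate_pkt->data;
			/* 2040 + 4 bytes of adler32 fits the 2048-byte deflate_pkt */
			vpninfo->deflate_strm.avail_out = 2040;
			vpninfo->deflate_strm.total_out = 0;

			zret = deflate(&vpninfo->deflate_strm, Z_SYNC_FLUSH);
			if (zret) {
				vpn_progress(vpninfo, PRG_ERR, _("deflate failed %d\n"), zret);
				goto uncompr;
			}

			vpninfo->deflate_pkt->hdr[4] = (vpninfo->deflate_strm.total_out + 4) >> 8;
			vpninfo->deflate_pkt->hdr[5] = (vpninfo->deflate_strm.total_out + 4) & 0xff;

			/* Add ongoing adler32 to tail of compressed packet */
			vpninfo->deflate_adler32 = adler32(vpninfo->deflate_adler32,
							   this->data, this->len);

			adler = &vpninfo->deflate_pkt->data[vpninfo->deflate_strm.total_out];
			*(adler++) =  vpninfo->deflate_adler32 >> 24;
			*(adler++) = (vpninfo->deflate_adler32 >> 16) & 0xff;
			*(adler++) = (vpninfo->deflate_adler32 >> 8) & 0xff;
			*(adler)   =  vpninfo->deflate_adler32 & 0xff;

			vpninfo->deflate_pkt->len = vpninfo->deflate_strm.total_out + 4;

			vpn_progress(vpninfo, PRG_TRACE,
				     _("Sending compressed data packet of %d bytes\n"),
				     this->len);

			/* Kept until the deflated copy is confirmed sent, so the
			 * original can be requeued on reconnect */
			vpninfo->pending_deflated_pkt = this;
			vpninfo->current_ssl_pkt = vpninfo->deflate_pkt;
		} else {
		uncompr:
			memcpy(this->hdr, data_hdr, 8);
			this->hdr[4] = this->len >> 8;
			this->hdr[5] = this->len & 0xff;

			vpn_progress(vpninfo, PRG_TRACE,
				     _("Sending uncompressed data packet of %d bytes\n"),
				     this->len);

			vpninfo->current_ssl_pkt = this;
		}
		goto handle_outgoing;
	}

	/* Work is not done if we just got rid of packets off the queue */
	return work_done;
}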

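/*
 * Send an AC_PKT_DISCONN ("BYE") packet carrying 'reason' to the server.
 *
 * Best effort: the result of the write is not checked. Returns 0, or
 * -ENOMEM if the packet could not be allocated. Does nothing (returns 0)
 * when the TLS session is already gone. A NULL reason is sent as "".
 */
int cstp_bye(struct openconnect_info *vpninfo, const char *reason)
{
	unsigned char *bye_pkt;
	const char *text = reason ? reason : "";
	size_t reason_len;

	/* already lost connection? */
#if defined (OPENCONNECT_OPENSSL)
	if (!vpninfo->https_ssl)
		return 0;
#elif defined (OPENCONNECT_GNUTLS)
	if (!vpninfo->https_sess)
		return 0;
#endif

	reason_len = strlen(text);
	/* The CSTP length field is 16 bits and also counts the status byte */
	if (reason_len > 0xfffe)
		reason_len = 0xfffe;

	bye_pkt = malloc(reason_len + 9);
	if (!bye_pkt)
		return -ENOMEM;

	/* 8-byte CSTP header, one status byte (0xb0), then the reason text
	 * (not NUL-terminated on the wire) */
	memcpy(bye_pkt, data_hdr, 8);
	bye_pkt[4] = (reason_len + 1) >> 8;
	bye_pkt[5] = (reason_len + 1) & 0xff;
	bye_pkt[6] = AC_PKT_DISCONN;
	bye_pkt[8] = 0xb0;
	memcpy(bye_pkt + 9, text, reason_len);

	vpn_progress(vpninfo, PRG_INFO,
		     _("Send BYE packet: %s\n"), text);

	cstp_write(vpninfo, bye_pkt, (int)(reason_len + 9));
	free(bye_pkt);

	return 0;
}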