/*

* OpenConnect (SSL + DTLS) VPN client

*

*

* Author: David Woodhouse <dwmw2@infradead.org>

*

* This program is free software; you can redistribute it and/or

* modify it under the terms of the GNU Lesser General Public License

* version 2.1, as published by the Free Software Foundation.

*

* This program is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* Lesser General Public License for more details.

*/

#include <config.h>

#include <fcntl.h>

#include <string.h>

#include <ctype.h>

#include <stdio.h>

#include <errno.h>

#include <stdarg.h>

#include <stdlib.h>

#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY

/* Shut up about gnutls_sign_callback_set() being deprecated. We only use it

in the GnuTLS 2.12 case, and there just isn't another way of doing it. */

#define GNUTLS_INTERNAL_BUILD 1

#endif

#include <gnutls/gnutls.h>

#include <gnutls/x509.h>

#include <gnutls/crypto.h>

#ifdef HAVE_TROUSERS

#include <trousers/tss.h>

#include <trousers/trousers.h>

#endif

#ifdef HAVE_P11KIT

#include <p11-kit/p11-kit.h>

static int gnutls_pin_callback(void *priv, int attempt, const char *uri,

const char *token_label, unsigned int flags,

char *pin, size_t pin_max);

#ifndef HAVE_GNUTLS_X509_CRT_SET_PIN_FUNCTION

/* If we don't have this (3.1.0+) then we'll use p11-kit callbacks instead

* because the old GnuTLS callback was global rather than context-specific,

* which makes it basically unusable from libopenconnect. The p11-kit

typedef enum {

GNUTLS_PIN_USER = (1 << 0),

GNUTLS_PIN_SO = (1 << 1),

GNUTLS_PIN_FINAL_TRY = (1 << 2),

GNUTLS_PIN_COUNT_LOW = (1 << 3),

GNUTLS_PIN_CONTEXT_SPECIFIC = (1 << 4),

GNUTLS_PIN_WRONG = (1 << 5)

} gnutls_pin_flag_t;

static P11KitPin *p11kit_pin_callback(const char *pin_source, P11KitUri *pin_uri,

const char *pin_description,

P11KitPinFlags flags,

void *_vpninfo);

#endif /* !HAVE_GNUTLS_X509_CRT_SET_PIN_FUNCTION */

#include "openconnect-internal.h"

/* GnuTLS 2.x lacked this. But GNUTLS_E_UNEXPECTED_PACKET_LENGTH basically

* does the same thing.

* http://lists.infradead.org/pipermail/openconnect-devel/2014-March/001726.html

*/

#ifndef GNUTLS_E_PREMATURE_TERMINATION

#define GNUTLS_E_PREMATURE_TERMINATION GNUTLS_E_UNEXPECTED_PACKET_LENGTH

#endif

/* Compile-time optimisable GnuTLS version check. We should never be

* run against a version of GnuTLS which is *older* than the one we

* were built again, but we might be run against a version which is

* newer. So some ancient compatibility code *can* be dropped at

* compile time. Likewise, if building against GnuTLS 2.x then we

* can never be running agsinst a 3.x library — the soname changed. */

#define gtls_ver(a,b,c) ( GNUTLS_VERSION_MAJOR >= (a) && \

(GNUTLS_VERSION_NUMBER >= ( ((a) << 16) + ((b) << 8) + (c) ) || \

gnutls_check_version(#a "." #b "." #c)))

{

size_t orig_len = len;

while (len) {

if (done > 0)

len -= done;

FD_ZERO(&wr_set);

FD_ZERO(&rd_set);

if (gnutls_record_get_direction(ses))

FD_SET(fd, &wr_set);

vpn_progress(vpninfo, PRG_ERR, _("SSL write cancelled\n"));

return -EINTR;

}

} else {

vpn_progress(vpninfo, PRG_ERR, _("Failed to write to SSL socket: %s\n"),

gnutls_strerror(done));

return -EIO;

}

}

return orig_len;

}

static int openconnect_gnutls_write(struct openconnect_info *vpninfo, char *buf, size_t len)

{

return _openconnect_gnutls_write(vpninfo->https_sess, vpninfo->ssl_fd, vpninfo, buf, len);

}

int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len)

{

return _openconnect_gnutls_write(vpninfo->dtls_ssl, vpninfo->dtls_fd, vpninfo, buf, len);

}

static int _openconnect_gnutls_read(gnutls_session_t ses, int fd, struct openconnect_info *vpninfo, char *buf, size_t len, unsigned ms)

int done, ret;

struct timeval timeout, *tv = NULL;

if (ms) {

timeout.tv_sec = ms/1000;

timeout.tv_usec = (ms%1000)*1000;

tv = &timeout;

}

/* Wait for something to happen on the socket, or on cmd_fd */

fd_set wr_set, rd_set;

FD_ZERO(&wr_set);

FD_ZERO(&rd_set);

if (gnutls_record_get_direction(ses))

FD_SET(fd, &wr_set);

done = -EINTR;

goto cleanup;

}

if (ret == 0) {

done = -ETIMEDOUT;

goto cleanup;

} else if (done == GNUTLS_E_PREMATURE_TERMINATION) {

/* We've seen this with HTTP 1.0 responses followed by abrupt

socket closure and no clean SSL shutdown.

https://bugs.launchpad.net/bugs/1225276 */

done = 0;

goto cleanup;

} else if (done == GNUTLS_E_REHANDSHAKE) {

int ret = cstp_handshake(vpninfo, 0);

if (ret) {

done = ret;

goto cleanup;

}

} else {

vpn_progress(vpninfo, PRG_ERR, _("Failed to read from SSL socket: %s\n"),

gnutls_strerror(done));

if (done == GNUTLS_E_TIMEDOUT) {

done = -ETIMEDOUT;

goto cleanup;

} else {

done = -EIO;

goto cleanup;

}

cleanup:

}

static int openconnect_gnutls_read(struct openconnect_info *vpninfo, char *buf, size_t len)

{

return _openconnect_gnutls_read(vpninfo->https_sess, vpninfo->ssl_fd, vpninfo, buf, len, 0);

}

int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms)

{

return _openconnect_gnutls_read(vpninfo->dtls_ssl, vpninfo->dtls_fd, vpninfo, buf, len, ms);

}

{

int i = 0;

int ret;

if (len < 2)

return -EINVAL;

while (1) {

ret = gnutls_record_recv(vpninfo->https_sess, buf + i, 1);

if (ret == 1) {

if (buf[i] == '\n') {

buf[i] = 0;

if (i && buf[i-1] == '\r') {

buf[i-1] = 0;

i--;

}

return i;

}

i++;

if (i >= len - 1) {

buf[i] = 0;

return i;

}

fd_set rd_set, wr_set;

int maxfd = vpninfo->ssl_fd;

FD_ZERO(&rd_set);

FD_ZERO(&wr_set);

if (gnutls_record_get_direction(vpninfo->https_sess))

FD_SET(vpninfo->ssl_fd, &wr_set);

else

FD_SET(vpninfo->ssl_fd, &rd_set);

vpn_progress(vpninfo, PRG_ERR, _("SSL read cancelled\n"));

ret = -EINTR;

break;

}

} else if (ret == GNUTLS_E_REHANDSHAKE) {

ret = cstp_handshake(vpninfo, 0);

if (ret)

return ret;

} else {

vpn_progress(vpninfo, PRG_ERR, _("Failed to read from SSL socket: %s\n"),

gnutls_strerror(ret));

ret = -EIO;

break;

}

}

buf[i] = 0;

return i ?: ret;

}

int ssl_nonblock_read(struct openconnect_info *vpninfo, void *buf, int maxlen)

{

int ret;

ret = gnutls_record_recv(vpninfo->https_sess, buf, maxlen);

if (ret > 0)

return ret;

vpn_progress(vpninfo, PRG_ERR,

_("SSL read error: %s; reconnecting.\n"),

gnutls_strerror(ret));

return -EIO;

}

return 0;

}

int ssl_nonblock_write(struct openconnect_info *vpninfo, void *buf, int buflen)

{

int ret;

ret = gnutls_record_send(vpninfo->https_sess, buf, buflen);

if (ret > 0)

return ret;

/*

* Before 3.3.13, GnuTLS could return zero instead of one,

* indicating that it was waiting for a read when in fact

* it was waiting for a write. That caused us to block for

* ever, waiting for the read that it said it wanted.

*

* So instead, just *assume* it actually wants a write.

* Which is true most of the time, and on the rare occasion

* that it *isn't* true, the failure mode will just be that

* we keep waking up and calling GnuTLS again until the read

* that it's waiting for does arrive.

*/

if (GNUTLS_VERSION_NUMBER < 0x03030d ||

gnutls_record_get_direction(vpninfo->https_sess)) {

/* Waiting for the socket to become writable — it's

probably stalled, and/or the buffers are full */

monitor_write_fd(vpninfo, ssl);

}

return 0;

}

vpn_progress(vpninfo, PRG_ERR, _("SSL send failed: %s\n"),

gnutls_strerror(ret));

return -1;

}

static int check_certificate_expiry(struct openconnect_info *vpninfo, gnutls_x509_crt_t cert)

{

const char *reason = NULL;

time_t expires = gnutls_x509_crt_get_expiration_time(cert);

time_t now = time(NULL);

if (expires == -1) {

vpn_progress(vpninfo, PRG_ERR,

_("Could not extract expiration time of certificate\n"));

return -EINVAL;

}

if (expires < now)

reason = _("Client certificate has expired at");

else if (expires < now + vpninfo->cert_expire_warning)

reason = _("Client certificate expires soon at");

if (reason) {

char buf[80];

#ifdef _WIN32

/*

* Windows doesn't have gmtime_r but apparently its gmtime()

* *is* thread-safe because it uses a per-thread static buffer.

* cf. http://sourceforge.net/p/mingw/bugs/1625/

*

* We also explicitly say 'GMT' because %Z would give us the

* Microsoft stupidity "GMT Standard Time". Which is not only

* silly, but also ambiguous because Windows actually says that

* even when it means British Summer Time (GMT+1). And having

* used gmtime() we really *are* giving the time in GMT.

*/

struct tm *tm = gmtime(&expires);

strftime(buf, 80, "%a, %d %b %Y %H:%M:%S GMT", tm);

#else

struct tm tm;

gmtime_r(&expires, &tm);

strftime(buf, 80, "%a, %d %b %Y %T %Z", &tm);

vpn_progress(vpninfo, PRG_ERR, "%s: %s\n", reason, buf);

}

return 0;

}

static int load_datum(struct openconnect_info *vpninfo,

gnutls_datum_t *datum, const char *fname)

{

struct stat st;

int fd, err;

#ifdef ANDROID_KEYSTORE

if (!strncmp(fname, "keystore:", 9)) {

int len;

const char *p = fname + 9;

/* Skip first two slashes if the user has given it as

keystore://foo ... */

if (*p == '/')

p++;

if (*p == '/')

p++;

len = keystore_fetch(p, &datum->data);

if (len <= 0) {

_("Failed to load item '%s' from keystore: %s\n"),

p, keystore_strerror(len));

return -EINVAL;

}

datum->size = len;

return 0;

}

if (fd == -1) {

err = errno;

vpn_progress(vpninfo, PRG_ERR,

_("Failed to open key/certificate file %s: %s\n"),

fname, strerror(err));

return -ENOENT;

}

if (fstat(fd, &st)) {

err = errno;

vpn_progress(vpninfo, PRG_ERR,

_("Failed to stat key/certificate file %s: %s\n"),

fname, strerror(err));

close(fd);

return -EIO;

if (!datum->data) {

vpn_progress(vpninfo, PRG_ERR,

_("Failed to allocate certificate buffer\n"));

close(fd);

return -ENOMEM;

}

errno = EAGAIN;

if (read(fd, datum->data, datum->size) != datum->size) {

err = errno;

vpn_progress(vpninfo, PRG_ERR,

_("Failed to read certificate into memory: %s\n"),

strerror(err));

close(fd);

gnutls_free(datum->data);

return -EIO;

}

close(fd);

return 0;

}

/* A non-zero, non-error return to make load_certificate() continue and

interpreting the file as other types */

#define NOT_PKCS12 1

gnutls_datum_t *datum,

gnutls_x509_privkey_t *key,

gnutls_x509_crt_t **chain,

unsigned int *chain_len,

{

gnutls_pkcs12_t p12;

char *pass;

int err;

err = gnutls_pkcs12_init(&p12);

if (err) {

vpn_progress(vpninfo, PRG_ERR,

_("Failed to setup PKCS#12 data structure: %s\n"),

gnutls_strerror(err));

return -EIO;

}

err = gnutls_pkcs12_import(p12, datum, GNUTLS_X509_FMT_DER, 0);

if (err) {

gnutls_pkcs12_deinit(p12);

}

pass = vpninfo->cert_password;

if (!pass) {

/* OpenSSL's PKCS12_parse() code will try both NULL and "" automatically,

* but GnuTLS requires two separate attempts. */

err = gnutls_pkcs12_verify_mac(p12, "");

pass = strdup("");

break;

}

} else

vpn_progress(vpninfo, PRG_ERR,

_("Failed to decrypt PKCS#12 certificate file\n"));

free(pass);

_("Enter PKCS#12 pass phrase:"));

if (err) {

gnutls_pkcs12_deinit(p12);

return -EINVAL;

}

}

/* If it wasn't GNUTLS_E_MAC_VERIFY_FAILED, then the problem wasn't just a

bad password. Give up. */

if (err) {

int level = PRG_ERR;

int ret = -EINVAL;

gnutls_pkcs12_deinit(p12);

/* If the first attempt, and we didn't know for sure it was PKCS#12

anyway, bail out and try loading it as something different. */

ret = NOT_PKCS12;

}

vpn_progress(vpninfo, level,

_("Failed to process PKCS#12 file: %s\n"),

gnutls_strerror(err));

return ret;

}

err = gnutls_pkcs12_simple_parse(p12, pass, key, chain, chain_len,

extra_certs, extra_certs_len, crl, 0);

free(pass);

vpninfo->cert_password = NULL;

gnutls_pkcs12_deinit(p12);

if (err) {

vpn_progress(vpninfo, PRG_ERR,

_("Failed to load PKCS#12 certificate: %s\n"),

gnutls_strerror(err));

return -EINVAL;

}

return 0;

}

do it for them. Is there a bug reference for this? Or just the git commit

reference (c1ef7efb in master, 5196786c in gnutls_3_0_x-2)? */

static int check_issuer_sanity(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer)

{

return 0;

#else

unsigned char id1[512], id2[512];

size_t id1_size = 512, id2_size = 512;

int err;

err = gnutls_x509_crt_get_authority_key_id(cert, id1, &id1_size, NULL);

if (err)

return 0;

err = gnutls_x509_crt_get_subject_key_id(issuer, id2, &id2_size, NULL);

if (err)

return 0;

if (id1_size == id2_size && !memcmp(id1, id2, id1_size))

return 0;

/* EEP! */

return -EIO;

#endif

}

static int count_x509_certificates(gnutls_datum_t *datum)

{

int count = 0;

char *p = (char *)datum->data;

while (p) {

p = strstr(p, "-----BEGIN ");

if (!p)

break;

p += 11;

if (!strncmp(p, "CERTIFICATE", 11) ||

!strncmp(p, "X509 CERTIFICATE", 16))

}

return count;

}

static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen)

{

if (gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME,

0, 0, name, &namelen) &&

gnutls_x509_crt_get_dn(cert, name, &namelen)) {

name[namelen-1] = 0;

snprintf(name, namelen-1, "<unknown>");

return -EINVAL;

}

return 0;

}

/* For GnuTLS 2.12 even if we *have* a privkey (as we do for PKCS#11), we

can't register it. So we have to use the cert_callback function. This

just hands out the certificate chain we prepared in load_certificate().

If we have a pkey then return that too; otherwise leave the key NULL —

we'll also have registered a sign_callback for the session, which will

handle that. */

static int gtls_cert_cb(gnutls_session_t sess, const gnutls_datum_t *req_ca_dn,

int nreqs, const gnutls_pk_algorithm_t *pk_algos,

struct openconnect_info *vpninfo = gnutls_session_get_ptr(sess);

int algo = GNUTLS_PK_RSA; /* TPM */

int i;

#ifdef HAVE_P11KIT

if (vpninfo->my_p11key) {

st->key_type = GNUTLS_PRIVKEY_PKCS11;

st->key.pkcs11 = vpninfo->my_p11key;

algo = gnutls_pkcs11_privkey_get_pk_algorithm(vpninfo->my_p11key, NULL);

};

#endif

for (i = 0; i < pk_algos_length; i++) {

if (algo == pk_algos[i])

break;

}

if (i == pk_algos_length)

return GNUTLS_E_UNKNOWN_PK_ALGORITHM;

st->cert_type = GNUTLS_CRT_X509;

st->cert.x509 = vpninfo->my_certs;

st->ncerts = vpninfo->nr_my_certs;

st->deinit_all = 0;

return 0;

}

/* For GnuTLS 2.12, this has to set the cert_callback to the function

above, which will return the pkey and certs on demand. Or in the

case of TPM we can't make a suitable pkey, so we have to set a

sign_callback too (which is done in openconnect_open_https() since

it has to be done on the *session*). */

static int assign_privkey(struct openconnect_info *vpninfo,

gnutls_privkey_t pkey,

gnutls_x509_crt_t *certs,

unsigned int nr_certs,

{

vpninfo->my_certs = gnutls_calloc(nr_certs, sizeof(*certs));

if (!vpninfo->my_certs)

return GNUTLS_E_MEMORY_ERROR;

gnutls_free(vpninfo->my_certs);

vpninfo->my_certs = NULL;

return GNUTLS_E_MEMORY_ERROR;

}

memcpy(vpninfo->free_my_certs, free_certs, nr_certs);

memcpy(vpninfo->my_certs, certs, nr_certs * sizeof(*certs));

vpninfo->nr_my_certs = nr_certs;

/* We are *keeping* the certs, unlike in GnuTLS 3 where our caller

can free them after gnutls_certificate_set_key() has been called.

So wipe the 'free_certs' array. */

memset(free_certs, 0, nr_certs);

gnutls_certificate_set_retrieve_function(vpninfo->https_cred,

gtls_cert_cb);

vpninfo->my_pkey = pkey;

return 0;

}

/* For GnuTLS 3+ this is saner than the GnuTLS 2.12 version. But still we

have to convert the array of X509 certificates to gnutls_pcert_st for

ourselves. There's no function that takes a gnutls_privkey_t as the key

and gnutls_x509_crt_t certificates. */

static int assign_privkey(struct openconnect_info *vpninfo,

gnutls_privkey_t pkey,

gnutls_x509_crt_t *certs,

unsigned int nr_certs,

{

gnutls_pcert_st *pcerts = calloc(nr_certs, sizeof(*pcerts));

int i, err;

if (!pcerts)

return GNUTLS_E_MEMORY_ERROR;

err = gnutls_pcert_import_x509(pcerts + i, certs[i], 0);

if (err) {

vpn_progress(vpninfo, PRG_ERR,

_("Importing X509 certificate failed: %s\n"),

gnutls_strerror(err));

goto free_pcerts;

}

}

err = gnutls_certificate_set_key(vpninfo->https_cred, NULL, 0,

pcerts, nr_certs, pkey);

if (err) {

vpn_progress(vpninfo, PRG_ERR,

_("Setting PKCS#11 certificate failed: %s\n"),

gnutls_strerror(err));

free_pcerts:

}

return err;

}

#endif /* !SET_KEY */

static int verify_signed_data(gnutls_pubkey_t pubkey, gnutls_privkey_t privkey,

const gnutls_datum_t *data, const gnutls_datum_t *sig)

{

gnutls_sign_algorithm_t algo = GNUTLS_SIGN_RSA_SHA1; /* TPM keys */

if (privkey != OPENCONNECT_TPM_PKEY)

algo = gnutls_pk_to_sign(gnutls_privkey_get_pk_algorithm(privkey, NULL),

GNUTLS_DIG_SHA1);

return gnutls_pubkey_verify_data2(pubkey, algo, 0, data, sig);

#else

return gnutls_pubkey_verify_data(pubkey, 0, data, sig);

#endif

}

static int openssl_hash_password(struct openconnect_info *vpninfo, char *pass,

gnutls_datum_t *key, gnutls_datum_t *salt)

{

unsigned char md5[16];

gnutls_hash_hd_t hash;

int count = 0;

int err;

while (count < key->size) {

err = gnutls_hash_init(&hash, GNUTLS_DIG_MD5);

if (err) {

vpn_progress(vpninfo, PRG_ERR,

_("Could not initialise MD5 hash: %s\n"),

gnutls_strerror(err));

return -EIO;

}

if (count) {

err = gnutls_hash(hash, md5, sizeof(md5));

if (err) {

hash_err:

gnutls_hash_deinit(hash, NULL);

vpn_progress(vpninfo, PRG_ERR,

_("MD5 hash error: %s\n"),

gnutls_strerror(err));

return -EIO;

}

}

if (pass) {

err = gnutls_hash(hash, pass, strlen(pass));

if (err)

goto hash_err;

}

/* We only use the first 8 bytes of the salt for this */

err = gnutls_hash(hash, salt->data, 8);

if (err)

goto hash_err;

gnutls_hash_deinit(hash, md5);

if (key->size - count <= sizeof(md5)) {

memcpy(&key->data[count], md5, key->size - count);

break;

}

memcpy(&key->data[count], md5, sizeof(md5));

count += sizeof(md5);

}

return 0;

}

static int import_openssl_pem(struct openconnect_info *vpninfo,

gnutls_x509_privkey_t key,

char type, char *pem_header, size_t pem_size)

{

gnutls_cipher_hd_t handle;

gnutls_cipher_algorithm_t cipher;

gnutls_datum_t constructed_pem;

gnutls_datum_t b64_data;

gnutls_datum_t salt, enc_key;

unsigned char *key_data;

const char *begin;