* Author: David Woodhouse <dwmw2@infradead.org>

*

* This program is free software; you can redistribute it and/or

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* Lesser General Public License for more details.

*

* You should have received a copy of the GNU Lesser General Public

* License along with this library; if not, write to:

*

* Free Software Foundation, Inc.

* 51 Franklin Street, Fifth Floor,

* Boston, MA 02110-1301 USA

*/

#include <netdb.h>

#include <unistd.h>

#include <fcntl.h>

#include <time.h>

#include <errno.h>

#include <stdlib.h>

#include <stdio.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <netinet/tcp.h>

/*

* Data packets are encapsulated in the SSL stream as follows:

* 0000: Magic "STF\x1"

* 0004: Big-endian 16-bit length (not including 8-byte header)

* 0008: data payload

*/

static char data_hdr[8] = {

'S', 'T', 'F', 1,

0, 0, /* Length */

AC_PKT_DATA, /* Type */

0 /* Unknown */

};

static struct pkt keepalive_pkt = {

.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_KEEPALIVE, 0 },

};

static struct pkt dpd_pkt = {

.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_DPD_OUT, 0 },

};

static struct pkt dpd_resp_pkt = {

.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_DPD_RESP, 0 },

};

static int __attribute__ ((format (printf, 3, 4)))

buf_append(char *buf, int len, const char *fmt, ...)

{

int start = strlen(buf);

int ret;

va_list args;

if (start >= len)

return 0;

va_start(args, fmt);

ret = vsnprintf(buf + start, len - start, fmt, args);

va_end(args);

if (ret > len)

ret = len;

return ret;

}

/* Calculate MTU to request. Old servers simply use the X-CSTP-MTU: header,

* which represents the tunnel MTU, while new servers do calculations on the

* X-CSTP-Base-MTU: header which represents the cleartext MTU between client

* and server.

*

* If possible, the legacy MTU value should be the TCP MSS less 5 bytes of

* TLS and 8 bytes of CSTP overhead. We can get the MSS from either the

* TCP_INFO or TCP_MAXSEG sockopts.

*

* The base MTU comes from the TCP_INFO sockopt under Linux, but I don't know

* how to work it out on other systems. So leave it blank and do things the

* legacy way there. Contributions welcome...

*

* If we don't even have TCP_MAXSEG, then default to sending a legacy MTU of

* 1406 which is what we always used to do.

*/

static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *mtu)

{

*base_mtu = vpninfo->basemtu;

if (!*mtu || !*base_mtu) {

struct tcp_info ti;

socklen_t ti_size = sizeof(ti);

&ti, &ti_size)) {

vpn_progress(vpninfo, PRG_TRACE,

_("TCP_INFO rcv mss %d, snd mss %d, adv mss %d, pmtu %d\n"),

ti.tcpi_rcv_mss, ti.tcpi_snd_mss, ti.tcpi_advmss, ti.tcpi_pmtu);

if (!*base_mtu) *base_mtu = ti.tcpi_pmtu;

if (!*mtu) {

if (ti.tcpi_rcv_mss < ti.tcpi_snd_mss)

*mtu = ti.tcpi_rcv_mss - 13;

else

*mtu = ti.tcpi_snd_mss - 13;

}

}

}

#endif

#ifdef TCP_MAXSEG

if (!*mtu) {

int mss;

socklen_t mss_size = sizeof(mss);

&mss, &mss_size)) {

vpn_progress(vpninfo, PRG_TRACE, _("TCP_MAXSEG %d\n"), mss);

*mtu = mss - 13;

}

}

#endif

if (!*mtu) {

/* Default */

*mtu = 1406;

}

if (*mtu < 1280)

*mtu = 1280;

}

{

char buf[65536];

int i;

struct vpn_option **next_dtls_option = &vpninfo->dtls_options;

struct vpn_option **next_cstp_option = &vpninfo->cstp_options;

struct vpn_option *old_cstp_opts = vpninfo->cstp_options;

struct vpn_option *old_dtls_opts = vpninfo->dtls_options;

const char *old_addr = vpninfo->vpn_addr;

const char *old_netmask = vpninfo->vpn_netmask;

const char *old_addr6 = vpninfo->vpn_addr6;

const char *old_netmask6 = vpninfo->vpn_netmask6;

/* Clear old options which will be overwritten */

vpninfo->vpn_addr = vpninfo->vpn_netmask = NULL;

for (i=0; i<3; i++)

vpninfo->vpn_dns[i] = vpninfo->vpn_nbns[i] = NULL;

struct split_include *next = inc->next;

free(inc);

inc = next;

}

struct split_include *next = inc->next;

free(inc);

inc = next;

}

for (inc = vpninfo->split_dns; inc; ) {

struct split_include *next = inc->next;

free(inc);

inc = next;

}

vpninfo->split_dns = vpninfo->split_includes = vpninfo->split_excludes = NULL;

/* Create (new) random master key for DTLS connection, if needed */

if (vpninfo->dtls_times.last_rekey + vpninfo->dtls_times.rekey <

time(NULL) + 300 &&

exit(1);

}

calculate_mtu(vpninfo, &base_mtu, &mtu);

buf[0] = 0;

buf_append(buf, sizeof(buf), "CONNECT /CSCOSSLC/tunnel HTTP/1.1\r\n");

buf_append(buf, sizeof(buf), "Host: %s\r\n", vpninfo->hostname);

buf_append(buf, sizeof(buf), "User-Agent: %s\r\n", vpninfo->useragent);

buf_append(buf, sizeof(buf), "Cookie: webvpn=%s\r\n", vpninfo->cookie);

buf_append(buf, sizeof(buf), "X-CSTP-Version: 1\r\n");

buf_append(buf, sizeof(buf), "X-CSTP-Hostname: %s\r\n", vpninfo->localname);

if (vpninfo->deflate && i < sizeof(buf))

buf_append(buf, sizeof(buf), "X-CSTP-Accept-Encoding: deflate;q=1.0\r\n");

if (base_mtu)

buf_append(buf, sizeof(buf), "X-CSTP-Base-MTU: %d\r\n", base_mtu);

buf_append(buf, sizeof(buf), "X-CSTP-MTU: %d\r\n", mtu);

buf_append(buf, sizeof(buf), "%02X", vpninfo->dtls_secret[i]);

buf_append(buf, sizeof(buf), "\r\nX-DTLS-CipherSuite: %s\r\n\r\n",

openconnect_SSL_write(vpninfo, buf, strlen(buf));

if ((i = openconnect_SSL_gets(vpninfo, buf, 65536) < 0)) {

if (i == -EINTR)

return i;

vpn_progress(vpninfo, PRG_ERR,

_("Error fetching HTTPS response\n"));

if (!retried) {

retried = 1;

_("Failed to open HTTPS connection to %s\n"),

vpninfo->hostname);

exit(1);

}

goto retry;

}

return -EINVAL;

}

if (strncmp(buf, "HTTP/1.1 200 ", 13)) {

if (!strncmp(buf, "HTTP/1.1 503 ", 13)) {

/* "Service Unavailable. Why? */

if (!strncmp(buf, "X-Reason: ", 10)) {

reason = buf + 10;

break;

}

}

vpn_progress(vpninfo, PRG_ERR,

_("VPN service unavailable; reason: %s\n"),

reason);

return -EINVAL;

}

_("Got inappropriate HTTP CONNECT response: %s\n"),

buf);

if (!strncmp(buf, "HTTP/1.1 401 ", 13))

exit(2);

return -EINVAL;

}

/* We may have advertised it, but we only do it if the server agrees */

vpninfo->deflate = 0;

char *colon;

if (i < 0)

return i;

colon = strchr(buf, ':');

if (!colon)

continue;

*colon = 0;

colon++;

if (*colon == ' ')

colon++;

if (strncmp(buf, "X-DTLS-", 7) &&

strncmp(buf, "X-CSTP-", 7))

continue;

new_option = malloc(sizeof(*new_option));

if (!new_option) {

return -ENOMEM;

}

new_option->option = strdup(buf);

new_option->value = strdup(colon);

new_option->next = NULL;

if (!new_option->option || !new_option->value) {

free(new_option->option);

free(new_option->value);

free(new_option);

return -ENOMEM;

}

if (!strncmp(buf, "X-DTLS-", 7)) {

*next_dtls_option = new_option;

next_dtls_option = &new_option->next;

int dtlsmtu = atol(colon);

if (dtlsmtu > mtu)

mtu = dtlsmtu;

_("X-DTLS-Session-ID not 64 characters; is: \"%s\"\n"),

colon);

vpninfo->dtls_attempt_period = 0;

return -EINVAL;

}

for (i = 0; i < 64; i += 2)

vpninfo->dtls_session_id[i/2] = unhex(colon + i);

sessid_found = 1;

time(&vpninfo->dtls_times.last_rekey);

}

continue;

}

/* CSTP options... */

*next_cstp_option = new_option;

next_cstp_option = &new_option->next;

if (!strcmp(buf + 7, "Keepalive")) {

vpninfo->ssl_times.keepalive = atol(colon);

} else if (!strcmp(buf + 7, "DPD")) {

int j = atol(colon);

if (j && (!vpninfo->ssl_times.dpd || j < vpninfo->ssl_times.dpd))

vpninfo->ssl_times.dpd = j;

} else if (!strcmp(buf + 7, "Rekey-Time")) {

vpninfo->ssl_times.rekey = atol(colon);

} else if (!strcmp(buf + 7, "Content-Encoding")) {

if (!strcmp(colon, "deflate"))

vpninfo->deflate = 1;

else {

_("Unknown CSTP-Content-Encoding %s\n"),

colon);

return -EINVAL;

}

} else if (!strcmp(buf + 7, "MTU")) {

int cstpmtu = atol(colon);

if (cstpmtu > mtu)

mtu = cstpmtu;

if (strchr(new_option->value, ':')) {

if (!vpninfo->disable_ipv6)

vpninfo->vpn_addr6 = new_option->value;

} else

if (strchr(new_option->value, ':')) {

if (!vpninfo->disable_ipv6)

vpninfo->vpn_netmask6 = new_option->value;

} else

} else if (!strcmp(buf + 7, "DNS")) {

int j;

for (j = 0; j < 3; j++) {

if (!vpninfo->vpn_dns[j]) {

vpninfo->vpn_dns[j] = new_option->value;

break;

}

}

} else if (!strcmp(buf + 7, "NBNS")) {

int j;

for (j = 0; j < 3; j++) {

if (!vpninfo->vpn_nbns[j]) {

vpninfo->vpn_nbns[j] = new_option->value;

break;

}

}

} else if (!strcmp(buf + 7, "Default-Domain")) {

vpninfo->vpn_domain = new_option->value;

} else if (!strcmp(buf + 7, "MSIE-Proxy-PAC-URL")) {

vpninfo->vpn_proxy_pac = new_option->value;

} else if (!strcmp(buf + 7, "Banner")) {

vpninfo->banner = new_option->value;

} else if (!strcmp(buf + 7, "Split-DNS")) {

struct split_include *dns = malloc(sizeof(*dns));

if (!dns)

continue;

dns->route = new_option->value;

dns->next = vpninfo->split_dns;

vpninfo->split_dns = dns;

} else if (!strcmp(buf + 7, "Split-Include")) {

struct split_include *inc = malloc(sizeof(*inc));

if (!inc)

continue;

inc->route = new_option->value;

inc->next = vpninfo->split_includes;

vpninfo->split_includes = inc;

} else if (!strcmp(buf + 7, "Split-Exclude")) {

struct split_include *exc = malloc(sizeof(*exc));

if (!exc)

continue;

exc->route = new_option->value;

}

}

if (!mtu) {

vpn_progress(vpninfo, PRG_ERR,

_("No MTU received. Aborting\n"));

return -EINVAL;

}

vpninfo->actual_mtu = mtu;

vpn_progress(vpninfo, PRG_ERR,

_("No IP address received. Aborting\n"));

return -EINVAL;

}

if (old_addr) {

if (strcmp(old_addr, vpninfo->vpn_addr)) {

vpn_progress(vpninfo, PRG_ERR,

_("Reconnect gave different Legacy IP address (%s != %s)\n"),

vpninfo->vpn_addr, old_addr);

return -EINVAL;

}

}

if (old_netmask) {

if (strcmp(old_netmask, vpninfo->vpn_netmask)) {

vpn_progress(vpninfo, PRG_ERR,

_("Reconnect gave different Legacy IP netmask (%s != %s)\n"),

vpninfo->vpn_netmask, old_netmask);

return -EINVAL;

}

}

if (old_addr6) {

if (strcmp(old_addr6, vpninfo->vpn_addr6)) {

vpn_progress(vpninfo, PRG_ERR,

_("Reconnect gave different IPv6 address (%s != %s)\n"),

vpninfo->vpn_addr6, old_addr6);

return -EINVAL;

}

}

if (old_netmask6) {

if (strcmp(old_netmask6, vpninfo->vpn_netmask6)) {

vpn_progress(vpninfo, PRG_ERR,

_("Reconnect gave different IPv6 netmask (%s != %s)\n"),

vpninfo->vpn_netmask6, old_netmask6);

return -EINVAL;

}

}

while (old_dtls_opts) {

struct vpn_option *tmp = old_dtls_opts;

old_dtls_opts = old_dtls_opts->next;

free(tmp->value);

free(tmp->option);

free(tmp);

}

while (old_cstp_opts) {

struct vpn_option *tmp = old_cstp_opts;

old_cstp_opts = old_cstp_opts->next;

free(tmp->value);

free(tmp->option);

free(tmp);

}

vpn_progress(vpninfo, PRG_INFO, _("CSTP connected. DPD %d, Keepalive %d\n"),

vpninfo->ssl_times.dpd, vpninfo->ssl_times.keepalive);

if (vpninfo->select_nfds <= vpninfo->ssl_fd)

vpninfo->select_nfds = vpninfo->ssl_fd + 1;

FD_SET(vpninfo->ssl_fd, &vpninfo->select_rfds);

FD_SET(vpninfo->ssl_fd, &vpninfo->select_efds);

if (!sessid_found)

vpninfo->dtls_attempt_period = 0;

vpninfo->ssl_times.last_rekey = vpninfo->ssl_times.last_rx =

vpninfo->ssl_times.last_tx = time(NULL);

return 0;

}

int ret;

ret = openconnect_open_https(vpninfo);

if (ret)

if (vpninfo->deflate) {

vpninfo->deflate_adler32 = 1;

vpninfo->inflate_adler32 = 1;

if (inflateInit2(&vpninfo->inflate_strm, -12) ||

deflateInit2(&vpninfo->deflate_strm, Z_DEFAULT_COMPRESSION,

Z_DEFLATED, -12, 9, Z_DEFAULT_STRATEGY)) {

vpninfo->deflate = 0;

}

if (!vpninfo->deflate_pkt) {

vpninfo->deflate_pkt = malloc(sizeof(struct pkt) + 2048);

if (!vpninfo->deflate_pkt) {

vpn_progress(vpninfo, PRG_ERR,

_("Allocation of deflate buffer failed\n"));

inflateEnd(&vpninfo->inflate_strm);

deflateEnd(&vpninfo->deflate_strm);

} else {

memset(vpninfo->deflate_pkt, 0, sizeof(struct pkt));

memcpy(vpninfo->deflate_pkt->hdr, data_hdr, 8);

vpninfo->deflate_pkt->hdr[6] = AC_PKT_COMPRESSED;

}

}

}

return start_cstp_connection(vpninfo);

}

int ret;

int timeout;

int interval;

/* Requeue the original packet that was deflated */

if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt) {

vpninfo->current_ssl_pkt = NULL;

queue_packet(&vpninfo->outgoing_queue, vpninfo->pending_deflated_pkt);

vpninfo->pending_deflated_pkt = NULL;

}

inflateEnd(&vpninfo->inflate_strm);

deflateEnd(&vpninfo->deflate_strm);

}

timeout = vpninfo->reconnect_timeout;

interval = vpninfo->reconnect_interval;

while ((ret = make_cstp_connection(vpninfo))) {

_("sleep %ds, remaining timeout %ds\n"),

interval, timeout);

if (killed)

return 1;

timeout -= interval;

interval += vpninfo->reconnect_interval;

if (interval > RECONNECT_INTERVAL_MAX)

interval = RECONNECT_INTERVAL_MAX;

return 0;

}

static int inflate_and_queue_packet(struct openconnect_info *vpninfo,

unsigned char *buf, int len)

if (!new)

return -ENOMEM;

new->next = NULL;

vpninfo->inflate_strm.next_in = buf;

vpninfo->inflate_strm.avail_in = len - 4;

vpninfo->inflate_strm.next_out = new->data;

vpninfo->inflate_strm.total_out = 0;

if (inflate(&vpninfo->inflate_strm, Z_SYNC_FLUSH)) {

free(new);

return -EINVAL;

}

new->len = vpninfo->inflate_strm.total_out;

vpninfo->inflate_adler32 = adler32(vpninfo->inflate_adler32,

new->data, new->len);

pkt_sum = buf[len - 1] | (buf[len - 2] << 8) |

(buf[len - 3] << 16) | (buf[len - 4] << 24);

if (vpninfo->inflate_adler32 != pkt_sum) {

vpninfo->quit_reason = "Compression (inflate) adler32 failure";

}

queue_packet(&vpninfo->incoming_queue, new);

return 0;

}

#if defined (OPENCONNECT_OPENSSL)

static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)

{

int len, ret;

len = SSL_read(vpninfo->https_ssl, buf, maxlen);

if (len > 0)

return len;

ret = SSL_get_error(vpninfo->https_ssl, len);

if (ret == SSL_ERROR_SYSCALL || ret == SSL_ERROR_ZERO_RETURN) {

vpn_progress(vpninfo, PRG_ERR,

_("SSL read error %d (server probably closed connection); reconnecting.\n"),

ret);

return -EIO;

}

return 0;

}

static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)

{

int ret;

ret = SSL_write(vpninfo->https_ssl, buf, buflen);

if (ret > 0)

return ret;

ret = SSL_get_error(vpninfo->https_ssl, ret);

switch (ret) {

case SSL_ERROR_WANT_WRITE:

/* Waiting for the socket to become writable -- it's

probably stalled, and/or the buffers are full */

FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);

case SSL_ERROR_WANT_READ:

return 0;

default:

vpn_progress(vpninfo, PRG_ERR, _("SSL_write failed: %d\n"), ret);

openconnect_report_ssl_errors(vpninfo);

return -1;

}

}

#elif defined (OPENCONNECT_GNUTLS)

static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)

{

int ret;

ret = gnutls_record_recv(vpninfo->https_sess, buf, maxlen);

if (ret > 0)

return ret;

if (ret != GNUTLS_E_AGAIN) {

vpn_progress(vpninfo, PRG_ERR,

_("SSL read error: %s; reconnecting.\n"),

gnutls_strerror(ret));

return -EIO;

}

return 0;

}

static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)

{

int ret;

ret = gnutls_record_send(vpninfo->https_sess, buf, buflen);

if (ret > 0)

return ret;

if (ret == GNUTLS_E_AGAIN) {

if (gnutls_record_get_direction(vpninfo->https_sess)) {

/* Waiting for the socket to become writable -- it's

probably stalled, and/or the buffers are full */

FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);

}

return 0;

}

vpn_progress(vpninfo, PRG_ERR, _("SSL send failed: %s\n"),

gnutls_strerror(ret));

return -1;

}

#endif

{

unsigned char buf[16384];

int len, ret;

int work_done = 0;

/* FIXME: The poll() handling here is fairly simplistic. Actually,

if the SSL connection stalls it could return a WANT_WRITE error

on _either_ of the SSL_read() or SSL_write() calls. In that case,

we should probably remove POLLIN from the events we're looking for,

and add POLLOUT. As it is, though, it'll just chew CPU time in that

fairly unlikely situation, until the write backlog clears. */

int payload_len;

if (buf[0] != 'S' || buf[1] != 'T' ||

buf[2] != 'F' || buf[3] != 1 || buf[7])

goto unknown_pkt;

payload_len = (buf[4] << 8) + buf[5];

if (len != 8 + payload_len) {

_("Unexpected packet length. SSL_read returned %d but packet is\n"),

len);

"%02x %02x %02x %02x %02x %02x %02x %02x\n",

buf[0], buf[1], buf[2], buf[3],

buf[4], buf[5], buf[6], buf[7]);