/
cstp.c
995 lines (868 loc) · 27.6 KB
1
/*
2
* OpenConnect (SSL + DTLS) VPN client
3
*
4
* Copyright © 2008-2012 Intel Corporation.
5
* Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
6
*
7
8
9
* Author: David Woodhouse <dwmw2@infradead.org>
*
* This program is free software; you can redistribute it and/or
10
* modify it under the terms of the GNU Lesser General Public License
11
* version 2.1, as published by the Free Software Foundation.
12
*
13
* This program is distributed in the hope that it will be useful, but
14
15
16
17
18
19
20
21
22
23
24
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to:
*
* Free Software Foundation, Inc.
* 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA
*/
25
26
27
28
29
#include <netdb.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
30
#include <string.h>
31
#include <ctype.h>
32
33
34
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
35
36
#include <sys/types.h>
#include <sys/socket.h>
37
38
#include <netinet/in.h>
#include <netinet/tcp.h>
39
#include <stdarg.h>
40
41
#include "openconnect-internal.h"
42
43
44
/*
* Data packets are encapsulated in the SSL stream as follows:
45
*
46
47
* 0000: Magic "STF\x1"
* 0004: Big-endian 16-bit length (not including 8-byte header)
48
* 0006: Byte packet type (see openconnect-internal.h)
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
* 0008: data payload
*/
static char data_hdr[8] = {
'S', 'T', 'F', 1,
0, 0, /* Length */
AC_PKT_DATA, /* Type */
0 /* Unknown */
};
static struct pkt keepalive_pkt = {
.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_KEEPALIVE, 0 },
};
static struct pkt dpd_pkt = {
.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_DPD_OUT, 0 },
};
static struct pkt dpd_resp_pkt = {
.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_DPD_RESP, 0 },
};
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
static int __attribute__ ((format (printf, 3, 4)))
buf_append(char *buf, int len, const char *fmt, ...)
{
int start = strlen(buf);
int ret;
va_list args;
if (start >= len)
return 0;
va_start(args, fmt);
ret = vsnprintf(buf + start, len - start, fmt, args);
va_end(args);
if (ret > len)
ret = len;
return ret;
}
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
/* Calculate MTU to request. Old servers simply use the X-CSTP-MTU: header,
* which represents the tunnel MTU, while new servers do calculations on the
* X-CSTP-Base-MTU: header which represents the cleartext MTU between client
* and server.
*
* If possible, the legacy MTU value should be the TCP MSS less 5 bytes of
* TLS and 8 bytes of CSTP overhead. We can get the MSS from either the
* TCP_INFO or TCP_MAXSEG sockopts.
*
* The base MTU comes from the TCP_INFO sockopt under Linux, but I don't know
* how to work it out on other systems. So leave it blank and do things the
* legacy way there. Contributions welcome...
*
* If we don't even have TCP_MAXSEG, then default to sending a legacy MTU of
* 1406 which is what we always used to do.
*/
static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *mtu)
{
109
*mtu = vpninfo->reqmtu;
110
111
*base_mtu = vpninfo->basemtu;
112
#if defined(__linux__) && defined(TCP_INFO)
113
114
115
116
if (!*mtu || !*base_mtu) {
struct tcp_info ti;
socklen_t ti_size = sizeof(ti);
117
if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_INFO,
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
&ti, &ti_size)) {
vpn_progress(vpninfo, PRG_TRACE,
_("TCP_INFO rcv mss %d, snd mss %d, adv mss %d, pmtu %d\n"),
ti.tcpi_rcv_mss, ti.tcpi_snd_mss, ti.tcpi_advmss, ti.tcpi_pmtu);
if (!*base_mtu) *base_mtu = ti.tcpi_pmtu;
if (!*mtu) {
if (ti.tcpi_rcv_mss < ti.tcpi_snd_mss)
*mtu = ti.tcpi_rcv_mss - 13;
else
*mtu = ti.tcpi_snd_mss - 13;
}
}
}
#endif
#ifdef TCP_MAXSEG
if (!*mtu) {
int mss;
socklen_t mss_size = sizeof(mss);
136
if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_MAXSEG,
137
138
139
140
141
142
143
144
145
146
&mss, &mss_size)) {
vpn_progress(vpninfo, PRG_TRACE, _("TCP_MAXSEG %d\n"), mss);
*mtu = mss - 13;
}
}
#endif
if (!*mtu) {
/* Default */
*mtu = 1406;
}
147
148
if (*mtu < 1280)
*mtu = 1280;
149
150
}
151
static int start_cstp_connection(struct openconnect_info *vpninfo)
152
153
154
{
char buf[65536];
int i;
155
int retried = 0, sessid_found = 0;
156
157
158
159
160
161
struct vpn_option **next_dtls_option = &vpninfo->dtls_options;
struct vpn_option **next_cstp_option = &vpninfo->cstp_options;
struct vpn_option *old_cstp_opts = vpninfo->cstp_options;
struct vpn_option *old_dtls_opts = vpninfo->dtls_options;
const char *old_addr = vpninfo->vpn_addr;
const char *old_netmask = vpninfo->vpn_netmask;
162
163
const char *old_addr6 = vpninfo->vpn_addr6;
const char *old_netmask6 = vpninfo->vpn_netmask6;
164
struct split_include *inc;
165
int base_mtu, mtu;
166
167
168
/* Clear old options which will be overwritten */
vpninfo->vpn_addr = vpninfo->vpn_netmask = NULL;
169
vpninfo->vpn_addr6 = vpninfo->vpn_netmask6 = NULL;
170
vpninfo->cstp_options = vpninfo->dtls_options = NULL;
171
vpninfo->vpn_domain = vpninfo->vpn_proxy_pac = NULL;
172
vpninfo->banner = NULL;
173
174
175
176
for (i=0; i<3; i++)
vpninfo->vpn_dns[i] = vpninfo->vpn_nbns[i] = NULL;
177
for (inc = vpninfo->split_includes; inc; ) {
178
179
180
181
struct split_include *next = inc->next;
free(inc);
inc = next;
}
182
for (inc = vpninfo->split_excludes; inc; ) {
183
184
185
186
struct split_include *next = inc->next;
free(inc);
inc = next;
}
187
188
189
190
191
192
for (inc = vpninfo->split_dns; inc; ) {
struct split_include *next = inc->next;
free(inc);
inc = next;
}
vpninfo->split_dns = vpninfo->split_includes = vpninfo->split_excludes = NULL;
193
194
195
196
/* Create (new) random master key for DTLS connection, if needed */
if (vpninfo->dtls_times.last_rekey + vpninfo->dtls_times.rekey <
time(NULL) + 300 &&
197
openconnect_random(vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret))) {
198
fprintf(stderr, _("Failed to initialise DTLS secret\n"));
199
200
201
exit(1);
}
202
retry:
203
204
calculate_mtu(vpninfo, &base_mtu, &mtu);
205
206
207
208
209
210
211
212
213
buf[0] = 0;
buf_append(buf, sizeof(buf), "CONNECT /CSCOSSLC/tunnel HTTP/1.1\r\n");
buf_append(buf, sizeof(buf), "Host: %s\r\n", vpninfo->hostname);
buf_append(buf, sizeof(buf), "User-Agent: %s\r\n", vpninfo->useragent);
buf_append(buf, sizeof(buf), "Cookie: webvpn=%s\r\n", vpninfo->cookie);
buf_append(buf, sizeof(buf), "X-CSTP-Version: 1\r\n");
buf_append(buf, sizeof(buf), "X-CSTP-Hostname: %s\r\n", vpninfo->localname);
if (vpninfo->deflate && i < sizeof(buf))
buf_append(buf, sizeof(buf), "X-CSTP-Accept-Encoding: deflate;q=1.0\r\n");
214
215
216
if (base_mtu)
buf_append(buf, sizeof(buf), "X-CSTP-Base-MTU: %d\r\n", base_mtu);
buf_append(buf, sizeof(buf), "X-CSTP-MTU: %d\r\n", mtu);
217
buf_append(buf, sizeof(buf), "X-CSTP-Address-Type: %s\r\n",
218
vpninfo->disable_ipv6?"IPv4":"IPv6,IPv4");
219
buf_append(buf, sizeof(buf), "X-DTLS-Master-Secret: ");
220
for (i = 0; i < sizeof(vpninfo->dtls_secret); i++)
221
222
buf_append(buf, sizeof(buf), "%02X", vpninfo->dtls_secret[i]);
buf_append(buf, sizeof(buf), "\r\nX-DTLS-CipherSuite: %s\r\n\r\n",
223
vpninfo->dtls_ciphers?:"AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
224
225
226
openconnect_SSL_write(vpninfo, buf, strlen(buf));
227
228
229
if ((i = openconnect_SSL_gets(vpninfo, buf, 65536) < 0)) {
if (i == -EINTR)
return i;
230
231
vpn_progress(vpninfo, PRG_ERR,
_("Error fetching HTTPS response\n"));
232
233
if (!retried) {
retried = 1;
234
openconnect_close_https(vpninfo, 0);
235
236
if (openconnect_open_https(vpninfo)) {
237
vpn_progress(vpninfo, PRG_ERR,
238
239
_("Failed to open HTTPS connection to %s\n"),
vpninfo->hostname);
240
241
242
243
244
245
246
247
exit(1);
}
goto retry;
}
return -EINVAL;
}
if (strncmp(buf, "HTTP/1.1 200 ", 13)) {
248
249
if (!strncmp(buf, "HTTP/1.1 503 ", 13)) {
/* "Service Unavailable. Why? */
250
const char *reason = "<unknown>";
251
while ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf)))) {
252
253
254
255
256
if (!strncmp(buf, "X-Reason: ", 10)) {
reason = buf + 10;
break;
}
}
257
258
259
vpn_progress(vpninfo, PRG_ERR,
_("VPN service unavailable; reason: %s\n"),
reason);
260
261
return -EINVAL;
}
262
vpn_progress(vpninfo, PRG_ERR,
263
264
_("Got inappropriate HTTP CONNECT response: %s\n"),
buf);
265
266
267
268
269
if (!strncmp(buf, "HTTP/1.1 401 ", 13))
exit(2);
return -EINVAL;
}
270
vpn_progress(vpninfo, PRG_INFO, _("Got CONNECT response: %s\n"), buf);
271
272
273
/* We may have advertised it, but we only do it if the server agrees */
vpninfo->deflate = 0;
274
mtu = 0;
275
276
while ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf)))) {
277
struct vpn_option *new_option;
278
279
280
281
282
283
char *colon;
if (i < 0)
return i;
colon = strchr(buf, ':');
284
285
286
287
288
289
290
291
292
293
294
295
296
297
if (!colon)
continue;
*colon = 0;
colon++;
if (*colon == ' ')
colon++;
if (strncmp(buf, "X-DTLS-", 7) &&
strncmp(buf, "X-CSTP-", 7))
continue;
new_option = malloc(sizeof(*new_option));
if (!new_option) {
298
vpn_progress(vpninfo, PRG_ERR, _("No memory for options\n"));
299
300
301
302
303
304
305
return -ENOMEM;
}
new_option->option = strdup(buf);
new_option->value = strdup(colon);
new_option->next = NULL;
if (!new_option->option || !new_option->value) {
306
vpn_progress(vpninfo, PRG_ERR, _("No memory for options\n"));
307
308
309
free(new_option->option);
free(new_option->value);
free(new_option);
310
311
312
return -ENOMEM;
}
313
vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
314
315
316
317
if (!strncmp(buf, "X-DTLS-", 7)) {
*next_dtls_option = new_option;
next_dtls_option = &new_option->next;
318
319
if (!strcmp(buf + 7, "MTU")) {
320
321
322
int dtlsmtu = atol(colon);
if (dtlsmtu > mtu)
mtu = dtlsmtu;
323
} else if (!strcmp(buf + 7, "Session-ID")) {
324
if (strlen(colon) != 64) {
325
vpn_progress(vpninfo, PRG_ERR,
326
327
_("X-DTLS-Session-ID not 64 characters; is: \"%s\"\n"),
colon);
328
329
330
331
332
333
334
335
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
for (i = 0; i < 64; i += 2)
vpninfo->dtls_session_id[i/2] = unhex(colon + i);
sessid_found = 1;
time(&vpninfo->dtls_times.last_rekey);
}
336
337
338
339
340
341
342
343
344
345
continue;
}
/* CSTP options... */
*next_cstp_option = new_option;
next_cstp_option = &new_option->next;
if (!strcmp(buf + 7, "Keepalive")) {
vpninfo->ssl_times.keepalive = atol(colon);
} else if (!strcmp(buf + 7, "DPD")) {
346
347
348
int j = atol(colon);
if (j && (!vpninfo->ssl_times.dpd || j < vpninfo->ssl_times.dpd))
vpninfo->ssl_times.dpd = j;
349
350
} else if (!strcmp(buf + 7, "Rekey-Time")) {
vpninfo->ssl_times.rekey = atol(colon);
351
352
353
354
} else if (!strcmp(buf + 7, "Content-Encoding")) {
if (!strcmp(colon, "deflate"))
vpninfo->deflate = 1;
else {
355
vpn_progress(vpninfo, PRG_ERR,
356
357
_("Unknown CSTP-Content-Encoding %s\n"),
colon);
358
359
360
return -EINVAL;
}
} else if (!strcmp(buf + 7, "MTU")) {
361
362
363
int cstpmtu = atol(colon);
if (cstpmtu > mtu)
mtu = cstpmtu;
364
} else if (!strcmp(buf + 7, "Address")) {
365
366
367
368
if (strchr(new_option->value, ':')) {
if (!vpninfo->disable_ipv6)
vpninfo->vpn_addr6 = new_option->value;
} else
369
vpninfo->vpn_addr = new_option->value;
370
} else if (!strcmp(buf + 7, "Netmask")) {
371
372
373
374
if (strchr(new_option->value, ':')) {
if (!vpninfo->disable_ipv6)
vpninfo->vpn_netmask6 = new_option->value;
} else
375
vpninfo->vpn_netmask = new_option->value;
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
} else if (!strcmp(buf + 7, "DNS")) {
int j;
for (j = 0; j < 3; j++) {
if (!vpninfo->vpn_dns[j]) {
vpninfo->vpn_dns[j] = new_option->value;
break;
}
}
} else if (!strcmp(buf + 7, "NBNS")) {
int j;
for (j = 0; j < 3; j++) {
if (!vpninfo->vpn_nbns[j]) {
vpninfo->vpn_nbns[j] = new_option->value;
break;
}
}
} else if (!strcmp(buf + 7, "Default-Domain")) {
vpninfo->vpn_domain = new_option->value;
394
395
} else if (!strcmp(buf + 7, "MSIE-Proxy-PAC-URL")) {
vpninfo->vpn_proxy_pac = new_option->value;
396
397
} else if (!strcmp(buf + 7, "Banner")) {
vpninfo->banner = new_option->value;
398
399
400
401
402
403
404
} else if (!strcmp(buf + 7, "Split-DNS")) {
struct split_include *dns = malloc(sizeof(*dns));
if (!dns)
continue;
dns->route = new_option->value;
dns->next = vpninfo->split_dns;
vpninfo->split_dns = dns;
405
406
407
408
409
410
411
} else if (!strcmp(buf + 7, "Split-Include")) {
struct split_include *inc = malloc(sizeof(*inc));
if (!inc)
continue;
inc->route = new_option->value;
inc->next = vpninfo->split_includes;
vpninfo->split_includes = inc;
412
413
414
415
416
} else if (!strcmp(buf + 7, "Split-Exclude")) {
struct split_include *exc = malloc(sizeof(*exc));
if (!exc)
continue;
exc->route = new_option->value;
417
exc->next = vpninfo->split_excludes;
418
vpninfo->split_excludes = exc;
419
420
421
}
}
422
423
424
425
426
427
428
if (!mtu) {
vpn_progress(vpninfo, PRG_ERR,
_("No MTU received. Aborting\n"));
return -EINVAL;
}
vpninfo->actual_mtu = mtu;
429
if (!vpninfo->vpn_addr && !vpninfo->vpn_addr6) {
430
431
vpn_progress(vpninfo, PRG_ERR,
_("No IP address received. Aborting\n"));
432
433
434
435
return -EINVAL;
}
if (old_addr) {
if (strcmp(old_addr, vpninfo->vpn_addr)) {
436
437
438
vpn_progress(vpninfo, PRG_ERR,
_("Reconnect gave different Legacy IP address (%s != %s)\n"),
vpninfo->vpn_addr, old_addr);
439
440
441
442
443
return -EINVAL;
}
}
if (old_netmask) {
if (strcmp(old_netmask, vpninfo->vpn_netmask)) {
444
445
446
vpn_progress(vpninfo, PRG_ERR,
_("Reconnect gave different Legacy IP netmask (%s != %s)\n"),
vpninfo->vpn_netmask, old_netmask);
447
448
449
return -EINVAL;
}
}
450
451
if (old_addr6) {
if (strcmp(old_addr6, vpninfo->vpn_addr6)) {
452
453
454
vpn_progress(vpninfo, PRG_ERR,
_("Reconnect gave different IPv6 address (%s != %s)\n"),
vpninfo->vpn_addr6, old_addr6);
455
456
457
458
459
return -EINVAL;
}
}
if (old_netmask6) {
if (strcmp(old_netmask6, vpninfo->vpn_netmask6)) {
460
461
462
vpn_progress(vpninfo, PRG_ERR,
_("Reconnect gave different IPv6 netmask (%s != %s)\n"),
vpninfo->vpn_netmask6, old_netmask6);
463
464
465
return -EINVAL;
}
}
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
while (old_dtls_opts) {
struct vpn_option *tmp = old_dtls_opts;
old_dtls_opts = old_dtls_opts->next;
free(tmp->value);
free(tmp->option);
free(tmp);
}
while (old_cstp_opts) {
struct vpn_option *tmp = old_cstp_opts;
old_cstp_opts = old_cstp_opts->next;
free(tmp->value);
free(tmp->option);
free(tmp);
}
481
482
vpn_progress(vpninfo, PRG_INFO, _("CSTP connected. DPD %d, Keepalive %d\n"),
vpninfo->ssl_times.dpd, vpninfo->ssl_times.keepalive);
483
484
485
486
487
488
if (vpninfo->select_nfds <= vpninfo->ssl_fd)
vpninfo->select_nfds = vpninfo->ssl_fd + 1;
FD_SET(vpninfo->ssl_fd, &vpninfo->select_rfds);
FD_SET(vpninfo->ssl_fd, &vpninfo->select_efds);
489
490
491
492
493
494
if (!sessid_found)
vpninfo->dtls_attempt_period = 0;
vpninfo->ssl_times.last_rekey = vpninfo->ssl_times.last_rx =
vpninfo->ssl_times.last_tx = time(NULL);
495
496
497
498
return 0;
}
499
int make_cstp_connection(struct openconnect_info *vpninfo)
500
{
501
502
int ret;
503
504
ret = openconnect_open_https(vpninfo);
if (ret)
505
return ret;
506
507
508
509
510
511
512
513
if (vpninfo->deflate) {
vpninfo->deflate_adler32 = 1;
vpninfo->inflate_adler32 = 1;
if (inflateInit2(&vpninfo->inflate_strm, -12) ||
deflateInit2(&vpninfo->deflate_strm, Z_DEFAULT_COMPRESSION,
Z_DEFLATED, -12, 9, Z_DEFAULT_STRATEGY)) {
514
vpn_progress(vpninfo, PRG_ERR, _("Compression setup failed\n"));
515
516
517
518
519
520
vpninfo->deflate = 0;
}
if (!vpninfo->deflate_pkt) {
vpninfo->deflate_pkt = malloc(sizeof(struct pkt) + 2048);
if (!vpninfo->deflate_pkt) {
521
522
vpn_progress(vpninfo, PRG_ERR,
_("Allocation of deflate buffer failed\n"));
523
524
inflateEnd(&vpninfo->inflate_strm);
deflateEnd(&vpninfo->deflate_strm);
525
vpninfo->deflate = 0;
526
527
528
529
} else {
memset(vpninfo->deflate_pkt, 0, sizeof(struct pkt));
memcpy(vpninfo->deflate_pkt->hdr, data_hdr, 8);
vpninfo->deflate_pkt->hdr[6] = AC_PKT_COMPRESSED;
530
531
532
533
}
}
}
534
535
return start_cstp_connection(vpninfo);
}
536
537
int cstp_reconnect(struct openconnect_info *vpninfo)
538
{
539
540
541
int ret;
int timeout;
int interval;
542
543
openconnect_close_https(vpninfo, 0);
544
545
if (vpninfo->deflate) {
546
547
548
549
550
551
/* Requeue the original packet that was deflated */
if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt) {
vpninfo->current_ssl_pkt = NULL;
queue_packet(&vpninfo->outgoing_queue, vpninfo->pending_deflated_pkt);
vpninfo->pending_deflated_pkt = NULL;
}
552
553
554
inflateEnd(&vpninfo->inflate_strm);
deflateEnd(&vpninfo->deflate_strm);
}
555
556
timeout = vpninfo->reconnect_timeout;
interval = vpninfo->reconnect_interval;
557
558
while ((ret = make_cstp_connection(vpninfo))) {
559
if (timeout <= 0)
560
return ret;
561
vpn_progress(vpninfo, PRG_INFO,
562
563
_("sleep %ds, remaining timeout %ds\n"),
interval, timeout);
564
sleep(interval);
565
566
if (killed)
return 1;
567
568
569
570
timeout -= interval;
interval += vpninfo->reconnect_interval;
if (interval > RECONNECT_INTERVAL_MAX)
interval = RECONNECT_INTERVAL_MAX;
571
}
572
script_config_tun(vpninfo, "reconnect");
573
574
575
return 0;
}
576
577
static int inflate_and_queue_packet(struct openconnect_info *vpninfo,
unsigned char *buf, int len)
578
{
579
struct pkt *new = malloc(sizeof(struct pkt) + vpninfo->actual_mtu);
580
uint32_t pkt_sum;
581
582
583
584
585
586
587
588
589
590
if (!new)
return -ENOMEM;
new->next = NULL;
vpninfo->inflate_strm.next_in = buf;
vpninfo->inflate_strm.avail_in = len - 4;
vpninfo->inflate_strm.next_out = new->data;
591
vpninfo->inflate_strm.avail_out = vpninfo->actual_mtu;
592
593
594
vpninfo->inflate_strm.total_out = 0;
if (inflate(&vpninfo->inflate_strm, Z_SYNC_FLUSH)) {
595
vpn_progress(vpninfo, PRG_ERR, _("inflate failed\n"));
596
597
598
599
600
601
602
603
604
free(new);
return -EINVAL;
}
new->len = vpninfo->inflate_strm.total_out;
vpninfo->inflate_adler32 = adler32(vpninfo->inflate_adler32,
new->data, new->len);
605
606
607
608
pkt_sum = buf[len - 1] | (buf[len - 2] << 8) |
(buf[len - 3] << 16) | (buf[len - 4] << 24);
if (vpninfo->inflate_adler32 != pkt_sum) {
609
610
611
vpninfo->quit_reason = "Compression (inflate) adler32 failure";
}
612
vpn_progress(vpninfo, PRG_TRACE,
613
_("Received compressed data packet of %ld bytes\n"),
614
(long)vpninfo->inflate_strm.total_out);
615
616
617
618
619
queue_packet(&vpninfo->incoming_queue, new);
return 0;
}
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
#if defined (OPENCONNECT_OPENSSL)
static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)
{
int len, ret;
len = SSL_read(vpninfo->https_ssl, buf, maxlen);
if (len > 0)
return len;
ret = SSL_get_error(vpninfo->https_ssl, len);
if (ret == SSL_ERROR_SYSCALL || ret == SSL_ERROR_ZERO_RETURN) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL read error %d (server probably closed connection); reconnecting.\n"),
ret);
return -EIO;
}
return 0;
}
static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)
{
int ret;
ret = SSL_write(vpninfo->https_ssl, buf, buflen);
if (ret > 0)
return ret;
ret = SSL_get_error(vpninfo->https_ssl, ret);
switch (ret) {
case SSL_ERROR_WANT_WRITE:
/* Waiting for the socket to become writable -- it's
probably stalled, and/or the buffers are full */
FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);
case SSL_ERROR_WANT_READ:
return 0;
default:
vpn_progress(vpninfo, PRG_ERR, _("SSL_write failed: %d\n"), ret);
openconnect_report_ssl_errors(vpninfo);
return -1;
}
}
#elif defined (OPENCONNECT_GNUTLS)
static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)
{
int ret;
ret = gnutls_record_recv(vpninfo->https_sess, buf, maxlen);
if (ret > 0)
return ret;
if (ret != GNUTLS_E_AGAIN) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL read error: %s; reconnecting.\n"),
gnutls_strerror(ret));
return -EIO;
}
return 0;
}
static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)
{
int ret;
ret = gnutls_record_send(vpninfo->https_sess, buf, buflen);
if (ret > 0)
return ret;
if (ret == GNUTLS_E_AGAIN) {
if (gnutls_record_get_direction(vpninfo->https_sess)) {
/* Waiting for the socket to become writable -- it's
probably stalled, and/or the buffers are full */
FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);
}
return 0;
}
vpn_progress(vpninfo, PRG_ERR, _("SSL send failed: %s\n"),
gnutls_strerror(ret));
return -1;
}
#endif
702
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout)
703
704
705
706
707
708
709
710
711
712
713
{
unsigned char buf[16384];
int len, ret;
int work_done = 0;
/* FIXME: The poll() handling here is fairly simplistic. Actually,
if the SSL connection stalls it could return a WANT_WRITE error
on _either_ of the SSL_read() or SSL_write() calls. In that case,
we should probably remove POLLIN from the events we're looking for,
and add POLLOUT. As it is, though, it'll just chew CPU time in that
fairly unlikely situation, until the write backlog clears. */
714
while ( (len = cstp_read(vpninfo, buf, sizeof(buf))) > 0) {
715
716
717
718
719
720
721
722
int payload_len;
if (buf[0] != 'S' || buf[1] != 'T' ||
buf[2] != 'F' || buf[3] != 1 || buf[7])
goto unknown_pkt;
payload_len = (buf[4] << 8) + buf[5];
if (len != 8 + payload_len) {
723
vpn_progress(vpninfo, PRG_ERR,
724
725
_("Unexpected packet length. SSL_read returned %d but packet is\n"),
len);
726
vpn_progress(vpninfo, PRG_ERR,
727
728
729
"%02x %02x %02x %02x %02x %02x %02x %02x\n",
buf[0], buf[1], buf[2], buf[3],
buf[4], buf[5], buf[6], buf[7]);
730
731
732
733
734
continue;
}
vpninfo->ssl_times.last_rx = time(NULL);
switch(buf[6]) {
case AC_PKT_DPD_OUT:
735
vpn_progress(vpninfo, PRG_TRACE,
736
_("Got CSTP DPD request\n"));
737
738
739
740
vpninfo->owe_ssl_dpd_response = 1;
continue;
case AC_PKT_DPD_RESP:
741
vpn_progress(vpninfo, PRG_TRACE,
742
_("Got CSTP DPD response\n"));
743
744
745
continue;
case AC_PKT_KEEPALIVE:
746
vpn_progress(vpninfo, PRG_TRACE,
747
_("Got CSTP Keepalive\n"));
748
749
750
continue;
case AC_PKT_DATA:
751
vpn_progress(vpninfo, PRG_TRACE,
752
753
_("Received uncompressed data packet of %d bytes\n"),
payload_len);
754
queue_new_packet(&vpninfo->incoming_queue, buf + 8,
755
756
757
758
payload_len);
work_done = 1;
continue;
759
760
761
762
763
764
765
case AC_PKT_DISCONN: {
int i;
for (i = 0; i < payload_len; i++) {
if (!isprint(buf[payload_len + 8 + i]))
buf[payload_len + 8 + i] = '.';
}
buf[payload_len + 8] = 0;
766
vpn_progress(vpninfo, PRG_ERR,
767
768
_("Received server disconnect: %02x '%s'\n"),
buf[8], buf + 9);
769
770
771
vpninfo->quit_reason = "Server request";
return 1;
}
772
773
case AC_PKT_COMPRESSED:
if (!vpninfo->deflate) {
774
775
vpn_progress(vpninfo, PRG_ERR,
_("Compressed packet received in !deflate mode\n"));
776
777
goto unknown_pkt;
}
778
inflate_and_queue_packet(vpninfo, buf + 8, payload_len);
779
780
781
782
work_done = 1;
continue;
case AC_PKT_TERM_SERVER:
783
vpn_progress(vpninfo, PRG_ERR, _("received server terminate packet\n"));
784
785
786
787
788
vpninfo->quit_reason = "Server request";
return 1;
}
unknown_pkt:
789
vpn_progress(vpninfo, PRG_ERR,
790
791
792
_("Unknown packet %02x %02x %02x %02x %02x %02x %02x %02x\n"),
buf[0], buf[1], buf[2], buf[3],
buf[4], buf[5], buf[6], buf[7]);
793
794
795
vpninfo->quit_reason = "Unknown packet received";
return 1;
}
796
797
if (len < 0)
goto do_reconnect;
798
799
800
/* If SSL_write() fails we are expected to try again. With exactly
801
the same data, at exactly the same location. So we keep the
802
803
804
805
packet we had before.... */
if (vpninfo->current_ssl_pkt) {
handle_outgoing:
vpninfo->ssl_times.last_tx = time(NULL);
806
FD_CLR(vpninfo->ssl_fd, &vpninfo->select_wfds);
807
808
809
810
811
812
ret = cstp_write(vpninfo,
vpninfo->current_ssl_pkt->hdr,
vpninfo->current_ssl_pkt->len + 8);
if (ret < 0)
goto do_reconnect;
813
814
815
816
817
else if (!ret) {
/* -EAGAIN: cstp_write() will have added the SSL fd to
->select_wfds if appropriate, so we can just return
and wait. Unless it's been stalled for so long that
DPD kicks in and we kill the connection. */
818
819
switch (ka_stalled_action(&vpninfo->ssl_times, timeout)) {
case KA_DPD_DEAD:
820
goto peer_dead;
821
822
823
824
825
826
827
828
case KA_REKEY:
goto do_rekey;
case KA_NONE:
return work_done;
default:
/* This should never happen */
;
}
829
}
830
831
if (ret != vpninfo->current_ssl_pkt->len + 8) {
832
833
834
vpn_progress(vpninfo, PRG_ERR,
_("SSL wrote too few bytes! Asked for %d, sent %d\n"),
vpninfo->current_ssl_pkt->len + 8, ret);
835
836
837
838
vpninfo->quit_reason = "Internal error";
return 1;
}
/* Don't free the 'special' packets */
839
840
841
842
843
if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt)
free(vpninfo->pending_deflated_pkt);
else if (vpninfo->current_ssl_pkt != &dpd_pkt &&
vpninfo->current_ssl_pkt != &dpd_resp_pkt &&
vpninfo->current_ssl_pkt != &keepalive_pkt)
844
845
846
847
848
849
850
851
852
853
854
855
856
free(vpninfo->current_ssl_pkt);
vpninfo->current_ssl_pkt = NULL;
}
if (vpninfo->owe_ssl_dpd_response) {
vpninfo->owe_ssl_dpd_response = 0;
vpninfo->current_ssl_pkt = &dpd_resp_pkt;
goto handle_outgoing;
}
switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
case KA_REKEY:
857
do_rekey:
858
859
/* Not that this will ever happen; we don't even process
the setting when we're asked for it. */
860
vpn_progress(vpninfo, PRG_INFO, _("CSTP rekey due\n"));
861
goto do_reconnect;
862
863
864
865
break;
case KA_DPD_DEAD:
peer_dead:
866
867
vpn_progress(vpninfo, PRG_ERR,
_("CSTP Dead Peer Detection detected dead peer!\n"));
868
do_reconnect:
869
if (cstp_reconnect(vpninfo)) {
870
vpn_progress(vpninfo, PRG_ERR, _("Reconnect failed\n"));
871
vpninfo->quit_reason = "CSTP reconnect failed";
872
873
874
875
876
877
878
return 1;
}
/* I think we can leave DTLS to its own devices; when we reconnect
with the same master secret, we do seem to get the same sessid */
return 1;
case KA_DPD:
879
vpn_progress(vpninfo, PRG_TRACE, _("Send CSTP DPD\n"));
880
881
882
883
884
885
886
887
888
889
vpninfo->current_ssl_pkt = &dpd_pkt;
goto handle_outgoing;
case KA_KEEPALIVE:
/* No need to send an explicit keepalive
if we have real data to send */
if (vpninfo->dtls_fd == -1 && vpninfo->outgoing_queue)
break;
890
vpn_progress(vpninfo, PRG_TRACE, _("Send CSTP Keepalive\n"));
891
892
893
894
895
896
897
898
899
900
901
902
vpninfo->current_ssl_pkt = &keepalive_pkt;
goto handle_outgoing;
case KA_NONE:
;
}
/* Service outgoing packet queue, if no DTLS */
while (vpninfo->dtls_fd == -1 && vpninfo->outgoing_queue) {
struct pkt *this = vpninfo->outgoing_queue;
vpninfo->outgoing_queue = this->next;
903
vpninfo->outgoing_qlen--;
904
905
906
907
908
909
910
911
912
913
914
915
916
if (vpninfo->deflate) {
unsigned char *adler;
int ret;
vpninfo->deflate_strm.next_in = this->data;
vpninfo->deflate_strm.avail_in = this->len;
vpninfo->deflate_strm.next_out = (void *)vpninfo->deflate_pkt->data;
vpninfo->deflate_strm.avail_out = 2040;
vpninfo->deflate_strm.total_out = 0;
ret = deflate(&vpninfo->deflate_strm, Z_SYNC_FLUSH);
if (ret) {
917
vpn_progress(vpninfo, PRG_ERR, _("deflate failed %d\n"), ret);
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
goto uncompr;
}
vpninfo->deflate_pkt->hdr[4] = (vpninfo->deflate_strm.total_out + 4) >> 8;
vpninfo->deflate_pkt->hdr[5] = (vpninfo->deflate_strm.total_out + 4) & 0xff;
/* Add ongoing adler32 to tail of compressed packet */
vpninfo->deflate_adler32 = adler32(vpninfo->deflate_adler32,
this->data, this->len);
adler = &vpninfo->deflate_pkt->data[vpninfo->deflate_strm.total_out];
*(adler++) = vpninfo->deflate_adler32 >> 24;
*(adler++) = (vpninfo->deflate_adler32 >> 16) & 0xff;
*(adler++) = (vpninfo->deflate_adler32 >> 8) & 0xff;
*(adler) = vpninfo->deflate_adler32 & 0xff;
vpninfo->deflate_pkt->len = vpninfo->deflate_strm.total_out + 4;
936
vpn_progress(vpninfo, PRG_TRACE,
937
938
_("Sending compressed data packet of %d bytes\n"),
this->len);
939
940
vpninfo->pending_deflated_pkt = this;
941
942
943
944
945
946
947
vpninfo->current_ssl_pkt = vpninfo->deflate_pkt;
} else {
uncompr:
memcpy(this->hdr, data_hdr, 8);
this->hdr[4] = this->len >> 8;
this->hdr[5] = this->len & 0xff;
948
vpn_progress(vpninfo, PRG_TRACE,
949
950
_("Sending uncompressed data packet of %d bytes\n"),
this->len);
951
952
953
954
955
956
957
958
959
960
vpninfo->current_ssl_pkt = this;
}
goto handle_outgoing;
}
/* Work is not done if we just got rid of packets off the queue */
return work_done;
}
961
int cstp_bye(struct openconnect_info *vpninfo, const char *reason)
962
963
{
unsigned char *bye_pkt;
964
965
966
int reason_len;
/* already lost connection? */
967
#if defined (OPENCONNECT_OPENSSL)
968
969
if (!vpninfo->https_ssl)
return 0;
970
971
972
973
#elif defined (OPENCONNECT_GNUTLS)
if (!vpninfo->https_sess)
return 0;
#endif
974
975
reason_len = strlen(reason);
976
bye_pkt = malloc(reason_len + 9);
977
978
if (!bye_pkt)
return -ENOMEM;
979
980
memcpy(bye_pkt, data_hdr, 8);
981
memcpy(bye_pkt + 9, reason, reason_len);
982
983
984
bye_pkt[4] = (reason_len + 1) >> 8;
bye_pkt[5] = (reason_len + 1) & 0xff;
985
bye_pkt[6] = AC_PKT_DISCONN;
986
bye_pkt[8] = 0xb0;
987
988
vpn_progress(vpninfo, PRG_INFO,
989
_("Send BYE packet: %s\n"), reason);
990
991
992
993
cstp_write(vpninfo, bye_pkt, reason_len + 9);
free(bye_pkt);
994
995
return 0;
}