/
ssl.c
510 lines (451 loc) · 12.7 KB
1
/*
2
* OpenConnect (SSL + DTLS) VPN client
3
*
4
* Copyright © 2008-2012 Intel Corporation.
5
*
6
7
8
* Author: David Woodhouse <dwmw2@infradead.org>
*
* This program is free software; you can redistribute it and/or
9
* modify it under the terms of the GNU Lesser General Public License
10
* version 2.1, as published by the Free Software Foundation.
11
*
12
* This program is distributed in the hope that it will be useful, but
13
14
15
16
17
18
19
20
21
22
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to:
*
* Free Software Foundation, Inc.
* 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA
23
*/
24
25
#include <sys/types.h>
26
#include <sys/socket.h>
27
#include <sys/stat.h>
28
29
#include <netinet/in.h>
#include <arpa/inet.h>
30
31
#include <netdb.h>
#include <unistd.h>
32
#include <fcntl.h>
33
#include <string.h>
34
#include <stdio.h>
35
#include <errno.h>
36
#include <stdlib.h>
37
#include <stdarg.h>
38
#if defined(__linux__) || defined(ANDROID)
39
#include <sys/vfs.h>
40
#elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__OpenBSD__) || defined(__APPLE__)
41
42
#include <sys/param.h>
#include <sys/mount.h>
43
#elif defined (__sun__) || defined(__NetBSD__) || defined(__DragonFly__)
44
#include <sys/statvfs.h>
45
46
#elif defined (__GNU__)
#include <sys/statfs.h>
47
#endif
48
49
#include "openconnect-internal.h"
50
51
52
53
54
55
/* OSX < 1.6 doesn't have AI_NUMERICSERV */
#ifndef AI_NUMERICSERV
#define AI_NUMERICSERV 0
#endif
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
static int cancellable_connect(struct openconnect_info *vpninfo, int sockfd,
const struct sockaddr *addr, socklen_t addrlen)
{
struct sockaddr_storage peer;
socklen_t peerlen = sizeof(peer);
fd_set wr_set, rd_set;
int maxfd = sockfd;
fcntl(sockfd, F_SETFL, fcntl(sockfd, F_GETFL) | O_NONBLOCK);
if (connect(sockfd, addr, addrlen) < 0 && errno != EINPROGRESS)
return -1;
FD_ZERO(&wr_set);
FD_ZERO(&rd_set);
FD_SET(sockfd, &wr_set);
if (vpninfo->cancel_fd != -1) {
FD_SET(vpninfo->cancel_fd, &rd_set);
if (vpninfo->cancel_fd > sockfd)
maxfd = vpninfo->cancel_fd;
}
/* Later we'll render this whole exercise non-pointless by
including a 'cancelfd' here too. */
select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
if (vpninfo->cancel_fd != -1 && FD_ISSET(vpninfo->cancel_fd, &rd_set)) {
82
vpn_progress(vpninfo, PRG_ERR, _("Socket connect cancelled\n"));
83
84
85
86
87
88
89
90
91
errno = EINTR;
return -1;
}
/* Check whether connect() succeeded or failed by using
getpeername(). See http://cr.yp.to/docs/connect.html */
return getpeername(sockfd, (void *)&peer, &peerlen);
}
92
int connect_https_socket(struct openconnect_info *vpninfo)
93
{
94
int ssl_sock = -1;
95
96
int err;
97
98
99
if (!vpninfo->port)
vpninfo->port = 443;
100
if (vpninfo->peer_addr) {
101
102
103
104
105
106
107
108
109
110
111
#ifdef SOCK_CLOEXEC
ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_IP);
if (ssl_sock < 0)
#endif
{
ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM, IPPROTO_IP);
if (ssl_sock < 0)
goto reconn_err;
fcntl(ssl_sock, F_SETFD, fcntl(ssl_sock, F_GETFD) | FD_CLOEXEC);
}
if (cancellable_connect(vpninfo, ssl_sock, vpninfo->peer_addr, vpninfo->peer_addrlen)) {
112
reconn_err:
113
if (vpninfo->proxy) {
114
vpn_progress(vpninfo, PRG_ERR,
115
116
117
_("Failed to reconnect to proxy %s\n"),
vpninfo->proxy);
} else {
118
vpn_progress(vpninfo, PRG_ERR,
119
120
121
_("Failed to reconnect to host %s\n"),
vpninfo->hostname);
}
122
123
if (ssl_sock >= 0)
close(ssl_sock);
124
return -EINVAL;
125
}
126
127
} else {
struct addrinfo hints, *result, *rp;
128
char *hostname;
129
char port[6];
130
131
132
133
134
135
136
137
138
139
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV;
hints.ai_protocol = 0;
hints.ai_canonname = NULL;
hints.ai_addr = NULL;
hints.ai_next = NULL;
140
141
142
143
/* The 'port' variable is a string because it's easier
this way than if we pass NULL to getaddrinfo() and
then try to fill in the numeric value into
different types of returned sockaddr_in{6,}. */
144
#ifdef LIBPROXY_HDR
145
146
147
148
149
if (vpninfo->proxy_factory) {
char *url;
char **proxies;
int i = 0;
150
151
free(vpninfo->proxy_type);
vpninfo->proxy_type = NULL;
152
153
154
155
free(vpninfo->proxy);
vpninfo->proxy = NULL;
if (vpninfo->port == 443)
156
157
i = asprintf(&url, "https://%s/%s", vpninfo->hostname,
vpninfo->urlpath?:"");
158
else
159
160
161
162
i = asprintf(&url, "https://%s:%d/%s", vpninfo->hostname,
vpninfo->port, vpninfo->urlpath?:"");
if (i == -1)
return -ENOMEM;
163
164
165
166
proxies = px_proxy_factory_get_proxies(vpninfo->proxy_factory,
url);
167
i = 0;
168
while (proxies && proxies[i]) {
169
170
171
172
if (!vpninfo->proxy &&
(!strncmp(proxies[i], "http://", 7) ||
!strncmp(proxies[i], "socks://", 8) ||
!strncmp(proxies[i], "socks5://", 9)))
173
internal_parse_url(proxies[i], &vpninfo->proxy_type,
174
175
&vpninfo->proxy, &vpninfo->proxy_port,
NULL, 0);
176
177
178
179
180
i++;
}
free(url);
free(proxies);
if (vpninfo->proxy)
181
182
183
vpn_progress(vpninfo, PRG_TRACE,
_("Proxy from libproxy: %s://%s:%d/\n"),
vpninfo->proxy_type, vpninfo->proxy, vpninfo->port);
184
185
}
#endif
186
187
if (vpninfo->proxy) {
hostname = vpninfo->proxy;
188
snprintf(port, 6, "%d", vpninfo->proxy_port);
189
190
} else {
hostname = vpninfo->hostname;
191
snprintf(port, 6, "%d", vpninfo->port);
192
193
}
194
if (hostname[0] == '[' && hostname[strlen(hostname)-1] == ']') {
195
196
197
198
/* Solaris has no strndup(). */
int len = strlen(hostname) - 2;
char *new_hostname = malloc(len + 1);
if (!new_hostname)
199
return -ENOMEM;
200
201
202
203
memcpy(new_hostname, hostname + 1, len);
new_hostname[len] = 0;
hostname = new_hostname;
204
205
206
hints.ai_flags |= AI_NUMERICHOST;
}
207
err = getaddrinfo(hostname, port, &hints, &result);
208
209
if (err) {
210
211
212
vpn_progress(vpninfo, PRG_ERR,
_("getaddrinfo failed for host '%s': %s\n"),
hostname, gai_strerror(err));
213
214
if (hints.ai_flags & AI_NUMERICHOST)
free(hostname);
215
216
return -EINVAL;
}
217
218
if (hints.ai_flags & AI_NUMERICHOST)
free(hostname);
219
220
for (rp = result; rp ; rp = rp->ai_next) {
221
222
char host[80];
223
host[0] = 0;
224
225
if (!getnameinfo(rp->ai_addr, rp->ai_addrlen, host,
sizeof(host), NULL, 0, NI_NUMERICHOST))
226
227
228
vpn_progress(vpninfo, PRG_INFO, vpninfo->proxy_type?
_("Attempting to connect to proxy %s%s%s:%s\n"):
_("Attempting to connect to server %s%s%s:%s\n"),
229
230
231
232
rp->ai_family == AF_INET6?"[":"",
host,
rp->ai_family == AF_INET6?"]":"",
port);
233
234
235
236
237
ssl_sock = socket(rp->ai_family, rp->ai_socktype,
rp->ai_protocol);
if (ssl_sock < 0)
continue;
238
if (cancellable_connect(vpninfo, ssl_sock, rp->ai_addr, rp->ai_addrlen) >= 0) {
239
240
241
242
/* Store the peer address we actually used, so that DTLS can
use it again later */
vpninfo->peer_addr = malloc(rp->ai_addrlen);
if (!vpninfo->peer_addr) {
243
244
vpn_progress(vpninfo, PRG_ERR,
_("Failed to allocate sockaddr storage\n"));
245
246
247
248
249
close(ssl_sock);
return -ENOMEM;
}
vpninfo->peer_addrlen = rp->ai_addrlen;
memcpy(vpninfo->peer_addr, rp->ai_addr, rp->ai_addrlen);
250
251
252
253
/* If no proxy, and if more than one address for the hostname,
ensure that we output the same IP address in authentication
results (from libopenconnect or --authenticate). */
if (!vpninfo->proxy && (rp != result || rp->ai_next) && host[0]) {
254
char *p = malloc(strlen(host) + 3);
255
256
257
258
259
260
261
262
263
if (p) {
free(vpninfo->hostname);
vpninfo->hostname = p;
if (rp->ai_family == AF_INET6)
*p++ = '[';
memcpy(p, host, strlen(host));
p += strlen(host);
if (rp->ai_family == AF_INET6)
*p++ = ']';
264
*p = 0;
265
266
}
}
267
268
269
270
271
272
273
274
break;
}
close(ssl_sock);
ssl_sock = -1;
}
freeaddrinfo(result);
if (ssl_sock < 0) {
275
276
277
vpn_progress(vpninfo, PRG_ERR,
_("Failed to connect to host %s\n"),
vpninfo->proxy?:vpninfo->hostname);
278
279
return -EINVAL;
}
280
281
}
282
if (vpninfo->proxy) {
283
err = process_proxy(vpninfo, ssl_sock);
284
285
286
287
288
289
if (err) {
close(ssl_sock);
return err;
}
}
290
291
292
return ssl_sock;
}
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
int __attribute__ ((format (printf, 2, 3)))
openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...)
{
char buf[1024];
va_list args;
buf[1023] = 0;
va_start(args, fmt);
vsnprintf(buf, 1023, fmt, args);
va_end(args);
return openconnect_SSL_write(vpninfo, buf, strlen(buf));
}
308
int request_passphrase(struct openconnect_info *vpninfo, const char *label,
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
char **response, const char *fmt, ...)
{
struct oc_auth_form f;
struct oc_form_opt o;
char buf[1024];
va_list args;
int ret;
if (!vpninfo->process_auth_form)
return -EINVAL;
buf[1023] = 0;
memset(&f, 0, sizeof(f));
va_start(args, fmt);
vsnprintf(buf, 1023, fmt, args);
va_end(args);
326
f.auth_id = (char *)label;
327
328
329
330
f.opts = &o;
o.next = NULL;
o.type = OC_FORM_OPT_PASSWORD;
331
o.name = (char *)label;
332
333
334
o.label = buf;
o.value = NULL;
335
ret = vpninfo->process_auth_form(vpninfo->cbdata, &f);
336
337
338
339
340
341
342
343
if (!ret) {
*response = o.value;
return 0;
}
return -EIO;
}
344
#if defined(__sun__) || defined(__NetBSD__) || defined(__DragonFly__)
345
int openconnect_passphrase_from_fsid(struct openconnect_info *vpninfo)
346
347
348
349
350
{
struct statvfs buf;
if (statvfs(vpninfo->sslkey, &buf)) {
int err = errno;
351
352
vpn_progress(vpninfo, PRG_ERR, _("statvfs: %s\n"),
strerror(errno));
353
354
return -err;
}
355
356
if (asprintf(&vpninfo->cert_password, "%lx", buf.f_fsid))
return -ENOMEM;
357
358
359
return 0;
}
#else
360
int openconnect_passphrase_from_fsid(struct openconnect_info *vpninfo)
361
362
363
364
365
366
367
{
struct statfs buf;
unsigned *fsid = (unsigned *)&buf.f_fsid;
unsigned long long fsid64;
if (statfs(vpninfo->sslkey, &buf)) {
int err = errno;
368
369
vpn_progress(vpninfo, PRG_ERR, _("statfs: %s\n"),
strerror(errno));
370
371
372
return -err;
}
fsid64 = ((unsigned long long)fsid[0] << 32) | fsid[1];
373
374
375
if (asprintf(&vpninfo->cert_password, "%llx", fsid64))
return -ENOMEM;
376
377
return 0;
}
378
#endif
379
380
381
382
#if defined(OPENCONNECT_OPENSSL) || defined (DTLS_OPENSSL)
/* We put this here rather than in openssl.c because it might be needed
for OpenSSL DTLS support even when GnuTLS is being used for HTTPS */
383
int openconnect_print_err_cb(const char *str, size_t len, void *ptr)
384
385
386
387
388
389
390
{
struct openconnect_info *vpninfo = ptr;
vpn_progress(vpninfo, PRG_ERR, "%s", str);
return 0;
}
#endif
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
#ifdef FAKE_ANDROID_KEYSTORE
char *keystore_strerror(int err)
{
return (char *)strerror(-err);
}
int keystore_fetch(const char *key, unsigned char **result)
{
unsigned char *data;
struct stat st;
int fd;
int ret;
fd = open(key, O_RDONLY);
if (fd < 0)
return -errno;
if (fstat(fd, &st)) {
ret = -errno;
goto out_fd;
}
414
data = malloc(st.st_size + 1);
415
416
417
418
419
420
421
422
423
424
if (!data) {
ret = -ENOMEM;
goto out_fd;
}
if (read(fd, data, st.st_size) != st.st_size) {
ret = -EIO;
free(data);
goto out_fd;
}
425
426
data[st.st_size] = 0;
427
428
429
430
431
432
433
434
435
436
437
438
439
*result = data;
ret = st.st_size;
out_fd:
close(fd);
return ret;
}
#elif defined (ANDROID_KEYSTORE)
#include <cutils/sockets.h>
#include <keystore.h>
char *keystore_strerror(int err)
{
switch (-err) {
case NO_ERROR: return _("No error");
440
case LOCKED: return _("Keystore locked");
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
case UNINITIALIZED: return _("Keystore uninitialized");
case SYSTEM_ERROR: return _("System error");
case PROTOCOL_ERROR: return _("Protocol error");
case PERMISSION_DENIED: return _("Permission denied");
case KEY_NOT_FOUND: return _("Key not found");
case VALUE_CORRUPTED: return _("Value corrupted");
case UNDEFINED_ACTION: return _("Undefined action");
case WRONG_PASSWORD_0:
case WRONG_PASSWORD_1:
case WRONG_PASSWORD_2:
case WRONG_PASSWORD_3: return _("Wrong password");
default: return _("Unknown error");
}
}
/* Returns length, or a negative errno in its own namespace (handled by its
own strerror function above). The numbers are from Android's keystore.h */
int keystore_fetch(const char *key, unsigned char **result)
{
unsigned char *data, *p;
unsigned char buf[3];
int len, fd, ofs;
int ret = -SYSTEM_ERROR;
fd = socket_local_client("keystore",
ANDROID_SOCKET_NAMESPACE_RESERVED,
SOCK_STREAM);
if (fd < 0)
return -SYSTEM_ERROR;
len = strlen(key);
buf[0] = 'g';
buf[1] = len >> 8;
buf[2] = len & 0xff;
if (send(fd, buf, 3, 0) != 3 || send(fd, key, len, 0) != len ||
shutdown(fd, SHUT_WR) || recv(fd, buf, 1, 0) != 1)
goto out;
if (buf[0] != NO_ERROR) {
/* Should never be zero */
ret = buf[0] ? -buf[0] : -PROTOCOL_ERROR;
goto out;
}
if (recv(fd, buf, 2, 0) != 2)
goto out;
len = (buf[0] << 8) + buf[1];
data = malloc(len);
if (!data)
goto out;
p = data;
ret = len;
while (len) {
int got = recv(fd, p, len, 0);
if (got <= 0) {
free(data);
ret = -PROTOCOL_ERROR;
goto out;
}
len -= got;
p += got;
}
*result = data;
out:
close(fd);
return ret;
}
#endif