/*

* OpenConnect (SSL + DTLS) VPN client

*

*

* Author: David Woodhouse <dwmw2@infradead.org>

*

* This program is free software; you can redistribute it and/or

* modify it under the terms of the GNU Lesser General Public License

* version 2.1, as published by the Free Software Foundation.

*

* This program is distributed in the hope that it will be useful, but

* WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

* Lesser General Public License for more details.

*/

#include <config.h>

#include "openconnect-internal.h"

#include "gnutls.h"

#include <gnutls/gnutls.h>

#include <gnutls/x509.h>

#include <gnutls/crypto.h>

#ifdef HAVE_P11KIT

#include <p11-kit/p11-kit.h>

#include <sys/types.h>

#include <sys/stat.h>

#include <fcntl.h>

#include <string.h>

#include <ctype.h>

#include <stdio.h>

#include <errno.h>

#include <stdarg.h>

#include <stdlib.h>

static int gnutls_pin_callback(void *priv, int attempt, const char *uri,

const char *token_label, unsigned int flags,

char *pin, size_t pin_max);

/* GnuTLS 2.x lacked this. But GNUTLS_E_UNEXPECTED_PACKET_LENGTH basically

* does the same thing.

*/

#ifndef GNUTLS_E_PREMATURE_TERMINATION

#define GNUTLS_E_PREMATURE_TERMINATION GNUTLS_E_UNEXPECTED_PACKET_LENGTH

#endif

/* GnuTLS 3.5.0 added this flag to send a client cert, even if its issuer is

* mismatched to the list of issuers requested by the server. OpenSSL does

* this by default.

* https://github.com/curl/curl/issues/1411

*/

#ifndef GNUTLS_FORCE_CLIENT_CERT

#define GNUTLS_FORCE_CLIENT_CERT 0

#endif

static char tls_library_version[32] = "";

{

if (!*tls_library_version) {

snprintf(tls_library_version, sizeof(tls_library_version), "GnuTLS %s",

gnutls_check_version(NULL));

}

return tls_library_version;

}

{

/* XX: As of GnuTLS 3.6.13, no released version has (yet) removed 3DES/RC4 from default builds,

* but like OpenSSL (removed in 1.1.0) it may happen. */

if (gnutls_cipher_get_id("3DES-CBC") == GNUTLS_CIPHER_UNKNOWN ||

gnutls_cipher_get_id("ARCFOUR-128") == GNUTLS_CIPHER_UNKNOWN)

return -ENOENT;

return 0;

}

{

size_t orig_len = len;

while (len) {

if (done > 0)

len -= done;

FD_ZERO(&wr_set);

FD_ZERO(&rd_set);

if (gnutls_record_get_direction(ses))

FD_SET(fd, &wr_set);

while (select(maxfd + 1, &rd_set, &wr_set, NULL, NULL) < 0) {

if (errno != EINTR) {

vpn_perror(vpninfo, _("Failed select() for TLS"));

return -EIO;

}

return -EINTR;

}

gnutls_strerror(done));

return -EIO;

}

}

return orig_len;

}

static int openconnect_gnutls_write(struct openconnect_info *vpninfo, char *buf, size_t len)

{

return _openconnect_gnutls_write(vpninfo->https_sess, vpninfo->ssl_fd, vpninfo, buf, len);

}

int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len)

{

return _openconnect_gnutls_write(vpninfo->dtls_ssl, vpninfo->dtls_fd, vpninfo, buf, len);

}

static int _openconnect_gnutls_read(gnutls_session_t ses, int fd, struct openconnect_info *vpninfo, char *buf, size_t len, unsigned ms)

int done, ret;

struct timeval timeout, *tv = NULL;

if (ms) {

timeout.tv_sec = ms/1000;

timeout.tv_usec = (ms%1000)*1000;

tv = &timeout;

}

/* Wait for something to happen on the socket, or on cmd_fd */

fd_set wr_set, rd_set;

FD_ZERO(&wr_set);

FD_ZERO(&rd_set);

if (gnutls_record_get_direction(ses))

FD_SET(fd, &wr_set);

while ((ret = select(maxfd + 1, &rd_set, &wr_set, NULL, tv)) < 0) {

if (errno != EINTR) {

vpn_perror(vpninfo, _("Failed select() for TLS/DTLS"));

return -EIO;

}

}

done = -EINTR;

goto cleanup;

}

if (ret == 0) {

done = -ETIMEDOUT;

goto cleanup;

} else if (done == GNUTLS_E_PREMATURE_TERMINATION) {

/* We've seen this with HTTP 1.0 responses followed by abrupt

socket closure and no clean SSL shutdown.

https://bugs.launchpad.net/bugs/1225276 */

done = 0;

goto cleanup;

} else if (done == GNUTLS_E_REHANDSHAKE) {

int ret = cstp_handshake(vpninfo, 0);

if (ret) {

done = ret;

goto cleanup;

}

if (done == GNUTLS_E_TIMEDOUT) {

done = -ETIMEDOUT;

goto cleanup;

} else {

done = -EIO;

goto cleanup;

}

cleanup:

}

static int openconnect_gnutls_read(struct openconnect_info *vpninfo, char *buf, size_t len)

{

return _openconnect_gnutls_read(vpninfo->https_sess, vpninfo->ssl_fd, vpninfo, buf, len, 0);

}

int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms)

{

return _openconnect_gnutls_read(vpninfo->dtls_ssl, vpninfo->dtls_fd, vpninfo, buf, len, ms);

}

{

int i = 0;

int ret;

if (len < 2)

return -EINVAL;

while (1) {

ret = gnutls_record_recv(vpninfo->https_sess, buf + i, 1);

if (ret == 1) {

if (buf[i] == '\n') {

buf[i] = 0;

if (i && buf[i-1] == '\r') {

buf[i-1] = 0;

i--;

}

return i;

}

i++;

if (i >= len - 1) {

buf[i] = 0;

return i;

}

fd_set rd_set, wr_set;

int maxfd = vpninfo->ssl_fd;

FD_ZERO(&rd_set);

FD_ZERO(&wr_set);

if (gnutls_record_get_direction(vpninfo->https_sess))

FD_SET(vpninfo->ssl_fd, &wr_set);

else

FD_SET(vpninfo->ssl_fd, &rd_set);

while (select(maxfd + 1, &rd_set, &wr_set, NULL, NULL) < 0) {

if (errno != EINTR) {

vpn_perror(vpninfo, _("Failed select() for TLS"));

return -EIO;

}

ret = -EINTR;

break;

}

} else if (ret == GNUTLS_E_REHANDSHAKE) {

ret = cstp_handshake(vpninfo, 0);

if (ret)

return ret;

gnutls_strerror(ret));

ret = -EIO;

break;

}

}

buf[i] = 0;

return i ?: ret;

}

int ret;

if (!sess) {

vpn_progress(vpninfo, PRG_ERR,

dtls ? "DTLS" : "TLS");

return -1;

}

ret = gnutls_record_recv(sess, buf, maxlen);

if (ret > 0)

return ret;

if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)

return 0;

vpn_progress(vpninfo, PRG_ERR, _("Read error on %s session: %s\n"),

dtls ? "DTLS" : "SSL", gnutls_strerror(ret));

return -1;

}

int ret;

if (!sess) {

vpn_progress(vpninfo, PRG_ERR,

dtls ? "DTLS" : "TLS");

return -1;

}

ret = gnutls_record_send(sess, buf, buflen);

if (ret > 0)

return ret;

/*

* Before 3.3.13, GnuTLS could return zero instead of one,

* indicating that it was waiting for a read when in fact

* it was waiting for a write. That caused us to block for

* ever, waiting for the read that it said it wanted.

*

* So instead, just *assume* it actually wants a write.

* Which is true most of the time, and on the rare occasion

* that it *isn't* true, the failure mode will just be that

* we keep waking up and calling GnuTLS again until the read

* that it's waiting for does arrive.

*/

if (GNUTLS_VERSION_NUMBER < 0x03030d ||

if (dtls)

monitor_write_fd(vpninfo, dtls);

else

monitor_write_fd(vpninfo, ssl);

}

return 0;

}

vpn_progress(vpninfo, PRG_ERR, _("Write error on %s session: %s\n"),

dtls ? "DTLS" : "SSL", gnutls_strerror(ret));

return -1;

}

static int check_certificate_expiry(struct openconnect_info *vpninfo, struct cert_info *certinfo,

gnutls_x509_crt_t cert)

{

const char *reason = NULL;

time_t expires = gnutls_x509_crt_get_expiration_time(cert);

time_t now = time(NULL);

if (expires == -1) {

vpn_progress(vpninfo, PRG_ERR,

_("Could not extract expiration time of certificate\n"));

return -EINVAL;

}

if (expires < now)

reason = certinfo_string(certinfo, _("Client certificate has expired at"),

_("Secondary client certificate has expired at"));

reason = certinfo_string(certinfo, _("Client certificate expires soon at"),

_("Secondary client certificate expires soon at"));

if (reason) {

char buf[80];

#ifdef _WIN32

/*

* Windows doesn't have gmtime_r but apparently its gmtime()

* *is* thread-safe because it uses a per-thread static buffer.

*

* We also explicitly say 'GMT' because %Z would give us the

* Microsoft stupidity "GMT Standard Time". Which is not only

* silly, but also ambiguous because Windows actually says that

* even when it means British Summer Time (GMT+1). And having

* used gmtime() we really *are* giving the time in GMT.

*/

struct tm *tm = gmtime(&expires);

strftime(buf, 80, "%a, %d %b %Y %H:%M:%S GMT", tm);

#else

struct tm tm;

gmtime_r(&expires, &tm);

strftime(buf, 80, "%a, %d %b %Y %T %Z", &tm);

vpn_progress(vpninfo, PRG_ERR, "%s: %s\n", reason, buf);

}

return 0;

}

static int load_datum(struct openconnect_info *vpninfo,

gnutls_datum_t *datum, const char *fname)

{

struct stat st;

#ifdef ANDROID_KEYSTORE

if (!strncmp(fname, "keystore:", 9)) {

int len;

const char *p = fname + 9;

/* Skip first two slashes if the user has given it as

keystore://foo ... */

if (*p == '/')

p++;

if (*p == '/')

p++;

len = keystore_fetch(p, &datum->data);

if (len <= 0) {

_("Failed to load item '%s' from keystore: %s\n"),

p, keystore_strerror(len));

return -EINVAL;

}

datum->size = len;

return 0;

}

if (fd == -1) {

vpn_progress(vpninfo, PRG_ERR,

return -ENOENT;

}

if (fstat(fd, &st)) {

vpn_progress(vpninfo, PRG_ERR,

close(fd);

return -EIO;

if (!datum->data) {

vpn_progress(vpninfo, PRG_ERR,

_("Failed to allocate certificate buffer\n"));

close(fd);

return -ENOMEM;

}

errno = EAGAIN;

if (read(fd, datum->data, datum->size) != datum->size) {

vpn_progress(vpninfo, PRG_ERR,

_("Failed to read certificate into memory: %s\n"),

close(fd);

gnutls_free(datum->data);

return -EIO;

}

close(fd);

return 0;

}

/* A non-zero, non-error return to make load_certificate() continue and

interpreting the file as other types */

#define NOT_PKCS12 1

gnutls_datum_t *datum,

gnutls_x509_privkey_t *key,

gnutls_x509_crt_t **chain,

unsigned int *chain_len,

{

gnutls_pkcs12_t p12;

char *pass;

int err;

err = gnutls_pkcs12_init(&p12);

if (err) {

vpn_progress(vpninfo, PRG_ERR,

_("Failed to setup PKCS#12 data structure: %s\n"),

gnutls_strerror(err));

return -EIO;

}

err = gnutls_pkcs12_import(p12, datum, GNUTLS_X509_FMT_DER, 0);

if (err) {

gnutls_pkcs12_deinit(p12);

}

if (!pass) {

/* OpenSSL's PKCS12_parse() code will try both NULL and "" automatically,

* but GnuTLS requires two separate attempts. */

err = gnutls_pkcs12_verify_mac(p12, "");

pass = strdup("");

break;

}

} else

vpn_progress(vpninfo, PRG_ERR,

_("Failed to decrypt PKCS#12 certificate file\n"));

err = request_passphrase(vpninfo,

certinfo_string(certinfo, "openconnect_pkcs12",

"openconnect_secondary_pkcs12"),

&pass,

certinfo_string(certinfo, _("Enter PKCS#12 pass phrase:"),

_("Enter secondary PKCS#12 pass phrase:")));

if (err) {

gnutls_pkcs12_deinit(p12);

return -EINVAL;

}

}

/* If it wasn't GNUTLS_E_MAC_VERIFY_FAILED, then the problem wasn't just a

bad password. Give up. */

if (err) {

int level = PRG_ERR;

int ret = -EINVAL;

gnutls_pkcs12_deinit(p12);

/* If the first attempt, and we didn't know for sure it was PKCS#12

anyway, bail out and try loading it as something different. */

ret = NOT_PKCS12;

}

vpn_progress(vpninfo, level,

_("Failed to process PKCS#12 file: %s\n"),

gnutls_strerror(err));

return ret;

}

err = gnutls_pkcs12_simple_parse(p12, pass, key, chain, chain_len,

extra_certs, extra_certs_len, crl, 0);

gnutls_pkcs12_deinit(p12);

if (err) {

vpn_progress(vpninfo, PRG_ERR,

certinfo_string(certinfo, _("Failed to load PKCS#12 certificate: %s\n"),

_("Failed to load secondary PKCS#12 certificate: %s\n")),

gnutls_strerror(err));

return -EINVAL;

}

return 0;

}

static int count_x509_certificates(gnutls_datum_t *datum)

{

int count = 0;

char *p = (char *)datum->data;

while (p) {

p = strstr(p, "-----BEGIN ");

if (!p)

break;

p += 11;

if (!strncmp(p, "CERTIFICATE", 11) ||

!strncmp(p, "X509 CERTIFICATE", 16))

}

return count;

}

static int get_cert_name(gnutls_x509_crt_t cert, char *name, size_t namelen)

{

/* When the name buffer is not big enough, gnutls_x509_crt_get_dn*() will

* update the length argument to the required size, and return

* GNUTLS_E_SHORT_MEMORY_BUFFER. We need to avoid clobbering the original

* length variable. */

size_t nl = namelen;

0, 0, name, &nl)) {

nl = namelen;

if (gnutls_x509_crt_get_dn(cert, name, &nl)) {

name[namelen-1] = 0;

snprintf(name, namelen-1, "<unknown>");

return -EINVAL;

}

}

return 0;

}

const gnutls_datum_t *data, const gnutls_datum_t *sig)

{

unsigned flags = 0;

#ifdef GNUTLS_VERIFY_ALLOW_BROKEN

flags |= GNUTLS_VERIFY_ALLOW_BROKEN;

#endif