2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2010 Intel Corporation.
6 * Author: David Woodhouse <dwmw2@infradead.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1, as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to:
20 * Free Software Foundation, Inc.
21 * 51 Franklin Street, Fifth Floor,
22 * Boston, MA 02110-1301 USA
26 #include <sys/types.h>
27 #include <sys/socket.h>
30 #include <netinet/in.h>
31 #include <openssl/err.h>
32 #include <openssl/ssl.h>
36 #include "openconnect-internal.h"
38 static unsigned char nybble(unsigned char n)
40 if (n >= '0' && n <= '9') return n - '0';
41 else if (n >= 'A' && n <= 'F') return n - ('A' - 10);
42 else if (n >= 'a' && n <= 'f') return n - ('a' - 10);
46 unsigned char unhex(const char *data)
48 return (nybble(data[0]) << 4) | nybble(data[1]);
51 #ifdef SSL_F_DTLS1_CONNECT
54 * Useful for catching test cases, where we want everything to be
55 * reproducible. *NEVER* do this in the wild.
57 time_t time(time_t *t)
59 time_t x = 0x3ab2d948;
64 int RAND_pseudo_bytes(char *buf, int len)
66 memset(buf, 0x5a, len);
67 printf("FAKE PSEUDO RANDOM!\n");
71 int RAND_bytes(char *buf, int len)
73 static int foo = 0x5b;
74 printf("FAKE RANDOM!\n");
75 memset(buf, foo, len);
81 * The master-secret is generated randomly by the client. The server
82 * responds with a DTLS Session-ID. These, done over the HTTPS
83 * connection, are enough to 'resume' a DTLS session, bypassing all
84 * the normal setup of a normal DTLS connection.
86 * Cisco use a version of the protocol which predates RFC4347, but
87 * isn't quite the same as the pre-RFC version of the protocol which
88 * was in OpenSSL 0.9.8e -- it includes backports of some later
91 * The openssl/ directory of this source tree should contain both a
92 * small patch against OpenSSL 0.9.8e to make it support Cisco's
93 * snapshot of the protocol, and a larger patch against newer OpenSSL
94 * which gives us an option to use the old protocol again.
96 * Cisco's server also seems to respond to the official version of the
97 * protocol, with a change in the ChangeCipherSpec packet which implies
98 * that it does know the difference and isn't just repeating the version
99 * number seen in the ClientHello. But although I can make the handshake
100 * complete by hacking tls1_mac() to use the _old_ protocol version
101 * number when calculating the MAC, the server still seems to be ignoring
102 * my subsequent data packets. So we use the old protocol, which is what
103 * their clients use anyway.
106 int connect_dtls_socket(struct openconnect_info *vpninfo)
108 STACK_OF(SSL_CIPHER) *ciphers;
109 method_const SSL_METHOD *dtls_method;
110 SSL_CIPHER *dtls_cipher;
115 if (!vpninfo->dtls_addr) {
116 vpninfo->progress(vpninfo, PRG_ERR, "No DTLS address\n");
117 vpninfo->dtls_attempt_period = 0;
121 if (!vpninfo->dtls_cipher) {
122 /* We probably didn't offer it any ciphers it liked */
123 vpninfo->progress(vpninfo, PRG_ERR, "Server offered no DTLS cipher option\n");
124 vpninfo->dtls_attempt_period = 0;
128 if (vpninfo->proxy) {
129 /* XXX: Theoretically, SOCKS5 proxies can do UDP too */
130 vpninfo->progress(vpninfo, PRG_ERR, "No DTLS when connected via proxy\n");
131 vpninfo->dtls_attempt_period = 0;
135 dtls_fd = socket(vpninfo->peer_addr->sa_family, SOCK_DGRAM, IPPROTO_UDP);
137 perror("Open UDP socket for DTLS:");
141 if (connect(dtls_fd, vpninfo->dtls_addr, vpninfo->peer_addrlen)) {
142 perror("UDP (DTLS) connect:\n");
147 fcntl(dtls_fd, F_SETFD, FD_CLOEXEC);
149 if (!vpninfo->dtls_ctx) {
150 dtls_method = DTLSv1_client_method();
151 vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
152 if (!vpninfo->dtls_ctx) {
153 vpninfo->progress(vpninfo, PRG_ERR, "Initialise DTLSv1 CTX failed\n");
154 vpninfo->dtls_attempt_period = 0;
158 /* If we don't readahead, then we do short reads and throw
159 away the tail of data packets. */
160 SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
162 if (!SSL_CTX_set_cipher_list(vpninfo->dtls_ctx, vpninfo->dtls_cipher)) {
163 vpninfo->progress(vpninfo, PRG_ERR, "Set DTLS cipher list failed\n");
164 SSL_CTX_free(vpninfo->dtls_ctx);
165 vpninfo->dtls_ctx = NULL;
166 vpninfo->dtls_attempt_period = 0;
171 if (!vpninfo->dtls_session) {
172 /* We're going to "resume" a session which never existed. Fake it... */
173 vpninfo->dtls_session = SSL_SESSION_new();
174 if (!vpninfo->dtls_session) {
175 vpninfo->progress(vpninfo, PRG_ERR, "Initialise DTLSv1 session failed\n");
176 vpninfo->dtls_attempt_period = 0;
179 vpninfo->dtls_session->ssl_version = 0x0100; // DTLS1_BAD_VER
182 /* Do this every time; it may have changed due to a rekey */
183 vpninfo->dtls_session->master_key_length = sizeof(vpninfo->dtls_secret);
184 memcpy(vpninfo->dtls_session->master_key, vpninfo->dtls_secret,
185 sizeof(vpninfo->dtls_secret));
187 vpninfo->dtls_session->session_id_length = sizeof(vpninfo->dtls_session_id);
188 memcpy(vpninfo->dtls_session->session_id, vpninfo->dtls_session_id,
189 sizeof(vpninfo->dtls_session_id));
191 dtls_ssl = SSL_new(vpninfo->dtls_ctx);
192 SSL_set_connect_state(dtls_ssl);
194 ciphers = SSL_get_ciphers(dtls_ssl);
195 if (sk_SSL_CIPHER_num(ciphers) != 1) {
196 vpninfo->progress(vpninfo, PRG_ERR, "Not precisely one DTLS cipher\n");
197 SSL_CTX_free(vpninfo->dtls_ctx);
199 SSL_SESSION_free(vpninfo->dtls_session);
200 vpninfo->dtls_ctx = NULL;
201 vpninfo->dtls_session = NULL;
202 vpninfo->dtls_attempt_period = 0;
205 dtls_cipher = sk_SSL_CIPHER_value(ciphers, 0);
207 /* Set the appropriate cipher on our session to be resumed */
208 vpninfo->dtls_session->cipher = dtls_cipher;
209 vpninfo->dtls_session->cipher_id = dtls_cipher->id;
211 /* Add the generated session to the SSL */
212 if (!SSL_set_session(dtls_ssl, vpninfo->dtls_session)) {
213 vpninfo->progress(vpninfo, PRG_ERR,
214 "SSL_set_session() failed with old protocol version 0x%x\n"
215 "Are you using a version of OpenSSL older than 0.9.8m?\n"
216 "See http://rt.openssl.org/Ticket/Display.html?id=1751\n"
217 "Use the --no-dtls command line option to avoid this message\n",
218 vpninfo->dtls_session->ssl_version);
219 vpninfo->dtls_attempt_period = 0;
224 dtls_bio = BIO_new_socket(dtls_fd, BIO_NOCLOSE);
225 SSL_set_bio(dtls_ssl, dtls_bio, dtls_bio);
227 #ifndef SSL_OP_CISCO_ANYCONNECT
228 #warning Your version of OpenSSL does not seem to support Cisco DTLS compatibility
229 #define SSL_OP_CISCO_ANYCONNECT 0x8000
231 SSL_set_options(dtls_ssl, SSL_OP_CISCO_ANYCONNECT);
233 /* Set non-blocking */
234 BIO_set_nbio(SSL_get_rbio(dtls_ssl), 1);
235 BIO_set_nbio(SSL_get_wbio(dtls_ssl), 1);
237 fcntl(dtls_fd, F_SETFL, fcntl(dtls_fd, F_GETFL) | O_NONBLOCK);
239 vpninfo->new_dtls_fd = dtls_fd;
240 vpninfo->new_dtls_ssl = dtls_ssl;
242 if (vpninfo->select_nfds <= dtls_fd)
243 vpninfo->select_nfds = dtls_fd + 1;
245 FD_SET(dtls_fd, &vpninfo->select_rfds);
246 FD_SET(dtls_fd, &vpninfo->select_efds);
248 time(&vpninfo->new_dtls_started);
249 return dtls_try_handshake(vpninfo);
252 int dtls_try_handshake(struct openconnect_info *vpninfo)
254 int ret = SSL_do_handshake(vpninfo->new_dtls_ssl);
257 vpninfo->progress(vpninfo, PRG_INFO, "Established DTLS connection\n");
259 if (vpninfo->dtls_ssl) {
260 /* We are replacing an old connection */
261 SSL_free(vpninfo->dtls_ssl);
262 close(vpninfo->dtls_fd);
263 FD_CLR(vpninfo->dtls_fd, &vpninfo->select_rfds);
264 FD_CLR(vpninfo->dtls_fd, &vpninfo->select_wfds);
265 FD_CLR(vpninfo->dtls_fd, &vpninfo->select_efds);
267 vpninfo->dtls_ssl = vpninfo->new_dtls_ssl;
268 vpninfo->dtls_fd = vpninfo->new_dtls_fd;
270 vpninfo->new_dtls_ssl = NULL;
271 vpninfo->new_dtls_fd = -1;
273 vpninfo->dtls_times.last_rx = vpninfo->dtls_times.last_tx = time(NULL);
278 ret = SSL_get_error(vpninfo->new_dtls_ssl, ret);
279 if (ret == SSL_ERROR_WANT_WRITE || ret == SSL_ERROR_WANT_READ) {
280 if (time(NULL) < vpninfo->new_dtls_started + 5)
282 vpninfo->progress(vpninfo, PRG_TRACE, "DTLS handshake timed out\n");
285 vpninfo->progress(vpninfo, PRG_ERR, "DTLS handshake failed: %d\n", ret);
286 report_ssl_errors(vpninfo);
288 /* Kill the new (failed) connection... */
289 SSL_free(vpninfo->new_dtls_ssl);
290 FD_CLR(vpninfo->new_dtls_fd, &vpninfo->select_rfds);
291 FD_CLR(vpninfo->new_dtls_fd, &vpninfo->select_efds);
292 close(vpninfo->new_dtls_fd);
293 vpninfo->new_dtls_ssl = NULL;
294 vpninfo->new_dtls_fd = -1;
296 /* ... and kill the old one too. The only time there'll be a valid
297 existing session is when it was a rekey, and in that case it's
298 time for the old one to die. */
299 if (vpninfo->dtls_ssl) {
300 SSL_free(vpninfo->dtls_ssl);
301 close(vpninfo->dtls_fd);
302 FD_CLR(vpninfo->dtls_fd, &vpninfo->select_rfds);
303 FD_CLR(vpninfo->dtls_fd, &vpninfo->select_wfds);
304 FD_CLR(vpninfo->dtls_fd, &vpninfo->select_efds);
305 vpninfo->dtls_ssl = NULL;
306 vpninfo->dtls_fd = -1;
309 time(&vpninfo->new_dtls_started);
313 static int dtls_restart(struct openconnect_info *vpninfo)
315 if (vpninfo->dtls_ssl) {
316 SSL_free(vpninfo->dtls_ssl);
317 close(vpninfo->dtls_fd);
318 FD_CLR(vpninfo->dtls_fd, &vpninfo->select_rfds);
319 FD_CLR(vpninfo->dtls_fd, &vpninfo->select_wfds);
320 FD_CLR(vpninfo->dtls_fd, &vpninfo->select_efds);
321 vpninfo->dtls_ssl = NULL;
322 vpninfo->dtls_fd = -1;
325 return connect_dtls_socket(vpninfo);
329 int setup_dtls(struct openconnect_info *vpninfo)
331 struct vpn_option *dtls_opt = vpninfo->dtls_options;
335 vpninfo->progress(vpninfo, PRG_TRACE,
336 "DTLS option %s : %s\n",
337 dtls_opt->option, dtls_opt->value);
339 if (!strcmp(dtls_opt->option + 7, "Port")) {
340 dtls_port = atol(dtls_opt->value);
341 } else if (!strcmp(dtls_opt->option + 7, "Keepalive")) {
342 vpninfo->dtls_times.keepalive = atol(dtls_opt->value);
343 } else if (!strcmp(dtls_opt->option + 7, "DPD")) {
344 int j = atol(dtls_opt->value);
345 if (j && (!vpninfo->dtls_times.dpd || j < vpninfo->dtls_times.dpd))
346 vpninfo->dtls_times.dpd = j;
347 } else if (!strcmp(dtls_opt->option + 7, "Rekey-Time")) {
348 vpninfo->dtls_times.rekey = atol(dtls_opt->value);
349 } else if (!strcmp(dtls_opt->option + 7, "CipherSuite")) {
350 vpninfo->dtls_cipher = strdup(dtls_opt->value);
353 dtls_opt = dtls_opt->next;
356 vpninfo->dtls_attempt_period = 0;
360 vpninfo->dtls_addr = malloc(vpninfo->peer_addrlen);
361 if (!vpninfo->dtls_addr) {
362 vpninfo->dtls_attempt_period = 0;
365 memcpy(vpninfo->dtls_addr, vpninfo->peer_addr, vpninfo->peer_addrlen);
367 if (vpninfo->peer_addr->sa_family == AF_INET) {
368 struct sockaddr_in *sin = (void *)vpninfo->dtls_addr;
369 sin->sin_port = htons(dtls_port);
370 } else if (vpninfo->peer_addr->sa_family == AF_INET6) {
371 struct sockaddr_in6 *sin = (void *)vpninfo->dtls_addr;
372 sin->sin6_port = htons(dtls_port);
374 vpninfo->progress(vpninfo, PRG_ERR, "Unknown protocol family %d. Cannot do DTLS\n",
375 vpninfo->peer_addr->sa_family);
376 vpninfo->dtls_attempt_period = 0;
380 if (connect_dtls_socket(vpninfo))
383 vpninfo->progress(vpninfo, PRG_TRACE,
384 "DTLS connected. DPD %d, Keepalive %d\n",
385 vpninfo->dtls_times.dpd, vpninfo->dtls_times.keepalive);
390 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
392 unsigned char buf[2000];
397 while ( (len = SSL_read(vpninfo->dtls_ssl, buf, sizeof(buf))) > 0 ) {
399 vpninfo->progress(vpninfo, PRG_TRACE,
400 "Received DTLS packet 0x%02x of %d bytes\n",
403 vpninfo->dtls_times.last_rx = time(NULL);
407 queue_new_packet(&vpninfo->incoming_queue, buf+1, len-1);
412 vpninfo->progress(vpninfo, PRG_TRACE, "Got DTLS DPD request\n");
414 /* FIXME: What if the packet doesn't get through? */
415 magic_pkt = AC_PKT_DPD_RESP;
416 if (SSL_write(vpninfo->dtls_ssl, &magic_pkt, 1) != 1)
417 vpninfo->progress(vpninfo, PRG_ERR, "Failed to send DPD response. Expect disconnect\n");
420 case AC_PKT_DPD_RESP:
421 vpninfo->progress(vpninfo, PRG_TRACE, "Got DTLS DPD response\n");
424 case AC_PKT_KEEPALIVE:
425 vpninfo->progress(vpninfo, PRG_TRACE, "Got DTLS Keepalive\n");
429 vpninfo->progress(vpninfo, PRG_ERR,
430 "Unknown DTLS packet type %02x, len %d\n", buf[0], len);
432 /* Some versions of OpenSSL have bugs with receiving out-of-order
433 * packets. Not only do they wrongly decide to drop packets if
434 * two packets get swapped in transit, but they also _fail_ to
435 * drop the packet in non-blocking mode; instead they return
436 * the appropriate length of garbage. So don't abort... for now. */
439 vpninfo->quit_reason = "Unknown packet received";
446 switch (keepalive_action(&vpninfo->dtls_times, timeout)) {
448 vpninfo->progress(vpninfo, PRG_INFO, "DTLS rekey due\n");
450 /* There ought to be a method of rekeying DTLS without tearing down
451 the CSTP session and restarting, but we don't (yet) know it */
452 if (cstp_reconnect(vpninfo)) {
453 vpninfo->progress(vpninfo, PRG_ERR, "Reconnect failed\n");
454 vpninfo->quit_reason = "CSTP reconnect failed";
458 if (dtls_restart(vpninfo)) {
459 vpninfo->progress(vpninfo, PRG_ERR, "DTLS rekey failed\n");
467 vpninfo->progress(vpninfo, PRG_ERR, "DTLS Dead Peer Detection detected dead peer!\n");
468 /* Fall back to SSL, and start a new DTLS connection */
469 dtls_restart(vpninfo);
473 vpninfo->progress(vpninfo, PRG_TRACE, "Send DTLS DPD\n");
475 magic_pkt = AC_PKT_DPD_OUT;
476 SSL_write(vpninfo->dtls_ssl, &magic_pkt, 1);
477 /* last_dpd will just have been set */
478 vpninfo->dtls_times.last_tx = vpninfo->dtls_times.last_dpd;
483 /* No need to send an explicit keepalive
484 if we have real data to send */
485 if (vpninfo->outgoing_queue)
488 vpninfo->progress(vpninfo, PRG_TRACE, "Send DTLS Keepalive\n");
490 magic_pkt = AC_PKT_KEEPALIVE;
491 SSL_write(vpninfo->dtls_ssl, &magic_pkt, 1);
492 time(&vpninfo->dtls_times.last_tx);
500 /* Service outgoing packet queue */
501 while (vpninfo->outgoing_queue) {
502 struct pkt *this = vpninfo->outgoing_queue;
505 vpninfo->outgoing_queue = this->next;
506 vpninfo->outgoing_qlen--;
508 /* One byte of header */
509 this->hdr[7] = AC_PKT_DATA;
511 ret = SSL_write(vpninfo->dtls_ssl, &this->hdr[7], this->len + 1);
513 ret = SSL_get_error(vpninfo->dtls_ssl, ret);
515 /* If it's a real error, kill the DTLS connection and
516 requeue the packet to be sent over SSL */
517 if (ret != SSL_ERROR_WANT_READ && ret != SSL_ERROR_WANT_WRITE) {
518 vpninfo->progress(vpninfo, PRG_ERR,
519 "DTLS got write error %d. Falling back to SSL\n", ret);
520 report_ssl_errors(vpninfo);
521 dtls_restart(vpninfo);
522 vpninfo->outgoing_queue = this;
523 vpninfo->outgoing_qlen++;
527 time(&vpninfo->dtls_times.last_tx);
528 vpninfo->progress(vpninfo, PRG_TRACE,
529 "Sent DTLS packet of %d bytes; SSL_write() returned %d\n",
536 #else /* No DTLS support in OpenSSL */
537 int setup_dtls(struct openconnect_info *vpninfo)
539 vpninfo->progress(vpninfo, PRG_ERR, "Built against OpenSSL with no DTLS support\n");