2 * Open AnyConnect (SSL + DTLS) client
4 * © 2008 David Woodhouse <dwmw2@infradead.org>
6 * Permission to use, copy, modify, and/or distribute this software
7 * for any purpose with or without fee is hereby granted, provided
8 * that the above copyright notice and this permission notice appear
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
12 * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
13 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
14 * AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
15 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
16 * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
17 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
18 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 #include <sys/types.h>
23 #include <sys/socket.h>
26 #include <openssl/err.h>
28 #include "anyconnect.h"
31 * The master-secret is generated randomly by the client. The server
32 * responds with a DTLS Session-ID. These, done over the HTTPS
33 * connection, are enough to 'resume' a DTLS session, bypassing all
34 * the normal setup of a normal DTLS connection.
36 * Cisco's own client uses an old version of OpenSSL, which implements
37 * the pre-RFC version of DTLS. I haven't been able to get it working
38 * when I force it to link against any of my own builds of OpenSSL.
40 * Hopefully, it'll just work when I get round to implementing it
41 * here, either with the system OpenSSL, or linking against their
42 * library (which will at least be progress, and make it a little
46 static unsigned char nybble(unsigned char n)
48 if (n >= '0' && n <= '9') return n - '0';
49 else if (n >= 'A' && n <= 'F') return n - ('A' - 10);
50 else if (n >= 'a' && n <= 'f') return n - ('a' - 10);
54 static unsigned char hex(const char *data)
56 return (nybble(data[0]) << 4) | nybble(data[1]);
59 static int connect_dtls_socket(struct anyconnect_info *vpninfo, int dtls_port)
61 SSL_METHOD *dtls_method;
63 SSL_SESSION *dtls_session;
64 SSL_CIPHER *https_cipher;
69 if (vpninfo->peer_addr->sa_family == AF_INET) {
70 struct sockaddr_in *sin = (void *)vpninfo->peer_addr;
71 sin->sin_port = htons(dtls_port);
72 } else if (vpninfo->peer_addr->sa_family == AF_INET6) {
73 struct sockaddr_in6 *sin = (void *)vpninfo->peer_addr;
74 sin->sin6_port = htons(dtls_port);
76 fprintf(stderr, "Unknown protocol family %d. Cannot do DTLS\n",
77 vpninfo->peer_addr->sa_family);
81 dtls_fd = socket(vpninfo->peer_addr->sa_family, SOCK_DGRAM, IPPROTO_UDP);
83 perror("Open UDP socket for DTLS:");
87 if (connect(dtls_fd, vpninfo->peer_addr, vpninfo->peer_addrlen)) {
88 perror("UDP (DTLS) connect:\n");
93 dtls_method = DTLSv1_client_method();
94 dtls_ctx = SSL_CTX_new(dtls_method);
95 SSL_CTX_set_read_ahead(dtls_ctx, 1);
96 https_cipher = SSL_get_current_cipher(vpninfo->https_ssl);
98 dtls_ssl = SSL_new(dtls_ctx);
99 SSL_set_connect_state(dtls_ssl);
100 SSL_set_cipher_list(dtls_ssl, SSL_CIPHER_get_name(https_cipher));
102 /* We're going to "resume" a session which never existed. Fake it... */
103 dtls_session = SSL_SESSION_new();
105 dtls_session->ssl_version = DTLS1_VERSION;
107 dtls_session->master_key_length = sizeof(vpninfo->dtls_secret);
108 memcpy(dtls_session->master_key, vpninfo->dtls_secret,
109 sizeof(vpninfo->dtls_secret));
111 dtls_session->session_id_length = sizeof(vpninfo->dtls_session_id);
112 memcpy(dtls_session->session_id, vpninfo->dtls_session_id,
113 sizeof(vpninfo->dtls_session_id));
115 dtls_session->cipher = https_cipher;
116 dtls_session->cipher_id = https_cipher->id;
118 /* Having faked a session, add it to the CTX and the SSL */
119 if (!SSL_CTX_add_session(dtls_ctx, dtls_session))
120 printf("SSL_CTX_add_session() failed\n");
122 if (!SSL_set_session(dtls_ssl, dtls_session))
123 printf("SSL_set_session() failed\n");
126 dtls_bio = BIO_new_socket(dtls_fd, BIO_NOCLOSE);
127 SSL_set_bio(dtls_ssl, dtls_bio, dtls_bio);
129 if (SSL_do_handshake(dtls_ssl)) {
130 fprintf(stderr, "DTLS connection failure\n");
131 ERR_print_errors_fp(stderr);
133 SSL_CTX_free(dtls_ctx);
138 vpninfo->dtls_fd = dtls_fd;
142 int setup_dtls(struct anyconnect_info *vpninfo)
144 struct vpn_option *dtls_opt = vpninfo->dtls_options;
145 int sessid_found = 0;
151 printf("DTLS option %s : %s\n", dtls_opt->option, dtls_opt->value);
153 if (!strcmp(dtls_opt->option, "X-DTLS-Session-ID")) {
154 if (strlen(dtls_opt->value) != 64) {
155 fprintf(stderr, "X-DTLS-Session-ID not 64 characters\n");
156 fprintf(stderr, "Is: %s\n", dtls_opt->value);
159 for (i = 0; i < 64; i += 2)
160 vpninfo->dtls_session_id[i/2] = hex(dtls_opt->value + i);
162 } else if (!strcmp(dtls_opt->option, "X-DTLS-Port")) {
163 dtls_port = atol(dtls_opt->value);
164 } else if (!strcmp(dtls_opt->option, "X-DTLS-Keepalive")) {
165 vpninfo->dtls_keepalive = atol(dtls_opt->value);
168 dtls_opt = dtls_opt->next;
170 if (!sessid_found || !dtls_port)
173 if (connect_dtls_socket(vpninfo, dtls_port))
176 /* No idea how to do this yet */
177 close(vpninfo->dtls_fd);
178 vpninfo->dtls_fd = -1;
182 int dtls_mainloop(struct anyconnect_info *vpninfo, int *timeout)