openconnect-internal.h

   1 /*
   2  * OpenConnect (SSL + DTLS) VPN client
   3  *
   4  * Copyright © 2008-2012 Intel Corporation.
   5  * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
   6  *
   7  * Author: David Woodhouse <dwmw2@infradead.org>
   8  *
   9  * This program is free software; you can redistribute it and/or
  10  * modify it under the terms of the GNU Lesser General Public License
  11  * version 2.1, as published by the Free Software Foundation.
  12  *
  13  * This program is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  16  * Lesser General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU Lesser General Public
  19  * License along with this library; if not, write to:
  20  *
  21  *   Free Software Foundation, Inc.
  22  *   51 Franklin Street, Fifth Floor,
  23  *   Boston, MA 02110-1301 USA
  24  */
  25
  26 #ifndef __OPENCONNECT_INTERNAL_H__
  27 #define __OPENCONNECT_INTERNAL_H__
  28
  29 #include "openconnect.h"
  30
  31 #if defined (OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
  32 #include <openssl/ssl.h>
  33 #include <openssl/err.h>
  34 /* Ick */
  35 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
  36 #define method_const const
  37 #else
  38 #define method_const
  39 #endif
  40 #endif /* OPENSSL */
  41
  42 #if defined (OPENCONNECT_GNUTLS)
  43 #include <gnutls/gnutls.h>
  44 #include <gnutls/abstract.h>
  45 #include <gnutls/x509.h>
  46 #ifdef HAVE_TROUSERS
  47 #include <trousers/tss.h>
  48 #include <trousers/trousers.h>
  49 #endif
  50 #endif
  51
  52 #include <zlib.h>
  53 #include <stdint.h>
  54 #include <sys/socket.h>
  55 #include <sys/select.h>
  56 #include <sys/time.h>
  57 #include <sys/types.h>
  58 #include <unistd.h>
  59
  60 #ifdef LIBPROXY_HDR
  61 #include LIBPROXY_HDR
  62 #endif
  63
  64 #ifdef LIBSTOKEN_HDR
  65 #include LIBSTOKEN_HDR
  66 #endif
  67
  68 #ifdef ENABLE_NLS
  69 #include <locale.h>
  70 #include <libintl.h>
  71 #define _(s) dgettext("openconnect", s)
  72 #else
  73 #define _(s) s
  74 #endif
  75 #define N_(s) s
  76
  77 #define SHA1_SIZE 20
  78 #define MD5_SIZE 16
  79
  80 /****************************************************************************/
  81
  82 struct pkt {
  83         int len;
  84         struct pkt *next;
  85         unsigned char hdr[8];
  86         unsigned char data[];
  87 };
  88
  89 struct vpn_option {
  90         char *option;
  91         char *value;
  92         struct vpn_option *next;
  93 };
  94
  95 #define KA_NONE         0
  96 #define KA_DPD          1
  97 #define KA_DPD_DEAD     2
  98 #define KA_KEEPALIVE    3
  99 #define KA_REKEY        4
 100
 101 struct keepalive_info {
 102         int dpd;
 103         int keepalive;
 104         int rekey;
 105         time_t last_rekey;
 106         time_t last_tx;
 107         time_t last_rx;
 108         time_t last_dpd;
 109 };
 110
 111 struct split_include {
 112         char *route;
 113         struct split_include *next;
 114 };
 115
 116 struct pin_cache {
 117         struct pin_cache *next;
 118         char *token;
 119         char *pin;
 120 };
 121
 122 #define RECONNECT_INTERVAL_MIN  10
 123 #define RECONNECT_INTERVAL_MAX  100
 124
 125 #define CERT_TYPE_UNKNOWN       0
 126 #define CERT_TYPE_PEM           1
 127 #define CERT_TYPE_PKCS12        2
 128 #define CERT_TYPE_TPM           3
 129
 130 struct openconnect_info {
 131         char *redirect_url;
 132
 133         const char *csd_xmltag;
 134         char *csd_token;
 135         char *csd_ticket;
 136         char *csd_stuburl;
 137         char *csd_starturl;
 138         char *csd_waiturl;
 139         char *csd_preurl;
 140
 141         char *csd_scriptname;
 142
 143 #ifdef LIBPROXY_HDR
 144         pxProxyFactory *proxy_factory;
 145 #endif
 146         char *proxy_type;
 147         char *proxy;
 148         int proxy_port;
 149
 150         const char *localname;
 151         char *hostname;
 152         int port;
 153         char *urlpath;
 154         int cert_expire_warning;
 155         const char *cert;
 156         const char *sslkey;
 157         int cert_type;
 158         char *cert_password;
 159         const char *cafile;
 160         const char *servercert;
 161         const char *xmlconfig;
 162         char xmlsha1[(SHA1_SIZE * 2) + 1];
 163         char *username;
 164         char *password;
 165         char *authgroup;
 166         int nopasswd;
 167         char *dtls_ciphers;
 168         uid_t uid_csd;
 169         char *csd_wrapper;
 170         int uid_csd_given;
 171         int no_http_keepalive;
 172
 173 #ifdef LIBSTOKEN_HDR
 174         struct stoken_ctx *stoken_ctx;
 175 #endif
 176         int use_stoken;
 177         int stoken_bypassed;
 178         int stoken_tries;
 179         time_t stoken_time;
 180         char *stoken_pin;
 181
 182         OPENCONNECT_X509 *peer_cert;
 183
 184         char *cookie; /* Pointer to within cookies list */
 185         struct vpn_option *cookies;
 186         struct vpn_option *cstp_options;
 187         struct vpn_option *dtls_options;
 188
 189 #if defined(OPENCONNECT_OPENSSL)
 190         X509 *cert_x509;
 191         SSL_CTX *https_ctx;
 192         SSL *https_ssl;
 193 #elif defined(OPENCONNECT_GNUTLS)
 194         gnutls_session_t https_sess;
 195         gnutls_certificate_credentials_t https_cred;
 196         struct pin_cache *pin_cache;
 197 #ifdef HAVE_TROUSERS
 198         TSS_HCONTEXT tpm_context;
 199         TSS_HKEY srk;
 200         TSS_HPOLICY srk_policy;
 201         TSS_HKEY tpm_key;
 202         TSS_HPOLICY tpm_key_policy;
 203 #endif
 204 #ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
 205 #ifdef HAVE_P11KIT
 206         gnutls_pkcs11_privkey_t my_p11key;
 207 #endif
 208         gnutls_privkey_t my_pkey;
 209         gnutls_x509_crt_t *my_certs;
 210         unsigned int nr_my_certs;
 211 #endif
 212 #endif /* OPENCONNECT_GNUTLS */
 213         struct keepalive_info ssl_times;
 214         int owe_ssl_dpd_response;
 215         struct pkt *deflate_pkt;
 216         struct pkt *current_ssl_pkt;
 217         struct pkt *pending_deflated_pkt;
 218
 219         z_stream inflate_strm;
 220         uint32_t inflate_adler32;
 221         z_stream deflate_strm;
 222         uint32_t deflate_adler32;
 223
 224         int disable_ipv6;
 225         int reconnect_timeout;
 226         int reconnect_interval;
 227         int dtls_attempt_period;
 228         time_t new_dtls_started;
 229 #if defined(DTLS_OPENSSL)
 230         SSL_CTX *dtls_ctx;
 231         SSL *dtls_ssl;
 232         SSL *new_dtls_ssl;
 233         SSL_SESSION *dtls_session;
 234 #elif defined(DTLS_GNUTLS)
 235         /* Call these *_ssl rather than *_sess because they're just
 236            pointers, and generic code (in mainloop.c for example)
 237            wants to check if they're NULL or not. No point in being
 238            differently named to the OpenSSL variant, and forcing us to
 239            have ifdefs or accessor macros for them. */
 240         gnutls_session_t dtls_ssl;
 241         gnutls_session_t new_dtls_ssl;
 242 #endif
 243         struct keepalive_info dtls_times;
 244         unsigned char dtls_session_id[32];
 245         unsigned char dtls_secret[48];
 246
 247         char *dtls_cipher;
 248         const char *vpnc_script;
 249         int script_tun;
 250         char *ifname;
 251
 252         int actual_mtu;
 253         int reqmtu, basemtu;
 254         const char *banner;
 255         const char *vpn_addr;
 256         const char *vpn_netmask;
 257         const char *vpn_addr6;
 258         const char *vpn_netmask6;
 259         const char *vpn_dns[3];
 260         const char *vpn_nbns[3];
 261         const char *vpn_domain;
 262         const char *vpn_proxy_pac;
 263         struct split_include *split_dns;
 264         struct split_include *split_includes;
 265         struct split_include *split_excludes;
 266
 267         int select_nfds;
 268         fd_set select_rfds;
 269         fd_set select_wfds;
 270         fd_set select_efds;
 271
 272 #ifdef __sun__
 273         int ip_fd;
 274         int ip6_fd;
 275 #endif
 276         int tun_fd;
 277         int ssl_fd;
 278         int dtls_fd;
 279         int new_dtls_fd;
 280         int cancel_fd;
 281
 282         struct pkt *incoming_queue;
 283         struct pkt *outgoing_queue;
 284         int outgoing_qlen;
 285         int max_qlen;
 286
 287         socklen_t peer_addrlen;
 288         struct sockaddr *peer_addr;
 289         struct sockaddr *dtls_addr;
 290
 291         int dtls_local_port;
 292
 293         int deflate;
 294         char *useragent;
 295
 296         const char *quit_reason;
 297
 298         void *cbdata;
 299         openconnect_validate_peer_cert_vfn validate_peer_cert;
 300         openconnect_write_new_config_vfn write_new_config;
 301         openconnect_process_auth_form_vfn process_auth_form;
 302         openconnect_progress_vfn progress;
 303 };
 304
 305 #if (defined (DTLS_OPENSSL) && defined (SSL_OP_CISCO_ANYCONNECT)) || \
 306     (defined (DTLS_GNUTLS) && defined (HAVE_GNUTLS_SESSION_SET_PREMASTER))
 307 #define HAVE_DTLS 1
 308 #endif
 309
 310 /* Packet types */
 311
 312 #define AC_PKT_DATA             0       /* Uncompressed data */
 313 #define AC_PKT_DPD_OUT          3       /* Dead Peer Detection */
 314 #define AC_PKT_DPD_RESP         4       /* DPD response */
 315 #define AC_PKT_DISCONN          5       /* Client disconnection notice */
 316 #define AC_PKT_KEEPALIVE        7       /* Keepalive */
 317 #define AC_PKT_COMPRESSED       8       /* Compressed data */
 318 #define AC_PKT_TERM_SERVER      9       /* Server kick */
 319
 320 #define vpn_progress(vpninfo, ...) (vpninfo)->progress ((vpninfo)->cbdata, __VA_ARGS__)
 321
 322 /****************************************************************************/
 323 /* Oh Solaris how we hate thee! */
 324 #ifdef __sun__
 325 #define time(x) openconnect__time(x)
 326 time_t openconnect__time(time_t *t);
 327 #endif
 328 #ifndef HAVE_ASPRINTF
 329 #define asprintf openconnect__asprintf
 330 int openconnect__asprintf(char **strp, const char *fmt, ...);
 331 #endif
 332 #ifndef HAVE_GETLINE
 333 #define getline openconnect__getline
 334 ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
 335 #endif
 336 #ifndef HAVE_STRCASESTR
 337 #define strcasestr openconnect__strcasestr
 338 char *openconnect__strcasestr(const char *haystack, const char *needle);
 339 #endif
 340
 341 /****************************************************************************/
 342
 343 /* tun.c */
 344 int setup_tun(struct openconnect_info *vpninfo);
 345 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout);
 346 void shutdown_tun(struct openconnect_info *vpninfo);
 347 int script_config_tun (struct openconnect_info *vpninfo, const char *reason);
 348
 349 /* dtls.c */
 350 unsigned char unhex(const char *data);
 351 int setup_dtls(struct openconnect_info *vpninfo);
 352 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
 353 int dtls_try_handshake(struct openconnect_info *vpninfo);
 354 int connect_dtls_socket(struct openconnect_info *vpninfo);
 355
 356 /* cstp.c */
 357 int make_cstp_connection(struct openconnect_info *vpninfo);
 358 int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);
 359 int cstp_bye(struct openconnect_info *vpninfo, const char *reason);
 360 int cstp_reconnect(struct openconnect_info *vpninfo);
 361
 362 /* ssl.c */
 363 int connect_https_socket(struct openconnect_info *vpninfo);
 364 int request_passphrase(struct openconnect_info *vpninfo, const char *label,
 365                        char **response, const char *fmt, ...);
 366 int  __attribute__ ((format (printf, 2, 3)))
 367     openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
 368 int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
 369 #define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
 370 #ifdef FAKE_ANDROID_KEYSTORE
 371 #define ANDROID_KEYSTORE
 372 #endif
 373 #ifdef ANDROID_KEYSTORE
 374 char *keystore_strerror(int err);
 375 int keystore_fetch(const char *key, unsigned char **result);
 376 #endif
 377
 378 /* ${SSL_LIBRARY}.c */
 379 int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len);
 380 int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len);
 381 int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
 382 int openconnect_open_https(struct openconnect_info *vpninfo);
 383 void openconnect_close_https(struct openconnect_info *vpninfo, int final);
 384 int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
 385                              char *buf);
 386 int openconnect_sha1(unsigned char *result, void *data, int len);
 387 int openconnect_random(void *bytes, int len);
 388 int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
 389                                char *buf);
 390
 391 /* mainloop.c */
 392 int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);
 393 int vpn_mainloop(struct openconnect_info *vpninfo);
 394 int queue_new_packet(struct pkt **q, void *buf, int len);
 395 void queue_packet(struct pkt **q, struct pkt *new);
 396 int keepalive_action(struct keepalive_info *ka, int *timeout);
 397 int ka_stalled_action(struct keepalive_info *ka, int *timeout);
 398
 399 extern int killed;
 400
 401 /* xml.c */
 402 int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
 403
 404 /* auth.c */
 405 int parse_xml_response(struct openconnect_info *vpninfo, char *response,
 406                        char *request_body, int req_len, const char **method,
 407                        const char **request_body_type);
 408 int prepare_stoken(struct openconnect_info *vpninfo);
 409
 410 /* http.c */
 411 char *openconnect_create_useragent(const char *base);
 412 int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
 413 int internal_parse_url(char *url, char **res_proto, char **res_host,
 414                        int *res_port, char **res_path, int default_port);
 415
 416 /* ssl_ui.c */
 417 int set_openssl_ui(void);
 418
 419 /* version.c */
 420 extern const char *openconnect_version_str;
 421
 422 #endif /* __OPENCONNECT_INTERNAL_H__ */