2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2012 Intel Corporation.
5 * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
7 * Author: David Woodhouse <dwmw2@infradead.org>
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * version 2.1, as published by the Free Software Foundation.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to:
21 * Free Software Foundation, Inc.
22 * 51 Franklin Street, Fifth Floor,
23 * Boston, MA 02110-1301 USA
26 #ifndef __OPENCONNECT_INTERNAL_H__
27 #define __OPENCONNECT_INTERNAL_H__
29 #include "openconnect.h"
31 #if defined (OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
32 #include <openssl/ssl.h>
33 #include <openssl/err.h>
35 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
36 #define method_const const
42 #if defined (OPENCONNECT_GNUTLS)
43 #include <gnutls/gnutls.h>
44 #include <gnutls/abstract.h>
45 #include <gnutls/x509.h>
47 #include <trousers/tss.h>
48 #include <trousers/trousers.h>
54 #include <sys/socket.h>
55 #include <sys/select.h>
57 #include <sys/types.h>
65 #include LIBSTOKEN_HDR
71 #define _(s) dgettext("openconnect", s)
80 /****************************************************************************/
92 struct vpn_option *next;
98 #define KA_KEEPALIVE 3
101 struct keepalive_info {
111 struct split_include {
113 struct split_include *next;
117 struct pin_cache *next;
122 #define RECONNECT_INTERVAL_MIN 10
123 #define RECONNECT_INTERVAL_MAX 100
125 #define CERT_TYPE_UNKNOWN 0
126 #define CERT_TYPE_PEM 1
127 #define CERT_TYPE_PKCS12 2
128 #define CERT_TYPE_TPM 3
130 struct openconnect_info {
133 const char *csd_xmltag;
141 char *csd_scriptname;
144 pxProxyFactory *proxy_factory;
150 const char *localname;
154 int cert_expire_warning;
160 const char *servercert;
161 const char *xmlconfig;
162 char xmlsha1[(SHA1_SIZE * 2) + 1];
171 int no_http_keepalive;
174 struct stoken_ctx *stoken_ctx;
182 OPENCONNECT_X509 *peer_cert;
184 char *cookie; /* Pointer to within cookies list */
185 struct vpn_option *cookies;
186 struct vpn_option *cstp_options;
187 struct vpn_option *dtls_options;
189 #if defined(OPENCONNECT_OPENSSL)
193 #elif defined(OPENCONNECT_GNUTLS)
194 gnutls_session_t https_sess;
195 gnutls_certificate_credentials_t https_cred;
196 struct pin_cache *pin_cache;
198 TSS_HCONTEXT tpm_context;
200 TSS_HPOLICY srk_policy;
202 TSS_HPOLICY tpm_key_policy;
204 #ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
206 gnutls_pkcs11_privkey_t my_p11key;
208 gnutls_privkey_t my_pkey;
209 gnutls_x509_crt_t *my_certs;
210 unsigned int nr_my_certs;
212 #endif /* OPENCONNECT_GNUTLS */
213 struct keepalive_info ssl_times;
214 int owe_ssl_dpd_response;
215 struct pkt *deflate_pkt;
216 struct pkt *current_ssl_pkt;
217 struct pkt *pending_deflated_pkt;
219 z_stream inflate_strm;
220 uint32_t inflate_adler32;
221 z_stream deflate_strm;
222 uint32_t deflate_adler32;
225 int reconnect_timeout;
226 int reconnect_interval;
227 int dtls_attempt_period;
228 time_t new_dtls_started;
229 #if defined(DTLS_OPENSSL)
233 SSL_SESSION *dtls_session;
234 #elif defined(DTLS_GNUTLS)
235 /* Call these *_ssl rather than *_sess because they're just
236 pointers, and generic code (in mainloop.c for example)
237 wants to check if they're NULL or not. No point in being
238 differently named to the OpenSSL variant, and forcing us to
239 have ifdefs or accessor macros for them. */
240 gnutls_session_t dtls_ssl;
241 gnutls_session_t new_dtls_ssl;
243 struct keepalive_info dtls_times;
244 unsigned char dtls_session_id[32];
245 unsigned char dtls_secret[48];
248 const char *vpnc_script;
255 const char *vpn_addr;
256 const char *vpn_netmask;
257 const char *vpn_addr6;
258 const char *vpn_netmask6;
259 const char *vpn_dns[3];
260 const char *vpn_nbns[3];
261 const char *vpn_domain;
262 const char *vpn_proxy_pac;
263 struct split_include *split_dns;
264 struct split_include *split_includes;
265 struct split_include *split_excludes;
282 struct pkt *incoming_queue;
283 struct pkt *outgoing_queue;
287 socklen_t peer_addrlen;
288 struct sockaddr *peer_addr;
289 struct sockaddr *dtls_addr;
296 const char *quit_reason;
299 openconnect_validate_peer_cert_vfn validate_peer_cert;
300 openconnect_write_new_config_vfn write_new_config;
301 openconnect_process_auth_form_vfn process_auth_form;
302 openconnect_progress_vfn progress;
305 #if (defined (DTLS_OPENSSL) && defined (SSL_OP_CISCO_ANYCONNECT)) || \
306 (defined (DTLS_GNUTLS) && defined (HAVE_GNUTLS_SESSION_SET_PREMASTER))
312 #define AC_PKT_DATA 0 /* Uncompressed data */
313 #define AC_PKT_DPD_OUT 3 /* Dead Peer Detection */
314 #define AC_PKT_DPD_RESP 4 /* DPD response */
315 #define AC_PKT_DISCONN 5 /* Client disconnection notice */
316 #define AC_PKT_KEEPALIVE 7 /* Keepalive */
317 #define AC_PKT_COMPRESSED 8 /* Compressed data */
318 #define AC_PKT_TERM_SERVER 9 /* Server kick */
320 #define vpn_progress(vpninfo, ...) (vpninfo)->progress ((vpninfo)->cbdata, __VA_ARGS__)
322 /****************************************************************************/
323 /* Oh Solaris how we hate thee! */
325 #define time(x) openconnect__time(x)
326 time_t openconnect__time(time_t *t);
328 #ifndef HAVE_ASPRINTF
329 #define asprintf openconnect__asprintf
330 int openconnect__asprintf(char **strp, const char *fmt, ...);
333 #define getline openconnect__getline
334 ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
336 #ifndef HAVE_STRCASESTR
337 #define strcasestr openconnect__strcasestr
338 char *openconnect__strcasestr(const char *haystack, const char *needle);
341 /****************************************************************************/
344 int setup_tun(struct openconnect_info *vpninfo);
345 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout);
346 void shutdown_tun(struct openconnect_info *vpninfo);
347 int script_config_tun (struct openconnect_info *vpninfo, const char *reason);
350 unsigned char unhex(const char *data);
351 int setup_dtls(struct openconnect_info *vpninfo);
352 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
353 int dtls_try_handshake(struct openconnect_info *vpninfo);
354 int connect_dtls_socket(struct openconnect_info *vpninfo);
357 int make_cstp_connection(struct openconnect_info *vpninfo);
358 int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);
359 int cstp_bye(struct openconnect_info *vpninfo, const char *reason);
360 int cstp_reconnect(struct openconnect_info *vpninfo);
363 int connect_https_socket(struct openconnect_info *vpninfo);
364 int request_passphrase(struct openconnect_info *vpninfo, const char *label,
365 char **response, const char *fmt, ...);
366 int __attribute__ ((format (printf, 2, 3)))
367 openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
368 int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
369 #define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
370 #ifdef FAKE_ANDROID_KEYSTORE
371 #define ANDROID_KEYSTORE
373 #ifdef ANDROID_KEYSTORE
374 char *keystore_strerror(int err);
375 int keystore_fetch(const char *key, unsigned char **result);
378 /* ${SSL_LIBRARY}.c */
379 int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len);
380 int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len);
381 int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
382 int openconnect_open_https(struct openconnect_info *vpninfo);
383 void openconnect_close_https(struct openconnect_info *vpninfo, int final);
384 int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
386 int openconnect_sha1(unsigned char *result, void *data, int len);
387 int openconnect_random(void *bytes, int len);
388 int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
392 int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);
393 int vpn_mainloop(struct openconnect_info *vpninfo);
394 int queue_new_packet(struct pkt **q, void *buf, int len);
395 void queue_packet(struct pkt **q, struct pkt *new);
396 int keepalive_action(struct keepalive_info *ka, int *timeout);
397 int ka_stalled_action(struct keepalive_info *ka, int *timeout);
402 int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
405 int parse_xml_response(struct openconnect_info *vpninfo, char *response,
406 char *request_body, int req_len, const char **method,
407 const char **request_body_type);
408 int prepare_stoken(struct openconnect_info *vpninfo);
411 char *openconnect_create_useragent(const char *base);
412 int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
413 int internal_parse_url(char *url, char **res_proto, char **res_host,
414 int *res_port, char **res_path, int default_port);
417 int set_openssl_ui(void);
420 extern const char *openconnect_version_str;
422 #endif /* __OPENCONNECT_INTERNAL_H__ */