2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2012 Intel Corporation.
5 * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
7 * Author: David Woodhouse <dwmw2@infradead.org>
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * version 2.1, as published by the Free Software Foundation.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to:
21 * Free Software Foundation, Inc.
22 * 51 Franklin Street, Fifth Floor,
23 * Boston, MA 02110-1301 USA
26 #ifndef __OPENCONNECT_INTERNAL_H__
27 #define __OPENCONNECT_INTERNAL_H__
29 #include "openconnect.h"
31 #if defined (OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
32 #include <openssl/ssl.h>
33 #include <openssl/err.h>
35 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
36 #define method_const const
42 #if defined (OPENCONNECT_GNUTLS)
43 #include <gnutls/gnutls.h>
44 #include <gnutls/abstract.h>
45 #include <gnutls/x509.h>
47 #include <trousers/tss.h>
48 #include <trousers/trousers.h>
54 #include <sys/socket.h>
55 #include <sys/select.h>
57 #include <sys/types.h>
67 #define _(s) dgettext("openconnect", s)
76 /****************************************************************************/
88 struct vpn_option *next;
94 #define KA_KEEPALIVE 3
97 struct keepalive_info {
107 struct split_include {
109 struct split_include *next;
113 struct pin_cache *next;
118 #define RECONNECT_INTERVAL_MIN 10
119 #define RECONNECT_INTERVAL_MAX 100
121 #define CERT_TYPE_UNKNOWN 0
122 #define CERT_TYPE_PEM 1
123 #define CERT_TYPE_PKCS12 2
124 #define CERT_TYPE_TPM 3
126 struct openconnect_info {
129 const char *csd_xmltag;
137 char *csd_scriptname;
140 pxProxyFactory *proxy_factory;
146 const char *localname;
150 int cert_expire_warning;
156 const char *servercert;
157 const char *xmlconfig;
158 char xmlsha1[(SHA1_SIZE * 2) + 1];
167 int no_http_keepalive;
169 OPENCONNECT_X509 *peer_cert;
171 char *cookie; /* Pointer to within cookies list */
172 struct vpn_option *cookies;
173 struct vpn_option *cstp_options;
174 struct vpn_option *dtls_options;
176 #if defined(OPENCONNECT_OPENSSL)
180 #elif defined(OPENCONNECT_GNUTLS)
181 gnutls_session_t https_sess;
182 gnutls_certificate_credentials_t https_cred;
183 struct pin_cache *pin_cache;
185 TSS_HCONTEXT tpm_context;
187 TSS_HPOLICY srk_policy;
189 TSS_HPOLICY tpm_key_policy;
191 #ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
193 gnutls_pkcs11_privkey_t my_p11key;
195 gnutls_privkey_t my_pkey;
196 gnutls_x509_crt_t *my_certs;
197 unsigned int nr_my_certs;
199 #endif /* OPENCONNECT_GNUTLS */
200 struct keepalive_info ssl_times;
201 int owe_ssl_dpd_response;
202 struct pkt *deflate_pkt;
203 struct pkt *current_ssl_pkt;
204 struct pkt *pending_deflated_pkt;
206 z_stream inflate_strm;
207 uint32_t inflate_adler32;
208 z_stream deflate_strm;
209 uint32_t deflate_adler32;
212 int reconnect_timeout;
213 int reconnect_interval;
214 int dtls_attempt_period;
215 time_t new_dtls_started;
216 #if defined(DTLS_OPENSSL)
220 SSL_SESSION *dtls_session;
221 #elif defined(DTLS_GNUTLS)
222 /* Call these *_ssl rather than *_sess because they're just
223 pointers, and generic code (in mainloop.c for example)
224 wants to check if they're NULL or not. No point in being
225 differently named to the OpenSSL variant, and forcing us to
226 have ifdefs or accessor macros for them. */
227 gnutls_session_t dtls_ssl;
228 gnutls_session_t new_dtls_ssl;
230 struct keepalive_info dtls_times;
231 unsigned char dtls_session_id[32];
232 unsigned char dtls_secret[48];
235 const char *vpnc_script;
242 const char *vpn_addr;
243 const char *vpn_netmask;
244 const char *vpn_addr6;
245 const char *vpn_netmask6;
246 const char *vpn_dns[3];
247 const char *vpn_nbns[3];
248 const char *vpn_domain;
249 const char *vpn_proxy_pac;
250 struct split_include *split_dns;
251 struct split_include *split_includes;
252 struct split_include *split_excludes;
269 struct pkt *incoming_queue;
270 struct pkt *outgoing_queue;
274 socklen_t peer_addrlen;
275 struct sockaddr *peer_addr;
276 struct sockaddr *dtls_addr;
283 const char *quit_reason;
286 openconnect_validate_peer_cert_vfn validate_peer_cert;
287 openconnect_write_new_config_vfn write_new_config;
288 openconnect_process_auth_form_vfn process_auth_form;
289 openconnect_progress_vfn progress;
292 #if (defined (DTLS_OPENSSL) && defined (SSL_OP_CISCO_ANYCONNECT)) || \
293 (defined (DTLS_GNUTLS) && defined (HAVE_GNUTLS_SESSION_SET_PREMASTER))
299 #define AC_PKT_DATA 0 /* Uncompressed data */
300 #define AC_PKT_DPD_OUT 3 /* Dead Peer Detection */
301 #define AC_PKT_DPD_RESP 4 /* DPD response */
302 #define AC_PKT_DISCONN 5 /* Client disconnection notice */
303 #define AC_PKT_KEEPALIVE 7 /* Keepalive */
304 #define AC_PKT_COMPRESSED 8 /* Compressed data */
305 #define AC_PKT_TERM_SERVER 9 /* Server kick */
307 #define vpn_progress(vpninfo, ...) (vpninfo)->progress ((vpninfo)->cbdata, __VA_ARGS__)
309 /****************************************************************************/
310 /* Oh Solaris how we hate thee! */
312 #define time(x) openconnect__time(x)
313 time_t openconnect__time(time_t *t);
315 #ifndef HAVE_ASPRINTF
316 #define asprintf openconnect__asprintf
317 int openconnect__asprintf(char **strp, const char *fmt, ...);
320 #define getline openconnect__getline
321 ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
323 #ifndef HAVE_STRCASESTR
324 #define strcasestr openconnect__strcasestr
325 char *openconnect__strcasestr(const char *haystack, const char *needle);
328 /****************************************************************************/
331 int setup_tun(struct openconnect_info *vpninfo);
332 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout);
333 void shutdown_tun(struct openconnect_info *vpninfo);
334 int script_config_tun (struct openconnect_info *vpninfo, const char *reason);
337 unsigned char unhex(const char *data);
338 int setup_dtls(struct openconnect_info *vpninfo);
339 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
340 int dtls_try_handshake(struct openconnect_info *vpninfo);
341 int connect_dtls_socket(struct openconnect_info *vpninfo);
344 int make_cstp_connection(struct openconnect_info *vpninfo);
345 int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);
346 int cstp_bye(struct openconnect_info *vpninfo, const char *reason);
347 int cstp_reconnect(struct openconnect_info *vpninfo);
350 int connect_https_socket(struct openconnect_info *vpninfo);
351 int request_passphrase(struct openconnect_info *vpninfo, const char *label,
352 char **response, const char *fmt, ...);
353 int __attribute__ ((format (printf, 2, 3)))
354 openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
355 int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
356 #define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
357 #ifdef FAKE_ANDROID_KEYSTORE
358 #define ANDROID_KEYSTORE
360 #ifdef ANDROID_KEYSTORE
361 char *keystore_strerror(int err);
362 int keystore_fetch(const char *key, unsigned char **result);
365 /* ${SSL_LIBRARY}.c */
366 int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len);
367 int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len);
368 int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
369 int openconnect_open_https(struct openconnect_info *vpninfo);
370 void openconnect_close_https(struct openconnect_info *vpninfo, int final);
371 int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
373 int openconnect_sha1(unsigned char *result, void *data, int len);
374 int openconnect_random(void *bytes, int len);
375 int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
379 int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);
380 int vpn_mainloop(struct openconnect_info *vpninfo);
381 int queue_new_packet(struct pkt **q, void *buf, int len);
382 void queue_packet(struct pkt **q, struct pkt *new);
383 int keepalive_action(struct keepalive_info *ka, int *timeout);
384 int ka_stalled_action(struct keepalive_info *ka, int *timeout);
389 int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
392 int parse_xml_response(struct openconnect_info *vpninfo, char *response,
393 char *request_body, int req_len, const char **method,
394 const char **request_body_type);
397 char *openconnect_create_useragent(const char *base);
398 int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
399 int internal_parse_url(char *url, char **res_proto, char **res_host,
400 int *res_port, char **res_path, int default_port);
403 int set_openssl_ui(void);
406 extern const char *openconnect_version_str;
408 #endif /* __OPENCONNECT_INTERNAL_H__ */