1 /*
2  * OpenConnect (SSL + DTLS) VPN client
3  *
4  * Copyright © 2008-2012 Intel Corporation.
5  * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
6  *
7  * Author: David Woodhouse <dwmw2@infradead.org>
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU Lesser General Public License
11  * version 2.1, as published by the Free Software Foundation.
12  *
13  * This program is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public
19  * License along with this library; if not, write to:
20  *
21  *   Free Software Foundation, Inc.
22  *   51 Franklin Street, Fifth Floor,
23  *   Boston, MA 02110-1301 USA
24  */
25
26 #ifndef __OPENCONNECT_INTERNAL_H__
27 #define __OPENCONNECT_INTERNAL_H__
28
29 #include "openconnect.h"
30
31 #if defined (OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
32 #include <openssl/ssl.h>
33 #include <openssl/err.h>
34 /* Ick */
35 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
36 #define method_const const
37 #else
38 #define method_const
39 #endif
40 #endif /* OPENSSL */
41
42 #if defined (OPENCONNECT_GNUTLS)
43 #include <gnutls/gnutls.h>
44 #include <gnutls/abstract.h>
45 #include <gnutls/x509.h>
46 #ifdef HAVE_TROUSERS
47 #include <trousers/tss.h>
48 #include <trousers/trousers.h>
49 #endif
50 #endif
51
52 #include <zlib.h>
53 #include <stdint.h>
54 #include <sys/socket.h>
55 #include <sys/select.h>
56 #include <sys/time.h>
57 #include <sys/types.h>
58 #include <unistd.h>
59
60 #ifdef LIBPROXY_HDR
61 #include LIBPROXY_HDR
62 #endif
63
/*
 * Message translation. With NLS enabled, _(s) looks s up in the
 * "openconnect" gettext domain at runtime; otherwise it is the identity.
 * N_(s) is always the identity (no runtime translation).
 */
#ifdef ENABLE_NLS
#include <locale.h>
#include <libintl.h>
#define _(s) dgettext("openconnect", s)
#else
#define _(s) s
#endif
#define N_(s) s

/* Digest lengths in bytes. Hex encodings need (SIZE * 2) + 1 chars, see xmlsha1 below. */
#define SHA1_SIZE 20
#define MD5_SIZE 16
75
76 /****************************************************************************/
77
/*
 * One packet on an incoming/outgoing queue (see queue_packet() below).
 * 'data' is a C99 flexible array member, so a pkt must be allocated with
 * room for the payload after the struct itself.
 */
struct pkt {
        int len;                /* payload length; presumably the bytes valid in data[] — confirm against the allocator */
        struct pkt *next;       /* next packet in the singly-linked queue */
        unsigned char hdr[8];   /* fixed 8-byte header stored ahead of the payload */
        unsigned char data[];   /* flexible array member: payload follows the struct */
};
84
/*
 * Singly-linked list of name/value string pairs. Used for the cookies,
 * cstp_options and dtls_options members of struct openconnect_info.
 * Ownership of the two strings is not visible from this header.
 */
struct vpn_option {
        char *option;           /* option name */
        char *value;            /* option value */
        struct vpn_option *next;
};
90
/*
 * Keepalive actions. Presumably the values returned by keepalive_action()
 * and ka_stalled_action() (mainloop.c) — confirm there.
 */
#define KA_NONE         0       /* nothing to do */
#define KA_DPD          1       /* send a Dead Peer Detection probe */
#define KA_DPD_DEAD     2       /* peer has not answered DPD */
#define KA_KEEPALIVE    3       /* send a keepalive */
#define KA_REKEY        4       /* rekey the session */
96
/*
 * Keepalive/DPD/rekey timing for one transport (there is one instance for
 * SSL and one for DTLS in struct openconnect_info). The three intervals are
 * plain ints; their unit is not visible here (presumably seconds, since the
 * timestamps are time_t values).
 */
struct keepalive_info {
        int dpd;                /* DPD interval (0 presumably disables) */
        int keepalive;          /* keepalive interval */
        int rekey;              /* rekey interval */
        time_t last_rekey;      /* timestamps of the last event of each kind */
        time_t last_tx;
        time_t last_rx;
        time_t last_dpd;
};
106
/*
 * Singly-linked list of route strings, used for the split_dns,
 * split_includes and split_excludes members of struct openconnect_info.
 */
struct split_include {
        char *route;            /* route (or DNS domain, for split_dns) as received */
        struct split_include *next;
};
111
/*
 * Cached PIN for a token (GnuTLS build only; see openconnect_info.pin_cache).
 * NOTE(review): 'pin' is secret material — confirm it is wiped, not just
 * freed, when the cache is torn down.
 */
struct pin_cache {
        struct pin_cache *next;
        char *token;            /* token identifier the PIN belongs to */
        char *pin;              /* secret */
};
117
/* Bounds for openconnect_info.reconnect_interval — presumably; unit not visible here */
#define RECONNECT_INTERVAL_MIN  10
#define RECONNECT_INTERVAL_MAX  100

/* Values of openconnect_info.cert_type: how the client certificate is stored */
#define CERT_TYPE_UNKNOWN       0       /* not yet determined */
#define CERT_TYPE_PEM           1
#define CERT_TYPE_PKCS12        2
#define CERT_TYPE_TPM           3       /* key held by a TPM (see the HAVE_TROUSERS members) */
125
/*
 * All state for one VPN session; every internal function below takes a
 * pointer to it as 'vpninfo'. The layout is shared by every translation
 * unit in the library, so members must not be reordered.
 *
 * NOTE(review): several members hold secrets (cert_password, password,
 * cookie/cookies, dtls_session_id, dtls_secret and the pin_cache list).
 * Confirm the teardown code wipes them before freeing rather than relying
 * on plain free().
 */
struct openconnect_info {
        char *redirect_url;

        /* CSD (presumably Cisco Secure Desktop) trojan state; strings as received from the server */
        const char *csd_xmltag;
        char *csd_token;
        char *csd_ticket;
        char *csd_stuburl;
        char *csd_starturl;
        char *csd_waiturl;
        char *csd_preurl;

        char *csd_scriptname;

        /* Proxy configuration; proxy_factory exists only when built with libproxy */
#ifdef LIBPROXY_HDR
        pxProxyFactory *proxy_factory;
#endif
        char *proxy_type;
        char *proxy;
        int proxy_port;

        /* Server and client identity settings */
        const char *localname;
        char *hostname;
        int port;
        char *urlpath;
        int cert_expire_warning;
        const char *cert;
        const char *sslkey;
        int cert_type;                  /* one of CERT_TYPE_* */
        char *cert_password;            /* secret */
        const char *cafile;
        const char *servercert;
        const char *xmlconfig;
        char xmlsha1[(SHA1_SIZE * 2) + 1]; /* sized for a hex-encoded SHA1 digest plus NUL */
        char *username;
        char *password;                 /* secret */
        char *authgroup;
        int nopasswd;
        char *dtls_ciphers;
        uid_t uid_csd;                  /* uid to run the CSD script as; uid_csd_given flags that it was set — presumably */
        char *csd_wrapper;
        int uid_csd_given;
        int no_http_keepalive;

        OPENCONNECT_X509 *peer_cert;    /* server certificate; type comes from openconnect.h */

        char *cookie; /* Pointer to within cookies list (not a separate allocation) */
        struct vpn_option *cookies;
        struct vpn_option *cstp_options;
        struct vpn_option *dtls_options;

        /* HTTPS/TLS session state, one variant per TLS backend */
#if defined(OPENCONNECT_OPENSSL)
        X509 *cert_x509;
        SSL_CTX *https_ctx;
        SSL *https_ssl;
#elif defined(OPENCONNECT_GNUTLS)
        gnutls_session_t https_sess;
        gnutls_certificate_credentials_t https_cred;
        struct pin_cache *pin_cache;    /* cached token PINs (secret) */
#ifdef HAVE_TROUSERS
        /* TPM handles (TrouSers) for a CERT_TYPE_TPM key */
        TSS_HCONTEXT tpm_context;
        TSS_HKEY srk;
        TSS_HPOLICY srk_policy;
        TSS_HKEY tpm_key;
        TSS_HPOLICY tpm_key_policy;
#endif
#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
        /* Fallback for GnuTLS without gnutls_certificate_set_key(): keep the key and chain ourselves */
#ifdef HAVE_P11KIT
        gnutls_pkcs11_privkey_t my_p11key;
#endif
        gnutls_privkey_t my_pkey;
        gnutls_x509_crt_t *my_certs;
        unsigned int nr_my_certs;       /* number of entries in my_certs */
#endif
#endif /* OPENCONNECT_GNUTLS */
        struct keepalive_info ssl_times;
        int owe_ssl_dpd_response;
        struct pkt *deflate_pkt;
        struct pkt *current_ssl_pkt;
        struct pkt *pending_deflated_pkt;

        /* zlib state and running Adler-32 checksums for each direction */
        z_stream inflate_strm;
        uint32_t inflate_adler32;
        z_stream deflate_strm;
        uint32_t deflate_adler32;

        int disable_ipv6;
        int reconnect_timeout;
        int reconnect_interval;         /* see RECONNECT_INTERVAL_MIN/MAX */
        int dtls_attempt_period;
        time_t new_dtls_started;
#if defined(DTLS_OPENSSL)
        SSL_CTX *dtls_ctx;
        SSL *dtls_ssl;
        SSL *new_dtls_ssl;
        SSL_SESSION *dtls_session;
#elif defined(DTLS_GNUTLS)
        /* Call these *_ssl rather than *_sess because they're just
           pointers, and generic code (in mainloop.c for example)
           wants to check if they're NULL or not. No point in being
           differently named to the OpenSSL variant, and forcing us to
           have ifdefs or accessor macros for them. */
        gnutls_session_t dtls_ssl;
        gnutls_session_t new_dtls_ssl;
#endif
        struct keepalive_info dtls_times;
        unsigned char dtls_session_id[32];      /* secret: DTLS session id, fixed 32 bytes */
        unsigned char dtls_secret[48];          /* secret: DTLS master secret, fixed 48 bytes — presumably (matches a TLS master secret) */

        char *dtls_cipher;
        const char *vpnc_script;        /* script run to configure the tun device */
        int script_tun;
        char *ifname;

        /* MTU and configuration received from the server */
        int actual_mtu;
        int reqmtu, basemtu;
        const char *banner;
        const char *vpn_addr;
        const char *vpn_netmask;
        const char *vpn_addr6;
        const char *vpn_netmask6;
        const char *vpn_dns[3];         /* at most three DNS servers are kept */
        const char *vpn_nbns[3];        /* at most three NBNS servers are kept */
        const char *vpn_domain;
        const char *vpn_proxy_pac;
        struct split_include *split_dns;
        struct split_include *split_includes;
        struct split_include *split_excludes;

        /* select() bookkeeping for the main loop */
        int select_nfds;
        fd_set select_rfds;
        fd_set select_wfds;
        fd_set select_efds;

        /* File descriptors; ip_fd/ip6_fd exist only on Solaris */
#ifdef __sun__
        int ip_fd;
        int ip6_fd;
#endif
        int tun_fd;
        int ssl_fd;
        int dtls_fd;
        int new_dtls_fd;
        int cancel_fd;                  /* presumably written to from another thread to wake the main loop — confirm */

        /* Packet queues (struct pkt lists); outgoing_qlen/max_qlen are counts, unit presumably packets */
        struct pkt *incoming_queue;
        struct pkt *outgoing_queue;
        int outgoing_qlen;
        int max_qlen;

        /* NOTE(review): only one length field for two sockaddr pointers;
           whether dtls_addr is the same size as peer_addr is not visible here */
        socklen_t peer_addrlen;
        struct sockaddr *peer_addr;
        struct sockaddr *dtls_addr;

        int dtls_local_port;

        int deflate;
        char *useragent;

        const char *quit_reason;

        /* Caller-supplied callbacks. cbdata is passed as the first argument
           to progress (see vpn_progress below); presumably to the others too. */
        void *cbdata;
        openconnect_validate_peer_cert_vfn validate_peer_cert;
        openconnect_write_new_config_vfn write_new_config;
        openconnect_process_auth_form_vfn process_auth_form;
        openconnect_progress_vfn progress;
};
291
/*
 * HAVE_DTLS is defined only when the selected DTLS backend exposes the hook
 * the AnyConnect DTLS resumption needs: SSL_OP_CISCO_ANYCONNECT for OpenSSL,
 * or gnutls_session_set_premaster() (HAVE_GNUTLS_SESSION_SET_PREMASTER) for
 * GnuTLS. DTLS-specific code should be guarded by it.
 */
#if (defined (DTLS_OPENSSL) && defined (SSL_OP_CISCO_ANYCONNECT)) || \
    (defined (DTLS_GNUTLS) && defined (HAVE_GNUTLS_SESSION_SET_PREMASTER))
#define HAVE_DTLS 1
#endif
296
/* Packet types */

/* Packet type codes (presumably the type byte of the AnyConnect header).
   Values 1, 2 and 6 are not defined here. */
#define AC_PKT_DATA             0       /* Uncompressed data */
#define AC_PKT_DPD_OUT          3       /* Dead Peer Detection */
#define AC_PKT_DPD_RESP         4       /* DPD response */
#define AC_PKT_DISCONN          5       /* Client disconnection notice */
#define AC_PKT_KEEPALIVE        7       /* Keepalive */
#define AC_PKT_COMPRESSED       8       /* Compressed data */
#define AC_PKT_TERM_SERVER      9       /* Server kick */

/*
 * Report progress through the caller's callback: expands to
 * vpninfo->progress(vpninfo->cbdata, ...). 'vpninfo' is evaluated twice,
 * so pass a plain lvalue, never an expression with side effects.
 */
#define vpn_progress(vpninfo, ...) (vpninfo)->progress ((vpninfo)->cbdata, __VA_ARGS__)
308
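/****************************************************************************/
/* Oh Solaris how we hate thee! */
/*
 * Portability shims. Each block substitutes the project's own implementation
 * for a libc name: unconditionally for time() on Solaris, and otherwise only
 * when configure did not find the function (HAVE_* undefined). Because the
 * substitution is a macro, every call site that includes this header is
 * rewritten, so each replacement must keep the libc signature and contract.
 */
#ifdef __sun__
#define time(x) openconnect__time(x)
time_t openconnect__time(time_t *t);
#endif
#ifndef HAVE_ASPRINTF
#define asprintf openconnect__asprintf
/* Allocates *strp; the caller frees it (as with libc asprintf — presumably
   the replacement matches that contract). The format attribute gives callers
   the same -Wformat checking they would get from the libc declaration. */
int __attribute__ ((format (printf, 2, 3)))
    openconnect__asprintf(char **strp, const char *fmt, ...);
#endif
#ifndef HAVE_GETLINE
#define getline openconnect__getline
/* POSIX getline() replacement: *lineptr/*n are the caller's growable buffer */
ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
#endif
#ifndef HAVE_STRCASESTR
#define strcasestr openconnect__strcasestr
/* Case-insensitive substring search, supplied by the project's compat code when libc lacks it */
char *openconnect__strcasestr(const char *haystack, const char *needle);
#endif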
327
328 /****************************************************************************/
329
/* tun.c */
/* Return conventions are not visible in this header; the definitions in tun.c are authoritative. */
int setup_tun(struct openconnect_info *vpninfo);                                 /* create/attach the tun device (vpninfo->tun_fd) */
int tun_mainloop(struct openconnect_info *vpninfo, int *timeout);               /* service the tun fd; *timeout presumably an in/out wait bound */
void shutdown_tun(struct openconnect_info *vpninfo);
int script_config_tun (struct openconnect_info *vpninfo, const char *reason);   /* run vpnc_script with 'reason' */
335
/* dtls.c */
/* Decode a byte from hex text — presumably the two characters at data[0..1]; no length check is possible from this prototype */
unsigned char unhex(const char *data);
int setup_dtls(struct openconnect_info *vpninfo);
int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);              /* *timeout presumably an in/out wait bound, as for tun_mainloop */
int dtls_try_handshake(struct openconnect_info *vpninfo);
int connect_dtls_socket(struct openconnect_info *vpninfo);
342
/* cstp.c */
int make_cstp_connection(struct openconnect_info *vpninfo);                     /* establish the CSTP tunnel over the HTTPS session */
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);              /* *timeout presumably an in/out wait bound, as for tun_mainloop */
int cstp_bye(struct openconnect_info *vpninfo, const char *reason);             /* send a disconnect with 'reason' (cf. AC_PKT_DISCONN) — presumably */
int cstp_reconnect(struct openconnect_info *vpninfo);
348
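/* ssl.c */
int connect_https_socket(struct openconnect_info *vpninfo);                     /* open the TCP socket for the HTTPS session */
/* Ask the caller for a passphrase; *response is presumably allocated for the
   caller to free. 'fmt' is a printf format for the prompt, so the format
   attribute is declared here the same way as for openconnect_SSL_printf
   so mismatched arguments are caught at compile time. */
int __attribute__ ((format (printf, 4, 5)))
    request_passphrase(struct openconnect_info *vpninfo, const char *label,
                       char **response, const char *fmt, ...);
int  __attribute__ ((format (printf, 2, 3)))
    openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
/* Callback with the ERR_print_errors_cb() signature: 'str' is 'len' bytes of
   error text, 'ptr' is the vpninfo passed through the macro below. */
int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
/* Only usable when openssl/err.h is in scope (OPENCONNECT_OPENSSL or
   DTLS_OPENSSL), even though the macro itself is defined unconditionally. */
#define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
#ifdef FAKE_ANDROID_KEYSTORE
#define ANDROID_KEYSTORE
#endif
#ifdef ANDROID_KEYSTORE
char *keystore_strerror(int err);
/* Fetch 'key' from the Android keystore into *result; ownership of *result
   and the meaning of the return value are not visible here — confirm before use */
int keystore_fetch(const char *key, unsigned char **result);
#endif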
364
/* ${SSL_LIBRARY}.c — implemented once per TLS backend; this header declares the common interface */
int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len);  /* read a line into buf (len bytes) — presumably NUL-terminated; confirm */
/* NOTE(review): buf is not const although a write should not modify it */
int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len);
int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
int openconnect_open_https(struct openconnect_info *vpninfo);                  /* TLS handshake on the HTTPS socket, including server certificate checks — presumably */
void openconnect_close_https(struct openconnect_info *vpninfo, int final);
/* No length parameter: buf presumably must hold a hex MD5 plus NUL, (MD5_SIZE * 2) + 1 bytes — confirm */
int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
                             char *buf);
/* result presumably must be SHA1_SIZE bytes. len is a signed int, so the
   prototype cannot reject negative or > INT_MAX lengths; callers must. */
int openconnect_sha1(unsigned char *result, void *data, int len);
/* Fill 'bytes' with 'len' random bytes from the TLS library's RNG — presumably.
   The failure convention is not visible here; check the return before using
   the output as key material. */
int openconnect_random(void *bytes, int len);
int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
                               char *buf);                                   /* same buffer requirement as get_cert_md5_fingerprint — presumably */
377
/* mainloop.c */
int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);  /* 'events' is a poll()-style mask — presumably, given the short type */
int vpn_mainloop(struct openconnect_info *vpninfo);                          /* run until the session ends; returns the reason — presumably */
int queue_new_packet(struct pkt **q, void *buf, int len);                    /* allocate a pkt with 'len' bytes copied from buf and queue it — presumably */
void queue_packet(struct pkt **q, struct pkt *new);                          /* append 'new' to the list at *q */
int keepalive_action(struct keepalive_info *ka, int *timeout);               /* returns a KA_* value — presumably; *timeout in/out */
int ka_stalled_action(struct keepalive_info *ka, int *timeout);

/* Global termination flag. NOTE(review): if this is set from a signal
   handler it should be volatile sig_atomic_t — confirm where it is written. */
extern int killed;
387
/* xml.c */
int config_lookup_host(struct openconnect_info *vpninfo, const char *host);  /* resolve 'host' via the xmlconfig profile — presumably */
390
/* auth.c */
/* Parse the server's XML auth response (modified in place — it is not const).
   request_body is presumably an output buffer of req_len bytes; *method and
   *request_body_type are outputs. Confirm the buffer contract in auth.c. */
int parse_xml_response(struct openconnect_info *vpninfo, char *response,
                       char *request_body, int req_len, const char **method,
                       const char **request_body_type);
395
/* http.c */
char *openconnect_create_useragent(const char *base);                          /* returns a new string — presumably heap-allocated, caller frees */
int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);            /* negotiate with the configured proxy on ssl_sock before TLS */
/* Split a URL. 'url' is not const, so it is presumably modified in place and
   the res_* outputs may point into it or be separately allocated — ownership
   is not visible here. default_port is used when the URL carries none. */
int internal_parse_url(char *url, char **res_proto, char **res_host,
                       int *res_port, char **res_path, int default_port);
401
/* ssl_ui.c */
int set_openssl_ui(void);                                                      /* install the OpenSSL UI method for passphrase prompts — OpenSSL builds only, presumably */
404
/* version.c */
extern const char *openconnect_version_str;                                    /* library version string, defined in version.c */
407
408 #endif /* __OPENCONNECT_INTERNAL_H__ */