Add source port option for DTLS
[platform/upstream/openconnect.git] / openconnect-internal.h
1 /*
2  * OpenConnect (SSL + DTLS) VPN client
3  *
4  * Copyright © 2008-2012 Intel Corporation.
5  * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
6  *
7  * Author: David Woodhouse <dwmw2@infradead.org>
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU Lesser General Public License
11  * version 2.1, as published by the Free Software Foundation.
12  *
13  * This program is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public
19  * License along with this library; if not, write to:
20  *
21  *   Free Software Foundation, Inc.
22  *   51 Franklin Street, Fifth Floor,
23  *   Boston, MA 02110-1301 USA
24  */
25
26 #ifndef __OPENCONNECT_INTERNAL_H__
27 #define __OPENCONNECT_INTERNAL_H__
28
29 #include "openconnect.h"
30
31 #if defined (OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
32 #include <openssl/ssl.h>
33 #include <openssl/err.h>
34 /* Ick */
35 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
36 #define method_const const
37 #else
38 #define method_const
39 #endif
40 #endif /* OPENSSL */
41
42 #if defined (OPENCONNECT_GNUTLS)
43 #include <gnutls/gnutls.h>
44 #include <gnutls/abstract.h>
45 #include <gnutls/x509.h>
46 #ifdef HAVE_TROUSERS
47 #include <trousers/tss.h>
48 #include <trousers/trousers.h>
49 #endif
50 #endif
51
52 #include <zlib.h>
53 #include <stdint.h>
54 #include <sys/socket.h>
55 #include <sys/select.h>
56 #include <sys/time.h>
57 #include <sys/types.h>
58 #include <unistd.h>
59
60 #ifdef LIBPROXY_HDR
61 #include LIBPROXY_HDR
62 #endif
63
64 #ifdef ENABLE_NLS
65 #include <locale.h>
66 #include <libintl.h>
67 #define _(s) dgettext("openconnect", s)
68 #else
69 #define _(s) s
70 #endif
71 #define N_(s) s
72
73 #define SHA1_SIZE 20
74 #define MD5_SIZE 16
75
76 /****************************************************************************/
77
78 struct pkt {
79         int len;
80         struct pkt *next;
81         unsigned char hdr[8];
82         unsigned char data[];
83 };
84
85 struct vpn_option {
86         char *option;
87         char *value;
88         struct vpn_option *next;
89 };
90
91 #define KA_NONE         0
92 #define KA_DPD          1
93 #define KA_DPD_DEAD     2
94 #define KA_KEEPALIVE    3
95 #define KA_REKEY        4
96
97 struct keepalive_info {
98         int dpd;
99         int keepalive;
100         int rekey;
101         time_t last_rekey;
102         time_t last_tx;
103         time_t last_rx;
104         time_t last_dpd;
105 };
106
107 struct split_include {
108         char *route;
109         struct split_include *next;
110 };
111
112 struct pin_cache {
113         struct pin_cache *next;
114         char *token;
115         char *pin;
116 };
117
118 #define RECONNECT_INTERVAL_MIN  10
119 #define RECONNECT_INTERVAL_MAX  100
120
121 #define CERT_TYPE_UNKNOWN       0
122 #define CERT_TYPE_PEM           1
123 #define CERT_TYPE_PKCS12        2
124 #define CERT_TYPE_TPM           3
125
126 struct openconnect_info {
127         char *redirect_url;
128
129         char *csd_token;
130         char *csd_ticket;
131         char *csd_stuburl;
132         char *csd_starturl;
133         char *csd_waiturl;
134         char *csd_preurl;
135
136         char *csd_scriptname;
137
138 #ifdef LIBPROXY_HDR
139         pxProxyFactory *proxy_factory;
140 #endif
141         char *proxy_type;
142         char *proxy;
143         int proxy_port;
144
145         const char *localname;
146         char *hostname;
147         int port;
148         char *urlpath;
149         int cert_expire_warning;
150         const char *cert;
151         const char *sslkey;
152         int cert_type;
153         char *cert_password;
154         const char *cafile;
155         const char *servercert;
156         const char *xmlconfig;
157         char xmlsha1[(SHA1_SIZE * 2) + 1];
158         char *username;
159         char *password;
160         char *authgroup;
161         int nopasswd;
162         char *dtls_ciphers;
163         uid_t uid_csd;
164         char *csd_wrapper;
165         int uid_csd_given;
166         int no_http_keepalive;
167
168         OPENCONNECT_X509 *peer_cert;
169
170         char *cookie; /* Pointer to within cookies list */
171         struct vpn_option *cookies;
172         struct vpn_option *cstp_options;
173         struct vpn_option *dtls_options;
174
175 #if defined(OPENCONNECT_OPENSSL)
176         X509 *cert_x509;
177         SSL_CTX *https_ctx;
178         SSL *https_ssl;
179 #elif defined(OPENCONNECT_GNUTLS)
180         gnutls_session_t https_sess;
181         gnutls_certificate_credentials_t https_cred;
182         struct pin_cache *pin_cache;
183 #ifdef HAVE_TROUSERS
184         TSS_HCONTEXT tpm_context;
185         TSS_HKEY srk;
186         TSS_HPOLICY srk_policy;
187         TSS_HKEY tpm_key;
188         TSS_HPOLICY tpm_key_policy;
189 #endif
190 #ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
191 #ifdef HAVE_P11KIT
192         gnutls_pkcs11_privkey_t my_p11key;
193 #endif
194         gnutls_privkey_t my_pkey;
195         gnutls_x509_crt_t *my_certs;
196         unsigned int nr_my_certs;
197 #endif
198 #endif /* OPENCONNECT_GNUTLS */
199         struct keepalive_info ssl_times;
200         int owe_ssl_dpd_response;
201         struct pkt *deflate_pkt;
202         struct pkt *current_ssl_pkt;
203         struct pkt *pending_deflated_pkt;
204
205         z_stream inflate_strm;
206         uint32_t inflate_adler32;
207         z_stream deflate_strm;
208         uint32_t deflate_adler32;
209
210         int disable_ipv6;
211         int reconnect_timeout;
212         int reconnect_interval;
213         int dtls_attempt_period;
214         time_t new_dtls_started;
215 #if defined(DTLS_OPENSSL)
216         SSL_CTX *dtls_ctx;
217         SSL *dtls_ssl;
218         SSL *new_dtls_ssl;
219         SSL_SESSION *dtls_session;
220 #elif defined(DTLS_GNUTLS)
221         /* Call these *_ssl rather than *_sess because they're just
222            pointers, and generic code (in mainloop.c for example)
223            wants to check if they're NULL or not. No point in being
224            differently named to the OpenSSL variant, and forcing us to
225            have ifdefs or accessor macros for them. */
226         gnutls_session_t dtls_ssl;
227         gnutls_session_t new_dtls_ssl;
228 #endif
229         struct keepalive_info dtls_times;
230         unsigned char dtls_session_id[32];
231         unsigned char dtls_secret[48];
232
233         char *dtls_cipher;
234         const char *vpnc_script;
235         int script_tun;
236         char *ifname;
237
238         int mtu, basemtu;
239         const char *banner;
240         const char *vpn_addr;
241         const char *vpn_netmask;
242         const char *vpn_addr6;
243         const char *vpn_netmask6;
244         const char *vpn_dns[3];
245         const char *vpn_nbns[3];
246         const char *vpn_domain;
247         const char *vpn_proxy_pac;
248         struct split_include *split_dns;
249         struct split_include *split_includes;
250         struct split_include *split_excludes;
251
252         int select_nfds;
253         fd_set select_rfds;
254         fd_set select_wfds;
255         fd_set select_efds;
256
257 #ifdef __sun__
258         int ip_fd;
259         int ip6_fd;
260 #endif
261         int tun_fd;
262         int ssl_fd;
263         int dtls_fd;
264         int new_dtls_fd;
265         int cancel_fd;
266
267         struct pkt *incoming_queue;
268         struct pkt *outgoing_queue;
269         int outgoing_qlen;
270         int max_qlen;
271
272         socklen_t peer_addrlen;
273         struct sockaddr *peer_addr;
274         struct sockaddr *dtls_addr;
275
276         int dtls_local_port;
277
278         int deflate;
279         char *useragent;
280
281         const char *quit_reason;
282
283         void *cbdata;
284         openconnect_validate_peer_cert_vfn validate_peer_cert;
285         openconnect_write_new_config_vfn write_new_config;
286         openconnect_process_auth_form_vfn process_auth_form;
287         openconnect_progress_vfn progress;
288 };
289
290 #if (defined (DTLS_OPENSSL) && defined (SSL_OP_CISCO_ANYCONNECT)) || \
291     (defined (DTLS_GNUTLS) && defined (HAVE_GNUTLS_SESSION_SET_PREMASTER))
292 #define HAVE_DTLS 1
293 #endif
294
295 /* Packet types */
296
297 #define AC_PKT_DATA             0       /* Uncompressed data */
298 #define AC_PKT_DPD_OUT          3       /* Dead Peer Detection */
299 #define AC_PKT_DPD_RESP         4       /* DPD response */
300 #define AC_PKT_DISCONN          5       /* Client disconnection notice */
301 #define AC_PKT_KEEPALIVE        7       /* Keepalive */
302 #define AC_PKT_COMPRESSED       8       /* Compressed data */
303 #define AC_PKT_TERM_SERVER      9       /* Server kick */
304
305 #define vpn_progress(vpninfo, ...) (vpninfo)->progress ((vpninfo)->cbdata, __VA_ARGS__)
306
307 /****************************************************************************/
308 /* Oh Solaris how we hate thee! */
309 #ifdef __sun__
310 #define time(x) openconnect__time(x)
311 time_t openconnect__time(time_t *t);
312 #endif
313 #ifndef HAVE_ASPRINTF
314 #define asprintf openconnect__asprintf
315 int openconnect__asprintf(char **strp, const char *fmt, ...);
316 #endif
317 #ifndef HAVE_GETLINE
318 #define getline openconnect__getline
319 ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
320 #endif
321
322 /****************************************************************************/
323
324 /* tun.c */
325 int setup_tun(struct openconnect_info *vpninfo);
326 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout);
327 void shutdown_tun(struct openconnect_info *vpninfo);
328 int script_config_tun (struct openconnect_info *vpninfo, const char *reason);
329
330 /* dtls.c */
331 unsigned char unhex(const char *data);
332 int setup_dtls(struct openconnect_info *vpninfo);
333 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
334 int dtls_try_handshake(struct openconnect_info *vpninfo);
335 int connect_dtls_socket(struct openconnect_info *vpninfo);
336
337 /* cstp.c */
338 int make_cstp_connection(struct openconnect_info *vpninfo);
339 int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);
340 int cstp_bye(struct openconnect_info *vpninfo, const char *reason);
341 int cstp_reconnect(struct openconnect_info *vpninfo);
342
343 /* ssl.c */
344 int connect_https_socket(struct openconnect_info *vpninfo);
345 int request_passphrase(struct openconnect_info *vpninfo, const char *label,
346                        char **response, const char *fmt, ...);
347 int  __attribute__ ((format (printf, 2, 3)))
348     openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
349 int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
350 #define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
351 #ifdef FAKE_ANDROID_KEYSTORE
352 #define ANDROID_KEYSTORE
353 #endif
354 #ifdef ANDROID_KEYSTORE
355 char *keystore_strerror(int err);
356 int keystore_fetch(const char *key, unsigned char **result);
357 #endif
358
359 /* ${SSL_LIBRARY}.c */
360 int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len);
361 int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len);
362 int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
363 int openconnect_open_https(struct openconnect_info *vpninfo);
364 void openconnect_close_https(struct openconnect_info *vpninfo, int final);
365 int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
366                              char *buf);
367 int openconnect_sha1(unsigned char *result, void *data, int len);
368 int openconnect_random(void *bytes, int len);
369 int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
370                                char *buf);
371
372 /* mainloop.c */
373 int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);
374 int vpn_mainloop(struct openconnect_info *vpninfo);
375 int queue_new_packet(struct pkt **q, void *buf, int len);
376 void queue_packet(struct pkt **q, struct pkt *new);
377 int keepalive_action(struct keepalive_info *ka, int *timeout);
378 int ka_stalled_dpd_time(struct keepalive_info *ka, int *timeout);
379
380 extern int killed;
381
382 /* xml.c */
383 int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
384
385 /* auth.c */
386 int parse_xml_response(struct openconnect_info *vpninfo, char *response,
387                        char *request_body, int req_len, const char **method,
388                        const char **request_body_type);
389
390 /* http.c */
391 char *openconnect_create_useragent(const char *base);
392 int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
393 int internal_parse_url(char *url, char **res_proto, char **res_host,
394                        int *res_port, char **res_path, int default_port);
395
396 /* ssl_ui.c */
397 int set_openssl_ui(void);
398
399 /* securid.c */
400 int generate_securid_tokencodes(struct openconnect_info *vpninfo);
401 int add_securid_pin(char *token, char *pin);
402
403 /* version.c */
404 extern const char *openconnect_version_str;
405
406 #endif /* __OPENCONNECT_INTERNAL_H__ */