2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2012 Intel Corporation.
6 * Author: David Woodhouse <dwmw2@infradead.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1, as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to:
20 * Free Software Foundation, Inc.
21 * 51 Franklin Street, Fifth Floor,
22 * Boston, MA 02110-1301 USA
25 #include <sys/types.h>
27 #include <sys/socket.h>
28 #include <sys/ioctl.h>
34 #include <netinet/in_systm.h>
35 #include <netinet/in.h>
36 #include <netinet/ip.h>
38 #include <arpa/inet.h>
45 #include <sys/sockio.h>
46 #include <net/if_tun.h>
48 #error "Install TAP driver from http://www.whiteboard.ne.jp/~admin2/tuntap/"
52 #include "openconnect-internal.h"
55 * If an if_tun.h include file was found anywhere (by the Makefile), it's
56 * included. Else, we end up assuming that we have BSD-style devices such
64 * The OS X tun/tap driver doesn't provide a header file; you're expected
65 * to define this for yourself.
68 #define TUNSIFHEAD _IOW('t', 96, int)
72 * OpenBSD always puts the protocol family prefix onto packets. Other
73 * systems let us enable that with the TUNSIFHEAD ioctl, and some of them
74 * (e.g. FreeBSD) _need_ it otherwise they'll interpret IPv6 packets as IPv4.
76 #if defined(__OpenBSD__) || defined(TUNSIFHEAD)
77 #define TUN_HAS_AF_PREFIX 1
80 static int set_tun_mtu(struct openconnect_info *vpninfo)
82 #ifndef __sun__ /* We don't know how to do this on Solaris */
86 net_fd = socket(PF_INET, SOCK_DGRAM, 0);
88 perror(_("open net"));
92 memset(&ifr, 0, sizeof(ifr));
93 strncpy(ifr.ifr_name, vpninfo->ifname, sizeof(ifr.ifr_name) - 1);
94 ifr.ifr_mtu = vpninfo->mtu;
96 if (ioctl(net_fd, SIOCSIFMTU, &ifr) < 0)
97 perror(_("SIOCSIFMTU"));
105 static int setenv_int(const char *opt, int value)
108 sprintf(buf, "%d", value);
109 return setenv(opt, buf, 1);
112 static int netmasklen(struct in_addr addr)
116 for (masklen = 0; masklen < 32; masklen++) {
117 if (ntohl(addr.s_addr) >= (0xffffffff << masklen))
123 static int process_split_xxclude(struct openconnect_info *vpninfo,
124 int include, const char *route, int *v4_incs,
128 const char *in_ex = include?"IN":"EX";
132 slash = strchr(route, '/');
136 vpn_progress(vpninfo, PRG_ERR,
137 _("Discard bad split include: \"%s\"\n"),
140 vpn_progress(vpninfo, PRG_ERR,
141 _("Discard bad split exclude: \"%s\"\n"),
148 if (strchr(route, ':')) {
149 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_ADDR", in_ex,
151 setenv(envname, route, 1);
153 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_MASKLEN", in_ex,
155 setenv(envname, slash+1, 1);
161 if (!inet_aton(route, &addr)) {
167 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_ADDR", in_ex, *v4_incs);
168 setenv(envname, route, 1);
170 /* Put it back how we found it */
173 if (!inet_aton(slash+1, &addr))
176 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASK", in_ex, *v4_incs);
177 setenv(envname, slash+1, 1);
179 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASKLEN", in_ex, *v4_incs);
180 setenv_int(envname, netmasklen(addr));
186 static int appendenv(const char *opt, const char *new)
189 char *old = getenv(opt);
193 snprintf(buf, 1023, "%s %s", old, new);
195 snprintf(buf, 1023, "%s", new);
197 return setenv(opt, buf, 1);
200 static void setenv_cstp_opts(struct openconnect_info *vpninfo)
205 struct vpn_option *opt;
207 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
208 buflen += 2 + strlen(opt->option) + strlen(opt->value);
210 env_buf = malloc(buflen + 1);
216 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
217 bufofs += snprintf(env_buf + bufofs, buflen - bufofs,
218 "%s=%s\n", opt->option, opt->value);
220 setenv("CISCO_CSTP_OPTIONS", env_buf, 1);
224 static void set_banner(struct openconnect_info *vpninfo)
229 if (!vpninfo->banner || !(banner = malloc(strlen(vpninfo->banner)+1))) {
230 unsetenv("CISCO_BANNER");
237 if (*p == '%' && isxdigit((int)(unsigned char)p[1]) &&
238 isxdigit((int)(unsigned char)p[2])) {
239 *(q++) = unhex(p + 1);
245 setenv("CISCO_BANNER", banner, 1);
250 static void set_script_env(struct openconnect_info *vpninfo)
253 int ret = getnameinfo(vpninfo->peer_addr, vpninfo->peer_addrlen, host,
254 sizeof(host), NULL, 0, NI_NUMERICHOST);
256 setenv("VPNGATEWAY", host, 1);
259 unsetenv("CISCO_SPLIT_INC");
260 unsetenv("CISCO_SPLIT_EXC");
262 setenv_int("INTERNAL_IP4_MTU", vpninfo->mtu);
264 if (vpninfo->vpn_addr) {
265 setenv("INTERNAL_IP4_ADDRESS", vpninfo->vpn_addr, 1);
266 if (vpninfo->vpn_netmask) {
270 if (inet_aton(vpninfo->vpn_addr, &addr) &&
271 inet_aton(vpninfo->vpn_netmask, &mask)) {
274 addr.s_addr &= mask.s_addr;
275 netaddr = inet_ntoa(addr);
277 setenv("INTERNAL_IP4_NETADDR", netaddr, 1);
278 setenv("INTERNAL_IP4_NETMASK", vpninfo->vpn_netmask, 1);
279 setenv_int("INTERNAL_IP4_NETMASKLEN", netmasklen(mask));
283 if (vpninfo->vpn_addr6) {
284 setenv("INTERNAL_IP6_ADDRESS", vpninfo->vpn_addr6, 1);
285 setenv("INTERNAL_IP6_NETMASK", vpninfo->vpn_netmask6, 1);
288 if (vpninfo->vpn_dns[0])
289 setenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[0], 1);
291 unsetenv("INTERNAL_IP4_DNS");
292 if (vpninfo->vpn_dns[1])
293 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[1]);
294 if (vpninfo->vpn_dns[2])
295 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[2]);
297 if (vpninfo->vpn_nbns[0])
298 setenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[0], 1);
300 unsetenv("INTERNAL_IP4_NBNS");
301 if (vpninfo->vpn_nbns[1])
302 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[1]);
303 if (vpninfo->vpn_nbns[2])
304 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[2]);
306 if (vpninfo->vpn_domain)
307 setenv("CISCO_DEF_DOMAIN", vpninfo->vpn_domain, 1);
308 else unsetenv ("CISCO_DEF_DOMAIN");
310 if (vpninfo->vpn_proxy_pac)
311 setenv("CISCO_PROXY_PAC", vpninfo->vpn_proxy_pac, 1);
313 if (vpninfo->split_dns) {
316 struct split_include *dns = vpninfo->split_dns;
319 len += strlen(dns->route) + 1;
326 dns = vpninfo->split_dns;
328 strcpy(p, dns->route);
335 setenv("CISCO_SPLIT_DNS", list, 1);
339 if (vpninfo->split_includes) {
340 struct split_include *this = vpninfo->split_includes;
341 int nr_split_includes = 0;
342 int nr_v6_split_includes = 0;
345 process_split_xxclude(vpninfo, 1, this->route,
347 &nr_v6_split_includes);
350 if (nr_split_includes)
351 setenv_int("CISCO_SPLIT_INC", nr_split_includes);
352 if (nr_v6_split_includes)
353 setenv_int("CISCO_IPV6_SPLIT_INC", nr_v6_split_includes);
355 if (vpninfo->split_excludes) {
356 struct split_include *this = vpninfo->split_excludes;
357 int nr_split_excludes = 0;
358 int nr_v6_split_excludes = 0;
361 process_split_xxclude(vpninfo, 0, this->route,
363 &nr_v6_split_excludes);
366 if (nr_split_excludes)
367 setenv_int("CISCO_SPLIT_EXC", nr_split_excludes);
368 if (nr_v6_split_excludes)
369 setenv_int("CISCO_IPV6_SPLIT_EXC", nr_v6_split_excludes);
371 setenv_cstp_opts(vpninfo);
374 int script_config_tun(struct openconnect_info *vpninfo, const char *reason)
376 if (!vpninfo->vpnc_script)
379 setenv("reason", reason, 1);
380 if (system(vpninfo->vpnc_script)) {
382 vpn_progress(vpninfo, PRG_ERR,
383 _("Failed to spawn script '%s' for %s: %s\n"),
384 vpninfo->vpnc_script, reason, strerror(e));
391 static int link_proto(int unit_nr, const char *devname, uint64_t flags)
393 int ip_fd, mux_id, tun2_fd;
396 tun2_fd = open("/dev/tun", O_RDWR);
398 perror(_("Could not /dev/tun for plumbing"));
401 if (ioctl(tun2_fd, I_PUSH, "ip") < 0) {
402 perror(_("Can't push IP"));
407 sprintf(ifr.lifr_name, "tun%d", unit_nr);
408 ifr.lifr_ppa = unit_nr;
409 ifr.lifr_flags = flags;
411 if (ioctl(tun2_fd, SIOCSLIFNAME, &ifr) < 0) {
412 perror(_("Can't set ifname"));
417 ip_fd = open(devname, O_RDWR);
419 fprintf(stderr, _("Can't open %s: %s"), devname,
425 mux_id = ioctl(ip_fd, I_LINK, tun2_fd);
427 fprintf(stderr, _("Can't plumb %s for IPv%d: %s\n"),
428 ifr.lifr_name, (flags == IFF_IPV4) ? 4 : 6,
442 static int bsd_open_tun(char *tun_name)
448 fd = open(tun_name, O_RDWR);
452 s = socket(AF_INET, SOCK_DGRAM, 0);
456 memset(&ifr, 0, sizeof(ifr));
457 strncpy(ifr.ifr_name, tun_name + 5, sizeof(ifr.ifr_name) - 1);
458 if (!ioctl(s, SIOCIFCREATE, &ifr))
459 fd = open(tun_name, O_RDWR);
466 #define bsd_open_tun(tun_name) open(tun_name, O_RDWR)
469 static int os_setup_tun(struct openconnect_info *vpninfo)
473 #ifdef IFF_TUN /* Linux */
477 tun_fd = open("/dev/net/tun", O_RDWR);
479 /* Android has /dev/tun instead of /dev/net/tun
480 Since other systems might have too, just try it
481 as a fallback instead of using ifdef __ANDROID__ */
483 tun_fd = open("/dev/tun", O_RDWR);
486 /* If the error on /dev/tun is ENOENT, that's boring.
487 Use the error we got on /dev/net/tun instead */
491 vpn_progress(vpninfo, PRG_ERR,
492 _("Failed to open tun device: %s\n"),
496 memset(&ifr, 0, sizeof(ifr));
497 ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
499 strncpy(ifr.ifr_name, vpninfo->ifname,
500 sizeof(ifr.ifr_name) - 1);
501 if (ioctl(tun_fd, TUNSETIFF, (void *) &ifr) < 0) {
502 vpn_progress(vpninfo, PRG_ERR,
503 _("TUNSETIFF failed: %s\n"),
507 if (!vpninfo->ifname)
508 vpninfo->ifname = strdup(ifr.ifr_name);
509 #elif defined (__sun__)
510 static char tun_name[80];
513 tun_fd = open("/dev/tun", O_RDWR);
515 perror(_("open /dev/tun"));
519 unit_nr = ioctl(tun_fd, TUNNEWPPA, -1);
521 perror(_("Failed to create new tun"));
526 if (ioctl(tun_fd, I_SRDOPT, RMSGD) < 0) {
527 perror(_("Failed to put tun file descriptor into message-discard mode"));
532 sprintf(tun_name, "tun%d", unit_nr);
533 vpninfo->ifname = strdup(tun_name);
535 vpninfo->ip_fd = link_proto(unit_nr, "/dev/udp", IFF_IPV4);
536 if (vpninfo->ip_fd < 0) {
541 if (vpninfo->vpn_addr6) {
542 vpninfo->ip6_fd = link_proto(unit_nr, "/dev/udp6", IFF_IPV6);
543 if (vpninfo->ip6_fd < 0) {
545 close(vpninfo->ip_fd);
550 vpninfo->ip6_fd = -1;
552 #else /* BSD et al have /dev/tun$x devices */
553 static char tun_name[80];
556 if (vpninfo->ifname) {
558 if (strncmp(vpninfo->ifname, "tun", 3) ||
559 ((void)strtol(vpninfo->ifname + 3, &endp, 10), !endp) ||
561 vpn_progress(vpninfo, PRG_ERR,
562 _("Invalid interface name '%s'; must match 'tun%%d'\n"),
566 snprintf(tun_name, sizeof(tun_name),
567 "/dev/%s", vpninfo->ifname);
568 tun_fd = bsd_open_tun(tun_name);
571 vpn_progress(vpninfo, PRG_ERR,
572 _("Cannot open '%s': %s\n"),
573 tun_name, strerror(err));
577 #ifdef HAVE_FDEVNAME_R
578 /* We don't have to iterate over the possible devices; on FreeBSD
579 at least, opening /dev/tun will give us the next available
582 tun_fd = open("/dev/tun", O_RDWR);
584 if (!fdevname_r(tun_fd, tun_name, sizeof(tun_name)) ||
585 strncmp(tun_name, "tun", 3)) {
589 vpninfo->ifname = strdup(tun_name);
594 for (i = 0; i < 255; i++) {
595 sprintf(tun_name, "/dev/tun%d", i);
596 tun_fd = bsd_open_tun(tun_name);
601 perror(_("open tun"));
604 vpninfo->ifname = strdup(tun_name + 5);
608 if (ioctl(tun_fd, TUNSIFHEAD, &i) < 0) {
609 perror(_("TUNSIFHEAD"));
617 /* Set up a tuntap device. */
618 int setup_tun(struct openconnect_info *vpninfo)
622 set_script_env(vpninfo);
624 if (vpninfo->script_tun) {
628 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds)) {
629 perror(_("socketpair"));
639 setenv_int("VPNFD", fds[1]);
640 execl("/bin/sh", "/bin/sh", "-c", vpninfo->vpnc_script, NULL);
645 vpninfo->script_tun = child;
646 vpninfo->ifname = strdup(_("(script)"));
648 script_config_tun(vpninfo, "pre-init");
650 tun_fd = os_setup_tun(vpninfo);
654 setenv("TUNDEV", vpninfo->ifname, 1);
655 script_config_tun(vpninfo, "connect");
657 /* Ancient vpnc-scripts might not get this right */
658 set_tun_mtu(vpninfo);
661 fcntl(tun_fd, F_SETFD, FD_CLOEXEC);
663 vpninfo->tun_fd = tun_fd;
665 if (vpninfo->select_nfds <= tun_fd)
666 vpninfo->select_nfds = tun_fd + 1;
668 FD_SET(tun_fd, &vpninfo->select_rfds);
670 fcntl(vpninfo->tun_fd, F_SETFL, fcntl(vpninfo->tun_fd, F_GETFL) | O_NONBLOCK);
675 static struct pkt *out_pkt;
677 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout)
682 #ifdef TUN_HAS_AF_PREFIX
683 if (!vpninfo->script_tun)
684 prefix_size = sizeof(int);
687 if (FD_ISSET(vpninfo->tun_fd, &vpninfo->select_rfds)) {
689 int len = vpninfo->mtu;
692 out_pkt = malloc(sizeof(struct pkt) + len);
694 vpn_progress(vpninfo, PRG_ERR, "Allocation failed\n");
699 len = read(vpninfo->tun_fd, out_pkt->data - prefix_size, len + prefix_size);
700 if (len <= prefix_size)
702 out_pkt->len = len - prefix_size;
704 queue_packet(&vpninfo->outgoing_queue, out_pkt);
708 vpninfo->outgoing_qlen++;
709 if (vpninfo->outgoing_qlen == vpninfo->max_qlen) {
710 FD_CLR(vpninfo->tun_fd, &vpninfo->select_rfds);
714 } else if (vpninfo->outgoing_qlen < vpninfo->max_qlen) {
715 FD_SET(vpninfo->tun_fd, &vpninfo->select_rfds);
718 /* The kernel returns -ENOMEM when the queue is full, so theoretically
719 we could handle that and retry... but it doesn't let us poll() for
720 the no-longer-full situation, so let's not bother. */
721 while (vpninfo->incoming_queue) {
722 struct pkt *this = vpninfo->incoming_queue;
723 unsigned char *data = this->data;
726 #ifdef TUN_HAS_AF_PREFIX
727 if (!vpninfo->script_tun) {
728 struct ip *iph = (void *)data;
733 else if (iph->ip_v == 4)
736 static int complained = 0;
739 vpn_progress(vpninfo, PRG_ERR,
740 _("Unknown packet (len %d) received: %02x %02x %02x %02x...\n"),
741 len, data[0], data[1], data[2], data[3]);
748 *(int *)data = htonl(type);
751 vpninfo->incoming_queue = this->next;
753 if (write(vpninfo->tun_fd, data, len) < 0) {
754 /* Handle death of "script" socket */
755 if (vpninfo->script_tun && errno == ENOTCONN) {
756 vpninfo->quit_reason = "Client connection terminated";
759 vpn_progress(vpninfo, PRG_ERR,
760 _("Failed to write incoming packet: %s\n"),
765 /* Work is not done if we just got rid of packets off the queue */
769 void shutdown_tun(struct openconnect_info *vpninfo)
771 if (vpninfo->script_tun) {
772 kill(vpninfo->script_tun, SIGHUP);
774 script_config_tun(vpninfo, "disconnect");
776 close(vpninfo->ip_fd);
778 if (vpninfo->ip6_fd != -1) {
779 close(vpninfo->ip6_fd);
780 vpninfo->ip6_fd = -1;
785 close(vpninfo->tun_fd);
786 vpninfo->tun_fd = -1;