2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2010 Intel Corporation.
6 * Author: David Woodhouse <dwmw2@infradead.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1, as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to:
20 * Free Software Foundation, Inc.
21 * 51 Franklin Street, Fifth Floor,
22 * Boston, MA 02110-1301 USA
25 #include <sys/types.h>
27 #include <sys/socket.h>
28 #include <sys/ioctl.h>
34 #include <netinet/in_systm.h>
35 #include <netinet/in.h>
36 #include <netinet/ip.h>
38 #include <arpa/inet.h>
43 #include <sys/sockio.h>
44 #include <net/if_tun.h>
46 #error "Install TAP driver from http://www.whiteboard.ne.jp/~admin2/tuntap/"
50 #include "openconnect-internal.h"
53 * If an if_tun.h include file was found anywhere (by the Makefile), it's
54 * included. Else, we end up assuming that we have BSD-style devices such
62 * The OS X tun/tap driver doesn't provide a header file; you're expected
63 * to define this for yourself.
66 #define TUNSIFHEAD _IOW('t', 96, int)
70 * OpenBSD always puts the protocol family prefix onto packets. Other
71 * systems let us enable that with the TUNSIFHEAD ioctl, and some of them
72 * (e.g. FreeBSD) _need_ it otherwise they'll interpret IPv6 packets as IPv4.
74 #if defined(__OpenBSD__) || defined(TUNSIFHEAD)
75 #define TUN_HAS_AF_PREFIX 1
79 static int local_config_tun(struct openconnect_info *vpninfo, int mtu_only)
82 vpn_progress(vpninfo, PRG_ERR,
83 _("No vpnc-script configured. Need Solaris IP-setting code\n"));
87 static int local_config_tun(struct openconnect_info *vpninfo, int mtu_only)
92 net_fd = socket(PF_INET, SOCK_DGRAM, 0);
94 perror(_("open net"));
97 memset(&ifr, 0, sizeof(ifr));
98 strncpy(ifr.ifr_name, vpninfo->ifname, sizeof(ifr.ifr_name) - 1);
101 struct sockaddr_in addr;
103 if (ioctl(net_fd, SIOCGIFFLAGS, &ifr) < 0)
104 perror(_("SIOCGIFFLAGS"));
106 ifr.ifr_flags |= IFF_UP | IFF_POINTOPOINT;
107 if (ioctl(net_fd, SIOCSIFFLAGS, &ifr) < 0)
108 perror(_("SIOCSIFFLAGS"));
110 addr.sin_family = AF_INET;
111 addr.sin_addr.s_addr = inet_addr(vpninfo->vpn_addr);
112 memcpy(&ifr.ifr_addr, &addr, sizeof(addr));
113 if (ioctl(net_fd, SIOCSIFADDR, &ifr) < 0)
114 perror(_("SIOCSIFADDR"));
117 ifr.ifr_mtu = vpninfo->mtu;
118 if (ioctl(net_fd, SIOCSIFMTU, &ifr) < 0)
119 perror(_("SIOCSIFMTU"));
127 static int setenv_int(const char *opt, int value)
130 sprintf(buf, "%d", value);
131 return setenv(opt, buf, 1);
134 static int netmasklen(struct in_addr addr)
138 for (masklen = 0; masklen < 32; masklen++) {
139 if (ntohl(addr.s_addr) >= (0xffffffff << masklen))
145 static int process_split_xxclude(struct openconnect_info *vpninfo,
146 int include, const char *route, int *v4_incs,
150 const char *in_ex = include?"IN":"EX";
154 slash = strchr(route, '/');
158 vpn_progress(vpninfo, PRG_ERR,
159 _("Discard bad split include: \"%s\"\n"),
162 vpn_progress(vpninfo, PRG_ERR,
163 _("Discard bad split exclude: \"%s\"\n"),
170 if (strchr(route, ':')) {
171 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_ADDR", in_ex,
173 setenv(envname, route, 1);
175 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_MASKLEN", in_ex,
177 setenv(envname, slash+1, 1);
183 if (!inet_aton(route, &addr)) {
189 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_ADDR", in_ex, *v4_incs);
190 setenv(envname, route, 1);
192 /* Put it back how we found it */
195 if (!inet_aton(slash+1, &addr))
198 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASK", in_ex, *v4_incs);
199 setenv(envname, slash+1, 1);
201 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASKLEN", in_ex, *v4_incs);
202 setenv_int(envname, netmasklen(addr));
208 static int appendenv(const char *opt, const char *new)
211 char *old = getenv(opt);
215 snprintf(buf, 1023, "%s %s", old, new);
217 snprintf(buf, 1023, "%s", new);
219 return setenv(opt, buf, 1);
222 static void setenv_cstp_opts(struct openconnect_info *vpninfo)
227 struct vpn_option *opt;
229 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
230 buflen += 2 + strlen(opt->option) + strlen(opt->value);
232 env_buf = malloc(buflen + 1);
238 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
239 bufofs += snprintf(env_buf + bufofs, buflen - bufofs,
240 "%s=%s\n", opt->option, opt->value);
242 setenv("CISCO_CSTP_OPTIONS", env_buf, 1);
246 static void set_banner(struct openconnect_info *vpninfo)
251 if (!vpninfo->banner || !(banner = malloc(strlen(vpninfo->banner)))) {
252 unsetenv("CISCO_BANNER");
259 if (*p == '%' && isxdigit((int)(unsigned char)p[1]) &&
260 isxdigit((int)(unsigned char)p[2])) {
261 *(q++) = unhex(p + 1);
267 setenv("CISCO_BANNER", banner, 1);
272 static void set_script_env(struct openconnect_info *vpninfo)
275 int ret = getnameinfo(vpninfo->peer_addr, vpninfo->peer_addrlen, host,
276 sizeof(host), NULL, 0, NI_NUMERICHOST);
278 setenv("VPNGATEWAY", host, 1);
280 setenv("reason", "connect", 1);
282 unsetenv("CISCO_SPLIT_INC");
283 unsetenv("CISCO_SPLIT_EXC");
285 setenv_int("INTERNAL_IP4_MTU", vpninfo->mtu);
287 if (vpninfo->vpn_addr) {
288 setenv("INTERNAL_IP4_ADDRESS", vpninfo->vpn_addr, 1);
289 if (vpninfo->vpn_netmask) {
293 if (inet_aton(vpninfo->vpn_addr, &addr) &&
294 inet_aton(vpninfo->vpn_netmask, &mask)) {
297 addr.s_addr &= mask.s_addr;
298 netaddr = inet_ntoa(addr);
300 setenv("INTERNAL_IP4_NETADDR", netaddr, 1);
301 setenv("INTERNAL_IP4_NETMASK", vpninfo->vpn_netmask, 1);
302 setenv_int("INTERNAL_IP4_NETMASKLEN", netmasklen(mask));
306 if (vpninfo->vpn_addr6) {
307 setenv("INTERNAL_IP6_ADDRESS", vpninfo->vpn_addr6, 1);
308 setenv("INTERNAL_IP6_NETMASK", vpninfo->vpn_netmask6, 1);
311 if (vpninfo->vpn_dns[0])
312 setenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[0], 1);
314 unsetenv("INTERNAL_IP4_DNS");
315 if (vpninfo->vpn_dns[1])
316 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[1]);
317 if (vpninfo->vpn_dns[2])
318 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[2]);
320 if (vpninfo->vpn_nbns[0])
321 setenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[0], 1);
323 unsetenv("INTERNAL_IP4_NBNS");
324 if (vpninfo->vpn_nbns[1])
325 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[1]);
326 if (vpninfo->vpn_nbns[2])
327 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[2]);
329 if (vpninfo->vpn_domain)
330 setenv("CISCO_DEF_DOMAIN", vpninfo->vpn_domain, 1);
331 else unsetenv ("CISCO_DEF_DOMAIN");
333 if (vpninfo->vpn_proxy_pac)
334 setenv("CISCO_PROXY_PAC", vpninfo->vpn_proxy_pac, 1);
336 if (vpninfo->split_includes) {
337 struct split_include *this = vpninfo->split_includes;
338 int nr_split_includes = 0;
339 int nr_v6_split_includes = 0;
342 process_split_xxclude(vpninfo, 1, this->route,
344 &nr_v6_split_includes);
347 if (nr_split_includes)
348 setenv_int("CISCO_SPLIT_INC", nr_split_includes);
349 if (nr_v6_split_includes)
350 setenv_int("CISCO_IPV6_SPLIT_INC", nr_v6_split_includes);
352 if (vpninfo->split_excludes) {
353 struct split_include *this = vpninfo->split_excludes;
354 int nr_split_excludes = 0;
355 int nr_v6_split_excludes = 0;
358 process_split_xxclude(vpninfo, 0, this->route,
360 &nr_v6_split_excludes);
363 if (nr_split_excludes)
364 setenv_int("CISCO_SPLIT_EXC", nr_split_excludes);
365 if (nr_v6_split_excludes)
366 setenv_int("CISCO_IPV6_SPLIT_EXC", nr_v6_split_excludes);
368 setenv_cstp_opts(vpninfo);
371 static int script_config_tun(struct openconnect_info *vpninfo)
373 if (system(vpninfo->vpnc_script)) {
375 vpn_progress(vpninfo, PRG_ERR,
376 _("Failed to spawn script '%s': %s\n"),
377 vpninfo->vpnc_script, strerror(e));
383 void script_reconnect (struct openconnect_info *vpninfo)
385 setenv("reason", "reconnect", 1);
386 script_config_tun(vpninfo);
390 static int link_proto(int unit_nr, const char *devname, uint64_t flags)
392 int ip_fd, mux_id, tun2_fd;
395 tun2_fd = open("/dev/tun", O_RDWR);
397 perror(_("Could not /dev/tun for plumbing"));
400 if (ioctl(tun2_fd, I_PUSH, "ip") < 0) {
401 perror(_("Can't push IP"));
406 sprintf(ifr.lifr_name, "tun%d", unit_nr);
407 ifr.lifr_ppa = unit_nr;
408 ifr.lifr_flags = flags;
410 if (ioctl(tun2_fd, SIOCSLIFNAME, &ifr) < 0) {
411 perror(_("Can't set ifname"));
416 ip_fd = open(devname, O_RDWR);
418 fprintf(stderr, _("Can't open %s: %s"), devname,
423 if (ioctl(ip_fd, I_PUSH, "arp") < 0) {
424 perror(_("Can't push ARP"));
430 mux_id = ioctl(ip_fd, I_LINK, tun2_fd);
432 fprintf(stderr, _("Can't plumb %s for IPv%d: %s\n"),
433 ifr.lifr_name, (flags == IFF_IPV4) ? 4 : 6,
445 /* Set up a tuntap device. */
446 int setup_tun(struct openconnect_info *vpninfo)
450 set_script_env(vpninfo);
452 if (vpninfo->script_tun) {
456 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds)) {
457 perror(_("socketpair"));
467 setenv_int("VPNFD", fds[1]);
468 execl("/bin/sh", "/bin/sh", "-c", vpninfo->vpnc_script, NULL);
473 vpninfo->script_tun = child;
474 vpninfo->ifname = strdup(_("(script)"));
476 #ifdef IFF_TUN /* Linux */
480 tun_fd = open("/dev/net/tun", O_RDWR);
482 /* Android has /dev/tun instead of /dev/net/tun
483 Since other systems might have too, just try it
484 as a fallback instead of using ifdef __ANDROID__ */
486 tun_fd = open("/dev/tun", O_RDWR);
489 /* If the error on /dev/tun is ENOENT, that's boring.
490 Use the error we got on /dev/net/tun instead */
491 if (errno != -ENOENT)
494 vpn_progress(vpninfo, PRG_ERR,
495 _("Failed to open tun device: %s\n"),
499 memset(&ifr, 0, sizeof(ifr));
500 ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
502 strncpy(ifr.ifr_name, vpninfo->ifname,
503 sizeof(ifr.ifr_name) - 1);
504 if (ioctl(tun_fd, TUNSETIFF, (void *) &ifr) < 0) {
505 vpn_progress(vpninfo, PRG_ERR,
506 _("TUNSETIFF failed: %s\n"),
510 if (!vpninfo->ifname)
511 vpninfo->ifname = strdup(ifr.ifr_name);
512 #elif defined (__sun__)
513 static char tun_name[80];
516 tun_fd = open("/dev/tun", O_RDWR);
518 perror(_("open /dev/tun"));
522 unit_nr = ioctl(tun_fd, TUNNEWPPA, -1);
524 perror(_("Failed to create new tun"));
529 if (ioctl(tun_fd, I_SRDOPT, RMSGD) < 0) {
530 perror(_("Failed to put tun file descriptor into message-discard mode"));
535 sprintf(tun_name, "tun%d", unit_nr);
536 vpninfo->ifname = strdup(tun_name);
538 vpninfo->ip_fd = link_proto(unit_nr, "/dev/udp", IFF_IPV4);
539 if (vpninfo->ip_fd < 0) {
544 if (vpninfo->vpn_addr6) {
545 vpninfo->ip6_fd = link_proto(unit_nr, "/dev/udp6", IFF_IPV6);
546 if (vpninfo->ip6_fd < 0) {
548 close(vpninfo->ip_fd);
553 vpninfo->ip6_fd = -1;
555 #else /* BSD et al have /dev/tun$x devices */
556 static char tun_name[80];
558 for (i = 0; i < 255; i++) {
559 sprintf(tun_name, "/dev/tun%d", i);
560 tun_fd = open(tun_name, O_RDWR);
565 perror(_("open tun"));
568 vpninfo->ifname = strdup(tun_name + 5);
571 if (ioctl(tun_fd, TUNSIFHEAD, &i) < 0) {
572 perror(_("TUNSIFHEAD"));
577 if (vpninfo->vpnc_script) {
578 setenv("TUNDEV", vpninfo->ifname, 1);
579 script_config_tun(vpninfo);
580 /* We have to set the MTU for ourselves, because the script doesn't */
581 local_config_tun(vpninfo, 1);
583 local_config_tun(vpninfo, 0);
586 fcntl(tun_fd, F_SETFD, FD_CLOEXEC);
588 vpninfo->tun_fd = tun_fd;
590 if (vpninfo->select_nfds <= tun_fd)
591 vpninfo->select_nfds = tun_fd + 1;
593 FD_SET(tun_fd, &vpninfo->select_rfds);
595 fcntl(vpninfo->tun_fd, F_SETFL, fcntl(vpninfo->tun_fd, F_GETFL) | O_NONBLOCK);
600 static struct pkt *out_pkt;
602 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout)
607 #ifdef TUN_HAS_AF_PREFIX
608 if (!vpninfo->script_tun)
609 prefix_size = sizeof(int);
612 if (FD_ISSET(vpninfo->tun_fd, &vpninfo->select_rfds)) {
614 int len = vpninfo->mtu;
617 out_pkt = malloc(sizeof(struct pkt) + len);
619 vpn_progress(vpninfo, PRG_ERR, "Allocation failed\n");
624 len = read(vpninfo->tun_fd, out_pkt->data - prefix_size, len + prefix_size);
625 if (len <= prefix_size)
627 out_pkt->len = len - prefix_size;
629 queue_packet(&vpninfo->outgoing_queue, out_pkt);
633 vpninfo->outgoing_qlen++;
634 if (vpninfo->outgoing_qlen == vpninfo->max_qlen) {
635 FD_CLR(vpninfo->tun_fd, &vpninfo->select_rfds);
639 } else if (vpninfo->outgoing_qlen < vpninfo->max_qlen) {
640 FD_SET(vpninfo->tun_fd, &vpninfo->select_rfds);
643 /* The kernel returns -ENOMEM when the queue is full, so theoretically
644 we could handle that and retry... but it doesn't let us poll() for
645 the no-longer-full situation, so let's not bother. */
646 while (vpninfo->incoming_queue) {
647 struct pkt *this = vpninfo->incoming_queue;
648 unsigned char *data = this->data;
651 #ifdef TUN_HAS_AF_PREFIX
652 if (!vpninfo->script_tun) {
653 struct ip *iph = (void *)data;
658 else if (iph->ip_v == 4)
661 static int complained = 0;
664 vpn_progress(vpninfo, PRG_ERR,
665 _("Unknown packet (len %d) received: %02x %02x %02x %02x...\n"),
666 len, data[0], data[1], data[2], data[3]);
673 *(int *)data = htonl(type);
676 vpninfo->incoming_queue = this->next;
678 if (write(vpninfo->tun_fd, data, len) < 0) {
679 /* Handle death of "script" socket */
680 if (vpninfo->script_tun && errno == ENOTCONN) {
681 vpninfo->quit_reason = "Client connection terminated";
684 vpn_progress(vpninfo, PRG_ERR,
685 _("Failed to write incoming packet: %s\n"),
690 /* Work is not done if we just got rid of packets off the queue */
694 void shutdown_tun(struct openconnect_info *vpninfo)
696 if (vpninfo->script_tun) {
697 kill(vpninfo->script_tun, SIGHUP);
699 if (vpninfo->vpnc_script) {
700 setenv("reason", "disconnect", 1);
701 if (system(vpninfo->vpnc_script) == -1) {
702 vpn_progress(vpninfo, PRG_ERR,
703 _("Failed to spawn script '%s': %s\n"),
704 vpninfo->vpnc_script,
709 close(vpninfo->ip_fd);
711 if (vpninfo->ip6_fd != -1) {
712 close(vpninfo->ip6_fd);
713 vpninfo->ip6_fd = -1;
718 close(vpninfo->tun_fd);
719 vpninfo->tun_fd = -1;
projects / platform / upstream / openconnect.git / blob