2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2010 Intel Corporation.
6 * Author: David Woodhouse <dwmw2@infradead.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1, as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to:
20 * Free Software Foundation, Inc.
21 * 51 Franklin Street, Fifth Floor,
22 * Boston, MA 02110-1301 USA
25 #include <sys/types.h>
27 #include <sys/socket.h>
28 #include <sys/ioctl.h>
34 #include <netinet/in_systm.h>
35 #include <netinet/in.h>
36 #include <netinet/ip.h>
38 #include <arpa/inet.h>
43 #include <sys/sockio.h>
44 #include <net/if_tun.h>
46 #error "Install TAP driver from http://www.whiteboard.ne.jp/~admin2/tuntap/"
50 #include "openconnect-internal.h"
53 * If an if_tun.h include file was found anywhere (by the Makefile), it's
54 * included. Else, we end up assuming that we have BSD-style devices such
62 * The OS X tun/tap driver doesn't provide a header file; you're expected
63 * to define this for yourself.
66 #define TUNSIFHEAD _IOW('t', 96, int)
70 * OpenBSD always puts the protocol family prefix onto packets. Other
71 * systems let us enable that with the TUNSIFHEAD ioctl, and some of them
72 * (e.g. FreeBSD) _need_ it otherwise they'll interpret IPv6 packets as IPv4.
74 #if defined(__OpenBSD__) || defined(TUNSIFHEAD)
75 #define TUN_HAS_AF_PREFIX 1
76 #define AF_PREFIX_SIZE (sizeof(int))
78 #define AF_PREFIX_SIZE (0)
82 static int local_config_tun(struct openconnect_info *vpninfo, int mtu_only)
85 vpn_progress(vpninfo, PRG_ERR,
86 _("No vpnc-script configured. Need Solaris IP-setting code\n"));
90 static int local_config_tun(struct openconnect_info *vpninfo, int mtu_only)
95 net_fd = socket(PF_INET, SOCK_DGRAM, 0);
97 perror(_("open net"));
100 memset(&ifr, 0, sizeof(ifr));
101 strncpy(ifr.ifr_name, vpninfo->ifname, sizeof(ifr.ifr_name) - 1);
104 struct sockaddr_in addr;
106 if (ioctl(net_fd, SIOCGIFFLAGS, &ifr) < 0)
107 perror(_("SIOCGIFFLAGS"));
109 ifr.ifr_flags |= IFF_UP | IFF_POINTOPOINT;
110 if (ioctl(net_fd, SIOCSIFFLAGS, &ifr) < 0)
111 perror(_("SIOCSIFFLAGS"));
113 addr.sin_family = AF_INET;
114 addr.sin_addr.s_addr = inet_addr(vpninfo->vpn_addr);
115 memcpy(&ifr.ifr_addr, &addr, sizeof(addr));
116 if (ioctl(net_fd, SIOCSIFADDR, &ifr) < 0)
117 perror(_("SIOCSIFADDR"));
120 ifr.ifr_mtu = vpninfo->mtu;
121 if (ioctl(net_fd, SIOCSIFMTU, &ifr) < 0)
122 perror(_("SIOCSIFMTU"));
130 static int setenv_int(const char *opt, int value)
133 sprintf(buf, "%d", value);
134 return setenv(opt, buf, 1);
137 static int netmasklen(struct in_addr addr)
141 for (masklen = 0; masklen < 32; masklen++) {
142 if (ntohl(addr.s_addr) >= (0xffffffff << masklen))
148 static int process_split_xxclude(struct openconnect_info *vpninfo,
149 int include, const char *route, int *v4_incs,
153 const char *in_ex = include?"IN":"EX";
157 slash = strchr(route, '/');
161 vpn_progress(vpninfo, PRG_ERR,
162 _("Discard bad split include: \"%s\"\n"),
165 vpn_progress(vpninfo, PRG_ERR,
166 _("Discard bad split exclude: \"%s\"\n"),
173 if (strchr(route, ':')) {
174 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_ADDR", in_ex,
176 setenv(envname, route, 1);
178 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_MASKLEN", in_ex,
180 setenv(envname, slash+1, 1);
186 if (!inet_aton(route, &addr)) {
192 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_ADDR", in_ex, *v4_incs);
193 setenv(envname, route, 1);
195 /* Put it back how we found it */
198 if (!inet_aton(slash+1, &addr))
201 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASK", in_ex, *v4_incs);
202 setenv(envname, slash+1, 1);
204 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASKLEN", in_ex, *v4_incs);
205 setenv_int(envname, netmasklen(addr));
211 static int appendenv(const char *opt, const char *new)
214 char *old = getenv(opt);
218 snprintf(buf, 1023, "%s %s", old, new);
220 snprintf(buf, 1023, "%s", new);
222 return setenv(opt, buf, 1);
225 static void setenv_cstp_opts(struct openconnect_info *vpninfo)
230 struct vpn_option *opt;
232 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
233 buflen += 2 + strlen(opt->option) + strlen(opt->value);
235 env_buf = malloc(buflen + 1);
241 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
242 bufofs += snprintf(env_buf + bufofs, buflen - bufofs,
243 "%s=%s\n", opt->option, opt->value);
245 setenv("CISCO_CSTP_OPTIONS", env_buf, 1);
249 static void set_banner(struct openconnect_info *vpninfo)
254 if (!vpninfo->banner || !(banner = malloc(strlen(vpninfo->banner)))) {
255 unsetenv("CISCO_BANNER");
262 if (*p == '%' && isxdigit((int)(unsigned char)p[1]) &&
263 isxdigit((int)(unsigned char)p[2])) {
264 *(q++) = unhex(p + 1);
270 setenv("CISCO_BANNER", banner, 1);
275 static void set_script_env(struct openconnect_info *vpninfo)
278 int ret = getnameinfo(vpninfo->peer_addr, vpninfo->peer_addrlen, host,
279 sizeof(host), NULL, 0, NI_NUMERICHOST);
281 setenv("VPNGATEWAY", host, 1);
283 setenv("reason", "connect", 1);
285 unsetenv("CISCO_SPLIT_INC");
286 unsetenv("CISCO_SPLIT_EXC");
288 setenv_int("INTERNAL_IP4_MTU", vpninfo->mtu);
290 if (vpninfo->vpn_addr) {
291 setenv("INTERNAL_IP4_ADDRESS", vpninfo->vpn_addr, 1);
292 if (vpninfo->vpn_netmask) {
296 if (inet_aton(vpninfo->vpn_addr, &addr) &&
297 inet_aton(vpninfo->vpn_netmask, &mask)) {
300 addr.s_addr &= mask.s_addr;
301 netaddr = inet_ntoa(addr);
303 setenv("INTERNAL_IP4_NETADDR", netaddr, 1);
304 setenv("INTERNAL_IP4_NETMASK", vpninfo->vpn_netmask, 1);
305 setenv_int("INTERNAL_IP4_NETMASKLEN", netmasklen(mask));
309 if (vpninfo->vpn_addr6) {
310 setenv("INTERNAL_IP6_ADDRESS", vpninfo->vpn_addr6, 1);
311 setenv("INTERNAL_IP6_NETMASK", vpninfo->vpn_netmask6, 1);
314 if (vpninfo->vpn_dns[0])
315 setenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[0], 1);
317 unsetenv("INTERNAL_IP4_DNS");
318 if (vpninfo->vpn_dns[1])
319 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[1]);
320 if (vpninfo->vpn_dns[2])
321 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[2]);
323 if (vpninfo->vpn_nbns[0])
324 setenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[0], 1);
326 unsetenv("INTERNAL_IP4_NBNS");
327 if (vpninfo->vpn_nbns[1])
328 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[1]);
329 if (vpninfo->vpn_nbns[2])
330 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[2]);
332 if (vpninfo->vpn_domain)
333 setenv("CISCO_DEF_DOMAIN", vpninfo->vpn_domain, 1);
334 else unsetenv ("CISCO_DEF_DOMAIN");
336 if (vpninfo->vpn_proxy_pac)
337 setenv("CISCO_PROXY_PAC", vpninfo->vpn_proxy_pac, 1);
339 if (vpninfo->split_includes) {
340 struct split_include *this = vpninfo->split_includes;
341 int nr_split_includes = 0;
342 int nr_v6_split_includes = 0;
345 process_split_xxclude(vpninfo, 1, this->route,
347 &nr_v6_split_includes);
350 if (nr_split_includes)
351 setenv_int("CISCO_SPLIT_INC", nr_split_includes);
352 if (nr_v6_split_includes)
353 setenv_int("CISCO_IPV6_SPLIT_INC", nr_v6_split_includes);
355 if (vpninfo->split_excludes) {
356 struct split_include *this = vpninfo->split_excludes;
357 int nr_split_excludes = 0;
358 int nr_v6_split_excludes = 0;
361 process_split_xxclude(vpninfo, 0, this->route,
363 &nr_v6_split_excludes);
366 if (nr_split_excludes)
367 setenv_int("CISCO_SPLIT_EXC", nr_split_excludes);
368 if (nr_v6_split_excludes)
369 setenv_int("CISCO_IPV6_SPLIT_EXC", nr_v6_split_excludes);
371 setenv_cstp_opts(vpninfo);
374 static int script_config_tun(struct openconnect_info *vpninfo)
376 if (system(vpninfo->vpnc_script)) {
378 vpn_progress(vpninfo, PRG_ERR,
379 _("Failed to spawn script '%s': %s\n"),
380 vpninfo->vpnc_script, strerror(e));
386 void script_reconnect (struct openconnect_info *vpninfo)
388 setenv("reason", "reconnect", 1);
389 script_config_tun(vpninfo);
393 static int link_proto(int unit_nr, const char *devname, uint64_t flags)
395 int ip_fd, mux_id, tun2_fd;
398 tun2_fd = open("/dev/tun", O_RDWR);
400 perror(_("Could not /dev/tun for plumbing"));
403 if (ioctl(tun2_fd, I_PUSH, "ip") < 0) {
404 perror(_("Can't push IP"));
409 sprintf(ifr.lifr_name, "tun%d", unit_nr);
410 ifr.lifr_ppa = unit_nr;
411 ifr.lifr_flags = flags;
413 if (ioctl(tun2_fd, SIOCSLIFNAME, &ifr) < 0) {
414 perror(_("Can't set ifname"));
419 ip_fd = open(devname, O_RDWR);
421 fprintf(stderr, _("Can't open %s: %s"), devname,
426 if (ioctl(ip_fd, I_PUSH, "arp") < 0) {
427 perror(_("Can't push ARP"));
433 mux_id = ioctl(ip_fd, I_LINK, tun2_fd);
435 fprintf(stderr, _("Can't plumb %s for IPv%d: %s\n"),
436 ifr.lifr_name, (flags == IFF_IPV4) ? 4 : 6,
448 /* Set up a tuntap device. */
449 int setup_tun(struct openconnect_info *vpninfo)
453 set_script_env(vpninfo);
455 if (vpninfo->script_tun) {
459 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds)) {
460 perror(_("socketpair"));
470 setenv_int("VPNFD", fds[1]);
471 execl("/bin/sh", "/bin/sh", "-c", vpninfo->vpnc_script, NULL);
476 vpninfo->script_tun = child;
477 vpninfo->ifname = strdup(_("(script)"));
479 #ifdef IFF_TUN /* Linux */
483 tun_fd = open("/dev/net/tun", O_RDWR);
485 /* Android has /dev/tun instead of /dev/net/tun
486 Since other systems might have too, just try it
487 as a fallback instead of using ifdef __ANDROID__ */
489 tun_fd = open("/dev/tun", O_RDWR);
492 /* If the error on /dev/tun is ENOENT, that's boring.
493 Use the error we got on /dev/net/tun instead */
494 if (errno != -ENOENT)
497 vpn_progress(vpninfo, PRG_ERR,
498 _("Failed to open tun device: %s\n"),
502 memset(&ifr, 0, sizeof(ifr));
503 ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
505 strncpy(ifr.ifr_name, vpninfo->ifname,
506 sizeof(ifr.ifr_name) - 1);
507 if (ioctl(tun_fd, TUNSETIFF, (void *) &ifr) < 0) {
508 vpn_progress(vpninfo, PRG_ERR,
509 _("TUNSETIFF failed: %s\n"),
513 if (!vpninfo->ifname)
514 vpninfo->ifname = strdup(ifr.ifr_name);
515 #elif defined (__sun__)
516 static char tun_name[80];
519 tun_fd = open("/dev/tun", O_RDWR);
521 perror(_("open /dev/tun"));
525 unit_nr = ioctl(tun_fd, TUNNEWPPA, -1);
527 perror(_("Failed to create new tun"));
532 sprintf(tun_name, "tun%d", unit_nr);
533 vpninfo->ifname = strdup(tun_name);
535 vpninfo->ip_fd = link_proto(unit_nr, "/dev/udp", IFF_IPV4);
536 if (vpninfo->ip_fd < 0) {
541 if (vpninfo->vpn_addr6) {
542 vpninfo->ip6_fd = link_proto(unit_nr, "/dev/udp6", IFF_IPV6);
543 if (vpninfo->ip6_fd < 0) {
545 close(vpninfo->ip_fd);
550 vpninfo->ip6_fd = -1;
552 #else /* BSD et al have /dev/tun$x devices */
553 static char tun_name[80];
555 for (i = 0; i < 255; i++) {
556 sprintf(tun_name, "/dev/tun%d", i);
557 tun_fd = open(tun_name, O_RDWR);
562 perror(_("open tun"));
565 vpninfo->ifname = strdup(tun_name + 5);
568 if (ioctl(tun_fd, TUNSIFHEAD, &i) < 0) {
569 perror(_("TUNSIFHEAD"));
574 if (vpninfo->vpnc_script) {
575 setenv("TUNDEV", vpninfo->ifname, 1);
576 script_config_tun(vpninfo);
577 /* We have to set the MTU for ourselves, because the script doesn't */
578 local_config_tun(vpninfo, 1);
580 local_config_tun(vpninfo, 0);
583 fcntl(tun_fd, F_SETFD, FD_CLOEXEC);
585 vpninfo->tun_fd = tun_fd;
587 if (vpninfo->select_nfds <= tun_fd)
588 vpninfo->select_nfds = tun_fd + 1;
590 FD_SET(tun_fd, &vpninfo->select_rfds);
592 fcntl(vpninfo->tun_fd, F_SETFL, fcntl(vpninfo->tun_fd, F_GETFL) | O_NONBLOCK);
597 static struct pkt *out_pkt;
599 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout)
604 if (FD_ISSET(vpninfo->tun_fd, &vpninfo->select_rfds)) {
606 int len = vpninfo->mtu;
609 out_pkt = malloc(sizeof(struct pkt) + len);
611 vpn_progress(vpninfo, PRG_ERR, "Allocation failed\n");
617 /* On Solaris, if we're actually using tuntap and *not* just
618 passing packets through a UNIX socket to a child process,
619 we have to use getmsg() to ensure that we only get *one*
621 if (!vpninfo->script_tun) {
626 strb.buf = (caddr_t)out_pkt->data;
629 ret = getmsg(vpninfo->tun_fd, NULL, &strb, &flags);
633 if (!(ret & MOREDATA))
635 out_pkt->len = strb.len;
637 #endif /* __sun__ ... */
639 len = read(vpninfo->tun_fd, out_pkt->data - AF_PREFIX_SIZE, len + AF_PREFIX_SIZE);
643 out_pkt->len = len - AF_PREFIX_SIZE;
646 queue_packet(&vpninfo->outgoing_queue, out_pkt);
650 vpninfo->outgoing_qlen++;
651 if (vpninfo->outgoing_qlen == vpninfo->max_qlen) {
652 FD_CLR(vpninfo->tun_fd, &vpninfo->select_rfds);
656 } else if (vpninfo->outgoing_qlen < vpninfo->max_qlen) {
657 FD_SET(vpninfo->tun_fd, &vpninfo->select_rfds);
660 /* The kernel returns -ENOMEM when the queue is full, so theoretically
661 we could handle that and retry... but it doesn't let us poll() for
662 the no-longer-full situation, so let's not bother. */
663 while (vpninfo->incoming_queue) {
664 struct pkt *this = vpninfo->incoming_queue;
665 unsigned char *data = this->data;
668 #ifdef TUN_HAS_AF_PREFIX
669 if (!vpninfo->script_tun) {
670 struct ip *iph = (void *)data;
675 else if (iph->ip_v == 4)
678 static int complained = 0;
681 vpn_progress(vpninfo, PRG_ERR,
682 _("Unknown packet (len %d) received: %02x %02x %02x %02x...\n"),
683 len, data[0], data[1], data[2], data[3]);
690 *(int *)data = htonl(type);
693 vpninfo->incoming_queue = this->next;
695 if (write(vpninfo->tun_fd, data, len) < 0) {
696 /* Handle death of "script" socket */
697 if (vpninfo->script_tun && errno == ENOTCONN) {
698 vpninfo->quit_reason = "Client connection terminated";
701 vpn_progress(vpninfo, PRG_ERR,
702 _("Failed to write incoming packet: %s\n"),
707 /* Work is not done if we just got rid of packets off the queue */
711 void shutdown_tun(struct openconnect_info *vpninfo)
713 if (vpninfo->script_tun) {
714 kill(vpninfo->script_tun, SIGHUP);
716 if (vpninfo->vpnc_script) {
717 setenv("reason", "disconnect", 1);
718 if (system(vpninfo->vpnc_script) == -1) {
719 vpn_progress(vpninfo, PRG_ERR,
720 _("Failed to spawn script '%s': %s\n"),
721 vpninfo->vpnc_script,
726 close(vpninfo->ip_fd);
728 if (vpninfo->ip6_fd != -1) {
729 close(vpninfo->ip6_fd);
730 vpninfo->ip6_fd = -1;
735 close(vpninfo->tun_fd);
736 vpninfo->tun_fd = -1;