2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2010 Intel Corporation.
6 * Author: David Woodhouse <dwmw2@infradead.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1, as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to:
20 * Free Software Foundation, Inc.
21 * 51 Franklin Street, Fifth Floor,
22 * Boston, MA 02110-1301 USA
25 #include <sys/types.h>
27 #include <sys/socket.h>
28 #include <sys/ioctl.h>
34 #include <netinet/in_systm.h>
35 #include <netinet/in.h>
36 #include <netinet/ip.h>
38 #include <arpa/inet.h>
42 #include <sys/sockio.h>
45 #include "openconnect.h"
48 * If an if_tun.h include file was found anywhere (by the Makefile), it's
49 * included. Else, we end up assuming that we have BSD-style devices such
57 * The OS X tun/tap driver doesn't provide a header file; you're expected
58 * to define this for yourself.
61 #define TUNSIFHEAD _IOW('t', 96, int)
65 * OpenBSD always puts the protocol family prefix onto packets. Other
66 * systems let us enable that with the TUNSIFHEAD ioctl, and some of them
67 * (e.g. FreeBSD) _need_ it otherwise they'll interpret IPv6 packets as IPv4.
69 #if defined(__OpenBSD__) || defined(TUNSIFHEAD)
70 #define TUN_HAS_AF_PREFIX 1
74 static int local_config_tun(struct openconnect_info *vpninfo, int mtu_only)
77 vpninfo->progress(vpninfo, PRG_ERR,
78 "No vpnc-script configured. Need Solaris IP-setting code\n");
82 static int local_config_tun(struct openconnect_info *vpninfo, int mtu_only)
87 net_fd = socket(PF_INET, SOCK_DGRAM, 0);
92 memset(&ifr, 0, sizeof(ifr));
93 strncpy(ifr.ifr_name, vpninfo->ifname, sizeof(ifr.ifr_name) - 1);
96 struct sockaddr_in addr;
98 if (ioctl(net_fd, SIOCGIFFLAGS, &ifr) < 0)
99 perror("SIOCGIFFLAGS");
101 ifr.ifr_flags |= IFF_UP | IFF_POINTOPOINT;
102 if (ioctl(net_fd, SIOCSIFFLAGS, &ifr) < 0)
103 perror("SIOCSIFFLAGS");
105 addr.sin_family = AF_INET;
106 addr.sin_addr.s_addr = inet_addr(vpninfo->vpn_addr);
107 memcpy(&ifr.ifr_addr, &addr, sizeof(addr));
108 if (ioctl(net_fd, SIOCSIFADDR, &ifr) < 0)
109 perror("SIOCSIFADDR");
112 ifr.ifr_mtu = vpninfo->mtu;
113 if (ioctl(net_fd, SIOCSIFMTU, &ifr) < 0)
114 perror("SIOCSIFMTU");
122 static int setenv_int(const char *opt, int value)
125 sprintf(buf, "%d", value);
126 return setenv(opt, buf, 1);
129 static int netmasklen(struct in_addr addr)
133 for (masklen = 0; masklen < 32; masklen++) {
134 if (ntohl(addr.s_addr) >= (0xffffffff << masklen))
140 static int process_split_xxclude(struct openconnect_info *vpninfo,
141 char *in_ex, char *route, int *v4_incs,
148 slash = strchr(route, '/');
151 vpninfo->progress(vpninfo, PRG_ERR,
152 "Discard bad split %sclude: \"%s\"\n",
159 if (strchr(route, ':')) {
160 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_ADDR", in_ex,
162 setenv(envname, route, 1);
164 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_MASKLEN", in_ex,
166 setenv(envname, slash+1, 1);
172 if (!inet_aton(route, &addr)) {
178 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_ADDR", in_ex, *v4_incs);
179 setenv(envname, route, 1);
181 /* Put it back how we found it */
184 if (!inet_aton(slash+1, &addr))
187 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASK", in_ex, *v4_incs);
188 setenv(envname, slash+1, 1);
190 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASKLEN", in_ex, *v4_incs);
191 setenv_int(envname, netmasklen(addr));
197 static int appendenv(const char *opt, const char *new)
200 char *old = getenv(opt);
204 snprintf(buf, 1023, "%s %s", old, new);
206 snprintf(buf, 1023, "%s", new);
208 return setenv(opt, buf, 1);
211 static void setenv_cstp_opts(struct openconnect_info *vpninfo)
216 struct vpn_option *opt;
218 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
219 buflen += 2 + strlen(opt->option) + strlen(opt->value);
221 env_buf = malloc(buflen + 1);
227 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
228 bufofs += snprintf(env_buf + bufofs, buflen - bufofs,
229 "%s=%s\n", opt->option, opt->value);
231 setenv("CISCO_CSTP_OPTIONS", env_buf, 1);
235 static void set_banner(struct openconnect_info *vpninfo)
240 if (!vpninfo->banner || !(banner = malloc(strlen(vpninfo->banner)))) {
241 unsetenv("CISCO_BANNER");
248 if (*p == '%' && isxdigit(p[1]) && isxdigit(p[2])) {
249 *(q++) = unhex(p + 1);
255 setenv("CISCO_BANNER", banner, 1);
260 static void set_script_env(struct openconnect_info *vpninfo)
263 int ret = getnameinfo(vpninfo->peer_addr, vpninfo->peer_addrlen, host,
264 sizeof(host), NULL, 0, NI_NUMERICHOST);
266 setenv("VPNGATEWAY", host, 1);
268 setenv("reason", "connect", 1);
270 unsetenv("CISCO_SPLIT_INC");
271 unsetenv("CISCO_SPLIT_EXC");
273 setenv_int("INTERNAL_IP4_MTU", vpninfo->mtu);
275 if (vpninfo->vpn_addr) {
276 setenv("INTERNAL_IP4_ADDRESS", vpninfo->vpn_addr, 1);
277 if (vpninfo->vpn_netmask) {
281 if (inet_aton(vpninfo->vpn_addr, &addr) &&
282 inet_aton(vpninfo->vpn_netmask, &mask)) {
285 addr.s_addr &= mask.s_addr;
286 netaddr = inet_ntoa(addr);
288 setenv("INTERNAL_IP4_NETADDR", netaddr, 1);
289 setenv("INTERNAL_IP4_NETMASK", vpninfo->vpn_netmask, 1);
290 setenv_int("INTERNAL_IP4_NETMASKLEN", netmasklen(mask));
294 if (vpninfo->vpn_addr6) {
295 setenv("INTERNAL_IP6_ADDRESS", vpninfo->vpn_addr6, 1);
296 setenv("INTERNAL_IP6_NETMASK", vpninfo->vpn_netmask6, 1);
299 if (vpninfo->vpn_dns[0])
300 setenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[0], 1);
302 unsetenv("INTERNAL_IP4_DNS");
303 if (vpninfo->vpn_dns[1])
304 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[1]);
305 if (vpninfo->vpn_dns[2])
306 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[2]);
308 if (vpninfo->vpn_nbns[0])
309 setenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[0], 1);
311 unsetenv("INTERNAL_IP4_NBNS");
312 if (vpninfo->vpn_nbns[1])
313 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[1]);
314 if (vpninfo->vpn_nbns[2])
315 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[2]);
317 if (vpninfo->vpn_domain)
318 setenv("CISCO_DEF_DOMAIN", vpninfo->vpn_domain, 1);
319 else unsetenv ("CISCO_DEF_DOMAIN");
321 if (vpninfo->vpn_proxy_pac)
322 setenv("CISCO_PROXY_PAC", vpninfo->vpn_proxy_pac, 1);
324 if (vpninfo->split_includes) {
325 struct split_include *this = vpninfo->split_includes;
326 int nr_split_includes = 0;
327 int nr_v6_split_includes = 0;
330 process_split_xxclude(vpninfo, "IN", this->route,
332 &nr_v6_split_includes);
335 if (nr_split_includes)
336 setenv_int("CISCO_SPLIT_INC", nr_split_includes);
337 if (nr_v6_split_includes)
338 setenv_int("CISCO_IPV6_SPLIT_INC", nr_v6_split_includes);
340 if (vpninfo->split_excludes) {
341 struct split_include *this = vpninfo->split_excludes;
342 int nr_split_excludes = 0;
343 int nr_v6_split_excludes = 0;
346 process_split_xxclude(vpninfo, "EX", this->route,
348 &nr_v6_split_excludes);
351 if (nr_split_excludes)
352 setenv_int("CISCO_SPLIT_EXC", nr_split_excludes);
353 if (nr_v6_split_excludes)
354 setenv_int("CISCO_IPV6_SPLIT_EXC", nr_v6_split_excludes);
356 setenv_cstp_opts(vpninfo);
359 static int script_config_tun(struct openconnect_info *vpninfo)
361 if (system(vpninfo->vpnc_script)) {
363 vpninfo->progress(vpninfo, PRG_ERR,
364 "Failed to spawn script '%s': %s\n",
365 vpninfo->vpnc_script, strerror(e));
372 /* Set up a tuntap device. */
373 int setup_tun(struct openconnect_info *vpninfo)
377 set_script_env(vpninfo);
379 if (vpninfo->script_tun) {
383 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds)) {
384 perror("socketpair");
394 setenv_int("VPNFD", fds[1]);
395 execl("/bin/sh", "/bin/sh", "-c", vpninfo->vpnc_script, NULL);
400 vpninfo->script_tun = child;
401 vpninfo->ifname = "(script)";
403 #ifdef IFF_TUN /* Linux */
406 tun_fd = open("/dev/net/tun", O_RDWR);
408 vpninfo->progress(vpninfo, PRG_ERR,
409 "Failed to open tun device: %s\n",
413 memset(&ifr, 0, sizeof(ifr));
414 ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
416 strncpy(ifr.ifr_name, vpninfo->ifname,
417 sizeof(ifr.ifr_name) - 1);
418 if (ioctl(tun_fd, TUNSETIFF, (void *) &ifr) < 0) {
419 vpninfo->progress(vpninfo, PRG_ERR,
420 "TUNSETIFF failed: %s\n",
424 if (!vpninfo->ifname)
425 vpninfo->ifname = strdup(ifr.ifr_name);
426 #elif defined (__sun__)
427 static char tun_name[80];
428 int tun2_fd, ip_fd = open("/dev/ip", O_RDWR);
433 perror("open /dev/ip");
437 tun_fd = open("/dev/tun", O_RDWR);
439 perror("open /dev/tun");
444 unit_nr = ioctl(tun_fd, TUNNEWPPA, -1);
446 perror("Failed to create new tun");
452 tun2_fd = open("/dev/tun", O_RDWR);
454 perror("open /dev/tun again");
459 if (ioctl(tun2_fd, I_PUSH, "ip") < 0) {
460 perror("Can't push IP");
466 if (ioctl(tun2_fd, IF_UNITSEL, &unit_nr) < 0) {
467 perror("Can't select unit");
473 mux_id = ioctl(ip_fd, I_PLINK, tun2_fd);
475 perror("Can't link tun to IP");
483 sprintf(tun_name, "tun%d", unit_nr);
484 vpninfo->ifname = tun_name;
486 memset(&ifr, 0, sizeof(ifr));
487 strcpy(ifr.ifr_name, tun_name);
488 ifr.ifr_ip_muxid = mux_id;
490 if (ioctl(ip_fd, SIOCSIFMUXID, &ifr) < 0) {
491 perror("Set mux id");
493 ioctl(ip_fd, I_PUNLINK, mux_id);
497 /* Solaris tunctl needs this in order to tear it down */
498 vpninfo->progress(vpninfo, PRG_DEBUG, "mux id is %d\n", mux_id);
499 vpninfo->tun_muxid = mux_id;
500 vpninfo->ip_fd = ip_fd;
502 #else /* BSD et al have /dev/tun$x devices */
503 static char tun_name[80];
505 for (i = 0; i < 255; i++) {
506 sprintf(tun_name, "/dev/tun%d", i);
507 tun_fd = open(tun_name, O_RDWR);
515 vpninfo->ifname = tun_name + 5;
518 if (ioctl(tun_fd, TUNSIFHEAD, &i) < 0) {
519 perror("TUNSIFHEAD");
524 if (vpninfo->vpnc_script) {
525 setenv("TUNDEV", vpninfo->ifname, 1);
526 script_config_tun(vpninfo);
527 /* We have to set the MTU for ourselves, because the script doesn't */
528 local_config_tun(vpninfo, 1);
530 local_config_tun(vpninfo, 0);
533 fcntl(tun_fd, F_SETFD, FD_CLOEXEC);
535 vpninfo->tun_fd = tun_fd;
537 if (vpninfo->select_nfds <= tun_fd)
538 vpninfo->select_nfds = tun_fd + 1;
540 FD_SET(tun_fd, &vpninfo->select_rfds);
542 fcntl(vpninfo->tun_fd, F_SETFL, fcntl(vpninfo->tun_fd, F_GETFL) | O_NONBLOCK);
547 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout)
549 unsigned char buf[2000];
553 if (FD_ISSET(vpninfo->tun_fd, &vpninfo->select_rfds)) {
554 while ((len = read(vpninfo->tun_fd, buf, sizeof(buf))) > 0) {
555 unsigned char *pkt = buf;
556 #ifdef TUN_HAS_AF_PREFIX
560 if (queue_new_packet(&vpninfo->outgoing_queue, pkt,
565 vpninfo->outgoing_qlen++;
566 if (vpninfo->outgoing_qlen == vpninfo->max_qlen) {
567 FD_CLR(vpninfo->tun_fd, &vpninfo->select_rfds);
571 } else if (vpninfo->outgoing_qlen < vpninfo->max_qlen) {
572 FD_SET(vpninfo->tun_fd, &vpninfo->select_rfds);
575 /* The kernel returns -ENOMEM when the queue is full, so theoretically
576 we could handle that and retry... but it doesn't let us poll() for
577 the no-longer-full situation, so let's not bother. */
578 while (vpninfo->incoming_queue) {
579 struct pkt *this = vpninfo->incoming_queue;
580 unsigned char *data = this->data;
583 #ifdef TUN_HAS_AF_PREFIX
584 struct ip *iph = (void *)data;
589 else if (iph->ip_v == 4)
592 static int complained = 0;
595 vpninfo->progress(vpninfo, PRG_ERR,
596 "Unknown packet (len %d) received: %02x %02x %02x %02x...\n",
597 len, data[0], data[1], data[2], data[3]);
604 *(int *)data = htonl(type);
606 vpninfo->incoming_queue = this->next;
608 if (write(vpninfo->tun_fd, data, len) < 0 &&
610 vpninfo->quit_reason = "Client connection terminated";
615 /* Work is not done if we just got rid of packets off the queue */
619 void shutdown_tun(struct openconnect_info *vpninfo)
621 if (vpninfo->script_tun) {
622 kill(vpninfo->script_tun, SIGHUP);
624 if (vpninfo->vpnc_script) {
625 setenv("reason", "disconnect", 1);
626 if (system(vpninfo->vpnc_script) == -1) {
627 vpninfo->progress(vpninfo, PRG_ERR,
628 "Failed to spawn script '%s': %s\n",
629 vpninfo->vpnc_script,
634 if (ioctl(vpninfo->ip_fd, I_PUNLINK, vpninfo->tun_muxid) < 0)
635 perror("ioctl(I_PUNLINK)");
637 close(vpninfo->ip_fd);
642 close(vpninfo->tun_fd);
643 vpninfo->tun_fd = -1;