2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008-2010 Intel Corporation.
6 * Author: David Woodhouse <dwmw2@infradead.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1, as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to:
20 * Free Software Foundation, Inc.
21 * 51 Franklin Street, Fifth Floor,
22 * Boston, MA 02110-1301 USA
25 #include <sys/types.h>
27 #include <sys/socket.h>
28 #include <sys/ioctl.h>
34 #include <netinet/in_systm.h>
35 #include <netinet/in.h>
36 #include <netinet/ip.h>
38 #include <arpa/inet.h>
43 #include <sys/sockio.h>
44 #include <net/if_tun.h>
46 #error "Install TAP driver from http://www.whiteboard.ne.jp/~admin2/tuntap/"
50 #include "openconnect-internal.h"
53 * If an if_tun.h include file was found anywhere (by the Makefile), it's
54 * included. Else, we end up assuming that we have BSD-style devices such
62 * The OS X tun/tap driver doesn't provide a header file; you're expected
63 * to define this for yourself.
66 #define TUNSIFHEAD _IOW('t', 96, int)
70 * OpenBSD always puts the protocol family prefix onto packets. Other
71 * systems let us enable that with the TUNSIFHEAD ioctl, and some of them
72 * (e.g. FreeBSD) _need_ it otherwise they'll interpret IPv6 packets as IPv4.
74 #if defined(__OpenBSD__) || defined(TUNSIFHEAD)
75 #define TUN_HAS_AF_PREFIX 1
78 static int set_tun_mtu(struct openconnect_info *vpninfo)
80 #ifndef __sun__ /* We don't know how to do this on Solaris */
84 net_fd = socket(PF_INET, SOCK_DGRAM, 0);
86 perror(_("open net"));
90 memset(&ifr, 0, sizeof(ifr));
91 strncpy(ifr.ifr_name, vpninfo->ifname, sizeof(ifr.ifr_name) - 1);
92 ifr.ifr_mtu = vpninfo->mtu;
94 if (ioctl(net_fd, SIOCSIFMTU, &ifr) < 0)
95 perror(_("SIOCSIFMTU"));
103 static int setenv_int(const char *opt, int value)
106 sprintf(buf, "%d", value);
107 return setenv(opt, buf, 1);
110 static int netmasklen(struct in_addr addr)
114 for (masklen = 0; masklen < 32; masklen++) {
115 if (ntohl(addr.s_addr) >= (0xffffffff << masklen))
121 static int process_split_xxclude(struct openconnect_info *vpninfo,
122 int include, const char *route, int *v4_incs,
126 const char *in_ex = include?"IN":"EX";
130 slash = strchr(route, '/');
134 vpn_progress(vpninfo, PRG_ERR,
135 _("Discard bad split include: \"%s\"\n"),
138 vpn_progress(vpninfo, PRG_ERR,
139 _("Discard bad split exclude: \"%s\"\n"),
146 if (strchr(route, ':')) {
147 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_ADDR", in_ex,
149 setenv(envname, route, 1);
151 snprintf(envname, 79, "CISCO_IPV6_SPLIT_%sC_%d_MASKLEN", in_ex,
153 setenv(envname, slash+1, 1);
159 if (!inet_aton(route, &addr)) {
165 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_ADDR", in_ex, *v4_incs);
166 setenv(envname, route, 1);
168 /* Put it back how we found it */
171 if (!inet_aton(slash+1, &addr))
174 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASK", in_ex, *v4_incs);
175 setenv(envname, slash+1, 1);
177 snprintf(envname, 79, "CISCO_SPLIT_%sC_%d_MASKLEN", in_ex, *v4_incs);
178 setenv_int(envname, netmasklen(addr));
184 static int appendenv(const char *opt, const char *new)
187 char *old = getenv(opt);
191 snprintf(buf, 1023, "%s %s", old, new);
193 snprintf(buf, 1023, "%s", new);
195 return setenv(opt, buf, 1);
198 static void setenv_cstp_opts(struct openconnect_info *vpninfo)
203 struct vpn_option *opt;
205 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
206 buflen += 2 + strlen(opt->option) + strlen(opt->value);
208 env_buf = malloc(buflen + 1);
214 for (opt = vpninfo->cstp_options; opt; opt = opt->next)
215 bufofs += snprintf(env_buf + bufofs, buflen - bufofs,
216 "%s=%s\n", opt->option, opt->value);
218 setenv("CISCO_CSTP_OPTIONS", env_buf, 1);
222 static void set_banner(struct openconnect_info *vpninfo)
227 if (!vpninfo->banner || !(banner = malloc(strlen(vpninfo->banner)))) {
228 unsetenv("CISCO_BANNER");
235 if (*p == '%' && isxdigit((int)(unsigned char)p[1]) &&
236 isxdigit((int)(unsigned char)p[2])) {
237 *(q++) = unhex(p + 1);
243 setenv("CISCO_BANNER", banner, 1);
248 static void set_script_env(struct openconnect_info *vpninfo)
251 int ret = getnameinfo(vpninfo->peer_addr, vpninfo->peer_addrlen, host,
252 sizeof(host), NULL, 0, NI_NUMERICHOST);
254 setenv("VPNGATEWAY", host, 1);
257 unsetenv("CISCO_SPLIT_INC");
258 unsetenv("CISCO_SPLIT_EXC");
260 setenv_int("INTERNAL_IP4_MTU", vpninfo->mtu);
262 if (vpninfo->vpn_addr) {
263 setenv("INTERNAL_IP4_ADDRESS", vpninfo->vpn_addr, 1);
264 if (vpninfo->vpn_netmask) {
268 if (inet_aton(vpninfo->vpn_addr, &addr) &&
269 inet_aton(vpninfo->vpn_netmask, &mask)) {
272 addr.s_addr &= mask.s_addr;
273 netaddr = inet_ntoa(addr);
275 setenv("INTERNAL_IP4_NETADDR", netaddr, 1);
276 setenv("INTERNAL_IP4_NETMASK", vpninfo->vpn_netmask, 1);
277 setenv_int("INTERNAL_IP4_NETMASKLEN", netmasklen(mask));
281 if (vpninfo->vpn_addr6) {
282 setenv("INTERNAL_IP6_ADDRESS", vpninfo->vpn_addr6, 1);
283 setenv("INTERNAL_IP6_NETMASK", vpninfo->vpn_netmask6, 1);
286 if (vpninfo->vpn_dns[0])
287 setenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[0], 1);
289 unsetenv("INTERNAL_IP4_DNS");
290 if (vpninfo->vpn_dns[1])
291 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[1]);
292 if (vpninfo->vpn_dns[2])
293 appendenv("INTERNAL_IP4_DNS", vpninfo->vpn_dns[2]);
295 if (vpninfo->vpn_nbns[0])
296 setenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[0], 1);
298 unsetenv("INTERNAL_IP4_NBNS");
299 if (vpninfo->vpn_nbns[1])
300 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[1]);
301 if (vpninfo->vpn_nbns[2])
302 appendenv("INTERNAL_IP4_NBNS", vpninfo->vpn_nbns[2]);
304 if (vpninfo->vpn_domain)
305 setenv("CISCO_DEF_DOMAIN", vpninfo->vpn_domain, 1);
306 else unsetenv ("CISCO_DEF_DOMAIN");
308 if (vpninfo->vpn_proxy_pac)
309 setenv("CISCO_PROXY_PAC", vpninfo->vpn_proxy_pac, 1);
311 if (vpninfo->split_includes) {
312 struct split_include *this = vpninfo->split_includes;
313 int nr_split_includes = 0;
314 int nr_v6_split_includes = 0;
317 process_split_xxclude(vpninfo, 1, this->route,
319 &nr_v6_split_includes);
322 if (nr_split_includes)
323 setenv_int("CISCO_SPLIT_INC", nr_split_includes);
324 if (nr_v6_split_includes)
325 setenv_int("CISCO_IPV6_SPLIT_INC", nr_v6_split_includes);
327 if (vpninfo->split_excludes) {
328 struct split_include *this = vpninfo->split_excludes;
329 int nr_split_excludes = 0;
330 int nr_v6_split_excludes = 0;
333 process_split_xxclude(vpninfo, 0, this->route,
335 &nr_v6_split_excludes);
338 if (nr_split_excludes)
339 setenv_int("CISCO_SPLIT_EXC", nr_split_excludes);
340 if (nr_v6_split_excludes)
341 setenv_int("CISCO_IPV6_SPLIT_EXC", nr_v6_split_excludes);
343 setenv_cstp_opts(vpninfo);
346 int script_config_tun(struct openconnect_info *vpninfo, const char *reason)
348 if (!vpninfo->vpnc_script)
351 setenv("reason", reason, 1);
352 if (system(vpninfo->vpnc_script)) {
354 vpn_progress(vpninfo, PRG_ERR,
355 _("Failed to spawn script '%s' for %s: %s\n"),
356 vpninfo->vpnc_script, reason, strerror(e));
363 static int link_proto(int unit_nr, const char *devname, uint64_t flags)
365 int ip_fd, mux_id, tun2_fd;
368 tun2_fd = open("/dev/tun", O_RDWR);
370 perror(_("Could not /dev/tun for plumbing"));
373 if (ioctl(tun2_fd, I_PUSH, "ip") < 0) {
374 perror(_("Can't push IP"));
379 sprintf(ifr.lifr_name, "tun%d", unit_nr);
380 ifr.lifr_ppa = unit_nr;
381 ifr.lifr_flags = flags;
383 if (ioctl(tun2_fd, SIOCSLIFNAME, &ifr) < 0) {
384 perror(_("Can't set ifname"));
389 ip_fd = open(devname, O_RDWR);
391 fprintf(stderr, _("Can't open %s: %s"), devname,
396 if (ioctl(ip_fd, I_PUSH, "arp") < 0) {
397 perror(_("Can't push ARP"));
403 mux_id = ioctl(ip_fd, I_LINK, tun2_fd);
405 fprintf(stderr, _("Can't plumb %s for IPv%d: %s\n"),
406 ifr.lifr_name, (flags == IFF_IPV4) ? 4 : 6,
419 static int os_setup_tun(struct openconnect_info *vpninfo)
423 #ifdef IFF_TUN /* Linux */
427 tun_fd = open("/dev/net/tun", O_RDWR);
429 /* Android has /dev/tun instead of /dev/net/tun
430 Since other systems might have too, just try it
431 as a fallback instead of using ifdef __ANDROID__ */
433 tun_fd = open("/dev/tun", O_RDWR);
436 /* If the error on /dev/tun is ENOENT, that's boring.
437 Use the error we got on /dev/net/tun instead */
438 if (errno != -ENOENT)
441 vpn_progress(vpninfo, PRG_ERR,
442 _("Failed to open tun device: %s\n"),
446 memset(&ifr, 0, sizeof(ifr));
447 ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
449 strncpy(ifr.ifr_name, vpninfo->ifname,
450 sizeof(ifr.ifr_name) - 1);
451 if (ioctl(tun_fd, TUNSETIFF, (void *) &ifr) < 0) {
452 vpn_progress(vpninfo, PRG_ERR,
453 _("TUNSETIFF failed: %s\n"),
457 if (!vpninfo->ifname)
458 vpninfo->ifname = strdup(ifr.ifr_name);
459 #elif defined (__sun__)
460 static char tun_name[80];
463 tun_fd = open("/dev/tun", O_RDWR);
465 perror(_("open /dev/tun"));
469 unit_nr = ioctl(tun_fd, TUNNEWPPA, -1);
471 perror(_("Failed to create new tun"));
476 if (ioctl(tun_fd, I_SRDOPT, RMSGD) < 0) {
477 perror(_("Failed to put tun file descriptor into message-discard mode"));
482 sprintf(tun_name, "tun%d", unit_nr);
483 vpninfo->ifname = strdup(tun_name);
485 vpninfo->ip_fd = link_proto(unit_nr, "/dev/udp", IFF_IPV4);
486 if (vpninfo->ip_fd < 0) {
491 if (vpninfo->vpn_addr6) {
492 vpninfo->ip6_fd = link_proto(unit_nr, "/dev/udp6", IFF_IPV6);
493 if (vpninfo->ip6_fd < 0) {
495 close(vpninfo->ip_fd);
500 vpninfo->ip6_fd = -1;
502 #else /* BSD et al have /dev/tun$x devices */
503 static char tun_name[80];
505 for (i = 0; i < 255; i++) {
506 sprintf(tun_name, "/dev/tun%d", i);
507 tun_fd = open(tun_name, O_RDWR);
512 perror(_("open tun"));
515 vpninfo->ifname = strdup(tun_name + 5);
518 if (ioctl(tun_fd, TUNSIFHEAD, &i) < 0) {
519 perror(_("TUNSIFHEAD"));
527 /* Set up a tuntap device. */
528 int setup_tun(struct openconnect_info *vpninfo)
532 set_script_env(vpninfo);
534 if (vpninfo->script_tun) {
538 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, fds)) {
539 perror(_("socketpair"));
549 setenv_int("VPNFD", fds[1]);
550 execl("/bin/sh", "/bin/sh", "-c", vpninfo->vpnc_script, NULL);
555 vpninfo->script_tun = child;
556 vpninfo->ifname = strdup(_("(script)"));
558 script_config_tun(vpninfo, "pre-init");
560 tun_fd = os_setup_tun(vpninfo);
564 setenv("TUNDEV", vpninfo->ifname, 1);
565 script_config_tun(vpninfo, "connect");
567 /* Ancient vpnc-scripts might not get this right */
568 set_tun_mtu(vpninfo);
571 fcntl(tun_fd, F_SETFD, FD_CLOEXEC);
573 vpninfo->tun_fd = tun_fd;
575 if (vpninfo->select_nfds <= tun_fd)
576 vpninfo->select_nfds = tun_fd + 1;
578 FD_SET(tun_fd, &vpninfo->select_rfds);
580 fcntl(vpninfo->tun_fd, F_SETFL, fcntl(vpninfo->tun_fd, F_GETFL) | O_NONBLOCK);
585 static struct pkt *out_pkt;
587 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout)
592 #ifdef TUN_HAS_AF_PREFIX
593 if (!vpninfo->script_tun)
594 prefix_size = sizeof(int);
597 if (FD_ISSET(vpninfo->tun_fd, &vpninfo->select_rfds)) {
599 int len = vpninfo->mtu;
602 out_pkt = malloc(sizeof(struct pkt) + len);
604 vpn_progress(vpninfo, PRG_ERR, "Allocation failed\n");
609 len = read(vpninfo->tun_fd, out_pkt->data - prefix_size, len + prefix_size);
610 if (len <= prefix_size)
612 out_pkt->len = len - prefix_size;
614 queue_packet(&vpninfo->outgoing_queue, out_pkt);
618 vpninfo->outgoing_qlen++;
619 if (vpninfo->outgoing_qlen == vpninfo->max_qlen) {
620 FD_CLR(vpninfo->tun_fd, &vpninfo->select_rfds);
624 } else if (vpninfo->outgoing_qlen < vpninfo->max_qlen) {
625 FD_SET(vpninfo->tun_fd, &vpninfo->select_rfds);
628 /* The kernel returns -ENOMEM when the queue is full, so theoretically
629 we could handle that and retry... but it doesn't let us poll() for
630 the no-longer-full situation, so let's not bother. */
631 while (vpninfo->incoming_queue) {
632 struct pkt *this = vpninfo->incoming_queue;
633 unsigned char *data = this->data;
636 #ifdef TUN_HAS_AF_PREFIX
637 if (!vpninfo->script_tun) {
638 struct ip *iph = (void *)data;
643 else if (iph->ip_v == 4)
646 static int complained = 0;
649 vpn_progress(vpninfo, PRG_ERR,
650 _("Unknown packet (len %d) received: %02x %02x %02x %02x...\n"),
651 len, data[0], data[1], data[2], data[3]);
658 *(int *)data = htonl(type);
661 vpninfo->incoming_queue = this->next;
663 if (write(vpninfo->tun_fd, data, len) < 0) {
664 /* Handle death of "script" socket */
665 if (vpninfo->script_tun && errno == ENOTCONN) {
666 vpninfo->quit_reason = "Client connection terminated";
669 vpn_progress(vpninfo, PRG_ERR,
670 _("Failed to write incoming packet: %s\n"),
675 /* Work is not done if we just got rid of packets off the queue */
679 void shutdown_tun(struct openconnect_info *vpninfo)
681 if (vpninfo->script_tun) {
682 kill(vpninfo->script_tun, SIGHUP);
684 script_config_tun(vpninfo, "disconnect");
686 close(vpninfo->ip_fd);
688 if (vpninfo->ip6_fd != -1) {
689 close(vpninfo->ip6_fd);
690 vpninfo->ip6_fd = -1;
695 close(vpninfo->tun_fd);
696 vpninfo->tun_fd = -1;