/*
* OpenConnect (SSL + DTLS) VPN client
*
- * Copyright © 2008-2010 Intel Corporation.
+ * Copyright © 2008-2012 Intel Corporation.
* Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
*
* Author: David Woodhouse <dwmw2@infradead.org>
#include <time.h>
#include <string.h>
#include <ctype.h>
-
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/rand.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <stdarg.h>
#include "openconnect-internal.h"
.hdr = { 'S', 'T', 'F', 1, 0, 0, AC_PKT_DPD_RESP, 0 },
};
+static int __attribute__ ((format (printf, 3, 4)))
+ buf_append(char *buf, int len, const char *fmt, ...)
+{
+ int start = strlen(buf);
+ int ret;
+ va_list args;
+
+ if (start >= len)
+ return 0;
+
+ va_start(args, fmt);
+ ret = vsnprintf(buf + start, len - start, fmt, args);
+ va_end(args);
+
+ if (ret > len)
+ ret = len;
+
+ return ret;
+}
+
+/* Calculate MTU to request. Old servers simply use the X-CSTP-MTU: header,
+ * which represents the tunnel MTU, while new servers do calculations on the
+ * X-CSTP-Base-MTU: header which represents the cleartext MTU between client
+ * and server.
+ *
+ * If possible, the legacy MTU value should be the TCP MSS less 5 bytes of
+ * TLS and 8 bytes of CSTP overhead. We can get the MSS from either the
+ * TCP_INFO or TCP_MAXSEG sockopts.
+ *
+ * The base MTU comes from the TCP_INFO sockopt under Linux, but I don't know
+ * how to work it out on other systems. So leave it blank and do things the
+ * legacy way there. Contributions welcome...
+ *
+ * If we don't even have TCP_MAXSEG, then default to sending a legacy MTU of
+ * 1406 which is what we always used to do.
+ */
+static void calculate_mtu(struct openconnect_info *vpninfo, int *base_mtu, int *mtu)
+{
+ *mtu = vpninfo->reqmtu;
+ *base_mtu = vpninfo->basemtu;
+
+#if defined(__linux__) && defined(TCP_INFO)
+ if (!*mtu || !*base_mtu) {
+ struct tcp_info ti;
+ socklen_t ti_size = sizeof(ti);
+
+ if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_INFO,
+ &ti, &ti_size)) {
+ vpn_progress(vpninfo, PRG_TRACE,
+ _("TCP_INFO rcv mss %d, snd mss %d, adv mss %d, pmtu %d\n"),
+ ti.tcpi_rcv_mss, ti.tcpi_snd_mss, ti.tcpi_advmss, ti.tcpi_pmtu);
+ if (!*base_mtu) *base_mtu = ti.tcpi_pmtu;
+ if (!*mtu) {
+ if (ti.tcpi_rcv_mss < ti.tcpi_snd_mss)
+ *mtu = ti.tcpi_rcv_mss - 13;
+ else
+ *mtu = ti.tcpi_snd_mss - 13;
+ }
+ }
+ }
+#endif
+#ifdef TCP_MAXSEG
+ if (!*mtu) {
+ int mss;
+ socklen_t mss_size = sizeof(mss);
+ if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_MAXSEG,
+ &mss, &mss_size)) {
+ vpn_progress(vpninfo, PRG_TRACE, _("TCP_MAXSEG %d\n"), mss);
+ *mtu = mss - 13;
+ }
+ }
+#endif
+ if (!*mtu) {
+ /* Default */
+ *mtu = 1406;
+ }
+}
static int start_cstp_connection(struct openconnect_info *vpninfo)
{
const char *old_addr6 = vpninfo->vpn_addr6;
const char *old_netmask6 = vpninfo->vpn_netmask6;
struct split_include *inc;
+ int base_mtu, mtu;
/* Clear old options which will be overwritten */
vpninfo->vpn_addr = vpninfo->vpn_netmask = NULL;
free(inc);
inc = next;
}
- vpninfo->split_includes = vpninfo->split_excludes = NULL;
+ for (inc = vpninfo->split_dns; inc; ) {
+ struct split_include *next = inc->next;
+ free(inc);
+ inc = next;
+ }
+ vpninfo->split_dns = vpninfo->split_includes = vpninfo->split_excludes = NULL;
/* Create (new) random master key for DTLS connection, if needed */
if (vpninfo->dtls_times.last_rekey + vpninfo->dtls_times.rekey <
time(NULL) + 300 &&
- RAND_bytes(vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret)) != 1) {
+ openconnect_random(vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret))) {
fprintf(stderr, _("Failed to initialise DTLS secret\n"));
exit(1);
}
retry:
- /* We don't cope with nonblocking mode... yet */
- fcntl(vpninfo->ssl_fd, F_SETFL, fcntl(vpninfo->ssl_fd, F_GETFL) & ~O_NONBLOCK);
-
- openconnect_SSL_printf(vpninfo, "CONNECT /CSCOSSLC/tunnel HTTP/1.1\r\n");
- openconnect_SSL_printf(vpninfo, "Host: %s\r\n", vpninfo->hostname);
- openconnect_SSL_printf(vpninfo, "User-Agent: %s\r\n", vpninfo->useragent);
- openconnect_SSL_printf(vpninfo, "Cookie: webvpn=%s\r\n", vpninfo->cookie);
- openconnect_SSL_printf(vpninfo, "X-CSTP-Version: 1\r\n");
- openconnect_SSL_printf(vpninfo, "X-CSTP-Hostname: %s\r\n", vpninfo->localname);
- if (vpninfo->deflate)
- openconnect_SSL_printf(vpninfo, "X-CSTP-Accept-Encoding: deflate;q=1.0\r\n");
- openconnect_SSL_printf(vpninfo, "X-CSTP-MTU: %d\r\n", vpninfo->mtu);
- openconnect_SSL_printf(vpninfo, "X-CSTP-Address-Type: %s\r\n",
+ calculate_mtu(vpninfo, &base_mtu, &mtu);
+
+ buf[0] = 0;
+ buf_append(buf, sizeof(buf), "CONNECT /CSCOSSLC/tunnel HTTP/1.1\r\n");
+ buf_append(buf, sizeof(buf), "Host: %s\r\n", vpninfo->hostname);
+ buf_append(buf, sizeof(buf), "User-Agent: %s\r\n", vpninfo->useragent);
+ buf_append(buf, sizeof(buf), "Cookie: webvpn=%s\r\n", vpninfo->cookie);
+ buf_append(buf, sizeof(buf), "X-CSTP-Version: 1\r\n");
+ buf_append(buf, sizeof(buf), "X-CSTP-Hostname: %s\r\n", vpninfo->localname);
+ if (vpninfo->deflate && i < sizeof(buf))
+ buf_append(buf, sizeof(buf), "X-CSTP-Accept-Encoding: deflate;q=1.0\r\n");
+ if (base_mtu)
+ buf_append(buf, sizeof(buf), "X-CSTP-Base-MTU: %d\r\n", base_mtu);
+ buf_append(buf, sizeof(buf), "X-CSTP-MTU: %d\r\n", mtu);
+ buf_append(buf, sizeof(buf), "X-CSTP-Address-Type: %s\r\n",
vpninfo->disable_ipv6?"IPv4":"IPv6,IPv4");
- openconnect_SSL_printf(vpninfo, "X-DTLS-Master-Secret: ");
+ buf_append(buf, sizeof(buf), "X-DTLS-Master-Secret: ");
for (i = 0; i < sizeof(vpninfo->dtls_secret); i++)
- openconnect_SSL_printf(vpninfo, "%02X", vpninfo->dtls_secret[i]);
- openconnect_SSL_printf(vpninfo, "\r\nX-DTLS-CipherSuite: %s\r\n\r\n",
+ buf_append(buf, sizeof(buf), "%02X", vpninfo->dtls_secret[i]);
+ buf_append(buf, sizeof(buf), "\r\nX-DTLS-CipherSuite: %s\r\n\r\n",
vpninfo->dtls_ciphers?:"AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA");
- if (openconnect_SSL_gets(vpninfo, buf, 65536) < 0) {
+ openconnect_SSL_write(vpninfo, buf, strlen(buf));
+
+ if ((i = openconnect_SSL_gets(vpninfo, buf, 65536) < 0)) {
+ if (i == -EINTR)
+ return i;
vpn_progress(vpninfo, PRG_ERR,
_("Error fetching HTTPS response\n"));
if (!retried) {
retried = 1;
- openconnect_close_https(vpninfo);
+ openconnect_close_https(vpninfo, 0);
if (openconnect_open_https(vpninfo)) {
vpn_progress(vpninfo, PRG_ERR,
/* We may have advertised it, but we only do it if the server agrees */
vpninfo->deflate = 0;
+ mtu = 0;
while ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf)))) {
struct vpn_option *new_option;
- char *colon = strchr(buf, ':');
+ char *colon;
+
+ if (i < 0)
+ return i;
+
+ colon = strchr(buf, ':');
if (!colon)
continue;
if (!new_option->option || !new_option->value) {
vpn_progress(vpninfo, PRG_ERR, _("No memory for options\n"));
+ free(new_option->option);
+ free(new_option->value);
+ free(new_option);
return -ENOMEM;
}
*next_dtls_option = new_option;
next_dtls_option = &new_option->next;
- if (!strcmp(buf + 7, "Session-ID")) {
+ if (!strcmp(buf + 7, "MTU")) {
+ int dtlsmtu = atol(colon);
+ if (dtlsmtu > mtu)
+ mtu = dtlsmtu;
+ } else if (!strcmp(buf + 7, "Session-ID")) {
if (strlen(colon) != 64) {
vpn_progress(vpninfo, PRG_ERR,
_("X-DTLS-Session-ID not 64 characters; is: \"%s\"\n"),
return -EINVAL;
}
} else if (!strcmp(buf + 7, "MTU")) {
- vpninfo->mtu = atol(colon);
+ int cstpmtu = atol(colon);
+ if (cstpmtu > mtu)
+ mtu = cstpmtu;
} else if (!strcmp(buf + 7, "Address")) {
- if (strchr(new_option->value, ':'))
- vpninfo->vpn_addr6 = new_option->value;
- else
+ if (strchr(new_option->value, ':')) {
+ if (!vpninfo->disable_ipv6)
+ vpninfo->vpn_addr6 = new_option->value;
+ } else
vpninfo->vpn_addr = new_option->value;
} else if (!strcmp(buf + 7, "Netmask")) {
- if (strchr(new_option->value, ':'))
- vpninfo->vpn_netmask6 = new_option->value;
- else
+ if (strchr(new_option->value, ':')) {
+ if (!vpninfo->disable_ipv6)
+ vpninfo->vpn_netmask6 = new_option->value;
+ } else
vpninfo->vpn_netmask = new_option->value;
} else if (!strcmp(buf + 7, "DNS")) {
int j;
vpninfo->vpn_proxy_pac = new_option->value;
} else if (!strcmp(buf + 7, "Banner")) {
vpninfo->banner = new_option->value;
+ } else if (!strcmp(buf + 7, "Split-DNS")) {
+ struct split_include *dns = malloc(sizeof(*dns));
+ if (!dns)
+ continue;
+ dns->route = new_option->value;
+ dns->next = vpninfo->split_dns;
+ vpninfo->split_dns = dns;
} else if (!strcmp(buf + 7, "Split-Include")) {
struct split_include *inc = malloc(sizeof(*inc));
if (!inc)
}
}
+ if (!mtu) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("No MTU received. Aborting\n"));
+ return -EINVAL;
+ }
+ vpninfo->actual_mtu = mtu;
+
if (!vpninfo->vpn_addr && !vpninfo->vpn_addr6) {
vpn_progress(vpninfo, PRG_ERR,
_("No IP address received. Aborting\n"));
vpn_progress(vpninfo, PRG_INFO, _("CSTP connected. DPD %d, Keepalive %d\n"),
vpninfo->ssl_times.dpd, vpninfo->ssl_times.keepalive);
- BIO_set_nbio(SSL_get_rbio(vpninfo->https_ssl), 1);
- BIO_set_nbio(SSL_get_wbio(vpninfo->https_ssl), 1);
-
- fcntl(vpninfo->ssl_fd, F_SETFL, fcntl(vpninfo->ssl_fd, F_GETFL) | O_NONBLOCK);
if (vpninfo->select_nfds <= vpninfo->ssl_fd)
vpninfo->select_nfds = vpninfo->ssl_fd + 1;
{
int ret;
- if (!vpninfo->https_ssl && (ret = openconnect_open_https(vpninfo)))
+ ret = openconnect_open_https(vpninfo);
+ if (ret)
return ret;
if (vpninfo->deflate) {
int timeout;
int interval;
- openconnect_close_https(vpninfo);
+ openconnect_close_https(vpninfo, 0);
- /* Requeue the original packet that was deflated */
- if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt) {
- vpninfo->current_ssl_pkt = NULL;
- queue_packet(&vpninfo->outgoing_queue, vpninfo->pending_deflated_pkt);
- vpninfo->pending_deflated_pkt = NULL;
- }
if (vpninfo->deflate) {
+ /* Requeue the original packet that was deflated */
+ if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt) {
+ vpninfo->current_ssl_pkt = NULL;
+ queue_packet(&vpninfo->outgoing_queue, vpninfo->pending_deflated_pkt);
+ vpninfo->pending_deflated_pkt = NULL;
+ }
inflateEnd(&vpninfo->inflate_strm);
deflateEnd(&vpninfo->deflate_strm);
}
static int inflate_and_queue_packet(struct openconnect_info *vpninfo,
unsigned char *buf, int len)
{
- struct pkt *new = malloc(sizeof(struct pkt) + vpninfo->mtu);
+ struct pkt *new = malloc(sizeof(struct pkt) + vpninfo->actual_mtu);
uint32_t pkt_sum;
if (!new)
vpninfo->inflate_strm.avail_in = len - 4;
vpninfo->inflate_strm.next_out = new->data;
- vpninfo->inflate_strm.avail_out = vpninfo->mtu;
+ vpninfo->inflate_strm.avail_out = vpninfo->actual_mtu;
vpninfo->inflate_strm.total_out = 0;
if (inflate(&vpninfo->inflate_strm, Z_SYNC_FLUSH)) {
return 0;
}
+#if defined (OPENCONNECT_OPENSSL)
+static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)
+{
+ int len, ret;
+
+ len = SSL_read(vpninfo->https_ssl, buf, maxlen);
+ if (len > 0)
+ return len;
+
+ ret = SSL_get_error(vpninfo->https_ssl, len);
+ if (ret == SSL_ERROR_SYSCALL || ret == SSL_ERROR_ZERO_RETURN) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("SSL read error %d (server probably closed connection); reconnecting.\n"),
+ ret);
+ return -EIO;
+ }
+ return 0;
+}
+
+static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)
+{
+ int ret;
+
+ ret = SSL_write(vpninfo->https_ssl, buf, buflen);
+ if (ret > 0)
+ return ret;
+
+ ret = SSL_get_error(vpninfo->https_ssl, ret);
+ switch (ret) {
+ case SSL_ERROR_WANT_WRITE:
+ /* Waiting for the socket to become writable -- it's
+ probably stalled, and/or the buffers are full */
+ FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);
+ case SSL_ERROR_WANT_READ:
+ return 0;
+
+ default:
+ vpn_progress(vpninfo, PRG_ERR, _("SSL_write failed: %d\n"), ret);
+ openconnect_report_ssl_errors(vpninfo);
+ return -1;
+ }
+}
+#elif defined (OPENCONNECT_GNUTLS)
+static int cstp_read(struct openconnect_info *vpninfo, void *buf, int maxlen)
+{
+ int ret;
+
+ ret = gnutls_record_recv(vpninfo->https_sess, buf, maxlen);
+ if (ret > 0)
+ return ret;
+
+ if (ret != GNUTLS_E_AGAIN) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("SSL read error: %s; reconnecting.\n"),
+ gnutls_strerror(ret));
+ return -EIO;
+ }
+ return 0;
+}
+
+static int cstp_write(struct openconnect_info *vpninfo, void *buf, int buflen)
+{
+ int ret;
+
+ ret = gnutls_record_send(vpninfo->https_sess, buf, buflen);
+ if (ret > 0)
+ return ret;
+
+ if (ret == GNUTLS_E_AGAIN) {
+ if (gnutls_record_get_direction(vpninfo->https_sess)) {
+ /* Waiting for the socket to become writable -- it's
+ probably stalled, and/or the buffers are full */
+ FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);
+ }
+ return 0;
+ }
+ vpn_progress(vpninfo, PRG_ERR, _("SSL send failed: %s\n"),
+ gnutls_strerror(ret));
+ return -1;
+}
+#endif
+
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout)
{
unsigned char buf[16384];
we should probably remove POLLIN from the events we're looking for,
and add POLLOUT. As it is, though, it'll just chew CPU time in that
fairly unlikely situation, until the write backlog clears. */
- while ( (len = SSL_read(vpninfo->https_ssl, buf, sizeof(buf))) > 0) {
+ while ( (len = cstp_read(vpninfo, buf, sizeof(buf))) > 0) {
int payload_len;
if (buf[0] != 'S' || buf[1] != 'T' ||
vpninfo->quit_reason = "Unknown packet received";
return 1;
}
-
- ret = SSL_get_error(vpninfo->https_ssl, len);
- if (ret == SSL_ERROR_SYSCALL || ret == SSL_ERROR_ZERO_RETURN) {
- vpn_progress(vpninfo, PRG_ERR,
- _("SSL read error %d (server probably closed connection); reconnecting.\n"),
- ret);
- goto do_reconnect;
- }
+ if (len < 0)
+ goto do_reconnect;
/* If SSL_write() fails we are expected to try again. With exactly
handle_outgoing:
vpninfo->ssl_times.last_tx = time(NULL);
FD_CLR(vpninfo->ssl_fd, &vpninfo->select_wfds);
- ret = SSL_write(vpninfo->https_ssl,
- vpninfo->current_ssl_pkt->hdr,
- vpninfo->current_ssl_pkt->len + 8);
- if (ret <= 0) {
- ret = SSL_get_error(vpninfo->https_ssl, ret);
- switch (ret) {
- case SSL_ERROR_WANT_WRITE:
- /* Waiting for the socket to become writable -- it's
- probably stalled, and/or the buffers are full */
- FD_SET(vpninfo->ssl_fd, &vpninfo->select_wfds);
-
- case SSL_ERROR_WANT_READ:
- if (ka_stalled_dpd_time(&vpninfo->ssl_times, timeout))
- goto peer_dead;
+
+ ret = cstp_write(vpninfo,
+ vpninfo->current_ssl_pkt->hdr,
+ vpninfo->current_ssl_pkt->len + 8);
+ if (ret < 0)
+ goto do_reconnect;
+ else if (!ret) {
+ /* -EAGAIN: cstp_write() will have added the SSL fd to
+ ->select_wfds if appropriate, so we can just return
+ and wait. Unless it's been stalled for so long that
+ DPD kicks in and we kill the connection. */
+ switch (ka_stalled_action(&vpninfo->ssl_times, timeout)) {
+ case KA_DPD_DEAD:
+ goto peer_dead;
+ case KA_REKEY:
+ goto do_rekey;
+ case KA_NONE:
return work_done;
default:
- vpn_progress(vpninfo, PRG_ERR, _("SSL_write failed: %d\n"), ret);
- report_ssl_errors(vpninfo);
- goto do_reconnect;
+ /* This should never happen */
+ ;
}
}
+
if (ret != vpninfo->current_ssl_pkt->len + 8) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL wrote too few bytes! Asked for %d, sent %d\n"),
switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
case KA_REKEY:
+ do_rekey:
/* Not that this will ever happen; we don't even process
the setting when we're asked for it. */
vpn_progress(vpninfo, PRG_INFO, _("CSTP rekey due\n"));
int reason_len;
/* already lost connection? */
+#if defined (OPENCONNECT_OPENSSL)
if (!vpninfo->https_ssl)
return 0;
+#elif defined (OPENCONNECT_GNUTLS)
+ if (!vpninfo->https_sess)
+ return 0;
+#endif
reason_len = strlen(reason);
bye_pkt = malloc(reason_len + 9);
bye_pkt[6] = AC_PKT_DISCONN;
bye_pkt[8] = 0xb0;
- SSL_write(vpninfo->https_ssl, bye_pkt, reason_len + 9);
- free(bye_pkt);
-
vpn_progress(vpninfo, PRG_INFO,
_("Send BYE packet: %s\n"), reason);
+ cstp_write(vpninfo, bye_pkt, reason_len + 9);
+ free(bye_pkt);
+
return 0;
}