/*
* OpenConnect (SSL + DTLS) VPN client
*
- * Copyright © 2008-2010 Intel Corporation.
+ * Copyright © 2008-2012 Intel Corporation.
* Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
*
* Author: David Woodhouse <dwmw2@infradead.org>
* Boston, MA 02110-1301 USA
*/
-#define _GNU_SOURCE
#include <netdb.h>
#include <unistd.h>
#include <fcntl.h>
#include <pwd.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/engine.h>
+#include "openconnect-internal.h"
-#include "openconnect.h"
+static int proxy_write(struct openconnect_info *vpninfo, int fd,
+ unsigned char *buf, size_t len);
+static int proxy_read(struct openconnect_info *vpninfo, int fd,
+ unsigned char *buf, size_t len);
#define MAX_BUF_LEN 131072
/*
* provided by their caller.
*/
-int http_add_cookie(struct openconnect_info *vpninfo, const char *option, const char *value)
+static int http_add_cookie(struct openconnect_info *vpninfo,
+ const char *option, const char *value)
{
struct vpn_option *new, **this;
if (*value) {
new = malloc(sizeof(*new));
if (!new) {
- vpninfo->progress(vpninfo, PRG_ERR, "No memory for allocating cookies\n");
+ vpn_progress(vpninfo, PRG_ERR,
+ _("No memory for allocating cookies\n"));
return -ENOMEM;
}
new->next = NULL;
return 0;
}
+#define BODY_HTTP10 -1
+#define BODY_CHUNKED -2
+
static int process_http_response(struct openconnect_info *vpninfo, int *result,
int (*header_cb)(struct openconnect_info *, char *, char *),
- char *body, int buf_len)
+ char **body_ret)
{
char buf[MAX_BUF_LEN];
- int bodylen = 0;
+ char *body = NULL;
+ int bodylen = BODY_HTTP10;
int done = 0;
- int http10 = 0, closeconn = 0;
+ int closeconn = 0;
int i;
- if (openconnect_SSL_gets(vpninfo->https_ssl, buf, sizeof(buf)) < 0) {
- vpninfo->progress(vpninfo, PRG_ERR, "Error fetching HTTPS response\n");
+ cont:
+ if (openconnect_SSL_gets(vpninfo, buf, sizeof(buf)) < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error fetching HTTPS response\n"));
return -EINVAL;
}
- cont:
- if (!strncmp(buf, "HTTP/1.0 ", 9)) {
- http10 = 1;
+ if (!strncmp(buf, "HTTP/1.0 ", 9))
closeconn = 1;
- }
-
- if ((!http10 && strncmp(buf, "HTTP/1.1 ", 9)) || !(*result = atoi(buf+9))) {
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to parse HTTP response '%s'\n", buf);
+
+ if ((!closeconn && strncmp(buf, "HTTP/1.1 ", 9)) || !(*result = atoi(buf+9))) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to parse HTTP response '%s'\n"), buf);
return -EINVAL;
}
- vpninfo->progress(vpninfo, PRG_TRACE, "Got HTTP response: %s\n", buf);
+ vpn_progress(vpninfo, (*result==200)?PRG_TRACE:PRG_INFO,
+ _("Got HTTP response: %s\n"), buf);
/* Eat headers... */
- while ((i = openconnect_SSL_gets(vpninfo->https_ssl, buf, sizeof(buf)))) {
+ while ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf)))) {
char *colon;
- vpninfo->progress(vpninfo, PRG_TRACE, "%s\n", buf);
-
if (i < 0) {
- vpninfo->progress(vpninfo, PRG_ERR, "Error processing HTTP response\n");
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error processing HTTP response\n"));
return -EINVAL;
}
colon = strchr(buf, ':');
if (!colon) {
- vpninfo->progress(vpninfo, PRG_ERR, "Ignoring unknown HTTP response line '%s'\n", buf);
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Ignoring unknown HTTP response line '%s'\n"), buf);
continue;
}
*(colon++) = 0;
if (*colon == ' ')
colon++;
- if (!strcmp(buf, "Connection") && !strcmp(colon, "Close"))
- closeconn = 1;
-
- if (!strcmp(buf, "Location")) {
- vpninfo->redirect_url = strdup(colon);
- if (!vpninfo->redirect_url)
- return -ENOMEM;
- }
- if (!strcmp(buf, "Content-Length")) {
- bodylen = atoi(colon);
- if (bodylen < 0 || bodylen > buf_len) {
- vpninfo->progress(vpninfo, PRG_ERR, "Response body too large for buffer (%d > %d)\n",
- bodylen, buf_len);
- return -EINVAL;
- }
- }
- if (!strcmp(buf, "Set-Cookie")) {
+ /* Handle Set-Cookie first so that we can avoid printing the
+ webvpn cookie in the verbose debug output */
+ if (!strcasecmp(buf, "Set-Cookie")) {
char *semicolon = strchr(colon, ';');
+ const char *print_equals;
char *equals = strchr(colon, '=');
int ret;
*semicolon = 0;
if (!equals) {
- vpninfo->progress(vpninfo, PRG_ERR, "Invalid cookie offered: %s\n", buf);
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Invalid cookie offered: %s\n"), buf);
return -EINVAL;
}
*(equals++) = 0;
+ print_equals = equals;
+ /* Don't print the webvpn cookie unless it's empty; we don't
+ want people posting it in public with debugging output */
+ if (!strcmp(colon, "webvpn") && *equals)
+ print_equals = _("<elided>");
+ vpn_progress(vpninfo, PRG_TRACE, "%s: %s=%s%s%s\n",
+ buf, colon, print_equals, semicolon?";":"",
+ semicolon?(semicolon+1):"");
+
+ /* The server tends to ask for the username and password as
+ usual, even if we've already failed because it didn't like
+ our cert. Thankfully it does give us this hint... */
+ if (!strcmp(colon, "ClientCertAuthFailed"))
+ vpn_progress(vpninfo, PRG_ERR,
+ _("SSL certificate authentication failed\n"));
+
ret = http_add_cookie(vpninfo, colon, equals);
if (ret)
return ret;
+ } else {
+ vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
}
- if (!strcmp(buf, "Transfer-Encoding")) {
- if (!strcmp(colon, "chunked"))
- bodylen = -1;
+
+ if (!strcasecmp(buf, "Connection")) {
+ if (!strcasecmp(colon, "Close"))
+ closeconn = 1;
+#if 0
+ /* This might seem reasonable, but in fact it breaks
+ certificate authentication with some servers. If
+ they give an HTTP/1.0 response, even if they
+ explicitly give a Connection: Keep-Alive header,
+ just close the connection. */
+ else if (!strcasecmp(colon, "Keep-Alive"))
+ closeconn = 0;
+#endif
+ }
+ if (!strcasecmp(buf, "Location")) {
+ vpninfo->redirect_url = strdup(colon);
+ if (!vpninfo->redirect_url)
+ return -ENOMEM;
+ }
+ if (!strcasecmp(buf, "Content-Length")) {
+ bodylen = atoi(colon);
+ if (bodylen < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Response body has negative size (%d)\n"),
+ bodylen);
+ return -EINVAL;
+ }
+ }
+ if (!strcasecmp(buf, "Transfer-Encoding")) {
+ if (!strcasecmp(colon, "chunked"))
+ bodylen = BODY_CHUNKED;
else {
- vpninfo->progress(vpninfo, PRG_ERR, "Unknown Transfer-Encoding: %s\n", colon);
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Unknown Transfer-Encoding: %s\n"),
+ colon);
return -EINVAL;
}
}
goto cont;
/* Now the body, if there is one */
- if (!bodylen)
- goto fin;
+ vpn_progress(vpninfo, PRG_TRACE, _("HTTP body %s (%d)\n"),
+ bodylen==BODY_HTTP10?"http 1.0" :
+ bodylen==BODY_CHUNKED?"chunked" : "length: ",
+ bodylen);
- if (http10) {
- /* HTTP 1.0 response. Just eat all we can. */
- while (1) {
- i = SSL_read(vpninfo->https_ssl, body + done, bodylen - done);
- if (i < 0)
- goto fin;
- done += i;
- }
- }
/* If we were given Content-Length, it's nice and easy... */
if (bodylen > 0) {
+ body = malloc(bodylen + 1);
+ if (!body)
+ return -ENOMEM;
while (done < bodylen) {
- i = SSL_read(vpninfo->https_ssl, body + done, bodylen - done);
+ i = openconnect_SSL_read(vpninfo, body + done, bodylen - done);
if (i < 0) {
- vpninfo->progress(vpninfo, PRG_ERR, "Error reading HTTP response body\n");
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error reading HTTP response body\n"));
+ free(body);
return -EINVAL;
}
done += i;
}
- goto fin;
- }
+ } else if (bodylen == BODY_CHUNKED) {
+ /* ... else, chunked */
+ while ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf)))) {
+ int chunklen, lastchunk = 0;
- /* ... else, chunked */
- while ((i = openconnect_SSL_gets(vpninfo->https_ssl, buf, sizeof(buf)))) {
- int chunklen, lastchunk = 0;
-
- if (i < 0) {
- vpninfo->progress(vpninfo, PRG_ERR, "Error fetching chunk header\n");
- exit(1);
- }
- chunklen = strtol(buf, NULL, 16);
- if (!chunklen) {
- lastchunk = 1;
- goto skip;
- }
- if (chunklen + done > buf_len) {
- vpninfo->progress(vpninfo, PRG_ERR, "Response body too large for buffer (%d > %d)\n",
- chunklen + done, buf_len);
- return -EINVAL;
- }
- while (chunklen) {
- i = SSL_read(vpninfo->https_ssl, body + done, chunklen);
if (i < 0) {
- vpninfo->progress(vpninfo, PRG_ERR, "Error reading HTTP response body\n");
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error fetching chunk header\n"));
+ return i;
+ }
+ chunklen = strtol(buf, NULL, 16);
+ if (!chunklen) {
+ lastchunk = 1;
+ goto skip;
+ }
+ body = realloc(body, done + chunklen + 1);
+ if (!body)
+ return -ENOMEM;
+ while (chunklen) {
+ i = openconnect_SSL_read(vpninfo, body + done, chunklen);
+ if (i < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error reading HTTP response body\n"));
+ free(body);
+ return -EINVAL;
+ }
+ chunklen -= i;
+ done += i;
+ }
+ skip:
+ if ((i = openconnect_SSL_gets(vpninfo, buf, sizeof(buf)))) {
+ if (i < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error fetching HTTP response body\n"));
+ } else {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error in chunked decoding. Expected '', got: '%s'"),
+ buf);
+ }
+ free(body);
return -EINVAL;
}
- chunklen -= i;
- done += i;
+
+ if (lastchunk)
+ break;
}
- skip:
- if ((i = openconnect_SSL_gets(vpninfo->https_ssl, buf, sizeof(buf)))) {
- if (i < 0) {
- vpninfo->progress(vpninfo, PRG_ERR, "Error fetching HTTP response body\n");
- } else {
- vpninfo->progress(vpninfo, PRG_ERR, "Error in chunked decoding. Expected '', got: '%s'",
- buf);
- }
+ } else if (bodylen == BODY_HTTP10) {
+ if (!closeconn) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Cannot receive HTTP 1.0 body without closing connection\n"));
return -EINVAL;
}
- if (lastchunk)
- break;
- }
- fin:
- if (closeconn && vpninfo->https_ssl) {
- SSL_free(vpninfo->https_ssl);
- vpninfo->https_ssl = NULL;
- close(vpninfo->ssl_fd);
- vpninfo->ssl_fd = -1;
+ /* HTTP 1.0 response. Just eat all we can in 16KiB chunks */
+ while (1) {
+ body = realloc(body, done + 16384);
+ if (!body)
+ return -ENOMEM;
+ i = openconnect_SSL_read(vpninfo, body + done, 16384);
+ if (i > 0) {
+ /* Got more data */
+ done += i;
+ } else if (i < 0) {
+ /* Error */
+ free(body);
+ return i;
+ } else {
+ /* Connection closed. Reduce allocation to just what we need */
+ body = realloc(body, done + 1);
+ if (!body)
+ return -ENOMEM;
+ break;
+ }
+ }
}
- body[done] = 0;
+
+ if (closeconn || vpninfo->no_http_keepalive)
+ openconnect_close_https(vpninfo, 0);
+
+ if (body)
+ body[done] = 0;
+ *body_ret = body;
return done;
}
{
struct vpn_option *opt;
char buf[MAX_BUF_LEN];
+ char *config_buf = NULL;
int result, buflen;
- unsigned char local_sha1_bin[SHA_DIGEST_LENGTH];
- char local_sha1_ascii[(SHA_DIGEST_LENGTH * 2)+1];
- EVP_MD_CTX c;
+ unsigned char local_sha1_bin[SHA1_SIZE];
+ char local_sha1_ascii[(SHA1_SIZE * 2)+1];
int i;
+ if (openconnect_open_https(vpninfo)) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to open HTTPS connection to %s\n"),
+ vpninfo->hostname);
+ return -EINVAL;
+ }
+
sprintf(buf, "GET %s%s HTTP/1.1\r\n", fu, bu);
sprintf(buf + strlen(buf), "Host: %s\r\n", vpninfo->hostname);
sprintf(buf + strlen(buf), "User-Agent: %s\r\n", vpninfo->useragent);
}
sprintf(buf + strlen(buf), "X-Transcend-Version: 1\r\n\r\n");
- SSL_write(vpninfo->https_ssl, buf, strlen(buf));
+ if (openconnect_SSL_write(vpninfo, buf, strlen(buf)) != strlen(buf)) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to send GET request for new config\n"));
+ return -EIO;
+ }
- buflen = process_http_response(vpninfo, &result, NULL, buf, MAX_BUF_LEN);
+ buflen = process_http_response(vpninfo, &result, NULL, &config_buf);
if (buflen < 0) {
/* We'll already have complained about whatever offended us */
return -EINVAL;
}
- if (result != 200)
+ if (result != 200) {
+ free(config_buf);
return -EINVAL;
+ }
+ openconnect_sha1(local_sha1_bin, config_buf, buflen);
- EVP_MD_CTX_init(&c);
- EVP_Digest(buf, buflen, local_sha1_bin, NULL, EVP_sha1(), NULL);
- EVP_MD_CTX_cleanup(&c);
-
- for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+ for (i = 0; i < SHA1_SIZE; i++)
sprintf(&local_sha1_ascii[i*2], "%02x", local_sha1_bin[i]);
if (strcasecmp(server_sha1, local_sha1_ascii)) {
- vpninfo->progress(vpninfo, PRG_ERR, "Downloaded config file did not match intended SHA1\n");
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Downloaded config file did not match intended SHA1\n"));
+ free(config_buf);
return -EINVAL;
}
- return vpninfo->write_new_config(vpninfo, buf, buflen);
+ result = vpninfo->write_new_config(vpninfo->cbdata, config_buf, buflen);
+ free(config_buf);
+ return result;
}
static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int buflen)
{
char fname[16];
- int fd;
+ int fd, ret;
- if (!vpninfo->uid_csd_given) {
- vpninfo->progress(vpninfo, PRG_ERR, "Error: You are trying to "
- "run insecure CSD code without specifying the CSD user.\n"
- " Use command line option \"--csd-user\"\n");
- exit(1);
+ if (!vpninfo->uid_csd_given && !vpninfo->csd_wrapper) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error: Server asked us to download and run a 'Cisco Secure Desktop' trojan.\n"
+ "This facility is disabled by default for security reasons, so you may wish to enable it."));
+ return -EPERM;
}
#ifndef __linux__
- vpninfo->progress(vpninfo, PRG_INFO,
- "Trying to run Linux CSD trojan script.");
+ vpn_progress(vpninfo, PRG_INFO,
+ _("Trying to run Linux CSD trojan script."));
#endif
sprintf(fname, "/tmp/csdXXXXXX");
fd = mkstemp(fname);
if (fd < 0) {
int err = -errno;
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to open temporary CSD script file: %s\n",
- strerror(errno));
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to open temporary CSD script file: %s\n"),
+ strerror(errno));
return err;
}
- write(fd, buf, buflen);
+
+ ret = proxy_write(vpninfo, fd, (void *)buf, buflen);
+ if (ret) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to write temporary CSD script file: %s\n"),
+ strerror(-ret));
+ return ret;
+ }
fchmod(fd, 0755);
close(fd);
if (!fork()) {
- X509 *scert = SSL_get_peer_certificate(vpninfo->https_ssl);
- X509 *ccert = SSL_get_certificate(vpninfo->https_ssl);
- char scertbuf[EVP_MAX_MD_SIZE * 2 + 1];
- char ccertbuf[EVP_MAX_MD_SIZE * 2 + 1];
+ char scertbuf[MD5_SIZE * 2 + 1];
+ char ccertbuf[MD5_SIZE * 2 + 1];
char *csd_argv[32];
int i = 0;
- if (vpninfo->uid_csd != getuid()) {
+ if (vpninfo->uid_csd_given && vpninfo->uid_csd != getuid()) {
struct passwd *pw;
if (setuid(vpninfo->uid_csd)) {
- fprintf(stderr, "Failed to set uid %d\n",
- vpninfo->uid_csd);
+ fprintf(stderr, _("Failed to set uid %ld\n"),
+ (long)vpninfo->uid_csd);
exit(1);
}
if (!(pw = getpwuid(vpninfo->uid_csd))) {
- fprintf(stderr, "Invalid user uid=%d\n",
- vpninfo->uid_csd);
+ fprintf(stderr, _("Invalid user uid=%ld\n"),
+ (long)vpninfo->uid_csd);
exit(1);
}
setenv("HOME", pw->pw_dir, 1);
- chdir(pw->pw_dir);
+ if (chdir(pw->pw_dir)) {
+ fprintf(stderr, _("Failed to change to CSD home directory '%s': %s\n"),
+ pw->pw_dir, strerror(errno));
+ exit(1);
+ }
}
- if (vpninfo->uid_csd == 0) {
- fprintf(stderr, "Warning: you are running insecure "
- "CSD code with root privileges\n"
- "\t Use command line option \"--csd-user\"\n");
+ if (getuid() == 0 && !vpninfo->csd_wrapper) {
+ fprintf(stderr, _("Warning: you are running insecure "
+ "CSD code with root privileges\n"
+ "\t Use command line option \"--csd-user\"\n"));
}
-
+ if (vpninfo->uid_csd_given == 2) {
+ /* The NM tool really needs not to get spurious output
+ on stdout, which the CSD trojan spews. */
+ dup2(2, 1);
+ }
+ if (vpninfo->csd_wrapper)
+ csd_argv[i++] = vpninfo->csd_wrapper;
csd_argv[i++] = fname;
- csd_argv[i++] = "-ticket";
- asprintf(&csd_argv[i++], "\"%s\"", vpninfo->csd_ticket);
- csd_argv[i++] = "-stub";
- csd_argv[i++] = "\"0\"";
- csd_argv[i++] = "-group";
- asprintf(&csd_argv[i++], "\"%s\"", vpninfo->authgroup?:"");
- get_cert_md5_fingerprint(vpninfo, scert, scertbuf);
- if (ccert)
- get_cert_md5_fingerprint(vpninfo, ccert, ccertbuf);
- else
- ccertbuf[0] = 0;
-
- csd_argv[i++] = "-certhash";
- asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf);
- csd_argv[i++] = "-url";
- asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl);
- /* WTF would it want to know this for? */
- csd_argv[i++] = "-vpnclient";
- csd_argv[i++] = "\"/opt/cisco/vpn/bin/vpnui";
- csd_argv[i++] = "-connect";
- asprintf(&csd_argv[i++], "https://%s/%s", vpninfo->hostname, vpninfo->csd_preurl);
- csd_argv[i++] = "-connectparam";
- asprintf(&csd_argv[i++], "#csdtoken=%s\"", vpninfo->csd_token);
- csd_argv[i++] = "-langselen";
+ csd_argv[i++]= (char *)"-ticket";
+ if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->csd_ticket) == -1)
+ return -ENOMEM;
+ csd_argv[i++]= (char *)"-stub";
+ csd_argv[i++]= (char *)"\"0\"";
+ csd_argv[i++]= (char *)"-group";
+ if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->authgroup?:"") == -1)
+ return -ENOMEM;
+
+ openconnect_local_cert_md5(vpninfo, ccertbuf);
+ scertbuf[0] = 0;
+ get_cert_md5_fingerprint(vpninfo, vpninfo->peer_cert, scertbuf);
+ csd_argv[i++]= (char *)"-certhash";
+ if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
+ return -ENOMEM;
+
+ csd_argv[i++]= (char *)"-url";
+ if (asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl) == -1)
+ return -ENOMEM;
+
+ csd_argv[i++]= (char *)"-langselen";
csd_argv[i++] = NULL;
- execv(fname, csd_argv);
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to exec CSD script %s\n", fname);
+ execv(csd_argv[0], csd_argv);
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to exec CSD script %s\n"), csd_argv[0]);
exit(1);
}
return 0;
}
-#ifdef __sun__
-char *local_strcasestr(const char *haystack, const char *needle)
-{
- int hlen = strlen(haystack);
- int nlen = strlen(needle);
- int i, j;
-
- for (i = 0; i < hlen - nlen + 1; i++) {
- for (j = 0; j < nlen; j++) {
- if (tolower(haystack[i + j]) !=
- tolower(needle[j]))
- break;
- }
- if (j == nlen)
- return (char *)haystack + i;
- }
- return NULL;
-}
-#define strcasestr local_strcasestr
-#endif
-
-int parse_url(char *url, char **res_proto, char **res_host, int *res_port,
- char **res_path, int default_port)
+int internal_parse_url(char *url, char **res_proto, char **res_host,
+ int *res_port, char **res_path, int default_port)
{
char *proto = url;
char *host, *path, *port_str;
}
path = strchr(host, '/');
- if (path) {
+ if (path)
*(path++) = 0;
- if (!*path)
- path = NULL;
- }
port_str = strrchr(host, ':');
if (port_str) {
if (res_port)
*res_port = port;
if (res_path)
- *res_path = path ? strdup(path) : NULL;
+ *res_path = (path && *path) ? strdup(path) : NULL;
+
+ /* Undo the damage we did to the original string */
+ if (port_str)
+ *(port_str) = ':';
+ if (path)
+ *(path - 1) = '/';
+ if (proto)
+ *(host - 3) = ':';
return 0;
}
/* Return value:
* < 0, on error
- * = 0, no cookie (user cancel)
- * = 1, obtained cookie
+ * > 0, no cookie (user cancel)
+ * = 0, obtained cookie
*/
int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
{
struct vpn_option *opt, *next;
char buf[MAX_BUF_LEN];
+ char *form_buf = NULL;
int result, buflen;
char request_body[2048];
- char *request_body_type = NULL;
- char *method = "GET";
+ const char *request_body_type = NULL;
+ const char *method = "GET";
+
+ if (vpninfo->use_stoken) {
+ result = prepare_stoken(vpninfo);
+ if (result)
+ return result;
+ }
retry:
- if (!vpninfo->https_ssl && openconnect_open_https(vpninfo)) {
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to open HTTPS connection to %s\n",
- vpninfo->hostname);
+ if (form_buf) {
+ free(form_buf);
+ form_buf = NULL;
+ }
+ if (openconnect_open_https(vpninfo)) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to open HTTPS connection to %s\n"),
+ vpninfo->hostname);
return -EINVAL;
}
sprintf(buf + strlen(buf), "%s", request_body);
if (vpninfo->port == 443)
- vpninfo->progress(vpninfo, PRG_INFO, "%s https://%s/%s\n",
- method, vpninfo->hostname,
- vpninfo->urlpath ?: "");
+ vpn_progress(vpninfo, PRG_INFO, "%s https://%s/%s\n",
+ method, vpninfo->hostname,
+ vpninfo->urlpath ?: "");
else
- vpninfo->progress(vpninfo, PRG_INFO, "%s https://%s:%d/%s\n",
- method, vpninfo->hostname, vpninfo->port,
- vpninfo->urlpath ?: "");
+ vpn_progress(vpninfo, PRG_INFO, "%s https://%s:%d/%s\n",
+ method, vpninfo->hostname, vpninfo->port,
+ vpninfo->urlpath ?: "");
- SSL_write(vpninfo->https_ssl, buf, strlen(buf));
+ result = openconnect_SSL_write(vpninfo, buf, strlen(buf));
+ if (result < 0)
+ return result;
- buflen = process_http_response(vpninfo, &result, NULL, buf, MAX_BUF_LEN);
+ buflen = process_http_response(vpninfo, &result, NULL, &form_buf);
if (buflen < 0) {
/* We'll already have complained about whatever offended us */
- exit(1);
+ return buflen;
}
if (result != 200 && vpninfo->redirect_url) {
free(vpninfo->urlpath);
vpninfo->urlpath = NULL;
- ret = parse_url(vpninfo->redirect_url, NULL, &host, &port, &vpninfo->urlpath, 0);
+ ret = internal_parse_url(vpninfo->redirect_url, NULL, &host, &port, &vpninfo->urlpath, 0);
if (ret) {
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to parse redirected URL '%s': %s\n",
- vpninfo->redirect_url, strerror(-ret));
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to parse redirected URL '%s': %s\n"),
+ vpninfo->redirect_url, strerror(-ret));
free(vpninfo->redirect_url);
+ vpninfo->redirect_url = NULL;
+ free(form_buf);
return ret;
}
- if (strcmp(vpninfo->hostname, host) || port != vpninfo->port) {
+ if (strcasecmp(vpninfo->hostname, host) || port != vpninfo->port) {
free(vpninfo->hostname);
vpninfo->hostname = host;
vpninfo->port = port;
/* Kill the existing connection, and a new one will happen */
free(vpninfo->peer_addr);
vpninfo->peer_addr = NULL;
- SSL_free(vpninfo->https_ssl);
- vpninfo->https_ssl = NULL;
- close(vpninfo->ssl_fd);
- vpninfo->ssl_fd = -1;
+ openconnect_close_https(vpninfo, 0);
for (opt = vpninfo->cookies; opt; opt = next) {
next = opt->next;
vpninfo->redirect_url = NULL;
goto retry;
+ } else if (strstr(vpninfo->redirect_url, "://")) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Cannot follow redirection to non-https URL '%s'\n"),
+ vpninfo->redirect_url);
+ free(vpninfo->redirect_url);
+ vpninfo->redirect_url = NULL;
+ free(form_buf);
+ return -EINVAL;
} else if (vpninfo->redirect_url[0] == '/') {
/* Absolute redirect within same host */
free(vpninfo->urlpath);
vpninfo->redirect_url = NULL;
goto retry;
} else {
- vpninfo->progress(vpninfo, PRG_ERR, "Relative redirect (to '%s') not supported\n",
- vpninfo->redirect_url);
- return -EINVAL;
+ char *lastslash = NULL;
+ if (vpninfo->urlpath)
+ lastslash = strrchr(vpninfo->urlpath, '/');
+ if (!lastslash) {
+ free(vpninfo->urlpath);
+ vpninfo->urlpath = vpninfo->redirect_url;
+ vpninfo->redirect_url = NULL;
+ } else {
+ char *oldurl = vpninfo->urlpath;
+ *lastslash = 0;
+ vpninfo->urlpath = NULL;
+ if (asprintf(&vpninfo->urlpath, "%s/%s",
+ oldurl, vpninfo->redirect_url) == -1) {
+ int err = -errno;
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Allocating new path for relative redirect failed: %s\n"),
+ strerror(-err));
+ return err;
+ }
+ free(oldurl);
+ free(vpninfo->redirect_url);
+ vpninfo->redirect_url = NULL;
+ }
+ goto retry;
}
}
-
+ if (!form_buf || result != 200) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Unexpected %d result from server\n"),
+ result);
+ free(form_buf);
+ return -EINVAL;
+ }
if (vpninfo->csd_stuburl) {
/* This is the CSD stub script, which we now need to run */
- result = run_csd_script(vpninfo, buf, buflen);
- if (result)
+ result = run_csd_script(vpninfo, form_buf, buflen);
+ if (result) {
+ free(form_buf);
return result;
+ }
/* Now we'll be redirected to the waiturl */
goto retry;
}
- if (strncmp(buf, "<?xml", 5)) {
+ if (strncmp(form_buf, "<?xml", 5)) {
/* Not XML? Perhaps it's HTML with a refresh... */
- if (strcasestr(buf, "http-equiv=\"refresh\"")) {
- vpninfo->progress(vpninfo, PRG_INFO, "Refreshing %s after 1 second...\n",
- vpninfo->urlpath);
+ if (strcasestr(form_buf, "http-equiv=\"refresh\"")) {
+ vpn_progress(vpninfo, PRG_INFO,
+ _("Refreshing %s after 1 second...\n"),
+ vpninfo->urlpath);
sleep(1);
goto retry;
}
- vpninfo->progress(vpninfo, PRG_ERR, "Unknown response from server\n");
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Unknown response from server\n"));
+ free(form_buf);
return -EINVAL;
}
request_body[0] = 0;
- result = parse_xml_response(vpninfo, buf, request_body, sizeof(request_body),
+ result = parse_xml_response(vpninfo, form_buf, request_body, sizeof(request_body),
&method, &request_body_type);
+
if (!result)
goto redirect;
+ free(form_buf);
+
if (result != 2)
return result;
+
/* A return value of 2 means the XML form indicated
success. We _should_ have a cookie... */
fu = tok + 3;
else if (!strncmp(tok, "fh:", 3)) {
if (!strncasecmp(tok+3, vpninfo->xmlsha1,
- SHA_DIGEST_LENGTH * 2))
+ SHA1_SIZE * 2))
break;
sha = tok + 3;
}
return 0;
}
-char *openconnect_create_useragent(char *base)
+char *openconnect_create_useragent(const char *base)
{
char *uagent;
- if (asprintf(&uagent, "%s %s", base, openconnect_version) < 0)
+ if (asprintf(&uagent, "%s %s", base, openconnect_version_str) < 0)
return NULL;
return uagent;
}
-static int proxy_gets(int fd, char *buf, size_t len)
+static int proxy_gets(struct openconnect_info *vpninfo, int fd,
+ char *buf, size_t len)
{
int i = 0;
int ret;
if (len < 2)
return -EINVAL;
- while ( (ret = read(fd, buf + i, 1)) == 1) {
+ while ( (ret = proxy_read(vpninfo, fd, (void *)(buf + i), 1)) == 0) {
if (buf[i] == '\n') {
buf[i] = 0;
if (i && buf[i-1] == '\r') {
return i;
}
}
- if (ret < 0)
- ret = -errno;
-
buf[i] = 0;
return i ?: ret;
}
+static int proxy_write(struct openconnect_info *vpninfo, int fd,
+ unsigned char *buf, size_t len)
+{
+ size_t count;
+
+ for (count = 0; count < len; ) {
+ fd_set rd_set, wr_set;
+ int maxfd = fd;
+ int i;
+
+ FD_ZERO(&wr_set);
+ FD_ZERO(&rd_set);
+ FD_SET(fd, &wr_set);
+ if (vpninfo->cancel_fd != -1) {
+ FD_SET(vpninfo->cancel_fd, &rd_set);
+ if (vpninfo->cancel_fd > fd)
+ maxfd = vpninfo->cancel_fd;
+ }
+
+ select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
+ if (vpninfo->cancel_fd != -1 &&
+ FD_ISSET(vpninfo->cancel_fd, &rd_set))
+ return -EINTR;
+
+ /* Not that this should ever be able to happen... */
+ if (!FD_ISSET(fd, &wr_set))
+ continue;
+
+ i = write(fd, buf + count, len - count);
+ if (i < 0)
+ return -errno;
-int process_http_proxy(struct openconnect_info *vpninfo, int ssl_sock)
+ count += i;
+ }
+ return 0;
+}
+
+static int proxy_read(struct openconnect_info *vpninfo, int fd,
+ unsigned char *buf, size_t len)
+{
+ size_t count;
+
+ for (count = 0; count < len; ) {
+ fd_set rd_set;
+ int maxfd = fd;
+ int i;
+
+ FD_ZERO(&rd_set);
+ FD_SET(fd, &rd_set);
+ if (vpninfo->cancel_fd != -1) {
+ FD_SET(vpninfo->cancel_fd, &rd_set);
+ if (vpninfo->cancel_fd > fd)
+ maxfd = vpninfo->cancel_fd;
+ }
+
+ select(maxfd + 1, &rd_set, NULL, NULL, NULL);
+ if (vpninfo->cancel_fd != -1 &&
+ FD_ISSET(vpninfo->cancel_fd, &rd_set))
+ return -EINTR;
+
+ /* Not that this should ever be able to happen... */
+ if (!FD_ISSET(fd, &rd_set))
+ continue;
+
+ i = read(fd, buf + count, len - count);
+ if (i < 0)
+ return -errno;
+
+ count += i;
+ }
+ return 0;
+}
+
+static const char *socks_errors[] = {
+ N_("request granted"),
+ N_("general failure"),
+ N_("connection not allowed by ruleset"),
+ N_("network unreachable"),
+ N_("host unreachable"),
+ N_("connection refused by destination host"),
+ N_("TTL expired"),
+ N_("command not supported / protocol error"),
+ N_("address type not supported")
+};
+
+static int process_socks_proxy(struct openconnect_info *vpninfo, int ssl_sock)
+{
+ unsigned char buf[1024];
+ int i;
+
+ buf[0] = 5; /* SOCKS version */
+ buf[1] = 1; /* # auth methods */
+ buf[2] = 0; /* No auth supported */
+
+ if ((i = proxy_write(vpninfo, ssl_sock, buf, 3))) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error writing auth request to SOCKS proxy: %s\n"),
+ strerror(-i));
+ return i;
+ }
+
+ if ((i = proxy_read(vpninfo, ssl_sock, buf, 2))) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error reading auth response from SOCKS proxy: %s\n"),
+ strerror(-i));
+ return i;
+ }
+ if (buf[0] != 5) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Unexpected auth response from SOCKS proxy: %02x %02x\n"),
+ buf[0], buf[1]);
+ return -EIO;
+ }
+ if (buf[1]) {
+ socks_err:
+ if (buf[1] < sizeof(socks_errors) / sizeof(socks_errors[0]))
+ vpn_progress(vpninfo, PRG_ERR,
+ _("SOCKS proxy error %02x: %s\n"),
+ buf[1], _(socks_errors[buf[1]]));
+ else
+ vpn_progress(vpninfo, PRG_ERR,
+ _("SOCKS proxy error %02x\n"),
+ buf[1]);
+ return -EIO;
+ }
+
+ vpn_progress(vpninfo, PRG_INFO,
+ _("Requesting SOCKS proxy connection to %s:%d\n"),
+ vpninfo->hostname, vpninfo->port);
+
+ buf[0] = 5; /* SOCKS version */
+ buf[1] = 1; /* CONNECT */
+ buf[2] = 0; /* Reserved */
+ buf[3] = 3; /* Address type is domain name */
+ buf[4] = strlen(vpninfo->hostname);
+ strcpy((char *)buf + 5, vpninfo->hostname);
+ i = strlen(vpninfo->hostname) + 5;
+ buf[i++] = vpninfo->port >> 8;
+ buf[i++] = vpninfo->port & 0xff;
+
+ if ((i = proxy_write(vpninfo, ssl_sock, buf, i))) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error writing connect request to SOCKS proxy: %s\n"),
+ strerror(-i));
+ return i;
+ }
+ /* Read 5 bytes -- up to and including the first byte of the returned
+ address (which might be the length byte of a domain name) */
+ if ((i = proxy_read(vpninfo, ssl_sock, buf, 5))) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error reading connect response from SOCKS proxy: %s\n"),
+ strerror(-i));
+ return i;
+ }
+ if (buf[0] != 5) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Unexpected connect response from SOCKS proxy: %02x %02x...\n"),
+ buf[0], buf[1]);
+ return -EIO;
+ }
+ if (buf[1])
+ goto socks_err;
+
+ /* Connect responses contain an address */
+ switch(buf[3]) {
+ case 1: /* Legacy IP */
+ i = 5;
+ break;
+ case 3: /* Domain name */
+ i = buf[4] + 2;
+ break;
+ case 4: /* IPv6 */
+ i = 17;
+ break;
+ default:
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Unexpected address type %02x in SOCKS connect response\n"),
+ buf[3]);
+ return -EIO;
+ }
+
+ if ((i = proxy_read(vpninfo, ssl_sock, buf, i))) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error reading connect response from SOCKS proxy: %s\n"),
+ strerror(-i));
+ return i;
+ }
+ return 0;
+}
+
+static int process_http_proxy(struct openconnect_info *vpninfo, int ssl_sock)
{
char buf[MAX_BUF_LEN];
- int count, buflen, result;
+ int buflen, result;
sprintf(buf, "CONNECT %s:%d HTTP/1.1\r\n", vpninfo->hostname, vpninfo->port);
sprintf(buf + strlen(buf), "Host: %s\r\n", vpninfo->hostname);
sprintf(buf + strlen(buf), "Accept-Encoding: identity\r\n");
sprintf(buf + strlen(buf), "\r\n");
- vpninfo->progress(vpninfo, PRG_INFO, "Requesting proxy connection to %s:%d\n",
- vpninfo->hostname, vpninfo->port);
+ vpn_progress(vpninfo, PRG_INFO,
+ _("Requesting HTTP proxy connection to %s:%d\n"),
+ vpninfo->hostname, vpninfo->port);
- buflen = strlen(buf);
- for (count = 0; count < buflen; ) {
- int i = write(ssl_sock, buf + count, buflen - count);
- if (i < 0) {
- i = -errno;
- vpninfo->progress(vpninfo, PRG_ERR, "Sending proxy request failed: %s\n",
- strerror(errno));
- return i;
- }
- count += i;
+ result = proxy_write(vpninfo, ssl_sock, (unsigned char *)buf, strlen(buf));
+ if (result) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Sending proxy request failed: %s\n"),
+ strerror(-result));
+ return result;
}
- if (proxy_gets(ssl_sock, buf, sizeof(buf)) < 0) {
- vpninfo->progress(vpninfo, PRG_ERR, "Error fetching proxy response\n");
+ if (proxy_gets(vpninfo, ssl_sock, buf, sizeof(buf)) < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Error fetching proxy response\n"));
return -EIO;
}
if (strncmp(buf, "HTTP/1.", 7) || (buf[7] != '0' && buf[7] != '1') ||
buf[8] != ' ' || !(result = atoi(buf+9))) {
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to parse proxy response '%s'\n",
- buf);
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to parse proxy response '%s'\n"), buf);
return -EINVAL;
}
if (result != 200) {
- vpninfo->progress(vpninfo, PRG_ERR, "Proxy CONNECT request failed: %s\n",
- buf);
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Proxy CONNECT request failed: %s\n"), buf);
return -EIO;
}
- while ((count = proxy_gets(ssl_sock, buf, sizeof(buf)))) {
- if (count < 0) {
- vpninfo->progress(vpninfo, PRG_ERR, "Failed to read proxy response\n");
+ while ((buflen = proxy_gets(vpninfo, ssl_sock, buf, sizeof(buf)))) {
+ if (buflen < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to read proxy response\n"));
return -EIO;
}
- vpninfo->progress(vpninfo, PRG_ERR,
- "Unexpected continuation line after CONNECT response: '%s'\n",
- buf);
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Unexpected continuation line after CONNECT response: '%s'\n"),
+ buf);
}
return 0;
}
+
+int process_proxy(struct openconnect_info *vpninfo, int ssl_sock)
+{
+ if (!vpninfo->proxy_type || !strcmp(vpninfo->proxy_type, "http"))
+ return process_http_proxy(vpninfo, ssl_sock);
+
+ if (!strcmp(vpninfo->proxy_type, "socks") ||
+ !strcmp(vpninfo->proxy_type, "socks5"))
+ return process_socks_proxy(vpninfo, ssl_sock);
+
+ vpn_progress(vpninfo, PRG_ERR, _("Unknown proxy type '%s'\n"),
+ vpninfo->proxy_type);
+ return -EIO;
+}
+
+int openconnect_set_http_proxy(struct openconnect_info *vpninfo, char *proxy)
+{
+ char *url = proxy;
+ int ret;
+
+ if (!url)
+ return -ENOMEM;
+
+ free(vpninfo->proxy_type);
+ vpninfo->proxy_type = NULL;
+ free(vpninfo->proxy);
+ vpninfo->proxy = NULL;
+
+ ret = internal_parse_url(url, &vpninfo->proxy_type, &vpninfo->proxy,
+ &vpninfo->proxy_port, NULL, 80);
+ if (ret)
+ goto out;
+
+ if (vpninfo->proxy_type &&
+ strcmp(vpninfo->proxy_type, "http") &&
+ strcmp(vpninfo->proxy_type, "socks") &&
+ strcmp(vpninfo->proxy_type, "socks5")) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Only http or socks(5) proxies supported\n"));
+ free(vpninfo->proxy_type);
+ vpninfo->proxy_type = NULL;
+ free(vpninfo->proxy);
+ vpninfo->proxy = NULL;
+ return -EINVAL;
+ }
+ out:
+ free(url);
+ return ret;
+}
projects / platform / upstream / openconnect.git / blobdiff