/*
* OpenConnect (SSL + DTLS) VPN client
*
- * Copyright © 2008-2010 Intel Corporation.
+ * Copyright © 2008-2012 Intel Corporation.
* Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
*
* Author: David Woodhouse <dwmw2@infradead.org>
#include <pwd.h>
#include <sys/stat.h>
#include <sys/types.h>
-
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-#include <openssl/engine.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
#include "openconnect-internal.h"
}
}
- if (closeconn || vpninfo->no_http_keepalive) {
- SSL_free(vpninfo->https_ssl);
- vpninfo->https_ssl = NULL;
- close(vpninfo->ssl_fd);
- vpninfo->ssl_fd = -1;
- }
+ if (closeconn || vpninfo->no_http_keepalive)
+ openconnect_close_https(vpninfo, 0);
if (body)
body[done] = 0;
char buf[MAX_BUF_LEN];
char *config_buf = NULL;
int result, buflen;
- unsigned char local_sha1_bin[SHA_DIGEST_LENGTH];
- char local_sha1_ascii[(SHA_DIGEST_LENGTH * 2)+1];
- EVP_MD_CTX c;
+ unsigned char local_sha1_bin[SHA1_SIZE];
+ char local_sha1_ascii[(SHA1_SIZE * 2)+1];
int i;
+ if (openconnect_open_https(vpninfo)) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to open HTTPS connection to %s\n"),
+ vpninfo->hostname);
+ return -EINVAL;
+ }
+
sprintf(buf, "GET %s%s HTTP/1.1\r\n", fu, bu);
sprintf(buf + strlen(buf), "Host: %s\r\n", vpninfo->hostname);
sprintf(buf + strlen(buf), "User-Agent: %s\r\n", vpninfo->useragent);
}
sprintf(buf + strlen(buf), "X-Transcend-Version: 1\r\n\r\n");
- SSL_write(vpninfo->https_ssl, buf, strlen(buf));
+ if (openconnect_SSL_write(vpninfo, buf, strlen(buf)) != strlen(buf)) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to send GET request for new config\n"));
+ return -EIO;
+ }
buflen = process_http_response(vpninfo, &result, NULL, &config_buf);
if (buflen < 0) {
return -EINVAL;
}
- EVP_MD_CTX_init(&c);
- EVP_Digest(config_buf, buflen, local_sha1_bin, NULL, EVP_sha1(), NULL);
- EVP_MD_CTX_cleanup(&c);
+ openconnect_sha1(local_sha1_bin, config_buf, buflen);
- for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+ for (i = 0; i < SHA1_SIZE; i++)
sprintf(&local_sha1_ascii[i*2], "%02x", local_sha1_bin[i]);
if (strcasecmp(server_sha1, local_sha1_ascii)) {
if (ret) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to write temporary CSD script file: %s\n"),
- strerror(ret));
+ strerror(-ret));
return ret;
}
fchmod(fd, 0755);
close(fd);
if (!fork()) {
- X509 *scert = SSL_get_peer_certificate(vpninfo->https_ssl);
- X509 *ccert = SSL_get_certificate(vpninfo->https_ssl);
- char scertbuf[EVP_MAX_MD_SIZE * 2 + 1];
- char ccertbuf[EVP_MAX_MD_SIZE * 2 + 1];
+ char scertbuf[MD5_SIZE * 2 + 1];
+ char ccertbuf[MD5_SIZE * 2 + 1];
char *csd_argv[32];
int i = 0;
- if (vpninfo->uid_csd != getuid()) {
+ if (vpninfo->uid_csd_given && vpninfo->uid_csd != getuid()) {
struct passwd *pw;
if (setuid(vpninfo->uid_csd)) {
exit(1);
}
}
- if (vpninfo->uid_csd == 0 && !vpninfo->csd_wrapper) {
+ if (getuid() == 0 && !vpninfo->csd_wrapper) {
fprintf(stderr, _("Warning: you are running insecure "
"CSD code with root privileges\n"
"\t Use command line option \"--csd-user\"\n"));
}
- if (vpninfo->uid_csd_given == 2) {
+ if (vpninfo->uid_csd_given == 2) {
/* The NM tool really needs not to get spurious output
on stdout, which the CSD trojan spews. */
dup2(2, 1);
if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->authgroup?:"") == -1)
return -ENOMEM;
- get_cert_md5_fingerprint(vpninfo, scert, scertbuf);
- if (ccert)
- get_cert_md5_fingerprint(vpninfo, ccert, ccertbuf);
- else
- ccertbuf[0] = 0;
-
+ openconnect_local_cert_md5(vpninfo, ccertbuf);
+ scertbuf[0] = 0;
+ get_cert_md5_fingerprint(vpninfo, vpninfo->peer_cert, scertbuf);
csd_argv[i++]= (char *)"-certhash";
if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
return -ENOMEM;
+
csd_argv[i++]= (char *)"-url";
if (asprintf(&csd_argv[i++], "\"https://%s%s\"", vpninfo->hostname, vpninfo->csd_starturl) == -1)
return -ENOMEM;
- /* WTF would it want to know this for? */
- csd_argv[i++]= (char *)"-vpnclient";
- csd_argv[i++]= (char *)"\"/opt/cisco/vpn/bin/vpnui";
- csd_argv[i++]= (char *)"-connect";
- if (asprintf(&csd_argv[i++], "https://%s/%s", vpninfo->hostname, vpninfo->csd_preurl) == -1)
- return -ENOMEM;
- csd_argv[i++]= (char *)"-connectparam";
- if (asprintf(&csd_argv[i++], "#csdtoken=%s\"", vpninfo->csd_token) == -1)
- return -ENOMEM;
+
csd_argv[i++]= (char *)"-langselen";
csd_argv[i++] = NULL;
return 0;
}
-#ifndef HAVE_STRCASESTR
-static char *openconnect__strcasestr(const char *haystack, const char *needle)
-{
- int hlen = strlen(haystack);
- int nlen = strlen(needle);
- int i, j;
-
- for (i = 0; i < hlen - nlen + 1; i++) {
- for (j = 0; j < nlen; j++) {
- if (tolower(haystack[i + j]) !=
- tolower(needle[j]))
- break;
- }
- if (j == nlen)
- return (char *)haystack + i;
- }
- return NULL;
-}
-#define strcasestr openconnect__strcasestr
-#endif
-
-
int internal_parse_url(char *url, char **res_proto, char **res_host,
int *res_port, char **res_path, int default_port)
{
/* Return value:
* < 0, on error
- * = 0, no cookie (user cancel)
- * = 1, obtained cookie
+ * > 0, no cookie (user cancel)
+ * = 0, obtained cookie
*/
int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
{
const char *request_body_type = NULL;
const char *method = "GET";
+ if (vpninfo->use_stoken) {
+ result = prepare_stoken(vpninfo);
+ if (result)
+ return result;
+ }
+
retry:
if (form_buf) {
free(form_buf);
form_buf = NULL;
}
- if (!vpninfo->https_ssl && openconnect_open_https(vpninfo)) {
+ if (openconnect_open_https(vpninfo)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to open HTTPS connection to %s\n"),
vpninfo->hostname);
_("Failed to parse redirected URL '%s': %s\n"),
vpninfo->redirect_url, strerror(-ret));
free(vpninfo->redirect_url);
+ vpninfo->redirect_url = NULL;
free(form_buf);
return ret;
}
/* Kill the existing connection, and a new one will happen */
free(vpninfo->peer_addr);
vpninfo->peer_addr = NULL;
- if (vpninfo->https_ssl) {
- SSL_free(vpninfo->https_ssl);
- vpninfo->https_ssl = NULL;
- close(vpninfo->ssl_fd);
- vpninfo->ssl_fd = -1;
- }
+ openconnect_close_https(vpninfo, 0);
for (opt = vpninfo->cookies; opt; opt = next) {
next = opt->next;
vpninfo->redirect_url = NULL;
goto retry;
+ } else if (strstr(vpninfo->redirect_url, "://")) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Cannot follow redirection to non-https URL '%s'\n"),
+ vpninfo->redirect_url);
+ free(vpninfo->redirect_url);
+ vpninfo->redirect_url = NULL;
+ free(form_buf);
+ return -EINVAL;
} else if (vpninfo->redirect_url[0] == '/') {
/* Absolute redirect within same host */
free(vpninfo->urlpath);
fu = tok + 3;
else if (!strncmp(tok, "fh:", 3)) {
if (!strncasecmp(tok+3, vpninfo->xmlsha1,
- SHA_DIGEST_LENGTH * 2))
+ SHA1_SIZE * 2))
break;
sha = tok + 3;
}