Handle TPM keys with their own authentication PIN
1 /*
2  * OpenConnect (SSL + DTLS) VPN client
3  *
4  * Copyright © 2008-2012 Intel Corporation.
5  * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
6  *
7  * Author: David Woodhouse <dwmw2@infradead.org>
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU Lesser General Public License
11  * version 2.1, as published by the Free Software Foundation.
12  *
13  * This program is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public
19  * License along with this library; if not, write to:
20  *
21  *   Free Software Foundation, Inc.
22  *   51 Franklin Street, Fifth Floor,
23  *   Boston, MA 02110-1301 USA
24  */
25
/* Include guard.
 * NOTE(review): identifiers starting with a double underscore are reserved
 * for the implementation (C11 7.1.3); a guard such as OPENCONNECT_INTERNAL_H
 * would stay out of the reserved namespace. Left unchanged here because
 * other translation units may test this exact macro. */
#ifndef __OPENCONNECT_INTERNAL_H__
#define __OPENCONNECT_INTERNAL_H__
28
29 #include "openconnect.h"
30
31 #if defined (OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
32 #include <openssl/ssl.h>
33 #include <openssl/err.h>
34 #endif
35 #if defined (OPENCONNECT_GNUTLS)
36 #include <gnutls/gnutls.h>
37 #include <gnutls/x509.h>
38 #ifdef HAVE_TROUSERS
39 #include <trousers/tss.h>
40 #include <trousers/trousers.h>
41 #endif
42 #endif
43
44 #include <zlib.h>
45 #include <stdint.h>
46 #include <sys/socket.h>
47 #include <sys/select.h>
48 #include <sys/time.h>
49 #include <sys/types.h>
50 #include <unistd.h>
51
52 #ifdef LIBPROXY_HDR
53 #include LIBPROXY_HDR
54 #endif
55
#ifdef ENABLE_NLS
#include <locale.h>
#include <libintl.h>
/* _(s): translate 's' at runtime through the "openconnect" gettext domain.
 * The result is a const string owned by gettext; never free or modify it. */
#define _(s) dgettext("openconnect", s)
#else
/* Without NLS, _() is the identity so call sites need no #ifdefs. */
#define _(s) s
#endif
/* N_(s): mark a string for extraction by the translation tools without
 * translating it where it appears (e.g. in static tables); the caller
 * translates it later with _(). */
#define N_(s) s
64
/* Raw digest lengths in bytes (a hex rendering needs 2*SIZE + 1 chars). */
#define SHA1_SIZE 20
#define MD5_SIZE 16
67
68 /****************************************************************************/
69
/*
 * One VPN packet held in an in-memory queue (see queue_packet() and the
 * incoming/outgoing queues in struct openconnect_info).
 *
 * hdr[] is an 8-byte header kept contiguous with data[] so the two can be
 * sent with a single write; data[] is a C99 flexible array member, so the
 * payload is allocated together with the struct.
 * NOTE(review): 'len' is a signed int; any code that derives it from
 * received bytes must reject negative or oversized values before using it
 * as a copy length — confirm in cstp.c/dtls.c.
 */
struct pkt {
	int len;		/* Payload length in bytes (presumably of data[]) */
	struct pkt *next;	/* Next packet in the queue, NULL at the tail */
	unsigned char hdr[8];	/* Framing header preceding the payload */
	unsigned char data[];	/* Payload, allocated with the struct */
};
76
/*
 * Singly-linked name/value list. Used for the HTTP cookies and for the
 * CSTP and DTLS options negotiated with the server (see the 'cookies',
 * 'cstp_options' and 'dtls_options' members of struct openconnect_info).
 * Both strings are non-const, so they are presumably heap-allocated and
 * owned by the list node — confirm against the code that frees the list.
 */
struct vpn_option {
	char *option;		/* Option/cookie name */
	char *value;		/* Option/cookie value */
	struct vpn_option *next;
};
82
/* Keepalive actions. Presumably the return values of keepalive_action()
 * (mainloop.c), telling the caller what the keepalive timers demand next:
 * nothing, send a DPD probe, peer considered dead, send a keepalive, or
 * rekey — confirm in mainloop.c. */
#define KA_NONE         0
#define KA_DPD          1
#define KA_DPD_DEAD     2
#define KA_KEEPALIVE    3
#define KA_REKEY        4
88
/*
 * Timer state for one transport (there is one instance for SSL/CSTP and
 * one for DTLS in struct openconnect_info). The three intervals are
 * compared against the time_t timestamps below, so they are presumably in
 * seconds; a value of 0 presumably disables the corresponding timer —
 * confirm in keepalive_action().
 */
struct keepalive_info {
	int dpd;		/* Dead Peer Detection interval */
	int keepalive;		/* Keepalive interval */
	int rekey;		/* Rekey interval */
	time_t last_rekey;	/* When the last rekey happened */
	time_t last_tx;		/* When we last sent anything */
	time_t last_rx;		/* When we last received anything */
	time_t last_dpd;	/* When the last DPD probe was sent */
};
98
/*
 * Singly-linked list of routes (or DNS domains — the same type is used for
 * 'split_dns', 'split_includes' and 'split_excludes' in
 * struct openconnect_info), as strings handed on to the vpnc script.
 */
struct split_include {
	char *route;
	struct split_include *next;
};
103
/*
 * Cache of PINs already entered for a given token, so the user is not
 * prompted repeatedly. Only referenced from the GnuTLS build (see the
 * 'pin_cache' member of struct openconnect_info).
 * NOTE(review): 'pin' is a secret held in plaintext for the life of the
 * list; the code that frees these nodes should wipe the PIN before
 * free() (memset alone may be optimised away) — confirm in the GnuTLS
 * backend.
 */
struct pin_cache {
	struct pin_cache *next;
	char *token;		/* Identifier of the token/key the PIN belongs to */
	char *pin;		/* The PIN itself (secret) */
};
109
/* Bounds for the reconnect back-off (compare 'reconnect_interval' in
 * struct openconnect_info); presumably seconds — confirm in cstp.c. */
#define RECONNECT_INTERVAL_MIN  10
#define RECONNECT_INTERVAL_MAX  100

/* Values for openconnect_info.cert_type: how the client certificate/key
 * given by the user is stored. CERT_TYPE_TPM is a key wrapped by a TPM
 * (TrouSerS build) and may need its own authentication PIN. */
#define CERT_TYPE_UNKNOWN       0
#define CERT_TYPE_PEM           1
#define CERT_TYPE_PKCS12        2
#define CERT_TYPE_TPM           3
117
/*
 * All per-session state of one VPN connection. Every internal function in
 * this header takes a pointer to it as 'vpninfo'.
 *
 * Ownership convention, as far as this header shows it: 'char *' members
 * are mutable strings the struct presumably owns, 'const char *' members
 * point at strings supplied by the caller/application — confirm per field
 * before freeing anything.
 *
 * Several members hold secret material (cert_password, password,
 * dtls_secret, pin_cache, TPM policies). NOTE(review): these should be
 * wiped before release with a non-elidable clear, not plain memset —
 * confirm in the teardown code.
 */
struct openconnect_info {
	char *redirect_url;	/* Location of an HTTP redirect to follow, if any */

	/* Cisco Secure Desktop (CSD) state received from the server */
	char *csd_token;
	char *csd_ticket;
	char *csd_stuburl;
	char *csd_starturl;
	char *csd_waiturl;
	char *csd_preurl;

	char *csd_scriptname;	/* Local path of the CSD script to execute */

#ifdef LIBPROXY_HDR
	pxProxyFactory *proxy_factory;	/* libproxy handle for automatic proxy discovery */
#endif
	char *proxy_type;	/* Proxy scheme (e.g. from the proxy URL) */
	char *proxy;		/* Proxy host */
	int proxy_port;

	const char *localname;	/* Local hostname reported to the server (caller-supplied) */
	char *hostname;		/* VPN server host */
	int port;		/* VPN server port */
	char *urlpath;		/* Path component of the server URL */
	int cert_expire_warning;	/* Warn if the client cert expires within this period */
	const char *cert;	/* Client certificate (path or identifier), see cert_type */
	const char *sslkey;	/* Client private key (path or identifier) */
	int cert_type;		/* One of CERT_TYPE_* */
	char *cert_password;	/* Passphrase/PIN for the client key — secret */
	const char *cafile;	/* Extra CA file used to validate the server cert */
	const char *servercert;	/* User-supplied server cert fingerprint to accept
				   (presumably used as an override when CA validation
				   fails — confirm in the validation code) */
	const char *xmlconfig;	/* Path of the XML config file */
	char xmlsha1[(SHA1_SIZE * 2) + 1];	/* Hex SHA-1 of the XML config, NUL-terminated */
	char *username;
	char *password;		/* User password — secret */
	char *authgroup;
	int nopasswd;		/* Non-zero: never prompt for a password */
	char *dtls_ciphers;	/* DTLS cipher list to offer */
	uid_t uid_csd;		/* uid to run the CSD script as (see uid_csd_given) */
	char *csd_wrapper;	/* Wrapper script to run instead of the downloaded CSD binary */
	int uid_csd_given;	/* Non-zero when uid_csd was explicitly configured */
	int no_http_keepalive;	/* Non-zero: open a fresh HTTPS connection per request */

	OPENCONNECT_X509 *peer_cert;	/* Server certificate as presented in the handshake */

	char *cookie; /* Pointer to within cookies list */
	struct vpn_option *cookies;	/* HTTP cookies (the webvpn session cookie lives here) */
	struct vpn_option *cstp_options;	/* X-CSTP-* options from the server */
	struct vpn_option *dtls_options;	/* X-DTLS-* options from the server */

#if defined(OPENCONNECT_OPENSSL)
	X509 *cert_x509;	/* Loaded client certificate */
	SSL_CTX *https_ctx;
	SSL *https_ssl;		/* Main HTTPS/CSTP session */
#elif defined(OPENCONNECT_GNUTLS)
	gnutls_session_t https_sess;	/* Main HTTPS/CSTP session */
	gnutls_certificate_credentials_t https_cred;
	struct pin_cache *pin_cache;	/* PINs already entered for tokens (secret) */
#ifdef HAVE_TROUSERS
	/* TPM 1.2 (TrouSerS) handles for a CERT_TYPE_TPM key. The user key has
	   its own policy object so that a key-specific authentication PIN can be
	   set independently of the SRK policy. */
	TSS_HCONTEXT tpm_context;
	TSS_HKEY srk;			/* Storage root key (presumably) */
	TSS_HPOLICY srk_policy;		/* Policy (auth secret) for the SRK */
	TSS_HKEY tpm_key;		/* The wrapped user key */
	TSS_HPOLICY tpm_key_policy;	/* Policy (auth PIN) for the user key */
#endif
#endif
	struct keepalive_info ssl_times;	/* Keepalive/DPD timers for the SSL transport */
	int owe_ssl_dpd_response;	/* Non-zero: a DPD response is due on the SSL link */
	struct pkt *deflate_pkt;	/* Scratch packet used for compression output */
	struct pkt *current_ssl_pkt;	/* Packet currently being written on the SSL link */
	struct pkt *pending_deflated_pkt;	/* Original of deflate_pkt, still to be acknowledged */

	z_stream inflate_strm;	/* zlib state for incoming compressed packets */
	uint32_t inflate_adler32;	/* Running Adler-32 over inflated data */
	z_stream deflate_strm;	/* zlib state for outgoing compressed packets */
	uint32_t deflate_adler32;	/* Running Adler-32 over deflated input */

	int disable_ipv6;	/* Non-zero: do not request IPv6 config from the server */
	int reconnect_timeout;	/* Give up reconnecting after this long */
	int reconnect_interval;	/* Current back-off between reconnect attempts
				   (bounded by RECONNECT_INTERVAL_MIN/MAX) */
	int dtls_attempt_period;	/* How often to retry the DTLS handshake */
	time_t new_dtls_started;	/* When the pending DTLS handshake was started */
#if defined(DTLS_OPENSSL)
	SSL_CTX *dtls_ctx;
	SSL *dtls_ssl;		/* Established DTLS session, NULL if none */
	SSL *new_dtls_ssl;	/* DTLS session currently handshaking, NULL if none */
	SSL_SESSION *dtls_session;	/* Resumption session built from dtls_session_id/dtls_secret */
#elif defined(DTLS_GNUTLS)
	/* Call these *_ssl rather than *_sess because they're just
	   pointers, and generic code (in mainloop.c for example)
	   wants to check if they're NULL or not. No point in being
	   differently named to the OpenSSL variant, and forcing us to
	   have ifdefs or accessor macros for them. */
	gnutls_session_t dtls_ssl;
	gnutls_session_t new_dtls_ssl;
#endif
	struct keepalive_info dtls_times;	/* Keepalive/DPD timers for the DTLS transport */
	unsigned char dtls_session_id[32];	/* Session ID handed out by the server for DTLS resumption */
	unsigned char dtls_secret[48];		/* Shared secret for the DTLS session (48 bytes,
						   presumably the TLS master secret) — secret material */

	char *dtls_cipher;	/* Cipher chosen for DTLS */
	const char *vpnc_script;	/* Script that configures routing/DNS (caller-supplied) */
	int script_tun;		/* Non-zero: the script owns the tun device instead of us */
	char *ifname;		/* Name of the tun interface */

	int mtu, basemtu;
	/* Network configuration pushed by the server; handed to vpnc_script */
	const char *banner;
	const char *vpn_addr;
	const char *vpn_netmask;
	const char *vpn_addr6;
	const char *vpn_netmask6;
	const char *vpn_dns[3];
	const char *vpn_nbns[3];
	const char *vpn_domain;
	const char *vpn_proxy_pac;
	struct split_include *split_dns;
	struct split_include *split_includes;
	struct split_include *split_excludes;

	/* fd_sets maintained for the main loop's select(); see vpn_add_pollfd() */
	int select_nfds;
	fd_set select_rfds;
	fd_set select_wfds;
	fd_set select_efds;

#ifdef __sun__
	int ip_fd;		/* Solaris: IP stream fds for the tun plumbing */
	int ip6_fd;
#endif
	int tun_fd;		/* tun device (or the script's socket when script_tun) */
	int ssl_fd;		/* TCP socket under the HTTPS/CSTP session */
	int dtls_fd;		/* UDP socket of the established DTLS session */
	int new_dtls_fd;	/* UDP socket of the DTLS session being handshaken */
	int cancel_fd;		/* fd the application can make readable to abort the main loop (presumably) */

	struct pkt *incoming_queue;	/* Packets received from the VPN, waiting for the tun */
	struct pkt *outgoing_queue;	/* Packets read from the tun, waiting to be sent */
	int outgoing_qlen;	/* Current length of outgoing_queue */
	int max_qlen;		/* Bound on outgoing_qlen before reads from the tun stop */

	socklen_t peer_addrlen;
	struct sockaddr *peer_addr;	/* Resolved address of the VPN server (SSL) */
	struct sockaddr *dtls_addr;	/* Address used for DTLS (may differ in port) */

	int deflate;		/* Non-zero: CSTP compression negotiated */
	char *useragent;	/* User-Agent string sent in HTTP requests */

	const char *quit_reason;	/* Why the main loop is exiting, for cstp_bye() */

	/* Application callbacks and the opaque pointer passed to each of them */
	void *cbdata;
	openconnect_validate_peer_cert_vfn validate_peer_cert;	/* Called when server cert validation fails */
	openconnect_write_new_config_vfn write_new_config;	/* Called with a new XML config to persist */
	openconnect_process_auth_form_vfn process_auth_form;	/* Called to fill in an auth form */
	openconnect_progress_vfn progress;	/* Logging; invoked via vpn_progress() */
};
271
/* DTLS support needs a crypto library that can inject the pre-shared
 * master secret into a session: OpenSSL with the Cisco AnyConnect
 * compatibility option, or GnuTLS with gnutls_session_set_premaster(). */
#if (defined (DTLS_OPENSSL) && defined (SSL_OP_CISCO_ANYCONNECT)) || \
    (defined (DTLS_GNUTLS) && defined (HAVE_GNUTLS_SESSION_SET_PREMASTER))
#define HAVE_DTLS 1
#endif
276
277 /* Packet types */
278
/* Packet type byte of the CSTP/DTLS framing header. Values are received
 * from the network; code switching on them must treat anything not listed
 * here as unknown rather than assuming a valid type. */
#define AC_PKT_DATA             0       /* Uncompressed data */
#define AC_PKT_DPD_OUT          3       /* Dead Peer Detection */
#define AC_PKT_DPD_RESP         4       /* DPD response */
#define AC_PKT_DISCONN          5       /* Client disconnection notice */
#define AC_PKT_KEEPALIVE        7       /* Keepalive */
#define AC_PKT_COMPRESSED       8       /* Compressed data */
#define AC_PKT_TERM_SERVER      9       /* Server kick */
286
287 /* Ick */
/* OpenSSL 0.9.9+ returns its SSL_METHOD objects const-qualified; earlier
 * versions do not. method_const lets one declaration compile against both. */
#ifdef DTLS_OPENSSL
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
#define method_const const
#else
#define method_const
#endif
#endif
295
/* Log through the application's progress callback, passing its cbdata.
 * The variadic arguments (level, printf-style format, args) go through
 * unchanged; the format must therefore always be a literal or a
 * translated literal, never data received from the network or the user. */
#define vpn_progress(vpninfo, ...) (vpninfo)->progress ((vpninfo)->cbdata, __VA_ARGS__)
297
298 /****************************************************************************/
299 /* Oh Solaris how we hate thee! */
/* Portability shims, implemented in the library where the platform lacks
 * the function (or, on Solaris, where time() needs a replacement). */
#ifdef __sun__
#define time(x) openconnect__time(x)
time_t openconnect__time(time_t *t);
#endif
#ifndef HAVE_ASPRINTF
/* asprintf() replacement: allocates *strp; caller frees it. */
#define asprintf openconnect__asprintf
int openconnect__asprintf(char **strp, const char *fmt, ...);
#endif
#ifndef HAVE_GETLINE
/* getline() replacement with the POSIX contract: *lineptr/*n may be
 * grown with realloc; caller frees *lineptr. */
#define getline openconnect__getline
ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
#endif
312
313 /****************************************************************************/
314
315 /* tun.c */
/* Create/configure the tun device (or hand it to vpnc_script when
 * script_tun is set); returns 0 on success, non-zero on failure. */
int setup_tun(struct openconnect_info *vpninfo);
/* One iteration of tun I/O; *timeout is the select() timeout to be
 * shortened if there is pending work. */
int tun_mainloop(struct openconnect_info *vpninfo, int *timeout);
void shutdown_tun(struct openconnect_info *vpninfo);
/* Run vpnc_script with the given 'reason' (e.g. connect/disconnect).
 * NOTE(review): the script receives server-supplied config via the
 * environment; values should be validated before being exported —
 * confirm in tun.c. */
int script_config_tun (struct openconnect_info *vpninfo, const char *reason);
320
321 /* dtls.c */
/* Decode one byte from two hex digits at 'data'. No length or validity
 * check is visible in the signature: callers must ensure two characters
 * are present and, where the input comes from the server, that they are
 * hex digits. */
unsigned char unhex(const char *data);
/* Bring up DTLS using the session id / secret negotiated over CSTP.
 * Returns 0 on success, non-zero on failure. */
int setup_dtls(struct openconnect_info *vpninfo);
/* One iteration of DTLS I/O; *timeout as for tun_mainloop(). */
int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
/* Drive the handshake of new_dtls_ssl forward. */
int dtls_try_handshake(struct openconnect_info *vpninfo);
/* Create and connect the UDP socket for a new DTLS session. */
int connect_dtls_socket(struct openconnect_info *vpninfo);
327
328 /* cstp.c */
/* Perform the CONNECT handshake over HTTPS and parse the X-CSTP-*/X-DTLS-*
 * options into the struct. Returns 0 on success, non-zero on failure. */
int make_cstp_connection(struct openconnect_info *vpninfo);
/* One iteration of CSTP (SSL tunnel) I/O; *timeout as for tun_mainloop(). */
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);
/* Send a disconnect notice with 'reason' and tear the tunnel down. */
int cstp_bye(struct openconnect_info *vpninfo, const char *reason);
/* Re-establish the CSTP tunnel after a failure, honouring
 * reconnect_interval/reconnect_timeout. */
int cstp_reconnect(struct openconnect_info *vpninfo);
333
334 /* ssl.c */
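/* Resolve the server and open the TCP socket for HTTPS (via the proxy if
 * one is configured); returns the fd or a negative value on failure. */
int connect_https_socket(struct openconnect_info *vpninfo);
/* Prompt the user for a passphrase/PIN; the prompt is built from the
 * printf-style 'fmt'. On success *response receives the entered string
 * (presumably heap-allocated; the caller frees it — confirm in ssl.c).
 * The format attribute matches the one on openconnect_SSL_printf() below
 * so -Wformat checks these calls too; 'fmt' is parameter 3 and the
 * variadic arguments start at 4. */
int  __attribute__ ((format (printf, 3, 4)))
    request_passphrase(struct openconnect_info *vpninfo,
		       char **response, const char *fmt, ...);
/* printf-style write to the HTTPS session. */
int  __attribute__ ((format (printf, 2, 3)))
    openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
#if defined(OPENCONNECT_OPENSSL) || defined (DTLS_OPENSSL)
/* Drain the OpenSSL error queue through vpn_progress(). */
void openconnect_report_ssl_errors(struct openconnect_info *vpninfo);
#endif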
343
344 /* ${SSL_LIBRARY}.c */
/* Backend-specific primitives, implemented once per crypto library. */
/* Read one line from the HTTPS session into buf (at most len bytes). */
int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len);
int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len);
int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
/* Establish the TLS session on a fresh socket, loading the client cert
 * (prompting for cert_password / the TPM PIN as needed) and validating
 * the server cert against cafile/servercert/validate_peer_cert. */
int openconnect_open_https(struct openconnect_info *vpninfo);
/* Shut the TLS session; 'final' non-zero means no reconnect will follow. */
void openconnect_close_https(struct openconnect_info *vpninfo, int final);
/* Hex MD5 fingerprint of 'cert' into buf. NOTE(review): buf needs
 * MD5_SIZE * 2 + 1 bytes; the size is not passed, so callers are trusted
 * to provide it. MD5 is not collision resistant — fine for display, but
 * not on its own as a trust anchor. */
int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
			     char *buf);
/* SHA-1 of data[0..len) into result, which needs SHA1_SIZE bytes.
 * NOTE(review): 'len' is a signed int; negative values must be rejected
 * before reaching the backend. */
int openconnect_sha1(unsigned char *result, void *data, int len);
/* Fill 'bytes' with len random bytes. NOTE(review): used for session
 * material, so this must be backed by the crypto library's CSPRNG and
 * every caller must check the return value — confirm in both backends. */
int openconnect_random(void *bytes, int len);
/* Hex MD5 fingerprint of our own client cert into buf (same size caveat
 * as get_cert_md5_fingerprint()). */
int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
			       char *buf);
356
357 /* mainloop.c */
/* Register fd in the select_* sets for the given events. */
int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);
/* Run the tunnel until cancelled, killed or fatally failed. */
int vpn_mainloop(struct openconnect_info *vpninfo);
/* Allocate a struct pkt holding a copy of buf[0..len) and append it to *q.
 * NOTE(review): 'len' is a signed int; callers must not pass negative or
 * untrusted lengths unchecked. */
int queue_new_packet(struct pkt **q, void *buf, int len);
/* Append an already-allocated packet to the tail of *q (takes ownership). */
void queue_packet(struct pkt **q, struct pkt *new);
/* Decide the next keepalive action (KA_*) for 'ka', shortening *timeout
 * to the time until it is due. */
int keepalive_action(struct keepalive_info *ka, int *timeout);
/* Time until a stalled DPD exchange should be considered dead. */
int ka_stalled_dpd_time(struct keepalive_info *ka, int *timeout);

/* Set asynchronously to make the main loop exit. NOTE(review): if this is
 * written from a signal handler it should be declared
 * 'volatile sig_atomic_t' rather than plain int — confirm in main.c. */
extern int killed;
366
367 /* xml.c */
/* Look 'host' up in the XML config (xmlconfig) and update hostname/port
 * etc. from the matching entry; also verifies xmlsha1 against the file. */
int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
369
370 /* auth.c */
/* Parse the server's XML auth response and, via process_auth_form, build
 * the next request. 'request_body' is a caller-supplied buffer of req_len
 * bytes; *method and *request_body_type receive the HTTP method and
 * Content-Type to use. 'response' is untrusted server data. */
int parse_xml_response(struct openconnect_info *vpninfo, char *response,
		       char *request_body, int req_len, const char **method,
		       const char **request_body_type);
374
375 /* http.c */
/* Build the User-Agent string from 'base' plus the library version;
 * returns a heap string the caller owns. */
char *openconnect_create_useragent(const char *base);
/* Negotiate through the configured proxy on ssl_sock before TLS starts. */
int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
/* Split 'url' into protocol, host, port and path; unset parts get
 * default_port / NULL. 'url' is non-const and may be modified in place —
 * confirm in http.c before passing a string you still need intact. */
int internal_parse_url(char *url, char **res_proto, char **res_host,
		       int *res_port, char **res_path, int default_port);
380
381 /* ssl_ui.c */
/* Install the OpenSSL UI method used to prompt for key passphrases. */
int set_openssl_ui(void);
383
384 /* securid.c */
/* Generate the SecurID tokencodes for the current and next code windows. */
int generate_securid_tokencodes(struct openconnect_info *vpninfo);
/* Combine a token code with the user PIN in place. NOTE(review): 'pin' is
 * a secret passed as a mutable string; the caller remains responsible for
 * wiping it. */
int add_securid_pin(char *token, char *pin);
387
388 /* version.c */
/* Library version string, defined in version.c. */
extern const char *openconnect_version_str;
390
391 #endif /* __OPENCONNECT_INTERNAL_H__ */