Switch from Android's keystore_get() to our own keystore_fetch()
1 /*
2  * OpenConnect (SSL + DTLS) VPN client
3  *
4  * Copyright © 2008-2012 Intel Corporation.
5  * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
6  *
7  * Author: David Woodhouse <dwmw2@infradead.org>
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU Lesser General Public License
11  * version 2.1, as published by the Free Software Foundation.
12  *
13  * This program is distributed in the hope that it will be useful, but
14  * WITHOUT ANY WARRANTY; without even the implied warranty of
15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
16  * Lesser General Public License for more details.
17  *
18  * You should have received a copy of the GNU Lesser General Public
19  * License along with this library; if not, write to:
20  *
21  *   Free Software Foundation, Inc.
22  *   51 Franklin Street, Fifth Floor,
23  *   Boston, MA 02110-1301 USA
24  */
25
26 #ifndef __OPENCONNECT_INTERNAL_H__
27 #define __OPENCONNECT_INTERNAL_H__
28
29 #include "openconnect.h"
30
31 #if defined (OPENCONNECT_OPENSSL) || defined(DTLS_OPENSSL)
32 #include <openssl/ssl.h>
33 #include <openssl/err.h>
34 /* Ick */
35 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
36 #define method_const const
37 #else
38 #define method_const
39 #endif
40 #endif /* OPENSSL */
41
42 #if defined (OPENCONNECT_GNUTLS)
43 #include <gnutls/gnutls.h>
44 #include <gnutls/abstract.h>
45 #include <gnutls/x509.h>
46 #ifdef HAVE_TROUSERS
47 #include <trousers/tss.h>
48 #include <trousers/trousers.h>
49 #endif
50 #endif
51
52 #include <zlib.h>
53 #include <stdint.h>
54 #include <sys/socket.h>
55 #include <sys/select.h>
56 #include <sys/time.h>
57 #include <sys/types.h>
58 #include <unistd.h>
59
60 #ifdef LIBPROXY_HDR
61 #include LIBPROXY_HDR
62 #endif
63
64 #ifdef ENABLE_NLS
65 #include <locale.h>
66 #include <libintl.h>
67 #define _(s) dgettext("openconnect", s)
68 #else
69 #define _(s) s
70 #endif
71 #define N_(s) s
72
73 #define SHA1_SIZE 20
74 #define MD5_SIZE 16
75
76 /****************************************************************************/
77
/* One queued packet.  The fixed 8-byte header and the payload live in a
   single allocation thanks to the flexible array member; packets are
   created and queued by queue_new_packet()/queue_packet() in mainloop.c
   (declared below). */
struct pkt {
        int len;                /* payload length in bytes — presumably the bytes valid in data[]; confirm against queue_new_packet() */
        struct pkt *next;       /* singly-linked queue link (incoming_queue / outgoing_queue) */
        unsigned char hdr[8];   /* fixed 8-byte header buffer, not a C string */
        unsigned char data[];   /* flexible array member: payload follows the struct */
};
84
/* A name/value pair in a singly-linked list.  Used for the cookies,
   cstp_options and dtls_options lists in struct openconnect_info. */
struct vpn_option {
        char *option;           /* option name */
        char *value;            /* option value; vpninfo->cookie points into one of these for the cookies list */
        struct vpn_option *next;
};
90
/* Keepalive actions — presumably the values returned by
   keepalive_action() (declared below); confirm in mainloop.c.
   DPD = Dead Peer Detection (see the AC_PKT_DPD_* packet types). */
#define KA_NONE         0
#define KA_DPD          1
#define KA_DPD_DEAD     2
#define KA_KEEPALIVE    3
#define KA_REKEY        4
96
/* Timing state for one transport; there is one instance for the TLS link
   (ssl_times) and one for DTLS (dtls_times) in struct openconnect_info.
   Consumed by keepalive_action() and ka_stalled_dpd_time() in mainloop.c. */
struct keepalive_info {
        int dpd;                /* DPD interval — units not stated here, presumably seconds */
        int keepalive;          /* keepalive interval — same caveat */
        int rekey;              /* rekey interval — same caveat */
        time_t last_rekey;      /* timestamps of the last rekey / transmit / receive / DPD */
        time_t last_tx;
        time_t last_rx;
        time_t last_dpd;
};
106
/* Singly-linked list of route strings, used for the split_dns,
   split_includes and split_excludes lists in struct openconnect_info. */
struct split_include {
        char *route;            /* route text as received; format not constrained here */
        struct split_include *next;
};
111
/* Singly-linked list of token -> PIN entries; only referenced from the
   GnuTLS-specific pin_cache field of struct openconnect_info.
   NOTE(review): pin is a secret — confirm it is cleared before free. */
struct pin_cache {
        struct pin_cache *next;
        char *token;            /* token identifier the PIN belongs to */
        char *pin;              /* the cached PIN (secret) */
};
117
/* Bounds for the reconnect_interval field of struct openconnect_info —
   presumably; units are not stated here. */
#define RECONNECT_INTERVAL_MIN  10
#define RECONNECT_INTERVAL_MAX  100

/* Values for the cert_type field of struct openconnect_info: how the
   client certificate/key in `cert`/`sslkey` is stored. */
#define CERT_TYPE_UNKNOWN       0
#define CERT_TYPE_PEM           1
#define CERT_TYPE_PKCS12        2
#define CERT_TYPE_TPM           3
125
/* Per-connection state shared by every translation unit of the library.
   Comments below are limited to what this header itself shows.
   NOTE(review): several fields hold secrets (password, cert_password,
   dtls_secret, pin_cache) — confirm they are cleared on teardown rather
   than just freed. */
struct openconnect_info {
        char *redirect_url;

        /* csd_* state; the script named by csd_scriptname is presumably
           run as uid_csd when uid_csd_given is set — the logic is in a
           .c file, confirm there. */
        char *csd_token;
        char *csd_ticket;
        char *csd_stuburl;
        char *csd_starturl;
        char *csd_waiturl;
        char *csd_preurl;

        char *csd_scriptname;

#ifdef LIBPROXY_HDR
        pxProxyFactory *proxy_factory;  /* only present in libproxy builds */
#endif
        char *proxy_type;
        char *proxy;
        int proxy_port;

        const char *localname;
        char *hostname;
        int port;
        char *urlpath;
        int cert_expire_warning;
        const char *cert;               /* client certificate; cert_type says how it is stored — presumably */
        const char *sslkey;
        int cert_type;                  /* one of CERT_TYPE_* above */
        char *cert_password;            /* secret */
        const char *cafile;
        const char *servercert;
        const char *xmlconfig;
        char xmlsha1[(SHA1_SIZE * 2) + 1];      /* sized for a hex-encoded SHA1 digest plus NUL */
        char *username;
        char *password;                 /* secret */
        char *authgroup;
        int nopasswd;
        char *dtls_ciphers;
        uid_t uid_csd;                  /* only meaningful when uid_csd_given is set — presumably */
        char *csd_wrapper;
        int uid_csd_given;
        int no_http_keepalive;

        OPENCONNECT_X509 *peer_cert;    /* backend-neutral certificate handle from openconnect.h */

        char *cookie; /* Pointer to within cookies list */
        struct vpn_option *cookies;
        struct vpn_option *cstp_options;
        struct vpn_option *dtls_options;

        /* TLS backend state: exactly one of the two branches is compiled. */
#if defined(OPENCONNECT_OPENSSL)
        X509 *cert_x509;
        SSL_CTX *https_ctx;
        SSL *https_ssl;
#elif defined(OPENCONNECT_GNUTLS)
        gnutls_session_t https_sess;
        gnutls_certificate_credentials_t https_cred;
        struct pin_cache *pin_cache;    /* cached token PINs (secrets); GnuTLS builds only */
#ifdef HAVE_TROUSERS
        TSS_HCONTEXT tpm_context;       /* TrouSerS (TPM 1.2) handles; GnuTLS + HAVE_TROUSERS only */
        TSS_HKEY srk;
        TSS_HPOLICY srk_policy;
        TSS_HKEY tpm_key;
        TSS_HPOLICY tpm_key_policy;
#endif
#ifndef HAVE_GNUTLS_CERTIFICATE_SET_KEY
        /* Fallback key/cert storage used only when GnuTLS lacks
           gnutls_certificate_set_key(). */
#ifdef HAVE_P11KIT
        gnutls_pkcs11_privkey_t my_p11key;
#endif
        gnutls_privkey_t my_pkey;
        gnutls_x509_crt_t *my_certs;
        unsigned int nr_my_certs;       /* number of entries in my_certs — presumably */
#endif
#endif /* OPENCONNECT_GNUTLS */
        struct keepalive_info ssl_times;        /* timing for the TLS (CSTP) link */
        int owe_ssl_dpd_response;
        struct pkt *deflate_pkt;
        struct pkt *current_ssl_pkt;
        struct pkt *pending_deflated_pkt;

        z_stream inflate_strm;                  /* zlib streams for compressed packets (AC_PKT_COMPRESSED) */
        uint32_t inflate_adler32;
        z_stream deflate_strm;
        uint32_t deflate_adler32;

        int disable_ipv6;
        int reconnect_timeout;
        int reconnect_interval;                 /* see RECONNECT_INTERVAL_MIN/MAX */
        int dtls_attempt_period;
        time_t new_dtls_started;
        /* DTLS backend state: exactly one of the two branches is compiled. */
#if defined(DTLS_OPENSSL)
        SSL_CTX *dtls_ctx;
        SSL *dtls_ssl;
        SSL *new_dtls_ssl;
        SSL_SESSION *dtls_session;
#elif defined(DTLS_GNUTLS)
        /* Call these *_ssl rather than *_sess because they're just
           pointers, and generic code (in mainloop.c for example)
           wants to check if they're NULL or not. No point in being
           differently named to the OpenSSL variant, and forcing us to
           have ifdefs or accessor macros for them. */
        gnutls_session_t dtls_ssl;
        gnutls_session_t new_dtls_ssl;
#endif
        struct keepalive_info dtls_times;       /* timing for the DTLS link */
        unsigned char dtls_session_id[32];      /* fixed-size raw bytes, not a C string */
        unsigned char dtls_secret[48];          /* secret key material, raw bytes; 48 bytes matches a TLS master secret — confirm */

        char *dtls_cipher;
        const char *vpnc_script;                /* script run by script_config_tun() in tun.c — presumably */
        int script_tun;
        char *ifname;

        int mtu, basemtu;
        const char *banner;
        const char *vpn_addr;
        const char *vpn_netmask;
        const char *vpn_addr6;
        const char *vpn_netmask6;
        const char *vpn_dns[3];                 /* at most three DNS servers */
        const char *vpn_nbns[3];                /* at most three NBNS servers */
        const char *vpn_domain;
        const char *vpn_proxy_pac;
        struct split_include *split_dns;
        struct split_include *split_includes;
        struct split_include *split_excludes;

        int select_nfds;                        /* select() bookkeeping; see vpn_add_pollfd() in mainloop.c */
        fd_set select_rfds;
        fd_set select_wfds;
        fd_set select_efds;

#ifdef __sun__
        int ip_fd;                              /* Solaris-only IP/IPv6 device descriptors */
        int ip6_fd;
#endif
        int tun_fd;
        int ssl_fd;
        int dtls_fd;
        int new_dtls_fd;
        int cancel_fd;                          /* presumably an fd the embedder uses to interrupt the mainloop — confirm */

        struct pkt *incoming_queue;
        struct pkt *outgoing_queue;
        int outgoing_qlen;
        int max_qlen;

        socklen_t peer_addrlen;                 /* size of *peer_addr — presumably */
        struct sockaddr *peer_addr;
        struct sockaddr *dtls_addr;

        int deflate;
        char *useragent;                        /* see openconnect_create_useragent() in http.c */

        const char *quit_reason;

        /* Embedder callbacks; cbdata is passed to progress by the
           vpn_progress() macro below and presumably to the others too. */
        void *cbdata;
        openconnect_validate_peer_cert_vfn validate_peer_cert;
        openconnect_write_new_config_vfn write_new_config;
        openconnect_process_auth_form_vfn process_auth_form;
        openconnect_progress_vfn progress;
};
287
/* DTLS is only available when the chosen backend can do the AnyConnect
   handshake: OpenSSL with SSL_OP_CISCO_ANYCONNECT, or GnuTLS with
   gnutls_session_set_premaster(). */
#if (defined (DTLS_OPENSSL) && defined (SSL_OP_CISCO_ANYCONNECT)) || \
    (defined (DTLS_GNUTLS) && defined (HAVE_GNUTLS_SESSION_SET_PREMASTER))
#define HAVE_DTLS 1
#endif
292
/* Packet types */
/* Values 1, 2 and 6 are deliberately absent here; unknown types must be
   handled by the receive path, since these bytes come from the peer. */

#define AC_PKT_DATA             0       /* Uncompressed data */
#define AC_PKT_DPD_OUT          3       /* Dead Peer Detection */
#define AC_PKT_DPD_RESP         4       /* DPD response */
#define AC_PKT_DISCONN          5       /* Client disconnection notice */
#define AC_PKT_KEEPALIVE        7       /* Keepalive */
#define AC_PKT_COMPRESSED       8       /* Compressed data */
#define AC_PKT_TERM_SERVER      9       /* Server kick */

/* Calls the embedder's progress callback with its cbdata.  The vpninfo
   argument is expanded twice, so pass a plain pointer, not an expression
   with side effects. */
#define vpn_progress(vpninfo, ...) (vpninfo)->progress ((vpninfo)->cbdata, __VA_ARGS__)
304
/****************************************************************************/
/* Oh Solaris how we hate thee! */
/* Portability shims.  Each macro redirects a libc name to an
   openconnect__ replacement; the replacement is only declared when the
   platform lacks (or misbehaves in) the original. */
#ifdef __sun__
#define time(x) openconnect__time(x)    /* shadows libc time() for every file including this header */
time_t openconnect__time(time_t *t);
#endif
#ifndef HAVE_ASPRINTF
#define asprintf openconnect__asprintf
int openconnect__asprintf(char **strp, const char *fmt, ...);   /* no format attribute here, so -Wformat cannot check callers of the shim */
#endif
#ifndef HAVE_GETLINE
#define getline openconnect__getline
ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
#endif
319
320 /****************************************************************************/
321
/* tun.c */
int setup_tun(struct openconnect_info *vpninfo);
int tun_mainloop(struct openconnect_info *vpninfo, int *timeout);   /* *timeout is shared with the other *_mainloop() functions — presumably in/out; confirm */
void shutdown_tun(struct openconnect_info *vpninfo);
/* Runs vpnc_script (see struct openconnect_info) for `reason` —
   presumably.  Since a configured path is executed, confirm in tun.c
   that it comes only from the embedder/command line. */
int script_config_tun (struct openconnect_info *vpninfo, const char *reason);
327
/* dtls.c */
/* Decodes one byte from two hex characters — presumably; nothing here
   bounds or validates `data`, so confirm in dtls.c how malformed input
   is treated. */
unsigned char unhex(const char *data);
int setup_dtls(struct openconnect_info *vpninfo);
int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
int dtls_try_handshake(struct openconnect_info *vpninfo);
int connect_dtls_socket(struct openconnect_info *vpninfo);
334
/* cstp.c */
int make_cstp_connection(struct openconnect_info *vpninfo);
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);
int cstp_bye(struct openconnect_info *vpninfo, const char *reason);    /* sends the disconnect notice (AC_PKT_DISCONN) — presumably */
int cstp_reconnect(struct openconnect_info *vpninfo);
340
/* ssl.c */
int connect_https_socket(struct openconnect_info *vpninfo);
/* Obtains a passphrase into *response.  fmt/... presumably build the
   prompt text, so callers must pass a literal format string, never
   external text.  Who frees *response is not stated here — confirm in
   ssl.c.  Unlike openconnect_SSL_printf() below, this declaration has no
   format attribute, so -Wformat cannot check its callers; consider
   __attribute__ ((format (printf, 4, 5))). */
int request_passphrase(struct openconnect_info *vpninfo, const char *label,
                       char **response, const char *fmt, ...);
/* printf-style write, presumably to the HTTPS connection.  The format
   attribute lets -Wformat verify callers' arguments. */
int  __attribute__ ((format (printf, 2, 3)))
    openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
/* Callback with the shape OpenSSL's ERR_print_errors_cb() expects; ptr is
   the value the macro below passes through. */
int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
/* Expands to an OpenSSL API, so it is only usable in builds that include
   <openssl/err.h> (see the OPENSSL block at the top of this header). */
#define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
/* A fake-keystore build takes exactly the same code path as a real
   Android one. */
#ifdef FAKE_ANDROID_KEYSTORE
#define ANDROID_KEYSTORE
#endif
#ifdef ANDROID_KEYSTORE
/* Maps an error value to a message string, cf. strerror() — presumably. */
char *keystore_strerror(int err);
/* Fetches the keystore entry named `key` into a buffer supplied via
   *result.  Presumably the int return is a byte count on success and an
   error code (for keystore_strerror()) on failure — confirm in ssl.c.
   Nothing here says *result is NUL-terminated or who frees it; callers
   should treat it as raw bytes of the returned length and confirm
   ownership before freeing. */
int keystore_fetch(const char *key, unsigned char **result);
#endif
356
/* ${SSL_LIBRARY}.c */
/* Backend-specific I/O, implemented once per TLS library. */
int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len);    /* len is the size of buf — presumably; confirm NUL-termination rules in the backend */
int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t len);   /* buf is not const here although it is only read — presumably; could be const char * */
int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len);
int openconnect_open_https(struct openconnect_info *vpninfo);
void openconnect_close_https(struct openconnect_info *vpninfo, int final);
/* Writes a fingerprint into buf; buf must be large enough for a hex MD5
   plus NUL (MD5_SIZE * 2 + 1) — presumably, confirm in the backend. */
int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, OPENCONNECT_X509 *cert,
                             char *buf);
int openconnect_sha1(unsigned char *result, void *data, int len);     /* result needs SHA1_SIZE bytes; len is a signed int */
int openconnect_random(void *bytes, int len);                          /* fills len bytes from the backend's RNG; return convention not stated here — callers must check it */
int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
                               char *buf);
369
/* mainloop.c */
int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events);    /* registers fd in the select_* sets — presumably */
int vpn_mainloop(struct openconnect_info *vpninfo);
/* Allocates a struct pkt holding a copy of buf (len bytes) and appends it
   to *q — presumably.  len is a signed int: a negative or oversize value
   must be rejected; confirm how mainloop.c validates it. */
int queue_new_packet(struct pkt **q, void *buf, int len);
void queue_packet(struct pkt **q, struct pkt *new);     /* parameter is named `new`, so this header is C-only */
int keepalive_action(struct keepalive_info *ka, int *timeout);  /* presumably returns one of KA_* — confirm */
int ka_stalled_dpd_time(struct keepalive_info *ka, int *timeout);

/* Global stop flag.  If it is written from a signal handler it should be
   volatile sig_atomic_t — confirm where it is set. */
extern int killed;
379
/* xml.c */
/* Looks `host` up in the XML config (see xmlconfig/xmlsha1) — presumably. */
int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
382
/* auth.c */
/* Parses a server XML response.  `response` is not const, so it may be
   modified in place — confirm.  request_body/req_len describe an output
   buffer of req_len bytes — presumably; req_len is a signed int.  The
   two const char ** out-parameters are set by the callee; their
   lifetime is not stated here. */
int parse_xml_response(struct openconnect_info *vpninfo, char *response,
                       char *request_body, int req_len, const char **method,
                       const char **request_body_type);
387
/* http.c */
char *openconnect_create_useragent(const char *base);    /* returns a new string; who frees it is not stated here — presumably the caller */
int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
/* Splits url into its parts.  url is not const, so it may be modified in
   place — confirm; the res_* out-parameters receive strings whose
   ownership is not stated here.  default_port is used when the URL
   carries none — presumably. */
int internal_parse_url(char *url, char **res_proto, char **res_host,
                       int *res_port, char **res_path, int default_port);
393
/* ssl_ui.c */
int set_openssl_ui(void);   /* OpenSSL-only by name; declared unconditionally here — confirm it is a no-op or absent in GnuTLS builds */
396
/* securid.c */
int generate_securid_tokencodes(struct openconnect_info *vpninfo);
int add_securid_pin(char *token, char *pin);   /* pin is a secret; neither argument is const, so confirm whether they are modified or retained */
400
/* version.c */
extern const char *openconnect_version_str;   /* defined in version.c; used for the useragent string — presumably */
403
404 #endif /* __OPENCONNECT_INTERNAL_H__ */