oncp.c 37 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280
  1. /*
  2. * OpenConnect (SSL + DTLS) VPN client
  3. *
  4. * Copyright © 2008-2015 Intel Corporation.
  5. *
  6. * Author: David Woodhouse <dwmw2@infradead.org>
  7. *
  8. * This program is free software; you can redistribute it and/or
  9. * modify it under the terms of the GNU Lesser General Public License
  10. * version 2.1, as published by the Free Software Foundation.
  11. *
  12. * This program is distributed in the hope that it will be useful, but
  13. * WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  15. * Lesser General Public License for more details.
  16. */
  17. /*
  18. * Grateful thanks to Tiebing Zhang, who did much of the hard work
  19. * of analysing and decoding the protocol.
  20. */
  21. #include <config.h>
  22. #include "openconnect-internal.h"
  23. #include <unistd.h>
  24. #include <fcntl.h>
  25. #include <sys/types.h>
  26. #include <time.h>
  27. #include <string.h>
  28. #include <ctype.h>
  29. #include <errno.h>
  30. #include <stdlib.h>
  31. #include <stdio.h>
  32. #include <stdarg.h>
  33. static void buf_append_tlv(struct oc_text_buf *buf, uint16_t val, uint32_t len, void *data)
  34. {
  35. unsigned char b[6];
  36. store_be16(b, val);
  37. store_be32(b + 2, len);
  38. buf_append_bytes(buf, b, 6);
  39. if (len)
  40. buf_append_bytes(buf, data, len);
  41. }
  42. static void buf_append_tlv_be32(struct oc_text_buf *buf, uint16_t val, uint32_t data)
  43. {
  44. unsigned char d[4];
  45. store_be32(d, data);
  46. buf_append_tlv(buf, val, 4, d);
  47. }
  48. static const char authpkt_head[] = { 0x00, 0x04, 0x00, 0x00, 0x00 };
  49. static const char authpkt_tail[] = { 0xbb, 0x01, 0x00, 0x00, 0x00, 0x00 };
  50. #define GRP_ATTR(g, a) (((g) << 16) | (a))
  51. static int process_attr(struct openconnect_info *vpninfo,
  52. struct oc_vpn_option **new_opts, struct oc_ip_info *new_ip_info,
  53. int group, int attr, unsigned char *data, int attrlen)
  54. {
  55. char buf[80];
  56. int i;
  57. switch(GRP_ATTR(group, attr)) {
  58. case GRP_ATTR(6, 2):
  59. if (attrlen != 4) {
  60. badlen:
  61. vpn_progress(vpninfo, PRG_ERR,
  62. _("Unexpected length %d for TLV %d/%d\n"),
  63. attrlen, group, attr);
  64. return -EINVAL;
  65. }
  66. new_ip_info->mtu = load_be32(data);
  67. vpn_progress(vpninfo, PRG_DEBUG,
  68. _("Received MTU %d from server\n"),
  69. new_ip_info->mtu);
  70. break;
  71. case GRP_ATTR(2, 1):
  72. if (attrlen != 4)
  73. goto badlen;
  74. snprintf(buf, sizeof(buf), "%d.%d.%d.%d", data[0], data[1], data[2], data[3]);
  75. vpn_progress(vpninfo, PRG_DEBUG, _("Received DNS server %s\n"), buf);
  76. for (i = 0; i < 3; i++) {
  77. if (!new_ip_info->dns[i]) {
  78. new_ip_info->dns[i] = add_option_dup(new_opts, "DNS", buf, -1);
  79. break;
  80. }
  81. }
  82. break;
  83. case GRP_ATTR(2, 2):
  84. vpn_progress(vpninfo, PRG_DEBUG, _("Received DNS search domain %.*s\n"),
  85. attrlen, (char *)data);
  86. new_ip_info->domain = add_option_dup(new_opts, "search", (char *)data, attrlen);
  87. break;
  88. case GRP_ATTR(1, 1):
  89. if (attrlen != 4)
  90. goto badlen;
  91. snprintf(buf, sizeof(buf), "%d.%d.%d.%d", data[0], data[1], data[2], data[3]);
  92. vpn_progress(vpninfo, PRG_DEBUG, _("Received internal IP address %s\n"), buf);
  93. new_ip_info->addr = add_option_dup(new_opts, "ipaddr", buf, -1);
  94. break;
  95. case GRP_ATTR(1, 2):
  96. if (attrlen != 4)
  97. goto badlen;
  98. snprintf(buf, sizeof(buf), "%d.%d.%d.%d", data[0], data[1], data[2], data[3]);
  99. vpn_progress(vpninfo, PRG_DEBUG, _("Received netmask %s\n"), buf);
  100. new_ip_info->netmask = add_option_dup(new_opts, "netmask", buf, -1);
  101. break;
  102. case GRP_ATTR(1, 3):
  103. if (attrlen != 4)
  104. goto badlen;
  105. snprintf(buf, sizeof(buf), "%d.%d.%d.%d", data[0], data[1], data[2], data[3]);
  106. vpn_progress(vpninfo, PRG_DEBUG, _("Received internal gateway address %s\n"), buf);
  107. /* Hm, what are we supposed to do with this? It's a tunnel;
  108. having a gateway is meaningless. */
  109. add_option_dup(new_opts, "ipaddr", buf, -1);
  110. break;
  111. case GRP_ATTR(3, 3): {
  112. struct oc_split_include *inc;
  113. if (attrlen != 8)
  114. goto badlen;
  115. snprintf(buf, sizeof(buf), "%d.%d.%d.%d/%d.%d.%d.%d",
  116. data[0], data[1], data[2], data[3],
  117. data[4], data[5], data[6], data[7]);
  118. vpn_progress(vpninfo, PRG_DEBUG, _("Received split include route %s\n"), buf);
  119. inc = malloc(sizeof(*inc));
  120. if (inc) {
  121. inc->route = add_option_dup(new_opts, "split-include", buf, -1);
  122. if (inc->route) {
  123. inc->next = new_ip_info->split_includes;
  124. new_ip_info->split_includes = inc;
  125. } else
  126. free(inc);
  127. }
  128. break;
  129. }
  130. case GRP_ATTR(3, 4): {
  131. struct oc_split_include *exc;
  132. if (attrlen != 8)
  133. goto badlen;
  134. snprintf(buf, sizeof(buf), "%d.%d.%d.%d/%d.%d.%d.%d",
  135. data[0], data[1], data[2], data[3],
  136. data[4], data[5], data[6], data[7]);
  137. vpn_progress(vpninfo, PRG_DEBUG, _("Received split exclude route %s\n"), buf);
  138. exc = malloc(sizeof(*exc));
  139. if (exc) {
  140. exc->route = add_option_dup(new_opts, "split-exclude", buf, -1);
  141. if (exc->route) {
  142. exc->next = new_ip_info->split_excludes;
  143. new_ip_info->split_excludes = exc;
  144. } else
  145. free(exc);
  146. }
  147. break;
  148. }
  149. case GRP_ATTR(4, 1):
  150. if (attrlen != 4)
  151. goto badlen;
  152. snprintf(buf, sizeof(buf), "%d.%d.%d.%d", data[0], data[1], data[2], data[3]);
  153. vpn_progress(vpninfo, PRG_DEBUG, _("Received WINS server %s\n"), buf);
  154. for (i = 0; i < 3; i++) {
  155. if (!new_ip_info->nbns[i]) {
  156. new_ip_info->nbns[i] = add_option_dup(new_opts, "WINS", buf, -1);
  157. break;
  158. }
  159. }
  160. break;
  161. case GRP_ATTR(8, 1): {
  162. const char *enctype;
  163. if (attrlen != 1)
  164. goto badlen;
  165. if (data[0] == ENC_AES_128_CBC) {
  166. enctype = "AES-128";
  167. vpninfo->enc_key_len = 16;
  168. } else if (data[0] == ENC_AES_256_CBC) {
  169. enctype = "AES-256";
  170. vpninfo->enc_key_len = 32;
  171. } else
  172. enctype = "unknown";
  173. vpn_progress(vpninfo, PRG_DEBUG, _("ESP encryption: 0x%02x (%s)\n"),
  174. data[0], enctype);
  175. vpninfo->esp_enc = data[0];
  176. break;
  177. }
  178. case GRP_ATTR(8, 2): {
  179. const char *mactype;
  180. if (attrlen != 1)
  181. goto badlen;
  182. if (data[0] == HMAC_MD5) {
  183. mactype = "MD5";
  184. vpninfo->hmac_key_len = 16;
  185. } else if (data[0] == HMAC_SHA1) {
  186. mactype = "SHA1";
  187. vpninfo->hmac_key_len = 20;
  188. } else
  189. mactype = "unknown";
  190. vpn_progress(vpninfo, PRG_DEBUG, _("ESP HMAC: 0x%02x (%s)\n"),
  191. data[0], mactype);
  192. vpninfo->esp_hmac = data[0];
  193. break;
  194. }
  195. case GRP_ATTR(8, 3):
  196. if (attrlen != 1)
  197. goto badlen;
  198. vpninfo->esp_compr = data[0];
  199. vpninfo->dtls_compr = data[0] ? COMPR_LZO : 0;
  200. vpn_progress(vpninfo, PRG_DEBUG, _("ESP compression: %d\n"), data[0]);
  201. break;
  202. case GRP_ATTR(8, 4):
  203. if (attrlen != 2)
  204. goto badlen;
  205. i = load_be16(data);
  206. udp_sockaddr(vpninfo, i);
  207. vpn_progress(vpninfo, PRG_DEBUG, _("ESP port: %d\n"), i);
  208. break;
  209. case GRP_ATTR(8, 5):
  210. if (attrlen != 4)
  211. goto badlen;
  212. vpninfo->esp_lifetime_bytes = load_be32(data);
  213. vpn_progress(vpninfo, PRG_DEBUG, _("ESP key lifetime: %u bytes\n"),
  214. vpninfo->esp_lifetime_bytes);
  215. break;
  216. case GRP_ATTR(8, 6):
  217. if (attrlen != 4)
  218. goto badlen;
  219. vpninfo->esp_lifetime_seconds = load_be32(data);
  220. vpn_progress(vpninfo, PRG_DEBUG, _("ESP key lifetime: %u seconds\n"),
  221. vpninfo->esp_lifetime_seconds);
  222. break;
  223. case GRP_ATTR(8, 9):
  224. if (attrlen != 4)
  225. goto badlen;
  226. vpninfo->esp_ssl_fallback = load_be32(data);
  227. vpn_progress(vpninfo, PRG_DEBUG, _("ESP to SSL fallback: %u seconds\n"),
  228. vpninfo->esp_ssl_fallback);
  229. break;
  230. case GRP_ATTR(8, 10):
  231. if (attrlen != 4)
  232. goto badlen;
  233. vpninfo->esp_replay_protect = load_be32(data);
  234. vpn_progress(vpninfo, PRG_DEBUG, _("ESP replay protection: %d\n"),
  235. load_be32(data));
  236. break;
  237. case GRP_ATTR(7, 1):
  238. if (attrlen != 4)
  239. goto badlen;
  240. memcpy(&vpninfo->esp_out.spi, data, 4);
  241. vpn_progress(vpninfo, PRG_DEBUG, _("ESP SPI (outbound): %x\n"),
  242. load_be32(data));
  243. break;
  244. case GRP_ATTR(7, 2):
  245. if (attrlen != 0x40)
  246. goto badlen;
  247. /* data contains enc_key and hmac_key concatenated */
  248. memcpy(vpninfo->esp_out.enc_key, data, 0x40);
  249. vpn_progress(vpninfo, PRG_DEBUG, _("%d bytes of ESP secrets\n"),
  250. attrlen);
  251. break;
  252. default:
  253. buf[0] = 0;
  254. for (i=0; i < 16 && i < attrlen; i++)
  255. sprintf(buf + strlen(buf), " %02x", data[i]);
  256. if (attrlen > 16)
  257. sprintf(buf + strlen(buf), "...");
  258. vpn_progress(vpninfo, PRG_DEBUG,
  259. _("Unknown TLV group %d attr %d len %d:%s\n"),
  260. group, attr, attrlen, buf);
  261. }
  262. return 0;
  263. }
  264. static void put_len16(struct oc_text_buf *buf, int where)
  265. {
  266. int len = buf->pos - where;
  267. store_be16(buf->data + where - 2, len);
  268. }
  269. static void put_len32(struct oc_text_buf *buf, int where)
  270. {
  271. int len = buf->pos - where;
  272. store_be32(buf->data + where - 4, len);
  273. }
  274. /* We don't know what these are so just hope they never change */
  275. static const unsigned char kmp_head[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
  276. static const unsigned char kmp_tail[] = { 0x01, 0x00, 0x00, 0x00, 0x00,
  277. 0x00, 0x00, 0x00, 0x00, 0x00 };
  278. static const unsigned char kmp_tail_out[] = { 0x01, 0x00, 0x00, 0x00, 0x01,
  279. 0x00, 0x00, 0x00, 0x00, 0x00 };
  280. static const unsigned char data_hdr[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  281. 0x01, 0x2c, 0x01, 0x00, 0x00, 0x00,
  282. 0x01, 0x00, 0x00, 0x00, 0x00, 0x00 };
  283. #ifdef HAVE_ESP
  284. static const unsigned char esp_kmp_hdr[] = {
  285. 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x2e,
  286. 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, /* KMP header */
  287. 0x00, 0x56, /* KMP length */
  288. 0x00, 0x07, 0x00, 0x00, 0x00, 0x50, /* TLV group 7 */
  289. 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, /* Attr 1 (SPI) */
  290. };
  291. /* Followed by 4 bytes of SPI */
  292. static const unsigned char esp_kmp_part2[] = {
  293. 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, /* Attr 2 (secrets) */
  294. };
  295. /* And now 0x40 bytes of random secret for encryption and HMAC key */
  296. #endif
  297. static const struct pkt esp_enable_pkt = {
  298. .next = NULL,
  299. { .oncp = { .rec = { 0x21, 0x00 },
  300. .kmp = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x2f,
  301. 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
  302. 0x00, 0x00, 0x00, 0x0d } }
  303. },
  304. .data = {
  305. 0x00, 0x06, 0x00, 0x00, 0x00, 0x07, /* Group 6, len 7 */
  306. 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, /* Attr 1, len 1 */
  307. 0x01
  308. },
  309. .len = 13
  310. };
  311. static int queue_esp_control(struct openconnect_info *vpninfo, int enable)
  312. {
  313. struct pkt *new = alloc_pkt(vpninfo, esp_enable_pkt.len);
  314. if (!new)
  315. return -ENOMEM;
  316. new->oncp = esp_enable_pkt.oncp;
  317. new->len = esp_enable_pkt.len;
  318. memcpy(new->data, esp_enable_pkt.data, esp_enable_pkt.len);
  319. new->data[12] = enable;
  320. queue_packet(&vpninfo->tcp_control_queue, new);
  321. return 0;
  322. }
  323. static int check_kmp_header(struct openconnect_info *vpninfo, unsigned char *bytes, int pktlen)
  324. {
  325. if (pktlen < 20 || memcmp(bytes, kmp_head, sizeof(kmp_head)) ||
  326. memcmp(bytes + 8, kmp_tail, sizeof(kmp_tail))) {
  327. vpn_progress(vpninfo, PRG_ERR,
  328. _("Failed to parse KMP header\n"));
  329. return -EINVAL;
  330. }
  331. return load_be16(bytes + 6);
  332. }
  333. static int parse_conf_pkt(struct openconnect_info *vpninfo, unsigned char *bytes, int pktlen, int kmp)
  334. {
  335. int kmplen, kmpend, grouplen, groupend, group, attr, attrlen;
  336. int ofs = 0;
  337. int split_enc_hmac_keys = 0;
  338. struct oc_vpn_option *new_opts = NULL;
  339. struct oc_ip_info new_ip_info = {};
  340. kmplen = load_be16(bytes + ofs + 18);
  341. kmpend = ofs + kmplen;
  342. if (kmpend > pktlen) {
  343. eparse:
  344. vpn_progress(vpninfo, PRG_ERR,
  345. _("Failed to parse KMP message\n"));
  346. dump_buf_hex(vpninfo, PRG_ERR, '<', bytes, pktlen);
  347. einval:
  348. free_optlist(new_opts);
  349. free_split_routes(&new_ip_info);
  350. return -EINVAL;
  351. }
  352. vpn_progress(vpninfo, PRG_DEBUG,
  353. _("Got KMP message %d of size %d\n"),
  354. kmp, kmplen);
  355. ofs += 0x14;
  356. while (ofs < kmpend) {
  357. if (ofs + 6 > kmpend)
  358. goto eparse;
  359. group = load_be16(bytes + ofs);
  360. grouplen = load_be32(bytes + ofs + 2);
  361. ofs += 6;
  362. groupend = ofs + grouplen;
  363. if (groupend > pktlen)
  364. goto eparse;
  365. if (kmp == 302 && group != 7 && group != 8) {
  366. vpn_progress(vpninfo, PRG_ERR,
  367. _("Received non-ESP TLVs (group %d) in ESP negotiation KMP\n"),
  368. group);
  369. goto einval;
  370. }
  371. while (ofs < groupend) {
  372. if (ofs + 6 > groupend)
  373. goto eparse;
  374. attr = load_be16(bytes + ofs);
  375. attrlen = load_be32(bytes + ofs + 2);
  376. ofs += 6;
  377. if (attrlen + ofs > groupend)
  378. goto eparse;
  379. if (process_attr(vpninfo, &new_opts, &new_ip_info,
  380. group, attr, bytes + ofs, attrlen))
  381. goto eparse;
  382. if (GRP_ATTR(group, attr)==GRP_ATTR(7, 2))
  383. split_enc_hmac_keys = 1;
  384. ofs += attrlen;
  385. }
  386. }
  387. /* The encryption and HMAC keys are sent concatenated together in a block of 0x40 bytes;
  388. we can't split them apart until we know how long the encryption key is. */
  389. if (split_enc_hmac_keys)
  390. memcpy(vpninfo->esp_out.hmac_key, vpninfo->esp_out.enc_key + vpninfo->enc_key_len, vpninfo->hmac_key_len);
  391. int ret = install_vpn_opts(vpninfo, new_opts, &new_ip_info);
  392. if (ret) {
  393. free_optlist(new_opts);
  394. free_split_routes(&new_ip_info);
  395. return ret;
  396. }
  397. return 0;
  398. }
  399. int oncp_connect(struct openconnect_info *vpninfo)
  400. {
  401. int ret, len, kmp, kmplen, group, check_len;
  402. struct oc_text_buf *reqbuf;
  403. unsigned char bytes[65536];
  404. if (!vpninfo->cookies) {
  405. /* XX: This will happen if authentication was separate/external */
  406. ret = internal_split_cookies(vpninfo, 0, "DSID");
  407. if (ret)
  408. return ret;
  409. }
  410. ret = openconnect_open_https(vpninfo);
  411. if (ret)
  412. return ret;
  413. reqbuf = buf_alloc();
  414. buf_append(reqbuf, "POST /dana/js?prot=1&svc=4 HTTP/1.1\r\n");
  415. /* The TLS socket actually remains open for use by the oNCP
  416. tunnel, but the "Connection: close" header is nevertheless
  417. required here. It appears to signal to the server to stop
  418. treating this as an HTTP connection and to start treating
  419. it as an oNCP connection.
  420. */
  421. buf_append(reqbuf, "Connection: close\r\n");
  422. oncp_common_headers(vpninfo, reqbuf);
  423. buf_append(reqbuf, "Content-Length: 256\r\n");
  424. buf_append(reqbuf, "\r\n");
  425. if (buf_error(reqbuf)) {
  426. vpn_progress(vpninfo, PRG_ERR,
  427. _("Error creating oNCP negotiation request\n"));
  428. ret = buf_error(reqbuf);
  429. goto out;
  430. }
  431. if (vpninfo->dump_http_traffic)
  432. dump_buf(vpninfo, '>', reqbuf->data);
  433. ret = vpninfo->ssl_write(vpninfo, reqbuf->data, reqbuf->pos);
  434. if (ret < 0)
  435. goto out;
  436. ret = process_http_response(vpninfo, 1, NULL, reqbuf);
  437. if (ret < 0)
  438. goto out;
  439. if (ret != 200) {
  440. vpn_progress(vpninfo, PRG_ERR,
  441. _("Unexpected %d result from server\n"),
  442. ret);
  443. ret = ((ret >= 400 && ret <= 499) || ret == 302) ? -EPERM : -EINVAL;
  444. goto out;
  445. }
  446. /* This is probably some kind of vestigial authentication packet, although
  447. * it's mostly obsolete now that the authentication is really done over
  448. * HTTP. We only send the hostname. */
  449. buf_truncate(reqbuf);
  450. buf_append_le16(reqbuf, sizeof(authpkt_head) + 2 +
  451. strlen(vpninfo->localname) + sizeof(authpkt_tail));
  452. buf_append_bytes(reqbuf, authpkt_head, sizeof(authpkt_head));
  453. buf_append_le16(reqbuf, strlen(vpninfo->localname));
  454. buf_append(reqbuf, "%s", vpninfo->localname);
  455. buf_append_bytes(reqbuf, authpkt_tail, sizeof(authpkt_tail));
  456. if (buf_error(reqbuf)) {
  457. vpn_progress(vpninfo, PRG_ERR,
  458. _("Error creating oNCP negotiation request\n"));
  459. ret = buf_error(reqbuf);
  460. goto out;
  461. }
  462. dump_buf_hex(vpninfo, PRG_DEBUG, '>', (void *)reqbuf->data, reqbuf->pos);
  463. ret = vpninfo->ssl_write(vpninfo, reqbuf->data, reqbuf->pos);
  464. if (ret != reqbuf->pos) {
  465. if (ret >= 0) {
  466. vpn_progress(vpninfo, PRG_ERR,
  467. _("Short write in oNCP negotiation\n"));
  468. ret = -EIO;
  469. }
  470. goto out;
  471. }
  472. /* Now we expect a three-byte response with what's presumably an
  473. error code */
  474. ret = vpninfo->ssl_read(vpninfo, (void *)bytes, 3);
  475. check_len = load_le16(bytes);
  476. if (ret < 0)
  477. goto out;
  478. vpn_progress(vpninfo, PRG_TRACE,
  479. _("Read %d bytes of SSL record\n"), ret);
  480. dump_buf_hex(vpninfo, PRG_TRACE, '<', (void *)bytes, ret);
  481. if (ret != 3 || check_len < 1) {
  482. vpn_progress(vpninfo, PRG_ERR,
  483. _("Unexpected response of size %d after hostname packet\n"),
  484. ret);
  485. ret = -EINVAL;
  486. goto out;
  487. }
  488. if (bytes[2]) {
  489. vpn_progress(vpninfo, PRG_ERR,
  490. _("Server response to hostname packet is error 0x%02x\n"),
  491. bytes[2]);
  492. if (bytes[2] == 0x08)
  493. vpn_progress(vpninfo, PRG_ERR,
  494. _("This seems to indicate that the server has disabled support for\n"
  495. "Juniper's older oNCP protocol, and only allows connections using\n"
  496. "the newer Junos Pulse protocol. This version of OpenConnect has\n"
  497. "EXPERIMENTAL support for Pulse using --prot=pulse\n"));
  498. ret = -EINVAL;
  499. goto out;
  500. }
  501. /* And then a KMP message 301 with the IP configuration.
  502. * Sometimes this arrives as a separate SSL record (with its own
  503. * 2-byte length prefix), and sometimes concatenated with the
  504. * previous 3-byte response).
  505. */
  506. if (check_len == 1) {
  507. len = vpninfo->ssl_read(vpninfo, (void *)bytes, sizeof(bytes));
  508. check_len = load_le16(bytes);
  509. } else {
  510. len = vpninfo->ssl_read(vpninfo, (void *)(bytes+2), sizeof(bytes)-2) + 2;
  511. check_len--;
  512. }
  513. if (len < 0) {
  514. ret = len;
  515. goto out;
  516. }
  517. vpn_progress(vpninfo, PRG_TRACE,
  518. _("Read %d bytes of SSL record\n"), len);
  519. if (len < 0x16 || check_len + 2 != len) {
  520. vpn_progress(vpninfo, PRG_ERR,
  521. _("Invalid packet waiting for KMP 301\n"));
  522. dump_buf_hex(vpninfo, PRG_ERR, '<', bytes, len);
  523. ret = -EINVAL;
  524. goto out;
  525. }
  526. ret = check_kmp_header(vpninfo, bytes + 2, len);
  527. if (ret < 0)
  528. goto out;
  529. /* We expect KMP message 301 here */
  530. if (ret != 301) {
  531. vpn_progress(vpninfo, PRG_ERR,
  532. _("Expected KMP message 301 from server but got %d\n"),
  533. ret);
  534. ret = -EINVAL;
  535. goto out;
  536. }
  537. kmplen = load_be16(bytes + 20);
  538. if (kmplen + 2 >= sizeof(bytes)) {
  539. vpn_progress(vpninfo, PRG_ERR,
  540. _("KMP message 301 from server too large (%d bytes)\n"),
  541. kmplen);
  542. ret = -EINVAL;
  543. goto out;
  544. }
  545. vpn_progress(vpninfo, PRG_TRACE,
  546. _("Got KMP message 301 of length %d\n"), kmplen);
  547. while (kmplen + 22 > len) {
  548. char l[2];
  549. int thislen;
  550. if (vpninfo->ssl_read(vpninfo, (void *)l, 2) != 2) {
  551. vpn_progress(vpninfo, PRG_ERR,
  552. _("Failed to read continuation record length\n"));
  553. ret = -EINVAL;
  554. goto out;
  555. }
  556. if (load_le16(l) + len > kmplen + 22) {
  557. vpn_progress(vpninfo, PRG_ERR,
  558. _("Record of additional %d bytes too large; would make %d\n"),
  559. load_le16(l), len + load_le16(l));
  560. ret = -EINVAL;
  561. goto out;
  562. }
  563. thislen = vpninfo->ssl_read(vpninfo, (void *)(bytes + len), load_le16(l));
  564. if (thislen != load_le16(l)) {
  565. vpn_progress(vpninfo, PRG_ERR,
  566. _("Failed to read continuation record of length %d\n"),
  567. load_le16(l));
  568. ret = -EINVAL;
  569. goto out;
  570. }
  571. vpn_progress(vpninfo, PRG_TRACE,
  572. _("Read additional %d bytes of KMP 301 message\n"),
  573. thislen);
  574. len += thislen;
  575. }
  576. ret = parse_conf_pkt(vpninfo, bytes + 2, len - 2, ret);
  577. if (ret)
  578. goto out;
  579. buf_truncate(reqbuf);
  580. buf_append_le16(reqbuf, 0); /* Length. We'll fix it later. */
  581. buf_append_bytes(reqbuf, kmp_head, sizeof(kmp_head));
  582. buf_append_be16(reqbuf, 303); /* KMP message 303 */
  583. buf_append_bytes(reqbuf, kmp_tail_out, sizeof(kmp_tail_out));
  584. buf_append_be16(reqbuf, 0); /* KMP message length */
  585. kmp = reqbuf->pos;
  586. buf_append_tlv(reqbuf, 6, 0, NULL); /* TLV group 6 */
  587. group = reqbuf->pos;
  588. buf_append_tlv_be32(reqbuf, 2, vpninfo->ip_info.mtu);
  589. if (buf_error(reqbuf)) {
  590. vpn_progress(vpninfo, PRG_ERR,
  591. _("Error creating oNCP negotiation request\n"));
  592. ret = buf_error(reqbuf);
  593. goto out;
  594. }
  595. put_len32(reqbuf, group);
  596. put_len16(reqbuf, kmp);
  597. #ifdef HAVE_ESP
  598. if (!openconnect_setup_esp_keys(vpninfo, 1)) {
  599. struct esp *esp = &vpninfo->esp_in[vpninfo->current_esp_in];
  600. /* Since we'll want to do this in the oncp_mainloop too, where it's easier
  601. * *not* to have an oc_text_buf and build it up manually, and since it's
  602. * all fixed size and fairly simple anyway, just hard-code the packet */
  603. buf_append_bytes(reqbuf, esp_kmp_hdr, sizeof(esp_kmp_hdr));
  604. buf_append_bytes(reqbuf, &esp->spi, sizeof(esp->spi));
  605. buf_append_bytes(reqbuf, esp_kmp_part2, sizeof(esp_kmp_part2));
  606. buf_append_bytes(reqbuf, &esp->enc_key, vpninfo->enc_key_len);
  607. buf_append_bytes(reqbuf, &esp->hmac_key, 0x40 - vpninfo->enc_key_len);
  608. if (buf_error(reqbuf)) {
  609. vpn_progress(vpninfo, PRG_ERR,
  610. _("Error negotiating ESP keys\n"));
  611. ret = buf_error(reqbuf);
  612. goto out;
  613. }
  614. }
  615. #endif
  616. /* Length at the start of the packet is little-endian */
  617. store_le16(reqbuf->data, reqbuf->pos - 2);
  618. vpn_progress(vpninfo, PRG_DEBUG, _("oNCP negotiation request outgoing:\n"));
  619. dump_buf_hex(vpninfo, PRG_DEBUG, '>', (void *)reqbuf->data, reqbuf->pos);
  620. ret = vpninfo->ssl_write(vpninfo, reqbuf->data, reqbuf->pos);
  621. if (ret != reqbuf->pos) {
  622. if (ret >= 0) {
  623. vpn_progress(vpninfo, PRG_ERR,
  624. _("Short write in oNCP negotiation\n"));
  625. ret = -EIO;
  626. }
  627. goto out;
  628. }
  629. ret = 0;
  630. out:
  631. if (ret)
  632. openconnect_close_https(vpninfo, 0);
  633. else {
  634. monitor_fd_new(vpninfo, ssl);
  635. monitor_read_fd(vpninfo, ssl);
  636. monitor_except_fd(vpninfo, ssl);
  637. }
  638. buf_free(reqbuf);
  639. vpninfo->partial_rec_size = 0;
  640. free_pkt(vpninfo, vpninfo->cstp_pkt);
  641. vpninfo->cstp_pkt = NULL;
  642. return ret;
  643. }
  644. static int oncp_receive_espkeys(struct openconnect_info *vpninfo, int len)
  645. {
  646. #ifdef HAVE_ESP
  647. int ret;
  648. ret = parse_conf_pkt(vpninfo, vpninfo->cstp_pkt->oncp.kmp, len + 20, 301);
  649. if (!ret)
  650. ret = openconnect_setup_esp_keys(vpninfo, 1);
  651. if (!ret) {
  652. struct esp *esp = &vpninfo->esp_in[vpninfo->current_esp_in];
  653. unsigned char *p = vpninfo->cstp_pkt->oncp.kmp;
  654. memcpy(p, esp_kmp_hdr, sizeof(esp_kmp_hdr));
  655. p += sizeof(esp_kmp_hdr);
  656. memcpy(p, &esp->spi, sizeof(esp->spi));
  657. p += sizeof(esp->spi);
  658. memcpy(p, esp_kmp_part2, sizeof(esp_kmp_part2));
  659. p += sizeof(esp_kmp_part2);
  660. memcpy(p, esp->enc_key, vpninfo->enc_key_len);
  661. memcpy(p+vpninfo->enc_key_len, esp->hmac_key, 0x40 - vpninfo->enc_key_len);
  662. p += 0x40;
  663. vpninfo->cstp_pkt->len = p - vpninfo->cstp_pkt->data;
  664. store_le16(vpninfo->cstp_pkt->oncp.rec,
  665. (p - vpninfo->cstp_pkt->oncp.kmp));
  666. queue_packet(&vpninfo->tcp_control_queue, vpninfo->cstp_pkt);
  667. vpninfo->cstp_pkt = NULL;
  668. print_esp_keys(vpninfo, _("new incoming"), esp);
  669. print_esp_keys(vpninfo, _("new outgoing"), &vpninfo->esp_out);
  670. }
  671. return ret;
  672. #else
  673. vpn_progress(vpninfo, PRG_DEBUG,
  674. _("Ignoring ESP keys since ESP support not available in this build\n"));
  675. return 0;
  676. #endif
  677. }
  678. static int oncp_record_read(struct openconnect_info *vpninfo, void *buf, int len)
  679. {
  680. int ret;
  681. if (!vpninfo->partial_rec_size) {
  682. unsigned char lenbuf[2];
  683. ret = ssl_nonblock_read(vpninfo, 0, lenbuf, 2);
  684. if (ret <= 0)
  685. return ret;
  686. if (ret == 1) {
  687. /* Surely at least *this* never happens? The two length bytes
  688. * of the oNCP record being split across multiple SSL records */
  689. vpn_progress(vpninfo, PRG_ERR,
  690. _("Read only 1 byte of oNCP length field\n"));
  691. return -EIO;
  692. }
  693. vpninfo->partial_rec_size = load_le16(lenbuf);
  694. if (!vpninfo->partial_rec_size) {
  695. ret = ssl_nonblock_read(vpninfo, 0, lenbuf, 1);
  696. if (ret == 1) {
  697. if (lenbuf[0] == 1) {
  698. vpn_progress(vpninfo, PRG_ERR,
  699. _("Server terminated connection (session expired)\n"));
  700. vpninfo->quit_reason = "VPN session expired";
  701. } else if (lenbuf[0] == 8) {
  702. vpn_progress(vpninfo, PRG_ERR,
  703. _("Server terminated connection (idle timeout)\n"));
  704. vpninfo->quit_reason = "Idle timeout";
  705. } else {
  706. vpn_progress(vpninfo, PRG_ERR,
  707. _("Server terminated connection (reason: %d)\n"),
  708. lenbuf[0]);
  709. vpninfo->quit_reason = "Server terminated connection";
  710. }
  711. return -EPIPE;
  712. } else {
  713. vpn_progress(vpninfo, PRG_ERR,
  714. _("Server sent zero-length oNCP record\n"));
  715. vpninfo->quit_reason = "Zero-length oNCP record";
  716. return -EIO;
  717. }
  718. }
  719. }
  720. if (len > vpninfo->partial_rec_size)
  721. len = vpninfo->partial_rec_size;
  722. ret = ssl_nonblock_read(vpninfo, 0, buf, len);
  723. if (ret > 0)
  724. vpninfo->partial_rec_size -= ret;
  725. return ret;
  726. }
  727. int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
  728. {
  729. int ret;
  730. int work_done = 0;
  731. /* Periodic TNCC */
  732. if (trojan_check_deadline(vpninfo, timeout)) {
  733. oncp_send_tncc_command(vpninfo, 0);
  734. return 1;
  735. }
  736. if (vpninfo->ssl_fd == -1)
  737. goto do_reconnect;
  738. /* FIXME: The poll() handling here is fairly simplistic. Actually,
  739. if the SSL connection stalls it could return a WANT_WRITE error
  740. on _either_ of the SSL_read() or SSL_write() calls. In that case,
  741. we should probably remove POLLIN from the events we're looking for,
  742. and add POLLOUT. As it is, though, it'll just chew CPU time in that
  743. fairly unlikely situation, until the write backlog clears. */
  744. while (readable) {
  745. int len, kmp, kmplen, iplen;
  746. /* Some servers send us packets that are larger than
  747. negotiated MTU. We reserve some extra space to
  748. handle that */
  749. int receive_mtu = MAX(16384, vpninfo->ip_info.mtu);
  750. len = receive_mtu + vpninfo->pkt_trailer;
  751. if (!vpninfo->cstp_pkt) {
  752. vpninfo->cstp_pkt = alloc_pkt(vpninfo, len);
  753. if (!vpninfo->cstp_pkt) {
  754. vpn_progress(vpninfo, PRG_ERR, _("Allocation failed\n"));
  755. break;
  756. }
  757. vpninfo->cstp_pkt->len = 0;
  758. }
  759. /*
  760. * This protocol is horrid. There are encapsulations within
  761. * encapsulations within encapsulations. Some of them entirely
  762. * gratuitous.
  763. *
  764. * First there's the SSL records which are a natural part of
  765. * using TLS as a transport. They appear to make no use of the
  766. * packetisation which these provide.
  767. *
  768. * Then within the TLS data stream there are "records" preceded
  769. * by a 16-bit little-endian length. It's not clear what these
  770. * records represent; they appear to be entirely gratuitous and
  771. * just need to be discarded. A record boundary sometimes falls
  772. * right in the middle of a data packet; there's no apparent
  773. * logic to it.
  774. *
  775. * Then there are the KMP packets themselves, each of which has
  776. * a length field of its own. There can be multiple KMP packets
  777. * in each of the above-mention "records", and as noted there
  778. * even be *partial* KMP packets in each record.
  779. *
  780. * Finally, a KMP data packet may actually contain multiple IP
  781. * packets, which need to be split apart by using the length
  782. * field in the IP header. This is Legacy IP only, never IPv6
  783. * for the Network Connect protocol.
  784. */
  785. /* Until we pass it up the stack, we use cstp_pkt->len to show
  786. * the amount of data received *including* the KMP header. */
  787. len = oncp_record_read(vpninfo,
  788. vpninfo->cstp_pkt->oncp.kmp + vpninfo->cstp_pkt->len,
  789. receive_mtu + 20 - vpninfo->cstp_pkt->len);
  790. if (!len)
  791. break;
  792. else if (len < 0) {
  793. if (vpninfo->quit_reason)
  794. return len;
  795. goto do_reconnect;
  796. }
  797. vpninfo->cstp_pkt->len += len;
  798. vpninfo->ssl_times.last_rx = time(NULL);
  799. if (vpninfo->cstp_pkt->len < 20)
  800. continue;
  801. next_kmp:
  802. /* Now we have a KMP header. It might already have been there */
  803. kmp = load_be16(vpninfo->cstp_pkt->oncp.kmp + 6);
  804. kmplen = load_be16(vpninfo->cstp_pkt->oncp.kmp + 18);
  805. if (len == vpninfo->cstp_pkt->len)
  806. vpn_progress(vpninfo, PRG_DEBUG, _("Incoming KMP message %d of size %d (got %d)\n"),
  807. kmp, kmplen, vpninfo->cstp_pkt->len - 20);
  808. else
  809. vpn_progress(vpninfo, PRG_DEBUG, _("Continuing to process KMP message %d now size %d (got %d)\n"),
  810. kmp, kmplen, vpninfo->cstp_pkt->len - 20);
  811. switch (kmp) {
  812. case 300:
  813. next_ip:
  814. /* Need at least 6 bytes of payload to check the IP packet length */
  815. if (vpninfo->cstp_pkt->len < 26)
  816. continue;
  817. switch(vpninfo->cstp_pkt->data[0] >> 4) {
  818. case 4:
  819. iplen = load_be16(vpninfo->cstp_pkt->data + 2);
  820. break;
  821. case 6:
  822. iplen = load_be16(vpninfo->cstp_pkt->data + 4) + 40;
  823. break;
  824. default:
  825. badiplen:
  826. vpn_progress(vpninfo, PRG_ERR,
  827. _("Unrecognised data packet\n"));
  828. goto unknown_pkt;
  829. }
  830. if (!iplen || iplen > receive_mtu || iplen > kmplen)
  831. goto badiplen;
  832. if (iplen > vpninfo->cstp_pkt->len - 20)
  833. continue;
  834. work_done = 1;
  835. vpn_progress(vpninfo, PRG_TRACE,
  836. _("Received uncompressed data packet of %d bytes\n"),
  837. iplen);
  838. /* If there's nothing after the IP packet, and it's the last (or
  839. * only) packet in this KMP300 so we don't need to keep the KMP
  840. * header either, then just queue it. */
  841. if (iplen == kmplen && iplen == vpninfo->cstp_pkt->len - 20) {
  842. vpninfo->cstp_pkt->len = iplen;
  843. queue_packet(&vpninfo->incoming_queue, vpninfo->cstp_pkt);
  844. vpninfo->cstp_pkt = NULL;
  845. continue;
  846. }
  847. /* OK, we have a whole packet, and we have stuff after it */
  848. queue_new_packet(vpninfo, &vpninfo->incoming_queue,
  849. vpninfo->cstp_pkt->data, iplen);
  850. kmplen -= iplen;
  851. if (kmplen) {
  852. /* Still data packets to come in this KMP300 */
  853. store_be16(vpninfo->cstp_pkt->oncp.kmp + 18, kmplen);
  854. vpninfo->cstp_pkt->len -= iplen;
  855. if (vpninfo->cstp_pkt->len > 20)
  856. memmove(vpninfo->cstp_pkt->data,
  857. vpninfo->cstp_pkt->data + iplen,
  858. vpninfo->cstp_pkt->len - 20);
  859. goto next_ip;
  860. }
  861. /* We have depleted the KMP300, and there are more bytes from
  862. * the next KMP message in the buffer. Move it up and process it */
  863. memmove(vpninfo->cstp_pkt->oncp.kmp,
  864. vpninfo->cstp_pkt->data + iplen,
  865. vpninfo->cstp_pkt->len - iplen - 20);
  866. vpninfo->cstp_pkt->len -= (iplen + 20);
  867. goto next_kmp;
  868. case 302:
  869. /* Should never happen; if it does we'll have to cope */
  870. if (kmplen > receive_mtu)
  871. goto unknown_pkt;
  872. /* Probably never happens. We need it in its own record.
  873. * If I fix oncp_receive_espkeys() not to reuse cstp_pkt
  874. * we can stop doing this. */
  875. if (vpninfo->cstp_pkt->len != kmplen + 20)
  876. goto unknown_pkt;
  877. ret = oncp_receive_espkeys(vpninfo, kmplen);
  878. if (ret) {
  879. vpn_progress(vpninfo, PRG_ERR, _("Failed to set up ESP: %s\n"),
  880. strerror(-ret));
  881. oncp_esp_close(vpninfo);
  882. }
  883. work_done = 1;
  884. break;
  885. default:
  886. unknown_pkt:
  887. vpn_progress(vpninfo, PRG_ERR,
  888. _("Unknown KMP message %d of size %d:\n"), kmp, kmplen);
  889. dump_buf_hex(vpninfo, PRG_ERR, '<', vpninfo->cstp_pkt->oncp.kmp,
  890. vpninfo->cstp_pkt->len);
  891. if (kmplen + 20 != vpninfo->cstp_pkt->len)
  892. vpn_progress(vpninfo, PRG_DEBUG,
  893. _(".... + %d more bytes unreceived\n"),
  894. kmplen + 20 - vpninfo->cstp_pkt->len);
  895. vpninfo->quit_reason = "Unknown packet received";
  896. return 1;
  897. }
  898. }
  899. /* If SSL_write() fails we are expected to try again. With exactly
  900. the same data, at exactly the same location. So we keep the
  901. packet we had before.... */
  902. if (vpninfo->current_ssl_pkt) {
  903. handle_outgoing:
  904. vpninfo->ssl_times.last_tx = time(NULL);
  905. unmonitor_write_fd(vpninfo, ssl);
  906. vpn_progress(vpninfo, PRG_TRACE, _("Packet outgoing:\n"));
  907. dump_buf_hex(vpninfo, PRG_TRACE, '>',
  908. vpninfo->current_ssl_pkt->oncp.rec,
  909. vpninfo->current_ssl_pkt->len + 22);
  910. ret = ssl_nonblock_write(vpninfo, 0,
  911. vpninfo->current_ssl_pkt->oncp.rec,
  912. vpninfo->current_ssl_pkt->len + 22);
  913. if (ret < 0) {
  914. do_reconnect:
  915. /* XXX: Do we have to do this or can we leave it open?
  916. * Perhaps we could even reconnect asynchronously while
  917. * the ESP is still running? */
  918. #ifdef HAVE_ESP
  919. esp_shutdown(vpninfo);
  920. #endif
  921. ret = ssl_reconnect(vpninfo);
  922. if (ret) {
  923. vpn_progress(vpninfo, PRG_ERR, _("Reconnect failed\n"));
  924. vpninfo->quit_reason = "oNCP reconnect failed";
  925. return ret;
  926. }
  927. vpninfo->dtls_need_reconnect = 1;
  928. return 1;
  929. } else if (!ret) {
  930. #if 0 /* Not for Juniper yet */
  931. /* -EAGAIN: ssl_nonblock_write() will have added the SSL
  932. fd to ->select_wfds if appropriate, so we can just
  933. return and wait. Unless it's been stalled for so long
  934. that DPD kicks in and we kill the connection. */
  935. switch (ka_stalled_action(&vpninfo->ssl_times, timeout)) {
  936. case KA_DPD_DEAD:
  937. goto peer_dead;
  938. case KA_REKEY:
  939. goto do_rekey;
  940. case KA_NONE:
  941. return work_done;
  942. default:
  943. /* This should never happen */
  944. break;
  945. }
  946. #else
  947. return work_done;
  948. #endif
  949. }
  950. if (ret != vpninfo->current_ssl_pkt->len + 22) {
  951. vpn_progress(vpninfo, PRG_ERR,
  952. _("SSL wrote too few bytes! Asked for %d, sent %d\n"),
  953. vpninfo->current_ssl_pkt->len + 22, ret);
  954. vpninfo->quit_reason = "Internal error";
  955. return 1;
  956. }
  957. /* Don't free the 'special' packets */
  958. if (vpninfo->current_ssl_pkt == vpninfo->deflate_pkt) {
  959. free_pkt(vpninfo, vpninfo->pending_deflated_pkt);
  960. vpninfo->pending_deflated_pkt = NULL;
  961. } else if (vpninfo->current_ssl_pkt == &esp_enable_pkt) {
  962. /* Only set the ESP state to connected and actually start
  963. sending packets on it once the enable message has been
  964. *sent* over the TCP channel. */
  965. vpn_progress(vpninfo, PRG_TRACE,
  966. _("Sent ESP enable control packet\n"));
  967. vpninfo->dtls_state = DTLS_ESTABLISHED;
  968. work_done = 1;
  969. } else {
  970. free_pkt(vpninfo, vpninfo->current_ssl_pkt);
  971. }
  972. vpninfo->current_ssl_pkt = NULL;
  973. }
  974. #if 0 /* Not understood for Juniper yet */
  975. if (vpninfo->owe_ssl_dpd_response) {
  976. vpninfo->owe_ssl_dpd_response = 0;
  977. vpninfo->current_ssl_pkt = (struct pkt *)&dpd_resp_pkt;
  978. goto handle_outgoing;
  979. }
  980. switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
  981. case KA_REKEY:
  982. do_rekey:
  983. /* Not that this will ever happen; we don't even process
  984. the setting when we're asked for it. */
  985. vpn_progress(vpninfo, PRG_INFO, _("CSTP rekey due\n"));
  986. if (vpninfo->ssl_times.rekey_method == REKEY_TUNNEL)
  987. goto do_reconnect;
  988. else if (vpninfo->ssl_times.rekey_method == REKEY_SSL) {
  989. ret = cstp_handshake(vpninfo, 0);
  990. if (ret) {
  991. /* if we failed rehandshake try establishing a new-tunnel instead of failing */
  992. vpn_progress(vpninfo, PRG_ERR, _("Rehandshake failed; attempting new-tunnel\n"));
  993. goto do_reconnect;
  994. }
  995. goto do_dtls_reconnect;
  996. }
  997. break;
  998. case KA_DPD_DEAD:
  999. peer_dead:
  1000. vpn_progress(vpninfo, PRG_ERR,
  1001. _("CSTP Dead Peer Detection detected dead peer!\n"));
  1002. do_reconnect:
  1003. ret = cstp_reconnect(vpninfo);
  1004. if (ret) {
  1005. vpn_progress(vpninfo, PRG_ERR, _("Reconnect failed\n"));
  1006. vpninfo->quit_reason = "CSTP reconnect failed";
  1007. return ret;
  1008. }
  1009. do_dtls_reconnect:
  1010. /* succeeded, let's rekey DTLS, if it is not rekeying
  1011. * itself. */
  1012. if (vpninfo->dtls_state > DTLS_SLEEPING &&
  1013. vpninfo->dtls_times.rekey_method == REKEY_NONE) {
  1014. vpninfo->dtls_need_reconnect = 1;
  1015. }
  1016. return 1;
  1017. case KA_DPD:
  1018. vpn_progress(vpninfo, PRG_DEBUG, _("Send CSTP DPD\n"));
  1019. vpninfo->current_ssl_pkt = (struct pkt *)&dpd_pkt;
  1020. goto handle_outgoing;
  1021. case KA_KEEPALIVE:
  1022. /* No need to send an explicit keepalive
  1023. if we have real data to send */
  1024. if (vpninfo->dtls_state != DTLS_ESTABLISHED && vpninfo->outgoing_queue)
  1025. break;
  1026. vpn_progress(vpninfo, PRG_DEBUG, _("Send CSTP Keepalive\n"));
  1027. vpninfo->current_ssl_pkt = (struct pkt *)&keepalive_pkt;
  1028. goto handle_outgoing;
  1029. case KA_NONE:
  1030. ;
  1031. }
  1032. #endif
  1033. /* Queue the ESP enable message. We will start sending packets
  1034. * via ESP once the enable message has been *sent* over the
  1035. * TCP channel. Assign it directly to current_ssl_pkt so that
  1036. * we can use it in-place and match against it above. */
  1037. if (vpninfo->dtls_state == DTLS_CONNECTED) {
  1038. vpninfo->current_ssl_pkt = (struct pkt *)&esp_enable_pkt;
  1039. goto handle_outgoing;
  1040. }
  1041. vpninfo->current_ssl_pkt = dequeue_packet(&vpninfo->tcp_control_queue);
  1042. if (vpninfo->current_ssl_pkt)
  1043. goto handle_outgoing;
  1044. /* Service outgoing packet queue, if no DTLS */
  1045. while (vpninfo->dtls_state != DTLS_ESTABLISHED &&
  1046. (vpninfo->current_ssl_pkt = dequeue_packet(&vpninfo->outgoing_queue))) {
  1047. struct pkt *this = vpninfo->current_ssl_pkt;
  1048. /* Little-endian overall record length */
  1049. store_le16(this->oncp.rec, (this->len + 20));
  1050. memcpy(this->oncp.kmp, data_hdr, 18);
  1051. /* Big-endian length in KMP message header */
  1052. store_be16(this->oncp.kmp + 18, this->len);
  1053. vpn_progress(vpninfo, PRG_TRACE,
  1054. _("Sending uncompressed data packet of %d bytes\n"),
  1055. this->len);
  1056. goto handle_outgoing;
  1057. }
  1058. /* Work is not done if we just got rid of packets off the queue */
  1059. return work_done;
  1060. }
  1061. int oncp_bye(struct openconnect_info *vpninfo, const char *reason)
  1062. {
  1063. char *orig_path;
  1064. char *res_buf=NULL;
  1065. int ret;
  1066. /* We need to close and reopen the HTTPS connection (to kill
  1067. * the oncp tunnel) and submit a new HTTPS request to logout.
  1068. */
  1069. openconnect_close_https(vpninfo, 0);
  1070. orig_path = vpninfo->urlpath;
  1071. vpninfo->urlpath = strdup("dana-na/auth/logout.cgi"); /* redirect segfaults without strdup */
  1072. ret = do_https_request(vpninfo, "GET", NULL, NULL, &res_buf, NULL, HTTP_NO_FLAGS);
  1073. free(vpninfo->urlpath);
  1074. vpninfo->urlpath = orig_path;
  1075. if (ret < 0)
  1076. vpn_progress(vpninfo, PRG_ERR, _("Logout failed.\n"));
  1077. else
  1078. vpn_progress(vpninfo, PRG_INFO, _("Logout successful.\n"));
  1079. free(res_buf);
  1080. return ret;
  1081. }
  1082. #ifdef HAVE_ESP
  1083. void oncp_esp_close(struct openconnect_info *vpninfo)
  1084. {
  1085. /* Tell server to stop sending on ESP channel */
  1086. if (vpninfo->dtls_state >= DTLS_CONNECTED)
  1087. queue_esp_control(vpninfo, 0);
  1088. esp_close(vpninfo);
  1089. }
  1090. int oncp_esp_send_probes(struct openconnect_info *vpninfo)
  1091. {
  1092. struct pkt *pkt;
  1093. int pktlen, seq;
  1094. if (vpninfo->dtls_fd == -1) {
  1095. int fd = udp_connect(vpninfo);
  1096. if (fd < 0)
  1097. return fd;
  1098. /* We are not connected until we get an ESP packet back */
  1099. vpninfo->dtls_state = DTLS_SLEEPING;
  1100. vpninfo->dtls_fd = fd;
  1101. monitor_fd_new(vpninfo, dtls);
  1102. monitor_read_fd(vpninfo, dtls);
  1103. monitor_except_fd(vpninfo, dtls);
  1104. }
  1105. pkt = alloc_pkt(vpninfo, 1 + vpninfo->pkt_trailer);
  1106. if (!pkt)
  1107. return -ENOMEM;
  1108. for (seq=1; seq <= (vpninfo->dtls_state==DTLS_ESTABLISHED ? 1 : 2); seq++) {
  1109. pkt->len = 1;
  1110. pkt->data[0] = 0;
  1111. pktlen = construct_esp_packet(vpninfo, pkt,
  1112. vpninfo->dtls_addr->sa_family == AF_INET6 ? IPPROTO_IPV6 : IPPROTO_IPIP);
  1113. if (pktlen < 0 ||
  1114. send(vpninfo->dtls_fd, (void *)&pkt->esp, pktlen, 0) < 0)
  1115. vpn_progress(vpninfo, PRG_DEBUG, _("Failed to send ESP probe\n"));
  1116. }
  1117. free_pkt(vpninfo, pkt);
  1118. vpninfo->dtls_times.last_tx = time(&vpninfo->new_dtls_started);
  1119. return 0;
  1120. };
  1121. int oncp_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt)
  1122. {
  1123. return (pkt->len == 1 && pkt->data[0] == 0);
  1124. }
  1125. #endif /* HAVE_ESP */