openconnect-internal.h 58 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829
  1. /*
  2. * OpenConnect (SSL + DTLS) VPN client
  3. *
  4. * Copyright © 2008-2015 Intel Corporation.
  5. * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
  6. * Copyright © 2013 John Morrissey <jwm@horde.net>
  7. *
  8. * Author: David Woodhouse <dwmw2@infradead.org>
  9. *
  10. * This program is free software; you can redistribute it and/or
  11. * modify it under the terms of the GNU Lesser General Public License
  12. * version 2.1, as published by the Free Software Foundation.
  13. *
  14. * This program is distributed in the hope that it will be useful, but
  15. * WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  17. * Lesser General Public License for more details.
  18. */
  19. #ifndef __OPENCONNECT_INTERNAL_H__
  20. #define __OPENCONNECT_INTERNAL_H__
  21. #define __OPENCONNECT_PRIVATE__
  22. /*
  23. * We need to include <winsock2.h> or <winsock.h> before openconnect.h.
  24. * Indeed openconnect.h is specifically intended not to be self-sufficient,
  25. * so that end-users can choose between <winsock.h> and <winsock2.h>.
  26. */
  27. #ifdef _WIN32
  28. #include <winsock2.h>
  29. #endif
  30. #include "openconnect.h"
  31. #include "json.h"
  32. #if defined(OPENCONNECT_OPENSSL)
  33. #include <openssl/ssl.h>
  34. #include <openssl/err.h>
  35. /* Ick */
  36. #if OPENSSL_VERSION_NUMBER >= 0x00909000L
  37. #define method_const const
  38. #else
  39. #define method_const
  40. #endif
  41. #endif
  42. #if defined(OPENCONNECT_GNUTLS)
  43. #include <gnutls/gnutls.h>
  44. #include <gnutls/abstract.h>
  45. #include <gnutls/x509.h>
  46. #include <gnutls/crypto.h>
  47. #endif
  48. #ifdef HAVE_ICONV
  49. #include <langinfo.h>
  50. #include <iconv.h>
  51. #endif
  52. #ifdef LIBPROXY_HDR
  53. #include LIBPROXY_HDR
  54. #endif
  55. #ifdef HAVE_LIBSTOKEN
  56. #include <stoken.h>
  57. #endif
  58. #ifdef HAVE_GSSAPI
  59. #include GSSAPI_HDR
  60. #endif
  61. #ifdef HAVE_LIBPSKC
  62. #include <pskc/pskc.h>
  63. #endif
  64. #ifdef HAVE_LIBP11
  65. #include <libp11.h>
  66. #endif
  67. #ifdef HAVE_EPOLL
  68. #include <sys/epoll.h>
  69. #endif
  70. #ifdef ENABLE_NLS
  71. #include <libintl.h>
  72. #define _(s) dgettext("openconnect", s)
  73. #else
  74. #define _(s) ((char *)(s))
  75. #endif
  76. #define N_(s) s
  77. #include <libxml/tree.h>
  78. #include <zlib.h>
  79. #ifdef _WIN32
  80. #ifndef _Out_cap_c_
  81. #define _Out_cap_c_(sz)
  82. #endif
  83. #ifndef _Ret_bytecount_
  84. #define _Ret_bytecount_(sz)
  85. #endif
  86. #ifndef _Post_maybenull_
  87. #define _Post_maybenull_
  88. #endif
  89. #include "wintun.h"
  90. #include <ws2tcpip.h>
  91. #ifndef SECURITY_WIN32
  92. #define SECURITY_WIN32 1
  93. #endif
  94. #include <security.h>
  95. #else
  96. #include <sys/socket.h>
  97. #include <sys/select.h>
  98. #include <netdb.h>
  99. #include <netinet/in.h>
  100. #include <arpa/inet.h>
  101. #include <fcntl.h>
  102. #endif
  103. #include <unistd.h>
  104. #include <sys/time.h>
  105. #include <sys/types.h>
  106. #include <stdint.h>
  107. #include <string.h>
  108. #include <errno.h>
  109. #ifdef HAVE_POSIX_SPAWN
  110. #ifdef __APPLE__
  111. #include <crt_externs.h>
  112. #define environ (*_NSGetEnviron())
  113. #endif
  114. #include <spawn.h>
  115. #endif
  116. /* Equivalent of "/dev/null" on Windows.
  117. * See https://stackoverflow.com/a/44163934
  118. */
  119. #ifdef _WIN32
  120. #define DEVNULL "NUL:"
  121. #else
  122. #define DEVNULL "/dev/null"
  123. #endif
  124. #define SHA512_SIZE 64
  125. #define SHA384_SIZE 48
  126. #define SHA256_SIZE 32
  127. #define SHA1_SIZE 20
  128. #define MD5_SIZE 16
  129. /* FreeBSD provides this in <sys/param.h> */
  130. #ifndef MAX
  131. #define MAX(x,y) (((x)>(y))?(x):(y))
  132. #endif
  133. #ifndef MIN
  134. #define MIN(x,y) (((x)<(y))?(x):(y))
  135. #endif
  136. /* At least MinGW headers seem not to provide IPPROTO_IPIP */
  137. #ifndef IPPROTO_IPIP
  138. #define IPPROTO_IPIP 0x04
  139. #endif
  140. #ifdef HAVE_VHOST
  141. #include <linux/virtio_net.h>
  142. #include <linux/vhost.h>
  143. struct oc_vring {
  144. struct vring_desc *desc;
  145. struct vring_avail *avail;
  146. struct vring_used *used;
  147. uint16_t seen_used;
  148. };
  149. #endif
  150. #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
  151. /****************************************************************************/
  152. struct pkt {
  153. int alloc_len;
  154. int len;
  155. struct pkt *next;
  156. union {
  157. struct {
  158. uint32_t spi;
  159. uint32_t seq;
  160. unsigned char iv[16];
  161. } esp;
  162. struct {
  163. unsigned char pad[2];
  164. unsigned char rec[2];
  165. unsigned char kmp[20];
  166. } oncp;
  167. struct {
  168. unsigned char pad[16];
  169. unsigned char hdr[8];
  170. } cstp;
  171. struct {
  172. unsigned char pad[8];
  173. unsigned char hdr[16];
  174. } gpst;
  175. struct {
  176. unsigned char pad[8];
  177. uint32_t vendor;
  178. uint32_t type;
  179. uint32_t len;
  180. uint32_t ident;
  181. } pulse;
  182. struct {
  183. uint32_t hlen; /* variable-length */
  184. uint16_t proto;
  185. unsigned char hdr[18];
  186. } ppp;
  187. struct {
  188. unsigned char pad[20];
  189. uint16_t type;
  190. uint16_t len;
  191. } h3c;
  192. #ifdef HAVE_VHOST
  193. struct {
  194. unsigned char pad[12];
  195. struct virtio_net_hdr_mrg_rxbuf h;
  196. } virtio;
  197. #endif
  198. };
  199. unsigned char data[];
  200. };
  201. #define pkt_offset(field) ((intptr_t)&((struct pkt *)NULL)->field)
  202. #define pkt_from_hdr(addr, field) ((struct pkt *) ((intptr_t)(addr) - pkt_offset(field) ))
  203. #define REKEY_NONE 0
  204. #define REKEY_TUNNEL 1
  205. #define REKEY_SSL 2
  206. #define KA_NONE 0
  207. #define KA_DPD 1
  208. #define KA_DPD_DEAD 2
  209. #define KA_KEEPALIVE 3
  210. #define KA_REKEY 4
  211. #define DTLS_NOSECRET 0 /* Random secret has not been generated yet */
  212. #define DTLS_SECRET 1 /* Secret is present, ready to attempt DTLS */
  213. #define DTLS_DISABLED 2 /* DTLS was disabled on the *client* side */
  214. #define DTLS_SLEEPING 3 /* For ESP, sometimes sending probes */
  215. #define DTLS_CONNECTING 4 /* DTLS (re)handshaking. Not used for ESP */
  216. #define DTLS_CONNECTED 5 /* Transport connected but not yet enabled */
  217. #define DTLS_ESTABLISHED 6 /* Data path fully established */
  218. /* Not to be confused with MULTICERT_PROTO_xxx flags which are library-visible */
  219. #define PROTO_ANYCONNECT 0
  220. #define PROTO_NC 1
  221. #define PROTO_GPST 2
  222. #define PROTO_PULSE 3
  223. #define PROTO_F5 4
  224. #define PROTO_FORTINET 5
  225. #define PROTO_NULLPPP 6
  226. #define PROTO_ARRAY 7
  227. #define PROTO_H3C 8
  228. /* All supported PPP packet framings/encapsulations */
  229. #define PPP_ENCAP_RFC1661 1 /* Plain/synchronous/pre-framed PPP (RFC1661) */
  230. #define PPP_ENCAP_RFC1662_HDLC 2 /* PPP with HDLC-like framing (RFC1662) */
  231. #define PPP_ENCAP_F5 3 /* F5 BigIP no HDLC */
  232. #define PPP_ENCAP_F5_HDLC 4 /* F5 BigIP HDLC */
  233. #define PPP_ENCAP_FORTINET 5 /* Fortinet no HDLC */
  234. #define PPP_ENCAP_MAX PPP_ENCAP_FORTINET
  235. #define COMPR_DEFLATE (1<<0)
  236. #define COMPR_LZS (1<<1)
  237. #define COMPR_LZ4 (1<<2)
  238. #define COMPR_LZO (1<<3)
  239. #define COMPR_MAX COMPR_LZO
  240. #ifdef HAVE_LZ4
  241. #define COMPR_STATELESS (COMPR_LZS | COMPR_LZ4 | COMPR_LZO)
  242. #else
  243. #define COMPR_STATELESS (COMPR_LZS)
  244. #endif
  245. #define COMPR_ALL (COMPR_STATELESS | COMPR_DEFLATE)
  246. #define DTLS_APP_ID_EXT 48018
  247. struct keepalive_info {
  248. int dpd;
  249. int keepalive;
  250. int rekey;
  251. int rekey_method;
  252. time_t last_rekey;
  253. time_t last_tx;
  254. time_t last_rx;
  255. time_t last_dpd;
  256. };
  257. struct pin_cache {
  258. struct pin_cache *next;
  259. char *token;
  260. char *pin;
  261. };
  262. struct oc_text_buf {
  263. char *data;
  264. int pos;
  265. int buf_len;
  266. int error;
  267. };
  268. #define TLS_MASTER_KEY_SIZE 48
  269. #define RECONNECT_INTERVAL_MIN 10
  270. #define RECONNECT_INTERVAL_MAX 100
  271. #define HTTP_NO_FLAGS 0
  272. #define HTTP_REDIRECT 1
  273. #define HTTP_REDIRECT_TO_GET 2
  274. #define HTTP_BODY_ON_ERROR 4
  275. #define REDIR_TYPE_NONE 0
  276. #define REDIR_TYPE_NEWHOST 1
  277. #define REDIR_TYPE_LOCAL 2
  278. #define AUTH_TYPE_GSSAPI 0
  279. #define AUTH_TYPE_NTLM 1
  280. #define AUTH_TYPE_DIGEST 2
  281. #define AUTH_TYPE_BASIC 3
  282. #define AUTH_TYPE_BEARER 4
  283. #define MAX_AUTH_TYPES 5
  284. #define AUTH_DEFAULT_DISABLED -3
  285. #define AUTH_DISABLED -2
  286. #define AUTH_FAILED -1 /* Failed */
  287. #define AUTH_UNSEEN 0 /* Server has not offered it */
  288. #define AUTH_AVAILABLE 1 /* Server has offered it, we have not tried it */
  289. /* Individual auth types may use 2 onwards for their own state */
  290. #define AUTH_IN_PROGRESS 2 /* In-progress attempt */
  291. struct http_auth_state {
  292. int state;
  293. char *challenge;
  294. union {
  295. #ifdef HAVE_GSSAPI
  296. struct {
  297. gss_name_t gss_target_name;
  298. gss_ctx_id_t gss_context;
  299. };
  300. #endif
  301. #ifdef _WIN32
  302. struct {
  303. CredHandle ntlm_sspi_cred;
  304. CtxtHandle ntlm_sspi_ctx;
  305. };
  306. struct {
  307. CredHandle sspi_cred;
  308. CtxtHandle sspi_ctx;
  309. SEC_WCHAR *sspi_target_name;
  310. };
  311. #else
  312. struct {
  313. int ntlm_helper_fd;
  314. };
  315. #endif
  316. };
  317. };
  318. #define TLS_OVERHEAD 5 /* packet + header */
  319. #define DTLS_OVERHEAD (1 /* packet + header */ + 13 /* DTLS header */ + \
  320. 20 /* biggest supported MAC (SHA1) */ + 32 /* biggest supported IV (AES-256) */ + \
  321. 16 /* max padding */)
  322. struct esp {
  323. #if defined(OPENCONNECT_GNUTLS)
  324. gnutls_cipher_hd_t cipher;
  325. gnutls_hmac_hd_t hmac;
  326. #elif defined(OPENCONNECT_OPENSSL)
  327. HMAC_CTX *hmac;
  328. EVP_CIPHER_CTX *cipher;
  329. #endif
  330. uint64_t seq_backlog;
  331. uint64_t seq;
  332. uint32_t spi; /* Stored network-endian */
  333. unsigned char enc_key[0x40]; /* Encryption key */
  334. unsigned char hmac_key[0x40]; /* HMAC key */
  335. unsigned char iv[16];
  336. };
  337. struct oc_pcsc_ctx;
  338. struct oc_tpm1_ctx;
  339. struct oc_tpm2_ctx;
  340. struct openconnect_info;
  341. struct cert_info {
  342. struct openconnect_info *vpninfo;
  343. char *cert;
  344. char *key;
  345. char *password;
  346. void *priv_info;
  347. #if defined(OPENCONNECT_GNUTLS) && defined(HAVE_TROUSERS)
  348. struct oc_tpm1_ctx *tpm1;
  349. #endif
  350. #if defined(OPENCONNECT_GNUTLS) && defined (HAVE_TSS2)
  351. struct oc_tpm2_ctx *tpm2;
  352. #endif
  353. };
  354. struct pkt_q {
  355. struct pkt *head;
  356. struct pkt **tail;
  357. int count;
  358. };
  359. struct vpn_proto;
  360. struct openconnect_info {
  361. const struct vpn_proto *proto;
  362. #ifdef HAVE_ICONV
  363. iconv_t ic_legacy_to_utf8;
  364. iconv_t ic_utf8_to_legacy;
  365. #endif
  366. char *redirect_url;
  367. int redirect_type;
  368. unsigned char esp_hmac;
  369. unsigned char esp_enc;
  370. unsigned char esp_compr;
  371. uint32_t esp_replay_protect;
  372. uint32_t esp_lifetime_bytes;
  373. uint32_t esp_lifetime_seconds;
  374. uint32_t esp_ssl_fallback;
  375. int current_esp_in;
  376. int old_esp_maxseq;
  377. struct esp esp_in[2];
  378. struct esp esp_out;
  379. int enc_key_len;
  380. int hmac_key_len;
  381. int hmac_out_len;
  382. int esp_magic_af;
  383. unsigned char esp_magic[16]; /* GlobalProtect magic ping address (network-endian) */
  384. struct oc_ppp *ppp;
  385. struct oc_text_buf *ppp_tls_connect_req;
  386. struct oc_text_buf *ppp_dtls_connect_req;
  387. int tncc_fd; /* For Juniper TNCC */
  388. char *platname;
  389. char *mobile_platform_version;
  390. char *mobile_device_type;
  391. char *mobile_device_uniqueid;
  392. char *csd_token;
  393. char *csd_ticket;
  394. char *csd_stuburl;
  395. char *csd_starturl;
  396. char *csd_waiturl;
  397. char *csd_preurl;
  398. char *csd_scriptname;
  399. xmlNode *opaque_srvdata;
  400. char *profile_url;
  401. char *profile_sha1;
  402. #ifdef LIBPROXY_HDR
  403. pxProxyFactory *proxy_factory;
  404. #endif
  405. char *proxy_type;
  406. char *proxy;
  407. int proxy_port;
  408. int proxy_fd;
  409. char *proxy_user;
  410. char *proxy_pass;
  411. char *bearer_token;
  412. int proxy_close_during_auth;
  413. int retry_on_auth_fail;
  414. int try_http_auth;
  415. struct http_auth_state http_auth[MAX_AUTH_TYPES];
  416. struct http_auth_state proxy_auth[MAX_AUTH_TYPES];
  417. char *localname;
  418. char *hostname; /* This is the original hostname (or IP address)
  419. * we were asked to connect to */
  420. char *unique_hostname; /* This is the IP address of the actual host
  421. * that we connected to; the result of the
  422. * DNS lookup. We do this so that we can be
  423. * sure we reconnect to the same server we
  424. * authenticated to. */
  425. int port;
  426. char *urlpath;
  427. /* The application might ask us to recreate a connection URL,
  428. * and we own the string so cache it for later freeing. */
  429. struct oc_text_buf *connect_urlbuf;
  430. int cert_expire_warning;
  431. struct cert_info certinfo[2];
  432. char *cafile;
  433. unsigned no_system_trust;
  434. const char *xmlconfig;
  435. char xmlsha1[(SHA1_SIZE * 2) + 1];
  436. char *authgroup;
  437. int nopasswd;
  438. int xmlpost;
  439. char *dtls_ciphers;
  440. char *dtls12_ciphers;
  441. char *csd_wrapper;
  442. int trojan_interval;
  443. time_t last_trojan;
  444. int no_http_keepalive;
  445. int dump_http_traffic;
  446. int token_mode;
  447. int token_bypassed;
  448. int token_tries;
  449. time_t token_time;
  450. #ifdef HAVE_LIBSTOKEN
  451. struct stoken_ctx *stoken_ctx;
  452. char *stoken_pin;
  453. int stoken_concat_pin;
  454. int stoken_interval;
  455. #endif
  456. #ifdef HAVE_LIBPSKC
  457. pskc_t *pskc;
  458. pskc_key_t *pskc_key;
  459. #endif
  460. char *oath_secret;
  461. size_t oath_secret_len;
  462. enum {
  463. OATH_ALG_HMAC_SHA1 = 0,
  464. OATH_ALG_HMAC_SHA256,
  465. OATH_ALG_HMAC_SHA512,
  466. } oath_hmac_alg;
  467. enum {
  468. HOTP_SECRET_BASE32 = 1,
  469. HOTP_SECRET_RAW,
  470. HOTP_SECRET_HEX,
  471. HOTP_SECRET_PSKC,
  472. } hotp_secret_format; /* We need to give it back in the same form */
  473. #ifdef HAVE_LIBPCSCLITE
  474. struct oc_pcsc_ctx *pcsc;
  475. unsigned char yubikey_pwhash[16];
  476. #endif
  477. openconnect_lock_token_vfn lock_token;
  478. openconnect_unlock_token_vfn unlock_token;
  479. void *tok_cbdata;
  480. void *peer_cert;
  481. /* The SHA1 and SHA256 hashes of the peer's public key */
  482. uint8_t peer_cert_sha1_raw[SHA1_SIZE];
  483. uint8_t peer_cert_sha256_raw[SHA256_SIZE];
  484. /* this value is cache for openconnect_get_peer_cert_hash */
  485. char *peer_cert_hash;
  486. void *cert_list_handle;
  487. int cert_list_size;
  488. char *cookie; /* Pointer to within cookies list */
  489. struct oc_vpn_option *cookies;
  490. struct oc_vpn_option *cstp_options;
  491. struct oc_vpn_option *dtls_options;
  492. struct oc_vpn_option *script_env;
  493. struct oc_vpn_option *csd_env;
  494. unsigned pfs;
  495. unsigned no_tls13;
  496. unsigned allow_insecure_crypto; /* Allow 3DES and RC4 (known-insecure, but the best that some ancient servers can do) */
  497. #if defined(OPENCONNECT_OPENSSL)
  498. #ifdef HAVE_LIBP11
  499. PKCS11_CTX *pkcs11_ctx;
  500. PKCS11_SLOT *pkcs11_slot_list;
  501. unsigned int pkcs11_slot_count;
  502. PKCS11_SLOT *pkcs11_cert_slot;
  503. unsigned char *pkcs11_cert_id;
  504. size_t pkcs11_cert_id_len;
  505. #endif
  506. X509 *cert_x509;
  507. SSL_CTX *https_ctx;
  508. SSL *https_ssl;
  509. BIO_METHOD *ttls_bio_meth;
  510. EC_KEY *strap_key;
  511. EC_KEY *strap_dh_key;
  512. #elif defined(OPENCONNECT_GNUTLS)
  513. gnutls_session_t https_sess;
  514. gnutls_session_t eap_ttls_sess;
  515. gnutls_certificate_credentials_t https_cred;
  516. gnutls_psk_client_credentials_t psk_cred;
  517. char local_cert_md5[MD5_SIZE * 2 + 1]; /* For CSD */
  518. gnutls_privkey_t strap_key;
  519. gnutls_privkey_t strap_dh_key;
  520. unsigned char finished[64];
  521. int finished_len;
  522. #endif /* OPENCONNECT_GNUTLS */
  523. char *strap_pubkey;
  524. char *strap_dh_pubkey;
  525. char *ciphersuite_config;
  526. struct oc_text_buf *ttls_pushbuf;
  527. uint8_t ttls_eap_ident;
  528. unsigned char *ttls_recvbuf;
  529. int ttls_recvpos;
  530. int ttls_recvlen;
  531. uint32_t ttls_msgleft;
  532. struct pin_cache *pin_cache;
  533. struct keepalive_info ssl_times;
  534. int owe_ssl_dpd_response;
  535. int deflate_pkt_size; /* It may need to be larger than MTU */
  536. struct pkt *deflate_pkt; /* For compressing outbound packets into */
  537. struct pkt *pending_deflated_pkt; /* The original packet associated with above */
  538. struct pkt *current_ssl_pkt; /* Partially sent SSL packet */
  539. int partial_rec_size; /* For tracking partially-received packets */
  540. /* Packet buffers for receiving into */
  541. struct pkt *cstp_pkt;
  542. struct pkt *dtls_pkt;
  543. struct pkt *tun_pkt;
  544. int pkt_trailer; /* How many bytes after payload for encryption (ESP HMAC) */
  545. z_stream inflate_strm;
  546. uint32_t inflate_adler32;
  547. z_stream deflate_strm;
  548. uint32_t deflate_adler32;
  549. int disable_ipv6;
  550. int reconnect_timeout;
  551. int reconnect_interval;
  552. int dtls_attempt_period;
  553. time_t auth_expiration;
  554. time_t new_dtls_started;
  555. #if defined(OPENCONNECT_OPENSSL)
  556. SSL_CTX *dtls_ctx;
  557. SSL *dtls_ssl;
  558. #elif defined(OPENCONNECT_GNUTLS)
  559. /* Call this dtls_ssl rather than dtls_sess because it's just a
  560. pointer, and generic code in dtls.c wants to check if it's
  561. NULL or not or pass it to DTLS_SEND/DTLS_RECV. This way we
  562. have fewer ifdefs and accessor macros for it. */
  563. gnutls_session_t dtls_ssl;
  564. #endif
  565. char *cstp_cipher; /* library-dependent description of TLS cipher */
  566. char *dtls_cipher_desc; /* library-dependent description of DTLS cipher, cached for openconnect_get_dtls_cipher() */
  567. int dtls_state;
  568. int dtls_need_reconnect;
  569. int tcp_blocked_for_udp; /* Some protocols explicitly *tell* the server
  570. * over the TCP channel to switch to UDP. */
  571. struct keepalive_info dtls_times;
  572. unsigned char dtls_session_id[32];
  573. unsigned char dtls_secret[TLS_MASTER_KEY_SIZE];
  574. unsigned char dtls_app_id[32];
  575. unsigned dtls_app_id_size;
  576. uint32_t ift_seq;
  577. int dtls12; /* For PPP protocols with anonymous DTLS, this being zero indicates that
  578. * the server *cannot* handle DTLSv1.2 and we mustn't even try to negotiate
  579. * it (e.g. F5 BIG-IP v15 and lower). If it's 1, we can try anything;
  580. * even DTLSv1.3.
  581. *
  582. * For AnyConnect, it means the Cisco server sent the X-DTLS12-CipherSuite
  583. * header, rather than X-DTLS-CipherSuite which indicates their DTLSv0.9.
  584. */
  585. char *dtls_cipher; /* Only set for AnyConnect. Defines the session to be "resumed"
  586. * ("PSK-NEGOTIATE", or an OpenSSL cipher name). */
  587. char *vpnc_script;
  588. #ifndef _WIN32
  589. int uid_csd_given;
  590. uid_t uid_csd;
  591. gid_t gid_csd;
  592. uid_t uid;
  593. gid_t gid;
  594. #endif
  595. int use_tun_script;
  596. int script_tun;
  597. char *ifname;
  598. char *cmd_ifname;
  599. int reqmtu, basemtu; /* Local static configured values */
  600. const char *banner;
  601. struct oc_ip_info ip_info;
  602. int cstp_basemtu; /* Returned by server */
  603. int idle_timeout; /* Returned by server */
  604. #ifdef _WIN32
  605. long dtls_monitored, ssl_monitored, cmd_monitored, tun_monitored;
  606. HANDLE dtls_event, ssl_event, cmd_event;
  607. #else
  608. int _select_nfds;
  609. fd_set _select_rfds;
  610. fd_set _select_wfds;
  611. fd_set _select_efds;
  612. #ifdef HAVE_EPOLL
  613. int epoll_fd;
  614. int epoll_update;
  615. uint32_t tun_epoll, ssl_epoll, dtls_epoll, cmd_epoll;
  616. #ifdef HAVE_VHOST
  617. uint32_t vhost_call_epoll;
  618. #endif
  619. #endif
  620. #endif
  621. #ifdef __sun__
  622. int ip_fd;
  623. int ip6_fd;
  624. #endif
  625. #ifdef HAVE_VHOST
  626. int vhost_ring_size;
  627. int vhost_fd, vhost_call_fd, vhost_kick_fd;
  628. struct oc_vring tx_vring, rx_vring;
  629. #endif
  630. #ifdef _WIN32
  631. HMODULE wintun;
  632. wchar_t *ifname_w;
  633. WINTUN_ADAPTER_HANDLE wintun_adapter;
  634. WINTUN_SESSION_HANDLE wintun_session;
  635. HANDLE tun_fh;
  636. OVERLAPPED tun_rd_overlap, tun_wr_overlap;
  637. int tun_idx, tun_rd_pending;
  638. #else
  639. int tun_fd;
  640. #endif
  641. int ssl_fd;
  642. int dtls_fd;
  643. int dtls_tos_current;
  644. int dtls_pass_tos;
  645. int dtls_tos_proto, dtls_tos_optname;
  646. /* An optimisation for the case where our own code is the only
  647. * thing that *could* write to the cmd_fd, to avoid constantly
  648. * polling on it while we're busy shovelling packets. */
  649. int need_poll_cmd_fd;
  650. int cmd_fd_internal;
  651. int cmd_fd;
  652. int cmd_fd_write;
  653. int got_cancel_cmd;
  654. int got_pause_cmd;
  655. char cancel_type;
  656. struct pkt_q free_queue;
  657. struct pkt_q incoming_queue;
  658. struct pkt_q outgoing_queue;
  659. struct pkt_q tcp_control_queue; /* Control packets to be sent via TCP */
  660. int max_qlen;
  661. struct oc_stats stats;
  662. openconnect_stats_vfn stats_handler;
  663. socklen_t peer_addrlen;
  664. struct sockaddr *peer_addr;
  665. struct sockaddr *dtls_addr;
  666. int dtls_local_port;
  667. int req_compr; /* What we requested */
  668. int cstp_compr; /* Accepted for CSTP */
  669. int dtls_compr; /* Accepted for DTLS */
  670. int is_dyndns; /* Attempt to redo DNS lookup on each CSTP reconnect */
  671. char *useragent;
  672. char *version_string;
  673. const char *quit_reason;
  674. const char *delay_tunnel_reason; /* If non-null, provides a reason why protocol is not yet ready for tunnel setup */
  675. enum {
  676. NO_DELAY_CLOSE = 0,
  677. DELAY_CLOSE_WAIT,
  678. DELAY_CLOSE_IMMEDIATE_CALLBACK,
  679. } delay_close; /* Delay close of mainloop */
  680. char *sso_login;
  681. char *sso_login_final;
  682. char *sso_username;
  683. char *sso_token_cookie;
  684. char *sso_error_cookie;
  685. char *sso_cookie_value;
  686. char *sso_browser_mode;
  687. int verbose;
  688. void *cbdata;
  689. openconnect_validate_peer_cert_vfn validate_peer_cert;
  690. openconnect_write_new_config_vfn write_new_config;
  691. openconnect_open_webview_vfn open_webview;
  692. openconnect_open_webview_vfn open_ext_browser;
  693. openconnect_process_auth_form_vfn process_auth_form;
  694. openconnect_progress_vfn progress;
  695. openconnect_protect_socket_vfn protect_socket;
  696. openconnect_getaddrinfo_vfn getaddrinfo_override;
  697. openconnect_setup_tun_vfn setup_tun;
  698. openconnect_reconnected_vfn reconnected;
  699. int (*ssl_read)(struct openconnect_info *vpninfo, char *buf, size_t len);
  700. int (*ssl_gets)(struct openconnect_info *vpninfo, char *buf, size_t len);
  701. int (*ssl_write)(struct openconnect_info *vpninfo, char *buf, size_t len);
  702. };
  703. struct vpn_proto {
  704. const char *name;
  705. const char *pretty_name;
  706. const char *description;
  707. const char *secure_cookie;
  708. const char *udp_protocol;
  709. int proto;
  710. unsigned int flags;
  711. int (*vpn_close_session)(struct openconnect_info *vpninfo, const char *reason);
  712. /* This does the full authentication, calling back as appropriate */
  713. int (*obtain_cookie)(struct openconnect_info *vpninfo);
  714. /* This checks if SSO authentication is complete */
  715. int (*sso_detect_done)(struct openconnect_info *vpninfo, const struct oc_webview_result *result);
  716. /* Establish the TCP connection (and obtain configuration) */
  717. int (*tcp_connect)(struct openconnect_info *vpninfo);
  718. int (*tcp_mainloop)(struct openconnect_info *vpninfo, int *timeout, int readable);
  719. /* Add headers common to each HTTP request */
  720. void (*add_http_headers)(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
  721. /* Set up the UDP (DTLS) connection. Doesn't actually *start* it. */
  722. int (*udp_setup)(struct openconnect_info *vpninfo);
  723. /* This will actually complete the UDP connection setup/handshake on the wire,
  724. as well as transporting packets */
  725. int (*udp_mainloop)(struct openconnect_info *vpninfo, int *timeout, int readable);
  726. /* Close the connection but leave the session setup so it restarts */
  727. void (*udp_close)(struct openconnect_info *vpninfo);
  728. /* Close and destroy the (UDP) session */
  729. void (*udp_shutdown)(struct openconnect_info *vpninfo);
  730. /* Send probe packets to start or maintain the (UDP) session */
  731. int (*udp_send_probes)(struct openconnect_info *vpninfo);
  732. /* Catch probe packet confirming the (UDP) session */
  733. int (*udp_catch_probe)(struct openconnect_info *vpninfo, struct pkt *p);
  734. };
  735. static inline struct pkt *dequeue_packet(struct pkt_q *q)
  736. {
  737. struct pkt *ret = q->head;
  738. if (ret) {
  739. struct pkt *next = ret->next;
  740. if (!--q->count)
  741. q->tail = &q->head;
  742. q->head = next;
  743. }
  744. return ret;
  745. }
  746. static inline void requeue_packet(struct pkt_q *q, struct pkt *p)
  747. {
  748. p->next = q->head;
  749. q->head = p;
  750. if (!q->count++)
  751. q->tail = &p->next;
  752. }
  753. static inline int queue_packet(struct pkt_q *q, struct pkt *p)
  754. {
  755. *(q->tail) = p;
  756. p->next = NULL;
  757. q->tail = &p->next;
  758. return ++q->count;
  759. }
  760. static inline void init_pkt_queue(struct pkt_q *q)
  761. {
  762. q->tail = &q->head;
  763. }
  764. static inline struct pkt *alloc_pkt(struct openconnect_info *vpninfo, int len)
  765. {
  766. int alloc_len = sizeof(struct pkt) + len;
  767. if (vpninfo->free_queue.head &&
  768. vpninfo->free_queue.head->alloc_len >= alloc_len)
  769. return dequeue_packet(&vpninfo->free_queue);
  770. if (alloc_len < 2048)
  771. alloc_len = 2048;
  772. struct pkt *pkt = malloc(alloc_len);
  773. if (pkt)
  774. pkt->alloc_len = alloc_len;
  775. return pkt;
  776. }
  777. static inline void free_pkt(struct openconnect_info *vpninfo, struct pkt *pkt)
  778. {
  779. if (!pkt)
  780. return;
  781. if (vpninfo->free_queue.count < vpninfo->max_qlen * 2)
  782. requeue_packet(&vpninfo->free_queue, pkt);
  783. else
  784. free(pkt);
  785. }
  786. #define vpn_progress(_v, lvl, ...) do { \
  787. if ((_v)->verbose >= (lvl)) \
  788. (_v)->progress((_v)->cbdata, lvl, __VA_ARGS__); \
  789. } while(0)
  790. #define vpn_perror(vpninfo, msg) vpn_progress((vpninfo), PRG_ERR, "%s: %s\n", (msg), strerror(errno))
  791. #ifdef _WIN32
  792. #define monitor_read_fd(_v, _n) (_v->_n##_monitored |= FD_READ)
  793. #define monitor_write_fd(_v, _n) (_v->_n##_monitored |= FD_WRITE)
  794. #define monitor_except_fd(_v, _n) (_v->_n##_monitored |= FD_CLOSE)
  795. #define unmonitor_read_fd(_v, _n) (_v->_n##_monitored &= ~FD_READ)
  796. #define unmonitor_write_fd(_v, _n) (_v->_n##_monitored &= ~FD_WRITE)
  797. #define unmonitor_except_fd(_v, _n) (_v->_n##_monitored &= ~FD_CLOSE)
  798. #define monitor_fd_new(_v, _n) do { if (!_v->_n##_event) _v->_n##_event = CreateEvent(NULL, FALSE, FALSE, NULL); } while (0)
  799. #define read_fd_monitored(_v, _n) (_v->_n##_monitored & FD_READ)
  800. #define __unmonitor_fd(_v, _n) do { CloseHandle(_v->_n##_event); \
  801. _v->_n##_event = (HANDLE)0; \
  802. } while(0)
  803. #else
  804. #ifdef HAVE_EPOLL
  805. static inline void __sync_epoll_fd(struct openconnect_info *vpninfo, int fd, uint32_t *fd_evts)
  806. {
  807. if (vpninfo->epoll_fd >= 0 && fd >= 0) {
  808. struct epoll_event ev = { 0 };
  809. ev.data.fd = fd;
  810. if (FD_ISSET(fd, &vpninfo->_select_rfds))
  811. ev.events |= EPOLLIN;
  812. if (FD_ISSET(fd, &vpninfo->_select_wfds))
  813. ev.events |= EPOLLOUT;
  814. if (ev.events != *fd_evts) {
  815. if (epoll_ctl(vpninfo->epoll_fd, EPOLL_CTL_MOD, fd, &ev)) {
  816. vpn_perror(vpninfo, "EPOLL_CTL_MOD");
  817. close(vpninfo->epoll_fd);
  818. vpninfo->epoll_fd = -1;
  819. }
  820. *fd_evts = ev.events;
  821. }
  822. }
  823. }
  824. #define update_epoll_fd(_v, _n) __sync_epoll_fd(_v, _v->_n##_fd, &_v->_n##_epoll)
  825. static inline void __remove_epoll_fd(struct openconnect_info *vpninfo, int fd)
  826. {
  827. struct epoll_event ev = { 0 };
  828. if (vpninfo->epoll_fd >= 0 &&
  829. epoll_ctl(vpninfo->epoll_fd, EPOLL_CTL_DEL, fd, &ev) < 0 &&
  830. errno != ENOENT)
  831. vpn_perror(vpninfo, "EPOLL_CTL_DEL");
  832. /* No other action on error; if it truly matters we'll bail later
  833. * and fall back to select(). We also explicitly ignore ENOENT
  834. * because openconnect_close_https() will always unmonitor the
  835. * ssl_fd even when we never got to the point of using it in the
  836. * main loop and actually monitoring it. */
  837. }
  838. #define __unmonitor_fd(_v, _n) do { \
  839. __remove_epoll_fd(_v, _v->_n##_fd); \
  840. _v->_n##_epoll = 0; } while(0)
  841. #else /* !HAVE_POLL */
  842. #define __unmonitor_fd(_v, _n) do { } while(0)
  843. #endif
  844. static inline void __monitor_fd_event(struct openconnect_info *vpninfo,
  845. int fd, fd_set *set)
  846. {
  847. if (fd < 0 || FD_ISSET(fd, set))
  848. return;
  849. FD_SET(fd, set);
  850. #ifdef HAVE_EPOLL
  851. vpninfo->epoll_update = 1;
  852. #endif
  853. }
  854. static inline void __unmonitor_fd_event(struct openconnect_info *vpninfo,
  855. int fd, fd_set *set)
  856. {
  857. if (fd < 0 || !FD_ISSET(fd, set))
  858. return;
  859. FD_CLR(fd, set);
  860. #ifdef HAVE_EPOLL
  861. vpninfo->epoll_update = 1;
  862. #endif
  863. }
  864. #define monitor_read_fd(_v, _n) __monitor_fd_event(_v, _v->_n##_fd, &_v->_select_rfds)
  865. #define unmonitor_read_fd(_v, _n) __unmonitor_fd_event(_v, _v->_n##_fd, &_v->_select_rfds)
  866. #define monitor_write_fd(_v, _n) __monitor_fd_event(_v, _v->_n##_fd, &_v->_select_wfds)
  867. #define unmonitor_write_fd(_v, _n) __unmonitor_fd_event(_v, _v->_n##_fd, &_v->_select_wfds)
  868. #define monitor_except_fd(_v, _n) __monitor_fd_event(_v, _v->_n##_fd, &_v->_select_efds)
  869. #define unmonitor_except_fd(_v, _n) __unmonitor_fd_event(_v, _v->_n##_fd, &_v->_select_efds)
  870. static inline void __monitor_fd_new(struct openconnect_info *vpninfo,
  871. int fd)
  872. {
  873. if (vpninfo->_select_nfds <= fd)
  874. vpninfo->_select_nfds = fd + 1;
  875. #ifdef HAVE_EPOLL
  876. if (vpninfo->epoll_fd >= 0) {
  877. struct epoll_event ev = { 0 };
  878. ev.data.fd = fd;
  879. if (epoll_ctl(vpninfo->epoll_fd, EPOLL_CTL_ADD, fd, &ev)) {
  880. vpn_perror(vpninfo, "EPOLL_CTL_ADD");
  881. close(vpninfo->epoll_fd);
  882. vpninfo->epoll_fd = -1;
  883. }
  884. }
  885. #endif
  886. }
  887. #define monitor_fd_new(_v, _n) __monitor_fd_new(_v, _v->_n##_fd)
  888. #define read_fd_monitored(_v, _n) FD_ISSET(_v->_n##_fd, &_v->_select_rfds)
  889. #endif /* !WIN32 */
  890. /* This is for all platforms */
  891. #define unmonitor_fd(_v, _n) do { \
  892. unmonitor_read_fd(_v, _n); \
  893. unmonitor_write_fd(_v, _n); \
  894. unmonitor_except_fd(_v, _n); \
  895. __unmonitor_fd(_v, _n); \
  896. } while(0)
  897. /* Key material for DTLS-PSK */
  898. #define PSK_LABEL "EXPORTER-openconnect-psk"
  899. #define PSK_LABEL_SIZE (sizeof(PSK_LABEL) - 1)
  900. #define PSK_KEY_SIZE 32
  901. /* Packet types */
  902. #define AC_PKT_DATA 0 /* Uncompressed data */
  903. #define AC_PKT_DPD_OUT 3 /* Dead Peer Detection */
  904. #define AC_PKT_DPD_RESP 4 /* DPD response */
  905. #define AC_PKT_DISCONN 5 /* Client disconnection notice */
  906. #define AC_PKT_KEEPALIVE 7 /* Keepalive */
  907. #define AC_PKT_COMPRESSED 8 /* Compressed data */
  908. #define AC_PKT_TERM_SERVER 9 /* Server kick */
  909. /* Encryption and HMAC algorithms (matching Juniper/Pulse binary encoding) */
  910. #define ENC_AES_128_CBC 2
  911. #define ENC_AES_256_CBC 5
  912. #define HMAC_MD5 1
  913. #define HMAC_SHA1 2
  914. #define HMAC_SHA256 3
  915. #define MAX_HMAC_SIZE 32 /* SHA256 */
  916. #define MAX_IV_SIZE 16
  917. #define MAX_ESP_PAD 17 /* Including the next-header field */
  918. /****************************************************************************/
  919. /* Oh Solaris how we hate thee! */
  920. #ifdef HAVE_SUNOS_BROKEN_TIME
  921. #define time(x) openconnect__time(x)
  922. time_t openconnect__time(time_t *t);
  923. #endif
  924. #ifndef HAVE_VASPRINTF
  925. #define vasprintf openconnect__vasprintf
  926. int openconnect__vasprintf(char **strp, const char *fmt, va_list ap);
  927. #endif
  928. #ifndef HAVE_ASPRINTF
  929. #define asprintf openconnect__asprintf
  930. int openconnect__asprintf(char **strp, const char *fmt, ...);
  931. #endif
  932. #ifndef HAVE_GETLINE
  933. #define getline openconnect__getline
  934. ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
  935. #endif
  936. #ifndef HAVE_STRCASESTR
  937. #define strcasestr openconnect__strcasestr
  938. char *openconnect__strcasestr(const char *haystack, const char *needle);
  939. #endif
  940. #ifndef HAVE_STRNDUP
  941. #undef strndup
  942. #define strndup openconnect__strndup
  943. char *openconnect__strndup(const char *s, size_t n);
  944. #endif
  945. #ifndef HAVE_STRCHRNUL
  946. #undef strchrnul
  947. #define strchrnul openconnect__strchrnul
  948. const char *openconnect__strchrnul(const char *s, int c);
  949. #endif
  950. #ifndef HAVE_INET_ATON
  951. #define inet_aton openconnect__inet_aton
  952. int openconnect__inet_aton(const char *cp, struct in_addr *addr);
  953. #endif
  954. static inline int set_sock_nonblock(int fd)
  955. {
  956. #ifdef _WIN32
  957. unsigned long mode = 1;
  958. return ioctlsocket(fd, FIONBIO, &mode);
  959. #else
  960. return fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
  961. #endif
  962. }
  963. static inline int set_fd_cloexec(int fd)
  964. {
  965. #ifdef _WIN32
  966. return 0; /* Windows has O_INHERIT but... */
  967. #else
  968. int ret = fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
  969. /*
  970. * Coverity gets really sad if we don't check the error here.
  971. * But really, we're doing this to be a 'good citizen' when
  972. * running as a library, and we aren't even going to bother
  973. * printing a debug message if it fails. We just don't care.
  974. */
  975. if (ret)
  976. return ret;
  977. return 0;
  978. #endif
  979. }
  980. static inline int tun_is_up(struct openconnect_info *vpninfo)
  981. {
  982. #ifdef _WIN32
  983. return vpninfo->tun_fh != NULL;
  984. #else
  985. return vpninfo->tun_fd != -1;
  986. #endif
  987. }
  988. #ifdef _WIN32
  989. #define pipe(fds) _pipe(fds, 4096, O_BINARY)
  990. int openconnect__win32_sock_init(void);
  991. char *openconnect__win32_strerror(DWORD err);
  992. #undef setenv
  993. #define setenv openconnect__win32_setenv
  994. int openconnect__win32_setenv(const char *name, const char *value, int overwrite);
  995. #undef inet_pton
  996. #define inet_pton openconnect__win32_inet_pton
  997. int openconnect__win32_inet_pton(int af, const char *src, void *dst);
  998. #define OPENCONNECT_CMD_SOCKET SOCKET
  999. int dumb_socketpair(OPENCONNECT_CMD_SOCKET socks[2], int make_overlapped);
  1000. #else
  1001. #define closesocket close
  1002. #define OPENCONNECT_CMD_SOCKET int
  1003. #ifndef O_BINARY
  1004. #define O_BINARY 0
  1005. #endif
  1006. #endif
  1007. /* For systems that don't support O_CLOEXEC, just don't bother.
  1008. We don't keep files open for long anyway. */
  1009. #ifndef O_CLOEXEC
  1010. #define O_CLOEXEC 0
  1011. #endif
  1012. /* I always coded as if it worked like this. Now it does. */
  1013. #define realloc_inplace(p, size) do { \
  1014. void *__realloc_old = p; \
  1015. p = realloc(p, size); \
  1016. if (size && !p) \
  1017. free(__realloc_old); \
  1018. } while (0)
  1019. /****************************************************************************/
  1020. typedef enum {
  1021. MULTICERT_COMPAT = (1<<0),
  1022. } cert_flag_t;
  1023. typedef enum {
  1024. CERT_FORMAT_ASN1 = 0,
  1025. CERT_FORMAT_PEM = 1,
  1026. } cert_format_t;
  1027. typedef enum {
  1028. OPENCONNECT_HASH_UNKNOWN = 0,
  1029. #define OPENCONNECT_HASH_NONE OPENCONNECT_HASH_NONE
  1030. OPENCONNECT_HASH_SHA256 = 1,
  1031. #define OPENCONNECT_HASH_SHA256 OPENCONNECT_HASH_SHA256
  1032. OPENCONNECT_HASH_SHA384 = 2,
  1033. #define OPENCONNECT_HASH_SHA384 OPENCONNECT_HASH_SHA384
  1034. OPENCONNECT_HASH_SHA512 = 3,
  1035. #define OPENCONNECT_HASH_SHA512 OPENCONNECT_HASH_SHA512
  1036. OPENCONNECT_HASH_MAX = OPENCONNECT_HASH_SHA512
  1037. } openconnect_hash_type;
  1038. int load_certificate(struct openconnect_info *, struct cert_info *, int flags);
  1039. void unload_certificate(struct cert_info *, int final);
  1040. int export_certificate_pkcs7(struct openconnect_info *, struct cert_info *, cert_format_t format, struct oc_text_buf **);
  1041. /* multiple certificate authentication */
  1042. #define MULTICERT_HASH_FLAG(v) ((v)?(1<<((v)-1)):0)
  1043. int multicert_sign_data(struct openconnect_info *, struct cert_info *certinfo, unsigned int hashes,
  1044. const void *data, size_t datalen, struct oc_text_buf **signature);
  1045. const char *multicert_hash_get_name(int id);
  1046. openconnect_hash_type multicert_hash_get_id(const char *name);
  1047. /* iconv.c */
  1048. #ifdef HAVE_ICONV
  1049. char *openconnect_utf8_to_legacy(struct openconnect_info *vpninfo, const char *utf8);
  1050. char *openconnect_legacy_to_utf8(struct openconnect_info *vpninfo, const char *legacy);
  1051. #else
  1052. #define openconnect_utf8_to_legacy(v, str) ((char *)str)
  1053. #define openconnect_legacy_to_utf8(v, str) ((char *)str)
  1054. #endif
  1055. /* script.c */
  1056. unsigned char unhex(const char *data);
  1057. int script_setenv(struct openconnect_info *vpninfo, const char *opt, const char *val, int trunc, int append);
  1058. int script_setenv_int(struct openconnect_info *vpninfo, const char *opt, int value);
  1059. void prepare_script_env(struct openconnect_info *vpninfo);
  1060. int script_config_tun(struct openconnect_info *vpninfo, const char *reason);
  1061. int apply_script_env(struct oc_vpn_option *envs);
  1062. void free_split_routes(struct oc_ip_info *ip_info);
  1063. int install_vpn_opts(struct openconnect_info *vpninfo, struct oc_vpn_option *opt,
  1064. struct oc_ip_info *ip_info);
  1065. /* vhost.h */
  1066. int setup_vhost(struct openconnect_info *vpninfo, int tun_fd);
  1067. void shutdown_vhost(struct openconnect_info *vpninfo);
  1068. int vhost_tun_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable, int did_work);
  1069. /* tun.c / tun-win32.c */
  1070. void os_shutdown_tun(struct openconnect_info *vpninfo);
  1071. int os_read_tun(struct openconnect_info *vpninfo, struct pkt *pkt);
  1072. int os_write_tun(struct openconnect_info *vpninfo, struct pkt *pkt);
  1073. intptr_t os_setup_tun(struct openconnect_info *vpninfo);
  1074. #ifdef _WIN32
  1075. #define OPEN_TUN_SOFTFAIL 0
  1076. #define OPEN_TUN_HARDFAIL -1
  1077. /* wintun.c */
  1078. void os_shutdown_wintun(struct openconnect_info *vpninfo);
  1079. int os_read_wintun(struct openconnect_info *vpninfo, struct pkt *pkt);
  1080. int os_write_wintun(struct openconnect_info *vpninfo, struct pkt *pkt);
  1081. intptr_t os_setup_wintun(struct openconnect_info *vpninfo);
  1082. int setup_wintun_fd(struct openconnect_info *vpninfo, intptr_t tun_fd);
  1083. intptr_t open_wintun(struct openconnect_info *vpninfo, char *guid, wchar_t *wname);
  1084. int create_wintun(struct openconnect_info *vpninfo);
  1085. #endif
  1086. /* {gnutls,openssl}-dtls.c */
  1087. int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd);
  1088. int dtls_try_handshake(struct openconnect_info *vpninfo, int *timeout);
  1089. unsigned dtls_set_mtu(struct openconnect_info *vpninfo, unsigned mtu);
  1090. void dtls_ssl_free(struct openconnect_info *vpninfo);
  1091. void *establish_eap_ttls(struct openconnect_info *vpninfo);
  1092. void destroy_eap_ttls(struct openconnect_info *vpninfo, void *sess);
  1093. /* dtls.c */
  1094. int dtls_setup(struct openconnect_info *vpninfo);
  1095. int dtls_reconnect(struct openconnect_info *vpninfo, int *timeout);
  1096. int udp_tos_update(struct openconnect_info *vpninfo, struct pkt *pkt);
  1097. int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1098. void dtls_close(struct openconnect_info *vpninfo);
  1099. void dtls_shutdown(struct openconnect_info *vpninfo);
  1100. void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf, struct oc_text_buf *buf12);
  1101. void dtls_detect_mtu(struct openconnect_info *vpninfo);
  1102. int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms);
  1103. int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len);
  1104. char *openconnect_bin2hex(const char *prefix, const uint8_t *data, unsigned len);
  1105. char *openconnect_bin2base64(const char *prefix, const uint8_t *data, unsigned len);
  1106. /* mtucalc.c */
  1107. int calculate_mtu(struct openconnect_info *vpninfo, int is_udp, int unpadded_overhead, int padded_overhead, int block_size);
  1108. /* cstp.c */
  1109. void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
  1110. int cstp_connect(struct openconnect_info *vpninfo);
  1111. int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1112. int cstp_bye(struct openconnect_info *vpninfo, const char *reason);
  1113. int decompress_and_queue_packet(struct openconnect_info *vpninfo, int compr_type,
  1114. unsigned char *buf, int len);
  1115. int compress_packet(struct openconnect_info *vpninfo, int compr_type, struct pkt *this);
  1116. int cstp_sso_detect_done(struct openconnect_info *vpninfo, const struct oc_webview_result *result);
  1117. /* auth-html.c */
  1118. xmlNodePtr htmlnode_next(xmlNodePtr top, xmlNodePtr node);
  1119. xmlNodePtr htmlnode_dive(xmlNodePtr top, xmlNodePtr node);
  1120. xmlNodePtr find_form_node(xmlDocPtr doc);
  1121. int parse_input_node(struct openconnect_info *vpninfo, struct oc_auth_form *form,
  1122. xmlNodePtr node, const char *submit_button,
  1123. int (*can_gen_tokencode)(struct openconnect_info *vpninfo, struct oc_auth_form *form, struct oc_form_opt *opt));
  1124. int parse_select_node(struct openconnect_info *vpninfo, struct oc_auth_form *form,
  1125. xmlNodePtr node);
  1126. struct oc_auth_form *parse_form_node(struct openconnect_info *vpninfo,
  1127. xmlNodePtr node, const char *submit_button,
  1128. int (*can_gen_tokencode)(struct openconnect_info *vpninfo, struct oc_auth_form *form, struct oc_form_opt *opt));
  1129. /* auth-juniper.c */
  1130. int oncp_obtain_cookie(struct openconnect_info *vpninfo);
  1131. int oncp_send_tncc_command(struct openconnect_info *vpninfo, int first);
  1132. void oncp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
  1133. /* oncp.c */
  1134. int oncp_connect(struct openconnect_info *vpninfo);
  1135. int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1136. int oncp_bye(struct openconnect_info *vpninfo, const char *reason);
  1137. void oncp_esp_close(struct openconnect_info *vpninfo);
  1138. int oncp_esp_send_probes(struct openconnect_info *vpninfo);
  1139. int oncp_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt);
  1140. /* pulse.c */
  1141. int pulse_obtain_cookie(struct openconnect_info *vpninfo);
  1142. void pulse_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
  1143. int pulse_connect(struct openconnect_info *vpninfo);
  1144. int pulse_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1145. int pulse_bye(struct openconnect_info *vpninfo, const char *reason);
  1146. int pulse_eap_ttls_send(struct openconnect_info *vpninfo, const void *data, int len);
  1147. int pulse_eap_ttls_recv(struct openconnect_info *vpninfo, void *data, int len);
  1148. /* nullppp.c */
  1149. int nullppp_obtain_cookie(struct openconnect_info *vpninfo);
  1150. int nullppp_connect(struct openconnect_info *vpninfo);
  1151. int nullppp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1152. /* f5.c */
  1153. int f5_obtain_cookie(struct openconnect_info *vpninfo);
  1154. int f5_connect(struct openconnect_info *vpninfo);
  1155. int f5_bye(struct openconnect_info *vpninfo, const char *reason);
  1156. int f5_dtls_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt);
  1157. /* fortinet.c */
  1158. void fortinet_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
  1159. int fortinet_obtain_cookie(struct openconnect_info *vpninfo);
  1160. int fortinet_connect(struct openconnect_info *vpninfo);
  1161. int fortinet_bye(struct openconnect_info *vpninfo, const char *reason);
  1162. int fortinet_dtls_catch_svrhello(struct openconnect_info *vpninfo, struct pkt *pkt);
  1163. /* h3c.c */
  1164. int h3c_connect(struct openconnect_info *vpninfo);
  1165. int h3c_bye(struct openconnect_info *vpninfo, const char *reason);
  1166. int h3c_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1167. void h3c_http_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
  1168. int h3c_obtain_cookie(struct openconnect_info *vpninfo);
  1169. /* ppp.c */
  1170. struct oc_ppp;
  1171. void buf_append_ppphdlc(struct oc_text_buf *buf, const unsigned char *bytes, int len, uint32_t asyncmap);
  1172. void buf_append_ppp_hdr(struct oc_text_buf *buf, struct oc_ppp *ppp, uint16_t proto, uint8_t code, uint8_t id);
  1173. int ppp_negotiate_config(struct openconnect_info *vpninfo);
  1174. int ppp_tcp_should_connect(struct openconnect_info *vpninfo);
  1175. int ppp_start_tcp_mainloop(struct openconnect_info *vpninfo);
  1176. int ppp_tcp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1177. int ppp_udp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1178. int openconnect_ppp_new(struct openconnect_info *vpninfo, int encap, int want_ipv4, int want_ipv6);
  1179. int ppp_reset(struct openconnect_info *vpninfo);
  1180. int check_http_status(const char *buf, int len);
  1181. /* array.c */
  1182. int array_obtain_cookie(struct openconnect_info *vpninfo);
  1183. int array_connect(struct openconnect_info *vpninfo);
  1184. int array_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1185. int array_dtls_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1186. int array_bye(struct openconnect_info *vpninfo, const char *reason);
  1187. /* auth-globalprotect.c */
  1188. int gpst_obtain_cookie(struct openconnect_info *vpninfo);
  1189. void gpst_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
  1190. int gpst_bye(struct openconnect_info *vpninfo, const char *reason);
  1191. const char *gpst_os_name(struct openconnect_info *vpninfo);
  1192. /* gpst.c */
  1193. int gpst_xml_or_error(struct openconnect_info *vpninfo, char *response,
  1194. int (*xml_cb)(struct openconnect_info *, xmlNode *xml_node, void *cb_data),
  1195. int (*challenge_cb)(struct openconnect_info *, char *prompt, char *inputStr, void *cb_data),
  1196. void *cb_data);
  1197. int gpst_setup(struct openconnect_info *vpninfo);
  1198. int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1199. int gpst_esp_send_probes(struct openconnect_info *vpninfo);
  1200. int gpst_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt);
  1201. int gpst_sso_detect_done(struct openconnect_info *vpninfo, const struct oc_webview_result *result);
  1202. /* lzs.c */
  1203. int lzs_decompress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);
  1204. int lzs_compress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);
  1205. /* ssl.c */
  1206. unsigned string_is_hostname(const char *str);
  1207. int connect_https_socket(struct openconnect_info *vpninfo);
  1208. int __attribute__ ((format(printf, 4, 5)))
  1209. request_passphrase(struct openconnect_info *vpninfo, const char *label,
  1210. char **response, const char *fmt, ...);
  1211. int __attribute__ ((format (printf, 2, 3)))
  1212. openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
  1213. int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
  1214. #define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
  1215. #if defined(FAKE_ANDROID_KEYSTORE) || defined(__ANDROID__)
  1216. #define ANDROID_KEYSTORE
  1217. #endif
  1218. #ifdef ANDROID_KEYSTORE
  1219. const char *keystore_strerror(int err);
  1220. int keystore_fetch(const char *key, unsigned char **result);
  1221. #endif
  1222. void cmd_fd_set(struct openconnect_info *vpninfo, fd_set *fds, int *maxfd);
  1223. void check_cmd_fd(struct openconnect_info *vpninfo, fd_set *fds);
  1224. int is_cancel_pending(struct openconnect_info *vpninfo, fd_set *fds);
  1225. void poll_cmd_fd(struct openconnect_info *vpninfo, int timeout);
  1226. int openconnect_open_utf8(struct openconnect_info *vpninfo,
  1227. const char *fname, int mode);
  1228. FILE *openconnect_fopen_utf8(struct openconnect_info *vpninfo,
  1229. const char *fname, const char *mode);
  1230. ssize_t openconnect_read_file(struct openconnect_info *vpninfo, const char *fname,
  1231. char **ptr);
  1232. int udp_sockaddr(struct openconnect_info *vpninfo, int port);
  1233. int udp_connect(struct openconnect_info *vpninfo);
  1234. int ssl_reconnect(struct openconnect_info *vpninfo);
  1235. void openconnect_clear_cookies(struct openconnect_info *vpninfo);
  1236. int cancellable_gets(struct openconnect_info *vpninfo, int fd,
  1237. char *buf, size_t len);
  1238. int cancellable_send(struct openconnect_info *vpninfo, int fd,
  1239. const char *buf, size_t len);
  1240. int cancellable_recv(struct openconnect_info *vpninfo, int fd,
  1241. char *buf, size_t len);
  1242. int cancellable_accept(struct openconnect_info *vpninfo, int fd);
  1243. #if defined(OPENCONNECT_OPENSSL)
  1244. /* openssl-pkcs11.c */
  1245. int load_pkcs11_key(struct openconnect_info *vpninfo, struct cert_info *certinfo, EVP_PKEY **keyp);
  1246. int load_pkcs11_certificate(struct openconnect_info *vpninfo, struct cert_info *certinfo, X509 **certp);
  1247. #endif
  1248. /* esp.c */
  1249. int verify_packet_seqno(struct openconnect_info *vpninfo,
  1250. struct esp *esp, uint32_t seq);
  1251. int esp_setup(struct openconnect_info *vpninfo);
  1252. int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
  1253. void esp_close(struct openconnect_info *vpninfo);
  1254. void esp_shutdown(struct openconnect_info *vpninfo);
  1255. int print_esp_keys(struct openconnect_info *vpninfo, const char *name, struct esp *esp);
  1256. int openconnect_setup_esp_keys(struct openconnect_info *vpninfo, int new_keys);
  1257. int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, uint8_t next_hdr);
  1258. /* {gnutls,openssl}-esp.c */
  1259. void destroy_esp_ciphers(struct esp *esp);
  1260. int init_esp_ciphers(struct openconnect_info *vpninfo, struct esp *out, struct esp *in);
  1261. int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp, struct pkt *pkt);
  1262. int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, int crypt_len);
  1263. /* {gnutls,openssl}.c */
  1264. const char *openconnect_get_tls_library_version(void);
  1265. int can_enable_insecure_crypto(void);
  1266. int ssl_nonblock_read(struct openconnect_info *vpninfo, int dtls, void *buf, int maxlen);
  1267. int ssl_nonblock_write(struct openconnect_info *vpninfo, int dtls, void *buf, int buflen);
  1268. int openconnect_open_https(struct openconnect_info *vpninfo);
  1269. void openconnect_close_https(struct openconnect_info *vpninfo, int final);
  1270. int cstp_handshake(struct openconnect_info *vpninfo, unsigned init);
  1271. int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, void *cert,
  1272. char *buf);
  1273. int openconnect_sha1(unsigned char *result, void *data, int len);
  1274. int openconnect_sha256(unsigned char *result, void *data, int len);
  1275. int openconnect_md5(unsigned char *result, void *data, int len);
  1276. int openconnect_random(void *bytes, int len);
  1277. int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
  1278. char *buf);
  1279. int openconnect_yubikey_chalresp(struct openconnect_info *vpninfo,
  1280. const void *challenge, int chall_len, void *result);
  1281. int openconnect_hash_yubikey_password(struct openconnect_info *vpninfo,
  1282. const char *password, int pwlen,
  1283. const void *ident, int id_len);
  1284. int hotp_hmac(struct openconnect_info *vpninfo, const void *challenge);
  1285. #if defined(OPENCONNECT_OPENSSL)
  1286. #define openconnect_https_connected(_v) ((_v)->https_ssl)
  1287. #elif defined (OPENCONNECT_GNUTLS)
  1288. #define openconnect_https_connected(_v) ((_v)->https_sess)
  1289. #endif
  1290. #ifdef OPENCONNECT_OPENSSL
  1291. int openconnect_install_ctx_verify(struct openconnect_info *vpninfo,
  1292. SSL_CTX *ctx);
  1293. #endif
  1294. void free_strap_keys(struct openconnect_info *vpninfo);
  1295. int generate_strap_keys(struct openconnect_info *vpninfo);
  1296. int ecdh_compute_secp256r1(struct openconnect_info *vpninfo, const unsigned char *pubkey,
  1297. int pubkey_len, unsigned char *secret);
  1298. int hkdf_sha256_extract_expand(struct openconnect_info *vpninfo, unsigned char *buf,
  1299. const unsigned char *info, int infolen);
  1300. int aes_256_gcm_decrypt(struct openconnect_info *vpninfo, unsigned char *key,
  1301. unsigned char *data, int len,
  1302. unsigned char *iv, unsigned char *tag);
  1303. void append_strap_verify(struct openconnect_info *vpninfo, struct oc_text_buf *buf, int rekey);
  1304. void append_strap_privkey(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
  1305. int ingest_strap_privkey(struct openconnect_info *vpninfo, unsigned char *der, int len);
  1306. /* mainloop.c */
  1307. int tun_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable, int did_work);
  1308. int queue_new_packet(struct openconnect_info *vpninfo,
  1309. struct pkt_q *q, void *buf, int len);
  1310. int keepalive_action(struct keepalive_info *ka, int *timeout);
  1311. int ka_stalled_action(struct keepalive_info *ka, int *timeout);
  1312. int ka_check_deadline(int *timeout, time_t now, time_t due);
  1313. int trojan_check_deadline(struct openconnect_info *vpninfo, int *timeout);
  1314. /* xml.c */
  1315. int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
  1316. /* oath.c */
  1317. int set_oath_mode(struct openconnect_info *vpninfo, const char *token_str,
  1318. oc_token_mode_t token_mode);
  1319. int can_gen_totp_code(struct openconnect_info *vpninfo,
  1320. struct oc_auth_form *form,
  1321. struct oc_form_opt *opt);
  1322. int can_gen_hotp_code(struct openconnect_info *vpninfo,
  1323. struct oc_auth_form *form,
  1324. struct oc_form_opt *opt);
  1325. int do_gen_totp_code(struct openconnect_info *vpninfo,
  1326. struct oc_auth_form *form,
  1327. struct oc_form_opt *opt);
  1328. int do_gen_hotp_code(struct openconnect_info *vpninfo,
  1329. struct oc_auth_form *form,
  1330. struct oc_form_opt *opt);
  1331. int set_oidc_token(struct openconnect_info *vpninfo,
  1332. const char *token_str);
  1333. /* stoken.c */
  1334. int prepare_stoken(struct openconnect_info *vpninfo);
  1335. int set_libstoken_mode(struct openconnect_info *vpninfo, const char *token_str);
  1336. int can_gen_stoken_code(struct openconnect_info *vpninfo,
  1337. struct oc_auth_form *form,
  1338. struct oc_form_opt *opt);
  1339. int do_gen_stoken_code(struct openconnect_info *vpninfo,
  1340. struct oc_auth_form *form,
  1341. struct oc_form_opt *opt);
  1342. /* yubikey.c */
  1343. int set_yubikey_mode(struct openconnect_info *vpninfo, const char *token_str);
  1344. int can_gen_yubikey_code(struct openconnect_info *vpninfo,
  1345. struct oc_auth_form *form,
  1346. struct oc_form_opt *opt);
  1347. int do_gen_yubikey_code(struct openconnect_info *vpninfo,
  1348. struct oc_auth_form *form,
  1349. struct oc_form_opt *opt);
  1350. void release_pcsc_ctx(struct openconnect_info *info);
  1351. /* auth.c */
  1352. int cstp_obtain_cookie(struct openconnect_info *vpninfo);
  1353. int set_csd_user(struct openconnect_info *vpninfo);
  1354. /* auth-common.c */
  1355. int xmlnode_is_named(xmlNode *xml_node, const char *name);
  1356. int xmlnode_get_val(xmlNode *xml_node, const char *name, char **var);
  1357. int xmlnode_get_prop(xmlNode *xml_node, const char *name, char **var);
  1358. int xmlnode_match_prop(xmlNode *xml_node, const char *name, const char *match);
  1359. int append_opt(struct oc_text_buf *body, const char *opt, const char *name);
  1360. int append_form_opts(struct openconnect_info *vpninfo,
  1361. struct oc_auth_form *form, struct oc_text_buf *body);
  1362. void clear_mem(void *p, size_t s);
  1363. void free_pass(char **p);
  1364. void free_opt(struct oc_form_opt *opt);
  1365. void free_auth_form(struct oc_auth_form *form);
  1366. int do_gen_tokencode(struct openconnect_info *vpninfo,
  1367. struct oc_auth_form *form);
  1368. int can_gen_tokencode(struct openconnect_info *vpninfo,
  1369. struct oc_auth_form *form,
  1370. struct oc_form_opt *opt);
  1371. /* textbuf,c */
  1372. struct oc_text_buf *buf_alloc(void);
  1373. int buf_error(struct oc_text_buf *buf);
  1374. int buf_free(struct oc_text_buf *buf);
  1375. void buf_truncate(struct oc_text_buf *buf);
  1376. int buf_ensure_space(struct oc_text_buf *buf, int len);
  1377. void buf_append_bytes(struct oc_text_buf *buf, const void *bytes, int len);
  1378. void __attribute__ ((format (printf, 2, 3)))
  1379. buf_append(struct oc_text_buf *buf, const char *fmt, ...);
  1380. void buf_append_urlencoded(struct oc_text_buf *buf, const char *str);
  1381. void buf_append_xmlescaped(struct oc_text_buf *buf, const char *str);
  1382. void buf_append_be16(struct oc_text_buf *buf, uint16_t val);
  1383. void buf_append_be32(struct oc_text_buf *buf, uint32_t val);
  1384. void buf_append_le16(struct oc_text_buf *buf, uint16_t val);
  1385. void buf_append_hex(struct oc_text_buf *buf, const void *str, unsigned len);
  1386. int buf_append_utf16le(struct oc_text_buf *buf, const char *utf8);
  1387. int get_utf8char(const char **utf8);
  1388. void buf_append_from_utf16le(struct oc_text_buf *buf, const void *utf16);
  1389. void buf_append_base64(struct oc_text_buf *buf, const void *bytes, int len, int line_len);
  1390. /* http.c */
  1391. void do_dump_buf(struct openconnect_info *vpninfo, char prefix, char *buf);
  1392. void do_dump_buf_hex(struct openconnect_info *vpninfo, int loglevel, char prefix, unsigned char *buf, int len);
  1393. char *openconnect_create_useragent(const char *base);
  1394. int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
  1395. int internal_parse_url(const char *url, char **res_proto, char **res_host,
  1396. int *res_port, char **res_path, int default_port);
  1397. char *internal_get_url(struct openconnect_info *vpninfo);
  1398. int do_https_request(struct openconnect_info *vpninfo, const char *method, const char *request_body_type,
  1399. struct oc_text_buf *request_body, char **form_buf,
  1400. int (*header_cb)(struct openconnect_info *, char *, char *), int flags);
  1401. int http_add_cookie(struct openconnect_info *vpninfo, const char *option,
  1402. const char *value, int replace);
  1403. const char *http_get_cookie(struct openconnect_info *vpninfo, const char *name);
  1404. int internal_split_cookies(struct openconnect_info *vpninfo, int replace, const char *def_cookie);
  1405. int urldecode_inplace(char *p);
  1406. int process_http_response(struct openconnect_info *vpninfo, int connect,
  1407. int (*header_cb)(struct openconnect_info *, char *, char *),
  1408. struct oc_text_buf *body);
  1409. int handle_redirect(struct openconnect_info *vpninfo);
  1410. void http_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
  1411. #define dump_buf(vpninfo, prefix, buf) do { \
  1412. if ((vpninfo)->verbose >= PRG_DEBUG) { \
  1413. do_dump_buf(vpninfo, prefix, buf); \
  1414. } \
  1415. } while(0)
  1416. #define dump_buf_hex(vpninfo, loglevel, prefix, buf, len) do { \
  1417. if ((vpninfo)->verbose >= (loglevel)) { \
  1418. do_dump_buf_hex(vpninfo, loglevel, prefix, buf, len); \
  1419. } \
  1420. } while(0)
  1421. /* http-auth.c */
  1422. void *openconnect_base64_decode(int *len, const char *in);
  1423. void clear_auth_states(struct openconnect_info *vpninfo,
  1424. struct http_auth_state *auth_states, int reset);
  1425. int proxy_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val);
  1426. int http_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val);
  1427. int gen_authorization_hdr(struct openconnect_info *vpninfo, int proxy,
  1428. struct oc_text_buf *buf);
  1429. /* ntlm.c */
  1430. int ntlm_authorization(struct openconnect_info *vpninfo, int proxy, struct http_auth_state *auth_state, struct oc_text_buf *buf);
  1431. void cleanup_ntlm_auth(struct openconnect_info *vpninfo, struct http_auth_state *auth_state);
  1432. /* gssapi.c */
  1433. int gssapi_authorization(struct openconnect_info *vpninfo, int proxy, struct http_auth_state *auth_state, struct oc_text_buf *buf);
  1434. void cleanup_gssapi_auth(struct openconnect_info *vpninfo, struct http_auth_state *auth_state);
  1435. int socks_gssapi_auth(struct openconnect_info *vpninfo);
  1436. /* digest.c */
  1437. int digest_authorization(struct openconnect_info *vpninfo, int proxy, struct http_auth_state *auth_state, struct oc_text_buf *buf);
  1438. /* jsondump.c */
  1439. void dump_json(struct openconnect_info *vpninfo, int lvl, json_value *value);
  1440. /* library.c */
  1441. void nuke_opt_values(struct oc_form_opt *opt);
  1442. const char *add_option_dup(struct oc_vpn_option **list, const char *opt, const char *val, int val_len);
  1443. const char *add_option_steal(struct oc_vpn_option **list, const char *opt, char **val);
  1444. const char *add_option_ipaddr(struct oc_vpn_option **list, const char *opt, int af, void *addr);
  1445. void free_optlist(struct oc_vpn_option *opt);
  1446. int process_auth_form(struct openconnect_info *vpninfo, struct oc_auth_form *form);
  1447. /* This is private for now since we haven't yet worked out what the API will be */
  1448. void openconnect_set_juniper(struct openconnect_info *vpninfo);
  1449. /* hpke.c */
  1450. int handle_external_browser(struct openconnect_info *vpninfo);
  1451. /* version.c */
  1452. extern const char openconnect_version_str[];
  1453. static inline int certinfo_is_primary(struct cert_info *certinfo)
  1454. {
  1455. return certinfo == &certinfo->vpninfo->certinfo[0];
  1456. }
  1457. static inline int certinfo_is_secondary(struct cert_info *certinfo)
  1458. {
  1459. return certinfo == &certinfo->vpninfo->certinfo[1];
  1460. }
  1461. #define certinfo_string(ci, strA, strB) (certinfo_is_primary(ci) ? (strA) : (strB))
  1462. /* strncasecmp() just checks that the first n characters match. This
  1463. function ensures that the first n characters of the left-hand side
  1464. are a *precise* match for the right-hand side. */
  1465. static inline int strprefix_match(const char *str, int len, const char *match)
  1466. {
  1467. return len == strlen(match) && !strncasecmp(str, match, len);
  1468. }
  1469. #define STRDUP(res, arg) \
  1470. do { \
  1471. if (res != arg) { \
  1472. free(res); \
  1473. if (arg) { \
  1474. res = strdup(arg); \
  1475. if (res == NULL) return -ENOMEM; \
  1476. } else res = NULL; \
  1477. } \
  1478. } while(0)
  1479. #define UTF8CHECK(arg) \
  1480. do { \
  1481. if ((arg) && buf_append_utf16le(NULL, (arg))) { \
  1482. vpn_progress(vpninfo, PRG_ERR, \
  1483. _("ERROR: %s() called with invalid UTF-8 for '%s' argument\n"),\
  1484. __func__, #arg); \
  1485. return -EILSEQ; \
  1486. } \
  1487. } while(0)
  1488. #define UTF8CHECK_VOID(arg) \
  1489. do { \
  1490. if ((arg) && buf_append_utf16le(NULL, (arg))) { \
  1491. vpn_progress(vpninfo, PRG_ERR, \
  1492. _("ERROR: %s() called with invalid UTF-8 for '%s' argument\n"),\
  1493. __func__, #arg); \
  1494. return; \
  1495. } \
  1496. } while(0)
  1497. /* Let's stop open-coding big-endian and little-endian loads/stores.
  1498. *
  1499. * Start with a packed structure so that we can let the compiler
  1500. * decide whether the target CPU can cope with unaligned load/stores
  1501. * or not. Then there are three cases to handle:
  1502. * - For big-endian loads/stores, just use htons() et al.
  1503. * - For little-endian when we *know* the CPU is LE, just load/store
  1504. * - For little-endian otherwise, do the data access byte-wise
  1505. */
  1506. struct oc_packed_uint32_t {
  1507. uint32_t d;
  1508. } __attribute__((packed));
  1509. struct oc_packed_uint16_t {
  1510. uint16_t d;
  1511. } __attribute__((packed));
  1512. static inline uint32_t load_be32(const void *_p)
  1513. {
  1514. const struct oc_packed_uint32_t *p = _p;
  1515. return ntohl(p->d);
  1516. }
  1517. static inline uint16_t load_be16(const void *_p)
  1518. {
  1519. const struct oc_packed_uint16_t *p = _p;
  1520. return ntohs(p->d);
  1521. }
  1522. static inline void store_be32(void *_p, uint32_t d)
  1523. {
  1524. struct oc_packed_uint32_t *p = _p;
  1525. p->d = htonl(d);
  1526. }
  1527. static inline void store_be16(void *_p, uint16_t d)
  1528. {
  1529. struct oc_packed_uint16_t *p = _p;
  1530. p->d = htons(d);
  1531. }
  1532. /* It doesn't matter if we don't find one. It'll default to the
  1533. * "not known to be little-endian" case, and do the bytewise
  1534. * load/store. Modern compilers might even spot the pattern and
  1535. * optimise it (see GCC PR#55177 around comment 15). */
  1536. #ifdef ENDIAN_HDR
  1537. #include ENDIAN_HDR
  1538. #endif
  1539. #if defined(_WIN32) || \
  1540. (defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN)) /* Solaris */ || \
  1541. (defined(__LITTLE_ENDIAN) && defined(__BIG_ENDIAN) && defined(__BYTE_ORDER) \
  1542. && __BYTE_ORDER == __LITTLE_ENDIAN) /* Linux */ || \
  1543. (defined(LITTLE_ENDIAN) && defined(BIG_ENDIAN) && defined(BYTE_ORDER) \
  1544. && BYTE_ORDER == LITTLE_ENDIAN) /* *BSD */
  1545. static inline uint32_t load_le32(const void *_p)
  1546. {
  1547. const struct oc_packed_uint32_t *p = _p;
  1548. return p->d;
  1549. }
  1550. static inline uint16_t load_le16(const void *_p)
  1551. {
  1552. const struct oc_packed_uint16_t *p = _p;
  1553. return p->d;
  1554. }
  1555. static inline void store_le32(void *_p, uint32_t d)
  1556. {
  1557. struct oc_packed_uint32_t *p = _p;
  1558. p->d = d;
  1559. }
  1560. static inline void store_le16(void *_p, uint16_t d)
  1561. {
  1562. struct oc_packed_uint16_t *p = _p;
  1563. p->d = d;
  1564. }
  1565. #else
  1566. static inline uint32_t load_le32(const void *_p)
  1567. {
  1568. const unsigned char *p = _p;
  1569. return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
  1570. }
  1571. static inline uint16_t load_le16(const void *_p)
  1572. {
  1573. const unsigned char *p = _p;
  1574. return p[0] | (p[1] << 8);
  1575. }
  1576. static inline void store_le16(void *_p, uint16_t d)
  1577. {
  1578. unsigned char *p = _p;
  1579. p[0] = d;
  1580. p[1] = d >> 8;
  1581. }
  1582. static inline void store_le32(void *_p, uint32_t d)
  1583. {
  1584. unsigned char *p = _p;
  1585. p[0] = d;
  1586. p[1] = d >> 8;
  1587. p[2] = d >> 16;
  1588. p[3] = d >> 24;
  1589. }
  1590. #endif /* !Not known to be little-endian */
  1591. #endif /* __OPENCONNECT_INTERNAL_H__ */