Startsida Utforska Hjälp
Logga in
vimacs
/
openconnect
Bevaka 1
Stjärnmärk 0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Gren: h3cssl
Grenar Taggar
openconnect
/
tun-win32.c

tun-win32.c 20 KB
Permalänk Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688 
  1. /*
    2. 

  2.  * OpenConnect (SSL + DTLS) VPN client
    3. 

  3.  *
    4. 

  4.  * Copyright © 2008-2015 Intel Corporation.
    5. 

  5.  *
    6. 

  6.  * Author: David Woodhouse <dwmw2@infradead.org>
    7. 

  7.  *
    8. 

  8.  * This program is free software; you can redistribute it and/or
    9. 

  9.  * modify it under the terms of the GNU Lesser General Public License
    10. 

  10.  * version 2.1, as published by the Free Software Foundation.
    11. 

  11.  *
    12. 

  12.  * This program is distributed in the hope that it will be useful, but
    13. 

  13.  * WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    15. 

  15.  * Lesser General Public License for more details.
    16. 

  16.  */
    17. 

  17. 

  18. #include <config.h>
    19. 

  19. 

  20. #include "openconnect-internal.h"
    21. 

  21. 

  22. #define WIN32_LEAN_AND_MEAN
    23. 

  23. #include <windows.h>
    24. 

  24. #include <winioctl.h>
    25. 

  25. /* must precede iphlpapi.h, per https://docs.microsoft.com/en-us/windows/win32/api/iptypes/ns-iptypes-ip_adapter_addresses_lh */
    26. 

  26. #include <winsock2.h>
    27. 

  27. #include <ws2ipdef.h>
    28. 

  28. #include <iphlpapi.h>
    29. 

  29. #include <netioapi.h>
    30. 

  30. 

  31. #include <errno.h>
    32. 

  32. #include <stdio.h>
    33. 

  33. 

  34. /*
    35. 

  35.  * TAP-Windows support inspired by http://i3.cs.berkeley.edu/ (v0.2) with
    36. 

  36.  * permission.
    37. 

  37.  */
    38. 

  38. #define _TAP_IOCTL(nr) CTL_CODE(FILE_DEVICE_UNKNOWN, nr, METHOD_BUFFERED, \
    39. 

  39. 				FILE_ANY_ACCESS)
    40. 

  40. 

  41. #define TAP_IOCTL_GET_MAC               _TAP_IOCTL(1)
    42. 

  42. #define TAP_IOCTL_GET_VERSION           _TAP_IOCTL(2)
    43. 

  43. #define TAP_IOCTL_GET_MTU               _TAP_IOCTL(3)
    44. 

  44. #define TAP_IOCTL_GET_INFO              _TAP_IOCTL(4)
    45. 

  45. #define TAP_IOCTL_CONFIG_POINT_TO_POINT _TAP_IOCTL(5)
    46. 

  46. #define TAP_IOCTL_SET_MEDIA_STATUS      _TAP_IOCTL(6)
    47. 

  47. #define TAP_IOCTL_CONFIG_DHCP_MASQ      _TAP_IOCTL(7)
    48. 

  48. #define TAP_IOCTL_GET_LOG_LINE          _TAP_IOCTL(8)
    49. 

  49. #define TAP_IOCTL_CONFIG_DHCP_SET_OPT   _TAP_IOCTL(9)
    50. 

  50. #define TAP_IOCTL_CONFIG_TUN            _TAP_IOCTL(10)
    51. 

  51. 

  52. #define TAP_COMPONENT_ID "tap0901"
    53. 

  53. 

  54. #define DEVTEMPLATE "\\\\.\\Global\\%s.tap"
    55. 

  55. 

  56. #define NETDEV_GUID "{4D36E972-E325-11CE-BFC1-08002BE10318}"
    57. 

  57. #define CONTROL_KEY "SYSTEM\\CurrentControlSet\\Control\\"
    58. 

  58. 

  59. #define ADAPTERS_KEY CONTROL_KEY "Class\\" NETDEV_GUID
    60. 

  60. #define CONNECTIONS_KEY CONTROL_KEY "Network\\" NETDEV_GUID
    61. 

  61. 

  62. #define ADAPTER_TUNTAP 0
    63. 

  63. #define ADAPTER_WINTUN 1
    64. 

  64. 

  65. typedef intptr_t (tap_callback)(struct openconnect_info *vpninfo, int type, char *idx, wchar_t *name);
    66. 

  66. 

  67. #define SEARCH_CONTINUE	0
    68. 

  68. #define SEARCH_DONE	1
    69. 

  69. 

  70. static intptr_t search_taps(struct openconnect_info *vpninfo, tap_callback *cb)
    71. 

  71. {
    72. 

  72. 	LONG status;
    73. 

  73. 	HKEY adapters_key, hkey;
    74. 

  74. 	DWORD len, type;
    75. 

  75. 	int adapter_type;
    76. 

  76. 	char buf[40];
    77. 

  77. 	wchar_t name[40];
    78. 

  78. 	char keyname[strlen(CONNECTIONS_KEY) + sizeof(buf) + 1 + strlen("\\Connection")];
    79. 

  79. 	int i = 0;
    80. 

  80. 	intptr_t ret = OPEN_TUN_SOFTFAIL;
    81. 

  81. 

  82. 	status = RegOpenKeyExA(HKEY_LOCAL_MACHINE, ADAPTERS_KEY, 0,
    83. 

  83. 			       KEY_READ, &adapters_key);
    84. 

  84. 	if (status) {
    85. 

  85. 		vpn_progress(vpninfo, PRG_ERR,
    86. 

  86. 			     _("Error accessing registry key for network adapters\n"));
    87. 

  87. 		return -EIO;
    88. 

  88. 	}
    89. 

  89. 	while (ret == OPEN_TUN_SOFTFAIL) {
    90. 

  90. 		len = sizeof(buf);
    91. 

  91. 		status = RegEnumKeyExA(adapters_key, i++, buf, &len,
    92. 

  92. 				       NULL, NULL, NULL, NULL);
    93. 

  93. 		if (status) {
    94. 

  94. 			if (status != ERROR_NO_MORE_ITEMS)
    95. 

  95. 				ret = OPEN_TUN_HARDFAIL;
    96. 

  96. 			break;
    97. 

  97. 		}
    98. 

  98. 

  99. 		snprintf(keyname, sizeof(keyname), "%s\\%s",
    100. 

  100. 			 ADAPTERS_KEY, buf);
    101. 

  101. 

  102. 		status = RegOpenKeyExA(HKEY_LOCAL_MACHINE, keyname, 0,
    103. 

  103. 				       KEY_QUERY_VALUE, &hkey);
    104. 

  104. 		if (status)
    105. 

  105. 			continue;
    106. 

  106. 

  107. 		len = sizeof(buf);
    108. 

  108. 		status = RegQueryValueExA(hkey, "ComponentId", NULL, &type,
    109. 

  109. 					  (unsigned char *)buf, &len);
    110. 

  110. 		if (status || type != REG_SZ) {
    111. 

  111. 			vpn_progress(vpninfo, PRG_TRACE,
    112. 

  112. 				     _("Cannot read %s\\%s or is not string\n"),
    113. 

  113. 				     keyname, "ComponentId");
    114. 

  114. 			RegCloseKey(hkey);
    115. 

  115. 			continue;
    116. 

  116. 		}
    117. 

  117. 		if (!strcmp(buf, TAP_COMPONENT_ID) || !strcmp(buf, "root\\" TAP_COMPONENT_ID))
    118. 

  118. 			adapter_type = ADAPTER_TUNTAP;
    119. 

  119. 		else if (!strcmp(buf, "wintun"))
    120. 

  120. 			adapter_type = ADAPTER_WINTUN;
    121. 

  121. 		else {
    122. 

  122. 			vpn_progress(vpninfo, PRG_TRACE, _("%s\\ComponentId is unknown '%s'\n"),
    123. 

  123. 				     keyname, buf);
    124. 

  124. 			RegCloseKey(hkey);
    125. 

  125. 			continue;
    126. 

  126. 		}
    127. 

  127. 

  128. 		vpn_progress(vpninfo, PRG_TRACE, _("Found %s at %s\n"),
    129. 

  129. 			     buf, keyname);
    130. 

  130. 

  131. 		len = sizeof(buf);
    132. 

  132. 		status = RegQueryValueExA(hkey, "NetCfgInstanceId", NULL,
    133. 

  133. 					  &type, (unsigned char *)buf, &len);
    134. 

  134. 		RegCloseKey(hkey);
    135. 

  135. 		if (status || type != REG_SZ)
    136. 

  136. 			continue;
    137. 

  137. 

  138. 		snprintf(keyname, sizeof(keyname), "%s\\%s\\Connection",
    139. 

  139. 			 CONNECTIONS_KEY, buf);
    140. 

  140. 

  141. 		status = RegOpenKeyExA(HKEY_LOCAL_MACHINE, keyname, 0,
    142. 

  142. 				       KEY_QUERY_VALUE, &hkey);
    143. 

  143. 		if (status) {
    144. 

  144. 			vpn_progress(vpninfo, PRG_DEBUG,
    145. 

  145. 				     _("Cannot open registry key %s\n"),
    146. 

  146. 				     keyname);
    147. 

  147. 			continue;
    148. 

  148. 		}
    149. 

  149. 

  150. 		len = sizeof(name);
    151. 

  151. 		status = RegQueryValueExW(hkey, L"Name", NULL, &type,
    152. 

  152. 					 (unsigned char *)name, &len);
    153. 

  153. 		RegCloseKey(hkey);
    154. 

  154. 		if (status || type != REG_SZ) {
    155. 

  155. 			vpn_progress(vpninfo, PRG_INFO,
    156. 

  156. 				     _("Cannot read registry key %s\\%s or is not string\n"),
    157. 

  157. 				     keyname, "Name");
    158. 

  158. 			continue;
    159. 

  159. 		}
    160. 

  160. 

  161. 		ret = cb(vpninfo, adapter_type, buf, name);
    162. 

  162. 	}
    163. 

  163. 

  164. 	RegCloseKey(adapters_key);
    165. 

  165. 

  166. 	return ret;
    167. 

  167. }
    168. 

  168. 

  169. #ifndef __LIST_TAPS__
    170. 

  170. 

  171. static int get_adapter_index(struct openconnect_info *vpninfo, char *guid)
    172. 

  172. {
    173. 

  173. 	struct oc_text_buf *buf = buf_alloc();
    174. 

  174. 	IP_ADAPTER_INFO *adapter;
    175. 

  175. 	void *adapters_buf;
    176. 

  176. 	ULONG idx;
    177. 

  177. 	DWORD status;
    178. 

  178. 	int ret = -EINVAL;
    179. 

  179. 

  180. 	vpninfo->tun_idx = -1;
    181. 

  181. 

  182. 	buf_append_utf16le(buf, "\\device\\tcpip_");
    183. 

  183. 	buf_append_utf16le(buf, guid);
    184. 

  184. 	if (buf_error(buf)) {
    185. 

  185. 		/* If we didn't manage to malloc for this, we're never
    186. 

  186. 		 * going to manage for GetAdaptersInfo(). Give up. */
    187. 

  187. 		return buf_free(buf);
    188. 

  188. 	}
    189. 

  189. 	status = GetAdapterIndex((void *)buf->data, &idx);
    190. 

  190. 	buf_free(buf);
    191. 

  191. 	if (status == NO_ERROR) {
    192. 

  192. 		vpninfo->tun_idx = idx;
    193. 

  193. 		return 0;
    194. 

  194. 	} else {
    195. 

  195. 		char *errstr = openconnect__win32_strerror(status);
    196. 

  196. 		vpn_progress(vpninfo, PRG_INFO,
    197. 

  197. 			     _("GetAdapterIndex() failed: %s\nFalling back to GetAdaptersInfo()\n"),
    198. 

  198. 			     errstr);
    199. 

  199. 		free(errstr);
    200. 

  200. 	}
    201. 

  201. 	idx = 0;
    202. 

  202. 	status = GetAdaptersInfo(NULL, &idx);
    203. 

  203. 	if (status != ERROR_BUFFER_OVERFLOW)
    204. 

  204. 		return -EIO;
    205. 

  205. 	adapters_buf = malloc(idx);
    206. 

  206. 	if (!adapters_buf)
    207. 

  207. 		return -ENOMEM;
    208. 

  208. 	status = GetAdaptersInfo(adapters_buf, &idx);
    209. 

  209. 	if (status != NO_ERROR) {
    210. 

  210. 		char *errstr = openconnect__win32_strerror(status);
    211. 

  211. 		vpn_progress(vpninfo, PRG_ERR, _("GetAdaptersInfo() failed: %s\n"), errstr);
    212. 

  212. 		free(errstr);
    213. 

  213. 		free(adapters_buf);
    214. 

  214. 		return -EIO;
    215. 

  215. 	}
    216. 

  216. 

  217. 	for (adapter = adapters_buf; adapter; adapter = adapter->Next) {
    218. 

  218. 		if (!strcmp(adapter->AdapterName, guid)) {
    219. 

  219. 			vpninfo->tun_idx = adapter->Index;
    220. 

  220. 			ret = 0;
    221. 

  221. 			break;
    222. 

  222. 		}
    223. 

  223. 	}
    224. 

  224. 	free(adapters_buf);
    225. 

  225. 	return ret;
    226. 

  226. }
    227. 

  227. 

  228. static int check_address_conflicts(struct openconnect_info *vpninfo)
    229. 

  229. {
    230. 

  230. 	ULONG bufSize = 15000;
    231. 

  231. 	PIP_ADAPTER_ADDRESSES addresses = NULL;
    232. 

  232. 	DWORD LastError;
    233. 

  233. 	int ret = 0;
    234. 

  234. 

  235. 	struct in_addr our_ipv4_addr;
    236. 

  236. 	struct in6_addr our_ipv6_addr;
    237. 

  237. 	if (vpninfo->ip_info.addr && !inet_aton(vpninfo->ip_info.addr, &our_ipv4_addr))
    238. 

  238. 		return -EINVAL;
    239. 

  239. 	if (vpninfo->ip_info.addr6 && !inet_pton(AF_INET6, vpninfo->ip_info.addr6, &our_ipv6_addr))
    240. 

  240. 		return -EINVAL;
    241. 

  241. 

  242. 	/* XX: repeat twice, because it may tell us we need a bigger buffer */
    243. 

  243. 	for (int tries=0; tries<2; tries++) {
    244. 

  244. 		free(addresses);
    245. 

  245. 		addresses = malloc(bufSize);
    246. 

  246. 		if (!addresses)
    247. 

  247. 			return -ENOMEM;
    248. 

  248. 

  249. 		/* AF_UNSPEC means both Legacy IP and IPv6 */
    250. 

  250. 		LastError = GetAdaptersAddresses(AF_UNSPEC,
    251. 

  251. 						 GAA_FLAG_SKIP_ANYCAST | GAA_FLAG_SKIP_MULTICAST,
    252. 

  252. 						 NULL, addresses, &bufSize);
    253. 

  253. 		if (LastError != ERROR_BUFFER_OVERFLOW)
    254. 

  254. 			break;
    255. 

  255. 	}
    256. 

  256. 	if (LastError != ERROR_SUCCESS) {
    257. 

  257. 		char *errstr = openconnect__win32_strerror(LastError);
    258. 

  258. 		vpn_progress(vpninfo, PRG_ERR, _("GetAdaptersAddresses() failed: %s\n"), errstr);
    259. 

  259. 		ret = -EIO;
    260. 

  260. 		goto out;
    261. 

  261. 	}
    262. 

  262. 

  263. 	for (; addresses; addresses=addresses->Next) {
    264. 

  264. 		/* XX: skip "our own" adapter */
    265. 

  265. 		if (addresses->IfIndex == vpninfo->tun_idx)
    266. 

  266. 			continue;
    267. 

  267. 

  268. 		for (PIP_ADAPTER_UNICAST_ADDRESS ua = addresses->FirstUnicastAddress;
    269. 

  269. 		     ua; ua=ua->Next) {
    270. 

  270. 			struct sockaddr *a = ua->Address.lpSockaddr;
    271. 

  271. 			union {
    272. 

  272. 				struct sockaddr_in s4;
    273. 

  273. 				struct sockaddr_in6 s6;
    274. 

  274. 			} *sa = (void *)a;
    275. 

  275. 			int needs_reclaim = 0;
    276. 

  276. 

  277. 			if (a->sa_family == AF_INET) {
    278. 

  278. 				if (vpninfo->ip_info.addr && our_ipv4_addr.s_addr == sa->s4.sin_addr.s_addr)
    279. 

  279. 					needs_reclaim = 1;
    280. 

  280. 			} else if (a->sa_family == AF_INET6) {
    281. 

  281. 				if (vpninfo->ip_info.addr6 && !memcmp(&our_ipv6_addr, &sa->s6.sin6_addr, sizeof(sa->s6.sin6_addr)))
    282. 

  282. 					needs_reclaim = 1;
    283. 

  283. 			}
    284. 

  284. 

  285. 			if (needs_reclaim) {
    286. 

  286. 				if (addresses->OperStatus == IfOperStatusUp) {
    287. 

  287. 					/* XX: Interface is up. We shouldn't steal its address */
    288. 

  288. 					vpn_progress(vpninfo, PRG_ERR,
    289. 

  289. 						     _("Adapter \"%S\" / %ld is UP and using our IPv%d address. Cannot resolve.\n"),
    290. 

  290. 						     addresses->FriendlyName, addresses->IfIndex, a->sa_family == AF_INET ? 4 : 6);
    291. 

  291. 					ret = -ENOENT;
    292. 

  292. 					goto out;
    293. 

  293. 				} else {
    294. 

  294. 					/* XX: Interface is down */
    295. 

  295. 					vpn_progress(vpninfo, PRG_ERR,
    296. 

  296. 						     _("Adapter \"%S\" / %ld is DOWN and using our IPv%d address. We will reclaim the address from it.\n"),
    297. 

  297. 						     addresses->FriendlyName, addresses->IfIndex, a->sa_family == AF_INET ? 4 : 6);
    298. 

  298. 

  299. 					/* XX: In order to use DeleteUnicastIpAddressEntry(), we bizarrely have to iterate through a
    300. 

  300. 					 * whole different table of IP addresses to find the right row. I previously tried
    301. 

  301. 					 * faking/synthesizing the requisite MIB_UNICASTIPADDRESS_TABLE rows, and it did not
    302. 

  302. 					 * work.
    303. 

  303. 					 */
    304. 

  304. 					int found = 0;
    305. 

  305. 					PMIB_UNICASTIPADDRESS_TABLE pipTable = NULL;
    306. 

  306. 					LastError = GetUnicastIpAddressTable(AF_UNSPEC, &pipTable);
    307. 

  307. 					if (LastError != ERROR_SUCCESS) {
    308. 

  308. 						char *errstr = openconnect__win32_strerror(LastError);
    309. 

  309. 						vpn_progress(vpninfo, PRG_ERR, _("GetUnicastIpAddressTable() failed: %s\n"), errstr);
    310. 

  310. 						ret = -EIO;
    311. 

  311. 						goto out;
    312. 

  312. 					}
    313. 

  313. 					for (int i = 0; i < pipTable->NumEntries; i++) {
    314. 

  314. 						if (pipTable->Table[i].Address.si_family == AF_INET && a->sa_family == AF_INET) {
    315. 

  315. 							if (sa->s4.sin_addr.s_addr == pipTable->Table[i].Address.Ipv4.sin_addr.s_addr)
    316. 

  316. 								found = 1;
    317. 

  317. 						} else if (pipTable->Table[i].Address.si_family == AF_INET6 && a->sa_family == AF_INET6) {
    318. 

  318. 							if (!memcmp(&sa->s6.sin6_addr, &pipTable->Table[i].Address.Ipv6, sizeof(sa->s6.sin6_addr)))
    319. 

  319. 								found = 1;
    320. 

  320. 						}
    321. 

  321. 						if (found) {
    322. 

  322. 							LastError = DeleteUnicastIpAddressEntry(&pipTable->Table[i]);
    323. 

  323. 							break;
    324. 

  324. 						}
    325. 

  325. 					}
    326. 

  326. 					FreeMibTable(pipTable);
    327. 

  327. 

  328. 					if (LastError != NO_ERROR) {
    329. 

  329. 						char *errstr = openconnect__win32_strerror(LastError);
    330. 

  330. 						vpn_progress(vpninfo, PRG_ERR, _("DeleteUnicastIpAddressEntry() failed: %s\n"), errstr);
    331. 

  331. 						ret = -EIO;
    332. 

  332. 						goto out;
    333. 

  333. 					}
    334. 

  334. 

  335. 					if (!found) {
    336. 

  336. 						vpn_progress(vpninfo, PRG_ERR,
    337. 

  337. 							     _("GetUnicastIpAddressTable() did not find matching address to reclaim\n"));
    338. 

  338. 						/* ret = -EIO;
    339. 

  339. 						   goto out; */
    340. 

  340. 					}
    341. 

  341. 

  342. 				}
    343. 

  343. 			}
    344. 

  344. 		}
    345. 

  345. 	}
    346. 

  346. 

  347.  out:
    348. 

  348. 	free(addresses);
    349. 

  349. 	return ret;
    350. 

  350. }
    351. 

  351. 

  352. static intptr_t open_tuntap(struct openconnect_info *vpninfo, char *guid, wchar_t *wname)
    353. 

  353. {
    354. 

  354. 	char devname[80];
    355. 

  355. 	HANDLE tun_fh;
    356. 

  356. 	ULONG data[3];
    357. 

  357. 	DWORD len;
    358. 

  358. 

  359. 	snprintf(devname, sizeof(devname), DEVTEMPLATE, guid);
    360. 

  360. 	tun_fh = CreateFileA(devname, GENERIC_WRITE|GENERIC_READ, 0, 0,
    361. 

  361. 			     OPEN_EXISTING,
    362. 

  362. 			     FILE_ATTRIBUTE_SYSTEM | FILE_FLAG_OVERLAPPED,
    363. 

  363. 			     0);
    364. 

  364. 	if (tun_fh == INVALID_HANDLE_VALUE) {
    365. 

  365. 		vpn_progress(vpninfo, PRG_ERR, _("Failed to open %s\n"),
    366. 

  366. 			     devname);
    367. 

  367. 		return OPEN_TUN_SOFTFAIL;
    368. 

  368. 

  369. 	}
    370. 

  370. 	vpn_progress(vpninfo, PRG_DEBUG, _("Opened tun device %S\n"), wname);
    371. 

  371. 

  372. 	if (!DeviceIoControl(tun_fh, TAP_IOCTL_GET_VERSION,
    373. 

  373. 			     data, sizeof(data), data, sizeof(data),
    374. 

  374. 			     &len, NULL)) {
    375. 

  375. 		char *errstr = openconnect__win32_strerror(GetLastError());
    376. 

  376. 

  377. 		vpn_progress(vpninfo, PRG_ERR,
    378. 

  378. 			     _("Failed to obtain TAP driver version: %s\n"), errstr);
    379. 

  379. 		free(errstr);
    380. 

  380. 		return OPEN_TUN_HARDFAIL;
    381. 

  381. 	}
    382. 

  382. 	if (data[0] < 9 || (data[0] == 9 && data[1] < 9)) {
    383. 

  383. 		vpn_progress(vpninfo, PRG_ERR,
    384. 

  384. 			     _("Error: TAP-Windows driver v9.9 or greater is required (found %ld.%ld)\n"),
    385. 

  385. 			     data[0], data[1]);
    386. 

  386. 		return -1;
    387. 

  387. 	}
    388. 

  388. 	vpn_progress(vpninfo, PRG_DEBUG, "TAP-Windows driver v%ld.%ld (%ld)\n",
    389. 

  389. 		     data[0], data[1], data[2]);
    390. 

  390. 

  391. 	data[0] = inet_addr(vpninfo->ip_info.addr);
    392. 

  392. 	/* Set network and mask both to 0.0.0.0. It's not about routing;
    393. 

  393. 	 * it just ensures that the TAP driver fakes ARP responses for
    394. 

  394. 	 * *everything* we throw at it, and we can just configure them
    395. 

  395. 	 * as on-link routes. */
    396. 

  396. 	data[1] = 0;
    397. 

  397. 	data[2] = 0;
    398. 

  398. 

  399. 	if (!DeviceIoControl(tun_fh, TAP_IOCTL_CONFIG_TUN,
    400. 

  400. 			     data, sizeof(data), data, sizeof(data),
    401. 

  401. 			     &len, NULL)) {
    402. 

  402. 		char *errstr = openconnect__win32_strerror(GetLastError());
    403. 

  403. 

  404. 		vpn_progress(vpninfo, PRG_ERR,
    405. 

  405. 			     _("Failed to set TAP IP addresses: %s\n"), errstr);
    406. 

  406. 		free(errstr);
    407. 

  407. 		return OPEN_TUN_HARDFAIL;
    408. 

  408. 	}
    409. 

  409. 

  410. 	data[0] = 1;
    411. 

  411. 	if (!DeviceIoControl(tun_fh, TAP_IOCTL_SET_MEDIA_STATUS,
    412. 

  412. 			     data, sizeof(data[0]), data, sizeof(data[0]),
    413. 

  413. 			     &len, NULL)) {
    414. 

  414. 		char *errstr = openconnect__win32_strerror(GetLastError());
    415. 

  415. 

  416. 		vpn_progress(vpninfo, PRG_ERR,
    417. 

  417. 			     _("Failed to set TAP media status: %s\n"), errstr);
    418. 

  418. 		free(errstr);
    419. 

  419. 		return OPEN_TUN_HARDFAIL;
    420. 

  420. 	}
    421. 

  421. 

  422. 	return (intptr_t)tun_fh;
    423. 

  423. }
    424. 

  424. 

  425. static intptr_t open_tun(struct openconnect_info *vpninfo, int adapter_type, char *guid, wchar_t *wname)
    426. 

  426. {
    427. 

  427. 	intptr_t ret = -1;
    428. 

  428. 

  429. 	if (vpninfo->ifname_w && wcscmp(wname, vpninfo->ifname_w)) {
    430. 

  430. 		vpn_progress(vpninfo, PRG_DEBUG,
    431. 

  431. 			     _("Ignoring non-matching interface \"%S\"\n"),
    432. 

  432. 			     wname);
    433. 

  433. 		return 0;
    434. 

  434. 	}
    435. 

  435. 

  436. 	if (adapter_type == ADAPTER_TUNTAP)
    437. 

  437. 		ret = open_tuntap(vpninfo, guid, wname);
    438. 

  438. 	else
    439. 

  439. 		ret = open_wintun(vpninfo, guid, wname);
    440. 

  440. 

  441. 	if (ret == OPEN_TUN_SOFTFAIL || ret == OPEN_TUN_HARDFAIL)
    442. 

  442. 		return ret;
    443. 

  443. 

  444. 	/*
    445. 

  445. 	 * We have found the adapter and opened it successfully. Now set
    446. 

  446. 	 * vpninfo->ifname accordingly, if necessary, and find $TUNIDX
    447. 

  447. 	 * for the script to use to configure it.
    448. 

  448. 	 */
    449. 

  449. 	if (!vpninfo->ifname) {
    450. 

  450. 		struct oc_text_buf *namebuf = buf_alloc();
    451. 

  451. 

  452. 		buf_append_from_utf16le(namebuf, wname);
    453. 

  453. 		if (buf_error(namebuf)) {
    454. 

  454. 			vpn_progress(vpninfo, PRG_ERR, _("Could not convert interface name to UTF-8\n"));
    455. 

  455. 			os_shutdown_tun(vpninfo);
    456. 

  456. 

  457. 			buf_free(namebuf);
    458. 

  458. 			return OPEN_TUN_HARDFAIL;
    459. 

  459. 		}
    460. 

  460. 		vpninfo->ifname = namebuf->data;
    461. 

  461. 		namebuf->data = NULL;
    462. 

  462. 		buf_free(namebuf);
    463. 

  463. 	}
    464. 

  464. 

  465. 	get_adapter_index(vpninfo, guid);
    466. 

  466. 

  467. 	vpn_progress(vpninfo, adapter_type ? PRG_ERR : PRG_INFO,
    468. 

  468. 		     _("Using %s device '%s', index %d\n"),
    469. 

  469. 		     adapter_type ? "Wintun" : "TAP-Windows",
    470. 

  470. 		     vpninfo->ifname, vpninfo->tun_idx);
    471. 

  471. 	if (adapter_type == ADAPTER_WINTUN)
    472. 

  472. 		vpn_progress(vpninfo, PRG_ERR,
    473. 

  473. 			     _("WARNING: Support for Wintun is experimental and may be unstable. If you\n"
    474. 

  474. 			       "  encounter problems, install the TAP-Windows driver instead. See\n"
    475. 

  475. 			       "  %s\n"),
    476. 

  476. 			     "https://www.infradead.org/openconnect/building.html");
    477. 

  477. 

  478. 	return ret;
    479. 

  479. }
    480. 

  480. 

  481. static intptr_t create_ifname_w(struct openconnect_info *vpninfo,
    482. 

  482. 				const char *ifname)
    483. 

  483. {
    484. 

  484. 	struct oc_text_buf *ifname_buf = buf_alloc();
    485. 

  485. 

  486. 	buf_append_utf16le(ifname_buf, ifname);
    487. 

  487. 

  488. 	if (buf_error(ifname_buf)) {
    489. 

  489. 		vpn_progress(vpninfo, PRG_ERR, _("Could not construct interface name\n"));
    490. 

  490. 		return buf_free(ifname_buf);
    491. 

  491. 	}
    492. 

  492. 

  493. 	free(vpninfo->ifname_w);
    494. 

  494. 	vpninfo->ifname_w = (wchar_t *)ifname_buf->data;
    495. 

  495. 	ifname_buf->data = NULL;
    496. 

  496. 	buf_free(ifname_buf);
    497. 

  497. 	return 0;
    498. 

  498. }
    499. 

  499. 

  500. intptr_t os_setup_tun(struct openconnect_info *vpninfo)
    501. 

  501. {
    502. 

  502. 	intptr_t ret;
    503. 

  503. 

  504. 	if (vpninfo->ifname) {
    505. 

  505. 		ret = create_ifname_w(vpninfo, vpninfo->ifname);
    506. 

  506. 		if (ret)
    507. 

  507. 			return ret;
    508. 

  508. 	}
    509. 

  509. 

  510. 	ret = search_taps(vpninfo, open_tun);
    511. 

  511. 

  512. 	if (ret == OPEN_TUN_SOFTFAIL) {
    513. 

  513. 		if (!vpninfo->ifname_w) {
    514. 

  514. 			ret = create_ifname_w(vpninfo, vpninfo->hostname);
    515. 

  515. 			if (ret)
    516. 

  516. 				return ret;
    517. 

  517. 		}
    518. 

  518. 

  519. 		/* Try creating a Wintun instead of TAP */
    520. 

  520. 		int retw = create_wintun(vpninfo);
    521. 

  521. 		if (!retw) {
    522. 

  522. 			ret = search_taps(vpninfo, open_tun);
    523. 

  523. 

  524. 			if (ret == OPEN_TUN_SOFTFAIL)
    525. 

  525. 				ret = OPEN_TUN_HARDFAIL;
    526. 

  526. 			if (ret == OPEN_TUN_HARDFAIL)
    527. 

  527. 				os_shutdown_wintun(vpninfo);
    528. 

  528. 		} else if (retw == -EPERM) {
    529. 

  529. 			ret = OPEN_TUN_HARDFAIL;
    530. 

  530. 			vpn_progress(vpninfo, PRG_ERR,
    531. 

  531. 				     _("Access denied creating Wintun adapter. Are you running with Administrator privileges?\n"));
    532. 

  532. 		}
    533. 

  533. 	}
    534. 

  534. 

  535. 	if (ret == OPEN_TUN_SOFTFAIL) {
    536. 

  536. 		vpn_progress(vpninfo, PRG_ERR,
    537. 

  537. 			     _("Neither Windows-TAP nor Wintun adapters were found. Is the driver installed?\n"));
    538. 

  538. 		ret = OPEN_TUN_HARDFAIL;
    539. 

  539. 	}
    540. 

  540. 

  541. 	if (check_address_conflicts(vpninfo) < 0)
    542. 

  542. 		ret = OPEN_TUN_HARDFAIL; /* already complained about it */
    543. 

  543. 

  544. 	return ret;
    545. 

  545. }
    546. 

  546. 

  547. int os_read_tun(struct openconnect_info *vpninfo, struct pkt *pkt)
    548. 

  548. {
    549. 

  549. 	DWORD pkt_size;
    550. 

  550. 	if (vpninfo->wintun)
    551. 

  551. 		return os_read_wintun(vpninfo, pkt);
    552. 

  552. 

  553.  reread:
    554. 

  554. 	if (!vpninfo->tun_rd_pending &&
    555. 

  555. 	    !ReadFile(vpninfo->tun_fh, pkt->data, pkt->len, &pkt_size,
    556. 

  556. 		      &vpninfo->tun_rd_overlap)) {
    557. 

  557. 		DWORD err = GetLastError();
    558. 

  558. 

  559. 		if (err == ERROR_IO_PENDING)
    560. 

  560. 			vpninfo->tun_rd_pending = 1;
    561. 

  561. 		else if (err == ERROR_OPERATION_ABORTED) {
    562. 

  562. 			vpninfo->quit_reason = "TAP device aborted";
    563. 

  563. 			vpn_progress(vpninfo, PRG_ERR,
    564. 

  564. 				     _("TAP device aborted connectivity. Disconnecting.\n"));
    565. 

  565. 			return -1;
    566. 

  566. 		} else {
    567. 

  567. 			char *errstr = openconnect__win32_strerror(err);
    568. 

  568. 			vpn_progress(vpninfo, PRG_ERR,
    569. 

  569. 				     _("Failed to read from TAP device: %s\n"),
    570. 

  570. 				     errstr);
    571. 

  571. 			free(errstr);
    572. 

  572. 		}
    573. 

  573. 		return -1;
    574. 

  574. 	} else if (!GetOverlappedResult(vpninfo->tun_fh,
    575. 

  575. 					&vpninfo->tun_rd_overlap, &pkt_size,
    576. 

  576. 					FALSE)) {
    577. 

  577. 		DWORD err = GetLastError();
    578. 

  578. 

  579. 		if (err != ERROR_IO_INCOMPLETE) {
    580. 

  580. 			char *errstr = openconnect__win32_strerror(err);
    581. 

  581. 			vpninfo->tun_rd_pending = 0;
    582. 

  582. 			vpn_progress(vpninfo, PRG_ERR,
    583. 

  583. 				     _("Failed to complete read from TAP device: %s\n"),
    584. 

  584. 				     errstr);
    585. 

  585. 			free(errstr);
    586. 

  586. 			goto reread;
    587. 

  587. 		}
    588. 

  588. 		return -1;
    589. 

  589. 	}
    590. 

  590. 

  591. 	/* Either a straight ReadFile() or a subsequent GetOverlappedResult()
    592. 

  592. 	   succeeded... */
    593. 

  593. 	vpninfo->tun_rd_pending = 0;
    594. 

  594. 	pkt->len = pkt_size;
    595. 

  595. 	return 0;
    596. 

  596. }
    597. 

  597. 

  598. int os_write_tun(struct openconnect_info *vpninfo, struct pkt *pkt)
    599. 

  599. {
    600. 

  600. 	DWORD pkt_size = 0;
    601. 

  601. 	DWORD err;
    602. 

  602. 	char *errstr;
    603. 

  603. 

  604. 	if (vpninfo->wintun)
    605. 

  605. 		return os_write_wintun(vpninfo, pkt);
    606. 

  606. 

  607. 	if (WriteFile(vpninfo->tun_fh, pkt->data, pkt->len, &pkt_size, &vpninfo->tun_wr_overlap)) {
    608. 

  608. 		vpn_progress(vpninfo, PRG_TRACE,
    609. 

  609. 			     _("Wrote %ld bytes to tun\n"), pkt_size);
    610. 

  610. 		return 0;
    611. 

  611. 	}
    612. 

  612. 

  613. 	err = GetLastError();
    614. 

  614. 	if (err == ERROR_IO_PENDING) {
    615. 

  615. 		/* Theoretically we should let the mainloop handle this blocking,
    616. 

  616. 		   but that's non-trivial and it doesn't ever seem to happen in
    617. 

  617. 		   practice anyway. */
    618. 

  618. 		vpn_progress(vpninfo, PRG_TRACE,
    619. 

  619. 			     _("Waiting for tun write...\n"));
    620. 

  620. 		if (GetOverlappedResult(vpninfo->tun_fh, &vpninfo->tun_wr_overlap, &pkt_size, TRUE)) {
    621. 

  621. 			vpn_progress(vpninfo, PRG_TRACE,
    622. 

  622. 				     _("Wrote %ld bytes to tun after waiting\n"), pkt_size);
    623. 

  623. 			return 0;
    624. 

  624. 		}
    625. 

  625. 		err = GetLastError();
    626. 

  626. 	}
    627. 

  627. 	errstr = openconnect__win32_strerror(err);
    628. 

  628. 	vpn_progress(vpninfo, PRG_ERR,
    629. 

  629. 		     _("Failed to write to TAP device: %s\n"), errstr);
    630. 

  630. 	free(errstr);
    631. 

  631. 	return -1;
    632. 

  632. }
    633. 

  633. 

  634. void os_shutdown_tun(struct openconnect_info *vpninfo)
    635. 

  635. {
    636. 

  636. 	script_config_tun(vpninfo, "disconnect");
    637. 

  637. 

  638. 	if (vpninfo->wintun) {
    639. 

  639. 		os_shutdown_wintun(vpninfo);
    640. 

  640. 		return;
    641. 

  641. 	}
    642. 

  642. 

  643. 	CloseHandle(vpninfo->tun_fh);
    644. 

  644. 	vpninfo->tun_fh = NULL;
    645. 

  645. 	CloseHandle(vpninfo->tun_rd_overlap.hEvent);
    646. 

  646. 	vpninfo->tun_rd_overlap.hEvent = NULL;
    647. 

  647. }
    648. 

  648. 

  649. int openconnect_setup_tun_fd(struct openconnect_info *vpninfo, intptr_t tun_fd)
    650. 

  650. {
    651. 

  651. 	ULONG data;
    652. 

  652. 	DWORD len;
    653. 

  653. 

  654. 	if (vpninfo->wintun)
    655. 

  655. 		return setup_wintun_fd(vpninfo, tun_fd);
    656. 

  656. 

  657. 	/* Toggle media status so that network location awareness picks up all the configuration
    658. 

  658. 	   that occurred and properly assigns the network so the user can adjust firewall
    659. 

  659. 	   settings. */
    660. 

  660. 	for (data = 0; data <= 1; data++) {
    661. 

  661. 		if (!DeviceIoControl((HANDLE)tun_fd, TAP_IOCTL_SET_MEDIA_STATUS,
    662. 

  662. 					&data, sizeof(data), &data, sizeof(data), &len, NULL)) {
    663. 

  663. 			char *errstr = openconnect__win32_strerror(GetLastError());
    664. 

  664. 

  665. 			vpn_progress(vpninfo, PRG_ERR,
    666. 

  666. 					_("Failed to set TAP media status: %s\n"), errstr);
    667. 

  667. 			free(errstr);
    668. 

  668. 			return -1;
    669. 

  669. 		}
    670. 

  670. 	}
    671. 

  671. 

  672. 	vpninfo->tun_fh = (HANDLE)tun_fd;
    673. 

  673. 	vpninfo->tun_rd_overlap.hEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
    674. 

  674. 	monitor_read_fd(vpninfo, tun);
    675. 

  675. 

  676. 	return 0;
    677. 

  677. }
    678. 

  678. 

  679. int openconnect_setup_tun_script(struct openconnect_info *vpninfo,
    680. 

  680. 				 const char *tun_script)
    681. 

  681. {
    682. 

  682. 	vpn_progress(vpninfo, PRG_ERR,
    683. 

  683. 		     _("Spawning tunnel scripts is not yet supported on Windows\n"));
    684. 

  684. 	return -1;
    685. 

  685. }
    686. 

  686. 

  687. #endif /* __LIST_TAPS__ */
    688. 

  688.