1 /*
2 * OpenConnect (SSL + DTLS) VPN client
3 *
4 * Copyright © 2008-2015 Intel Corporation.
5 * Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
6 * Copyright © 2013 John Morrissey <jwm@horde.net>
7 *
8 * Author: David Woodhouse <dwmw2@infradead.org>
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU Lesser General Public License
12 * version 2.1, as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 */
19
20 #ifndef __OPENCONNECT_INTERNAL_H__
21 #define __OPENCONNECT_INTERNAL_H__
22
23 #define __OPENCONNECT_PRIVATE__
24
25 #ifdef _WIN32
26 #include <winsock2.h>
27 #include <ws2tcpip.h>
28 #ifndef SECURITY_WIN32
29 #define SECURITY_WIN32 1
30 #endif
31 #include <security.h>
32 #else
33 #include <sys/types.h>
34 #include <sys/socket.h>
35 #include <sys/select.h>
36 #include <netdb.h>
37 #include <netinet/in.h>
38 #include <arpa/inet.h>
39 #include <fcntl.h>
40 #endif
41
42 #include "openconnect.h"
43
44 #if defined(OPENCONNECT_OPENSSL)
45 #include <openssl/ssl.h>
46 #include <openssl/err.h>
47 /* Ick */
48 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
49 #define method_const const
50 #else
51 #define method_const
52 #endif
53 #endif /* OPENSSL */
54
55 #if defined(OPENCONNECT_GNUTLS)
56 #include <gnutls/gnutls.h>
57 #include <gnutls/abstract.h>
58 #include <gnutls/x509.h>
59 #include <gnutls/crypto.h>
60 #endif
61
62 #ifdef HAVE_ICONV
63 #include <langinfo.h>
64 #include <iconv.h>
65 #endif
66
67 #include <zlib.h>
68 #include <stdint.h>
69 #include <sys/time.h>
70 #include <sys/types.h>
71 #include <unistd.h>
72 #include <string.h>
73
74 #ifdef LIBPROXY_HDR
75 #include LIBPROXY_HDR
76 #endif
77
78 #ifdef HAVE_LIBSTOKEN
79 #include <stoken.h>
80 #endif
81
82 #ifdef HAVE_GSSAPI
83 #include GSSAPI_HDR
84 #endif
85
86 #ifdef HAVE_LIBPSKC
87 #include <pskc/pskc.h>
88 #endif
89
90 #ifdef HAVE_LIBP11
91 #include <libp11.h>
92 #endif
93
94 #ifdef ENABLE_NLS
95 #include <libintl.h>
96 #define _(s) dgettext("openconnect", s)
97 #else
98 #define _(s) ((char *)(s))
99 #endif
100 #define N_(s) s
101
102 #include <libxml/tree.h>
103
104 #define SHA256_SIZE 32
105 #define SHA1_SIZE 20
106 #define MD5_SIZE 16
107
108 /* FreeBSD provides this in <sys/param.h> */
109 #ifndef MAX
110 #define MAX(x,y) ((x)>(y))?(x):(y)
111 #endif
112 #ifndef MIN
113 #define MIN(x,y) ((x)<(y))?(x):(y)
114 #endif
115
116 /* At least MinGW headers seem not to provide IPPROTO_IPIP */
117 #ifndef IPPROTO_IPIP
118 #define IPPROTO_IPIP 0x04
119 #endif
120
121 /****************************************************************************/
122
123 struct pkt {
124 int len;
125 struct pkt *next;
126 union {
127 struct {
128 uint32_t spi;
129 uint32_t seq;
130 unsigned char iv[16];
131 unsigned char payload[];
132 } esp;
133 struct {
134 unsigned char pad[2];
135 unsigned char rec[2];
136 unsigned char kmp[20];
137 } oncp;
138 struct {
139 unsigned char pad[16];
140 unsigned char hdr[8];
141 } cstp;
142 struct {
143 unsigned char pad[8];
144 unsigned char hdr[16];
145 } gpst;
146 struct {
147 unsigned char pad[8];
148 uint32_t vendor;
149 uint32_t type;
150 uint32_t len;
151 uint32_t ident;
152 } pulse;
153 };
154 unsigned char data[];
155 };
156
157 #define REKEY_NONE 0
158 #define REKEY_TUNNEL 1
159 #define REKEY_SSL 2
160
161 #define KA_NONE 0
162 #define KA_DPD 1
163 #define KA_DPD_DEAD 2
164 #define KA_KEEPALIVE 3
165 #define KA_REKEY 4
166
167 #define DTLS_NOSECRET 0 /* Random secret has not been generated yet */
168 #define DTLS_SECRET 1 /* Secret is present, ready to attempt DTLS */
169 #define DTLS_DISABLED 2 /* DTLS was disabled on the *client* side */
170 #define DTLS_SLEEPING 3 /* For ESP, sometimes sending probes */
171 #define DTLS_CONNECTING 4 /* ESP probe received; must tell server */
172 #define DTLS_CONNECTED 5 /* Server informed and should be sending ESP */
173
174 #define COMPR_DEFLATE (1<<0)
175 #define COMPR_LZS (1<<1)
176 #define COMPR_LZ4 (1<<2)
177 #define COMPR_LZO (1<<3)
178 #define COMPR_MAX COMPR_LZO
179
180 #ifdef HAVE_LZ4
181 #define COMPR_STATELESS (COMPR_LZS | COMPR_LZ4 | COMPR_LZO)
182 #else
183 #define COMPR_STATELESS (COMPR_LZS)
184 #endif
185 #define COMPR_ALL (COMPR_STATELESS | COMPR_DEFLATE)
186
187 #define DTLS_APP_ID_EXT 48018
188
189 struct keepalive_info {
190 int dpd;
191 int keepalive;
192 int rekey;
193 int rekey_method;
194 time_t last_rekey;
195 time_t last_tx;
196 time_t last_rx;
197 time_t last_dpd;
198 };
199
200 struct pin_cache {
201 struct pin_cache *next;
202 char *token;
203 char *pin;
204 };
205
206 struct oc_text_buf {
207 char *data;
208 int pos;
209 int buf_len;
210 int error;
211 };
212
213 #define TLS_MASTER_KEY_SIZE 48
214
215 #define RECONNECT_INTERVAL_MIN 10
216 #define RECONNECT_INTERVAL_MAX 100
217
218 #define REDIR_TYPE_NONE 0
219 #define REDIR_TYPE_NEWHOST 1
220 #define REDIR_TYPE_LOCAL 2
221
222 #define AUTH_TYPE_GSSAPI 0
223 #define AUTH_TYPE_NTLM 1
224 #define AUTH_TYPE_DIGEST 2
225 #define AUTH_TYPE_BASIC 3
226 #define AUTH_TYPE_BEARER 4
227
228 #define MAX_AUTH_TYPES 5
229
230 #define AUTH_DEFAULT_DISABLED -3
231 #define AUTH_DISABLED -2
232 #define AUTH_FAILED -1 /* Failed */
233 #define AUTH_UNSEEN 0 /* Server has not offered it */
234 #define AUTH_AVAILABLE 1 /* Server has offered it, we have not tried it */
235 /* Individual auth types may use 2 onwards for their own state */
236 #define AUTH_IN_PROGRESS 2 /* In-progress attempt */
237
238 struct http_auth_state {
239 int state;
240 char *challenge;
241 union {
242 #ifdef HAVE_GSSAPI
243 struct {
244 gss_name_t gss_target_name;
245 gss_ctx_id_t gss_context;
246 };
247 #endif
248 #ifdef _WIN32
249 struct {
250 CredHandle ntlm_sspi_cred;
251 CtxtHandle ntlm_sspi_ctx;
252 };
253 struct {
254 CredHandle sspi_cred;
255 CtxtHandle sspi_ctx;
256 SEC_WCHAR *sspi_target_name;
257 };
258 #else
259 struct {
260 int ntlm_helper_fd;
261 };
262 #endif
263 };
264 };
265
266 struct vpn_proto {
267 const char *name;
268 const char *pretty_name;
269 const char *description;
270 const char *udp_protocol;
271 unsigned int flags;
272 int (*vpn_close_session)(struct openconnect_info *vpninfo, const char *reason);
273
274 /* This does the full authentication, calling back as appropriate */
275 int (*obtain_cookie)(struct openconnect_info *vpninfo);
276
277 /* Establish the TCP connection (and obtain configuration) */
278 int (*tcp_connect)(struct openconnect_info *vpninfo);
279
280 int (*tcp_mainloop)(struct openconnect_info *vpninfo, int *timeout, int readable);
281
282 /* Add headers common to each HTTP request */
283 void (*add_http_headers)(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
284
285 /* Set up the UDP (DTLS) connection. Doesn't actually *start* it. */
286 int (*udp_setup)(struct openconnect_info *vpninfo, int attempt_period);
287
288 /* This will actually complete the UDP connection setup/handshake on the wire,
289 as well as transporting packets */
290 int (*udp_mainloop)(struct openconnect_info *vpninfo, int *timeout, int readable);
291
292 /* Close the connection but leave the session setup so it restarts */
293 void (*udp_close)(struct openconnect_info *vpninfo);
294
295 /* Close and destroy the (UDP) session */
296 void (*udp_shutdown)(struct openconnect_info *vpninfo);
297
298 /* Send probe packets to start or maintain the (UDP) session */
299 int (*udp_send_probes)(struct openconnect_info *vpninfo);
300
301 /* Catch probe packet confirming the (UDP) session */
302 int (*udp_catch_probe)(struct openconnect_info *vpninfo, struct pkt *p);
303 };
304
305 struct pkt_q {
306 struct pkt *head;
307 struct pkt **tail;
308 int count;
309 };
310
dequeue_packet(struct pkt_q * q)311 static inline struct pkt *dequeue_packet(struct pkt_q *q)
312 {
313 struct pkt *ret = q->head;
314
315 if (ret) {
316 q->head = ret->next;
317 if (!--q->count)
318 q->tail = &q->head;
319 }
320 return ret;
321 }
322
requeue_packet(struct pkt_q * q,struct pkt * p)323 static inline void requeue_packet(struct pkt_q *q, struct pkt *p)
324 {
325 p->next = q->head;
326 q->head = p;
327 if (!q->count++)
328 q->tail = &p->next;
329 }
330
queue_packet(struct pkt_q * q,struct pkt * p)331 static inline int queue_packet(struct pkt_q *q, struct pkt *p)
332 {
333 *(q->tail) = p;
334 p->next = NULL;
335 q->tail = &p->next;
336 return ++q->count;
337 }
338
init_pkt_queue(struct pkt_q * q)339 static inline void init_pkt_queue(struct pkt_q *q)
340 {
341 q->tail = &q->head;
342 }
343
344 #define DTLS_OVERHEAD (1 /* packet + header */ + 13 /* DTLS header */ + \
345 20 /* biggest supported MAC (SHA1) */ + 32 /* biggest supported IV (AES-256) */ + \
346 16 /* max padding */)
347
348 struct esp {
349 #if defined(OPENCONNECT_GNUTLS)
350 gnutls_cipher_hd_t cipher;
351 gnutls_hmac_hd_t hmac;
352 #elif defined(OPENCONNECT_OPENSSL)
353 HMAC_CTX *hmac;
354 EVP_CIPHER_CTX *cipher;
355 #endif
356 uint64_t seq_backlog;
357 uint64_t seq;
358 uint32_t spi; /* Stored network-endian */
359 unsigned char enc_key[0x40]; /* Encryption key */
360 unsigned char hmac_key[0x40]; /* HMAC key */
361 unsigned char iv[16];
362 };
363
364 struct oc_pcsc_ctx;
365 struct oc_tpm1_ctx;
366 struct oc_tpm2_ctx;
367
368 struct openconnect_info {
369 const struct vpn_proto *proto;
370
371 #ifdef HAVE_ICONV
372 iconv_t ic_legacy_to_utf8;
373 iconv_t ic_utf8_to_legacy;
374 #endif
375 char *redirect_url;
376 int redirect_type;
377
378 unsigned char esp_hmac;
379 unsigned char esp_enc;
380 unsigned char esp_compr;
381 uint32_t esp_replay_protect;
382 uint32_t esp_lifetime_bytes;
383 uint32_t esp_lifetime_seconds;
384 uint32_t esp_ssl_fallback;
385 int current_esp_in;
386 int old_esp_maxseq;
387 struct esp esp_in[2];
388 struct esp esp_out;
389 int enc_key_len;
390 int hmac_key_len;
391 int hmac_out_len;
392 uint32_t esp_magic; /* GlobalProtect magic ping address (network-endian) */
393
394 int tncc_fd; /* For Juniper TNCC */
395 const char *csd_xmltag;
396 int csd_nostub;
397 char *platname;
398 char *mobile_platform_version;
399 char *mobile_device_type;
400 char *mobile_device_uniqueid;
401 char *csd_token;
402 char *csd_ticket;
403 char *csd_stuburl;
404 char *csd_starturl;
405 char *csd_waiturl;
406 char *csd_preurl;
407
408 char *csd_scriptname;
409 xmlNode *opaque_srvdata;
410
411 char *profile_url;
412 char *profile_sha1;
413
414 #ifdef LIBPROXY_HDR
415 pxProxyFactory *proxy_factory;
416 #endif
417 char *proxy_type;
418 char *proxy;
419 int proxy_port;
420 int proxy_fd;
421 char *proxy_user;
422 char *proxy_pass;
423 char *bearer_token;
424 int proxy_close_during_auth;
425 int retry_on_auth_fail;
426 int try_http_auth;
427 struct http_auth_state http_auth[MAX_AUTH_TYPES];
428 struct http_auth_state proxy_auth[MAX_AUTH_TYPES];
429
430 char *localname;
431 char *hostname;
432 char *unique_hostname;
433 int port;
434 char *urlpath;
435 int cert_expire_warning;
436 char *cert;
437 char *sslkey;
438 char *cert_password;
439 char *cafile;
440 unsigned no_system_trust;
441 const char *xmlconfig;
442 char xmlsha1[(SHA1_SIZE * 2) + 1];
443 char *authgroup;
444 int nopasswd;
445 int xmlpost;
446 char *dtls_ciphers;
447 char *dtls12_ciphers;
448 char *csd_wrapper;
449 int trojan_interval;
450 time_t last_trojan;
451 int no_http_keepalive;
452 int dump_http_traffic;
453
454 int token_mode;
455 int token_bypassed;
456 int token_tries;
457 time_t token_time;
458 #ifdef HAVE_LIBSTOKEN
459 struct stoken_ctx *stoken_ctx;
460 char *stoken_pin;
461 int stoken_concat_pin;
462 int stoken_interval;
463 #endif
464 #ifdef HAVE_LIBPSKC
465 pskc_t *pskc;
466 pskc_key_t *pskc_key;
467 #endif
468 char *oath_secret;
469 size_t oath_secret_len;
470 enum {
471 OATH_ALG_HMAC_SHA1 = 0,
472 OATH_ALG_HMAC_SHA256,
473 OATH_ALG_HMAC_SHA512,
474 } oath_hmac_alg;
475 enum {
476 HOTP_SECRET_BASE32 = 1,
477 HOTP_SECRET_RAW,
478 HOTP_SECRET_HEX,
479 HOTP_SECRET_PSKC,
480 } hotp_secret_format; /* We need to give it back in the same form */
481
482 #ifdef HAVE_LIBPCSCLITE
483 struct oc_pcsc_ctx *pcsc;
484 unsigned char yubikey_pwhash[16];
485 #endif
486 openconnect_lock_token_vfn lock_token;
487 openconnect_unlock_token_vfn unlock_token;
488 void *tok_cbdata;
489
490 void *peer_cert;
491 /* The SHA1 and SHA256 hashes of the peer's public key */
492 uint8_t peer_cert_sha1_raw[SHA1_SIZE];
493 uint8_t peer_cert_sha256_raw[SHA256_SIZE];
494 /* this value is cache for openconnect_get_peer_cert_hash */
495 char *peer_cert_hash;
496 void *cert_list_handle;
497 int cert_list_size;
498
499 char *cookie; /* Pointer to within cookies list */
500 struct oc_vpn_option *cookies;
501 struct oc_vpn_option *cstp_options;
502 struct oc_vpn_option *dtls_options;
503
504 struct oc_vpn_option *script_env;
505 struct oc_vpn_option *csd_env;
506
507 unsigned pfs;
508 unsigned no_tls13;
509 #if defined(OPENCONNECT_OPENSSL)
510 #ifdef HAVE_LIBP11
511 PKCS11_CTX *pkcs11_ctx;
512 PKCS11_SLOT *pkcs11_slot_list;
513 unsigned int pkcs11_slot_count;
514 PKCS11_SLOT *pkcs11_cert_slot;
515 unsigned char *pkcs11_cert_id;
516 size_t pkcs11_cert_id_len;
517 #endif
518 X509 *cert_x509;
519 SSL_CTX *https_ctx;
520 SSL *https_ssl;
521 BIO_METHOD *ttls_bio_meth;
522 #elif defined(OPENCONNECT_GNUTLS)
523 gnutls_session_t https_sess;
524 gnutls_session_t eap_ttls_sess;
525 gnutls_certificate_credentials_t https_cred;
526 gnutls_psk_client_credentials_t psk_cred;
527 char local_cert_md5[MD5_SIZE * 2 + 1]; /* For CSD */
528 #ifdef HAVE_TROUSERS
529 struct oc_tpm1_ctx *tpm1;
530 #endif
531 #ifdef HAVE_TSS2
532 struct oc_tpm2_ctx *tpm2;
533 #endif
534 #endif /* OPENCONNECT_GNUTLS */
535 char ciphersuite_config[256];
536 struct oc_text_buf *ttls_pushbuf;
537 uint8_t ttls_eap_ident;
538 unsigned char *ttls_recvbuf;
539 int ttls_recvpos;
540 int ttls_recvlen;
541 uint32_t ttls_msgleft;
542
543 struct pin_cache *pin_cache;
544 struct keepalive_info ssl_times;
545 int owe_ssl_dpd_response;
546
547 int deflate_pkt_size; /* It may need to be larger than MTU */
548 struct pkt *deflate_pkt; /* For compressing outbound packets into */
549 struct pkt *pending_deflated_pkt; /* The original packet associated with above */
550 struct pkt *current_ssl_pkt; /* Partially sent SSL packet */
551 struct pkt_q oncp_control_queue; /* Control packets to be sent on oNCP next */
552 int oncp_rec_size; /* For packetising incoming oNCP stream */
553 /* Packet buffers for receiving into */
554 struct pkt *cstp_pkt;
555 struct pkt *dtls_pkt;
556 struct pkt *tun_pkt;
557 int pkt_trailer; /* How many bytes after payload for encryption (ESP HMAC) */
558
559 z_stream inflate_strm;
560 uint32_t inflate_adler32;
561 z_stream deflate_strm;
562 uint32_t deflate_adler32;
563
564 int disable_ipv6;
565 int reconnect_timeout;
566 int reconnect_interval;
567 int dtls_attempt_period;
568 time_t new_dtls_started;
569 #if defined(OPENCONNECT_OPENSSL)
570 SSL_CTX *dtls_ctx;
571 SSL *dtls_ssl;
572 #elif defined(OPENCONNECT_GNUTLS)
573 /* Call this dtls_ssl rather than dtls_sess because it's just a
574 pointer, and generic code in dtls.c wants to check if it's
575 NULL or not or pass it to DTLS_SEND/DTLS_RECV. This way we
576 have fewer ifdefs and accessor macros for it. */
577 gnutls_session_t dtls_ssl;
578 #endif
579 char *cstp_cipher; /* library-dependent description of TLS cipher */
580 char *dtls_cipher_desc; /* library-dependent description of DTLS cipher, cached for openconnect_get_dtls_cipher() */
581
582 int dtls_state;
583 int dtls_need_reconnect;
584 struct keepalive_info dtls_times;
585 unsigned char dtls_session_id[32];
586 unsigned char dtls_secret[TLS_MASTER_KEY_SIZE];
587 unsigned char dtls_app_id[32];
588 unsigned dtls_app_id_size;
589
590 uint32_t ift_seq;
591
592 int cisco_dtls12; /* If Cisco server sent X-DTLS12-CipherSuite header, rather than X-DTLS-CipherSuite */
593 char *dtls_cipher; /* Value of aforementioned header (PSK-NEGOTIATE, or an OpenSSL cipher name) */
594
595 char *vpnc_script;
596 #ifndef _WIN32
597 int uid_csd_given;
598 uid_t uid_csd;
599 gid_t gid_csd;
600 uid_t uid;
601 gid_t gid;
602 #endif
603 int use_tun_script;
604 int script_tun;
605 char *ifname;
606 char *cmd_ifname;
607
608 int reqmtu, basemtu; /* Local static configured values */
609 const char *banner;
610
611 struct oc_ip_info ip_info;
612 int cstp_basemtu; /* Returned by server */
613 int idle_timeout; /* Returned by server */
614
615 #ifdef _WIN32
616 long dtls_monitored, ssl_monitored, cmd_monitored, tun_monitored;
617 HANDLE dtls_event, ssl_event, cmd_event;
618 #else
619 int _select_nfds;
620 fd_set _select_rfds;
621 fd_set _select_wfds;
622 fd_set _select_efds;
623 #endif
624
625 #ifdef __sun__
626 int ip_fd;
627 int ip6_fd;
628 #endif
629 #ifdef _WIN32
630 HANDLE tun_fh;
631 OVERLAPPED tun_rd_overlap, tun_wr_overlap;
632 int tun_idx, tun_rd_pending;
633 #else
634 int tun_fd;
635 #endif
636 int ssl_fd;
637 int dtls_fd;
638
639 int dtls_tos_current;
640 int dtls_pass_tos;
641 int dtls_tos_proto, dtls_tos_optname;
642
643 int cmd_fd;
644 int cmd_fd_write;
645 int got_cancel_cmd;
646 int got_pause_cmd;
647 char cancel_type;
648
649 struct pkt_q incoming_queue;
650 struct pkt_q outgoing_queue;
651 int max_qlen;
652 struct oc_stats stats;
653 openconnect_stats_vfn stats_handler;
654
655 socklen_t peer_addrlen;
656 struct sockaddr *peer_addr;
657 struct sockaddr *dtls_addr;
658
659 int dtls_local_port;
660
661 int req_compr; /* What we requested */
662 int cstp_compr; /* Accepted for CSTP */
663 int dtls_compr; /* Accepted for DTLS */
664
665 int is_dyndns; /* Attempt to redo DNS lookup on each CSTP reconnect */
666 char *useragent;
667 char *version_string;
668
669 const char *quit_reason;
670
671 int verbose;
672 void *cbdata;
673 openconnect_validate_peer_cert_vfn validate_peer_cert;
674 openconnect_write_new_config_vfn write_new_config;
675 openconnect_process_auth_form_vfn process_auth_form;
676 openconnect_progress_vfn progress;
677 openconnect_protect_socket_vfn protect_socket;
678 openconnect_getaddrinfo_vfn getaddrinfo_override;
679 openconnect_setup_tun_vfn setup_tun;
680 openconnect_reconnected_vfn reconnected;
681
682 int (*ssl_read)(struct openconnect_info *vpninfo, char *buf, size_t len);
683 int (*ssl_gets)(struct openconnect_info *vpninfo, char *buf, size_t len);
684 int (*ssl_write)(struct openconnect_info *vpninfo, char *buf, size_t len);
685 };
686
687 #ifdef _WIN32
688 #define monitor_read_fd(_v, _n) _v->_n##_monitored |= FD_READ
689 #define monitor_write_fd(_v, _n) _v->_n##_monitored |= FD_WRITE
690 #define monitor_except_fd(_v, _n) _v->_n##_monitored |= FD_CLOSE
691 #define unmonitor_read_fd(_v, _n) _v->_n##_monitored &= ~FD_READ
692 #define unmonitor_write_fd(_v, _n) _v->_n##_monitored &= ~FD_WRITE
693 #define unmonitor_except_fd(_v, _n) _v->_n##_monitored &= ~FD_CLOSE
694
695 #define monitor_fd_new(_v, _n) do { if (!_v->_n##_event) _v->_n##_event = CreateEvent(NULL, FALSE, FALSE, NULL); } while (0)
696 #define read_fd_monitored(_v, _n) (_v->_n##_monitored & FD_READ)
697
698 #else
699 #define monitor_read_fd(_v, _n) FD_SET(_v-> _n##_fd, &vpninfo->_select_rfds)
700 #define unmonitor_read_fd(_v, _n) FD_CLR(_v-> _n##_fd, &vpninfo->_select_rfds)
701 #define monitor_write_fd(_v, _n) FD_SET(_v-> _n##_fd, &vpninfo->_select_wfds)
702 #define unmonitor_write_fd(_v, _n) FD_CLR(_v-> _n##_fd, &vpninfo->_select_wfds)
703 #define monitor_except_fd(_v, _n) FD_SET(_v-> _n##_fd, &vpninfo->_select_efds)
704 #define unmonitor_except_fd(_v, _n) FD_CLR(_v-> _n##_fd, &vpninfo->_select_efds)
705
706 #define monitor_fd_new(_v, _n) do { \
707 if (_v->_select_nfds <= vpninfo->_n##_fd) \
708 vpninfo->_select_nfds = vpninfo->_n##_fd + 1; \
709 } while (0)
710
711 #define read_fd_monitored(_v, _n) FD_ISSET(_v->_n##_fd, &_v->_select_rfds)
712 #endif
713
714 /* Key material for DTLS-PSK */
715 #define PSK_LABEL "EXPORTER-openconnect-psk"
716 #define PSK_LABEL_SIZE sizeof(PSK_LABEL)-1
717 #define PSK_KEY_SIZE 32
718
719 /* Packet types */
720
721 #define AC_PKT_DATA 0 /* Uncompressed data */
722 #define AC_PKT_DPD_OUT 3 /* Dead Peer Detection */
723 #define AC_PKT_DPD_RESP 4 /* DPD response */
724 #define AC_PKT_DISCONN 5 /* Client disconnection notice */
725 #define AC_PKT_KEEPALIVE 7 /* Keepalive */
726 #define AC_PKT_COMPRESSED 8 /* Compressed data */
727 #define AC_PKT_TERM_SERVER 9 /* Server kick */
728
729 /* Encryption and HMAC algorithms (matching Juniper/Pulse binary encoding) */
730 #define ENC_AES_128_CBC 2
731 #define ENC_AES_256_CBC 5
732
733 #define HMAC_MD5 1
734 #define HMAC_SHA1 2
735 #define HMAC_SHA256 3
736
737 #define MAX_HMAC_SIZE 32 /* SHA256 */
738 #define MAX_IV_SIZE 16
739 #define MAX_ESP_PAD 17 /* Including the next-header field */
740
741 #define vpn_progress(_v, lvl, ...) do { \
742 if ((_v)->verbose >= (lvl)) \
743 (_v)->progress((_v)->cbdata, lvl, __VA_ARGS__); \
744 } while(0)
745 #define vpn_perror(vpninfo, msg) vpn_progress((vpninfo), PRG_ERR, "%s: %s\n", (msg), strerror(errno))
746
747 /****************************************************************************/
748 /* Oh Solaris how we hate thee! */
749 #ifdef HAVE_SUNOS_BROKEN_TIME
750 #define time(x) openconnect__time(x)
751 time_t openconnect__time(time_t *t);
752 #endif
753 #ifndef HAVE_VASPRINTF
754 #define vasprintf openconnect__vasprintf
755 int openconnect__vasprintf(char **strp, const char *fmt, va_list ap);
756 #endif
757 #ifndef HAVE_ASPRINTF
758 #define asprintf openconnect__asprintf
759 int openconnect__asprintf(char **strp, const char *fmt, ...);
760 #endif
761 #ifndef HAVE_GETLINE
762 #define getline openconnect__getline
763 ssize_t openconnect__getline(char **lineptr, size_t *n, FILE *stream);
764 #endif
765 #ifndef HAVE_STRCASESTR
766 #define strcasestr openconnect__strcasestr
767 char *openconnect__strcasestr(const char *haystack, const char *needle);
768 #endif
769 #ifndef HAVE_STRNDUP
770 #undef strndup
771 #define strndup openconnect__strndup
772 char *openconnect__strndup(const char *s, size_t n);
773 #endif
774
775 #ifndef HAVE_INET_ATON
776 #define inet_aton openconnect__inet_aton
777 int openconnect__inet_aton(const char *cp, struct in_addr *addr);
778 #endif
779
set_sock_nonblock(int fd)780 static inline int set_sock_nonblock(int fd)
781 {
782 #ifdef _WIN32
783 unsigned long mode = 1;
784 return ioctlsocket(fd, FIONBIO, &mode);
785 #else
786 return fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
787 #endif
788 }
set_fd_cloexec(int fd)789 static inline int set_fd_cloexec(int fd)
790 {
791 #ifdef _WIN32
792 return 0; /* Windows has O_INHERIT but... */
793 #else
794 int ret = fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
795 /*
796 * Coverity gets really sad if we don't check the error here.
797 * But really, we're doing this to be a 'good citizen' when
798 * running as a library, and we aren't even going to bother
799 * printing a debug message if it fails. We just don't care.
800 */
801 if (ret)
802 return ret;
803 return 0;
804 #endif
805 }
tun_is_up(struct openconnect_info * vpninfo)806 static inline int tun_is_up(struct openconnect_info *vpninfo)
807 {
808 #ifdef _WIN32
809 return vpninfo->tun_fh != NULL;
810 #else
811 return vpninfo->tun_fd != -1;
812 #endif
813 }
814
815 #ifdef _WIN32
816 #define pipe(fds) _pipe(fds, 4096, O_BINARY)
817 int openconnect__win32_sock_init();
818 char *openconnect__win32_strerror(DWORD err);
819 #undef inet_pton
820 #define inet_pton openconnect__win32_inet_pton
821 int openconnect__win32_inet_pton(int af, const char *src, void *dst);
822 #define OPENCONNECT_CMD_SOCKET SOCKET
823 OPENCONNECT_CMD_SOCKET dumb_socketpair(OPENCONNECT_CMD_SOCKET socks[2], int make_overlapped);
824 #else
825 #define closesocket close
826 #define OPENCONNECT_CMD_SOCKET int
827 #ifndef O_BINARY
828 #define O_BINARY 0
829 #endif
830 #endif
831
832 /* For systems that don't support O_CLOEXEC, just don't bother.
833 We don't keep files open for long anyway. */
834 #ifndef O_CLOEXEC
835 #define O_CLOEXEC 0
836 #endif
837
838 /* I always coded as if it worked like this. Now it does. */
839 #define realloc_inplace(p, size) do { \
840 void *__realloc_old = p; \
841 p = realloc(p, size); \
842 if (size && !p) \
843 free(__realloc_old); \
844 } while (0)
845
846 /****************************************************************************/
847
848 /* iconv.c */
849 #ifdef HAVE_ICONV
850 char *openconnect_utf8_to_legacy(struct openconnect_info *vpninfo, const char *utf8);
851 char *openconnect_legacy_to_utf8(struct openconnect_info *vpninfo, const char *legacy);
852 #else
853 #define openconnect_utf8_to_legacy(v, str) ((char *)str)
854 #define openconnect_legacy_to_utf8(v, str) ((char *)str)
855 #endif
856
857 /* script.c */
858 unsigned char unhex(const char *data);
859 int script_setenv(struct openconnect_info *vpninfo, const char *opt, const char *val, int trunc, int append);
860 int script_setenv_int(struct openconnect_info *vpninfo, const char *opt, int value);
861 void prepare_script_env(struct openconnect_info *vpninfo);
862 int script_config_tun(struct openconnect_info *vpninfo, const char *reason);
863 int apply_script_env(struct oc_vpn_option *envs);
864 void free_split_routes(struct openconnect_info *vpninfo);
865
866 /* tun.c / tun-win32.c */
867 void os_shutdown_tun(struct openconnect_info *vpninfo);
868 int os_read_tun(struct openconnect_info *vpninfo, struct pkt *pkt);
869 int os_write_tun(struct openconnect_info *vpninfo, struct pkt *pkt);
870 intptr_t os_setup_tun(struct openconnect_info *vpninfo);
871
872 /* {gnutls,openssl}-dtls.c */
873 int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd);
874 int dtls_try_handshake(struct openconnect_info *vpninfo);
875 unsigned dtls_set_mtu(struct openconnect_info *vpninfo, unsigned mtu);
876 void dtls_ssl_free(struct openconnect_info *vpninfo);
877
878 void *establish_eap_ttls(struct openconnect_info *vpninfo);
879 void destroy_eap_ttls(struct openconnect_info *vpninfo, void *sess);
880
881 /* dtls.c */
882 int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
883 int udp_tos_update(struct openconnect_info *vpninfo, struct pkt *pkt);
884 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
885 void dtls_close(struct openconnect_info *vpninfo);
886 void dtls_shutdown(struct openconnect_info *vpninfo);
887 void gather_dtls_ciphers(struct openconnect_info *vpninfo, struct oc_text_buf *buf, struct oc_text_buf *buf12);
888 void dtls_detect_mtu(struct openconnect_info *vpninfo);
889 int openconnect_dtls_read(struct openconnect_info *vpninfo, void *buf, size_t len, unsigned ms);
890 int openconnect_dtls_write(struct openconnect_info *vpninfo, void *buf, size_t len);
891 char *openconnect_bin2hex(const char *prefix, const uint8_t *data, unsigned len);
892 char *openconnect_bin2base64(const char *prefix, const uint8_t *data, unsigned len);
893
894 /* cstp.c */
895 void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
896 int cstp_connect(struct openconnect_info *vpninfo);
897 int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
898 int cstp_bye(struct openconnect_info *vpninfo, const char *reason);
899 int decompress_and_queue_packet(struct openconnect_info *vpninfo, int compr_type,
900 unsigned char *buf, int len);
901 int compress_packet(struct openconnect_info *vpninfo, int compr_type, struct pkt *this);
902
903 /* auth-juniper.c */
904 int oncp_obtain_cookie(struct openconnect_info *vpninfo);
905 int oncp_send_tncc_command(struct openconnect_info *vpninfo, int first);
906 void oncp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
907
908 /* oncp.c */
909 int oncp_connect(struct openconnect_info *vpninfo);
910 int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
911 int oncp_bye(struct openconnect_info *vpninfo, const char *reason);
912 void oncp_esp_close(struct openconnect_info *vpninfo);
913 int oncp_esp_send_probes(struct openconnect_info *vpninfo);
914 int oncp_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt);
915
916 /* pulse.c */
917 int pulse_obtain_cookie(struct openconnect_info *vpninfo);
918 void pulse_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
919 int pulse_connect(struct openconnect_info *vpninfo);
920 int pulse_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
921 int pulse_bye(struct openconnect_info *vpninfo, const char *reason);
922 int pulse_eap_ttls_send(struct openconnect_info *vpninfo, const void *data, int len);
923 int pulse_eap_ttls_recv(struct openconnect_info *vpninfo, void *data, int len);
924
925 /* auth-globalprotect.c */
926 int gpst_obtain_cookie(struct openconnect_info *vpninfo);
927 void gpst_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
928 int gpst_bye(struct openconnect_info *vpninfo, const char *reason);
929 const char *gpst_os_name(struct openconnect_info *vpninfo);
930
931 /* gpst.c */
932 int gpst_xml_or_error(struct openconnect_info *vpninfo, char *response,
933 int (*xml_cb)(struct openconnect_info *, xmlNode *xml_node, void *cb_data),
934 int (*challenge_cb)(struct openconnect_info *, char *prompt, char *inputStr, void *cb_data),
935 void *cb_data);
936 int gpst_setup(struct openconnect_info *vpninfo);
937 int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
938 int gpst_esp_send_probes(struct openconnect_info *vpninfo);
939 int gpst_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt);
940
941 /* lzs.c */
942 int lzs_decompress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);
943 int lzs_compress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);
944
945 /* ssl.c */
946 unsigned string_is_hostname(const char* str);
947 int connect_https_socket(struct openconnect_info *vpninfo);
948 int __attribute__ ((format(printf, 4, 5)))
949 request_passphrase(struct openconnect_info *vpninfo, const char *label,
950 char **response, const char *fmt, ...);
951 int __attribute__ ((format (printf, 2, 3)))
952 openconnect_SSL_printf(struct openconnect_info *vpninfo, const char *fmt, ...);
953 int openconnect_print_err_cb(const char *str, size_t len, void *ptr);
954 #define openconnect_report_ssl_errors(v) ERR_print_errors_cb(openconnect_print_err_cb, (v))
955 #if defined(FAKE_ANDROID_KEYSTORE) || defined(__ANDROID__)
956 #define ANDROID_KEYSTORE
957 #endif
958 #ifdef ANDROID_KEYSTORE
959 const char *keystore_strerror(int err);
960 int keystore_fetch(const char *key, unsigned char **result);
961 #endif
962 void cmd_fd_set(struct openconnect_info *vpninfo, fd_set *fds, int *maxfd);
963 void check_cmd_fd(struct openconnect_info *vpninfo, fd_set *fds);
964 int is_cancel_pending(struct openconnect_info *vpninfo, fd_set *fds);
965 void poll_cmd_fd(struct openconnect_info *vpninfo, int timeout);
966 int openconnect_open_utf8(struct openconnect_info *vpninfo,
967 const char *fname, int mode);
968 FILE *openconnect_fopen_utf8(struct openconnect_info *vpninfo,
969 const char *fname, const char *mode);
970 ssize_t openconnect_read_file(struct openconnect_info *vpninfo, const char *fname,
971 char **ptr);
972 int udp_sockaddr(struct openconnect_info *vpninfo, int port);
973 int udp_connect(struct openconnect_info *vpninfo);
974 int ssl_reconnect(struct openconnect_info *vpninfo);
975 void openconnect_clear_cookies(struct openconnect_info *vpninfo);
976 int cancellable_gets(struct openconnect_info *vpninfo, int fd,
977 char *buf, size_t len);
978
979 int cancellable_send(struct openconnect_info *vpninfo, int fd,
980 char *buf, size_t len);
981 int cancellable_recv(struct openconnect_info *vpninfo, int fd,
982 char *buf, size_t len);
983 /* openssl-pkcs11.c */
984 int load_pkcs11_key(struct openconnect_info *vpninfo);
985 int load_pkcs11_certificate(struct openconnect_info *vpninfo);
986
987 /* esp.c */
988 int verify_packet_seqno(struct openconnect_info *vpninfo,
989 struct esp *esp, uint32_t seq);
990 int esp_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
991 int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
992 void esp_close(struct openconnect_info *vpninfo);
993 void esp_shutdown(struct openconnect_info *vpninfo);
994 int print_esp_keys(struct openconnect_info *vpninfo, const char *name, struct esp *esp);
995 int openconnect_setup_esp_keys(struct openconnect_info *vpninfo, int new_keys);
996 int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, uint8_t next_hdr);
997
998 /* {gnutls,openssl}-esp.c */
999 void destroy_esp_ciphers(struct esp *esp);
1000 int init_esp_ciphers(struct openconnect_info *vpninfo, struct esp *out, struct esp *in);
1001 int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp, struct pkt *pkt);
1002 int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, int crypt_len);
1003
1004 /* {gnutls,openssl}.c */
1005 const char *openconnect_get_tls_library_version();
1006 int ssl_nonblock_read(struct openconnect_info *vpninfo, void *buf, int maxlen);
1007 int ssl_nonblock_write(struct openconnect_info *vpninfo, void *buf, int buflen);
1008 int openconnect_open_https(struct openconnect_info *vpninfo);
1009 void openconnect_close_https(struct openconnect_info *vpninfo, int final);
1010 int cstp_handshake(struct openconnect_info *vpninfo, unsigned init);
1011 int get_cert_md5_fingerprint(struct openconnect_info *vpninfo, void *cert,
1012 char *buf);
1013 int openconnect_sha1(unsigned char *result, void *data, int len);
1014 int openconnect_sha256(unsigned char *result, void *data, int len);
1015 int openconnect_md5(unsigned char *result, void *data, int len);
1016 int openconnect_random(void *bytes, int len);
1017 int openconnect_local_cert_md5(struct openconnect_info *vpninfo,
1018 char *buf);
1019 int openconnect_yubikey_chalresp(struct openconnect_info *vpninfo,
1020 const void *challenge, int chall_len, void *result);
1021 int openconnect_hash_yubikey_password(struct openconnect_info *vpninfo,
1022 const char *password, int pwlen,
1023 const void *ident, int id_len);
1024 int hotp_hmac(struct openconnect_info *vpninfo, const void *challenge);
1025 #if defined(OPENCONNECT_OPENSSL)
1026 #define openconnect_https_connected(_v) ((_v)->https_ssl)
1027 #elif defined (OPENCONNECT_GNUTLS)
1028 #define openconnect_https_connected(_v) ((_v)->https_sess)
1029 #endif
1030
1031 /* mainloop.c */
1032 int tun_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable);
1033 int queue_new_packet(struct pkt_q *q, void *buf, int len);
1034 int keepalive_action(struct keepalive_info *ka, int *timeout);
1035 int ka_stalled_action(struct keepalive_info *ka, int *timeout);
1036 int ka_check_deadline(int *timeout, time_t now, time_t due);
1037 int trojan_check_deadline(struct openconnect_info *vpninfo, int *timeout);
1038
1039 /* xml.c */
1040 int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
1041
1042 /* oath.c */
1043 int set_oath_mode(struct openconnect_info *vpninfo, const char *token_str,
1044 oc_token_mode_t token_mode);
1045 int can_gen_totp_code(struct openconnect_info *vpninfo,
1046 struct oc_auth_form *form,
1047 struct oc_form_opt *opt);
1048 int can_gen_hotp_code(struct openconnect_info *vpninfo,
1049 struct oc_auth_form *form,
1050 struct oc_form_opt *opt);
1051 int do_gen_totp_code(struct openconnect_info *vpninfo,
1052 struct oc_auth_form *form,
1053 struct oc_form_opt *opt);
1054 int do_gen_hotp_code(struct openconnect_info *vpninfo,
1055 struct oc_auth_form *form,
1056 struct oc_form_opt *opt);
1057
1058 int set_oidc_token(struct openconnect_info *vpninfo,
1059 const char *token_str);
1060
1061 /* stoken.c */
1062 int prepare_stoken(struct openconnect_info *vpninfo);
1063 int set_libstoken_mode(struct openconnect_info *vpninfo, const char *token_str);
1064 int can_gen_stoken_code(struct openconnect_info *vpninfo,
1065 struct oc_auth_form *form,
1066 struct oc_form_opt *opt);
1067 int do_gen_stoken_code(struct openconnect_info *vpninfo,
1068 struct oc_auth_form *form,
1069 struct oc_form_opt *opt);
1070
1071 /* yubikey.c */
1072 int set_yubikey_mode(struct openconnect_info *vpninfo, const char *token_str);
1073 int can_gen_yubikey_code(struct openconnect_info *vpninfo,
1074 struct oc_auth_form *form,
1075 struct oc_form_opt *opt);
1076 int do_gen_yubikey_code(struct openconnect_info *vpninfo,
1077 struct oc_auth_form *form,
1078 struct oc_form_opt *opt);
1079 void release_pcsc_ctx(struct openconnect_info *info);
1080
1081 /* auth.c */
1082 int cstp_obtain_cookie(struct openconnect_info *vpninfo);
1083 int set_csd_user(struct openconnect_info *vpninfo);
1084
1085 /* auth-common.c */
1086 int xmlnode_is_named(xmlNode *xml_node, const char *name);
1087 int xmlnode_get_val(xmlNode *xml_node, const char *name, char **var);
1088 int xmlnode_get_prop(xmlNode *xml_node, const char *name, char **var);
1089 int xmlnode_match_prop(xmlNode *xml_node, const char *name, const char *match);
1090 int append_opt(struct oc_text_buf *body, const char *opt, const char *name);
1091 int append_form_opts(struct openconnect_info *vpninfo,
1092 struct oc_auth_form *form, struct oc_text_buf *body);
1093 void clear_mem(void *p, size_t s);
1094 void free_pass(char **p);
1095 void free_opt(struct oc_form_opt *opt);
1096 void free_auth_form(struct oc_auth_form *form);
1097 int do_gen_tokencode(struct openconnect_info *vpninfo,
1098 struct oc_auth_form *form);
1099 int can_gen_tokencode(struct openconnect_info *vpninfo,
1100 struct oc_auth_form *form,
1101 struct oc_form_opt *opt);
1102
1103 /* http.c */
1104 struct oc_text_buf *buf_alloc(void);
1105 void dump_buf(struct openconnect_info *vpninfo, char prefix, char *buf);
1106 void dump_buf_hex(struct openconnect_info *vpninfo, int loglevel, char prefix, unsigned char *buf, int len);
1107 int buf_ensure_space(struct oc_text_buf *buf, int len);
1108 void __attribute__ ((format (printf, 2, 3)))
1109 buf_append(struct oc_text_buf *buf, const char *fmt, ...);
1110 void buf_append_bytes(struct oc_text_buf *buf, const void *bytes, int len);
1111 void buf_append_hex(struct oc_text_buf *buf, const void *str, unsigned len);
1112 int buf_append_utf16le(struct oc_text_buf *buf, const char *utf8);
1113 int get_utf8char(const char **utf8);
1114 void buf_append_from_utf16le(struct oc_text_buf *buf, const void *utf16);
1115 void buf_truncate(struct oc_text_buf *buf);
1116 void buf_append_urlencoded(struct oc_text_buf *buf, const char *str);
1117 void buf_append_xmlescaped(struct oc_text_buf *buf, const char *str);
1118 int buf_error(struct oc_text_buf *buf);
1119 int buf_free(struct oc_text_buf *buf);
1120 char *openconnect_create_useragent(const char *base);
1121 int process_proxy(struct openconnect_info *vpninfo, int ssl_sock);
1122 int internal_parse_url(const char *url, char **res_proto, char **res_host,
1123 int *res_port, char **res_path, int default_port);
1124 int do_https_request(struct openconnect_info *vpninfo, const char *method,
1125 const char *request_body_type, struct oc_text_buf *request_body,
1126 char **form_buf, int fetch_redirect);
1127 int http_add_cookie(struct openconnect_info *vpninfo, const char *option,
1128 const char *value, int replace);
1129 int process_http_response(struct openconnect_info *vpninfo, int connect,
1130 int (*header_cb)(struct openconnect_info *, char *, char *),
1131 struct oc_text_buf *body);
1132 int handle_redirect(struct openconnect_info *vpninfo);
1133 void http_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
1134
1135 /* http-auth.c */
1136 void buf_append_base64(struct oc_text_buf *buf, const void *bytes, int len);
1137 void *openconnect_base64_decode(int *len, const char *in);
1138 void clear_auth_states(struct openconnect_info *vpninfo,
1139 struct http_auth_state *auth_states, int reset);
1140 int proxy_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val);
1141 int http_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val);
1142 int gen_authorization_hdr(struct openconnect_info *vpninfo, int proxy,
1143 struct oc_text_buf *buf);
1144 /* ntlm.c */
1145 int ntlm_authorization(struct openconnect_info *vpninfo, int proxy, struct http_auth_state *auth_state, struct oc_text_buf *buf);
1146 void cleanup_ntlm_auth(struct openconnect_info *vpninfo, struct http_auth_state *auth_state);
1147
1148 /* gssapi.c */
1149 int gssapi_authorization(struct openconnect_info *vpninfo, int proxy, struct http_auth_state *auth_state, struct oc_text_buf *buf);
1150 void cleanup_gssapi_auth(struct openconnect_info *vpninfo, struct http_auth_state *auth_state);
1151 int socks_gssapi_auth(struct openconnect_info *vpninfo);
1152
1153 /* digest.c */
1154 int digest_authorization(struct openconnect_info *vpninfo, int proxy, struct http_auth_state *auth_state, struct oc_text_buf *buf);
1155
1156 /* library.c */
1157 void nuke_opt_values(struct oc_form_opt *opt);
1158 void free_optlist(struct oc_vpn_option *opt);
1159 int process_auth_form(struct openconnect_info *vpninfo, struct oc_auth_form *form);
1160 /* This is private for now since we haven't yet worked out what the API will be */
1161 void openconnect_set_juniper(struct openconnect_info *vpninfo);
1162
1163 /* version.c */
1164 extern const char *openconnect_version_str;
1165
1166 /* strncasecmp() just checks that the first n characters match. This
1167 function ensures that the first n characters of the left-hand side
1168 are a *precise* match for the right-hand side. */
strprefix_match(const char * str,int len,const char * match)1169 static inline int strprefix_match(const char *str, int len, const char *match)
1170 {
1171 return len == strlen(match) && !strncasecmp(str, match, len);
1172 }
1173
1174 #define STRDUP(res, arg) \
1175 if (res != arg) { \
1176 free(res); \
1177 if (arg) { \
1178 res = strdup(arg); \
1179 if (res == NULL) return -ENOMEM; \
1180 } else res = NULL; \
1181 } while(0)
1182
1183 #define UTF8CHECK(arg) \
1184 if ((arg) && buf_append_utf16le(NULL, (arg))) { \
1185 vpn_progress(vpninfo, PRG_ERR, \
1186 _("ERROR: %s() called with invalid UTF-8 for '%s' argument\n"),\
1187 __func__, #arg); \
1188 return -EILSEQ; \
1189 }
1190
1191 #define UTF8CHECK_VOID(arg) \
1192 if ((arg) && buf_append_utf16le(NULL, (arg))) { \
1193 vpn_progress(vpninfo, PRG_ERR, \
1194 _("ERROR: %s() called with invalid UTF-8 for '%s' argument\n"),\
1195 __func__, #arg); \
1196 return; \
1197 }
1198
1199 /* Let's stop open-coding big-endian and little-endian loads/stores.
1200 *
1201 * Start with a packed structure so that we can let the compiler
1202 * decide whether the target CPU can cope with unaligned load/stores
1203 * or not. Then there are three cases to handle:
1204 * - For big-endian loads/stores, just use htons() et al.
1205 * - For little-endian when we *know* the CPU is LE, just load/store
1206 * - For little-endian otherwise, do the data acess byte-wise
1207 */
1208 struct oc_packed_uint32_t {
1209 uint32_t d;
1210 } __attribute__((packed));
1211 struct oc_packed_uint16_t {
1212 uint16_t d;
1213 } __attribute__((packed));
1214
load_be32(const void * _p)1215 static inline uint32_t load_be32(const void *_p)
1216 {
1217 const struct oc_packed_uint32_t *p = _p;
1218 return ntohl(p->d);
1219 }
1220
load_be16(const void * _p)1221 static inline uint16_t load_be16(const void *_p)
1222 {
1223 const struct oc_packed_uint16_t *p = _p;
1224 return ntohs(p->d);
1225 }
1226
store_be32(void * _p,uint32_t d)1227 static inline void store_be32(void *_p, uint32_t d)
1228 {
1229 struct oc_packed_uint32_t *p = _p;
1230 p->d = htonl(d);
1231 }
1232
store_be16(void * _p,uint16_t d)1233 static inline void store_be16(void *_p, uint16_t d)
1234 {
1235 struct oc_packed_uint16_t *p = _p;
1236 p->d = htons(d);
1237 }
1238
1239 /* It doesn't matter if we don't find one. It'll default to the
1240 * "not known to be little-endian" case, and do the bytewise
1241 * load/store. Modern compilers might even spot the pattern and
1242 * optimise it (see GCC PR#55177 around comment 15). */
1243 #ifdef ENDIAN_HDR
1244 #include ENDIAN_HDR
1245 #endif
1246
1247 #if defined(_WIN32) || \
1248 (defined(_LITTLE_ENDIAN) && !defined(_BIG_ENDIAN)) /* Solaris */ || \
1249 (defined(__LITTLE_ENDIAN) && defined(__BIG_ENDIAN) && defined(__BYTE_ORDER) \
1250 && __BYTE_ORDER == __LITTLE_ENDIAN) /* Linux */ || \
1251 (defined(LITTLE_ENDIAN) && defined(BIG_ENDIAN) && defined(BYTE_ORDER) \
1252 && BYTE_ORDER == LITTLE_ENDIAN) /* *BSD */
load_le32(const void * _p)1253 static inline uint32_t load_le32(const void *_p)
1254 {
1255 const struct oc_packed_uint32_t *p = _p;
1256 return p->d;
1257 }
1258
load_le16(const void * _p)1259 static inline uint16_t load_le16(const void *_p)
1260 {
1261 const struct oc_packed_uint16_t *p = _p;
1262 return p->d;
1263 }
1264
store_le32(void * _p,uint32_t d)1265 static inline void store_le32(void *_p, uint32_t d)
1266 {
1267 struct oc_packed_uint32_t *p = _p;
1268 p->d = d;
1269 }
1270
store_le16(void * _p,uint16_t d)1271 static inline void store_le16(void *_p, uint16_t d)
1272 {
1273 struct oc_packed_uint16_t *p = _p;
1274 p->d = d;
1275 }
1276 #else
load_le32(const void * _p)1277 static inline uint32_t load_le32(const void *_p)
1278 {
1279 const unsigned char *p = _p;
1280 return p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24);
1281 }
1282
load_le16(const void * _p)1283 static inline uint16_t load_le16(const void *_p)
1284 {
1285 const unsigned char *p = _p;
1286 return p[0] | (p[1] << 8);
1287 }
1288
store_le32(void * _p,uint32_t d)1289 static inline void store_le32(void *_p, uint32_t d)
1290 {
1291 unsigned char *p = _p;
1292 p[0] = d;
1293 p[1] = d >> 8;
1294 }
1295
store_le16(void * _p,uint16_t d)1296 static inline void store_le16(void *_p, uint16_t d)
1297 {
1298 unsigned char *p = _p;
1299 p[0] = d;
1300 p[1] = d >> 8;
1301 p[2] = d >> 16;
1302 p[3] = d >> 24;
1303 }
1304 #endif /* !Not known to be little-endian */
1305
1306 #endif /* __OPENCONNECT_INTERNAL_H__ */
1307