/*
 * Copyright (C) 2013-2017 Nikos Mavrogiannopoulos
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of ocserv.
 *
 * ocserv is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with this program. If not, see <http://www.gnu.org/licenses/>
 */
21 #ifndef VPN_H
22 #define VPN_H
23
24 #include <config.h>
25 #include <gnutls/gnutls.h>
26 #include <http_parser.h>
27 #include <ccan/htable/htable.h>
28 #include <ccan/list/list.h>
29 #include <sys/types.h>
30 #include <sys/socket.h>
31 #include <unistd.h>
32 #include <net/if.h>
33 #include <netinet/in.h>
34 #include <minmax.h>
35 #include <auth/common.h>
36
37 #include <ipc.pb-c.h>
38
/* Compiler attribute helpers.
 * _ATTR_PACKED expands to GCC's packed attribute on GCC >= 3.0 and to
 * nothing on other compilers, so a struct declared with it is only
 * packed where the attribute is supported.
 * NOTE(review): identifiers beginning with '_' followed by an upper-case
 * letter are reserved for the implementation; these two names are part
 * of the header's interface and are therefore left as they are. */
#ifdef __GNUC__
# define _OCSERV_GCC_VERSION (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
# if _OCSERV_GCC_VERSION >= 30000
# define _ATTR_PACKED __attribute__ ((__packed__))
# endif
#endif /* __GNUC__ */

#ifndef _ATTR_PACKED
# define _ATTR_PACKED
#endif
49
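/* Upper bound on a single message, in bytes.  The value is parenthesised
 * so the macro is safe inside a larger expression: without parentheses
 * `x % MAX_MSG_SIZE` would expand to `x % 16 * 1024`. */
#define MAX_MSG_SIZE (16*1024)
/* Identifier for the PSK-based DTLS negotiation (see cfg_st.dtls_psk). */
#define DTLS_PROTO_INDICATOR "PSK-NEGOTIATE"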
52
53
/* Transport of a listening or connected socket. */
typedef enum {
	SOCK_TYPE_TCP,
	SOCK_TYPE_UDP,
	SOCK_TYPE_UNIX /* local (AF_UNIX) socket, e.g. for control/IPC — confirm */
} sock_type_t;
59
/* Payload compression method negotiated for a session.
 * OC_COMP_NULL is explicitly 0 so a zero-initialised value means
 * "no compression". */
typedef enum {
	OC_COMP_NULL = 0,
	OC_COMP_LZ4,
	OC_COMP_LZS,
} comp_type_t;
65
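/* Protocols understood by the firewall (fw) port rules.  PROTO_MAX is a
 * sentinel, not a protocol; proto_to_str() below sizes its name table
 * with it so the enum and the table cannot silently drift apart. */
typedef enum fw_proto_t {
	PROTO_UDP,
	PROTO_TCP,
	PROTO_SCTP,
	PROTO_ESP,
	PROTO_ICMP,
	PROTO_ICMPv6,

	/* keep proto_to_str() below in sync if anything is added */
	PROTO_MAX
} fw_proto_t;


/**
 * proto_to_str - map a fw_proto_t value to its lower-case name
 * @proto: protocol value; may originate from configuration or other
 *         external data, so it is range-checked here
 *
 * Returns a pointer to a static string ("udp", "tcp", "sctp", "esp",
 * "icmp", "icmpv6"), or "unknown" for any value outside [0, PROTO_MAX)
 * and for an enumerator that has no table entry yet.  The result is
 * never NULL and must not be freed.
 */
inline static const char *proto_to_str(fw_proto_t proto)
{
	/* Designated initialisers keyed by the enumerators and an array
	 * bound of PROTO_MAX: a new enumerator added without a name leaves
	 * a NULL slot (reported as "unknown") instead of an out-of-bounds
	 * read.  'static const' so the table is built once, not per call. */
	static const char *const proto2str[PROTO_MAX] = {
		[PROTO_UDP] = "udp",
		[PROTO_TCP] = "tcp",
		[PROTO_SCTP] = "sctp",
		[PROTO_ESP] = "esp",
		[PROTO_ICMP] = "icmp",
		[PROTO_ICMPv6] = "icmpv6"
	};

	/* the (int) cast keeps the lower-bound test meaningful whether or
	 * not the compiler chose an unsigned underlying type for the enum */
	if ((int)proto < 0 || proto >= PROTO_MAX || !proto2str[proto])
		return "unknown";
	return proto2str[proto];
}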
94
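/* Banning works with a point system. A wrong password
 * attempt gives you PASSWORD_POINTS, and you are banned
 * when the maximum ban score is reached.
 */
#define DEFAULT_PASSWORD_POINTS 10
#define DEFAULT_CONNECT_POINTS 1
#define DEFAULT_KKDCP_POINTS 1
/* MAX_PASSWORD_TRIES is not defined in this header; it is resolved at
 * the point where DEFAULT_MAX_BAN_SCORE is expanded. */
#define DEFAULT_MAX_BAN_SCORE (MAX_PASSWORD_TRIES*DEFAULT_PASSWORD_POINTS)
#define DEFAULT_BAN_RESET_TIME 300 /* seconds until a ban score is reset */

/* Payloads smaller than this many bytes are never compressed. */
#define MIN_NO_COMPRESS_LIMIT 64
#define DEFAULT_NO_COMPRESS_LIMIT 256

/* The time after which a user will be forced to authenticate
 * or disconnect. */
#define DEFAULT_AUTH_TIMEOUT_SECS 1800

/* The time after a disconnection the cookie is valid */
#define DEFAULT_COOKIE_RECON_TIMEOUT 120


/* Default dead-peer-detection interval, in seconds. */
#define DEFAULT_DPD_TIME 600

/* Packet-type codes of the tunnel protocol. */
#define AC_PKT_DATA 0 /* Uncompressed data */
#define AC_PKT_DPD_OUT 3 /* Dead Peer Detection */
#define AC_PKT_DPD_RESP 4 /* DPD response */
#define AC_PKT_DISCONN 5 /* Client disconnection notice */
#define AC_PKT_KEEPALIVE 7 /* Keepalive */
#define AC_PKT_COMPRESSED 8 /* Compressed data */
#define AC_PKT_TERM_SERVER 9 /* Server kick */

/* Values of cfg_st.rekey_method. */
#define REKEY_METHOD_SSL 1
#define REKEY_METHOD_NEW_TUNNEL 2

extern int syslog_open;

/* Authentication method bits.  The first is generic, for the methods
 * that require a username and password: those methods OR it into their
 * own value.  The shifts are parenthesised so the composite values do
 * not rely on the reader remembering that '<<' binds tighter than '|'. */
#define AUTH_TYPE_USERNAME_PASS (1<<0)
#define AUTH_TYPE_PAM ((1<<1) | AUTH_TYPE_USERNAME_PASS)
#define AUTH_TYPE_PLAIN ((1<<2) | AUTH_TYPE_USERNAME_PASS)
#define AUTH_TYPE_CERTIFICATE (1<<3)
#define AUTH_TYPE_RADIUS ((1<<5) | AUTH_TYPE_USERNAME_PASS)
#define AUTH_TYPE_GSSAPI (1<<6)
#define AUTH_TYPE_OIDC (1<<7)

/* Every concrete method, with the virtual username/password bit masked out. */
#define ALL_AUTH_TYPES ((AUTH_TYPE_PAM|AUTH_TYPE_PLAIN|AUTH_TYPE_CERTIFICATE|AUTH_TYPE_RADIUS|AUTH_TYPE_GSSAPI|AUTH_TYPE_OIDC) & (~AUTH_TYPE_USERNAME_PASS))
#define VIRTUAL_AUTH_TYPES (AUTH_TYPE_USERNAME_PASS)
/* Methods whose user name is treated as confidential. */
#define CONFIDENTIAL_USER_NAME_AUTH_TYPES (AUTH_TYPE_GSSAPI | AUTH_TYPE_OIDC)

/* Accounting back-end bits. */
#define ACCT_TYPE_PAM (1<<1)
#define ACCT_TYPE_RADIUS (1<<2)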
146
147 #include "defs.h"
148
/* Allow a few seconds prior to cleaning up entries, to avoid any race
 * conditions when session control is enabled, as well as to allow
 * anyconnect clients to reconnect (they often drop the connection and
 * re-establish using the same cookie).
 */
#define AUTH_SLACK_TIME 15


/* Buffer bound for a cipher suite name (bytes). */
#define MAX_CIPHERSUITE_NAME 64
/* Session identifier length in bytes. */
#define SID_SIZE 32
159
160
/* Per-tunnel network parameters: the interface, the addresses assigned
 * on each side, and the route/DNS lists.  Each *_size member gives the
 * number of entries in the array declared just before it. */
struct vpn_st {
	char name[IFNAMSIZ]; /* tun interface name; IFNAMSIZ includes the terminator */
	char *ipv4_netmask;
	char *ipv4_network;
	char *ipv4; /* IPv4 address assigned to the peer */
	char *ipv4_local; /* local IPv4 address */
	char *ipv6_network;
	unsigned ipv6_prefix;

	char *ipv6; /* IPv6 address assigned to the peer */
	char *ipv6_local; /* local IPv6 address */
	unsigned int mtu;
	unsigned int ipv6_subnet_prefix; /* ipv6 subnet prefix to assign */

	/* routes pushed to the client */
	char **routes;
	size_t routes_size;

	/* excluded routes */
	char **no_routes;
	size_t no_routes_size;

	/* DNS servers */
	char **dns;
	size_t dns_size;

	/* NetBIOS name servers */
	char **nbns;
	size_t nbns_size;
};
188
/* Array bounds for perm_cfg_st.auth and kkdcp_st.realms respectively. */
#define MAX_AUTH_METHODS 4
#define MAX_KRB_REALMS 16
191
/* One configured authentication method (see perm_cfg_st.auth). */
typedef struct auth_struct_st {
	char *name;
	char *additional; /* method-specific extra configuration string */
	unsigned type; /* AUTH_TYPE_* bits */
	const struct auth_mod_st *amod; /* backend module implementing the method */
	void *auth_ctx; /* opaque state owned by the backend */
	void *dl_ctx; /* presumably a dynamic-loader handle — confirm */

	bool enabled;
} auth_struct_st;
202
/* The configured accounting back-end (see perm_cfg_st.acct). */
typedef struct acct_struct_st {
	const char *name;
	char *additional; /* back-end specific extra configuration string */
	void *acct_ctx; /* opaque state owned by the back-end */
	const struct acct_mod_st *amod; /* module implementing the back-end */
} acct_struct_st;
209
/* A Kerberos realm served through the KDC proxy (KKDCP) together with
 * the resolved address of its KDC.  The ai_* members mirror the
 * struct addrinfo fields of the same name (presumably filled from
 * getaddrinfo() — confirm). */
typedef struct kkdcp_realm_st {
	char *realm;
	struct sockaddr_storage addr;
	socklen_t addr_len; /* bytes of 'addr' that are valid */
	int ai_family;
	int ai_socktype;
	int ai_protocol;
} kkdcp_realm_st;
218
/* One KKDCP endpoint: the URL it is served on and the realms behind it. */
typedef struct kkdcp_st {
	char *url;
	/* the supported realms by this URL; realms_size of them are in use */
	kkdcp_realm_st realms[MAX_KRB_REALMS];
	unsigned realms_size;
} kkdcp_st;
225
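/* Reloadable server configuration: the settings that may change on a
 * configuration reload (perm_cfg_st.config points at the live instance,
 * perm_cfg_st holds what does not change).  Holders of pointers into
 * this struct are counted in 'usage_count', see the end of the struct. */
struct cfg_st {
	unsigned int is_dyndns;
	unsigned int listen_proxy_proto;
	unsigned int stats_report_time;

	/* Kerberos KDC proxy endpoints; kkdcp_size entries */
	kkdcp_st *kkdcp;
	unsigned int kkdcp_size;

	char *cert_user_oid; /* The OID that will be used to extract the username */
	char *cert_group_oid; /* The OID that will be used to extract the groupname */


	gnutls_certificate_request_t cert_req; /* whether a client certificate is requested/required */
	char *priorities; /* TLS priority string (presumably GnuTLS syntax) */
#ifdef ENABLE_COMPRESSION
	unsigned enable_compression;
	unsigned no_compress_limit; /* under this size (in bytes) of data there will be no compression */
#endif
	char *banner;
	char *pre_login_banner;
	char *ocsp_response; /* file with the OCSP response */
	char *default_domain; /* domain to be advertised */

	char **group_list; /* select_group */
	unsigned int group_list_size;

	char **friendly_group_list; /* the same size as group_list_size */

	char *default_select_group;

	/* extra HTTP headers sent to clients */
	char **custom_header;
	size_t custom_header_size;

	char **split_dns;
	size_t split_dns_size;

	unsigned int append_routes; /* whether to append global routes to per-user config */
	unsigned restrict_user_to_routes; /* whether the firewall script will be run for the user */
	unsigned deny_roaming; /* whether a cookie is restricted to a single IP */
	time_t cookie_timeout; /* in seconds */
	time_t session_timeout; /* in seconds */
	unsigned persistent_cookies; /* whether cookies stay valid after disconnect */

	time_t rekey_time; /* in seconds */
	unsigned rekey_method; /* REKEY_METHOD_ */

	time_t min_reauth_time; /* after a failed auth, how soon one can reauthenticate -> in seconds */
	unsigned max_ban_score; /* the score allowed before a user is banned (see vpn.h) */
	int ban_reset_time;

	/* points added to a client's ban score per event (see DEFAULT_*_POINTS) */
	unsigned ban_points_wrong_password;
	unsigned ban_points_connect;
	unsigned ban_points_kkdcp;

	/* when using the new PSK DTLS negotiation make sure that
	 * the negotiated DTLS cipher/mac matches the TLS cipher/mac. */
	unsigned match_dtls_and_tls;
	unsigned dtls_psk; /* whether to enable DTLS-PSK */
	unsigned dtls_legacy; /* whether to enable DTLS-LEGACY */

	unsigned isolate; /* whether seccomp should be enabled or not */

	unsigned auth_timeout; /* timeout of HTTP auth */
	unsigned idle_timeout; /* timeout when idle */
	unsigned mobile_idle_timeout; /* timeout when a mobile is idle */
	unsigned switch_to_tcp_timeout; /* length of no traffic period to automatically switch to TCP */
	unsigned keepalive;
	unsigned dpd; /* dead-peer-detection interval */
	unsigned mobile_dpd;
	unsigned max_clients;
	unsigned max_same_clients;
	unsigned use_utmp;
	unsigned tunnel_all_dns;
	unsigned use_occtl; /* whether support for the occtl tool will be enabled */

	unsigned try_mtu; /* MTU discovery enabled */
	unsigned cisco_client_compat; /* do not require client certificate,
	                               * and allow auth to complete in different
	                               * TCP sessions. */
	unsigned rate_limit_ms; /* if non zero force a connection every rate_limit milliseconds if ocserv-sm is heavily loaded */
	unsigned ping_leases; /* non zero if we need to ping prior to leasing */
	unsigned server_drain_ms; /* how long to wait after we stop accepting new connections before closing old connections */

	size_t rx_per_sec;
	size_t tx_per_sec;
	unsigned net_priority;

	char *crl; /* certificate revocation list file */

	unsigned output_buffer;
	unsigned default_mtu;
	unsigned predictable_ips; /* boolean */

	/* external programs the server runs; the paths come from the
	 * configuration file, which is therefore part of the trusted base */
	char *route_add_cmd;
	char *route_del_cmd;

	char *connect_script;
	char *host_update_script;
	char *disconnect_script;

	char *cgroup;
	char *proxy_url;

#ifdef ANYCONNECT_CLIENT_COMPAT
	char *xml_config_file;
	char *xml_config_hash;
#endif

	unsigned client_bypass_protocol;

	/* additional configuration files */
	char *per_group_dir;
	char *per_user_dir;
	char *default_group_conf;
	char *default_user_conf;

	bool gssapi_no_local_user_map;

	/* known iroutes - only sent to the users who are not registering them
	 */
	char **known_iroutes;
	size_t known_iroutes_size;

	/* firewall port rules; n_fw_ports entries */
	FwPortSt **fw_ports;
	size_t n_fw_ports;

	/* the tun network */
	struct vpn_st network;

	/* holds a usage count of holders of pointers in this struct */
	int *usage_count;
};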
358
/* Permanent server configuration: everything that is fixed for the
 * lifetime of the process, plus a pointer to the reloadable cfg_st. */
struct perm_cfg_st {
	/* gets reloaded */
	struct cfg_st *config;

	/* stuff here doesn't change on reload */
	auth_struct_st auth[MAX_AUTH_METHODS];
	unsigned auth_methods; /* entries of 'auth' in use */
	acct_struct_st acct;
	unsigned int sup_config_type; /* one of SUP_CONFIG_ */

	char *chroot_dir; /* where the xml files are served from */
	char* occtl_socket_file;
	char* socket_file_prefix;

	/* presumably the identity the server switches to after start-up — confirm */
	uid_t uid;
	gid_t gid;

	/* PINs are secret material: keep them out of logs and dumps */
	char *key_pin;
	char *srk_pin; /* presumably the TPM storage-root-key PIN — confirm */

	/* files the PINs may be read from instead */
	char *pin_file;
	char *srk_pin_file;
	/* server certificate and key files; cert_size / key_size entries */
	char **cert;
	size_t cert_size;
	char **key;
	size_t key_size;
#ifdef ANYCONNECT_CLIENT_COMPAT
	char *cert_hash;
#endif
	unsigned int stats_reset_time;
	unsigned foreground;
	unsigned no_chdir;
	unsigned debug;
	unsigned pr_dumpable; /* presumably whether the process stays dumpable (core/ptrace) — confirm */

	char *ca;
	char *dh_params_file;

	char *listen_host;
	char *udp_listen_host;
	char *listen_netns_name; /* network namespace to listen in */
	unsigned int port;
	unsigned int udp_port;

	unsigned int sec_mod_scale;

	/* for testing ocserv only */
	unsigned debug_no_secmod_stats;

	/* attic, where old config allocated values are stored */
	struct list_head attic;
};
411
/* An entry of perm_cfg_st.attic: a retired configuration whose
 * usage_count (see cfg_st.usage_count) has not yet dropped to zero. */
typedef struct attic_entry_st {
	struct list_node list;
	int *usage_count;
} attic_entry_st;
416
417
/* Forward declarations so prototypes can take pointers to these types
 * without this header pulling in their definitions. */
struct worker_st;
struct main_server_st;
struct dtls_st;

/* Fixed upper bounds for fixed-size buffers (bytes).  Code that copies
 * externally supplied data into such a buffer must check the length
 * against the corresponding bound first. */
#define MAX_BANNER_SIZE 256
#define MAX_USERNAME_SIZE 64
#define MAX_AGENT_NAME 64
#define MAX_DEVICE_TYPE 64
#define MAX_DEVICE_PLATFORM 64
#define MAX_PASSWORD_SIZE 64
#define TLS_MASTER_SIZE 48
#define MAX_HOSTNAME_SIZE MAX_USERNAME_SIZE
#define MAX_GROUPNAME_SIZE MAX_USERNAME_SIZE
#define MAX_SESSION_DATA_SIZE (4*1024)

/* Latency measurement parameters; only compiled in with CAPTURE_LATENCY_SUPPORT. */
#if defined(CAPTURE_LATENCY_SUPPORT)
#define LATENCY_SAMPLE_SIZE 1024
#define LATENCY_WORKER_AGGREGATION_TIME 60 /* seconds */
#endif

#define DEFAULT_CONFIG_ENTRIES 96
440
441 #include <tun.h>
442
443 unsigned extract_prefix(char *network);
444
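/* Type-of-service helpers.  Every use of the argument is parenthesised
 * so a compound argument such as TOS_UNPACK(a|b) groups as intended;
 * the original `x>>4` would have expanded to `a|b>>4`. */
#define TOS_PACK(x) ((x)<<4)
#define TOS_UNPACK(x) ((x)>>4)
#define IS_TOS(x) (((x)&0x0f)==0)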
449
/* Helper structures */
/* Kinds of values a configuration option can hold. */
enum option_types { OPTION_NUMERIC, OPTION_STRING, OPTION_BOOLEAN, OPTION_MULTI_LINE };
452
453 #include <ip-util.h>
454
/* Re-reads the configuration into 'configs' (a list of cfg_st holders),
 * allocating from 'pool'; 'sec_mod' selects the security-module variant
 * of the load — confirm its exact meaning at the definition. */
void reload_cfg_file(void *pool, struct list_head *configs, unsigned sec_mod);
/* Releases configurations in 'configs' that are no longer referenced. */
void clear_old_configs(struct list_head *configs);
void write_pid_file(void);
void remove_pid_file(void);

/* Enables the compression method named by 'modstring'; the return value's
 * meaning is not visible here — check the definition. */
unsigned switch_comp_priority(void *pool, const char *modstring);

/* Signal mask restored for child processes / normal operation — confirm. */
extern sigset_t sig_default_set;
463
464 #endif
465