1 /*
2 * OpenConnect (SSL + DTLS) VPN client
3 *
4 * Copyright © 2016-2017 Daniel Lenski
5 *
6 * Author: Daniel Lenski <dlenski@gmail.com>
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1, as published by the Free Software Foundation.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 */
17
18 #include <config.h>
19
20 #include <unistd.h>
21 #include <fcntl.h>
22 #include <time.h>
23 #include <string.h>
24 #include <ctype.h>
25 #include <errno.h>
26 #include <stdlib.h>
27 #include <stdio.h>
28 #include <sys/types.h>
29 #ifndef _WIN32
30 #include <sys/wait.h>
31 #endif
32 #include <stdarg.h>
33 #ifdef HAVE_LZ4
34 #include <lz4.h>
35 #endif
36
37 #ifdef _WIN32
38 #include "win32-ipicmp.h"
39 #else
40 /* The BSDs require the first two headers before netinet/ip.h
41 * (Linux and macOS already #include them within netinet/ip.h)
42 */
43 #include <sys/types.h>
44 #include <netinet/in_systm.h>
45 #include <netinet/in.h>
46 #include <netinet/ip.h>
47 #include <netinet/ip_icmp.h>
48 #endif
49
50 #if defined(__linux__)
51 /* For TCP_INFO */
52 # include <linux/tcp.h>
53 #endif
54
55 #include <assert.h>
56
57 #include "openconnect-internal.h"
58
59 /*
60 * Data packets are encapsulated in the SSL stream as follows:
61 *
62 * 0000: Magic "\x1a\x2b\x3c\x4d"
63 * 0004: Big-endian EtherType (0x0800 for IPv4)
64 * 0006: Big-endian 16-bit length (not including 16-byte header)
65 * 0008: Always "\x01\0\0\0\0\0\0\0"
66 * 0010: data payload
67 */
68
69 /* Strange initialisers here to work around GCC PR#10676 (which was
70 * fixed in GCC 4.6 but it takes a while for some systems to catch
71 * up. */
72 static const struct pkt dpd_pkt = {
73 .next = NULL,
74 { .gpst.hdr = { 0x1a, 0x2b, 0x3c, 0x4d } }
75 };
76
77 /* We behave like CSTP — create a linked list in vpninfo->cstp_options
78 * with the strings containing the information we got from the server,
79 * and oc_ip_info contains const copies of those pointers.
80 *
81 * (unlike version in oncp.c, val is stolen rather than strdup'ed) */
82
add_option(struct openconnect_info * vpninfo,const char * opt,char ** val)83 static const char *add_option(struct openconnect_info *vpninfo, const char *opt, char **val)
84 {
85 struct oc_vpn_option *new = malloc(sizeof(*new));
86 if (!new)
87 return NULL;
88
89 new->option = strdup(opt);
90 if (!new->option) {
91 free(new);
92 return NULL;
93 }
94 new->value = *val;
95 *val = NULL;
96 new->next = vpninfo->cstp_options;
97 vpninfo->cstp_options = new;
98
99 return new->value;
100 }
101
filter_opts(struct oc_text_buf * buf,const char * query,const char * incexc,int include)102 static int filter_opts(struct oc_text_buf *buf, const char *query, const char *incexc, int include)
103 {
104 const char *f, *endf, *eq;
105 const char *found, *comma;
106
107 for (f = query; *f; f=(*endf) ? endf+1 : endf) {
108 endf = strchr(f, '&') ? : f+strlen(f);
109 eq = strchr(f, '=');
110 if (!eq || eq > endf)
111 eq = endf;
112
113 for (found = incexc; *found; found=(*comma) ? comma+1 : comma) {
114 comma = strchr(found, ',') ? : found+strlen(found);
115 if (!strncmp(found, f, MAX(comma-found, eq-f)))
116 break;
117 }
118
119 if ((include && *found) || (!include && !*found)) {
120 if (buf->pos && buf->data[buf->pos-1] != '?' && buf->data[buf->pos-1] != '&')
121 buf_append(buf, "&");
122 buf_append_bytes(buf, f, (int)(endf-f));
123 }
124 }
125 return buf_error(buf);
126 }
127
128 /* Parse this JavaScript-y mess:
129
130 "var respStatus = \"Challenge|Error\";\n"
131 "var respMsg = \"<prompt>\";\n"
132 "thisForm.inputStr.value = "<inputStr>";\n"
133 */
parse_javascript(char * buf,char ** prompt,char ** inputStr)134 static int parse_javascript(char *buf, char **prompt, char **inputStr)
135 {
136 const char *start, *end = buf;
137 int status;
138
139 const char *pre_status = "var respStatus = \"",
140 *pre_prompt = "var respMsg = \"",
141 *pre_inputStr = "thisForm.inputStr.value = \"";
142
143 /* Status */
144 while (isspace(*end))
145 end++;
146 if (strncmp(end, pre_status, strlen(pre_status)))
147 goto err;
148
149 start = end+strlen(pre_status);
150 end = strchr(start, '\n');
151 if (!end || end[-1] != ';' || end[-2] != '"')
152 goto err;
153
154 if (!strncmp(start, "Challenge", 8)) status = 0;
155 else if (!strncmp(start, "Error", 5)) status = 1;
156 else goto err;
157
158 /* Prompt */
159 while (isspace(*end))
160 end++;
161 if (strncmp(end, pre_prompt, strlen(pre_prompt)))
162 goto err;
163
164 start = end+strlen(pre_prompt);
165 end = strchr(start, '\n');
166 if (!end || end[-1] != ';' || end[-2] != '"' || (end<start+2))
167 goto err;
168
169 if (prompt)
170 *prompt = strndup(start, end-start-2);
171
172 /* inputStr */
173 while (isspace(*end))
174 end++;
175 if (strncmp(end, pre_inputStr, strlen(pre_inputStr)))
176 goto err2;
177
178 start = end+strlen(pre_inputStr);
179 end = strchr(start, '\n');
180 if (!end || end[-1] != ';' || end[-2] != '"' || (end<start+2))
181 goto err2;
182
183 if (inputStr)
184 *inputStr = strndup(start, end-start-2);
185
186 while (isspace(*end))
187 end++;
188 if (*end != '\0')
189 goto err3;
190
191 return status;
192
193 err3:
194 if (inputStr) free(*inputStr);
195 err2:
196 if (prompt) free(*prompt);
197 err:
198 return -EINVAL;
199 }
200
gpst_xml_or_error(struct openconnect_info * vpninfo,char * response,int (* xml_cb)(struct openconnect_info *,xmlNode * xml_node,void * cb_data),int (* challenge_cb)(struct openconnect_info *,char * prompt,char * inputStr,void * cb_data),void * cb_data)201 int gpst_xml_or_error(struct openconnect_info *vpninfo, char *response,
202 int (*xml_cb)(struct openconnect_info *, xmlNode *xml_node, void *cb_data),
203 int (*challenge_cb)(struct openconnect_info *, char *prompt, char *inputStr, void *cb_data),
204 void *cb_data)
205 {
206 xmlDocPtr xml_doc;
207 xmlNode *xml_node;
208 char *err = NULL;
209 char *prompt = NULL, *inputStr = NULL;
210 int result = -EINVAL;
211
212 if (!response) {
213 vpn_progress(vpninfo, PRG_ERR,
214 _("Empty response from server\n"));
215 return -EINVAL;
216 }
217
218 /* is it XML? */
219 xml_doc = xmlReadMemory(response, strlen(response), "noname.xml", NULL,
220 XML_PARSE_NOERROR);
221 if (!xml_doc) {
222 /* is it Javascript? */
223 result = parse_javascript(response, &prompt, &inputStr);
224 switch (result) {
225 case 1:
226 vpn_progress(vpninfo, PRG_ERR, _("%s\n"), prompt);
227 break;
228 case 0:
229 vpn_progress(vpninfo, PRG_INFO, _("Challenge: %s\n"), prompt);
230 result = challenge_cb ? challenge_cb(vpninfo, prompt, inputStr, cb_data) : -EINVAL;
231 break;
232 default:
233 goto bad_xml;
234 }
235 free(prompt);
236 free(inputStr);
237 goto bad_xml;
238 }
239
240 xml_node = xmlDocGetRootElement(xml_doc);
241
242 /* is it <response status="error"><error>..</error></response> ? */
243 if (xmlnode_is_named(xml_node, "response")
244 && !xmlnode_match_prop(xml_node, "status", "error")) {
245 for (xml_node=xml_node->children; xml_node; xml_node=xml_node->next) {
246 if (!xmlnode_get_val(xml_node, "error", &err))
247 goto out;
248 }
249 goto bad_xml;
250 }
251
252 /* Is it <prelogin-response><status>Error</status><msg>..</msg></prelogin-response> ? */
253 if (xmlnode_is_named(xml_node, "prelogin-response")) {
254 char *s = NULL;
255 int has_err = 0;
256 xmlNode *x;
257 for (x=xml_node->children; x; x=x->next) {
258 if (!xmlnode_get_val(x, "status", &s))
259 has_err = strcmp(s, "Success");
260 else
261 xmlnode_get_val(x, "msg", &err);
262 }
263 free(s);
264 if (has_err)
265 goto out;
266 free(err);
267 err = NULL;
268 }
269
270 /* is it <challenge><user>user.name</user><inputstr>...</inputstr><respmsg>...</respmsg></challenge> */
271 if (xmlnode_is_named(xml_node, "challenge")) {
272 for (xml_node=xml_node->children; xml_node; xml_node=xml_node->next) {
273 xmlnode_get_val(xml_node, "inputstr", &inputStr);
274 xmlnode_get_val(xml_node, "respmsg", &prompt);
275 /* XXX: override the username passed to the next form from <user> ? */
276 }
277 result = challenge_cb ? challenge_cb(vpninfo, prompt, inputStr, cb_data) : -EINVAL;
278 free(prompt);
279 free(inputStr);
280 goto bad_xml;
281 }
282
283 /* if it's XML, invoke callback (or default to success) */
284 result = xml_cb ? xml_cb(vpninfo, xml_node, cb_data) : 0;
285
286 bad_xml:
287 if (result == -EINVAL) {
288 vpn_progress(vpninfo, PRG_ERR,
289 _("Failed to parse server response\n"));
290 vpn_progress(vpninfo, PRG_DEBUG,
291 _("Response was:%s\n"), response);
292 }
293
294 out:
295 if (err) {
296 if (!strcmp(err, "GlobalProtect gateway does not exist")
297 || !strcmp(err, "GlobalProtect portal does not exist")) {
298 vpn_progress(vpninfo, PRG_DEBUG, "%s\n", err);
299 result = -EEXIST;
300 } else if (!strcmp(err, "Invalid authentication cookie") /* equivalent to custom HTTP status 512 */
301 || !strcmp(err, "Valid client certificate is required") /* equivalent to custom HTTP status 513 */
302 || !strcmp(err, "Allow Automatic Restoration of SSL VPN is disabled")) {
303 /* Any of these errors indicates that retrying won't help us reconnect (EPERM signals this to mainloop.) */
304 vpn_progress(vpninfo, PRG_ERR, "%s\n", err);
305 result = -EPERM;
306 } else {
307 vpn_progress(vpninfo, PRG_ERR, "%s\n", err);
308 result = -EINVAL;
309 }
310 free(err);
311 }
312 if (xml_doc)
313 xmlFreeDoc(xml_doc);
314 return result;
315 }
316
317
318 #define ESP_HEADER_SIZE (4 /* SPI */ + 4 /* sequence number */)
319 #define ESP_FOOTER_SIZE (1 /* pad length */ + 1 /* next header */)
320 #define UDP_HEADER_SIZE 8
321 #define TCP_HEADER_SIZE 20 /* with no options */
322 #define IPV4_HEADER_SIZE 20
323 #define IPV6_HEADER_SIZE 40
324
325 /* Based on cstp.c's calculate_mtu().
326 *
327 * With HTTPS tunnel, there are 21 bytes of overhead beyond the
328 * TCP MSS: 5 bytes for TLS and 16 for GPST.
329 */
calculate_mtu(struct openconnect_info * vpninfo,int can_use_esp)330 static int calculate_mtu(struct openconnect_info *vpninfo, int can_use_esp)
331 {
332 int mtu = vpninfo->reqmtu, base_mtu = vpninfo->basemtu;
333 int mss = 0;
334
335 #if defined(__linux__) && defined(TCP_INFO)
336 if (!mtu) {
337 struct tcp_info ti;
338 socklen_t ti_size = sizeof(ti);
339
340 if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_INFO,
341 &ti, &ti_size)) {
342 vpn_progress(vpninfo, PRG_DEBUG,
343 _("TCP_INFO rcv mss %d, snd mss %d, adv mss %d, pmtu %d\n"),
344 ti.tcpi_rcv_mss, ti.tcpi_snd_mss, ti.tcpi_advmss, ti.tcpi_pmtu);
345
346 if (!base_mtu) {
347 base_mtu = ti.tcpi_pmtu;
348 }
349
350 /* XXX: GlobalProtect has no mechanism to inform the server about the
351 * desired MTU, so could just ignore the "incoming" MSS (tcpi_rcv_mss).
352 */
353 mss = MIN(ti.tcpi_rcv_mss, ti.tcpi_snd_mss);
354 }
355 }
356 #endif
357 #ifdef TCP_MAXSEG
358 if (!mtu && !mss) {
359 socklen_t mss_size = sizeof(mss);
360 if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_MAXSEG,
361 &mss, &mss_size)) {
362 vpn_progress(vpninfo, PRG_DEBUG, _("TCP_MAXSEG %d\n"), mss);
363 }
364 }
365 #endif
366 if (!base_mtu) {
367 /* Default */
368 base_mtu = 1406;
369 }
370
371 if (base_mtu < 1280)
372 base_mtu = 1280;
373
374 #ifdef HAVE_ESP
375 /* If we can use the ESP tunnel then we should pick the optimal MTU for ESP. */
376 if (!mtu && can_use_esp) {
377 /* remove ESP, UDP, IP headers from base (wire) MTU */
378 mtu = ( base_mtu - UDP_HEADER_SIZE - ESP_HEADER_SIZE
379 - vpninfo->hmac_out_len
380 - MAX_IV_SIZE);
381 if (vpninfo->peer_addr->sa_family == AF_INET6)
382 mtu -= IPV6_HEADER_SIZE;
383 else
384 mtu -= IPV4_HEADER_SIZE;
385 /* round down to a multiple of blocksize (16 bytes for both AES-128 and AES-256) */
386 mtu -= mtu % 16;
387 /* subtract ESP footer, which is included in the payload before padding to the blocksize */
388 mtu -= ESP_FOOTER_SIZE;
389
390 } else
391 #endif
392
393 /* We are definitely using the TLS tunnel, so we should base our MTU on the TCP MSS. */
394 if (!mtu) {
395 if (mss)
396 mtu = mss - 21;
397 else {
398 mtu = base_mtu - TCP_HEADER_SIZE - 21;
399 if (vpninfo->peer_addr->sa_family == AF_INET6)
400 mtu -= IPV6_HEADER_SIZE;
401 else
402 mtu -= IPV4_HEADER_SIZE;
403 }
404 }
405 return mtu;
406 }
407
408 #ifdef HAVE_ESP
check_hmac_algo(struct openconnect_info * v,const char * s)409 static int check_hmac_algo(struct openconnect_info *v, const char *s)
410 {
411 if (!strcmp(s, "sha1")) return HMAC_SHA1;
412 if (!strcmp(s, "md5")) return HMAC_MD5;
413 if (!strcmp(s, "sha256")) return HMAC_SHA256;
414 vpn_progress(v, PRG_ERR, _("Unknown ESP MAC algorithm: %s"), s);
415 return -ENOENT;
416 }
417
check_enc_algo(struct openconnect_info * v,const char * s)418 static int check_enc_algo(struct openconnect_info *v, const char *s)
419 {
420 if (!strcmp(s, "aes128") || !strcmp(s, "aes-128-cbc")) return ENC_AES_128_CBC;
421 if (!strcmp(s, "aes-256-cbc")) return ENC_AES_256_CBC;
422 vpn_progress(v, PRG_ERR, _("Unknown ESP encryption algorithm: %s"), s);
423 return -ENOENT;
424 }
425
426 /* Reads <KEYTAG/><bits>N</bits><val>hex digits</val></KEYTAG> and saves the
427 * key in dest, returning its length in bytes.
428 */
xml_to_key(xmlNode * xml_node,unsigned char * dest,int dest_size)429 static int xml_to_key(xmlNode *xml_node, unsigned char *dest, int dest_size)
430 {
431 int explen = -1, len = 0;
432 xmlNode *child;
433 char *p, *s = NULL;
434
435 for (child = xml_node->children; child; child=child->next) {
436 if (xmlnode_get_val(child, "bits", &s) == 0) {
437 explen = atoi(s);
438 if (explen & 0x07) goto out;
439 explen >>= 3;
440 } else if (xmlnode_get_val(child, "val", &s) == 0) {
441 for (p=s; p[0] && p[1]; p+=2)
442 if (len++ < dest_size)
443 *dest++ = unhex(p);
444 }
445 }
446 out:
447 free(s);
448 return (len == explen) ? len : -EINVAL;
449 }
450 #endif
451
452 /* Return value:
453 * < 0, on error
454 * = 0, on success; *form is populated
455 */
gpst_parse_config_xml(struct openconnect_info * vpninfo,xmlNode * xml_node,void * cb_data)456 static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_node, void *cb_data)
457 {
458 xmlNode *member;
459 char *s = NULL;
460 int ii;
461
462 if (!xml_node || !xmlnode_is_named(xml_node, "response"))
463 return -EINVAL;
464
465 /* Clear old options which will be overwritten */
466 vpninfo->ip_info.addr = vpninfo->ip_info.netmask = NULL;
467 vpninfo->ip_info.addr6 = vpninfo->ip_info.netmask6 = NULL;
468 vpninfo->ip_info.domain = NULL;
469 vpninfo->ip_info.mtu = 0;
470 vpninfo->esp_magic = inet_addr(vpninfo->ip_info.gateway_addr);
471 vpninfo->esp_replay_protect = 1;
472 vpninfo->ssl_times.rekey_method = REKEY_NONE;
473 vpninfo->cstp_options = NULL;
474
475 for (ii = 0; ii < 3; ii++)
476 vpninfo->ip_info.dns[ii] = vpninfo->ip_info.nbns[ii] = NULL;
477 free_split_routes(vpninfo);
478
479 /* Parse config */
480 for (xml_node = xml_node->children; xml_node; xml_node=xml_node->next) {
481 if (!xmlnode_get_val(xml_node, "ip-address", &s))
482 vpninfo->ip_info.addr = add_option(vpninfo, "ipaddr", &s);
483 else if (!xmlnode_get_val(xml_node, "netmask", &s))
484 vpninfo->ip_info.netmask = add_option(vpninfo, "netmask", &s);
485 else if (!xmlnode_get_val(xml_node, "mtu", &s))
486 vpninfo->ip_info.mtu = atoi(s);
487 else if (!xmlnode_get_val(xml_node, "lifetime", &s))
488 vpn_progress(vpninfo, PRG_INFO, _("Session will expire after %d minutes.\n"), atoi(s)/60);
489 else if (!xmlnode_get_val(xml_node, "disconnect-on-idle", &s)) {
490 int sec = atoi(s);
491 vpn_progress(vpninfo, PRG_INFO, _("Idle timeout is %d minutes.\n"), sec/60);
492 vpninfo->idle_timeout = sec;
493 } else if (!xmlnode_get_val(xml_node, "ssl-tunnel-url", &s)) {
494 free(vpninfo->urlpath);
495 vpninfo->urlpath = s;
496 if (strcmp(s, "/ssl-tunnel-connect.sslvpn"))
497 vpn_progress(vpninfo, PRG_INFO, _("Non-standard SSL tunnel path: %s\n"), s);
498 s = NULL;
499 } else if (!xmlnode_get_val(xml_node, "timeout", &s)) {
500 int sec = atoi(s);
501 vpn_progress(vpninfo, PRG_INFO, _("Tunnel timeout (rekey interval) is %d minutes.\n"), sec/60);
502 vpninfo->ssl_times.last_rekey = time(NULL);
503 vpninfo->ssl_times.rekey = sec - 60;
504 vpninfo->ssl_times.rekey_method = REKEY_TUNNEL;
505 } else if (!xmlnode_get_val(xml_node, "gw-address", &s)) {
506 /* As remarked in oncp.c, "this is a tunnel; having a
507 * gateway is meaningless." See esp_send_probes_gp for the
508 * gory details of what this field actually means.
509 */
510 if (strcmp(s, vpninfo->ip_info.gateway_addr))
511 vpn_progress(vpninfo, PRG_DEBUG,
512 _("Gateway address in config XML (%s) differs from external gateway address (%s).\n"), s, vpninfo->ip_info.gateway_addr);
513 vpninfo->esp_magic = inet_addr(s);
514 } else if (xmlnode_is_named(xml_node, "dns")) {
515 for (ii=0, member = xml_node->children; member && ii<3; member=member->next)
516 if (!xmlnode_get_val(member, "member", &s))
517 vpninfo->ip_info.dns[ii++] = add_option(vpninfo, "DNS", &s);
518 } else if (xmlnode_is_named(xml_node, "wins")) {
519 for (ii=0, member = xml_node->children; member && ii<3; member=member->next)
520 if (!xmlnode_get_val(member, "member", &s))
521 vpninfo->ip_info.nbns[ii++] = add_option(vpninfo, "WINS", &s);
522 } else if (xmlnode_is_named(xml_node, "dns-suffix")) {
523 struct oc_text_buf *domains = buf_alloc();
524 for (member = xml_node->children; member; member=member->next)
525 if (!xmlnode_get_val(member, "member", &s))
526 buf_append(domains, "%s ", s);
527 if (buf_error(domains) == 0 && domains->pos > 0) {
528 domains->data[domains->pos-1] = '\0';
529 vpninfo->ip_info.domain = add_option(vpninfo, "search", &domains->data);
530 }
531 buf_free(domains);
532 } else if (xmlnode_is_named(xml_node, "access-routes") || xmlnode_is_named(xml_node, "exclude-access-routes")) {
533 for (member = xml_node->children; member; member=member->next) {
534 if (!xmlnode_get_val(member, "member", &s)) {
535 struct oc_split_include *inc = malloc(sizeof(*inc));
536 if (!inc)
537 continue;
538 if (xmlnode_is_named(xml_node, "access-routes")) {
539 inc->route = add_option(vpninfo, "split-include", &s);
540 inc->next = vpninfo->ip_info.split_includes;
541 vpninfo->ip_info.split_includes = inc;
542 } else {
543 inc->route = add_option(vpninfo, "split-exclude", &s);
544 inc->next = vpninfo->ip_info.split_excludes;
545 vpninfo->ip_info.split_excludes = inc;
546 }
547 }
548 }
549 } else if (xmlnode_is_named(xml_node, "ipsec")) {
550 #ifdef HAVE_ESP
551 if (vpninfo->dtls_state != DTLS_DISABLED) {
552 int c = (vpninfo->current_esp_in ^= 1);
553 struct esp *ei = &vpninfo->esp_in[c], *eo = &vpninfo->esp_out;
554 vpninfo->old_esp_maxseq = vpninfo->esp_in[c^1].seq + 32;
555 for (member = xml_node->children; member; member=member->next) {
556 if (!xmlnode_get_val(member, "udp-port", &s)) udp_sockaddr(vpninfo, atoi(s));
557 else if (!xmlnode_get_val(member, "enc-algo", &s)) vpninfo->esp_enc = check_enc_algo(vpninfo, s);
558 else if (!xmlnode_get_val(member, "hmac-algo", &s)) vpninfo->esp_hmac = check_hmac_algo(vpninfo, s);
559 else if (!xmlnode_get_val(member, "c2s-spi", &s)) eo->spi = htonl(strtoul(s, NULL, 16));
560 else if (!xmlnode_get_val(member, "s2c-spi", &s)) ei->spi = htonl(strtoul(s, NULL, 16));
561 else if (xmlnode_is_named(member, "ekey-c2s")) vpninfo->enc_key_len = xml_to_key(member, eo->enc_key, sizeof(eo->enc_key));
562 else if (xmlnode_is_named(member, "ekey-s2c")) vpninfo->enc_key_len = xml_to_key(member, ei->enc_key, sizeof(ei->enc_key));
563 else if (xmlnode_is_named(member, "akey-c2s")) vpninfo->hmac_key_len = xml_to_key(member, eo->hmac_key, sizeof(eo->hmac_key));
564 else if (xmlnode_is_named(member, "akey-s2c")) vpninfo->hmac_key_len = xml_to_key(member, ei->hmac_key, sizeof(ei->hmac_key));
565 else if (!xmlnode_get_val(member, "ipsec-mode", &s) && strcmp(s, "esp-tunnel"))
566 vpn_progress(vpninfo, PRG_ERR, _("GlobalProtect config sent ipsec-mode=%s (expected esp-tunnel)\n"), s);
567 }
568 if (openconnect_setup_esp_keys(vpninfo, 0))
569 vpn_progress(vpninfo, PRG_ERR, "Failed to setup ESP keys.\n");
570 else
571 /* prevent race condition between esp_mainloop() and gpst_mainloop() timers */
572 vpninfo->dtls_times.last_rekey = time(&vpninfo->new_dtls_started);
573 }
574 #else
575 vpn_progress(vpninfo, PRG_DEBUG, _("Ignoring ESP keys since ESP support not available in this build\n"));
576 #endif
577 } else if (xmlnode_is_named(xml_node, "need-tunnel")
578 || xmlnode_is_named(xml_node, "bw-c2s")
579 || xmlnode_is_named(xml_node, "bw-s2c")
580 || xmlnode_is_named(xml_node, "default-gateway")
581 || xmlnode_is_named(xml_node, "no-direct-access-to-local-network")
582 || xmlnode_is_named(xml_node, "ip-address-preferred")
583 || xmlnode_is_named(xml_node, "portal")
584 || xmlnode_is_named(xml_node, "user")) {
585 /* XX: Do these have any potential value at all for routing configuration or diagnostics? */
586 } else if (xml_node->type == XML_ELEMENT_NODE) {
587 /* XX: Don't know what tags are used for IPv6 addresses and networks, since
588 * we haven't yet seen a real GlobalProtect VPN with IPv6 internal addresses.
589 */
590 free(s);
591 s = (char *)xmlNodeGetContent(xml_node);
592 if (strchr((char *)xml_node->name, '6'))
593 vpn_progress(vpninfo, PRG_ERR, _("Potential IPv6-related GlobalProtect config tag <%s>: %s\n"
594 "This build does not support GlobalProtect IPv6 due to a lack of\n"
595 "of information on how it is configured. Please report this\n"
596 "to <openconnect-devel@lists.infradead.org>.\n"), xml_node->name, s);
597 else
598 vpn_progress(vpninfo, PRG_DEBUG, _("Unknown GlobalProtect config tag <%s>: %s\n"), xml_node->name, s);
599 }
600 }
601
602 /* Set 10-second DPD/keepalive (same as Windows client) unless
603 * overridden with --force-dpd */
604 if (!vpninfo->ssl_times.dpd)
605 vpninfo->ssl_times.dpd = 10;
606 vpninfo->ssl_times.keepalive = vpninfo->esp_ssl_fallback = vpninfo->ssl_times.dpd;
607
608 free(s);
609 return 0;
610 }
611
gpst_get_config(struct openconnect_info * vpninfo)612 static int gpst_get_config(struct openconnect_info *vpninfo)
613 {
614 char *orig_path;
615 int result;
616 struct oc_text_buf *request_body = buf_alloc();
617 struct oc_vpn_option *old_cstp_opts = vpninfo->cstp_options;
618 const char *old_addr = vpninfo->ip_info.addr, *old_netmask = vpninfo->ip_info.netmask;
619 const char *old_addr6 = vpninfo->ip_info.addr6, *old_netmask6 = vpninfo->ip_info.netmask6;
620 const char *request_body_type = "application/x-www-form-urlencoded";
621 const char *method = "POST";
622 char *xml_buf=NULL;
623 vpninfo->cstp_options = NULL;
624
625 /* submit getconfig request */
626 buf_append(request_body, "client-type=1&protocol-version=p1&app-version=4.0.5-8");
627 append_opt(request_body, "clientos", gpst_os_name(vpninfo));
628 append_opt(request_body, "os-version", vpninfo->platname);
629 append_opt(request_body, "hmac-algo", "sha1,md5,sha256");
630 append_opt(request_body, "enc-algo", "aes-128-cbc,aes-256-cbc");
631 if (old_addr || old_addr6) {
632 append_opt(request_body, "preferred-ip", old_addr);
633 append_opt(request_body, "preferred-ipv6", old_addr6);
634 filter_opts(request_body, vpninfo->cookie, "preferred-ip,preferred-ipv6", 0);
635 } else
636 buf_append(request_body, "&%s", vpninfo->cookie);
637 if ((result = buf_error(request_body)))
638 goto out;
639
640 orig_path = vpninfo->urlpath;
641 vpninfo->urlpath = strdup("ssl-vpn/getconfig.esp");
642 result = do_https_request(vpninfo, method, request_body_type, request_body,
643 &xml_buf, 0);
644 free(vpninfo->urlpath);
645 vpninfo->urlpath = orig_path;
646
647 /* parse getconfig result */
648 if (result >= 0)
649 result = gpst_xml_or_error(vpninfo, xml_buf, gpst_parse_config_xml, NULL, NULL);
650 if (result)
651 goto out;
652
653 if (!vpninfo->ip_info.mtu) {
654 /* FIXME: GP gateway config always seems to be <mtu>0</mtu> */
655 char *no_esp_reason = NULL;
656 #ifdef HAVE_ESP
657 if (vpninfo->dtls_state == DTLS_DISABLED)
658 no_esp_reason = _("ESP disabled");
659 else if (vpninfo->dtls_state == DTLS_NOSECRET)
660 no_esp_reason = _("No ESP keys received");
661 #else
662 no_esp_reason = _("ESP support not available in this build");
663 #endif
664 vpninfo->ip_info.mtu = calculate_mtu(vpninfo, !no_esp_reason);
665 vpn_progress(vpninfo, PRG_ERR,
666 _("No MTU received. Calculated %d for %s%s\n"), vpninfo->ip_info.mtu,
667 no_esp_reason ? "SSL tunnel. " : "ESP tunnel", no_esp_reason ? : "");
668 /* return -EINVAL; */
669 }
670 if (!vpninfo->ip_info.addr && !vpninfo->ip_info.addr6 &&
671 !vpninfo->ip_info.netmask6) {
672 vpn_progress(vpninfo, PRG_ERR,
673 _("No IP address received. Aborting\n"));
674 result = -EINVAL;
675 goto out;
676 }
677 if (old_addr) {
678 if (!vpninfo->ip_info.addr || strcmp(old_addr, vpninfo->ip_info.addr)) {
679 vpn_progress(vpninfo, PRG_ERR,
680 _("Reconnect gave different Legacy IP address (%s != %s)\n"),
681 vpninfo->ip_info.addr, old_addr);
682 result = -EINVAL;
683 goto out;
684 }
685 }
686 if (old_netmask) {
687 if (!vpninfo->ip_info.netmask || strcmp(old_netmask, vpninfo->ip_info.netmask)) {
688 vpn_progress(vpninfo, PRG_ERR,
689 _("Reconnect gave different Legacy IP netmask (%s != %s)\n"),
690 vpninfo->ip_info.netmask, old_netmask);
691 result = -EINVAL;
692 goto out;
693 }
694 }
695 if (old_addr6) {
696 if (!vpninfo->ip_info.addr6 || strcmp(old_addr6, vpninfo->ip_info.addr6)) {
697 vpn_progress(vpninfo, PRG_ERR,
698 _("Reconnect gave different IPv6 address (%s != %s)\n"),
699 vpninfo->ip_info.addr6, old_addr6);
700 return -EINVAL;
701 }
702 }
703 if (old_netmask6) {
704 if (!vpninfo->ip_info.netmask6 || strcmp(old_netmask6, vpninfo->ip_info.netmask6)) {
705 vpn_progress(vpninfo, PRG_ERR,
706 _("Reconnect gave different IPv6 netmask (%s != %s)\n"),
707 vpninfo->ip_info.netmask6, old_netmask6);
708 return -EINVAL;
709 }
710 }
711
712 out:
713 free_optlist(old_cstp_opts);
714 buf_free(request_body);
715 free(xml_buf);
716 return result;
717 }
718
gpst_connect(struct openconnect_info * vpninfo)719 static int gpst_connect(struct openconnect_info *vpninfo)
720 {
721 int ret;
722 struct oc_text_buf *reqbuf;
723 const char start_tunnel[12] = "START_TUNNEL"; /* NOT zero-terminated */
724 char buf[256];
725
726 /* We do NOT actually start the HTTPS tunnel if ESP is enabled and we received
727 * ESP keys, because the ESP keys become invalid as soon as the HTTPS tunnel
728 * is connected! >:-(
729 */
730 if (vpninfo->dtls_state != DTLS_DISABLED && vpninfo->dtls_state != DTLS_NOSECRET)
731 return 0;
732
733 /* Connect to SSL VPN tunnel */
734 vpn_progress(vpninfo, PRG_DEBUG,
735 _("Connecting to HTTPS tunnel endpoint ...\n"));
736
737 ret = openconnect_open_https(vpninfo);
738 if (ret)
739 return ret;
740
741 reqbuf = buf_alloc();
742 buf_append(reqbuf, "GET %s?", vpninfo->urlpath);
743 filter_opts(reqbuf, vpninfo->cookie, "user,authcookie", 1);
744 buf_append(reqbuf, " HTTP/1.1\r\n\r\n");
745 if ((ret = buf_error(reqbuf)))
746 goto out;
747
748 if (vpninfo->dump_http_traffic)
749 dump_buf(vpninfo, '>', reqbuf->data);
750
751 vpninfo->ssl_write(vpninfo, reqbuf->data, reqbuf->pos);
752
753 if ((ret = vpninfo->ssl_read(vpninfo, buf, 12)) < 0) {
754 if (ret == -EINTR)
755 goto out;
756 vpn_progress(vpninfo, PRG_ERR,
757 _("Error fetching GET-tunnel HTTPS response.\n"));
758 ret = -EINVAL;
759 goto out;
760 }
761
762 if (!strncmp(buf, start_tunnel, sizeof(start_tunnel))) {
763 ret = 0;
764 } else if (ret==0) {
765 vpn_progress(vpninfo, PRG_ERR,
766 _("Gateway disconnected immediately after GET-tunnel request.\n"));
767 ret = -EPIPE;
768 } else {
769 if (ret==sizeof(start_tunnel)) {
770 ret = vpninfo->ssl_gets(vpninfo, buf+sizeof(start_tunnel), sizeof(buf)-sizeof(start_tunnel));
771 ret = (ret>0 ? ret : 0) + sizeof(start_tunnel);
772 }
773 vpn_progress(vpninfo, PRG_ERR,
774 _("Got inappropriate HTTP GET-tunnel response: %.*s\n"), ret, buf);
775 ret = -EINVAL;
776 }
777
778 if (ret < 0)
779 openconnect_close_https(vpninfo, 0);
780 else {
781 monitor_fd_new(vpninfo, ssl);
782 monitor_read_fd(vpninfo, ssl);
783 monitor_except_fd(vpninfo, ssl);
784 vpninfo->ssl_times.last_rx = vpninfo->ssl_times.last_tx = time(NULL);
785 /* connecting the HTTPS tunnel totally invalidates the ESP keys,
786 hence shutdown */
787 if (vpninfo->proto->udp_shutdown)
788 vpninfo->proto->udp_shutdown(vpninfo);
789 }
790
791 out:
792 buf_free(reqbuf);
793 return ret;
794 }
795
parse_hip_report_check(struct openconnect_info * vpninfo,xmlNode * xml_node,void * cb_data)796 static int parse_hip_report_check(struct openconnect_info *vpninfo, xmlNode *xml_node, void *cb_data)
797 {
798 char *s = NULL;
799 int result = -EINVAL;
800
801 if (!xml_node || !xmlnode_is_named(xml_node, "response"))
802 goto out;
803
804 for (xml_node = xml_node->children; xml_node; xml_node=xml_node->next) {
805 if (!xmlnode_get_val(xml_node, "hip-report-needed", &s)) {
806 if (!strcmp(s, "no"))
807 result = 0;
808 else if (!strcmp(s, "yes"))
809 result = -EAGAIN;
810 else
811 result = -EINVAL;
812 goto out;
813 }
814 }
815
816 out:
817 free(s);
818 return result;
819 }
820
821 /* Unlike CSD, the HIP security checker runs during the connection
822 * phase, not during the authentication phase.
823 *
824 * The HIP security checker will (probably) ask us to resubmit the
825 * HIP report if either of the following changes:
826 * - Client IP address
827 * - Client HIP report md5sum
828 *
829 * I'm not sure what the md5sum is computed over in the official
830 * client, but it doesn't really matter.
831 *
832 * We just need an identifier for the combination of the local host
833 * and the VPN gateway which won't change when our IP address
834 * or authcookie are changed.
835 */
build_csd_token(struct openconnect_info * vpninfo)836 static int build_csd_token(struct openconnect_info *vpninfo)
837 {
838 struct oc_text_buf *buf;
839 unsigned char md5[16];
840 int i;
841
842 if (vpninfo->csd_token)
843 return 0;
844
845 vpninfo->csd_token = malloc(MD5_SIZE * 2 + 1);
846 if (!vpninfo->csd_token)
847 return -ENOMEM;
848
849 /* use cookie (excluding volatile authcookie and preferred-ip) to build md5sum */
850 buf = buf_alloc();
851 filter_opts(buf, vpninfo->cookie, "authcookie,preferred-ip", 0);
852 if (buf_error(buf))
853 goto out;
854
855 /* save as csd_token */
856 openconnect_md5(md5, buf->data, buf->pos);
857 for (i=0; i < MD5_SIZE; i++)
858 sprintf(&vpninfo->csd_token[i*2], "%02x", md5[i]);
859
860 out:
861 return buf_free(buf);
862 }
863
864 /* check if HIP report is needed (to ssl-vpn/hipreportcheck.esp) or submit HIP report contents (to ssl-vpn/hipreport.esp) */
check_or_submit_hip_report(struct openconnect_info * vpninfo,const char * report)865 static int check_or_submit_hip_report(struct openconnect_info *vpninfo, const char *report)
866 {
867 int result;
868
869 struct oc_text_buf *request_body = buf_alloc();
870 const char *request_body_type = "application/x-www-form-urlencoded";
871 const char *method = "POST";
872 char *xml_buf=NULL, *orig_path;
873
874 /* cookie gives us these fields: authcookie, portal, user, domain, computer, and (maybe the unnecessary) preferred-ip */
875 buf_append(request_body, "client-role=global-protect-full&%s", vpninfo->cookie);
876 if (vpninfo->ip_info.addr)
877 append_opt(request_body, "client-ip", vpninfo->ip_info.addr);
878 if (vpninfo->ip_info.addr6)
879 append_opt(request_body, "client-ipv6", vpninfo->ip_info.addr6);
880 if (report) {
881 /* XML report contains many characters requiring URL-encoding (%xx) */
882 buf_ensure_space(request_body, strlen(report)*3);
883 append_opt(request_body, "report", report);
884 } else {
885 result = build_csd_token(vpninfo);
886 if (result)
887 goto out;
888 append_opt(request_body, "md5", vpninfo->csd_token);
889 }
890 if ((result = buf_error(request_body)))
891 goto out;
892
893 orig_path = vpninfo->urlpath;
894 vpninfo->urlpath = strdup(report ? "ssl-vpn/hipreport.esp" : "ssl-vpn/hipreportcheck.esp");
895 result = do_https_request(vpninfo, method, request_body_type, request_body,
896 &xml_buf, 0);
897 free(vpninfo->urlpath);
898 vpninfo->urlpath = orig_path;
899
900 if (result >= 0)
901 result = gpst_xml_or_error(vpninfo, xml_buf, report ? NULL : parse_hip_report_check, NULL, NULL);
902
903 out:
904 buf_free(request_body);
905 free(xml_buf);
906 return result;
907 }
908
run_hip_script(struct openconnect_info * vpninfo)909 static int run_hip_script(struct openconnect_info *vpninfo)
910 {
911 #if !defined(_WIN32) && !defined(__native_client__)
912 int pipefd[2];
913 int ret;
914 pid_t child;
915 #endif
916
917 if (!vpninfo->csd_wrapper) {
918 /* Only warn once */
919 if (!vpninfo->last_trojan) {
920 vpn_progress(vpninfo, PRG_ERR,
921 _("WARNING: Server asked us to submit HIP report with md5sum %s.\n"
922 " VPN connectivity may be disabled or limited without HIP report submission.\n %s\n"),
923 vpninfo->csd_token,
924 #if defined(_WIN32) || defined(__native_client__)
925 _("However, running the HIP report submission script on this platform is not yet implemented.")
926 #else
927 _("You need to provide a --csd-wrapper argument with the HIP report submission script.")
928 #endif
929 );
930 /* XXX: Many GlobalProtect VPNs work fine despite allegedly requiring HIP report submission */
931 }
932 return 0;
933 }
934
935 #if defined(_WIN32) || defined(__native_client__)
936 vpn_progress(vpninfo, PRG_ERR,
937 _("Error: Running the 'HIP Report' script on this platform is not yet implemented.\n"));
938 return -EPERM;
939 #else
940 #ifdef __linux__
941 if (pipe2(pipefd, O_CLOEXEC))
942 #endif
943 {
944 if (pipe(pipefd))
945 goto out;
946 set_fd_cloexec(pipefd[0]);
947 set_fd_cloexec(pipefd[1]);
948 }
949 child = fork();
950 if (child == -1) {
951 goto out;
952 } else if (child > 0) {
953 /* in parent: read report from child */
954 struct oc_text_buf *report_buf = buf_alloc();
955 char b[256];
956 int i, status;
957 close(pipefd[1]);
958
959 buf_truncate(report_buf);
960 while ((i = read(pipefd[0], b, sizeof(b))) > 0)
961 buf_append_bytes(report_buf, b, i);
962
963 waitpid(child, &status, 0);
964 if (!WIFEXITED(status)) {
965 vpn_progress(vpninfo, PRG_ERR,
966 _("HIP script '%s' exited abnormally\n"),
967 vpninfo->csd_wrapper);
968 ret = -EINVAL;
969 } else if (WEXITSTATUS(status) != 0) {
970 vpn_progress(vpninfo, PRG_ERR,
971 _("HIP script '%s' returned non-zero status: %d\n"),
972 vpninfo->csd_wrapper, WEXITSTATUS(status));
973 ret = -EINVAL;
974 } else {
975 ret = check_or_submit_hip_report(vpninfo, report_buf->data);
976 if (ret < 0)
977 vpn_progress(vpninfo, PRG_ERR, _("HIP report submission failed.\n"));
978 else {
979 vpn_progress(vpninfo, PRG_INFO, _("HIP report submitted successfully.\n"));
980 ret = 0;
981 }
982 }
983 buf_free(report_buf);
984 return ret;
985 } else {
986 /* in child: run HIP script */
987 const char *hip_argv[32];
988 int i = 0;
989 close(pipefd[0]);
990 /* The duplicated fd does not have O_CLOEXEC */
991 dup2(pipefd[1], 1);
992
993 if (set_csd_user(vpninfo) < 0)
994 exit(1);
995
996 hip_argv[i++] = openconnect_utf8_to_legacy(vpninfo, vpninfo->csd_wrapper);
997 hip_argv[i++] = "--cookie";
998 hip_argv[i++] = vpninfo->cookie;
999 if (vpninfo->ip_info.addr) {
1000 hip_argv[i++] = "--client-ip";
1001 hip_argv[i++] = vpninfo->ip_info.addr;
1002 }
1003 if (vpninfo->ip_info.addr6) {
1004 hip_argv[i++] = "--client-ipv6";
1005 hip_argv[i++] = vpninfo->ip_info.addr6;
1006 }
1007 hip_argv[i++] = "--md5";
1008 hip_argv[i++] = vpninfo->csd_token;
1009 hip_argv[i++] = NULL;
1010 execv(hip_argv[0], (char **)hip_argv);
1011
1012 out:
1013 vpn_progress(vpninfo, PRG_ERR,
1014 _("Failed to exec HIP script %s\n"), hip_argv[0]);
1015 exit(1);
1016 }
1017
1018 #endif /* !_WIN32 && !__native_client__ */
1019 }
1020
check_and_maybe_submit_hip_report(struct openconnect_info * vpninfo)1021 static int check_and_maybe_submit_hip_report(struct openconnect_info *vpninfo)
1022 {
1023 int ret;
1024
1025 ret = check_or_submit_hip_report(vpninfo, NULL);
1026 if (ret == -EAGAIN) {
1027 vpn_progress(vpninfo, PRG_DEBUG,
1028 _("Gateway says HIP report submission is needed.\n"));
1029 ret = run_hip_script(vpninfo);
1030 } else if (ret == 0)
1031 vpn_progress(vpninfo, PRG_DEBUG,
1032 _("Gateway says no HIP report submission is needed.\n"));
1033
1034 return ret;
1035 }
1036
gpst_setup(struct openconnect_info * vpninfo)1037 int gpst_setup(struct openconnect_info *vpninfo)
1038 {
1039 int ret;
1040
1041 /* ESP keys are invalid as soon as we (re-)fetch the configuration, hence shutdown */
1042 if (vpninfo->proto->udp_shutdown)
1043 vpninfo->proto->udp_shutdown(vpninfo);
1044
1045 /* Get configuration */
1046 ret = gpst_get_config(vpninfo);
1047 if (ret)
1048 goto out;
1049
1050 /* Always check HIP after getting configuration */
1051 ret = check_and_maybe_submit_hip_report(vpninfo);
1052 if (ret)
1053 goto out;
1054
1055 /* XX: last_trojan is used both as a sentinel to detect the
1056 * first time we check/submit HIP, and for the mainloop to timeout
1057 * when periodic re-checking is required.
1058 */
1059 vpninfo->last_trojan = time(NULL);
1060
1061 /* Default HIP re-checking to 3600 seconds unless already set by
1062 * --force-trojan or portal config.
1063 */
1064 if (!vpninfo->trojan_interval)
1065 vpninfo->trojan_interval = 3600;
1066
1067 /* Connect tunnel immediately if ESP is not going to be used */
1068 ret = gpst_connect(vpninfo);
1069
1070 out:
1071 return ret;
1072 }
1073
gpst_mainloop(struct openconnect_info * vpninfo,int * timeout,int readable)1074 int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
1075 {
1076 int ret;
1077 int work_done = 0;
1078 uint16_t ethertype;
1079 uint32_t one, zero, magic;
1080
1081 /* Starting the HTTPS tunnel kills ESP, so we avoid starting
1082 * it if the ESP tunnel is connected or connecting.
1083 */
1084 switch (vpninfo->dtls_state) {
1085 case DTLS_CONNECTING:
1086 openconnect_close_https(vpninfo, 0); /* don't keep stale HTTPS socket */
1087 vpn_progress(vpninfo, PRG_INFO,
1088 _("ESP tunnel connected; exiting HTTPS mainloop.\n"));
1089 vpninfo->dtls_state = DTLS_CONNECTED;
1090 /* Now that we are connected, let's ensure timeout is less than
1091 * or equal to DTLS DPD/keepalive else we might over sleep, eg
1092 * if timeout is set to DTLS attempt period from ESP mainloop,
1093 * and falsely detect dead peer. */
1094 if (vpninfo->dtls_times.dpd)
1095 if (*timeout > vpninfo->dtls_times.dpd * 1000)
1096 *timeout = vpninfo->dtls_times.dpd * 1000;
1097 /* fall through */
1098 case DTLS_CONNECTED:
1099 /* Rekey or check-and-resubmit HIP if needed */
1100 if (keepalive_action(&vpninfo->ssl_times, timeout) == KA_REKEY)
1101 goto do_rekey;
1102 else if (trojan_check_deadline(vpninfo, timeout))
1103 goto do_recheck_hip;
1104 return 0;
1105 case DTLS_SECRET:
1106 case DTLS_SLEEPING:
1107 /* Allow 5 seconds after configuration for ESP to start */
1108 if (!ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + 5))
1109 return 0;
1110
1111 /* ... before we switch to HTTPS instead */
1112 vpn_progress(vpninfo, PRG_ERR,
1113 _("Failed to connect ESP tunnel; using HTTPS instead.\n"));
1114 /* XX: gpst_connect does nothing if ESP is enabled and has secrets */
1115 vpninfo->dtls_state = DTLS_NOSECRET;
1116 if (gpst_connect(vpninfo)) {
1117 vpninfo->quit_reason = "GPST connect failed";
1118 return 1;
1119 }
1120 break;
1121 case DTLS_NOSECRET:
1122 /* HTTPS tunnel already started, or getconfig.esp did not provide any ESP keys */
1123 case DTLS_DISABLED:
1124 /* ESP is disabled */
1125 ;
1126 }
1127
1128 if (vpninfo->ssl_fd == -1)
1129 goto do_reconnect;
1130
1131 while (readable) {
1132 /* Some servers send us packets that are larger than
1133 negotiated MTU. We reserve some extra space to
1134 handle that */
1135 int receive_mtu = MAX(16384, vpninfo->ip_info.mtu);
1136 int len, payload_len;
1137
1138 if (!vpninfo->cstp_pkt) {
1139 vpninfo->cstp_pkt = malloc(sizeof(struct pkt) + receive_mtu);
1140 if (!vpninfo->cstp_pkt) {
1141 vpn_progress(vpninfo, PRG_ERR, _("Allocation failed\n"));
1142 break;
1143 }
1144 }
1145
1146 len = ssl_nonblock_read(vpninfo, vpninfo->cstp_pkt->gpst.hdr, receive_mtu + 16);
1147 if (!len)
1148 break;
1149 if (len < 0) {
1150 vpn_progress(vpninfo, PRG_ERR, _("Packet receive error: %s\n"), strerror(-len));
1151 goto do_reconnect;
1152 }
1153 if (len < 16) {
1154 vpn_progress(vpninfo, PRG_ERR, _("Short packet received (%d bytes)\n"), len);
1155 vpninfo->quit_reason = "Short packet received";
1156 return 1;
1157 }
1158
1159 /* check packet header */
1160 magic = load_be32(vpninfo->cstp_pkt->gpst.hdr);
1161 ethertype = load_be16(vpninfo->cstp_pkt->gpst.hdr + 4);
1162 payload_len = load_be16(vpninfo->cstp_pkt->gpst.hdr + 6);
1163 one = load_le32(vpninfo->cstp_pkt->gpst.hdr + 8);
1164 zero = load_le32(vpninfo->cstp_pkt->gpst.hdr + 12);
1165
1166 if (magic != 0x1a2b3c4d)
1167 goto unknown_pkt;
1168
1169 if (len != 16 + payload_len) {
1170 vpn_progress(vpninfo, PRG_ERR,
1171 _("Unexpected packet length. SSL_read returned %d (includes 16 header bytes) but header payload_len is %d\n"),
1172 len, payload_len);
1173 dump_buf_hex(vpninfo, PRG_ERR, '<', vpninfo->cstp_pkt->gpst.hdr, 16);
1174 continue;
1175 }
1176
1177 vpninfo->ssl_times.last_rx = time(NULL);
1178 switch (ethertype) {
1179 case 0:
1180 vpn_progress(vpninfo, PRG_DEBUG,
1181 _("Got GPST DPD/keepalive response\n"));
1182
1183 if (one != 0 || zero != 0) {
1184 vpn_progress(vpninfo, PRG_DEBUG,
1185 _("Expected 0000000000000000 as last 8 bytes of DPD/keepalive packet header, but got:\n"));
1186 dump_buf_hex(vpninfo, PRG_DEBUG, '<', vpninfo->cstp_pkt->gpst.hdr + 8, 8);
1187 }
1188 continue;
1189 case 0x0800:
1190 case 0x86DD:
1191 vpn_progress(vpninfo, PRG_TRACE,
1192 _("Received IPv%d data packet of %d bytes\n"),
1193 ethertype == 0x86DD ? 6 : 4, payload_len);
1194
1195 if (one != 1 || zero != 0) {
1196 vpn_progress(vpninfo, PRG_DEBUG,
1197 _("Expected 0100000000000000 as last 8 bytes of data packet header, but got:\n"));
1198 dump_buf_hex(vpninfo, PRG_DEBUG, '<', vpninfo->cstp_pkt->gpst.hdr + 8, 8);
1199 }
1200
1201 vpninfo->cstp_pkt->len = payload_len;
1202 queue_packet(&vpninfo->incoming_queue, vpninfo->cstp_pkt);
1203 vpninfo->cstp_pkt = NULL;
1204 work_done = 1;
1205 continue;
1206 }
1207
1208 unknown_pkt:
1209 vpn_progress(vpninfo, PRG_ERR,
1210 _("Unknown packet. Header dump follows:\n"));
1211 dump_buf_hex(vpninfo, PRG_ERR, '<', vpninfo->cstp_pkt->gpst.hdr, 16);
1212 vpninfo->quit_reason = "Unknown packet received";
1213 return 1;
1214 }
1215
1216
1217 /* If SSL_write() fails we are expected to try again. With exactly
1218 the same data, at exactly the same location. So we keep the
1219 packet we had before.... */
1220 if (vpninfo->current_ssl_pkt) {
1221 handle_outgoing:
1222 vpninfo->ssl_times.last_tx = time(NULL);
1223 unmonitor_write_fd(vpninfo, ssl);
1224
1225 ret = ssl_nonblock_write(vpninfo,
1226 vpninfo->current_ssl_pkt->gpst.hdr,
1227 vpninfo->current_ssl_pkt->len + 16);
1228 if (ret < 0)
1229 goto do_reconnect;
1230 else if (!ret) {
1231 switch (ka_stalled_action(&vpninfo->ssl_times, timeout)) {
1232 case KA_REKEY:
1233 goto do_rekey;
1234 case KA_DPD_DEAD:
1235 goto peer_dead;
1236 case KA_NONE:
1237 return work_done;
1238 }
1239 }
1240
1241 if (ret != vpninfo->current_ssl_pkt->len + 16) {
1242 vpn_progress(vpninfo, PRG_ERR,
1243 _("SSL wrote too few bytes! Asked for %d, sent %d\n"),
1244 vpninfo->current_ssl_pkt->len + 16, ret);
1245 vpninfo->quit_reason = "Internal error";
1246 return 1;
1247 }
1248 /* Don't free the 'special' packets */
1249 if (vpninfo->current_ssl_pkt != &dpd_pkt)
1250 free(vpninfo->current_ssl_pkt);
1251
1252 vpninfo->current_ssl_pkt = NULL;
1253 }
1254
1255 if (trojan_check_deadline(vpninfo, timeout)) {
1256 do_recheck_hip:
1257 vpn_progress(vpninfo, PRG_INFO, _("GlobalProtect HIP check due\n"));
1258 /* We could just be lazy and treat this as a reconnect, but that
1259 * would require us to repull the routing configuration and new ESP
1260 * keys, instead of just redoing the HIP check/submission.
1261 *
1262 * Therefore we'll just close the HTTPS tunnel (if up),
1263 * redo the HIP check/submission, and reconnect the HTTPS tunnel
1264 * if needed.
1265 */
1266 openconnect_close_https(vpninfo, 0);
1267 ret = check_and_maybe_submit_hip_report(vpninfo);
1268 if (ret) {
1269 vpn_progress(vpninfo, PRG_ERR, _("HIP check or report failed\n"));
1270 vpninfo->quit_reason = "HIP check or report failed";
1271 return ret;
1272 }
1273 if (gpst_connect(vpninfo))
1274 vpninfo->quit_reason = "GPST connect failed";
1275 return 1;
1276 }
1277
1278 switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
1279 case KA_REKEY:
1280 do_rekey:
1281 vpn_progress(vpninfo, PRG_INFO, _("GlobalProtect rekey due\n"));
1282 goto do_reconnect;
1283 case KA_DPD_DEAD:
1284 peer_dead:
1285 vpn_progress(vpninfo, PRG_ERR,
1286 _("GPST Dead Peer Detection detected dead peer!\n"));
1287 do_reconnect:
1288 ret = ssl_reconnect(vpninfo);
1289 if (ret) {
1290 vpn_progress(vpninfo, PRG_ERR, _("Reconnect failed\n"));
1291 vpninfo->quit_reason = "GPST reconnect failed";
1292 return ret;
1293 }
1294 if (vpninfo->proto->udp_setup)
1295 vpninfo->proto->udp_setup(vpninfo, vpninfo->dtls_attempt_period);
1296 return 1;
1297
1298 case KA_KEEPALIVE:
1299 /* No need to send an explicit keepalive
1300 if we have real data to send */
1301 if (vpninfo->dtls_state != DTLS_CONNECTED &&
1302 vpninfo->outgoing_queue.head)
1303 break;
1304 /* fall through */
1305 case KA_DPD:
1306 vpn_progress(vpninfo, PRG_DEBUG, _("Send GPST DPD/keepalive request\n"));
1307
1308 vpninfo->current_ssl_pkt = (struct pkt *)&dpd_pkt;
1309 goto handle_outgoing;
1310 }
1311
1312
1313 /* Service outgoing packet queue */
1314 while (vpninfo->dtls_state != DTLS_CONNECTED &&
1315 (vpninfo->current_ssl_pkt = dequeue_packet(&vpninfo->outgoing_queue))) {
1316 struct pkt *this = vpninfo->current_ssl_pkt;
1317
1318 /* IPv4 or IPv6 EtherType */
1319 int ethertype = this->len && (this->data[0] & 0xF0) == 0x60 ? 0x86DD : 0x0800;
1320
1321 /* store header */
1322 store_be32(this->gpst.hdr, 0x1a2b3c4d);
1323 store_be16(this->gpst.hdr + 4, ethertype);
1324 store_be16(this->gpst.hdr + 6, this->len);
1325 store_le32(this->gpst.hdr + 8, 1);
1326 store_le32(this->gpst.hdr + 12, 0);
1327
1328 vpn_progress(vpninfo, PRG_TRACE,
1329 _("Sending IPv%d data packet of %d bytes\n"),
1330 (ethertype == 0x86DD ? 6 : 4), this->len);
1331
1332 goto handle_outgoing;
1333 }
1334
1335 /* Work is not done if we just got rid of packets off the queue */
1336 return work_done;
1337 }
1338
1339 #ifdef HAVE_ESP
csum(uint16_t * buf,int nwords)1340 static uint16_t csum(uint16_t *buf, int nwords)
1341 {
1342 uint32_t sum = 0;
1343 for(sum=0; nwords>0; nwords--)
1344 sum += ntohs(*buf++);
1345 sum = (sum >> 16) + (sum &0xffff);
1346 sum += (sum >> 16);
1347 return htons((uint16_t)(~sum));
1348 }
1349
1350 static char magic_ping_payload[16] = "monitor\x00\x00pan ha ";
1351
gpst_esp_send_probes(struct openconnect_info * vpninfo)1352 int gpst_esp_send_probes(struct openconnect_info *vpninfo)
1353 {
1354 /* The GlobalProtect VPN initiates and maintains the ESP connection
1355 * using specially-crafted ICMP ("ping") packets.
1356 *
1357 * 1) These ping packets have a special magic payload. It must
1358 * include at least the 16 bytes below. The Windows client actually
1359 * sends this 56-byte version, but the remaining bytes don't
1360 * seem to matter:
1361 *
1362 * "monitor\x00\x00pan ha 0123456789:;<=>? !\"#$%&\'()*+,-./\x10\x11\x12\x13\x14\x15\x16\x18";
1363 *
1364 * 2) The ping packets are addressed to the IP supplied in the
1365 * config XML as as <gw-address>. In most cases, this is the
1366 * same as the *external* IP address of the VPN gateway
1367 * (vpninfo->ip_info.gateway_addr), but in some cases it is a
1368 * separate address.
1369 *
1370 * Don't blame me. I didn't design this.
1371 */
1372 int pktlen, seq;
1373 struct pkt *pkt = malloc(sizeof(*pkt) + sizeof(struct ip) + ICMP_MINLEN + sizeof(magic_ping_payload) + vpninfo->pkt_trailer);
1374 struct ip *iph = (void *)pkt->data;
1375 struct icmp *icmph = (void *)(pkt->data + sizeof(*iph));
1376 char *pmagic = (void *)(pkt->data + sizeof(*iph) + ICMP_MINLEN);
1377 if (!pkt)
1378 return -ENOMEM;
1379
1380 if (vpninfo->dtls_fd == -1) {
1381 int fd = udp_connect(vpninfo);
1382 if (fd < 0) {
1383 free(pkt);
1384 return fd;
1385 }
1386 /* We are not connected until we get an ESP packet back */
1387 vpninfo->dtls_state = DTLS_SLEEPING;
1388 vpninfo->dtls_fd = fd;
1389 monitor_fd_new(vpninfo, dtls);
1390 monitor_read_fd(vpninfo, dtls);
1391 monitor_except_fd(vpninfo, dtls);
1392 }
1393
1394 for (seq=1; seq <= (vpninfo->dtls_state==DTLS_CONNECTED ? 1 : 3); seq++) {
1395 memset(pkt, 0, sizeof(*pkt) + sizeof(*iph) + ICMP_MINLEN + sizeof(magic_ping_payload));
1396 pkt->len = sizeof(struct ip) + ICMP_MINLEN + sizeof(magic_ping_payload);
1397
1398 /* IP Header */
1399 iph->ip_hl = 5;
1400 iph->ip_v = 4;
1401 iph->ip_len = htons(sizeof(*iph) + ICMP_MINLEN + sizeof(magic_ping_payload));
1402 iph->ip_id = htons(0x4747); /* what the Windows client uses */
1403 iph->ip_off = htons(IP_DF); /* don't fragment, frag offset = 0 */
1404 iph->ip_ttl = 64; /* hops */
1405 iph->ip_p = IPPROTO_ICMP;
1406 iph->ip_src.s_addr = inet_addr(vpninfo->ip_info.addr);
1407 iph->ip_dst.s_addr = vpninfo->esp_magic;
1408 iph->ip_sum = csum((uint16_t *)iph, sizeof(*iph)/2);
1409
1410 /* ICMP echo request */
1411 icmph->icmp_type = ICMP_ECHO;
1412 icmph->icmp_hun.ih_idseq.icd_id = htons(0x4747);
1413 icmph->icmp_hun.ih_idseq.icd_seq = htons(seq);
1414 memcpy(pmagic, magic_ping_payload, sizeof(magic_ping_payload)); /* required to get gateway to respond */
1415 icmph->icmp_cksum = csum((uint16_t *)icmph, (ICMP_MINLEN+sizeof(magic_ping_payload))/2);
1416
1417 pktlen = construct_esp_packet(vpninfo, pkt, IPPROTO_IPIP);
1418 if (pktlen < 0 ||
1419 send(vpninfo->dtls_fd, (void *)&pkt->esp, pktlen, 0) < 0)
1420 vpn_progress(vpninfo, PRG_DEBUG, _("Failed to send ESP probe\n"));
1421 }
1422
1423 free(pkt);
1424
1425 vpninfo->dtls_times.last_tx = time(&vpninfo->new_dtls_started);
1426
1427 return 0;
1428 }
1429
gpst_esp_catch_probe(struct openconnect_info * vpninfo,struct pkt * pkt)1430 int gpst_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt)
1431 {
1432 struct ip *iph = (void *)(pkt->data);
1433
1434 return ( pkt->len >= 21 && iph->ip_v==4 /* IPv4 header */
1435 && iph->ip_p==IPPROTO_ICMP /* IPv4 protocol field == ICMP */
1436 && iph->ip_src.s_addr == vpninfo->esp_magic /* source == magic address */
1437 && pkt->len >= (iph->ip_hl<<2) + ICMP_MINLEN + sizeof(magic_ping_payload) /* No short-packet segfaults */
1438 && pkt->data[iph->ip_hl<<2]==ICMP_ECHOREPLY /* ICMP reply */
1439 && !memcmp(&pkt->data[(iph->ip_hl<<2) + ICMP_MINLEN], magic_ping_payload, sizeof(magic_ping_payload)) /* Same magic payload in response */
1440 );
1441 }
1442 #endif /* HAVE_ESP */
1443