1 /*
2 * Copyright (C) 2013-2016 Nikos Mavrogiannopoulos
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of ocserv.
7 *
8 * ocserv is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 */
21 #ifndef WORKER_H
22 #define WORKER_H
23
24 #include <config.h>
25 #include <syslog.h>
26 #include <sys/types.h>
27 #include <sys/socket.h>
28
29 #include <unistd.h>
30 #include <net/if.h>
31 #include <vpn.h>
32 #include <tlslib.h>
33 #include <common.h>
34 #include <str.h>
35 #include <worker-bandwidth.h>
36 #include <stdbool.h>
37 #include <sys/un.h>
38 #include <sys/uio.h>
39 #include <hmac.h>
40 #include "vhost.h"
41 #include "ev.h"
42
43 // Name of environment variable used to pass worker_startup_msg
44 // between ocserv-main and ocserv-worker.
45 #define OCSERV_ENV_WORKER_STARTUP_MSG "OCSERV_WORKER_STARTUP_MSG"
46
47 typedef enum {
48 UP_DISABLED,
49 UP_WAIT_FD,
50 UP_SETUP,
51 UP_HANDSHAKE,
52 UP_INACTIVE,
53 UP_ACTIVE
54 } udp_port_state_t;
55
56 enum {
57 HEADER_COOKIE = 1,
58 HEADER_MASTER_SECRET,
59 HEADER_HOSTNAME,
60 HEADER_CSTP_MTU,
61 HEADER_CSTP_BASE_MTU,
62 HEADER_CSTP_ATYPE,
63 HEADER_DEVICE_TYPE,
64 HEADER_PLATFORM,
65 HEADER_DTLS_CIPHERSUITE,
66 HEADER_DTLS12_CIPHERSUITE,
67 HEADER_CONNECTION,
68 HEADER_FULL_IPV6,
69 HEADER_USER_AGENT,
70 HEADER_CSTP_ENCODING,
71 HEADER_DTLS_ENCODING,
72 HEADER_SUPPORT_SPNEGO,
73 HEADER_AUTHORIZATION
74 };
75
76 enum {
77 HTTP_HEADER_INIT = 0,
78 HTTP_HEADER_RECV,
79 HTTP_HEADER_VALUE_RECV
80 };
81
82 enum {
83 S_AUTH_INACTIVE = 0,
84 S_AUTH_INIT,
85 S_AUTH_REQ,
86 S_AUTH_COOKIE,
87 S_AUTH_COMPLETE
88 };
89
90 enum {
91 AGENT_UNKNOWN,
92 AGENT_OPENCONNECT_V3,
93 AGENT_OPENCONNECT,
94 AGENT_ANYCONNECT
95 };
96
97 typedef int (*decompress_fn)(void* dst, int maxDstSize, const void* src, int src_size);
98 typedef int (*compress_fn)(void* dst, int dst_size, const void* src, int src_size);
99
100 typedef struct compression_method_st {
101 comp_type_t id;
102 const char *name;
103 decompress_fn decompress;
104 compress_fn compress;
105 unsigned server_prio; /* the highest the more we want to negotiate that */
106 } compression_method_st;
107
108 typedef struct dtls_ciphersuite_st {
109 const char* oc_name;
110 const char* gnutls_name; /* the gnutls priority string to set */
111 unsigned dtls12_mode;
112 unsigned server_prio; /* the highest the more we want to negotiate that */
113 unsigned gnutls_cipher;
114 unsigned gnutls_kx;
115 unsigned gnutls_mac;
116 unsigned gnutls_version;
117 } dtls_ciphersuite_st;
118
119 #ifdef HAVE_GSSAPI
120 # include <libtasn1.h>
121 /* main has initialized that for us */
122 extern ASN1_TYPE _kkdcp_pkix1_asn;
123 #endif
124
125 struct http_req_st {
126 char url[256];
127
128 str_st header;
129 str_st value;
130 unsigned int header_state;
131
132 char devtype[MAX_AGENT_NAME]; /* Device-Type */
133 char devplatform[MAX_AGENT_NAME]; /* Device-Platform */
134 char hostname[MAX_HOSTNAME_SIZE];
135 char user_agent[MAX_AGENT_NAME];
136 unsigned user_agent_type;
137
138 unsigned int next_header;
139
140 bool is_mobile;
141 bool is_ios;
142 bool spnego_set;
143
144 unsigned char master_secret[TLS_MASTER_SIZE];
145 unsigned int master_secret_set;
146
147 char *body;
148 unsigned int body_length;
149
150 const dtls_ciphersuite_st *selected_ciphersuite;
151 unsigned use_psk; /* i.e., ignore selected_ciphersuite */
152
153 unsigned int headers_complete;
154 unsigned int message_complete;
155 unsigned link_mtu;
156 unsigned tunnel_mtu;
157
158 unsigned no_ipv4;
159 unsigned no_ipv6;
160
161 char *authorization;
162 unsigned authorization_size;
163 };
164
165 typedef struct dtls_transport_ptr {
166 int fd;
167 UdpFdMsg *msg; /* holds the data of the first client hello */
168 int consumed;
169 #if defined(CAPTURE_LATENCY_SUPPORT)
170 struct timespec rx_time;
171 #endif
172 } dtls_transport_ptr;
173
174 typedef struct dtls_st {
175 ev_io io;
176 dtls_transport_ptr dtls_tptr;
177 gnutls_session_t dtls_session;
178 udp_port_state_t udp_state;
179 time_t last_dtls_rehandshake;
180 } dtls_st;
181
182 /* Given a base MTU, this macro provides the DTLS plaintext data we can send;
183 * the output value does not include the DTLS header */
184 #define DATA_MTU(ws,mtu) (mtu-ws->dtls_crypto_overhead-ws->dtls_proto_overhead)
185
186 typedef struct worker_st {
187 gnutls_session_t session;
188
189 auth_struct_st *selected_auth;
190 const compression_method_st *dtls_selected_comp;
191 const compression_method_st *cstp_selected_comp;
192
193 struct http_req_st req;
194
195 /* inique session identifier */
196 uint8_t sid[SID_SIZE];
197 unsigned int sid_set;
198
199 int cmd_fd;
200 int conn_fd;
201 sock_type_t conn_type; /* AF_UNIX or something else */
202
203 http_parser *parser;
204
205 struct list_head *vconfig;
206
207 /* pointer inside vconfig */
208 #define WSCREDS(ws) (&ws->vhost->creds)
209 #define WSCONFIG(ws) (ws->vhost->perm_config.config)
210 #define WSPCONFIG(ws) (&ws->vhost->perm_config)
211 struct vhost_cfg_st *vhost;
212
213 unsigned int auth_state; /* S_AUTH */
214
215 struct sockaddr_un secmod_addr; /* sec-mod unix address */
216 socklen_t secmod_addr_len;
217
218 struct sockaddr_storage our_addr; /* our address */
219 socklen_t our_addr_len;
220 struct sockaddr_storage remote_addr; /* peer's address */
221 socklen_t remote_addr_len;
222 char our_ip_str[MAX_IP_STR];
223 char remote_ip_str[MAX_IP_STR];
224 const uint8_t sec_auth_init_hmac[HMAC_DIGEST_SIZE];
225
226 int proto; /* AF_INET or AF_INET6 */
227
228 time_t session_start_time;
229
230 /* for dead peer detection */
231 time_t last_msg_udp;
232 time_t last_msg_tcp;
233
234 time_t last_nc_msg; /* last message that wasn't control, on any channel */
235
236 time_t last_periodic_check;
237
238 /* set after authentication */
239 time_t udp_recv_time; /* time last udp packet was received */
240 uint8_t dtls_active_session : 1;
241 dtls_st dtls[2];
242 #define DTLS_ACTIVE(ws) (&ws->dtls[ws->dtls_active_session])
243 #define DTLS_INACTIVE(ws) (&ws->dtls[ws->dtls_active_session ^ 1])
244
245 /* protection from multiple rehandshakes */
246 time_t last_tls_rehandshake;
247
248 /* the time the last stats message was sent */
249 time_t last_stats_msg;
250
251 /* for mtu trials */
252 unsigned last_good_mtu;
253 unsigned last_bad_mtu;
254
255 /* bandwidth stats */
256 bandwidth_st b_tx;
257 bandwidth_st b_rx;
258
259 /* ws->link_mtu: The MTU of the link of the connecting. The plaintext
260 * data we can send to the client (i.e., MTU of the tun device,
261 * can be accessed using the DATA_MTU() macro and this value. */
262 unsigned link_mtu;
263 unsigned adv_link_mtu; /* the MTU advertized on connection setup */
264
265 unsigned cstp_crypto_overhead; /* estimated overhead of DTLS ciphersuite + DTLS CSTP HEADER */
266 unsigned cstp_proto_overhead; /* UDP + IP header size */
267
268 unsigned dtls_crypto_overhead; /* estimated overhead of DTLS ciphersuite + DTLS CSTP HEADER */
269 unsigned dtls_proto_overhead; /* UDP + IP header size */
270
271 /* Indicates whether the new IPv6 headers will
272 * be sent or the old */
273 unsigned full_ipv6;
274
275 /* Buffer used by worker */
276 uint8_t buffer[16*1024];
277 /* Buffer used for decompression */
278 uint8_t decomp[16*1024];
279 unsigned buffer_size;
280
281 /* the following are set only if authentication is complete */
282
283 char username[MAX_USERNAME_SIZE];
284 char groupname[MAX_GROUPNAME_SIZE];
285
286 char cert_username[MAX_USERNAME_SIZE];
287 char **cert_groups;
288 unsigned cert_groups_size;
289
290 char hostname[MAX_HOSTNAME_SIZE];
291 uint8_t cookie[SID_SIZE];
292
293 unsigned int cookie_set;
294
295 GroupCfgSt *user_config;
296
297 uint8_t master_secret[TLS_MASTER_SIZE];
298 uint8_t session_id[GNUTLS_MAX_SESSION_ID];
299 unsigned cert_auth_ok;
300 int tun_fd;
301
302 /* ban points to be sent on exit */
303 unsigned ban_points;
304
305 /* tun device stats */
306 uint64_t tun_bytes_in;
307 uint64_t tun_bytes_out;
308
309 /* information on the tun device addresses and network */
310 struct vpn_st vinfo;
311 unsigned default_route;
312
313 void *main_pool; /* to be used only on deinitialization */
314
315 #if defined(CAPTURE_LATENCY_SUPPORT)
316 /* latency stats */
317 struct {
318 uint64_t median_total;
319 uint64_t rms_total;
320 uint64_t sample_set_count;
321 size_t next_sample;
322 time_t last_stats_msg;
323 uint32_t samples[LATENCY_SAMPLE_SIZE];
324 } latency;
325 #endif
326 } worker_st;
327
328 void vpn_server(struct worker_st* ws);
329
330 int auth_cookie(worker_st *ws, void* cookie, size_t cookie_size);
331 int auth_user_deinit(worker_st *ws);
332
333 int get_auth_handler(worker_st *server, unsigned http_ver);
334 int post_auth_handler(worker_st *server, unsigned http_ver);
335 int post_kkdcp_handler(worker_st *server, unsigned http_ver);
336 int get_cert_handler(worker_st * ws, unsigned http_ver);
337 int get_cert_der_handler(worker_st * ws, unsigned http_ver);
338 int get_ca_handler(worker_st * ws, unsigned http_ver);
339 int get_ca_der_handler(worker_st * ws, unsigned http_ver);
340
341 int response_404(worker_st *ws, unsigned http_ver);
342 int get_empty_handler(worker_st *server, unsigned http_ver);
343 #ifdef ANYCONNECT_CLIENT_COMPAT
344 int get_config_handler(worker_st *ws, unsigned http_ver);
345 #endif
346 int get_string_handler(worker_st *ws, unsigned http_ver);
347 int get_dl_handler(worker_st *ws, unsigned http_ver);
348 int get_cert_names(worker_st * ws, const gnutls_datum_t * raw);
349
350 void set_resume_db_funcs(gnutls_session_t);
351
352
353 void __attribute__ ((format(printf, 3, 4)))
354 _oclog(const worker_st * server, int priority, const char *fmt, ...);
355
356 #ifdef UNDER_TEST
357 # define oclog(...)
358 #else
359 # ifdef __GNUC__
360 # define oclog(server, prio, fmt, ...) \
361 (prio==LOG_ERR)?_oclog(server, prio, "%s:%d: "fmt, __FILE__, __LINE__, ##__VA_ARGS__): \
362 _oclog(server, prio, fmt, ##__VA_ARGS__)
363 # else
364 # define oclog _oclog
365 # endif
366 #endif
367
368 void oclog_hex(const worker_st* ws, int priority,
369 const char *prefix, uint8_t* bin, unsigned bin_size, unsigned b64);
370
371 typedef int (*url_handler_fn) (worker_st *, unsigned http_ver);
372 int http_url_cb(http_parser * parser, const char *at, size_t length);
373 int http_header_value_cb(http_parser * parser, const char *at, size_t length);
374 int http_header_field_cb(http_parser * parser, const char *at, size_t length);
375 int http_header_complete_cb(http_parser * parser);
376 int http_message_complete_cb(http_parser * parser);
377 int http_body_cb(http_parser * parser, const char *at, size_t length);
378 void http_req_deinit(worker_st * ws);
379 void http_req_reset(worker_st * ws);
380 void http_req_init(worker_st * ws);
381
382 unsigned valid_hostname(const char *host);
383
384 url_handler_fn http_get_url_handler(const char *url);
385 url_handler_fn http_post_url_handler(worker_st * ws, const char *url);
386
387 int complete_vpn_info(worker_st * ws,
388 struct vpn_st* vinfo);
389
390 int send_tun_mtu(worker_st *ws, unsigned int mtu);
391 int handle_commands_from_main(struct worker_st *ws);
392 int disable_system_calls(struct worker_st *ws);
393 void ocsigaltstack(struct worker_st *ws);
394
395 void exit_worker(worker_st * ws);
396 void exit_worker_reason(worker_st * ws, unsigned reason);
397
398 int ws_switch_auth_to(struct worker_st *ws, unsigned auth);
399 int ws_switch_auth_to_next(struct worker_st *ws);
400 void ws_add_score_to_ip(worker_st *ws, unsigned points, unsigned final, unsigned discon_reason);
401
402 int connect_to_secmod(worker_st * ws);
403 inline static
send_msg_to_secmod(worker_st * ws,int sd,uint8_t cmd,const void * msg,pack_size_func get_size,pack_func pack)404 int send_msg_to_secmod(worker_st * ws, int sd, uint8_t cmd,
405 const void *msg, pack_size_func get_size, pack_func pack)
406 {
407 oclog(ws, LOG_DEBUG, "sending message '%s' to secmod",
408 cmd_request_to_str(cmd));
409
410 return send_msg(ws, sd, cmd, msg, get_size, pack);
411 }
412
413 inline static
send_msg_to_main(worker_st * ws,uint8_t cmd,const void * msg,pack_size_func get_size,pack_func pack)414 int send_msg_to_main(worker_st *ws, uint8_t cmd,
415 const void* msg, pack_size_func get_size, pack_func pack)
416 {
417 oclog(ws, LOG_DEBUG, "sending message '%s' to main", cmd_request_to_str(cmd));
418 return send_msg(ws, ws->cmd_fd, cmd, msg, get_size, pack);
419 }
420
421 int parse_proxy_proto_header(struct worker_st *ws, int fd);
422
423 void cookie_authenticate_or_exit(worker_st *ws);
424
425 int add_owasp_headers(worker_st * ws);
426
427 /* after that time (secs) of inactivity in the UDP part, connection switches to
428 * TCP (if activity occurs there).
429 */
430 #define UDP_SWITCH_TIME 15
431
432 #endif
433