int openconnect_parse_url(struct openconnect_info *vpninfo, const char *url)
{
char *scheme = NULL;
int ret;
UTF8CHECK(url);
openconnect_set_hostname(vpninfo, NULL);
free(vpninfo->urlpath);
vpninfo->urlpath = NULL;
ret = internal_parse_url(url, &scheme, &vpninfo->hostname,
&vpninfo->port, &vpninfo->urlpath, 443);
if (ret) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to parse server URL '%s'\n"),
url);
return ret;
}
if (scheme && strcmp(scheme, "https")) {
vpn_progress(vpninfo, PRG_ERR,
_("Only https:// permitted for server URL\n"));
ret = -EINVAL;
}
free(scheme);
return ret;
}
/* cf. RFC2818 and RFC2459 */
static int match_cert_hostname(struct openconnect_info *vpninfo, X509 *peer_cert)
{
STACK_OF(GENERAL_NAME) *altnames;
X509_NAME *subjname;
ASN1_STRING *subjasn1;
char *subjstr = NULL;
int addrlen = 0;
int i, altdns = 0;
char addrbuf[sizeof(struct in6_addr)];
int ret;
/* Allow GEN_IP in the certificate only if we actually connected
by IP address rather than by name. */
if (inet_pton(AF_INET, vpninfo->hostname, addrbuf) > 0)
addrlen = 4;
else if (inet_pton(AF_INET6, vpninfo->hostname, addrbuf) > 0)
addrlen = 16;
else if (vpninfo->hostname[0] == '[' &&
vpninfo->hostname[strlen(vpninfo->hostname)-1] == ']') {
char *p = &vpninfo->hostname[strlen(vpninfo->hostname)-1];
*p = 0;
if (inet_pton(AF_INET6, vpninfo->hostname + 1, addrbuf) > 0)
addrlen = 16;
*p = ']';
}
altnames = X509_get_ext_d2i(peer_cert, NID_subject_alt_name,
NULL, NULL);
for (i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {
const GENERAL_NAME *this = sk_GENERAL_NAME_value(altnames, i);
if (this->type == GEN_DNS) {
char *str;
int len = ASN1_STRING_to_UTF8((void *)&str, this->d.ia5);
if (len < 0)
continue;
altdns = 1;
/* We don't like names with embedded NUL */
if (strlen(str) != len)
continue;
if (!match_hostname(vpninfo->hostname, str)) {
vpn_progress(vpninfo, PRG_TRACE,
_("Matched DNS altname '%s'\n"),
str);
GENERAL_NAMES_free(altnames);
OPENSSL_free(str);
return 0;
} else {
vpn_progress(vpninfo, PRG_TRACE,
_("No match for altname '%s'\n"),
str);
}
OPENSSL_free(str);
} else if (this->type == GEN_IPADD && addrlen) {
char host[80];
int family;
if (this->d.ip->length == 4) {
family = AF_INET;
} else if (this->d.ip->length == 16) {
family = AF_INET6;
} else {
vpn_progress(vpninfo, PRG_ERR,
_("Certificate has GEN_IPADD altname with bogus length %d\n"),
this->d.ip->length);
continue;
}
/* We only do this for the debug messages */
inet_ntop(family, this->d.ip->data, host, sizeof(host));
if (this->d.ip->length == addrlen &&
!memcmp(addrbuf, this->d.ip->data, addrlen)) {
vpn_progress(vpninfo, PRG_TRACE,
_("Matched %s address '%s'\n"),
(family == AF_INET6) ? "IPv6" : "IPv4",
host);
GENERAL_NAMES_free(altnames);
return 0;
} else {
vpn_progress(vpninfo, PRG_TRACE,
_("No match for %s address '%s'\n"),
(family == AF_INET6) ? "IPv6" : "IPv4",
host);
}
} else if (this->type == GEN_URI) {
char *str;
char *url_proto, *url_host, *url_path, *url_host2;
int url_port;
int len = ASN1_STRING_to_UTF8((void *)&str, this->d.ia5);
if (len < 0)
continue;
/* We don't like names with embedded NUL */
if (strlen(str) != len)
continue;
if (internal_parse_url(str, &url_proto, &url_host, &url_port, &url_path, 0)) {
OPENSSL_free(str);
continue;
}
if (!url_proto || strcasecmp(url_proto, "https"))
goto no_uri_match;
if (url_port != vpninfo->port)
goto no_uri_match;
/* Leave url_host as it was so that it can be freed */
url_host2 = url_host;
if (addrlen == 16 && vpninfo->hostname[0] != '[' &&
url_host[0] == '[' && url_host[strlen(url_host)-1] == ']') {
/* Cope with https://[IPv6]/ when the hostname is bare IPv6 */
url_host[strlen(url_host)-1] = 0;
url_host2++;
}
if (strcasecmp(vpninfo->hostname, url_host2))
goto no_uri_match;
if (url_path) {
vpn_progress(vpninfo, PRG_TRACE,
_("URI '%s' has non-empty path; ignoring\n"),
str);
goto no_uri_match_silent;
}
vpn_progress(vpninfo, PRG_TRACE,
_("Matched URI '%s'\n"),
str);
free(url_proto);
free(url_host);
free(url_path);
OPENSSL_free(str);
GENERAL_NAMES_free(altnames);
return 0;
no_uri_match:
vpn_progress(vpninfo, PRG_TRACE,
_("No match for URI '%s'\n"),
str);
no_uri_match_silent:
free(url_proto);
free(url_host);
free(url_path);
OPENSSL_free(str);
}
}
GENERAL_NAMES_free(altnames);
/* According to RFC2818, we don't use the legacy subject name if
there was an altname with DNS type. */
if (altdns) {
vpn_progress(vpninfo, PRG_ERR,
_("No altname in peer cert matched '%s'\n"),
vpninfo->hostname);
return -EINVAL;
}
subjname = X509_get_subject_name(peer_cert);
if (!subjname) {
vpn_progress(vpninfo, PRG_ERR,
_("No subject name in peer cert!\n"));
return -EINVAL;
}
/* Find the _last_ (most specific) commonName */
i = -1;
while (1) {
int j = X509_NAME_get_index_by_NID(subjname, NID_commonName, i);
if (j >= 0)
i = j;
else
break;
}
subjasn1 = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subjname, i));
i = ASN1_STRING_to_UTF8((void *)&subjstr, subjasn1);
if (!subjstr || strlen(subjstr) != i) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to parse subject name in peer cert\n"));
return -EINVAL;
}
ret = 0;
if (match_hostname(vpninfo->hostname, subjstr)) {
vpn_progress(vpninfo, PRG_ERR,
_("Peer cert subject mismatch ('%s' != '%s')\n"),
subjstr, vpninfo->hostname);
ret = -EINVAL;
} else {
vpn_progress(vpninfo, PRG_TRACE,
_("Matched peer certificate subject name '%s'\n"),
subjstr);
}
OPENSSL_free(subjstr);
return ret;
}
int connect_https_socket(struct openconnect_info *vpninfo)
{
int ssl_sock = -1;
int err;
if (!vpninfo->port)
vpninfo->port = 443;
if (vpninfo->peer_addr) {
reconnect:
#ifdef SOCK_CLOEXEC
ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_IP);
if (ssl_sock < 0)
#endif
{
ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM, IPPROTO_IP);
if (ssl_sock < 0)
goto reconn_err;
set_fd_cloexec(ssl_sock);
}
if (cancellable_connect(vpninfo, ssl_sock, vpninfo->peer_addr, vpninfo->peer_addrlen)) {
reconn_err:
if (vpninfo->proxy) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to reconnect to proxy %s\n"),
vpninfo->proxy);
} else {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to reconnect to host %s\n"),
vpninfo->hostname);
}
if (ssl_sock >= 0)
closesocket(ssl_sock);
return -EINVAL;
}
} else {
struct addrinfo hints, *result, *rp;
char *hostname;
char port[6];
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV;
hints.ai_protocol = 0;
hints.ai_canonname = NULL;
hints.ai_addr = NULL;
hints.ai_next = NULL;
/* The 'port' variable is a string because it's easier
this way than if we pass NULL to getaddrinfo() and
then try to fill in the numeric value into
different types of returned sockaddr_in{6,}. */
#ifdef LIBPROXY_HDR
if (vpninfo->proxy_factory) {
char *url;
char **proxies;
int i = 0;
free(vpninfo->proxy_type);
vpninfo->proxy_type = NULL;
free(vpninfo->proxy);
vpninfo->proxy = NULL;
if (vpninfo->port == 443)
i = asprintf(&url, "https://%s/%s", vpninfo->hostname,
vpninfo->urlpath?:"");
else
i = asprintf(&url, "https://%s:%d/%s", vpninfo->hostname,
vpninfo->port, vpninfo->urlpath?:"");
if (i == -1)
return -ENOMEM;
proxies = px_proxy_factory_get_proxies(vpninfo->proxy_factory,
url);
i = 0;
while (proxies && proxies[i]) {
if (!vpninfo->proxy &&
(!strncmp(proxies[i], "http://", 7) ||
!strncmp(proxies[i], "socks://", 8) ||
!strncmp(proxies[i], "socks5://", 9)))
internal_parse_url(proxies[i], &vpninfo->proxy_type,
&vpninfo->proxy, &vpninfo->proxy_port,
NULL, 0);
i++;
}
free(url);
free(proxies);
if (vpninfo->proxy)
vpn_progress(vpninfo, PRG_DEBUG,
_("Proxy from libproxy: %s://%s:%d/\n"),
vpninfo->proxy_type, vpninfo->proxy, vpninfo->port);
}
int connect_https_socket(struct openconnect_info *vpninfo)
{
int ssl_sock = -1;
int err;
if (!vpninfo->port)
vpninfo->port = 443;
/* If we're talking to a server which told us it has dynamic DNS, don't
just re-use its previous IP address. If we're talking to a proxy, we
can use *its* previous IP address. We expect it'll re-do the DNS
lookup for the server anyway. */
if (vpninfo->peer_addr && (!vpninfo->is_dyndns || vpninfo->proxy)) {
reconnect:
#ifdef SOCK_CLOEXEC
ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_IP);
if (ssl_sock < 0)
#endif
{
ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM, IPPROTO_IP);
if (ssl_sock < 0) {
#ifdef _WIN32
err = WSAGetLastError();
#else
err = -errno;
#endif
goto reconn_err;
}
set_fd_cloexec(ssl_sock);
}
err = cancellable_connect(vpninfo, ssl_sock, vpninfo->peer_addr, vpninfo->peer_addrlen);
if (err) {
char *errstr;
reconn_err:
#ifdef _WIN32
if (err > 0)
errstr = openconnect__win32_strerror(err);
else
#endif
errstr = strerror(-err);
if (vpninfo->proxy) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to reconnect to proxy %s: %s\n"),
vpninfo->proxy, errstr);
} else {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to reconnect to host %s: %s\n"),
vpninfo->hostname, errstr);
}
#ifdef _WIN32
if (err > 0)
free(errstr);
#endif
if (ssl_sock >= 0)
closesocket(ssl_sock);
ssl_sock = -EINVAL;
goto out;
}
} else {
struct addrinfo hints, *result, *rp;
char *hostname;
char port[6];
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV;
hints.ai_protocol = 0;
hints.ai_canonname = NULL;
hints.ai_addr = NULL;
hints.ai_next = NULL;
/* The 'port' variable is a string because it's easier
this way than if we pass NULL to getaddrinfo() and
then try to fill in the numeric value into
different types of returned sockaddr_in{6,}. */
#ifdef LIBPROXY_HDR
if (vpninfo->proxy_factory) {
struct oc_text_buf *url_buf = buf_alloc();
char **proxies;
int i = 0;
free(vpninfo->proxy_type);
vpninfo->proxy_type = NULL;
free(vpninfo->proxy);
vpninfo->proxy = NULL;
buf_append(url_buf, "https://%s", vpninfo->hostname);
if (vpninfo->port != 443)
buf_append(url_buf, ":%d", vpninfo->port);
buf_append(url_buf, "/%s", vpninfo->urlpath?:"");
if (buf_error(url_buf)) {
buf_free(url_buf);
ssl_sock = -ENOMEM;
goto out;
}
proxies = px_proxy_factory_get_proxies(vpninfo->proxy_factory,
url_buf->data);
i = 0;
while (proxies && proxies[i]) {
if (!vpninfo->proxy &&
(!strncmp(proxies[i], "http://", 7) ||
!strncmp(proxies[i], "socks://", 8) ||
!strncmp(proxies[i], "socks5://", 9)))
internal_parse_url(proxies[i], &vpninfo->proxy_type,
&vpninfo->proxy, &vpninfo->proxy_port,
NULL, 0);
i++;
}
buf_free(url_buf);
free(proxies);
if (vpninfo->proxy)
vpn_progress(vpninfo, PRG_DEBUG,
_("Proxy from libproxy: %s://%s:%d/\n"),
vpninfo->proxy_type, vpninfo->proxy, vpninfo->port);
}
#endif
if (vpninfo->proxy) {
hostname = vpninfo->proxy;
snprintf(port, 6, "%d", vpninfo->proxy_port);
} else {
hostname = vpninfo->hostname;
snprintf(port, 6, "%d", vpninfo->port);
}
if (hostname[0] == '[' && hostname[strlen(hostname)-1] == ']') {
hostname = strndup(hostname + 1, strlen(hostname) - 2);
if (!hostname) {
ssl_sock = -ENOMEM;
goto out;
}
hints.ai_flags |= AI_NUMERICHOST;
}
if (vpninfo->getaddrinfo_override)
err = vpninfo->getaddrinfo_override(vpninfo->cbdata, hostname, port, &hints, &result);
else
err = getaddrinfo(hostname, port, &hints, &result);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("getaddrinfo failed for host '%s': %s\n"),
hostname, gai_strerror(err));
if (hints.ai_flags & AI_NUMERICHOST)
free(hostname);
ssl_sock = -EINVAL;
/* If we were just retrying for dynamic DNS, reconnct using
the previously-known IP address */
if (vpninfo->peer_addr) {
vpn_progress(vpninfo, PRG_ERR,
_("Reconnecting to DynDNS server using previously cached IP address\n"));
goto reconnect;
}
goto out;
}
if (hints.ai_flags & AI_NUMERICHOST)
free(hostname);
for (rp = result; rp ; rp = rp->ai_next) {
char host[80];
host[0] = 0;
if (!getnameinfo(rp->ai_addr, rp->ai_addrlen, host,
sizeof(host), NULL, 0, NI_NUMERICHOST))
vpn_progress(vpninfo, PRG_DEBUG, vpninfo->proxy_type ?
_("Attempting to connect to proxy %s%s%s:%s\n") :
_("Attempting to connect to server %s%s%s:%s\n"),
rp->ai_family == AF_INET6 ? "[" : "",
host,
rp->ai_family == AF_INET6 ? "]" : "",
port);
ssl_sock = socket(rp->ai_family, rp->ai_socktype,
rp->ai_protocol);
if (ssl_sock < 0)
continue;
set_fd_cloexec(ssl_sock);
err = cancellable_connect(vpninfo, ssl_sock, rp->ai_addr, rp->ai_addrlen);
if (!err) {
/* Store the peer address we actually used, so that DTLS can
use it again later */
free(vpninfo->ip_info.gateway_addr);
vpninfo->ip_info.gateway_addr = NULL;
if (host[0]) {
vpninfo->ip_info.gateway_addr = strdup(host);
vpn_progress(vpninfo, PRG_INFO, _("Connected to %s%s%s:%s\n"),
rp->ai_family == AF_INET6 ? "[" : "",
host,
rp->ai_family == AF_INET6 ? "]" : "",
port);
}
free(vpninfo->peer_addr);
vpninfo->peer_addrlen = 0;
vpninfo->peer_addr = malloc(rp->ai_addrlen);
if (!vpninfo->peer_addr) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to allocate sockaddr storage\n"));
closesocket(ssl_sock);
ssl_sock = -ENOMEM;
goto out;
}
vpninfo->peer_addrlen = rp->ai_addrlen;
memcpy(vpninfo->peer_addr, rp->ai_addr, rp->ai_addrlen);
/* If no proxy, ensure that we output *this* IP address in
* authentication results because we're going to need to
* reconnect to the *same* server from the rotation. And with
* some trick DNS setups, it might possibly be a "rotation"
* even if we only got one result from getaddrinfo() this
* time.
*
* If there's a proxy, we're kind of screwed; we can't know
* which IP address we connected to. Perhaps we ought to do
* the DNS lookup locally and connect to a specific IP? */
if (!vpninfo->proxy && host[0]) {
char *p = malloc(strlen(host) + 3);
if (p) {
free(vpninfo->unique_hostname);
vpninfo->unique_hostname = p;
if (rp->ai_family == AF_INET6)
*p++ = '[';
memcpy(p, host, strlen(host));
p += strlen(host);
if (rp->ai_family == AF_INET6)
*p++ = ']';
*p = 0;
}
}
break;
}
if (host[0]) {
char *errstr;
#ifdef _WIN32
if (err > 0)
errstr = openconnect__win32_strerror(err);
else
#endif
errstr = strerror(-err);
vpn_progress(vpninfo, PRG_INFO, _("Failed to connect to %s%s%s:%s: %s\n"),
rp->ai_family == AF_INET6 ? "[" : "",
host,
rp->ai_family == AF_INET6 ? "]" : "",
port, errstr);
#ifdef _WIN32
if (err > 0)
free(errstr);
#endif
}
closesocket(ssl_sock);
ssl_sock = -1;
/* If we're in DynDNS mode but this *was* the cached IP address,
* don't bother falling back to it if it didn't work. */
if (vpninfo->peer_addr && vpninfo->peer_addrlen == rp->ai_addrlen &&
match_sockaddr(vpninfo->peer_addr, rp->ai_addr)) {
vpn_progress(vpninfo, PRG_TRACE,
_("Forgetting non-functional previous peer address\n"));
free(vpninfo->peer_addr);
vpninfo->peer_addr = 0;
vpninfo->peer_addrlen = 0;
free(vpninfo->ip_info.gateway_addr);
vpninfo->ip_info.gateway_addr = NULL;
}
}
freeaddrinfo(result);
if (ssl_sock < 0) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to connect to host %s\n"),
vpninfo->proxy?:vpninfo->hostname);
ssl_sock = -EINVAL;
if (vpninfo->peer_addr) {
vpn_progress(vpninfo, PRG_ERR,
_("Reconnecting to DynDNS server using previously cached IP address\n"));
goto reconnect;
}
goto out;
}
}
