static int cancellable_connect(struct openconnect_info *vpninfo, int sockfd,
const struct sockaddr *addr, socklen_t addrlen)
{
struct sockaddr_storage peer;
socklen_t peerlen = sizeof(peer);
fd_set wr_set, rd_set;
int maxfd = sockfd;
set_sock_nonblock(sockfd);
if (vpninfo->protect_socket)
vpninfo->protect_socket(vpninfo->cbdata, sockfd);
if (connect(sockfd, addr, addrlen) < 0 && !connect_pending())
return -1;
do {
FD_ZERO(&wr_set);
FD_ZERO(&rd_set);
FD_SET(sockfd, &wr_set);
cmd_fd_set(vpninfo, &rd_set, &maxfd);
select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
if (is_cancel_pending(vpninfo, &rd_set)) {
vpn_progress(vpninfo, PRG_ERR, _("Socket connect cancelled\n"));
errno = EINTR;
return -1;
}
} while (!FD_ISSET(sockfd, &wr_set) && !vpninfo->got_pause_cmd);
/* Check whether connect() succeeded or failed by using
getpeername(). See http://cr.yp.to/docs/connect.html */
return getpeername(sockfd, (void *)&peer, &peerlen);
}
int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len)
{
int done;
while ((done = SSL_read(vpninfo->https_ssl, buf, len)) == -1) {
int err = SSL_get_error(vpninfo->https_ssl, done);
fd_set wr_set, rd_set;
int maxfd = vpninfo->ssl_fd;
FD_ZERO(&wr_set);
FD_ZERO(&rd_set);
if (err == SSL_ERROR_WANT_READ)
FD_SET(vpninfo->ssl_fd, &rd_set);
else if (err == SSL_ERROR_WANT_WRITE)
FD_SET(vpninfo->ssl_fd, &wr_set);
else {
vpn_progress(vpninfo, PRG_ERR, _("Failed to read from SSL socket\n"));
openconnect_report_ssl_errors(vpninfo);
return -EIO;
}
cmd_fd_set(vpninfo, &rd_set, &maxfd);
select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
if (is_cancel_pending(vpninfo, &rd_set)) {
vpn_progress(vpninfo, PRG_ERR, _("SSL read cancelled\n"));
return -EINTR;
}
}
return done;
}
int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len)
{
int i = 0;
int ret;
if (len < 2)
return -EINVAL;
while (1) {
ret = SSL_read(vpninfo->https_ssl, buf + i, 1);
if (ret == 1) {
if (buf[i] == '\n') {
buf[i] = 0;
if (i && buf[i-1] == '\r') {
buf[i-1] = 0;
i--;
}
return i;
}
i++;
if (i >= len - 1) {
buf[i] = 0;
return i;
}
} else {
fd_set rd_set, wr_set;
int maxfd = vpninfo->ssl_fd;
FD_ZERO(&rd_set);
FD_ZERO(&wr_set);
ret = SSL_get_error(vpninfo->https_ssl, ret);
if (ret == SSL_ERROR_WANT_READ)
FD_SET(vpninfo->ssl_fd, &rd_set);
else if (ret == SSL_ERROR_WANT_WRITE)
FD_SET(vpninfo->ssl_fd, &wr_set);
else {
vpn_progress(vpninfo, PRG_ERR, _("Failed to read from SSL socket\n"));
openconnect_report_ssl_errors(vpninfo);
ret = -EIO;
break;
}
cmd_fd_set(vpninfo, &rd_set, &maxfd);
select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
if (is_cancel_pending(vpninfo, &rd_set)) {
vpn_progress(vpninfo, PRG_ERR, _("SSL read cancelled\n"));
ret = -EINTR;
break;
}
}
}
buf[i] = 0;
return i ?: ret;
}
int openconnect_open_https(struct openconnect_info *vpninfo)
{
method_const SSL_METHOD *ssl3_method;
SSL *https_ssl;
BIO *https_bio;
int ssl_sock;
int err;
if (vpninfo->https_ssl)
return 0;
if (vpninfo->peer_cert) {
X509_free(vpninfo->peer_cert);
vpninfo->peer_cert = NULL;
}
ssl_sock = connect_https_socket(vpninfo);
if (ssl_sock < 0)
return ssl_sock;
ssl3_method = TLSv1_client_method();
if (!vpninfo->https_ctx) {
vpninfo->https_ctx = SSL_CTX_new(ssl3_method);
/* Some servers (or their firewalls) really don't like seeing
extensions. */
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(vpninfo->https_ctx, SSL_OP_NO_TICKET);
#endif
if (vpninfo->cert) {
err = load_certificate(vpninfo);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Loading certificate failed. Aborting.\n"));
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return err;
}
check_certificate_expiry(vpninfo);
}
/* We just want to do:
SSL_CTX_set_purpose(vpninfo->https_ctx, X509_PURPOSE_ANY);
... but it doesn't work with OpenSSL < 0.9.8k because of
problems with inheritance (fixed in v1.1.4.6 of
crypto/x509/x509_vpm.c) so we have to play silly buggers
instead. This trick doesn't work _either_ in < 0.9.7 but
I don't know of _any_ workaround which will, and can't
be bothered to find out either. */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
SSL_CTX_set_cert_verify_callback(vpninfo->https_ctx,
ssl_app_verify_callback, NULL);
#endif
SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);
#ifdef ANDROID_KEYSTORE
if (vpninfo->cafile && !strncmp(vpninfo->cafile, "keystore:", 9)) {
STACK_OF(X509_INFO) *stack;
X509_STORE *store;
X509_INFO *info;
BIO *b = BIO_from_keystore(vpninfo, vpninfo->cafile);
if (!b) {
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -EINVAL;
}
stack = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL);
BIO_free(b);
if (!stack) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to read certs from CA file '%s'\n"),
vpninfo->cafile);
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -ENOENT;
}
store = SSL_CTX_get_cert_store(vpninfo->https_ctx);
while ((info = sk_X509_INFO_pop(stack))) {
if (info->x509)
X509_STORE_add_cert(store, info->x509);
if (info->crl)
X509_STORE_add_crl(store, info->crl);
X509_INFO_free(info);
}
sk_X509_INFO_free(stack);
} else
#endif
if (vpninfo->cafile) {
if (!SSL_CTX_load_verify_locations(vpninfo->https_ctx, vpninfo->cafile, NULL)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to open CA file '%s'\n"),
vpninfo->cafile);
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -EINVAL;
}
}
}
https_ssl = SSL_new(vpninfo->https_ctx);
workaround_openssl_certchain_bug(vpninfo, https_ssl);
https_bio = BIO_new_socket(ssl_sock, BIO_NOCLOSE);
BIO_set_nbio(https_bio, 1);
SSL_set_bio(https_ssl, https_bio, https_bio);
vpn_progress(vpninfo, PRG_INFO, _("SSL negotiation with %s\n"),
vpninfo->hostname);
while ((err = SSL_connect(https_ssl)) <= 0) {
fd_set wr_set, rd_set;
int maxfd = ssl_sock;
FD_ZERO(&wr_set);
FD_ZERO(&rd_set);
err = SSL_get_error(https_ssl, err);
if (err == SSL_ERROR_WANT_READ)
FD_SET(ssl_sock, &rd_set);
else if (err == SSL_ERROR_WANT_WRITE)
FD_SET(ssl_sock, &wr_set);
else {
vpn_progress(vpninfo, PRG_ERR, _("SSL connection failure\n"));
openconnect_report_ssl_errors(vpninfo);
SSL_free(https_ssl);
close(ssl_sock);
return -EINVAL;
}
cmd_fd_set(vpninfo, &rd_set, &maxfd);
select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
if (is_cancel_pending(vpninfo, &rd_set)) {
vpn_progress(vpninfo, PRG_ERR, _("SSL connection cancelled\n"));
SSL_free(https_ssl);
close(ssl_sock);
return -EINVAL;
}
}
if (verify_peer(vpninfo, https_ssl)) {
SSL_free(https_ssl);
close(ssl_sock);
return -EINVAL;
}
vpninfo->ssl_fd = ssl_sock;
vpninfo->https_ssl = https_ssl;
/* Stash this now, because it might not be available later if the
server has disconnected. */
vpninfo->peer_cert = SSL_get_peer_certificate(vpninfo->https_ssl);
vpn_progress(vpninfo, PRG_INFO, _("Connected to HTTPS on %s\n"),
vpninfo->hostname);
return 0;
}
/* Windows is interminably horrid, and has disjoint errno spaces.
* So if we return a positive value, that's a WSA Error and should
* be handled with openconnect__win32_strerror(). But if we return a
* negative value, that's a normal errno and should be handled with
* strerror(). No, you can't just pass the latter value (negated) to
* openconnect__win32_strerror() because it gives nonsense results. */
static int cancellable_connect(struct openconnect_info *vpninfo, int sockfd,
const struct sockaddr *addr, socklen_t addrlen)
{
struct sockaddr_storage peer;
socklen_t peerlen = sizeof(peer);
fd_set wr_set, rd_set, ex_set;
int maxfd = sockfd;
int err;
set_sock_nonblock(sockfd);
if (vpninfo->protect_socket)
vpninfo->protect_socket(vpninfo->cbdata, sockfd);
if (connect(sockfd, addr, addrlen) < 0 && !connect_pending()) {
#ifdef _WIN32
return WSAGetLastError();
#else
return -errno;
#endif
}
do {
FD_ZERO(&wr_set);
FD_ZERO(&rd_set);
FD_ZERO(&ex_set);
FD_SET(sockfd, &wr_set);
#ifdef _WIN32 /* Windows indicates failure this way, not in wr_set */
FD_SET(sockfd, &ex_set);
#endif
cmd_fd_set(vpninfo, &rd_set, &maxfd);
select(maxfd + 1, &rd_set, &wr_set, &ex_set, NULL);
if (is_cancel_pending(vpninfo, &rd_set)) {
vpn_progress(vpninfo, PRG_ERR, _("Socket connect cancelled\n"));
return -EINTR;
}
} while (!FD_ISSET(sockfd, &wr_set) && !FD_ISSET(sockfd, &ex_set) &&
!vpninfo->got_pause_cmd);
/* Check whether connect() succeeded or failed by using
getpeername(). See http://cr.yp.to/docs/connect.html */
if (!getpeername(sockfd, (void *)&peer, &peerlen))
return 0;
#ifdef _WIN32 /* On Windows, use getsockopt() to determine the error.
* We don't ddo this on Windows because it just reports
* -ENOTCONN, which we already knew. */
err = WSAGetLastError();
if (err == WSAENOTCONN) {
socklen_t errlen = sizeof(err);
getsockopt(sockfd, SOL_SOCKET, SO_ERROR,
(void *)&err, &errlen);
}
#else
err = -errno;
if (err == -ENOTCONN) {
int ch;
if (read(sockfd, &ch, 1) < 0)
err = -errno;
/* It should *always* fail! */
}
#endif
return err;
}
