static int init_esp_ciphers(struct openconnect_info *vpninfo, struct esp *esp,
const EVP_MD *macalg, const EVP_CIPHER *encalg, int decrypt)
{
int ret;
destroy_esp_ciphers(esp);
EVP_CIPHER_CTX_init(&esp->cipher);
if (decrypt)
ret = EVP_DecryptInit_ex(&esp->cipher, encalg, NULL, esp->secrets, NULL);
else
ret = EVP_EncryptInit_ex(&esp->cipher, encalg, NULL, esp->secrets, NULL);
if (!ret) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to initialise ESP cipher:\n"));
openconnect_report_ssl_errors(vpninfo);
return -EIO;
}
EVP_CIPHER_CTX_set_padding(&esp->cipher, 0);
HMAC_CTX_init(&esp->hmac);
if (!HMAC_Init_ex(&esp->hmac, esp->secrets + EVP_CIPHER_key_length(encalg),
EVP_MD_size(macalg), macalg, NULL)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to initialize ESP HMAC\n"));
openconnect_report_ssl_errors(vpninfo);
destroy_esp_ciphers(esp);
}
esp->seq = 0;
esp->seq_backlog = 0;
return 0;
}
static int load_tpm_certificate(struct openconnect_info *vpninfo)
{
ENGINE *e;
EVP_PKEY *key;
UI_METHOD *meth = NULL;
int ret = 0;
ENGINE_load_builtin_engines();
e = ENGINE_by_id("tpm");
if (!e) {
vpn_progress(vpninfo, PRG_ERR, _("Can't load TPM engine.\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
if (!ENGINE_init(e) || !ENGINE_set_default_RSA(e) ||
!ENGINE_set_default_RAND(e)) {
vpn_progress(vpninfo, PRG_ERR, _("Failed to init TPM engine\n"));
openconnect_report_ssl_errors(vpninfo);
ENGINE_free(e);
return -EINVAL;
}
if (vpninfo->cert_password) {
if (!ENGINE_ctrl_cmd(e, "PIN", strlen(vpninfo->cert_password),
vpninfo->cert_password, NULL, 0)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to set TPM SRK password\n"));
openconnect_report_ssl_errors(vpninfo);
}
vpninfo->cert_password = NULL;
free(vpninfo->cert_password);
} else {
/* Provide our own UI method to handle the PIN callback. */
meth = create_openssl_ui(vpninfo);
}
key = ENGINE_load_private_key(e, vpninfo->sslkey, meth, NULL);
if (meth)
UI_destroy_method(meth);
if (!key) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to load TPM private key\n"));
openconnect_report_ssl_errors(vpninfo);
ret = -EINVAL;
goto out;
}
if (!SSL_CTX_use_PrivateKey(vpninfo->https_ctx, key)) {
vpn_progress(vpninfo, PRG_ERR, _("Add key from TPM failed\n"));
openconnect_report_ssl_errors(vpninfo);
ret = -EINVAL;
}
EVP_PKEY_free(key);
out:
ENGINE_finish(e);
ENGINE_free(e);
return ret;
}
int encrypt_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt)
{
int i, padlen;
const int blksize = 16;
unsigned int hmac_len = 20;
int crypt_len;
HMAC_CTX hmac_ctx;
/* This gets much more fun if the IV is variable-length */
pkt->esp.spi = vpninfo->esp_out.spi;
pkt->esp.seq = htonl(vpninfo->esp_out.seq++);
if (!RAND_bytes((void *)&pkt->esp.iv, sizeof(pkt->esp.iv))) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to generate random IV for ESP packet:\n"));
openconnect_report_ssl_errors(vpninfo);
return -EIO;
}
padlen = blksize - 1 - ((pkt->len + 1) % blksize);
for (i=0; i<padlen; i++)
pkt->data[pkt->len + i] = i + 1;
pkt->data[pkt->len + padlen] = padlen;
pkt->data[pkt->len + padlen + 1] = 0x04; /* Legacy IP */
if (!EVP_EncryptInit_ex(&vpninfo->esp_out.cipher, NULL, NULL, NULL,
pkt->esp.iv)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to set up encryption context for ESP packet:\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
crypt_len = pkt->len + padlen + 2;
if (!EVP_EncryptUpdate(&vpninfo->esp_out.cipher, pkt->data, &crypt_len,
pkt->data, crypt_len)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to encrypt ESP packet:\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
HMAC_CTX_copy(&hmac_ctx, &vpninfo->esp_out.hmac);
HMAC_Update(&hmac_ctx, (void *)&pkt->esp, sizeof(pkt->esp) + crypt_len);
HMAC_Final(&hmac_ctx, pkt->data + crypt_len, &hmac_len);
HMAC_CTX_cleanup(&hmac_ctx);
return sizeof(pkt->esp) + crypt_len + 12;
}
static int reload_pem_cert(struct openconnect_info *vpninfo)
{
BIO *b = BIO_new(BIO_s_file_internal());
char buf[200];
if (!b)
return -ENOMEM;
if (BIO_read_filename(b, vpninfo->cert) <= 0) {
err:
BIO_free(b);
vpn_progress(vpninfo, PRG_ERR,
_("Failed to reload X509 cert for expiry check\n"));
openconnect_report_ssl_errors(vpninfo);
return -EIO;
}
vpninfo->cert_x509 = PEM_read_bio_X509_AUX(b, NULL, NULL, NULL);
BIO_free(b);
if (!vpninfo->cert_x509)
goto err;
X509_NAME_oneline(X509_get_subject_name(vpninfo->cert_x509), buf, sizeof(buf));
vpn_progress(vpninfo, PRG_INFO,
_("Using client certificate '%s'\n"), buf);
return 0;
}
int openconnect_SSL_read(struct openconnect_info *vpninfo, char *buf, size_t len)
{
int done;
while ((done = SSL_read(vpninfo->https_ssl, buf, len)) == -1) {
int err = SSL_get_error(vpninfo->https_ssl, done);
fd_set wr_set, rd_set;
int maxfd = vpninfo->ssl_fd;
FD_ZERO(&wr_set);
FD_ZERO(&rd_set);
if (err == SSL_ERROR_WANT_READ)
FD_SET(vpninfo->ssl_fd, &rd_set);
else if (err == SSL_ERROR_WANT_WRITE)
FD_SET(vpninfo->ssl_fd, &wr_set);
else {
vpn_progress(vpninfo, PRG_ERR, _("Failed to read from SSL socket\n"));
openconnect_report_ssl_errors(vpninfo);
return -EIO;
}
cmd_fd_set(vpninfo, &rd_set, &maxfd);
select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
if (is_cancel_pending(vpninfo, &rd_set)) {
vpn_progress(vpninfo, PRG_ERR, _("SSL read cancelled\n"));
return -EINTR;
}
}
return done;
}
/* pkt->len shall be the *payload* length. Omitting the header and the 12-byte HMAC */
int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp, struct pkt *pkt)
{
unsigned char hmac_buf[20];
unsigned int hmac_len = sizeof(hmac_buf);
int crypt_len = pkt->len;
HMAC_CTX hmac_ctx;
HMAC_CTX_copy(&hmac_ctx, &esp->hmac);
HMAC_Update(&hmac_ctx, (void *)&pkt->esp, sizeof(pkt->esp) + pkt->len);
HMAC_Final(&hmac_ctx, hmac_buf, &hmac_len);
HMAC_CTX_cleanup(&hmac_ctx);
if (memcmp(hmac_buf, pkt->data + pkt->len, 12)) {
vpn_progress(vpninfo, PRG_DEBUG,
_("Received ESP packet with invalid HMAC\n"));
return -EINVAL;
}
/* Why in $DEITY's name would you ever *not* set this? Perhaps we
* should do th check anyway, but only warn instead of discarding
* the packet? */
if (vpninfo->esp_replay_protect &&
verify_packet_seqno(vpninfo, esp, ntohl(pkt->esp.seq)))
return -EINVAL;
if (!EVP_DecryptInit_ex(&esp->cipher, NULL, NULL, NULL,
pkt->esp.iv)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to set up decryption context for ESP packet:\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
if (!EVP_DecryptUpdate(&esp->cipher, pkt->data, &crypt_len,
pkt->data, pkt->len)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to decrypt ESP packet:\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
return 0;
}
int openconnect_SSL_gets(struct openconnect_info *vpninfo, char *buf, size_t len)
{
int i = 0;
int ret;
if (len < 2)
return -EINVAL;
while (1) {
ret = SSL_read(vpninfo->https_ssl, buf + i, 1);
if (ret == 1) {
if (buf[i] == '\n') {
buf[i] = 0;
if (i && buf[i-1] == '\r') {
buf[i-1] = 0;
i--;
}
return i;
}
i++;
if (i >= len - 1) {
buf[i] = 0;
return i;
}
} else {
fd_set rd_set, wr_set;
int maxfd = vpninfo->ssl_fd;
FD_ZERO(&rd_set);
FD_ZERO(&wr_set);
ret = SSL_get_error(vpninfo->https_ssl, ret);
if (ret == SSL_ERROR_WANT_READ)
FD_SET(vpninfo->ssl_fd, &rd_set);
else if (ret == SSL_ERROR_WANT_WRITE)
FD_SET(vpninfo->ssl_fd, &wr_set);
else {
vpn_progress(vpninfo, PRG_ERR, _("Failed to read from SSL socket\n"));
openconnect_report_ssl_errors(vpninfo);
ret = -EIO;
break;
}
cmd_fd_set(vpninfo, &rd_set, &maxfd);
select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
if (is_cancel_pending(vpninfo, &rd_set)) {
vpn_progress(vpninfo, PRG_ERR, _("SSL read cancelled\n"));
ret = -EINTR;
break;
}
}
}
buf[i] = 0;
return i ?: ret;
}
static SSL_SESSION *generate_dtls_session(struct openconnect_info *vpninfo,
int dtlsver, const SSL_CIPHER *cipher)
{
struct oc_text_buf *buf = buf_alloc();
SSL_SESSION *dtls_session;
const unsigned char *asn;
uint16_t cid;
buf_append_bytes(buf, "\x30\x80", 2); // SEQUENCE, indeterminate length
buf_append_INTEGER(buf, 1 /* SSL_SESSION_ASN1_VERSION */);
buf_append_INTEGER(buf, dtlsver);
store_be16(&cid, SSL_CIPHER_get_id(cipher) & 0xffff);
buf_append_OCTET_STRING(buf, &cid, 2);
buf_append_OCTET_STRING(buf, vpninfo->dtls_session_id,
sizeof(vpninfo->dtls_session_id));
buf_append_OCTET_STRING(buf, vpninfo->dtls_secret,
sizeof(vpninfo->dtls_secret));
/* If the length actually fits in one byte (which it should), do
* it that way. Else, leave it indeterminate and add two
* end-of-contents octets to mark the end of the SEQUENCE. */
if (!buf_error(buf) && buf->pos <= 0x80)
buf->data[1] = buf->pos - 2;
else
buf_append_bytes(buf, "\0\0", 2);
if (buf_error(buf)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to create SSL_SESSION ASN.1 for OpenSSL: %s\n"),
strerror(buf_error(buf)));
buf_free(buf);
return NULL;
}
asn = (void *)buf->data;
dtls_session = d2i_SSL_SESSION(NULL, &asn, buf->pos);
buf_free(buf);
if (!dtls_session) {
vpn_progress(vpninfo, PRG_ERR,
_("OpenSSL failed to parse SSL_SESSION ASN.1\n"));
openconnect_report_ssl_errors(vpninfo);
return NULL;
}
return dtls_session;
}
static int is_pem_password_error(struct openconnect_info *vpninfo)
{
unsigned long err = ERR_peek_error();
openconnect_report_ssl_errors(vpninfo);
#ifndef EVP_F_EVP_DECRYPTFINAL_EX
#define EVP_F_EVP_DECRYPTFINAL_EX EVP_F_EVP_DECRYPTFINAL
#endif
/* If the user fat-fingered the passphrase, try again */
if (ERR_GET_LIB(err) == ERR_LIB_EVP &&
ERR_GET_FUNC(err) == EVP_F_EVP_DECRYPTFINAL_EX &&
ERR_GET_REASON(err) == EVP_R_BAD_DECRYPT) {
vpn_progress(vpninfo, PRG_ERR,
_("Loading private key failed (wrong passphrase?)\n"));
ERR_clear_error();
return 1;
}
vpn_progress(vpninfo, PRG_ERR,
_("Loading private key failed (see above errors)\n"));
return 0;
}
static int load_pkcs12_certificate(struct openconnect_info *vpninfo, PKCS12 *p12)
{
EVP_PKEY *pkey = NULL;
X509 *cert = NULL;
STACK_OF(X509) *ca;
int ret = 0;
char *pass;
pass = vpninfo->cert_password;
vpninfo->cert_password = NULL;
retrypass:
/* We do this every time round the loop, to work around a bug in
OpenSSL < 1.0.0-beta2 -- where the stack at *ca will be freed
when PKCS12_parse() returns an error, but *ca is left pointing
to the freed memory. */
ca = NULL;
if (!pass && request_passphrase(vpninfo, "openconnect_pkcs12", &pass,
_("Enter PKCS#12 pass phrase:")) < 0) {
PKCS12_free(p12);
return -EINVAL;
}
if (!PKCS12_parse(p12, pass, &pkey, &cert, &ca)) {
unsigned long err = ERR_peek_error();
openconnect_report_ssl_errors(vpninfo);
if (ERR_GET_LIB(err) == ERR_LIB_PKCS12 &&
ERR_GET_FUNC(err) == PKCS12_F_PKCS12_PARSE &&
ERR_GET_REASON(err) == PKCS12_R_MAC_VERIFY_FAILURE) {
vpn_progress(vpninfo, PRG_ERR,
_("Parse PKCS#12 failed (wrong passphrase?)\n"));
free(pass);
pass = NULL;
goto retrypass;
}
vpn_progress(vpninfo, PRG_ERR,
_("Parse PKCS#12 failed (see above errors)\n"));
PKCS12_free(p12);
free(pass);
return -EINVAL;
}
free(pass);
if (cert) {
char buf[200];
vpninfo->cert_x509 = cert;
SSL_CTX_use_certificate(vpninfo->https_ctx, cert);
X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
vpn_progress(vpninfo, PRG_INFO,
_("Using client certificate '%s'\n"), buf);
} else {
vpn_progress(vpninfo, PRG_ERR,
_("PKCS#12 contained no certificate!"));
ret = -EINVAL;
}
if (pkey) {
SSL_CTX_use_PrivateKey(vpninfo->https_ctx, pkey);
EVP_PKEY_free(pkey);
} else {
vpn_progress(vpninfo, PRG_ERR,
_("PKCS#12 contained no private key!"));
ret = -EINVAL;
}
/* Only include supporting certificates which are actually necessary */
if (ca) {
int i;
next:
for (i = 0; i < sk_X509_num(ca); i++) {
X509 *cert2 = sk_X509_value(ca, i);
if (X509_check_issued(cert2, cert) == X509_V_OK) {
char buf[200];
if (cert2 == cert)
break;
if (X509_check_issued(cert2, cert2) == X509_V_OK)
break;
X509_NAME_oneline(X509_get_subject_name(cert2),
buf, sizeof(buf));
vpn_progress(vpninfo, PRG_DEBUG,
_("Extra cert from PKCS#12: '%s'\n"), buf);
CRYPTO_add(&cert2->references, 1, CRYPTO_LOCK_X509);
SSL_CTX_add_extra_chain_cert(vpninfo->https_ctx, cert2);
cert = cert2;
goto next;
}
}
sk_X509_pop_free(ca, X509_free);
}
PKCS12_free(p12);
return ret;
}
int openconnect_open_https(struct openconnect_info *vpninfo)
{
method_const SSL_METHOD *ssl3_method;
SSL *https_ssl;
BIO *https_bio;
int ssl_sock;
int err;
if (vpninfo->https_ssl)
return 0;
if (vpninfo->peer_cert) {
X509_free(vpninfo->peer_cert);
vpninfo->peer_cert = NULL;
}
ssl_sock = connect_https_socket(vpninfo);
if (ssl_sock < 0)
return ssl_sock;
ssl3_method = TLSv1_client_method();
if (!vpninfo->https_ctx) {
vpninfo->https_ctx = SSL_CTX_new(ssl3_method);
/* Some servers (or their firewalls) really don't like seeing
extensions. */
#ifdef SSL_OP_NO_TICKET
SSL_CTX_set_options(vpninfo->https_ctx, SSL_OP_NO_TICKET);
#endif
if (vpninfo->cert) {
err = load_certificate(vpninfo);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Loading certificate failed. Aborting.\n"));
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return err;
}
check_certificate_expiry(vpninfo);
}
/* We just want to do:
SSL_CTX_set_purpose(vpninfo->https_ctx, X509_PURPOSE_ANY);
... but it doesn't work with OpenSSL < 0.9.8k because of
problems with inheritance (fixed in v1.1.4.6 of
crypto/x509/x509_vpm.c) so we have to play silly buggers
instead. This trick doesn't work _either_ in < 0.9.7 but
I don't know of _any_ workaround which will, and can't
be bothered to find out either. */
#if OPENSSL_VERSION_NUMBER >= 0x00908000
SSL_CTX_set_cert_verify_callback(vpninfo->https_ctx,
ssl_app_verify_callback, NULL);
#endif
SSL_CTX_set_default_verify_paths(vpninfo->https_ctx);
#ifdef ANDROID_KEYSTORE
if (vpninfo->cafile && !strncmp(vpninfo->cafile, "keystore:", 9)) {
STACK_OF(X509_INFO) *stack;
X509_STORE *store;
X509_INFO *info;
BIO *b = BIO_from_keystore(vpninfo, vpninfo->cafile);
if (!b) {
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -EINVAL;
}
stack = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL);
BIO_free(b);
if (!stack) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to read certs from CA file '%s'\n"),
vpninfo->cafile);
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -ENOENT;
}
store = SSL_CTX_get_cert_store(vpninfo->https_ctx);
while ((info = sk_X509_INFO_pop(stack))) {
if (info->x509)
X509_STORE_add_cert(store, info->x509);
if (info->crl)
X509_STORE_add_crl(store, info->crl);
X509_INFO_free(info);
}
sk_X509_INFO_free(stack);
} else
#endif
if (vpninfo->cafile) {
if (!SSL_CTX_load_verify_locations(vpninfo->https_ctx, vpninfo->cafile, NULL)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to open CA file '%s'\n"),
vpninfo->cafile);
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->https_ctx);
vpninfo->https_ctx = NULL;
close(ssl_sock);
return -EINVAL;
}
}
}
https_ssl = SSL_new(vpninfo->https_ctx);
workaround_openssl_certchain_bug(vpninfo, https_ssl);
https_bio = BIO_new_socket(ssl_sock, BIO_NOCLOSE);
BIO_set_nbio(https_bio, 1);
SSL_set_bio(https_ssl, https_bio, https_bio);
vpn_progress(vpninfo, PRG_INFO, _("SSL negotiation with %s\n"),
vpninfo->hostname);
while ((err = SSL_connect(https_ssl)) <= 0) {
fd_set wr_set, rd_set;
int maxfd = ssl_sock;
FD_ZERO(&wr_set);
FD_ZERO(&rd_set);
err = SSL_get_error(https_ssl, err);
if (err == SSL_ERROR_WANT_READ)
FD_SET(ssl_sock, &rd_set);
else if (err == SSL_ERROR_WANT_WRITE)
FD_SET(ssl_sock, &wr_set);
else {
vpn_progress(vpninfo, PRG_ERR, _("SSL connection failure\n"));
openconnect_report_ssl_errors(vpninfo);
SSL_free(https_ssl);
close(ssl_sock);
return -EINVAL;
}
cmd_fd_set(vpninfo, &rd_set, &maxfd);
select(maxfd + 1, &rd_set, &wr_set, NULL, NULL);
if (is_cancel_pending(vpninfo, &rd_set)) {
vpn_progress(vpninfo, PRG_ERR, _("SSL connection cancelled\n"));
SSL_free(https_ssl);
close(ssl_sock);
return -EINVAL;
}
}
if (verify_peer(vpninfo, https_ssl)) {
SSL_free(https_ssl);
close(ssl_sock);
return -EINVAL;
}
vpninfo->ssl_fd = ssl_sock;
vpninfo->https_ssl = https_ssl;
/* Stash this now, because it might not be available later if the
server has disconnected. */
vpninfo->peer_cert = SSL_get_peer_certificate(vpninfo->https_ssl);
vpn_progress(vpninfo, PRG_INFO, _("Connected to HTTPS on %s\n"),
vpninfo->hostname);
return 0;
}
int dtls_try_handshake(struct openconnect_info *vpninfo)
{
int ret = SSL_do_handshake(vpninfo->new_dtls_ssl);
if (ret == 1) {
vpn_progress(vpninfo, PRG_INFO, _("Established DTLS connection (using OpenSSL)\n"));
dtls_close(vpninfo, 0);
vpninfo->dtls_ssl = vpninfo->new_dtls_ssl;
vpninfo->dtls_fd = vpninfo->new_dtls_fd;
vpninfo->new_dtls_ssl = NULL;
vpninfo->new_dtls_fd = -1;
vpninfo->dtls_times.last_rx = vpninfo->dtls_times.last_tx = time(NULL);
/* From about 8.4.1(11) onwards, the ASA seems to get
very unhappy if we resend ChangeCipherSpec messages
after the initial setup. This was "fixed" in OpenSSL
1.0.0e for RT#2505, but it's not clear if that was
the right fix. What happens if the original packet
*does* get lost? Surely we *wanted* the retransmits,
because without them the server will never be able
to decrypt anything we send?
Oh well, our retransmitted packets upset the server
because we don't get the Cisco-compatibility right
(this is one of the areas in which Cisco's DTLS differs
from the RFC4347 spec), and DPD should help us notice
if *nothing* is getting through. */
#if OPENSSL_VERSION_NUMBER >= 0x1000005fL
/* OpenSSL 1.0.0e or above doesn't resend anyway; do nothing.
However, if we were *built* against 1.0.0e or newer, but at
runtime we find that we are being run against an older
version, warn about it. */
if (SSLeay() < 0x1000005fL) {
vpn_progress(vpninfo, PRG_ERR,
_("Your OpenSSL is older than the one you built against, so DTLS may fail!"));
}
#elif defined(HAVE_DTLS1_STOP_TIMER)
/*
* This works for any normal OpenSSL that supports
* Cisco DTLS compatibility (0.9.8m to 1.0.0d inclusive,
* and even later versions although it isn't needed there.
*/
dtls1_stop_timer(vpninfo->dtls_ssl);
#elif defined(BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT)
/*
* Debian restricts visibility of dtls1_stop_timer()
* so do it manually. This version also works on all
* sane versions of OpenSSL:
*/
memset(&(vpninfo->dtls_ssl->d1->next_timeout), 0,
sizeof((vpninfo->dtls_ssl->d1->next_timeout)));
vpninfo->dtls_ssl->d1->timeout_duration = 1;
BIO_ctrl(SSL_get_rbio(vpninfo->dtls_ssl),
BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
&(vpninfo->dtls_ssl->d1->next_timeout));
#elif defined(BIO_CTRL_DGRAM_SET_TIMEOUT)
/*
* OK, here it gets more fun... this shoul handle the case
* of older OpenSSL which has the Cisco DTLS compatibility
* backported, but *not* the fix for RT#1922.
*/
BIO_ctrl(SSL_get_rbio(vpninfo->dtls_ssl),
BIO_CTRL_DGRAM_SET_TIMEOUT, 0, NULL);
#else
/*
* And if they don't have any of the above, they probably
* don't have RT#1829 fixed either, but that's OK because
* that's the "fix" that *introduces* the timeout we're
* trying to disable. So do nothing...
*/
#endif
return 0;
}
ret = SSL_get_error(vpninfo->new_dtls_ssl, ret);
if (ret == SSL_ERROR_WANT_WRITE || ret == SSL_ERROR_WANT_READ) {
static int badossl_bitched = 0;
if (time(NULL) < vpninfo->new_dtls_started + 5)
return 0;
if (((OPENSSL_VERSION_NUMBER >= 0x100000b0L && OPENSSL_VERSION_NUMBER <= 0x100000c0L) || \
(OPENSSL_VERSION_NUMBER >= 0x10001040L && OPENSSL_VERSION_NUMBER <= 0x10001060L) || \
OPENSSL_VERSION_NUMBER == 0x10002000L) && !badossl_bitched) {
badossl_bitched = 1;
vpn_progress(vpninfo, PRG_ERR, _("DTLS handshake timed out\n"));
vpn_progress(vpninfo, PRG_ERR, _("This is probably because your OpenSSL is broken\n"
"See http://rt.openssl.org/Ticket/Display.html?id=2984\n"));
} else {
vpn_progress(vpninfo, PRG_TRACE, _("DTLS handshake timed out\n"));
}
}
vpn_progress(vpninfo, PRG_ERR, _("DTLS handshake failed: %d\n"), ret);
openconnect_report_ssl_errors(vpninfo);
/* Kill both the new (failed) connection and the old one too. The
only time there'll be a valid existing session is when it was a
rekey, and in that case it's time for the old one to die. */
dtls_close(vpninfo, 1);
time(&vpninfo->new_dtls_started);
return -EINVAL;
}
int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
{
STACK_OF(SSL_CIPHER) *ciphers;
method_const SSL_METHOD *dtls_method;
SSL_SESSION *dtls_session;
SSL *dtls_ssl;
BIO *dtls_bio;
int dtlsver = DTLS1_BAD_VER;
const char *cipher = vpninfo->dtls_cipher;
#ifdef HAVE_DTLS12
if (!strcmp(cipher, "OC-DTLS1_2-AES128-GCM")) {
dtlsver = DTLS1_2_VERSION;
cipher = "AES128-GCM-SHA256";
} else if (!strcmp(cipher, "OC-DTLS1_2-AES256-GCM")) {
dtlsver = DTLS1_2_VERSION;
cipher = "AES256-GCM-SHA384";
#ifndef OPENSSL_NO_PSK
} else if (!strcmp(cipher, "PSK-NEGOTIATE")) {
dtlsver = 0; /* Let it negotiate */
#endif
}
#endif
if (!vpninfo->dtls_ctx) {
#ifdef HAVE_DTLS12
dtls_method = DTLS_client_method();
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
if (dtlsver == DTLS1_BAD_VER)
dtls_method = DTLSv1_client_method();
#ifdef HAVE_DTLS12
else if (dtlsver == DTLS1_2_VERSION)
dtls_method = DTLSv1_2_client_method();
#endif
#endif
vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
if (!vpninfo->dtls_ctx) {
vpn_progress(vpninfo, PRG_ERR,
_("Initialise DTLSv1 CTX failed\n"));
openconnect_report_ssl_errors(vpninfo);
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
if (dtlsver) {
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
if (dtlsver == DTLS1_BAD_VER)
SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_CISCO_ANYCONNECT);
#else
if (!SSL_CTX_set_min_proto_version(vpninfo->dtls_ctx, dtlsver) ||
!SSL_CTX_set_max_proto_version(vpninfo->dtls_ctx, dtlsver)) {
vpn_progress(vpninfo, PRG_ERR,
_("Set DTLS CTX version failed\n"));
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
#endif
#if defined (HAVE_DTLS12) && !defined(OPENSSL_NO_PSK)
} else {
SSL_CTX_set_psk_client_callback(vpninfo->dtls_ctx, psk_callback);
/* For PSK we override the DTLS master secret with one derived
* from the HTTPS session. */
if (!SSL_export_keying_material(vpninfo->https_ssl,
vpninfo->dtls_secret, PSK_KEY_SIZE,
PSK_LABEL, PSK_LABEL_SIZE, NULL, 0, 0)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to generate DTLS key\n"));
openconnect_report_ssl_errors(vpninfo);
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
SSL_CTX_add_client_custom_ext(vpninfo->dtls_ctx, DTLS_APP_ID_EXT,
pskident_add, pskident_free, vpninfo,
pskident_parse, vpninfo);
/* For SSL_CTX_set_cipher_list() */
cipher = "PSK";
#endif
}
/* If we don't readahead, then we do short reads and throw
away the tail of data packets. */
SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
if (!SSL_CTX_set_cipher_list(vpninfo->dtls_ctx, cipher)) {
vpn_progress(vpninfo, PRG_ERR,
_("Set DTLS cipher list failed\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
}
dtls_ssl = SSL_new(vpninfo->dtls_ctx);
SSL_set_connect_state(dtls_ssl);
SSL_set_app_data(dtls_ssl, vpninfo);
if (dtlsver) {
ciphers = SSL_get_ciphers(dtls_ssl);
if (dtlsver != 0 && sk_SSL_CIPHER_num(ciphers) != 1) {
vpn_progress(vpninfo, PRG_ERR, _("Not precisely one DTLS cipher\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_free(dtls_ssl);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
/* We're going to "resume" a session which never existed. Fake it... */
dtls_session = generate_dtls_session(vpninfo, dtlsver,
sk_SSL_CIPHER_value(ciphers, 0));
if (!dtls_session) {
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_free(dtls_ssl);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
/* Add the generated session to the SSL */
if (!SSL_set_session(dtls_ssl, dtls_session)) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL_set_session() failed with old protocol version 0x%x\n"
"Are you using a version of OpenSSL older than 0.9.8m?\n"
"See http://rt.openssl.org/Ticket/Display.html?id=1751\n"
"Use the --no-dtls command line option to avoid this message\n"),
DTLS1_BAD_VER);
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_free(dtls_ssl);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
SSL_SESSION_free(dtls_session);
return -EINVAL;
}
/* We don't need our own refcount on it any more */
SSL_SESSION_free(dtls_session);
}
dtls_bio = BIO_new_socket(dtls_fd, BIO_NOCLOSE);
/* Set non-blocking */
BIO_set_nbio(dtls_bio, 1);
SSL_set_bio(dtls_ssl, dtls_bio, dtls_bio);
vpninfo->dtls_ssl = dtls_ssl;
return 0;
}
int setup_esp_keys(struct openconnect_info *vpninfo)
{
struct esp *esp_in;
const EVP_CIPHER *encalg;
const EVP_MD *macalg;
int ret;
if (vpninfo->dtls_state == DTLS_DISABLED)
return -EOPNOTSUPP;
if (!vpninfo->dtls_addr)
return -EINVAL;
switch (vpninfo->esp_enc) {
case 0x02:
encalg = EVP_aes_128_cbc();
break;
case 0x05:
encalg = EVP_aes_256_cbc();
break;
default:
return -EINVAL;
}
switch (vpninfo->esp_hmac) {
case 0x01:
macalg = EVP_md5();
break;
case 0x02:
macalg = EVP_sha1();
break;
default:
return -EINVAL;
}
vpninfo->old_esp_maxseq = vpninfo->esp_in[vpninfo->current_esp_in].seq + 32;
vpninfo->current_esp_in ^= 1;
esp_in = &vpninfo->esp_in[vpninfo->current_esp_in];
if (!RAND_bytes((void *)&esp_in->spi, sizeof(esp_in->spi)) ||
!RAND_bytes((void *)&esp_in->secrets, sizeof(esp_in->secrets))) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to generate random keys for ESP:\n"));
openconnect_report_ssl_errors(vpninfo);
return -EIO;
}
ret = init_esp_ciphers(vpninfo, &vpninfo->esp_out, macalg, encalg, 0);
if (ret)
return ret;
ret = init_esp_ciphers(vpninfo, esp_in, macalg, encalg, 1);
if (ret) {
destroy_esp_ciphers(&vpninfo->esp_out);
return ret;
}
if (vpninfo->dtls_state == DTLS_NOSECRET)
vpninfo->dtls_state = DTLS_SECRET;
vpninfo->pkt_trailer = 16 + 20; /* 16 for pad, 20 for HMAC (of which we use 16) */
return 0;
}
int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
{
int work_done = 0;
char magic_pkt;
while (1) {
int len = vpninfo->ip_info.mtu;
unsigned char *buf;
if (!dtls_pkt || len > dtls_pkt_max) {
realloc_inplace(dtls_pkt, sizeof(struct pkt) + len);
if (!dtls_pkt) {
vpn_progress(vpninfo, PRG_ERR, "Allocation failed\n");
break;
}
dtls_pkt_max = len;
}
buf = dtls_pkt->data - 1;
len = DTLS_RECV(vpninfo->dtls_ssl, buf, len + 1);
if (len <= 0)
break;
vpn_progress(vpninfo, PRG_TRACE,
_("Received DTLS packet 0x%02x of %d bytes\n"),
buf[0], len);
vpninfo->dtls_times.last_rx = time(NULL);
switch (buf[0]) {
case AC_PKT_DATA:
dtls_pkt->len = len - 1;
queue_packet(&vpninfo->incoming_queue, dtls_pkt);
dtls_pkt = NULL;
work_done = 1;
break;
case AC_PKT_DPD_OUT:
vpn_progress(vpninfo, PRG_TRACE, _("Got DTLS DPD request\n"));
/* FIXME: What if the packet doesn't get through? */
magic_pkt = AC_PKT_DPD_RESP;
if (DTLS_SEND(vpninfo->dtls_ssl, &magic_pkt, 1) != 1)
vpn_progress(vpninfo, PRG_ERR,
_("Failed to send DPD response. Expect disconnect\n"));
continue;
case AC_PKT_DPD_RESP:
vpn_progress(vpninfo, PRG_TRACE, _("Got DTLS DPD response\n"));
break;
case AC_PKT_KEEPALIVE:
vpn_progress(vpninfo, PRG_TRACE, _("Got DTLS Keepalive\n"));
break;
default:
vpn_progress(vpninfo, PRG_ERR,
_("Unknown DTLS packet type %02x, len %d\n"),
buf[0], len);
if (1) {
/* Some versions of OpenSSL have bugs with receiving out-of-order
* packets. Not only do they wrongly decide to drop packets if
* two packets get swapped in transit, but they also _fail_ to
* drop the packet in non-blocking mode; instead they return
* the appropriate length of garbage. So don't abort... for now. */
break;
} else {
vpninfo->quit_reason = "Unknown packet received";
return 1;
}
}
}
switch (keepalive_action(&vpninfo->dtls_times, timeout)) {
case KA_REKEY: {
int ret;
vpn_progress(vpninfo, PRG_INFO, _("DTLS rekey due\n"));
/* There ought to be a method of rekeying DTLS without tearing down
the CSTP session and restarting, but we don't (yet) know it */
ret = cstp_reconnect(vpninfo);
if (ret) {
vpn_progress(vpninfo, PRG_ERR, _("Reconnect failed\n"));
vpninfo->quit_reason = "CSTP reconnect failed";
return ret;
}
if (dtls_restart(vpninfo))
vpn_progress(vpninfo, PRG_ERR, _("DTLS rekey failed\n"));
return 1;
}
case KA_DPD_DEAD:
vpn_progress(vpninfo, PRG_ERR, _("DTLS Dead Peer Detection detected dead peer!\n"));
/* Fall back to SSL, and start a new DTLS connection */
dtls_restart(vpninfo);
return 1;
case KA_DPD:
vpn_progress(vpninfo, PRG_TRACE, _("Send DTLS DPD\n"));
magic_pkt = AC_PKT_DPD_OUT;
if (DTLS_SEND(vpninfo->dtls_ssl, &magic_pkt, 1) != 1)
vpn_progress(vpninfo, PRG_ERR,
_("Failed to send DPD request. Expect disconnect\n"));
/* last_dpd will just have been set */
vpninfo->dtls_times.last_tx = vpninfo->dtls_times.last_dpd;
work_done = 1;
break;
case KA_KEEPALIVE:
/* No need to send an explicit keepalive
if we have real data to send */
if (vpninfo->outgoing_queue)
break;
vpn_progress(vpninfo, PRG_TRACE, _("Send DTLS Keepalive\n"));
magic_pkt = AC_PKT_KEEPALIVE;
if (DTLS_SEND(vpninfo->dtls_ssl, &magic_pkt, 1) != 1)
vpn_progress(vpninfo, PRG_ERR,
_("Failed to send keepalive request. Expect disconnect\n"));
time(&vpninfo->dtls_times.last_tx);
work_done = 1;
break;
case KA_NONE:
;
}
/* Service outgoing packet queue */
FD_CLR(vpninfo->dtls_fd, &vpninfo->select_wfds);
while (vpninfo->outgoing_queue) {
struct pkt *this = vpninfo->outgoing_queue;
int ret;
vpninfo->outgoing_queue = this->next;
vpninfo->outgoing_qlen--;
/* One byte of header */
this->hdr[7] = AC_PKT_DATA;
#if defined(DTLS_OPENSSL)
ret = SSL_write(vpninfo->dtls_ssl, &this->hdr[7], this->len + 1);
if (ret <= 0) {
ret = SSL_get_error(vpninfo->dtls_ssl, ret);
if (ret == SSL_ERROR_WANT_WRITE) {
FD_SET(vpninfo->dtls_fd, &vpninfo->select_wfds);
vpninfo->outgoing_queue = this;
vpninfo->outgoing_qlen++;
} else if (ret != SSL_ERROR_WANT_READ) {
/* If it's a real error, kill the DTLS connection and
requeue the packet to be sent over SSL */
vpn_progress(vpninfo, PRG_ERR,
_("DTLS got write error %d. Falling back to SSL\n"),
ret);
openconnect_report_ssl_errors(vpninfo);
dtls_restart(vpninfo);
vpninfo->outgoing_queue = this;
vpninfo->outgoing_qlen++;
work_done = 1;
}
return work_done;
}
#elif defined(DTLS_GNUTLS)
ret = gnutls_record_send(vpninfo->dtls_ssl, &this->hdr[7], this->len + 1);
if (ret <= 0) {
if (ret != GNUTLS_E_AGAIN) {
vpn_progress(vpninfo, PRG_ERR,
_("DTLS got write error: %s. Falling back to SSL\n"),
gnutls_strerror(ret));
dtls_restart(vpninfo);
vpninfo->outgoing_queue = this;
vpninfo->outgoing_qlen++;
work_done = 1;
} else if (gnutls_record_get_direction(vpninfo->dtls_ssl)) {
FD_SET(vpninfo->dtls_fd, &vpninfo->select_wfds);
vpninfo->outgoing_queue = this;
vpninfo->outgoing_qlen++;
}
return work_done;
}
#endif
time(&vpninfo->dtls_times.last_tx);
vpn_progress(vpninfo, PRG_TRACE,
_("Sent DTLS packet of %d bytes; DTLS send returned %d\n"),
this->len, ret);
free(this);
}
return work_done;
}
int dtls_try_handshake(struct openconnect_info *vpninfo)
{
int ret = SSL_do_handshake(vpninfo->dtls_ssl);
if (ret == 1) {
const char *c;
if (!strcmp(vpninfo->dtls_cipher, "PSK-NEGOTIATE")) {
/* For PSK-NEGOTIATE, we have to determine the tunnel MTU
* for ourselves based on the base MTU */
int data_mtu = vpninfo->cstp_basemtu;
if (vpninfo->peer_addr->sa_family == IPPROTO_IPV6)
data_mtu -= 40; /* IPv6 header */
else
data_mtu -= 20; /* Legacy IP header */
data_mtu -= 8; /* UDP header */
if (data_mtu < 0) {
vpn_progress(vpninfo, PRG_ERR,
_("Peer MTU %d too small to allow DTLS\n"),
vpninfo->cstp_basemtu);
goto nodtls;
}
/* Reduce it by one because that's the payload header *inside*
* the encryption */
data_mtu = dtls_set_mtu(vpninfo, data_mtu) - 1;
if (data_mtu < 0)
goto nodtls;
if (data_mtu < vpninfo->ip_info.mtu) {
vpn_progress(vpninfo, PRG_INFO,
_("DTLS MTU reduced to %d\n"),
data_mtu);
vpninfo->ip_info.mtu = data_mtu;
}
} else if (!SSL_session_reused(vpninfo->dtls_ssl)) {
/* Someone attempting to hijack the DTLS session?
* A real server would never allow a full session
* establishment instead of the agreed resume. */
vpn_progress(vpninfo, PRG_ERR,
_("DTLS session resume failed; possible MITM attack. Disabling DTLS.\n"));
nodtls:
dtls_close(vpninfo);
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
vpninfo->dtls_state = DTLS_DISABLED;
return -EIO;
}
vpninfo->dtls_state = DTLS_CONNECTED;
vpn_progress(vpninfo, PRG_INFO,
_("Established DTLS connection (using OpenSSL). Ciphersuite %s.\n"),
SSL_get_cipher(vpninfo->dtls_ssl));
c = openconnect_get_dtls_compression(vpninfo);
if (c) {
vpn_progress(vpninfo, PRG_INFO,
_("DTLS connection compression using %s.\n"), c);
}
vpninfo->dtls_times.last_rekey = vpninfo->dtls_times.last_rx =
vpninfo->dtls_times.last_tx = time(NULL);
/* From about 8.4.1(11) onwards, the ASA seems to get
very unhappy if we resend ChangeCipherSpec messages
after the initial setup. This was "fixed" in OpenSSL
1.0.0e for RT#2505, but it's not clear if that was
the right fix. What happens if the original packet
*does* get lost? Surely we *wanted* the retransmits,
because without them the server will never be able
to decrypt anything we send?
Oh well, our retransmitted packets upset the server
because we don't get the Cisco-compatibility right
(this is one of the areas in which Cisco's DTLS differs
from the RFC4347 spec), and DPD should help us notice
if *nothing* is getting through. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/* OpenSSL 1.1.0 or above. Do nothing. The SSLeay() function
got renamed, and it's a pointless check in this case
anyway because there's *no* chance that we linked against
1.1.0 and are running against something older than 1.0.0e. */
#elif OPENSSL_VERSION_NUMBER >= 0x1000005fL
/* OpenSSL 1.0.0e or above doesn't resend anyway; do nothing.
However, if we were *built* against 1.0.0e or newer, but at
runtime we find that we are being run against an older
version, warn about it. */
if (SSLeay() < 0x1000005fL) {
vpn_progress(vpninfo, PRG_ERR,
_("Your OpenSSL is older than the one you built against, so DTLS may fail!"));
}
#elif defined(HAVE_DTLS1_STOP_TIMER)
/*
* This works for any normal OpenSSL that supports
* Cisco DTLS compatibility (0.9.8m to 1.0.0d inclusive,
* and even later versions although it isn't needed there.
*/
dtls1_stop_timer(vpninfo->dtls_ssl);
#elif defined(BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT)
/*
* Debian restricts visibility of dtls1_stop_timer()
* so do it manually. This version also works on all
* sane versions of OpenSSL:
*/
memset(&(vpninfo->dtls_ssl->d1->next_timeout), 0,
sizeof((vpninfo->dtls_ssl->d1->next_timeout)));
vpninfo->dtls_ssl->d1->timeout_duration = 1;
BIO_ctrl(SSL_get_rbio(vpninfo->dtls_ssl),
BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
&(vpninfo->dtls_ssl->d1->next_timeout));
#elif defined(BIO_CTRL_DGRAM_SET_TIMEOUT)
/*
* OK, here it gets more fun... this shoul handle the case
* of older OpenSSL which has the Cisco DTLS compatibility
* backported, but *not* the fix for RT#1922.
*/
BIO_ctrl(SSL_get_rbio(vpninfo->dtls_ssl),
BIO_CTRL_DGRAM_SET_TIMEOUT, 0, NULL);
#else
/*
* And if they don't have any of the above, they probably
* don't have RT#1829 fixed either, but that's OK because
* that's the "fix" that *introduces* the timeout we're
* trying to disable. So do nothing...
*/
#endif
dtls_detect_mtu(vpninfo);
return 0;
}
ret = SSL_get_error(vpninfo->dtls_ssl, ret);
if (ret == SSL_ERROR_WANT_WRITE || ret == SSL_ERROR_WANT_READ) {
static int badossl_bitched = 0;
if (time(NULL) < vpninfo->new_dtls_started + 12)
return 0;
if (((OPENSSL_VERSION_NUMBER >= 0x100000b0L && OPENSSL_VERSION_NUMBER <= 0x100000c0L) || \
(OPENSSL_VERSION_NUMBER >= 0x10001040L && OPENSSL_VERSION_NUMBER <= 0x10001060L) || \
OPENSSL_VERSION_NUMBER == 0x10002000L) && !badossl_bitched) {
badossl_bitched = 1;
vpn_progress(vpninfo, PRG_ERR, _("DTLS handshake timed out\n"));
vpn_progress(vpninfo, PRG_ERR, _("This is probably because your OpenSSL is broken\n"
"See http://rt.openssl.org/Ticket/Display.html?id=2984\n"));
} else {
vpn_progress(vpninfo, PRG_DEBUG, _("DTLS handshake timed out\n"));
}
}
vpn_progress(vpninfo, PRG_ERR, _("DTLS handshake failed: %d\n"), ret);
openconnect_report_ssl_errors(vpninfo);
dtls_close(vpninfo);
vpninfo->dtls_state = DTLS_SLEEPING;
time(&vpninfo->new_dtls_started);
return -EINVAL;
}
static int load_certificate(struct openconnect_info *vpninfo)
{
if (!strncmp(vpninfo->sslkey, "pkcs11:", 7) ||
!strncmp(vpninfo->cert, "pkcs11:", 7)) {
vpn_progress(vpninfo, PRG_ERR,
_("This binary built without PKCS#11 support\n"));
return -EINVAL;
}
vpn_progress(vpninfo, PRG_TRACE,
_("Using certificate file %s\n"), vpninfo->cert);
if (strncmp(vpninfo->cert, "keystore:", 9) &&
(vpninfo->cert_type == CERT_TYPE_PKCS12 ||
vpninfo->cert_type == CERT_TYPE_UNKNOWN)) {
FILE *f;
PKCS12 *p12;
f = fopen(vpninfo->cert, "r");
if (!f) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to open certificate file %s: %s\n"),
vpninfo->cert, strerror(errno));
return -ENOENT;
}
p12 = d2i_PKCS12_fp(f, NULL);
fclose(f);
if (p12)
return load_pkcs12_certificate(vpninfo, p12);
/* Not PKCS#12 */
if (vpninfo->cert_type == CERT_TYPE_PKCS12) {
vpn_progress(vpninfo, PRG_ERR, _("Read PKCS#12 failed\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
/* Clear error and fall through to see if it's a PEM file... */
ERR_clear_error();
}
/* It's PEM or TPM now, and either way we need to load the plain cert: */
#ifdef ANDROID_KEYSTORE
if (!strncmp(vpninfo->cert, "keystore:", 9)) {
BIO *b = BIO_from_keystore(vpninfo, vpninfo->cert);
if (!b)
return -EINVAL;
vpninfo->cert_x509 = PEM_read_bio_X509_AUX(b, NULL, pem_pw_cb, vpninfo);
BIO_free(b);
if (!vpninfo->cert_x509) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to load X509 certificate from keystore\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
if (!SSL_CTX_use_certificate(vpninfo->https_ctx, vpninfo->cert_x509)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to use X509 certificate from keystore\n"));
openconnect_report_ssl_errors(vpninfo);
X509_free(vpninfo->cert_x509);
vpninfo->cert_x509 = NULL;
return -EINVAL;
}
} else
#endif /* ANDROID_KEYSTORE */
{
if (!SSL_CTX_use_certificate_chain_file(vpninfo->https_ctx,
vpninfo->cert)) {
vpn_progress(vpninfo, PRG_ERR,
_("Loading certificate failed\n"));
openconnect_report_ssl_errors(vpninfo);
return -EINVAL;
}
/* Ew, we can't get it back from the OpenSSL CTX in any sane fashion */
reload_pem_cert(vpninfo);
}
#ifdef ANDROID_KEYSTORE
if (!strncmp(vpninfo->sslkey, "keystore:", 9)) {
EVP_PKEY *key;
BIO *b;
again_android:
b = BIO_from_keystore(vpninfo, vpninfo->sslkey);
if (!b)
return -EINVAL;
key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, vpninfo);
BIO_free(b);
if (!key) {
if (is_pem_password_error(vpninfo))
goto again_android;
return -EINVAL;
}
if (!SSL_CTX_use_PrivateKey(vpninfo->https_ctx, key)) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to use private key from keystore\n"));
EVP_PKEY_free(key);
X509_free(vpninfo->cert_x509);
vpninfo->cert_x509 = NULL;
return -EINVAL;
}
return 0;
}
#endif /* ANDROID_KEYSTORE */
if (vpninfo->cert_type == CERT_TYPE_UNKNOWN) {
FILE *f = fopen(vpninfo->sslkey, "r");
char buf[256];
if (!f) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to open private key file %s: %s\n"),
vpninfo->cert, strerror(errno));
return -ENOENT;
}
buf[255] = 0;
while (fgets(buf, 255, f)) {
if (!strcmp(buf, "-----BEGIN TSS KEY BLOB-----\n")) {
vpninfo->cert_type = CERT_TYPE_TPM;
break;
} else if (!strcmp(buf, "-----BEGIN RSA PRIVATE KEY-----\n") ||
!strcmp(buf, "-----BEGIN DSA PRIVATE KEY-----\n") ||
!strcmp(buf, "-----BEGIN ENCRYPTED PRIVATE KEY-----\n")) {
vpninfo->cert_type = CERT_TYPE_PEM;
break;
}
}
fclose(f);
if (vpninfo->cert_type == CERT_TYPE_UNKNOWN) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to identify private key type in '%s'\n"),
vpninfo->sslkey);
return -EINVAL;
}
}
if (vpninfo->cert_type == CERT_TYPE_TPM)
return load_tpm_certificate(vpninfo);
/* Standard PEM certificate */
SSL_CTX_set_default_passwd_cb(vpninfo->https_ctx, pem_pw_cb);
SSL_CTX_set_default_passwd_cb_userdata(vpninfo->https_ctx, vpninfo);
again:
if (!SSL_CTX_use_RSAPrivateKey_file(vpninfo->https_ctx, vpninfo->sslkey,
SSL_FILETYPE_PEM)) {
if (is_pem_password_error(vpninfo))
goto again;
return -EINVAL;
}
return 0;
}
static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
{
STACK_OF(SSL_CIPHER) *ciphers;
method_const SSL_METHOD *dtls_method;
SSL_CIPHER *dtls_cipher;
SSL *dtls_ssl;
BIO *dtls_bio;
if (!vpninfo->dtls_ctx) {
dtls_method = DTLSv1_client_method();
vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
if (!vpninfo->dtls_ctx) {
vpn_progress(vpninfo, PRG_ERR,
_("Initialise DTLSv1 CTX failed\n"));
openconnect_report_ssl_errors(vpninfo);
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
/* If we don't readahead, then we do short reads and throw
away the tail of data packets. */
SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
if (!SSL_CTX_set_cipher_list(vpninfo->dtls_ctx, vpninfo->dtls_cipher)) {
vpn_progress(vpninfo, PRG_ERR,
_("Set DTLS cipher list failed\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
}
if (!vpninfo->dtls_session) {
/* We're going to "resume" a session which never existed. Fake it... */
vpninfo->dtls_session = SSL_SESSION_new();
if (!vpninfo->dtls_session) {
vpn_progress(vpninfo, PRG_ERR,
_("Initialise DTLSv1 session failed\n"));
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
vpninfo->dtls_session->ssl_version = 0x0100; /* DTLS1_BAD_VER */
}
/* Do this every time; it may have changed due to a rekey */
vpninfo->dtls_session->master_key_length = sizeof(vpninfo->dtls_secret);
memcpy(vpninfo->dtls_session->master_key, vpninfo->dtls_secret,
sizeof(vpninfo->dtls_secret));
vpninfo->dtls_session->session_id_length = sizeof(vpninfo->dtls_session_id);
memcpy(vpninfo->dtls_session->session_id, vpninfo->dtls_session_id,
sizeof(vpninfo->dtls_session_id));
dtls_ssl = SSL_new(vpninfo->dtls_ctx);
SSL_set_connect_state(dtls_ssl);
ciphers = SSL_get_ciphers(dtls_ssl);
if (sk_SSL_CIPHER_num(ciphers) != 1) {
vpn_progress(vpninfo, PRG_ERR, _("Not precisely one DTLS cipher\n"));
SSL_CTX_free(vpninfo->dtls_ctx);
SSL_free(dtls_ssl);
SSL_SESSION_free(vpninfo->dtls_session);
vpninfo->dtls_ctx = NULL;
vpninfo->dtls_session = NULL;
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
dtls_cipher = sk_SSL_CIPHER_value(ciphers, 0);
/* Set the appropriate cipher on our session to be resumed */
vpninfo->dtls_session->cipher = dtls_cipher;
vpninfo->dtls_session->cipher_id = dtls_cipher->id;
/* Add the generated session to the SSL */
if (!SSL_set_session(dtls_ssl, vpninfo->dtls_session)) {
vpn_progress(vpninfo, PRG_ERR,
_("SSL_set_session() failed with old protocol version 0x%x\n"
"Are you using a version of OpenSSL older than 0.9.8m?\n"
"See http://rt.openssl.org/Ticket/Display.html?id=1751\n"
"Use the --no-dtls command line option to avoid this message\n"),
vpninfo->dtls_session->ssl_version);
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
dtls_bio = BIO_new_socket(dtls_fd, BIO_NOCLOSE);
/* Set non-blocking */
BIO_set_nbio(dtls_bio, 1);
SSL_set_bio(dtls_ssl, dtls_bio, dtls_bio);
SSL_set_options(dtls_ssl, SSL_OP_CISCO_ANYCONNECT);
vpninfo->new_dtls_ssl = dtls_ssl;
return 0;
}
