static struct oc_text_buf *get_qs(char **str) { struct oc_text_buf *res; int escaped = 0; char *p = *str; if (*p != '\"') return NULL; res = buf_alloc(); while (*++p) { if (!escaped && *p == '\"') { *str = p+1; if (buf_error(res)) break; return res; } if (escaped) escaped = 0; else if (*p == '\\') escaped = 1; buf_append_bytes(res, p, 1); } buf_free(res); return NULL; }
static SSL_SESSION *generate_dtls_session(struct openconnect_info *vpninfo, int dtlsver, const SSL_CIPHER *cipher) { struct oc_text_buf *buf = buf_alloc(); SSL_SESSION *dtls_session; const unsigned char *asn; uint16_t cid; buf_append_bytes(buf, "\x30\x80", 2); // SEQUENCE, indeterminate length buf_append_INTEGER(buf, 1 /* SSL_SESSION_ASN1_VERSION */); buf_append_INTEGER(buf, dtlsver); store_be16(&cid, SSL_CIPHER_get_id(cipher) & 0xffff); buf_append_OCTET_STRING(buf, &cid, 2); buf_append_OCTET_STRING(buf, vpninfo->dtls_session_id, sizeof(vpninfo->dtls_session_id)); buf_append_OCTET_STRING(buf, vpninfo->dtls_secret, sizeof(vpninfo->dtls_secret)); /* If the length actually fits in one byte (which it should), do * it that way. Else, leave it indeterminate and add two * end-of-contents octets to mark the end of the SEQUENCE. */ if (!buf_error(buf) && buf->pos <= 0x80) buf->data[1] = buf->pos - 2; else buf_append_bytes(buf, "\0\0", 2); if (buf_error(buf)) { vpn_progress(vpninfo, PRG_ERR, _("Failed to create SSL_SESSION ASN.1 for OpenSSL: %s\n"), strerror(buf_error(buf))); buf_free(buf); return NULL; } asn = (void *)buf->data; dtls_session = d2i_SSL_SESSION(NULL, &asn, buf->pos); buf_free(buf); if (!dtls_session) { vpn_progress(vpninfo, PRG_ERR, _("OpenSSL failed to parse SSL_SESSION ASN.1\n")); openconnect_report_ssl_errors(vpninfo); return NULL; } return dtls_session; }
static void vdev_disk_io_intr(struct buf *bp, void *arg) { zio_t *zio = (zio_t *)arg; zio->io_error = buf_error(bp); if (zio->io_error == 0 && buf_resid(bp) != 0) { zio->io_error = EIO; } buf_free(bp); //zio_next_stage_async(zio); zio_interrupt(zio); }
static void vdev_disk_io_intr(struct buf *bp, void *arg) { zio_t *zio = (zio_t *)arg; /* * The rest of the zio stack only deals with EIO, ECKSUM, and ENXIO. * Rather than teach the rest of the stack about other error * possibilities (EFAULT, etc), we normalize the error value here. */ int error; error=buf_error(bp); zio->io_error = (error != 0 ? EIO : 0); if (zio->io_error == 0 && buf_resid(bp) != 0) { zio->io_error = EIO; } buf_free(bp); zio_delay_interrupt(zio); }
/* * Vnode op for write */ int spec_write(struct vnop_write_args *ap) { struct vnode *vp = ap->a_vp; struct uio *uio = ap->a_uio; struct buf *bp; daddr64_t bn; int bsize, blkmask, bscale; int io_sync; int devBlockSize=0; int n, on; int error = 0; dev_t dev; #if DIAGNOSTIC if (uio->uio_rw != UIO_WRITE) panic("spec_write mode"); if (UIO_SEG_IS_USER_SPACE(uio->uio_segflg)) panic("spec_write proc"); #endif switch (vp->v_type) { case VCHR: error = (*cdevsw[major(vp->v_rdev)].d_write) (vp->v_rdev, uio, ap->a_ioflag); return (error); case VBLK: if (uio_resid(uio) == 0) return (0); if (uio->uio_offset < 0) return (EINVAL); io_sync = (ap->a_ioflag & IO_SYNC); dev = (vp->v_rdev); devBlockSize = vp->v_specsize; if (devBlockSize > PAGE_SIZE) return(EINVAL); bscale = PAGE_SIZE / devBlockSize; blkmask = bscale - 1; bsize = bscale * devBlockSize; do { bn = (daddr64_t)((uio->uio_offset / devBlockSize) &~ blkmask); on = uio->uio_offset % bsize; n = min((unsigned)(bsize - on), uio_resid(uio)); /* * Use buf_getblk() as an optimization IFF: * * 1) We are reading exactly a block on a block * aligned boundary * 2) We know the size of the device from spec_open * 3) The read doesn't span the end of the device * * Otherwise, we fall back on buf_bread(). */ if (n == bsize && vp->v_specdevsize != (u_int64_t)0 && (uio->uio_offset + (u_int64_t)n) > vp->v_specdevsize) { /* reduce the size of the read to what is there */ n = (uio->uio_offset + (u_int64_t)n) - vp->v_specdevsize; } if (n == bsize) bp = buf_getblk(vp, bn, bsize, 0, 0, BLK_WRITE); else error = (int)buf_bread(vp, bn, bsize, NOCRED, &bp); /* Translate downstream error for upstream, if needed */ if (!error) error = (int)buf_error(bp); if (error) { buf_brelse(bp); return (error); } n = min(n, bsize - buf_resid(bp)); error = uiomove((char *)0 + buf_dataptr(bp) + on, n, uio); if (error) { buf_brelse(bp); return (error); } buf_markaged(bp); if (io_sync) error = buf_bwrite(bp); else { if ((n + on) == bsize) error = buf_bawrite(bp); else error = buf_bdwrite(bp); } } while (error == 0 && uio_resid(uio) > 0 && n != 0); return (error); default: panic("spec_write type"); } /* NOTREACHED */ return (0); }
struct dt_dentry * dtread_readfile(FILE *file, unsigned int *maxid, char *md5buf) { int c; char ch; struct buf_str *bs; struct cuckoo_ctx *cu; struct umd5_ctx md5; struct dtread_data *dr; struct dt_dentry *root = NULL; LOG_ASSERT(file != NULL, "Bad arguments\n"); if ((bs = buf_alloc()) == NULL) return NULL; if ((cu = cuckoo_alloc(0)) == NULL) goto clear_bs; umd5_init(&md5); while ((c = fgetc(file)) != EOF) { if (c == '\n') { if (buf_error(bs)) goto clear_cu; umd5_update(&md5, buf_string(bs), buf_strlen(bs)); umd5_update(&md5, "\n", 1); if (!dtread_readline(buf_string(bs), cu, maxid)) goto clear_cu; buf_clear(bs); } else { ch = c; buf_appendn(bs, &ch, 1); } } if (cuckoo_items(cu) != 1) { LOG_ERR("Some directories are left in cockoo tables\n"); goto clear_cu; } if ((dr = cuckoo_lookup(cu, 1)) == NULL) { LOG_ERR("No root node in cuckoo table\n"); goto clear_cu; } root = dr->de; cuckoo_delete(cu, 1); free(dr); umd5_finish(&md5); umd5_value(&md5, md5buf); clear_cu: cuckoo_rfree(cu, dtread_data_free); clear_bs: buf_free(bs); return root; }
int connect_https_socket(struct openconnect_info *vpninfo) { int ssl_sock = -1; int err; if (!vpninfo->port) vpninfo->port = 443; /* If we're talking to a server which told us it has dynamic DNS, don't just re-use its previous IP address. If we're talking to a proxy, we can use *its* previous IP address. We expect it'll re-do the DNS lookup for the server anyway. */ if (vpninfo->peer_addr && (!vpninfo->is_dyndns || vpninfo->proxy)) { reconnect: #ifdef SOCK_CLOEXEC ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_IP); if (ssl_sock < 0) #endif { ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM, IPPROTO_IP); if (ssl_sock < 0) { #ifdef _WIN32 err = WSAGetLastError(); #else err = -errno; #endif goto reconn_err; } set_fd_cloexec(ssl_sock); } err = cancellable_connect(vpninfo, ssl_sock, vpninfo->peer_addr, vpninfo->peer_addrlen); if (err) { char *errstr; reconn_err: #ifdef _WIN32 if (err > 0) errstr = openconnect__win32_strerror(err); else #endif errstr = strerror(-err); if (vpninfo->proxy) { vpn_progress(vpninfo, PRG_ERR, _("Failed to reconnect to proxy %s: %s\n"), vpninfo->proxy, errstr); } else { vpn_progress(vpninfo, PRG_ERR, _("Failed to reconnect to host %s: %s\n"), vpninfo->hostname, errstr); } #ifdef _WIN32 if (err > 0) free(errstr); #endif if (ssl_sock >= 0) closesocket(ssl_sock); ssl_sock = -EINVAL; goto out; } } else { struct addrinfo hints, *result, *rp; char *hostname; char port[6]; memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_PASSIVE | AI_NUMERICSERV; hints.ai_protocol = 0; hints.ai_canonname = NULL; hints.ai_addr = NULL; hints.ai_next = NULL; /* The 'port' variable is a string because it's easier this way than if we pass NULL to getaddrinfo() and then try to fill in the numeric value into different types of returned sockaddr_in{6,}. */ #ifdef LIBPROXY_HDR if (vpninfo->proxy_factory) { struct oc_text_buf *url_buf = buf_alloc(); char **proxies; int i = 0; free(vpninfo->proxy_type); vpninfo->proxy_type = NULL; free(vpninfo->proxy); vpninfo->proxy = NULL; buf_append(url_buf, "https://%s", vpninfo->hostname); if (vpninfo->port != 443) buf_append(url_buf, ":%d", vpninfo->port); buf_append(url_buf, "/%s", vpninfo->urlpath?:""); if (buf_error(url_buf)) { buf_free(url_buf); ssl_sock = -ENOMEM; goto out; } proxies = px_proxy_factory_get_proxies(vpninfo->proxy_factory, url_buf->data); i = 0; while (proxies && proxies[i]) { if (!vpninfo->proxy && (!strncmp(proxies[i], "http://", 7) || !strncmp(proxies[i], "socks://", 8) || !strncmp(proxies[i], "socks5://", 9))) internal_parse_url(proxies[i], &vpninfo->proxy_type, &vpninfo->proxy, &vpninfo->proxy_port, NULL, 0); i++; } buf_free(url_buf); free(proxies); if (vpninfo->proxy) vpn_progress(vpninfo, PRG_DEBUG, _("Proxy from libproxy: %s://%s:%d/\n"), vpninfo->proxy_type, vpninfo->proxy, vpninfo->port); } #endif if (vpninfo->proxy) { hostname = vpninfo->proxy; snprintf(port, 6, "%d", vpninfo->proxy_port); } else { hostname = vpninfo->hostname; snprintf(port, 6, "%d", vpninfo->port); } if (hostname[0] == '[' && hostname[strlen(hostname)-1] == ']') { hostname = strndup(hostname + 1, strlen(hostname) - 2); if (!hostname) { ssl_sock = -ENOMEM; goto out; } hints.ai_flags |= AI_NUMERICHOST; } if (vpninfo->getaddrinfo_override) err = vpninfo->getaddrinfo_override(vpninfo->cbdata, hostname, port, &hints, &result); else err = getaddrinfo(hostname, port, &hints, &result); if (err) { vpn_progress(vpninfo, PRG_ERR, _("getaddrinfo failed for host '%s': %s\n"), hostname, gai_strerror(err)); if (hints.ai_flags & AI_NUMERICHOST) free(hostname); ssl_sock = -EINVAL; /* If we were just retrying for dynamic DNS, reconnct using the previously-known IP address */ if (vpninfo->peer_addr) { vpn_progress(vpninfo, PRG_ERR, _("Reconnecting to DynDNS server using previously cached IP address\n")); goto reconnect; } goto out; } if (hints.ai_flags & AI_NUMERICHOST) free(hostname); for (rp = result; rp ; rp = rp->ai_next) { char host[80]; host[0] = 0; if (!getnameinfo(rp->ai_addr, rp->ai_addrlen, host, sizeof(host), NULL, 0, NI_NUMERICHOST)) vpn_progress(vpninfo, PRG_DEBUG, vpninfo->proxy_type ? _("Attempting to connect to proxy %s%s%s:%s\n") : _("Attempting to connect to server %s%s%s:%s\n"), rp->ai_family == AF_INET6 ? "[" : "", host, rp->ai_family == AF_INET6 ? "]" : "", port); ssl_sock = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); if (ssl_sock < 0) continue; set_fd_cloexec(ssl_sock); err = cancellable_connect(vpninfo, ssl_sock, rp->ai_addr, rp->ai_addrlen); if (!err) { /* Store the peer address we actually used, so that DTLS can use it again later */ free(vpninfo->ip_info.gateway_addr); vpninfo->ip_info.gateway_addr = NULL; if (host[0]) { vpninfo->ip_info.gateway_addr = strdup(host); vpn_progress(vpninfo, PRG_INFO, _("Connected to %s%s%s:%s\n"), rp->ai_family == AF_INET6 ? "[" : "", host, rp->ai_family == AF_INET6 ? "]" : "", port); } free(vpninfo->peer_addr); vpninfo->peer_addrlen = 0; vpninfo->peer_addr = malloc(rp->ai_addrlen); if (!vpninfo->peer_addr) { vpn_progress(vpninfo, PRG_ERR, _("Failed to allocate sockaddr storage\n")); closesocket(ssl_sock); ssl_sock = -ENOMEM; goto out; } vpninfo->peer_addrlen = rp->ai_addrlen; memcpy(vpninfo->peer_addr, rp->ai_addr, rp->ai_addrlen); /* If no proxy, ensure that we output *this* IP address in * authentication results because we're going to need to * reconnect to the *same* server from the rotation. And with * some trick DNS setups, it might possibly be a "rotation" * even if we only got one result from getaddrinfo() this * time. * * If there's a proxy, we're kind of screwed; we can't know * which IP address we connected to. Perhaps we ought to do * the DNS lookup locally and connect to a specific IP? */ if (!vpninfo->proxy && host[0]) { char *p = malloc(strlen(host) + 3); if (p) { free(vpninfo->unique_hostname); vpninfo->unique_hostname = p; if (rp->ai_family == AF_INET6) *p++ = '['; memcpy(p, host, strlen(host)); p += strlen(host); if (rp->ai_family == AF_INET6) *p++ = ']'; *p = 0; } } break; } if (host[0]) { char *errstr; #ifdef _WIN32 if (err > 0) errstr = openconnect__win32_strerror(err); else #endif errstr = strerror(-err); vpn_progress(vpninfo, PRG_INFO, _("Failed to connect to %s%s%s:%s: %s\n"), rp->ai_family == AF_INET6 ? "[" : "", host, rp->ai_family == AF_INET6 ? "]" : "", port, errstr); #ifdef _WIN32 if (err > 0) free(errstr); #endif } closesocket(ssl_sock); ssl_sock = -1; /* If we're in DynDNS mode but this *was* the cached IP address, * don't bother falling back to it if it didn't work. */ if (vpninfo->peer_addr && vpninfo->peer_addrlen == rp->ai_addrlen && match_sockaddr(vpninfo->peer_addr, rp->ai_addr)) { vpn_progress(vpninfo, PRG_TRACE, _("Forgetting non-functional previous peer address\n")); free(vpninfo->peer_addr); vpninfo->peer_addr = 0; vpninfo->peer_addrlen = 0; free(vpninfo->ip_info.gateway_addr); vpninfo->ip_info.gateway_addr = NULL; } } freeaddrinfo(result); if (ssl_sock < 0) { vpn_progress(vpninfo, PRG_ERR, _("Failed to connect to host %s\n"), vpninfo->proxy?:vpninfo->hostname); ssl_sock = -EINVAL; if (vpninfo->peer_addr) { vpn_progress(vpninfo, PRG_ERR, _("Reconnecting to DynDNS server using previously cached IP address\n")); goto reconnect; } goto out; } }
static wchar_t *create_script_env(struct openconnect_info *vpninfo) { struct oc_vpn_option *opt; struct oc_text_buf *envbuf; wchar_t **oldenv, **p, *newenv = NULL; int nr_envs = 0, i; /* _wenviron is NULL until we call _wgetenv() */ (void)_wgetenv(L"PATH"); /* Take a copy of _wenviron (but not of its strings) */ for (p = _wenviron; *p; p++) nr_envs++; oldenv = malloc(nr_envs * sizeof(*oldenv)); if (!oldenv) return NULL; memcpy(oldenv, _wenviron, nr_envs * sizeof(*oldenv)); envbuf = buf_alloc(); /* Add the script environment variables, prodding out any members of oldenv which are obsoleted by them. */ for (opt = vpninfo->script_env; opt && !buf_error(envbuf); opt = opt->next) { struct oc_text_buf *buf; buf = buf_alloc(); buf_append_utf16le(buf, opt->option); buf_append_utf16le(buf, "="); if (buf_error(buf)) { buf_free(buf); goto err; } /* See if we can find it in the existing environment */ for (i = 0; i < nr_envs; i++) { if (oldenv[i] && !wcsncmp((wchar_t *)buf->data, oldenv[i], buf->pos / 2)) { oldenv[i] = NULL; break; } } if (opt->value) { buf_append_bytes(envbuf, buf->data, buf->pos); buf_append_utf16le(envbuf, opt->value); buf_append_bytes(envbuf, "\0\0", 2); } buf_free(buf); } for (i = 0; i < nr_envs && !buf_error(envbuf); i++) { if (oldenv[i]) buf_append_bytes(envbuf, oldenv[i], (wcslen(oldenv[i]) + 1) * sizeof(wchar_t)); } buf_append_bytes(envbuf, "\0\0", 2); if (!buf_error(envbuf)) { newenv = (wchar_t *)envbuf->data; envbuf->data = NULL; } err: free(oldenv); buf_free(envbuf); return newenv; }
int digest_authorization(struct openconnect_info *vpninfo, int proxy, struct http_auth_state *auth_state, struct oc_text_buf *hdrbuf) { char *chall; int ret = -EINVAL; int algo = ALGO_MD5; int qop_auth = 0; int nc = 1; struct oc_text_buf *realm = NULL, *nonce = NULL, *opaque = NULL; struct oc_text_buf *a1 = NULL, *a2 = NULL, *kd = NULL; struct oc_text_buf *cnonce = NULL; unsigned char cnonce_random[32]; const char *user, *pass; if (proxy) { user = vpninfo->proxy_user; pass = vpninfo->proxy_pass; } else { /* Need to parse this out of the URL */ return -EINVAL; } if (!user || !pass) return -EINVAL; if (auth_state->state < AUTH_AVAILABLE) return -EINVAL; if (auth_state->state == AUTH_IN_PROGRESS) { auth_state->state = AUTH_FAILED; return -EAGAIN; } chall = auth_state->challenge; if (!chall) return -EINVAL; while (*chall) { if (!realm && !strncmp(chall, "realm=", 6)) { chall += 6; realm = get_qs(&chall); if (!realm) goto err; } else if (!nonce && !strncmp(chall, "nonce=", 6)) { chall += 6; nonce = get_qs(&chall); if (!nonce) goto err; } else if (!strncmp(chall, "qop=", 4)) { chall += 4; if (strncmp(chall, "\"auth\"", 6)) { /* We don't support "auth-int" */ goto err; } qop_auth = 1; chall += 6; } else if (!opaque && !strncmp(chall, "opaque=", 7)) { chall += 7; opaque = get_qs(&chall); if (!opaque) goto err; } else if (!strncmp(chall, "algorithm=", 10)) { chall += 10; if (!strncmp(chall, "MD5-sess", 8)) { algo = ALGO_MD5_SESS; chall += 8; } else if (!strncmp(chall, "MD5", 3)) { algo = ALGO_MD5; chall += 3; } } else { char *p = strchr(chall, '='); if (!p) goto err; p++; if (*p == '\"') { /* Eat and discard a quoted-string */ int escaped = 0; p++; do { if (escaped) escaped = 0; else if (*p == '\\') escaped = 1; if (!*p) goto err; } while (escaped || *p != '\"'); chall = p+1; } else { /* Not quoted. Just find the next comma (or EOL) */ p = strchr(p, ','); if (!p) break; chall = p; } } while (isspace((int)(unsigned char)*chall)) chall++; if (!*chall) break; if (*chall != ',') goto err; chall++; while (isspace((int)(unsigned char)*chall)) chall++; if (!*chall) break; } if (!nonce || !realm) goto err; if (openconnect_random(&cnonce_random, sizeof(cnonce_random))) goto err; cnonce = buf_alloc(); buf_append_base64(cnonce, cnonce_random, sizeof(cnonce_random)); if (buf_error(cnonce)) goto err; /* * According to RFC2617 §3.2.2.2: * A1 = unq(username-value) ":" unq(realm-value) ":" passwd * So the username is escaped, while the password isn't. */ a1 = buf_alloc(); buf_append_unq(a1, user); buf_append(a1, ":%s:%s", realm->data, pass); if (buf_error(a1)) goto err; if (algo == ALGO_MD5_SESS) { struct oc_text_buf *old_a1 = a1; a1 = buf_alloc(); buf_append_md5(a1, old_a1->data, old_a1->pos); buf_free(old_a1); buf_append(a1, ":%s:%s\n", nonce->data, cnonce->data); if (buf_error(a1)) goto err; } a2 = buf_alloc(); buf_append(a2, "CONNECT:%s:%d", vpninfo->hostname, vpninfo->port); if (buf_error(a2)) goto err; kd = buf_alloc(); buf_append_md5(kd, a1->data, a1->pos); buf_append(kd, ":%s:", nonce->data); if (qop_auth) { buf_append(kd, "%08x:%s:auth:", nc, cnonce->data); } buf_append_md5(kd, a2->data, a2->pos); if (buf_error(kd)) goto err; buf_append(hdrbuf, "%sAuthorization: Digest username=\"", proxy ? "Proxy-" : ""); buf_append_unq(hdrbuf, user); buf_append(hdrbuf, "\", realm=\"%s\", nonce=\"%s\", uri=\"%s:%d\", ", realm->data, nonce->data, vpninfo->hostname, vpninfo->port); if (qop_auth) buf_append(hdrbuf, "cnonce=\"%s\", nc=%08x, qop=auth, ", cnonce->data, nc); if (opaque) buf_append(hdrbuf, "opaque=\"%s\", ", opaque->data); buf_append(hdrbuf, "response=\""); buf_append_md5(hdrbuf, kd->data, kd->pos); buf_append(hdrbuf, "\"\r\n"); ret = 0; auth_state->state = AUTH_IN_PROGRESS; if (proxy) vpn_progress(vpninfo, PRG_INFO, _("Attempting Digest authentication to proxy\n")); else vpn_progress(vpninfo, PRG_INFO, _("Attempting Digest authentication to server '%s'\n"), vpninfo->hostname); err: if (a1 && a1->data) memset(a1->data, 0, a1->pos); buf_free(a1); buf_free(a2); buf_free(kd); buf_free(realm); buf_free(nonce); buf_free(cnonce); buf_free(opaque); return ret; }