add 'nullppp' protocol for testing
authorDaniel Lenski <dlenski@gmail.com>
Tue, 19 May 2020 21:36:48 +0000 (14:36 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Mon, 29 Mar 2021 02:27:01 +0000 (19:27 -0700)
Use `socat` to set up a PTY connected to a TLS socket (listening only on the local interface):

    socat -s -d -d \
      PTY,raw,b9600 \
      OPENSSL-LISTEN:5556,cert=tests/certs/server-cert.pem,key=tests/certs/server-key.pem,verify=0,so-bindtodevice=lo
    [ N PTY is /dev/pts/X ]

Connect the PTY to `pppd` (requires root):

    # Add 'sync' to disable HDLC framing
    sudo pppd /dev/pts/X 10.0.0.1:10.0.0.101 noauth debug dump logfd 2 local nodetach passive persist ms-dns 1.1.1.1 ms-wins 5.5.5.5 +ipv6

Connect OpenConnect to the TLS socket, and watch it negotiate LCP/IPCP/IP6CP with its peer, and reject CCP:

    # Add noipv4 and/or noipv6 to the --cookie value to skip IPv4 (IPCP) and/or IPv6 (IP6CP) negotiation
    ./openconnect --protocol=nullppp --cookie hdlc --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dump localhost:5556

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Makefile.am
library.c
nullppp.c [new file with mode: 0644]
openconnect-internal.h

index 1b632c6232663c02fd86ccb31defed53dd67ee3e..c293b20ab2099313c0a367ef4a9cb3688216ed6d 100644 (file)
@@ -38,10 +38,11 @@ lib_srcs_globalprotect = gpst.c win32-ipicmp.h auth-globalprotect.c
 lib_srcs_oath = oath.c
 lib_srcs_oidc = oidc.c
 lib_srcs_ppp = ppp.c ppp.h
+lib_srcs_nullppp = nullppp.c
 
 library_srcs += $(lib_srcs_juniper) $(lib_srcs_cisco) $(lib_srcs_oath) \
                $(lib_srcs_globalprotect) $(lib_srcs_pulse) \
-               $(lib_srcs_oidc) $(lib_srcs_ppp)
+               $(lib_srcs_oidc) $(lib_srcs_ppp) $(lib_srcs_nullppp)
 
 
 lib_srcs_gnutls = gnutls.c gnutls_tpm.c gnutls_tpm2.c
index f8e99a3832d7f50388f6b3bcbffb1175bf2b98ed..206949da97ba72da87926b2c5ab253971c30b278 100644 (file)
--- a/library.c
+++ b/library.c
@@ -188,6 +188,15 @@ static const struct vpn_proto openconnect_protos[] = {
                .udp_send_probes = oncp_esp_send_probes,
                .udp_catch_probe = oncp_esp_catch_probe,
 #endif
+       }, {
+               .name = "nullppp",
+               .pretty_name = N_("nullppp"),
+               .description = N_("Unauthenticated RFC1661/RFC1662 PPP over TLS, for testing"),
+               .flags = OC_PROTO_PROXY,
+               .tcp_connect = nullppp_connect,
+               .tcp_mainloop = ppp_mainloop,
+               .add_http_headers = http_common_headers,
+               .obtain_cookie = nullppp_obtain_cookie,
        }
 };
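Review bot: This entry makes an unauthenticated, testing-only transport selectable in every build via `--protocol=nullppp`, because openconnect_protos[] is the public protocol table and nothing in this hunk (or the Makefile.am hunk) conditions the entry or the source file on a debug/test option. Anyone who mistypes a protocol name, or a script that passes it, gets a PPP session in which no credentials are exchanged at all and only the TLS server-certificate check applies. Consider compiling the entry and nullppp.c only under a configure option, or at least making the user-facing string explicit, e.g. `.description = N_("Unauthenticated RFC1661/RFC1662 PPP over TLS, for testing only (no credentials are sent)")`. The neighbouring entries set callbacks that fall outside the hunk (e.g. the udp_* ones visible just above), so I cannot tell from here whether nullppp also needs a close/bye or cookie-handling callback; worth checking against the struct vpn_proto definition.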
 
diff --git a/nullppp.c b/nullppp.c
new file mode 100644 (file)
index 0000000..bf2964b
--- /dev/null
+++ b/nullppp.c
@@ -0,0 +1,71 @@
+/*
+ * OpenConnect (SSL + DTLS) VPN client
+ *
+ * Copyright © 2020 David Woodhouse
+ *
+ * Author: David Woodhouse <dwmw2@infradead.org>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * version 2.1, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ */
+
+#include <config.h>
+
+#include <unistd.h>
+#include <fcntl.h>
+#include <time.h>
+#include <string.h>
+#include <ctype.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <stdarg.h>
+#include <sys/types.h>
+
+#include "openconnect-internal.h"
+
+int nullppp_obtain_cookie(struct openconnect_info *vpninfo)
+{
+       if (!(vpninfo->cookie = strdup("")))
+               return -ENOMEM;
+       return 0;
+}
+
+int nullppp_connect(struct openconnect_info *vpninfo)
+{
+       int ret;
+       int ipv4, ipv6, hdlc;
+
+       /* XX: cookie hack. Use -C hdlc,noipv4,noipv6 on the
+        * command line to set options. */
+       hdlc = strstr(vpninfo->cookie, "hdlc") ? 1 : 0;
+       ipv4 = strstr(vpninfo->cookie, "noipv4") ? 0 : 1;
+       ipv6 = strstr(vpninfo->cookie, "noipv6") ? 0 : 1;
+
+       /* Now establish the actual connection */
+       ret = openconnect_open_https(vpninfo);
+       if (ret)
+               goto out;
+
+       ret = openconnect_ppp_new(vpninfo,
+                                 hdlc ? PPP_ENCAP_RFC1662_HDLC : PPP_ENCAP_RFC1661,
+                                 ipv4, ipv6);
+
+ out:
+       if (ret)
+               openconnect_close_https(vpninfo, 0);
+       else {
+               monitor_fd_new(vpninfo, ssl);
+               monitor_read_fd(vpninfo, ssl);
+               monitor_except_fd(vpninfo, ssl);
+       }
+
+       return ret;
+}
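Review bot: nullppp_connect passes vpninfo->cookie straight to strstr() three times; nullppp_obtain_cookie does set it to "" and the CLI sets it from --cookie, but a library caller that reaches tcp_connect without going through obtain_cookie would (presumably) still have a NULL cookie and crash here, so guard it once: `const char *opts = vpninfo->cookie ? vpninfo->cookie : "";` and match against `opts`. nullppp_obtain_cookie also overwrites vpninfo->cookie without releasing any previous value, which leaks if it is ever called with a cookie already set; `free(vpninfo->cookie);` before the strdup() would be harmless and closes that. `<sys/types.h>` is included twice (once before and once after `<stdarg.h>`). The file header names David Woodhouse as copyright holder and author although the commit author is Daniel Lenski; if that is a copied template, the attribution should be corrected before this lands.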
index da3166b5a176cc4d861aefcfe537bf1c83af87c7..72a3ad178b837e2804a1329d48f142e9dbf7e8ab 100644 (file)
@@ -977,6 +977,10 @@ int pulse_bye(struct openconnect_info *vpninfo, const char *reason);
 int pulse_eap_ttls_send(struct openconnect_info *vpninfo, const void *data, int len);
 int pulse_eap_ttls_recv(struct openconnect_info *vpninfo, void *data, int len);
 
+/* nullppp.c */
+int nullppp_obtain_cookie(struct openconnect_info *vpninfo);
+int nullppp_connect(struct openconnect_info *vpninfo);
+
 /* ppp.c */
 struct oc_ppp;
 void buf_append_ppphdlc(struct oc_text_buf *buf, const unsigned char *bytes, int len, uint32_t asyncmap);