From c649d85f70f1a968dfa1f7f70413edc400a91990 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Tue, 19 May 2020 14:36:48 -0700
Subject: [PATCH] add 'nullppp' protocol for testing

Use `socat` to set up a PTY connected to a TLS socket (listening only on the local interface):
socat -s -d -d \
PTY,raw,b9600 \
OPENSSL-LISTEN:5556,cert=tests/certs/server-cert.pem,key=tests/certs/server-key.pem,verify=0,so-bindtodevice=lo
[ N PTY is /dev/pts/X ]
Connect the PTY to `pppd` (requires root):
# Add 'sync' to disable HDLC framing
sudo pppd /dev/pts/X 10.0.0.1:10.0.0.101 noauth debug dump logfd 2 local nodetach passive persist ms-dns 1.1.1.1 ms-wins 5.5.5.5 +ipv6
Connect OpenConnect to the TLS socket, and watch it negotiate LCP/IPCP/IP6CP with its peer, and reject CCP:
# Add noipv4,noipv6 to cookie to try those
./openconnect --protocol=nullppp --cookie hdlc --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --dump localhost:5556
Signed-off-by: Daniel Lenski
---
 Makefile.am | 3 +-
 library.c | 9 ++++++
 nullppp.c | 71 ++++++++++++++++++++++++++++++++++++++++++
 openconnect-internal.h | 4 +++
 4 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 nullppp.c

diff --git a/Makefile.am b/Makefile.am
index fcbee700..7e733642 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -32,6 +32,7 @@ lib_srcs_cisco = auth.c cstp.c
 lib_srcs_juniper = oncp.c lzo.c auth-juniper.c
 lib_srcs_nx = nx.c
 lib_srcs_pulse = pulse.c
+lib_srcs_nullppp = nullppp.c
 lib_srcs_f5 = f5.c
 lib_srcs_ppp = ppp.c ppp.h
 lib_srcs_fortinet = fortinet.c
@@ -42,7 +43,7 @@ lib_srcs_oidc = oidc.c
 library_srcs += $(lib_srcs_juniper) $(lib_srcs_cisco) $(lib_srcs_oath) \
 $(lib_srcs_globalprotect) $(lib_srcs_pulse) $(lib_srcs_f5) \
 $(lib_srcs_ppp) $(lib_srcs_fortinet) $(lib_srcs_nx) \
- $(lib_srcs_oidc)
+ $(lib_srcs_nullppp) $(lib_srcs_oidc)
 lib_srcs_gnutls = gnutls.c gnutls_tpm.c gnutls_tpm2.c
diff --git a/library.c b/library.c
index b988ad4c..912af639 100644
--- a/library.c
+++ b/library.c
@@ -237,6 +237,15 @@ static const struct vpn_proto openconnect_protos[] = {
 .udp_send_probes = oncp_esp_send_probes,
 .udp_catch_probe = oncp_esp_catch_probe,
 #endif
+ }, {
+ .name = "nullppp",
+ .pretty_name = N_("nullppp"),
+ .description = N_("nullppp"),
+ .flags = OC_PROTO_PROXY,
+ .tcp_connect = nullppp_connect,
+ .tcp_mainloop = ppp_mainloop,
+ .add_http_headers = http_common_headers,
+ .obtain_cookie = nullppp_obtain_cookie,
 },
 };
diff --git a/nullppp.c b/nullppp.c
new file mode 100644
index 00000000..bf2964b4
--- /dev/null
+++ b/nullppp.c
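Review bot: The new entry's `.description = N_("nullppp")` and `.pretty_name = N_("nullppp")` give a user no hint that this is a test-only transport: the commit subject says it exists for testing, and `nullppp_obtain_cookie` hands back an empty cookie, so no authentication of any kind happens before PPP is started over the TLS socket. Because Makefile.am compiles nullppp.c into library_srcs unconditionally, this entry will be listed next to the real protocols, so the description should say what it is, e.g. `.description = N_("PPP over TLS with no authentication (testing only)"),`. Whether the entry should additionally be hidden behind a build option is a maintainer call; I cannot tell from this hunk whether the protocol table is filtered anywhere.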
@@ -0,0 +1,71 @@
+/*
+ * OpenConnect (SSL + DTLS) VPN client
+ *
+ * Copyright © 2020 David Woodhouse
+ *
+ * Author: David Woodhouse
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * version 2.1, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ */
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "openconnect-internal.h"
+
+int nullppp_obtain_cookie(struct openconnect_info *vpninfo)
+{
+ if (!(vpninfo->cookie = strdup("")))
+ return -ENOMEM;
+ return 0;
+}
+
+int nullppp_connect(struct openconnect_info *vpninfo)
+{
+ int ret;
+ int ipv4, ipv6, hdlc;
+
+ /* XX: cookie hack. Use -C hdlc,noipv4,noipv6 on the
+ * command line to set options. */
+ hdlc = strstr(vpninfo->cookie, "hdlc") ? 1 : 0;
+ ipv4 = strstr(vpninfo->cookie, "noipv4") ? 0 : 1;
+ ipv6 = strstr(vpninfo->cookie, "noipv6") ? 0 : 1;
+
+ /* Now establish the actual connection */
+ ret = openconnect_open_https(vpninfo);
+ if (ret)
+ goto out;
+
+ ret = openconnect_ppp_new(vpninfo,
+ hdlc ? PPP_ENCAP_RFC1662_HDLC : PPP_ENCAP_RFC1661,
+ ipv4, ipv6);
+
+ out:
+ if (ret)
+ openconnect_close_https(vpninfo, 0);
+ else {
+ monitor_fd_new(vpninfo, ssl);
+ monitor_read_fd(vpninfo, ssl);
+ monitor_except_fd(vpninfo, ssl);
+ }
+
+ return ret;
+}
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 4e88f91c..0d1e8517 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
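Review bot: `nullppp_connect` dereferences `vpninfo->cookie` in three `strstr` calls without a NULL check; if any caller can reach `.tcp_connect` before a cookie has been set (I cannot confirm that from this hunk), that is undefined behaviour, and a one-line guard `const char *opts = vpninfo->cookie ? vpninfo->cookie : "";` used in place of the three dereferences makes the function safe either way. The option matching is also plain substring matching, so a cookie such as `nohdlc` turns HDLC framing on; since the comment already limits the accepted options to `hdlc,noipv4,noipv6`, either say so there (`/* substring match: "nohdlc" still enables HDLC */`) or parse the comma-separated tokens properly. The file header names David Woodhouse as author and copyright holder while the commit is authored and signed off by Daniel Lenski; worth confirming that is intended. `nullppp_obtain_cookie` also overwrites `vpninfo->cookie` without freeing any existing value, which leaks if it is ever called with a cookie already set; `free(vpninfo->cookie);` before the `strdup` would cover that.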
@@ -951,6 +951,10 @@ int pulse_bye(struct openconnect_info *vpninfo, const char *reason);
 int pulse_eap_ttls_send(struct openconnect_info *vpninfo, const void *data, int len);
 int pulse_eap_ttls_recv(struct openconnect_info *vpninfo, void *data, int len);
+/* nullppp.c */
+int nullppp_obtain_cookie(struct openconnect_info *vpninfo);
+int nullppp_connect(struct openconnect_info *vpninfo);
+
 /* f5.c */
 int f5_obtain_cookie(struct openconnect_info *vpninfo);
 int f5_connect(struct openconnect_info *vpninfo);
-- 
2.49.0