From a55fcd61f747ccaded20003b525f102eafdc4e28 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Mon, 6 Nov 2023 09:59:04 +0100 Subject: [PATCH] Change --no-sni to --sni * Option --sni requires a mandatory argument, a server name (SNI) to use during TLS handshake. * If omitted, openfortivpn will use the host argument instead. * Always set SNI during TLS handshake, using the SNI passed with option --sni, or the host argument. --- src/config.c | 18 ++++++------------ src/config.h | 2 +- src/main.c | 20 +++++++------------- src/tunnel.c | 19 +++++++++---------- 4 files changed, 23 insertions(+), 36 deletions(-) diff --git a/src/config.c b/src/config.c index aaaa6a32..b1c8bb35 100644 --- a/src/config.c +++ b/src/config.c @@ -52,7 +52,7 @@ const struct vpn_config invalid_cfg = { .pinentry = NULL, .realm = {'\0'}, .iface_name = {'\0'}, - .use_sni = -1, + .sni = {'\0'}, .set_routes = -1, .set_dns = -1, .pppd_use_peerdns = -1, @@ -299,15 +299,9 @@ int load_config(struct vpn_config *cfg, const char *filename) continue; } cfg->set_dns = set_dns; - } else if (strcmp(key, "use-sni") == 0) { - int use_sni = strtob(val); - - if (use_sni < 0) { - log_warn("Bad use-sni in configuration file: \"%s\".\n", - val); - continue; - } - cfg->use_sni = use_sni; + } else if (strcmp(key, "sni") == 0) { + free(cfg->sni); + cfg->sni = strdup(val); } else if (strcmp(key, "set-routes") == 0) { int set_routes = strtob(val); @@ -546,8 +540,8 @@ void merge_config(struct vpn_config *dst, struct vpn_config *src) strcpy(dst->realm, src->realm); if (src->iface_name[0]) strcpy(dst->iface_name, src->iface_name); - if (src->use_sni != invalid_cfg.use_sni) - dst->use_sni = src->use_sni; + if (src->sni[0]) + strcpy(dst->sni, src->sni); if (src->set_routes != invalid_cfg.set_routes) dst->set_routes = src->set_routes; if (src->set_dns != invalid_cfg.set_dns) diff --git a/src/config.h b/src/config.h index 4f0cccb5..0c5386b3 100644 --- a/src/config.h +++ b/src/config.h @@ -98,7 +98,7 @@ struct vpn_config { char iface_name[IF_NAMESIZE]; char realm[REALM_SIZE + 1]; - int use_sni; + char *sni; int set_routes; int set_dns; int pppd_use_peerdns; diff --git a/src/main.c b/src/main.c index 98149cea..41e5fbe6 100644 --- a/src/main.c +++ b/src/main.c @@ -126,7 +126,8 @@ PPPD_USAGE \ " --ifname= Bind to interface.\n" \ " --set-routes=[01] Set if openfortivpn should configure routes\n" \ " when tunnel is up.\n" \ -" --no-sni Do not send SNI in ClientHello, same as --use-sni=0.\n" \ +" --sni= Specify a different server name (SNI) than the host argument\n" \ +" during TLS handshake." \ " --no-routes Do not configure routes, same as --set-routes=0.\n" \ " --half-internet-routes=[01] Add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher\n" \ " priority instead of replacing the default route.\n" \ @@ -231,7 +232,7 @@ int main(int argc, char **argv) .pinentry = NULL, .realm = {'\0'}, .iface_name = {'\0'}, - .use_sni = 1, + .sni = NULL, .set_routes = 1, .set_dns = 1, .use_syslog = 0, @@ -291,7 +292,7 @@ int main(int argc, char **argv) {"no-ftm-push", no_argument, &cli_cfg.no_ftm_push, 1}, {"ifname", required_argument, NULL, 0}, {"set-routes", required_argument, NULL, 0}, - {"no-sni", no_argument, &cli_cfg.use_sni, 0}, + {"sni", required_argument, &cli_cfg.sni, 0}, {"no-routes", no_argument, &cli_cfg.set_routes, 0}, {"half-internet-routes", required_argument, NULL, 0}, {"set-dns", required_argument, NULL, 0}, @@ -520,16 +521,9 @@ int main(int argc, char **argv) break; } if (strcmp(long_options[option_index].name, - "use-sni") == 0) { - int use_sni = strtob(optarg); - - if (use_sni < 0) { - log_warn("Bad use-sni option: \"%s\"\n", - optarg); - break; - } - cli_cfg.use_sni = use_sni; - break; + "sni") == 0) { + cli_cfg.sni = strdup(optarg); + break; } if (strcmp(long_options[option_index].name, "set-routes") == 0) { diff --git a/src/tunnel.c b/src/tunnel.c index 0a7882a1..d38f9330 100644 --- a/src/tunnel.c +++ b/src/tunnel.c @@ -1269,16 +1269,15 @@ int ssl_connect(struct tunnel *tunnel) SSL_set_mode(tunnel->ssl_handle, SSL_MODE_AUTO_RETRY); - // Set SNI for the session - if (tunnel->config->use_sni) { - log_debug("SNI set: %s", tunnel->config->gateway_host); - - if (SSL_set_tlsext_host_name(tunnel->ssl_handle, tunnel->config->gateway_host) != 1) { - log_warn("SSL_set_tlsext_host_name('%s'): %s\n", - tunnel->config->gateway_host, - ERR_error_string(ERR_peek_last_error(), NULL)); - } - } + // Set SNI for the session + const char *sni = tunnel->config->sni ? \ + tunnel->config->sni : tunnel->config->gateway_host; + if (SSL_set_tlsext_host_name(tunnel->ssl_handle, sni) != 1) + log_warn("SSL_set_tlsext_host_name('%s'): %s\n", + sni, + ERR_error_string(ERR_peek_last_error(), NULL)); + else + log_debug("Set SNU TLS handshake: %s\n", sni); // Initiate SSL handshake if (SSL_connect(tunnel->ssl_handle) != 1) {