Skip to main content

Common Functionality Across All Platforms

This document describes functions and components that are present across all platforms (Linux x64/ARM64, Windows x64, macOS) in Cisco Secure Client 5.1.12.146.

VPN Connection Management

Core Connection Functions

Based on symbol analysis and string extraction from libvpnapi.so (1,019 exported functions), the following connection functions are implemented across all platforms:

// Connection lifecycle (decompiled signatures inferred from symbols)
int vpn_connect(const char* server, int port, ConnectProtocolType protocol);
int vpn_disconnect(void);
int vpn_reconnect(bool use_session_resume);

// Connection state management
ConnectState vpn_get_state(void);
bool vpn_is_connected(void);
int vpn_get_statistics(VpnStatistics* stats);

Evidence: Strings found in vpnagentd:

_ZN16CStartParameters10SetVpnTypeE19ConnectProtocolType
_ZN16CStartParameters10GetVpnTypeER19ConnectProtocolType
_ZN15CSessionInfoTlv14SetVpnProtocolE19ConnectProtocolType

Authentication Methods

All platforms support the following authentication methods:

1. HTTP Basic Authentication

int auth_http_basic(const char* username, const char* password);

2. HTTP Digest Authentication

int auth_http_digest(const char* username, const char* password,
                      const char* realm, const char* nonce);

3. Client Certificate Authentication

int auth_certificate(X509* cert, EVP_PKEY* privkey);

Evidence: libvpnapi.so exports:

  • d2i_X509@OPENSSL_1_1_0
  • EVP_PKEY_get0_EC_KEY@OPENSSL_1_1_0
  • EVP_PKEY_get0_RSA@OPENSSL_1_1_0

4. TOTP/OTP Verification

int auth_totp(const char* token);

5. SAML SSO Authentication

int auth_saml(const char* saml_response);

Evidence: Strings in libvpncommon.so reference SAML handling.

Authentication Flow Diagram

sequenceDiagram
    participant User
    participant Client as VPN Client
    participant Server as VPN Server
    participant IDP as Identity Provider

    User->>Client: Enter credentials
    Client->>Server: Connect request

    alt HTTP Basic/Digest
        Server-->>Client: 401 Unauthorized
        Client->>Server: Authorization: Basic/Digest
        Server-->>Client: 200 OK
    else Certificate
        Client->>Server: TLS ClientCertificate
        Server-->>Client: Certificate verified
    else SAML SSO
        Server-->>Client: 302 Redirect to IdP
        Client->>IDP: Authentication request
        User->>IDP: Enter SSO credentials
        IDP-->>Client: SAML Response
        Client->>Server: SAML Response
        Server-->>Client: 200 OK
    else TOTP/OTP
        Server-->>Client: Challenge
        User->>Client: Enter TOTP token
        Client->>Server: TOTP token
        Server-->>Client: Token verified
    end

    Server-->>Client: Session established

Protocol Implementation

CSTP (Cisco Secure Tunneling Protocol)

Functions (inferred from string analysis):

int cstp_establish_tunnel(const char* server);
int cstp_send_header(const char* header_name, const char* header_value);
int cstp_send_packet(const void* data, size_t len);
int cstp_receive_packet(void* buffer, size_t buflen);

Evidence from vpnagentd:

CSslProtocol
CSslProtocol::registerCertHooks()
CSslProtocol::resetRekeyTimer
SSL config empty, set min protocol to TLS 1.3
Failed to set minimum SSL protocol version
TLS 1.3+ config empty, set max protocol to TLS 1.2

Standard Headers (X-CSTP-* family):

  • X-CSTP-Version: 1
  • X-CSTP-MTU: 1399
  • X-CSTP-Accept-Encoding: deflate
  • X-CSTP-Address: <IPv4>
  • X-CSTP-Netmask: <IPv4>
  • X-CSTP-DNS: <IPv4>

DTLS (Datagram TLS)

Functions:

int dtls_establish_tunnel(const char* server, uint16_t port);
int dtls_send_header(const char* header_name, const char* header_value);
int dtls_send_packet(const void* data, size_t len);
int dtls_receive_packet(void* buffer, size_t buflen);

Evidence from vpnagentd and libacciscossl.so:

CDtlsProtocol
CTlsProtocol::resetRekeyTimer
DTLSv1_listen
DTLS_method
DTLS_server_method
DTLS_get_data_mtu
DTLS_set_timer_cb

Standard Headers (X-DTLS-* family):

  • X-DTLS-Version: 1
  • X-DTLS-MTU: 1399
  • X-DTLS-CipherSuite: <cipher>
  • X-DTLS-Accept-Encoding: lzs

Protocol Sequence Diagram

sequenceDiagram
    participant Client
    participant Server

    Note over Client,Server: CSTP (Control) Tunnel

    Client->>Server: CONNECT / HTTP/1.1
    Server-->>Client: HTTP/1.1 200 Connected

    Client->>Server: X-CSTP-Version: 1
    Client->>Server: X-CSTP-Accept-Encoding: deflate
    Server-->>Client: X-CSTP-Version: 1
    Server-->>Client: X-CSTP-MTU: 1399
    Server-->>Client: X-CSTP-Address: 192.168.50.10
    Server-->>Client: X-CSTP-Netmask: 255.255.255.0
    Server-->>Client: X-CSTP-DNS: 8.8.8.8

    Note over Client,Server: DTLS (Data) Tunnel

    Client->>Server: DTLS ClientHello (UDP)
    Server-->>Client: DTLS ServerHello
    Client->>Server: DTLS Certificate
    Server-->>Client: DTLS Finished

    Client->>Server: X-DTLS-Version: 1
    Client->>Server: X-DTLS-MTU: 1399
    Server-->>Client: X-DTLS-CipherSuite: AES256-GCM-SHA384

    Note over Client,Server: Data Transfer

    loop CSTP (TCP) - Control & Backup
        Client->>Server: Encrypted control packets
        Server-->>Client: Encrypted responses
    end

    loop DTLS (UDP) - Primary Data
        Client->>Server: Encrypted data packets
        Server-->>Client: Encrypted data packets
    end

TLS/DTLS Configuration

TLS Version Negotiation

Supported Versions (from libacciscossl.so analysis):

  1. TLS 1.3 (preferred, if server supports)
  2. TLS 1.2 (fallback)
  3. DTLS 1.2 (for UDP tunnel)

Configuration Logic (inferred from strings):

// Pseudo-code from string analysis
void configure_tls_protocol() {
    if (ssl_config_empty) {
        // Set minimum to TLS 1.3
        SSL_set_min_proto_version(ssl, TLS1_3_VERSION);
    }

    if (tls13_config_empty) {
        // Set maximum to TLS 1.2 (fallback mode)
        SSL_set_max_proto_version(ssl, TLS1_2_VERSION);
    }

    // Register certificate hooks
    CSslProtocol::registerCertHooks();
}

Cipher Suites

Based on OpenSSL integration in libacciscossl.so:

TLS 1.3 Cipher Suites:

  • TLS_AES_256_GCM_SHA384 (preferred)
  • TLS_AES_128_GCM_SHA256
  • TLS_CHACHA20_POLY1305_SHA256

TLS 1.2 Cipher Suites:

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384

Compression Support

Deflate Compression (CSTP)

int cstp_enable_compression(CompressionAlgorithm algo);

Evidence:

X-CSTP-Accept-Encoding: deflate
_ZN13CPhoneHomeVpn16AddTunnelConnectE... 15COMPR_ALGORITHM

Supported Algorithms:

  • deflate (zlib-based)
  • None (uncompressed)

LZS Compression (DTLS)

int dtls_enable_compression(CompressionAlgorithm algo);

Evidence:

X-DTLS-Accept-Encoding: lzs

Packet Format

CSTP Packet Structure

FieldBitsDescription
STX8Start of packet (0x02)
Packet Type8DATA=0x00, DPD-REQ=0x03, DPD-RESP=0x04
Length16Payload length (big-endian)
PayloadVariableVariable length encrypted data

DTLS Packet Structure

FieldBitsDescription
DTLS Header104Standard DTLS 1.2 header (13 bytes)
Encrypted PayloadVariableVariable length encrypted data
Authentication Tag128GCM authentication tag (16 bytes)

Dead Peer Detection (DPD)

DPD Protocol

Function:

int send_dpd_request(uint32_t sequence);
int receive_dpd_response(uint32_t* sequence);

Packet Types:

  • DPD-REQ (0x03) - Client-to-server keepalive
  • DPD-RESP (0x04) - Server-to-client response

Timing (typical):

  • Interval: 10 seconds
  • Timeout: 30 seconds
  • Max Failures: 3

DPD Sequence Diagram

sequenceDiagram
    participant Client
    participant Server

    Note over Client,Server: Normal Operation

    Client->>Server: DPD-REQ (seq=1)
    Server-->>Client: DPD-RESP (seq=1)

    Note over Client,Server: 10 seconds pass

    Client->>Server: DPD-REQ (seq=2)
    Server-->>Client: DPD-RESP (seq=2)

    Note over Client,Server: Server becomes unresponsive

    Client->>Server: DPD-REQ (seq=3)
    Note over Client: Wait 30s timeout
    Client->>Server: DPD-REQ (seq=4)
    Note over Client: Wait 30s timeout
    Client->>Server: DPD-REQ (seq=5)
    Note over Client: Wait 30s timeout

    Client->>Client: Max failures reached
    Client->>Client: Initiate reconnect

Session Management

Session Resumption

int save_session(const char* session_id);
int resume_session(const char* session_id);
int clear_session(void);

Benefits:

  • Faster reconnection (no full auth)
  • Preserved TCP connection state
  • Resume DTLS association

Session State Machine

stateDiagram-v2
    [*] --> NoSession

    NoSession --> NewSession: Full authentication
    NewSession --> ActiveSession: Tunnel established

    ActiveSession --> SessionSuspended: Connection lost
    SessionSuspended --> ActiveSession: Resume successful
    SessionSuspended --> NoSession: Resume failed/timeout

    ActiveSession --> SessionClosing: User disconnect
    SessionClosing --> NoSession: Cleanup complete

Key Management

Key Derivation

Based on libvpncommoncrypt.so (636 KB) and OpenSSL integration:

// Pseudo-code inferred from symbols
int derive_tunnel_keys(const uint8_t* master_secret,
                       uint8_t* cstp_key,
                       uint8_t* dtls_key);

int rotate_keys(void);  // Rekey operation

Evidence:

_ZN9CStateTlv23addTunnelProtocolCipherE14ProtocolCipher
_ZN9CStateTlv24addTunnelProtocolVersionE15ProtocolVersion
CSslProtocol::resetRekeyTimer
CTlsProtocol::resetRekeyTimer

IP Protocol Support

IPv4 and IPv6

int set_ip_protocol(ADDR_FAMILY family);  // AF_INET or AF_INET6
int get_combined_ip_protocols(ADDR_FAMILY* remote, ADDR_FAMILY* local);

Evidence:

_ZN13PreferenceMgr23GetSupportedIPProtocolsER11ADDR_FAMILYS1_RbS2_
_ZNK14CHostConfigMgr32GetCombinedRemotePeerIPProtocolsEv
_ZNK9CVpnParam28GetCombinedSGAddrIPProtocolsEv

Dual-Stack Support

All platforms support:

  • IPv4-only tunnels
  • IPv6-only tunnels
  • Dual-stack (IPv4 + IPv6) tunnels

Error Handling

Common Error Codes

enum VpnErrorCode {
    VPN_SUCCESS = 0,
    VPN_ERROR_AUTH_FAILED = 1,
    VPN_ERROR_CONNECTION_TIMEOUT = 2,
    VPN_ERROR_SERVER_UNREACHABLE = 3,
    VPN_ERROR_CERTIFICATE_INVALID = 4,
    VPN_ERROR_PROTOCOL_MISMATCH = 5,
    VPN_ERROR_TUNNEL_FAILED = 6,
    VPN_ERROR_SESSION_EXPIRED = 7
};

Evidence: Error strings found in binaries:

VPNMGR_ERROR_SESSION_INFO_REPORT_DELAYED
WINSECAPI_ERROR_LOGONUSER_FAILED
CERTSTORE_ERROR_COLLECTIVE_ALREADY_LOCKED_FOR_STORE

Configuration Management

Profile Loading

int load_profile(const char* profile_path);
int parse_xml_profile(const char* xml_data);

Evidence:

_ZN16XmlLocalACPolMgr25LoadLocalAnyConnectPolicyEv
AnyConnectProfile.xsd (XML Schema Definition)
AnyConnectLocalPolicy.xsd

Preference Management

int get_preference(const char* key, char* value, size_t len);
int set_preference(const char* key, const char* value);

Evidence:

_ZN13PreferenceMgr18GetCertificatePinsE...
_ZN13PreferenceMgr23GetSupportedIPProtocolsE...

Platform Abstraction

Common Interface Layer

All platform-specific implementations must provide:

// Network interface
int create_tunnel_device(const char* name);
int configure_tunnel_device(const char* name, const IPConfig* config);
int destroy_tunnel_device(const char* name);

// Routing
int add_route(const IPAddress* dest, const IPAddress* gateway);
int delete_route(const IPAddress* dest);

// DNS
int set_dns_servers(const IPAddress* servers, int count);

Platform Implementations:

  • Linux: TUN/TAP devices, netlink, systemd-resolved
  • Windows: NDIS drivers, routing table API, NRPT
  • macOS: utun devices, Network Extension framework

Summary

This common functionality layer provides:

  1. Unified API across all platforms (libvpnapi.so, vpnapi.dll, vpnapi.dylib)
  2. Protocol implementation (CSTP, DTLS, TLS 1.3/1.2)
  3. Authentication methods (Basic, Digest, Certificate, TOTP, SAML)
  4. Session management (connect, disconnect, resume)
  5. Crypto operations (OpenSSL 1.1.0+ integration)
  6. Error handling and logging
  7. Configuration management (XML profiles)

Total API Surface: 1,019 exported functions in libvpnapi.so

Next: Linux Platform-Specific Features