2 * Open AnyConnect (SSL + DTLS) client
4 * © 2008 David Woodhouse <dwmw2@infradead.org>
6 * Permission to use, copy, modify, and/or distribute this software
7 * for any purpose with or without fee is hereby granted, provided
8 * that the above copyright notice and this permission notice appear
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL
12 * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
13 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
14 * AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
15 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
16 * OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
17 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
18 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 #include <sys/select.h>
26 #include <arpa/inet.h>
28 #include "anyconnect.h"
30 void queue_packet(struct pkt **q, struct pkt *new)
39 int queue_new_packet(struct pkt **q, int type, void *buf, int len)
41 struct pkt *new = malloc(sizeof(struct pkt) + len);
48 memcpy(new->data, buf, len);
53 int vpn_add_pollfd(struct anyconnect_info *vpninfo, int fd, short events)
56 vpninfo->pfds = realloc(vpninfo->pfds, sizeof(struct pollfd) * vpninfo->nfds);
58 fprintf(stderr, "Failed to reallocate pfds\n");
61 vpninfo->pfds[vpninfo->nfds - 1].fd = fd;
62 vpninfo->pfds[vpninfo->nfds - 1].events = events;
64 return vpninfo->nfds - 1;
69 static void handle_sigint(int sig)
74 int vpn_mainloop(struct anyconnect_info *vpninfo)
77 memset(&sa, 0, sizeof(sa));
78 sa.sa_handler = handle_sigint;
80 sigaction(SIGINT, &sa, NULL);
81 sigaction(SIGHUP, &sa, NULL);
83 while (!vpninfo->quit_reason) {
85 int timeout = INT_MAX;
87 if (vpninfo->new_dtls_ssl)
88 dtls_try_handshake(vpninfo);
90 if (!vpninfo->dtls_ssl && !vpninfo->new_dtls_ssl &&
91 vpninfo->new_dtls_started + vpninfo->dtls_attempt_period < time(NULL)) {
93 printf("Attempt new DTLS connection\n");
94 connect_dtls_socket(vpninfo);
96 if (vpninfo->dtls_ssl)
97 did_work += dtls_mainloop(vpninfo, &timeout);
99 if (vpninfo->quit_reason)
102 did_work += ssl_mainloop(vpninfo, &timeout);
103 if (vpninfo->quit_reason)
106 did_work += tun_mainloop(vpninfo, &timeout);
107 if (vpninfo->quit_reason)
111 if (killed == SIGHUP)
112 vpninfo->quit_reason = "Client received SIGHUP";
113 else if (killed == SIGINT)
114 vpninfo->quit_reason = "Client received SIGINT";
116 vpninfo->quit_reason = "Client killed";
124 printf("Did no work; sleeping for %d ms...\n", timeout);
126 poll(vpninfo->pfds, vpninfo->nfds, timeout);
127 if (vpninfo->pfds[vpninfo->ssl_pfd].revents & POLL_HUP) {
128 fprintf(stderr, "Server closed connection!\n");
129 /* OpenSSL doesn't seem to cope properly with this... */
134 ssl_bye(vpninfo, vpninfo->quit_reason);
135 printf("Sent quit message: %s\n", vpninfo->quit_reason);
137 if (vpninfo->vpnc_script) {
138 setenv("TUNDEV", vpninfo->ifname, 1);
139 setenv("reason", "disconnect", 1);
140 system(vpninfo->vpnc_script);
146 /* Called when the socket is unwritable, to get the deadline for DPD.
147 Returns 1 if DPD deadline has already arrived. */
148 int ka_stalled_dpd_time(struct keepalive_info *ka, int *timeout)
158 due = ka->last_rx + (2 * ka->dpd);
163 printf("ka_stalled in %d seconds\n", (int)(due - now));
164 if (*timeout > (due - now) * 1000)
165 *timeout = (due - now) * 1000;
171 int keepalive_action(struct keepalive_info *ka, int *timeout)
173 time_t now = time(NULL);
176 time_t due = ka->last_rekey + ka->rekey;
181 if (*timeout > (due - now) * 1000)
182 *timeout = (due - now) * 1000;
185 /* DPD is bidirectional -- PKT 3 out, PKT 4 back */
187 time_t due = ka->last_rx + ka->dpd;
188 time_t overdue = ka->last_rx + (2 * ka->dpd);
190 /* Peer didn't respond */
194 /* If we already have DPD outstanding, don't flood. Repeat by
195 all means, but only after half the DPD period. */
196 if (ka->last_dpd > ka->last_rx)
197 due = ka->last_dpd + ka->dpd / 2;
199 /* We haven't seen a packet from this host for $DPD seconds.
200 Prod it to see if it's still alive */
205 if (*timeout > (due - now) * 1000)
206 *timeout = (due - now) * 1000;
209 /* Keepalive is just client -> server */
211 time_t due = ka->last_tx + ka->keepalive;
213 /* If we haven't sent anything for $KEEPALIVE seconds, send a
214 dummy packet (which the server will discard) */
218 if (*timeout > (due - now) * 1000)
219 *timeout = (due - now) * 1000;