2 * Open AnyConnect (SSL + DTLS) client
4 * © 2008 David Woodhouse <dwmw2@infradead.org>
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public License
8 * as published by the Free Software Foundation; either version 2.1 of
9 * the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to:
19 * Free Software Foundation, Inc.
20 * 51 Franklin Street, Fifth Floor,
21 * Boston, MA 02110-1301 USA
27 #include <sys/select.h>
29 #include <arpa/inet.h>
32 #include "openconnect.h"
34 void queue_packet(struct pkt **q, struct pkt *new)
43 int queue_new_packet(struct pkt **q, int type, void *buf, int len)
45 struct pkt *new = malloc(sizeof(struct pkt) + len);
52 memcpy(new->data, buf, len);
57 int vpn_add_pollfd(struct openconnect_info *vpninfo, int fd, short events)
60 vpninfo->pfds = realloc(vpninfo->pfds, sizeof(struct pollfd) * vpninfo->nfds);
62 vpninfo->progress(vpninfo, PRG_ERR, "Failed to reallocate pfds\n");
65 vpninfo->pfds[vpninfo->nfds - 1].fd = fd;
66 vpninfo->pfds[vpninfo->nfds - 1].events = events;
68 return vpninfo->nfds - 1;
73 static void handle_sigint(int sig)
78 int vpn_mainloop(struct openconnect_info *vpninfo)
81 memset(&sa, 0, sizeof(sa));
82 sa.sa_handler = handle_sigint;
84 sigaction(SIGINT, &sa, NULL);
85 sigaction(SIGHUP, &sa, NULL);
87 while (!vpninfo->quit_reason) {
89 int timeout = INT_MAX;
91 if (vpninfo->new_dtls_ssl)
92 dtls_try_handshake(vpninfo);
94 if (vpninfo->dtls_attempt_period && !vpninfo->dtls_ssl && !vpninfo->new_dtls_ssl &&
95 vpninfo->new_dtls_started + vpninfo->dtls_attempt_period < time(NULL)) {
96 vpninfo->progress(vpninfo, PRG_TRACE, "Attempt new DTLS connection\n");
97 connect_dtls_socket(vpninfo);
99 if (vpninfo->dtls_ssl)
100 did_work += dtls_mainloop(vpninfo, &timeout);
102 if (vpninfo->quit_reason)
105 did_work += cstp_mainloop(vpninfo, &timeout);
106 if (vpninfo->quit_reason)
109 did_work += tun_mainloop(vpninfo, &timeout);
110 if (vpninfo->quit_reason)
114 if (killed == SIGHUP)
115 vpninfo->quit_reason = "Client received SIGHUP";
116 else if (killed == SIGINT)
117 vpninfo->quit_reason = "Client received SIGINT";
119 vpninfo->quit_reason = "Client killed";
126 vpninfo->progress(vpninfo, PRG_TRACE,
127 "Did no work; sleeping for %d ms...\n", timeout);
129 poll(vpninfo->pfds, vpninfo->nfds, timeout);
130 if (vpninfo->pfds[vpninfo->ssl_pfd].revents & POLL_HUP) {
131 vpninfo->progress(vpninfo, PRG_ERR, "Server closed connection!\n");
132 /* OpenSSL doesn't seem to cope properly with this... */
137 cstp_bye(vpninfo, vpninfo->quit_reason);
138 vpninfo->progress(vpninfo, PRG_INFO, "Sent quit message: %s\n", vpninfo->quit_reason);
140 if (vpninfo->vpnc_script) {
141 if (vpninfo->script_tun) {
142 kill(vpninfo->script_tun, SIGHUP);
143 close(vpninfo->tun_fd);
145 setenv("TUNDEV", vpninfo->ifname, 1);
146 setenv("reason", "disconnect", 1);
147 system(vpninfo->vpnc_script);
154 /* Called when the socket is unwritable, to get the deadline for DPD.
155 Returns 1 if DPD deadline has already arrived. */
156 int ka_stalled_dpd_time(struct keepalive_info *ka, int *timeout)
164 due = ka->last_rx + (2 * ka->dpd);
169 if (*timeout > (due - now) * 1000)
170 *timeout = (due - now) * 1000;
176 int keepalive_action(struct keepalive_info *ka, int *timeout)
178 time_t now = time(NULL);
181 time_t due = ka->last_rekey + ka->rekey;
186 if (*timeout > (due - now) * 1000)
187 *timeout = (due - now) * 1000;
190 /* DPD is bidirectional -- PKT 3 out, PKT 4 back */
192 time_t due = ka->last_rx + ka->dpd;
193 time_t overdue = ka->last_rx + (2 * ka->dpd);
195 /* Peer didn't respond */
199 /* If we already have DPD outstanding, don't flood. Repeat by
200 all means, but only after half the DPD period. */
201 if (ka->last_dpd > ka->last_rx)
202 due = ka->last_dpd + ka->dpd / 2;
204 /* We haven't seen a packet from this host for $DPD seconds.
205 Prod it to see if it's still alive */
210 if (*timeout > (due - now) * 1000)
211 *timeout = (due - now) * 1000;
214 /* Keepalive is just client -> server */
216 time_t due = ka->last_tx + ka->keepalive;
218 /* If we haven't sent anything for $KEEPALIVE seconds, send a
219 dummy packet (which the server will discard) */
223 if (*timeout > (due - now) * 1000)
224 *timeout = (due - now) * 1000;