2 * OpenConnect (SSL + DTLS) VPN client
4 * Copyright © 2008 Intel Corporation.
6 * Author: David Woodhouse <dwmw2@infradead.org>
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * version 2.1, as published by the Free Software Foundation.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to:
20 * Free Software Foundation, Inc.
21 * 51 Franklin Street, Fifth Floor,
22 * Boston, MA 02110-1301 USA
28 #include <sys/select.h>
30 #include <arpa/inet.h>
34 #include <openssl/ssl.h>
36 #include "openconnect.h"
38 void queue_packet(struct pkt **q, struct pkt *new)
47 int queue_new_packet(struct pkt **q, int type, void *buf, int len)
49 struct pkt *new = malloc(sizeof(struct pkt) + len);
56 memcpy(new->data, buf, len);
63 static void handle_sigint(int sig)
68 int vpn_mainloop(struct openconnect_info *vpninfo)
71 memset(&sa, 0, sizeof(sa));
72 sa.sa_handler = handle_sigint;
74 sigaction(SIGTERM, &sa, NULL);
75 sigaction(SIGINT, &sa, NULL);
76 sigaction(SIGHUP, &sa, NULL);
78 while (!vpninfo->quit_reason) {
80 int timeout = INT_MAX;
82 fd_set rfds, wfds, efds;
84 #ifdef SSL_F_DTLS1_CONNECT
85 if (vpninfo->new_dtls_ssl)
86 dtls_try_handshake(vpninfo);
88 if (vpninfo->dtls_attempt_period && !vpninfo->dtls_ssl && !vpninfo->new_dtls_ssl &&
89 vpninfo->new_dtls_started + vpninfo->dtls_attempt_period < time(NULL)) {
90 vpninfo->progress(vpninfo, PRG_TRACE, "Attempt new DTLS connection\n");
91 connect_dtls_socket(vpninfo);
93 if (vpninfo->dtls_ssl)
94 did_work += dtls_mainloop(vpninfo, &timeout);
96 if (vpninfo->quit_reason)
99 did_work += cstp_mainloop(vpninfo, &timeout);
100 if (vpninfo->quit_reason)
103 /* Tun must be last because it will set/clear its bit
104 in the select_rfds according to the queue length */
105 did_work += tun_mainloop(vpninfo, &timeout);
106 if (vpninfo->quit_reason)
110 if (killed == SIGHUP)
111 vpninfo->quit_reason = "Client received SIGHUP";
112 else if (killed == SIGINT)
113 vpninfo->quit_reason = "Client received SIGINT";
115 vpninfo->quit_reason = "Client killed";
122 vpninfo->progress(vpninfo, PRG_TRACE,
123 "Did no work; sleeping for %d ms...\n", timeout);
124 memcpy(&rfds, &vpninfo->select_rfds, sizeof(rfds));
125 memcpy(&wfds, &vpninfo->select_wfds, sizeof(wfds));
126 memcpy(&efds, &vpninfo->select_efds, sizeof(efds));
128 tv.tv_sec = timeout / 1000;
129 tv.tv_usec = (timeout % 1000) * 1000;
131 select(vpninfo->select_nfds, &rfds, &wfds, &efds, &tv);
134 cstp_bye(vpninfo, vpninfo->quit_reason);
136 if (vpninfo->vpnc_script) {
137 if (vpninfo->script_tun) {
138 kill(vpninfo->script_tun, SIGHUP);
139 close(vpninfo->tun_fd);
141 setenv("TUNDEV", vpninfo->ifname, 1);
142 setenv("reason", "disconnect", 1);
143 system(vpninfo->vpnc_script);
150 /* Called when the socket is unwritable, to get the deadline for DPD.
151 Returns 1 if DPD deadline has already arrived. */
152 int ka_stalled_dpd_time(struct keepalive_info *ka, int *timeout)
160 due = ka->last_rx + (2 * ka->dpd);
165 if (*timeout > (due - now) * 1000)
166 *timeout = (due - now) * 1000;
172 int keepalive_action(struct keepalive_info *ka, int *timeout)
174 time_t now = time(NULL);
177 time_t due = ka->last_rekey + ka->rekey;
182 if (*timeout > (due - now) * 1000)
183 *timeout = (due - now) * 1000;
186 /* DPD is bidirectional -- PKT 3 out, PKT 4 back */
188 time_t due = ka->last_rx + ka->dpd;
189 time_t overdue = ka->last_rx + (2 * ka->dpd);
191 /* Peer didn't respond */
195 /* If we already have DPD outstanding, don't flood. Repeat by
196 all means, but only after half the DPD period. */
197 if (ka->last_dpd > ka->last_rx)
198 due = ka->last_dpd + ka->dpd / 2;
200 /* We haven't seen a packet from this host for $DPD seconds.
201 Prod it to see if it's still alive */
206 if (*timeout > (due - now) * 1000)
207 *timeout = (due - now) * 1000;
210 /* Keepalive is just client -> server */
212 time_t due = ka->last_tx + ka->keepalive;
214 /* If we haven't sent anything for $KEEPALIVE seconds, send a
215 dummy packet (which the server will discard) */
219 if (*timeout > (due - now) * 1000)
220 *timeout = (due - now) * 1000;