mainloop.c
2
* OpenConnect (SSL + DTLS) VPN client
4
* Copyright © 2008-2015 Intel Corporation.
6
7
8
* Author: David Woodhouse <dwmw2@infradead.org>
*
* This program is free software; you can redistribute it and/or
9
* modify it under the terms of the GNU Lesser General Public License
10
* version 2.1, as published by the Free Software Foundation.
12
* This program is distributed in the hope that it will be useful, but
13
14
15
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
16
17
*/
18
19
#include <config.h>
20
21
#include "openconnect-internal.h"
22
#include <unistd.h>
23
24
25
26
27
#ifndef _WIN32
/* for setgroups() */
# include <sys/types.h>
# include <grp.h>
#endif
29
30
31
32
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
34
35
int queue_new_packet(struct openconnect_info *vpninfo,
struct pkt_q *q, void *buf, int len)
37
struct pkt *new = alloc_pkt(vpninfo, len);
38
if (!new)
39
40
return -ENOMEM;
41
42
43
44
new->len = len;
new->next = NULL;
memcpy(new->data, buf, len);
queue_packet(q, new);
45
46
47
return 0;
}
48
49
/* This is here because it's generic and hence can't live in either of the
tun*.c files for specific platforms */
50
int tun_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable, int did_work)
52
struct pkt *this;
53
54
int work_done = 0;
55
if (readable && read_fd_monitored(vpninfo, tun)) {
56
struct pkt *out_pkt = vpninfo->tun_pkt;
57
58
59
60
while (1) {
int len = vpninfo->ip_info.mtu;
if (!out_pkt) {
61
out_pkt = alloc_pkt(vpninfo, len + vpninfo->pkt_trailer);
62
if (!out_pkt) {
63
vpn_progress(vpninfo, PRG_ERR, _("Allocation failed\n"));
64
65
66
67
68
break;
}
out_pkt->len = len;
}
69
if (os_read_tun(vpninfo, out_pkt))
70
71
72
73
74
break;
vpninfo->stats.tx_pkts++;
vpninfo->stats.tx_bytes += out_pkt->len;
work_done = 1;
76
if (queue_packet(&vpninfo->outgoing_queue, out_pkt) +
77
vpninfo->tcp_control_queue.count >= vpninfo->max_qlen) {
78
out_pkt = NULL;
79
80
81
unmonitor_read_fd(vpninfo, tun);
break;
}
82
out_pkt = NULL;
84
vpninfo->tun_pkt = out_pkt;
85
} else if (vpninfo->outgoing_queue.count + vpninfo->tcp_control_queue.count < vpninfo->max_qlen) {
86
87
88
monitor_read_fd(vpninfo, tun);
}
89
while ((this = dequeue_packet(&vpninfo->incoming_queue))) {
91
92
unmonitor_write_fd(vpninfo, tun);
93
94
if (os_write_tun(vpninfo, this)) {
requeue_packet(&vpninfo->incoming_queue, this);
95
break;
97
98
99
100
vpninfo->stats.rx_pkts++;
vpninfo->stats.rx_bytes += this->len;
101
free_pkt(vpninfo, this);
102
103
104
105
106
}
/* Work is not done if we just got rid of packets off the queue */
return work_done;
}
107
108
109
110
static int setup_tun_device(struct openconnect_info *vpninfo)
{
int ret;
111
112
113
114
115
116
if (vpninfo->setup_tun) {
vpninfo->setup_tun(vpninfo->cbdata);
if (tun_is_up(vpninfo))
return 0;
}
117
118
119
120
#ifndef _WIN32
if (vpninfo->use_tun_script) {
ret = openconnect_setup_tun_script(vpninfo, vpninfo->vpnc_script);
if (ret) {
121
vpn_progress(vpninfo, PRG_ERR, _("Set up tun script failed\n"));
122
123
124
125
126
127
return ret;
}
} else
#endif
ret = openconnect_setup_tun_device(vpninfo, vpninfo->vpnc_script, vpninfo->ifname);
if (ret) {
128
vpn_progress(vpninfo, PRG_ERR, _("Set up tun device failed\n"));
129
130
if (!vpninfo->quit_reason)
vpninfo->quit_reason = "Set up tun device failed";
131
132
133
return ret;
}
134
#if !defined(_WIN32) && !defined(__native_client__)
135
if (vpninfo->uid != getuid()) {
136
if (setgid(vpninfo->gid)) {
137
vpn_progress(vpninfo, PRG_ERR, _("Failed to set gid %ld: %s\n"),
138
(long)vpninfo->gid, strerror(errno));
139
140
141
142
return -EPERM;
}
if (setgroups(1, &vpninfo->gid)) {
143
vpn_progress(vpninfo, PRG_ERR, _("Failed to set groups to %ld: %s\n"),
144
(long)vpninfo->gid, strerror(errno));
145
146
147
return -EPERM;
}
148
if (setuid(vpninfo->uid)) {
149
vpn_progress(vpninfo, PRG_ERR, _("Failed to set uid %ld: %s\n"),
150
(long)vpninfo->uid, strerror(errno));
151
152
153
154
155
156
157
return -EPERM;
}
}
#endif
return 0;
}
158
/* Return value:
159
* = 0, when successfully paused (may call again)
160
161
* = -EINTR, if aborted locally via OC_CMD_CANCEL
* = -ECONNABORTED, if aborted locally via OC_CMD_DETACH
162
163
164
165
* = -EPIPE, if the remote end explicitly terminated the session
* = -EPERM, if the gateway sent 401 Unauthorized (cookie expired)
* < 0, for any other error
*/
166
167
168
int openconnect_mainloop(struct openconnect_info *vpninfo,
int reconnect_timeout,
int reconnect_interval)
170
int ret = 0;
171
int tun_r = 1, udp_r = 1, tcp_r = 1;
172
173
174
175
#ifdef HAVE_VHOST
int vhost_r = 0;
#endif
176
177
178
vpninfo->reconnect_timeout = reconnect_timeout;
vpninfo->reconnect_interval = reconnect_interval;
179
if (vpninfo->cmd_fd != -1) {
180
181
monitor_fd_new(vpninfo, cmd);
monitor_read_fd(vpninfo, cmd);
184
while (!vpninfo->quit_reason) {
185
int did_work = 0;
186
int timeout;
187
188
189
190
#ifdef _WIN32
HANDLE events[4];
int nr_events = 0;
#else
191
192
struct timeval tv;
fd_set rfds, wfds, efds;
193
#endif
195
196
/* If tun is not up, loop more often to detect
* a DTLS timeout (due to a firewall block) as soon. */
197
if (tun_is_up(vpninfo))
198
199
200
201
timeout = INT_MAX;
else
timeout = 1000;
202
if (!tun_is_up(vpninfo)) {
203
if (vpninfo->delay_tunnel_reason) {
204
205
vpn_progress(vpninfo, PRG_TRACE, _("Delaying tunnel with reason: %s\n"),
vpninfo->delay_tunnel_reason);
206
207
208
209
210
211
/* XX: don't let this spin forever */
vpninfo->delay_tunnel_reason = NULL;
} else {
/* No DTLS, or DTLS failed; setup TUN device unconditionally */
ret = setup_tun_device(vpninfo);
if (ret)
212
213
break;
}
216
if (vpninfo->dtls_state > DTLS_DISABLED) {
217
ret = vpninfo->proto->udp_mainloop(vpninfo, &timeout, udp_r);
218
219
220
221
if (vpninfo->quit_reason)
break;
did_work += ret;
}
223
ret = vpninfo->proto->tcp_mainloop(vpninfo, &timeout, tcp_r);
224
225
if (vpninfo->quit_reason)
break;
226
did_work += ret;
229
230
/* Tun must be last because it will set/clear its bit
in the select_rfds according to the queue length */
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
if (!tun_is_up(vpninfo)) {
struct pkt *this;
/* no tun yet; clear any queued packets */
while ((this = dequeue_packet(&vpninfo->incoming_queue)))
free_pkt(vpninfo, this);
#ifdef HAVE_VHOST
} else if (vpninfo->vhost_fd != -1) {
did_work += vhost_tun_mainloop(vpninfo, &timeout, vhost_r, did_work);
/* If it returns zero *then* it will have read the eventfd
* and there's no need to do so again until we poll again. */
if (!did_work)
vhost_r = 0;
#endif
} else {
did_work += tun_mainloop(vpninfo, &timeout, tun_r, did_work);
}
247
248
249
if (vpninfo->quit_reason)
break;
250
251
252
if (vpninfo->need_poll_cmd_fd)
poll_cmd_fd(vpninfo, 0);
253
if (vpninfo->got_cancel_cmd) {
254
255
if (vpninfo->delay_close != NO_DELAY_CLOSE) {
if (vpninfo->delay_close == DELAY_CLOSE_IMMEDIATE_CALLBACK) {
256
vpn_progress(vpninfo, PRG_TRACE, _("Delaying cancel (immediate callback).\n"));
257
258
did_work++;
} else
259
vpn_progress(vpninfo, PRG_TRACE, _("Delaying cancel.\n"));
260
261
262
/* XX: don't let this spin forever */
vpninfo->delay_close = NO_DELAY_CLOSE;
} else if (vpninfo->cancel_type == OC_CMD_CANCEL) {
263
vpninfo->quit_reason = "Aborted by caller";
264
vpninfo->got_cancel_cmd = 0;
265
ret = -EINTR;
266
break;
267
} else {
268
vpninfo->got_cancel_cmd = 0;
269
ret = -ECONNABORTED;
270
break;
274
if (vpninfo->got_pause_cmd) {
275
276
277
if (vpninfo->delay_close != NO_DELAY_CLOSE) {
/* XX: don't let this spin forever */
if (vpninfo->delay_close == DELAY_CLOSE_IMMEDIATE_CALLBACK) {
278
vpn_progress(vpninfo, PRG_TRACE, _("Delaying pause (immediate callback).\n"));
279
280
did_work++;
} else
281
vpn_progress(vpninfo, PRG_TRACE, _("Delaying pause.\n"));
282
283
284
285
286
287
288
289
290
291
/* XX: don't let this spin forever */
vpninfo->delay_close = NO_DELAY_CLOSE;
} else {
/* close all connections and wait for the user to call
openconnect_mainloop() again */
openconnect_close_https(vpninfo, 0);
if (vpninfo->dtls_state > DTLS_DISABLED) {
vpninfo->proto->udp_close(vpninfo);
vpninfo->new_dtls_started = 0;
}
293
294
vpninfo->got_pause_cmd = 0;
vpn_progress(vpninfo, PRG_INFO, _("Caller paused the connection\n"));
295
296
297
298
if (vpninfo->cmd_fd >= 0)
unmonitor_fd(vpninfo, cmd);
299
300
return 0;
}
303
304
305
if (did_work)
continue;
306
vpn_progress(vpninfo, PRG_TRACE,
307
_("No work to do; sleeping for %d ms...\n"), timeout);
308
309
310
311
312
313
314
315
316
317
318
319
320
321
#ifdef _WIN32
if (vpninfo->dtls_monitored) {
WSAEventSelect(vpninfo->dtls_fd, vpninfo->dtls_event, vpninfo->dtls_monitored);
events[nr_events++] = vpninfo->dtls_event;
}
if (vpninfo->ssl_monitored) {
WSAEventSelect(vpninfo->ssl_fd, vpninfo->ssl_event, vpninfo->ssl_monitored);
events[nr_events++] = vpninfo->ssl_event;
}
if (vpninfo->cmd_monitored) {
WSAEventSelect(vpninfo->cmd_fd, vpninfo->cmd_event, vpninfo->cmd_monitored);
events[nr_events++] = vpninfo->cmd_event;
}
322
323
324
if (vpninfo->tun_monitored) {
events[nr_events++] = vpninfo->tun_rd_overlap.hEvent;
}
325
if (WaitForMultipleObjects(nr_events, events, FALSE, timeout) == WAIT_FAILED) {
326
char *errstr = openconnect__win32_strerror(GetLastError());
327
vpn_progress(vpninfo, PRG_ERR,
328
329
330
_("WaitForMultipleObjects failed: %s\n"),
errstr);
free(errstr);
331
332
}
#else
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
#ifdef HAVE_EPOLL
if (vpninfo->epoll_fd >= 0) {
struct epoll_event evs[5];
/* During busy periods, monitor_read_fd() and unmonitor_read_fd()
* may get called multiple times as we go round and round the
* loop and queues get full then have space again. In the past
* with the select() loop, that was only a bitflip in the fd_set
* and didn't cost much. With epoll() it's actually a system
* call, so don't do it every time. Wait until we're about to
* sleep, and *then* ensure that we call epoll_ctl() to sync the
* set of events that we care about, if it's changed. */
if (vpninfo->epoll_update) {
update_epoll_fd(vpninfo, tun);
update_epoll_fd(vpninfo, ssl);
update_epoll_fd(vpninfo, cmd);
update_epoll_fd(vpninfo, dtls);
350
351
352
#ifdef HAVE_VHOST
update_epoll_fd(vpninfo, vhost_call);
#endif
353
354
355
}
tun_r = udp_r = tcp_r = 0;
356
357
358
#ifdef HAVE_VHOST
vhost_r = 0;
#endif
359
360
361
362
363
364
365
366
367
368
369
int nfds = epoll_wait(vpninfo->epoll_fd, evs, 5, timeout);
if (nfds < 0) {
if (errno != EINTR) {
ret = -errno;
vpn_perror(vpninfo, _("Failed epoll_wait() in mainloop"));
break;
}
nfds = 0;
}
while (nfds--) {
370
if (evs[nfds].events & (EPOLLIN|EPOLLERR)) {
371
372
373
374
375
376
if (evs[nfds].data.fd == vpninfo->tun_fd)
tun_r = 1;
else if (evs[nfds].data.fd == vpninfo->ssl_fd)
tcp_r = 1;
else if (evs[nfds].data.fd == vpninfo->dtls_fd)
udp_r = 1;
377
378
379
380
#ifdef HAVE_VHOST
else if (evs[nfds].data.fd == vpninfo->vhost_call_fd)
vhost_r = 1;
#endif
381
382
383
384
385
}
}
continue;
}
#endif
386
387
388
memcpy(&rfds, &vpninfo->_select_rfds, sizeof(rfds));
memcpy(&wfds, &vpninfo->_select_wfds, sizeof(wfds));
memcpy(&efds, &vpninfo->_select_efds, sizeof(efds));
389
390
tv.tv_sec = timeout / 1000;
391
tv.tv_usec = (timeout % 1000) * 1000;
393
394
if (select(vpninfo->_select_nfds, &rfds, &wfds, &efds, &tv) < 0 &&
errno != EINTR) {
395
ret = -errno;
396
vpn_perror(vpninfo, _("Failed select() in mainloop"));
397
398
break;
}
399
400
401
402
#ifdef HAVE_VHOST
if (vpninfo->vhost_call_fd >= 0)
vhost_r = FD_ISSET(vpninfo->vhost_call_fd, &rfds);
#endif
403
404
405
406
407
408
if (vpninfo->tun_fd >= 0)
tun_r = FD_ISSET(vpninfo->tun_fd, &rfds);
if (vpninfo->dtls_fd >= 0)
udp_r = FD_ISSET(vpninfo->dtls_fd, &rfds);
if (vpninfo->ssl_fd >= 0)
tcp_r = FD_ISSET(vpninfo->ssl_fd, &rfds);
409
#endif
412
413
if (vpninfo->quit_reason && vpninfo->proto->vpn_close_session)
vpninfo->proto->vpn_close_session(vpninfo, vpninfo->quit_reason);
415
if (tun_is_up(vpninfo))
416
os_shutdown_tun(vpninfo);
417
418
419
420
if (vpninfo->cmd_fd >= 0)
unmonitor_fd(vpninfo, cmd);
421
return ret < 0 ? ret : -EIO;
424
int ka_check_deadline(int *timeout, time_t now, time_t due)
425
426
427
428
429
430
431
432
{
if (now >= due)
return 1;
if (*timeout > (due - now) * 1000)
*timeout = (due - now) * 1000;
return 0;
}
433
434
/* Called when the socket is unwritable, to get the deadline for DPD.
Returns 1 if DPD deadline has already arrived. */
435
int ka_stalled_action(struct keepalive_info *ka, int *timeout)
437
time_t now = time(NULL);
439
/* We only support the new-tunnel rekey method for now. */
440
441
442
if (ka->rekey_method != REKEY_NONE &&
ka_check_deadline(timeout, now, ka->last_rekey + ka->rekey)) {
ka->last_rekey = now;
443
return KA_REKEY;
446
447
if (ka->dpd &&
ka_check_deadline(timeout, now, ka->last_rx + (2 * ka->dpd)))
448
return KA_DPD_DEAD;
450
return KA_NONE;
451
452
453
}
454
int keepalive_action(struct keepalive_info *ka, int *timeout)
455
456
457
{
time_t now = time(NULL);
458
if (ka->rekey_method != REKEY_NONE &&
459
460
461
ka_check_deadline(timeout, now, ka->last_rekey + ka->rekey)) {
ka->last_rekey = now;
return KA_REKEY;
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
}
/* DPD is bidirectional -- PKT 3 out, PKT 4 back */
if (ka->dpd) {
time_t due = ka->last_rx + ka->dpd;
time_t overdue = ka->last_rx + (2 * ka->dpd);
/* Peer didn't respond */
if (now > overdue)
return KA_DPD_DEAD;
/* If we already have DPD outstanding, don't flood. Repeat by
all means, but only after half the DPD period. */
if (ka->last_dpd > ka->last_rx)
due = ka->last_dpd + ka->dpd / 2;
/* We haven't seen a packet from this host for $DPD seconds.
Prod it to see if it's still alive */
480
if (ka_check_deadline(timeout, now, due)) {
481
482
483
484
485
ka->last_dpd = now;
return KA_DPD;
}
}
486
487
488
489
490
491
/* Keepalive is just client -> server.
If we haven't sent anything for $KEEPALIVE seconds, send a
dummy packet (which the server will discard) */
if (ka->keepalive &&
ka_check_deadline(timeout, now, ka->last_tx + ka->keepalive))
return KA_KEEPALIVE;
492
493
494
return KA_NONE;
}
495
496
497
498
499
500
501
502
503
504
505
506
507
508
int trojan_check_deadline(struct openconnect_info *vpninfo, int *timeout)
{
time_t now = time(NULL);
if (vpninfo->trojan_interval &&
ka_check_deadline(timeout, now,
vpninfo->last_trojan + vpninfo->trojan_interval)) {
vpninfo->last_trojan = now;
return 1;
} else {
return 0;
}
}