Log address family of ESP packets sent/received

Aids in debugging GlobalProtect IPv6+ESP. Signed-off-by: Daniel Lenski <dlenski@gmail.com>
sailfishos-mirror · Apr 28, 2021 · 35e3374 · 35e3374
1 parent 4b3c6c1
commit 35e3374
Showing 1 changed file with 21 additions and 12 deletions.
diff --git a/esp.c b/esp.c
@@ -167,8 +167,6 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 		if (len <= 0)
 			break;
 
-		vpn_progress(vpninfo, PRG_TRACE, _("Received ESP packet of %d bytes\n"),
-			     len);
 		work_done = 1;
 
 		/* both supported algos (SHA1 and MD5) have 12-byte MAC lengths (RFC2403 and RFC2404) */
@@ -198,13 +196,21 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 		/* Possible values of the Next Header field are:
 		   0x04: IP[v4]-in-IP
 		   0x05: supposed to mean Internet Stream Protocol
-		         (XXX: but used for LZO compressed packets by Juniper)
+		         (XXX: but used for LZO compressed IPv4 packets by Juniper)
 		   0x29: IPv6 encapsulation */
-		if (pkt->data[len - 1] != 0x04 && pkt->data[len - 1] != 0x29 &&
-		    pkt->data[len - 1] != 0x05) {
+		if (pkt->data[len - 1] == 0x04)
+			vpn_progress(vpninfo, PRG_TRACE, _("Received ESP Legacy IP packet of %d bytes\n"),
+				     len);
+		else if (pkt->data[len - 1] == 0x05)
+			vpn_progress(vpninfo, PRG_TRACE, _("Received ESP Legacy IP packet of %d bytes (LZO-compressed)\n"),
+				     len);
+		else if (pkt->data[len - 1] == 0x29)
+			vpn_progress(vpninfo, PRG_TRACE, _("Received ESP IPv6 packet of %d bytes\n"),
+				     len);
+		else {
 			vpn_progress(vpninfo, PRG_ERR,
-				     _("Received ESP packet with unrecognised payload type %02x\n"),
-				     pkt->data[len-1]);
+				     _("Received ESP packet of %d bytes with unrecognised payload type %02x\n"),
+				     len, pkt->data[len-1]);
 			continue;
 		}
 
@@ -295,14 +301,17 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 	}
 	while (1) {
 		int len;
+		int ip_version;
 
 		if (vpninfo->deflate_pkt) {
 			this = vpninfo->deflate_pkt;
 			len = this->len;
+			ip_version = this->data[0] >> 4;
 		} else {
 			this = dequeue_packet(&vpninfo->outgoing_queue);
 			if (!this)
 				break;
+			ip_version = this->data[0] >> 4;
 
 			if (vpninfo->proto->proto == PROTO_NC ||
 			    vpninfo->proto->proto == PROTO_PULSE) {
@@ -311,11 +320,11 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 				/* Pulse/NC can only accept ESP of the same protocol as the one
 				 * you connected to it with. The other has to go over IF-T/TLS. */
 				if (vpninfo->dtls_addr->sa_family == AF_INET6)
-					dontsend = 0x40;
+					dontsend = 4;
 				else
-					dontsend = 0x60;
+					dontsend = 6;
 
-				if ( (this->data[0] & 0xf0) == dontsend) {
+				if (ip_version == dontsend) {
 					store_be32(&this->pulse.vendor, 0xa4c);
 					store_be32(&this->pulse.type, 4);
 					store_be32(&this->pulse.len, this->len + 16);
@@ -362,8 +371,8 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 		} else {
 			vpninfo->dtls_times.last_tx = time(NULL);
 
-			vpn_progress(vpninfo, PRG_TRACE, _("Sent ESP packet of %d bytes\n"),
-				     len);
+			vpn_progress(vpninfo, PRG_TRACE, _("Sent ESP IPv%d packet of %d bytes\n"),
+				     ip_version, len);
 		}
 		if (this == vpninfo->deflate_pkt) {
 			unmonitor_write_fd(vpninfo, dtls);