Commit 64e97762 authored by Daniel Lenski's avatar Daniel Lenski

Merge branch 'GP_IPv6_baby_steps' into 'master'

GP: ESP debug messages and more IPv6 baby steps

See merge request openconnect/openconnect!155
parents 73410320 589a0a8f
......@@ -459,6 +459,7 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
char *s = NULL, *deferred_netmask = NULL;
struct oc_split_include *inc;
int split_route_is_default_route = 0;
int n_dns = 0, got_ipv6 = 0, got_esp = 0;
int ii;
if (!xml_node || !xmlnode_is_named(xml_node, "response"))
......@@ -522,10 +523,21 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
"gateway address (%s). Please report any this to\n"
"<openconnect-devel@lists.infradead.org>, including any problems\n"
"with ESP or other apparent loss of connectivity or performance.\n"), s, vpninfo->ip_info.gateway_addr);
} else if (xmlnode_is_named(xml_node, "dns-v6")) {
got_ipv6 |= 1;
goto handle_dns;
} else if (xmlnode_is_named(xml_node, "dns")) {
for (ii=0, member = xml_node->children; member && ii<3; member=member->next)
if (!xmlnode_get_val(member, "member", &s))
vpninfo->ip_info.dns[ii++] = add_option(vpninfo, "DNS", &s);
handle_dns:
for (member = xml_node->children; member && n_dns<3; member=member->next) {
if (!xmlnode_get_val(member, "member", &s)) {
for (ii=0; ii<n_dns; ii++)
/* XX: frequent duplicates between <dns> and <dns-v6> */
if (!strcmp(s, vpninfo->ip_info.dns[ii]))
break;
if (ii==n_dns)
vpninfo->ip_info.dns[n_dns++] = add_option(vpninfo, "DNS", &s);
}
}
} else if (xmlnode_is_named(xml_node, "wins")) {
for (ii=0, member = xml_node->children; member && ii<3; member=member->next)
if (!xmlnode_get_val(member, "member", &s))
......@@ -540,10 +552,14 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
vpninfo->ip_info.domain = add_option(vpninfo, "search", &domains->data);
}
buf_free(domains);
} else if (xmlnode_is_named(xml_node, "access-routes-v6") || xmlnode_is_named(xml_node, "exclude-access-routes-v6")) {
got_ipv6 |= 1;
goto handle_routes;
} else if (xmlnode_is_named(xml_node, "access-routes") || xmlnode_is_named(xml_node, "exclude-access-routes")) {
handle_routes:
for (member = xml_node->children; member; member=member->next) {
if (!xmlnode_get_val(member, "member", &s)) {
int is_inc = xmlnode_is_named(xml_node, "access-routes");
int is_inc = (xml_node->name[0] == 'a');
/* XX: if this is a default route jammed into the split-include
* routes, just mark it for now.
......@@ -585,9 +601,12 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
else if (!xmlnode_get_val(member, "ipsec-mode", &s) && strcmp(s, "esp-tunnel"))
vpn_progress(vpninfo, PRG_ERR, _("GlobalProtect config sent ipsec-mode=%s (expected esp-tunnel)\n"), s);
}
if (openconnect_setup_esp_keys(vpninfo, 0))
if (vpninfo->esp_enc > 0 && vpninfo->esp_hmac > 0 && vpninfo->enc_key_len > 0 && vpninfo->hmac_key_len > 0)
vpn_progress(vpninfo, PRG_ERR, "Server's ESP configuration is incomplete or uses unknown algorithms.\n");
else if (openconnect_setup_esp_keys(vpninfo, 0))
vpn_progress(vpninfo, PRG_ERR, "Failed to setup ESP keys.\n");
else {
got_esp = 1;
/* prevent race condition between esp_mainloop() and gpst_mainloop() timers */
vpninfo->dtls_times.last_rekey = time(&vpninfo->new_dtls_started);
vpninfo->delay_tunnel_reason = "awaiting GPST ESP connection";
......@@ -611,12 +630,10 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
*/
free(s);
s = (char *)xmlNodeGetContent(xml_node);
if (strchr((char *)xml_node->name, '6'))
vpn_progress(vpninfo, PRG_ERR, _("Potential IPv6-related GlobalProtect config tag <%s>: %s\n"
"This build does not support GlobalProtect IPv6 due to a lack of\n"
"of information on how it is configured. Please report this\n"
"to <openconnect-devel@lists.infradead.org>.\n"), xml_node->name, s);
else
if (strchr((char *)xml_node->name, '6')) {
got_ipv6 |= 2;
vpn_progress(vpninfo, PRG_ERR, _("Potential IPv6-related GlobalProtect config tag <%s>: %s\n"), xml_node->name, s);
} else
vpn_progress(vpninfo, PRG_DEBUG, _("Unknown GlobalProtect config tag <%s>: %s\n"), xml_node->name, s);
}
}
......@@ -655,6 +672,17 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
vpninfo->ssl_times.dpd = 10;
vpninfo->ssl_times.keepalive = vpninfo->esp_ssl_fallback = vpninfo->ssl_times.dpd;
/* Warn about IPv6 config, if present, and ESP config, if absent */
if (got_ipv6)
vpn_progress(vpninfo, PRG_ERR, _("GlobalProtect config includes IPv6, but this build does not support\n"
"it IPv6 due to a lack of information on how GlobalProtect configures it.\n"
"Please report this to <openconnect-devel@lists.infradead.org>.\n"));
#ifdef HAVE_ESP
if (!got_esp)
vpn_progress(vpninfo, vpninfo->dtls_state != DTLS_DISABLED ? PRG_ERR : PRG_DEBUG,
_("Did not receive ESP keys in GlobalProtect config; tunnel will be TLS only. "));
#endif
free(s);
return 0;
}
......
......@@ -21,6 +21,7 @@
<li><i>Explicitly disable 3DES and RC4, unless enabled with <tt>--allow-insecure-crypto</tt> (<a href="https://gitlab.com/openconnect/openconnect/-/merge_requests/114">!114</a>)</i></li>
<li><i>Add obsolete-server-crypto test (<a href="https://gitlab.com/openconnect/openconnect/-/merge_requests/114">!114</a>)</i></li>
<li>Allow protocols to delay tunnel setup and shutdown (<a href="https://gitlab.com/openconnect/openconnect/-/merge_requests/117">!117</a>)</li>
<li>Incomplete, speculative support for GlobalProtect IPv6 (<a href="https://gitlab.com/openconnect/openconnect/-/merge_requests/155">!155</a>; previous work in <a href="https://gitlab.com/openconnect/openconnect/commit/d6db0ec03394234d41fbec7ffc794ceeb486a8f0">d6db0ec</a>)</li>
</ul><br/>
</li>
<li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz">OpenConnect v8.10</a></b>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment