diff --git a/gpst.c b/gpst.c index aedff46e..761a9142 100644 --- a/gpst.c +++ b/gpst.c @@ -459,6 +459,7 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_ char *s = NULL, *deferred_netmask = NULL; struct oc_split_include *inc; int split_route_is_default_route = 0; + int n_dns = 0, got_ipv6 = 0, got_esp = 0; int ii; if (!xml_node || !xmlnode_is_named(xml_node, "response")) @@ -522,10 +523,21 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_ "gateway address (%s). Please report any this to\n" ", including any problems\n" "with ESP or other apparent loss of connectivity or performance.\n"), s, vpninfo->ip_info.gateway_addr); + } else if (xmlnode_is_named(xml_node, "dns-v6")) { + got_ipv6 |= 1; + goto handle_dns; } else if (xmlnode_is_named(xml_node, "dns")) { - for (ii=0, member = xml_node->children; member && ii<3; member=member->next) - if (!xmlnode_get_val(member, "member", &s)) - vpninfo->ip_info.dns[ii++] = add_option(vpninfo, "DNS", &s); + handle_dns: + for (member = xml_node->children; member && n_dns<3; member=member->next) { + if (!xmlnode_get_val(member, "member", &s)) { + for (ii=0; ii and */ + if (!strcmp(s, vpninfo->ip_info.dns[ii])) + break; + if (ii==n_dns) + vpninfo->ip_info.dns[n_dns++] = add_option(vpninfo, "DNS", &s); + } + } } else if (xmlnode_is_named(xml_node, "wins")) { for (ii=0, member = xml_node->children; member && ii<3; member=member->next) if (!xmlnode_get_val(member, "member", &s)) 
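Review bot: The shared `n_dns<3` bound in the `handle_dns` loop means that once three `<dns>` members have been stored, every `<dns-v6>` member (and any fourth IPv4 server) is dropped without any message, since nothing reports the truncation; if `ip_info.dns` really has only three slots, as the bound suggests, at least log it. After the loop add `if (member) vpn_progress(vpninfo, PRG_DEBUG, _("Ignoring DNS servers beyond the first %d\n"), 3);` — `member` being non-NULL on exit is exactly the capped case. The dedupe comment appears garbled in this rendering (`ii and */`), so the inner loop's bound could not be checked here. gpst_parse_config_xml starts before this hunk and continues past it.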
@@ -540,10 +552,14 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_ vpninfo->ip_info.domain = add_option(vpninfo, "search", &domains->data); } buf_free(domains); + } else if (xmlnode_is_named(xml_node, "access-routes-v6") || xmlnode_is_named(xml_node, "exclude-access-routes-v6")) { + got_ipv6 |= 1; + goto handle_routes; } else if (xmlnode_is_named(xml_node, "access-routes") || xmlnode_is_named(xml_node, "exclude-access-routes")) { + handle_routes: for (member = xml_node->children; member; member=member->next) { if (!xmlnode_get_val(member, "member", &s)) { - int is_inc = xmlnode_is_named(xml_node, "access-routes"); + int is_inc = (xml_node->name[0] == 'a'); /* XX: if this is a default route jammed into the split-include * routes, just mark it for now. @@ -585,9 +601,12 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_ else if (!xmlnode_get_val(member, "ipsec-mode", &s) && strcmp(s, "esp-tunnel")) vpn_progress(vpninfo, PRG_ERR, _("GlobalProtect config sent ipsec-mode=%s (expected esp-tunnel)\n"), s); } - if (openconnect_setup_esp_keys(vpninfo, 0)) + if (vpninfo->esp_enc > 0 && vpninfo->esp_hmac > 0 && vpninfo->enc_key_len > 0 && vpninfo->hmac_key_len > 0) + vpn_progress(vpninfo, PRG_ERR, "Server's ESP configuration is incomplete or uses unknown algorithms.\n"); + else if (openconnect_setup_esp_keys(vpninfo, 0)) vpn_progress(vpninfo, PRG_ERR, "Failed to setup ESP keys.\n"); else { + got_esp = 1; /* prevent race condition between esp_mainloop() and gpst_mainloop() timers */ vpninfo->dtls_times.last_rekey = time(&vpninfo->new_dtls_started); vpninfo->delay_tunnel_reason = "awaiting GPST ESP connection"; 
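Review bot: The new completeness test before `openconnect_setup_esp_keys()` is inverted: the branch that reports "Server's ESP configuration is incomplete or uses unknown algorithms" is taken exactly when `esp_enc`, `esp_hmac`, `enc_key_len` and `hmac_key_len` are all positive, i.e. when the configuration is complete, while a config with a zero/unknown algorithm or an empty key falls through to key setup. As written every valid ESP config is refused (the tunnel silently stays TLS-only and `got_esp` remains 0), and whether `openconnect_setup_esp_keys()` itself rejects the incomplete case is not visible in this hunk. Change the test to `if (vpninfo->esp_enc <= 0 || vpninfo->esp_hmac <= 0 || vpninfo->enc_key_len <= 0 || vpninfo->hmac_key_len <= 0)` and, for consistency with the neighbouring messages, wrap the literal in `_()`. The enclosing function continues beyond the hunk.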
@@ -611,12 +630,10 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_ */ free(s); s = (char *)xmlNodeGetContent(xml_node); - if (strchr((char *)xml_node->name, '6')) - vpn_progress(vpninfo, PRG_ERR, _("Potential IPv6-related GlobalProtect config tag <%s>: %s\n" - "This build does not support GlobalProtect IPv6 due to a lack of\n" - "of information on how it is configured. Please report this\n" - "to .\n"), xml_node->name, s); - else + if (strchr((char *)xml_node->name, '6')) { + got_ipv6 |= 2; + vpn_progress(vpninfo, PRG_ERR, _("Potential IPv6-related GlobalProtect config tag <%s>: %s\n"), xml_node->name, s); + } else vpn_progress(vpninfo, PRG_DEBUG, _("Unknown GlobalProtect config tag <%s>: %s\n"), xml_node->name, s); } } @@ -655,6 +672,17 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_ vpninfo->ssl_times.dpd = 10; vpninfo->ssl_times.keepalive = vpninfo->esp_ssl_fallback = vpninfo->ssl_times.dpd; + /* Warn about IPv6 config, if present, and ESP config, if absent */ + if (got_ipv6) + vpn_progress(vpninfo, PRG_ERR, _("GlobalProtect config includes IPv6, but this build does not support\n" + "it IPv6 due to a lack of information on how GlobalProtect configures it.\n" + "Please report this to .\n")); +#ifdef HAVE_ESP + if (!got_esp) + vpn_progress(vpninfo, vpninfo->dtls_state != DTLS_DISABLED ? PRG_ERR : PRG_DEBUG, + _("Did not receive ESP keys in GlobalProtect config; tunnel will be TLS only. ")); +#endif + free(s); return 0; } diff --git a/www/changelog.xml b/www/changelog.xml index 02d81373..827cac2d 100644 --- a/www/changelog.xml +++ b/www/changelog.xml @@ -21,6 +21,7 @@
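Review bot: Two of the new user-facing strings in the final summary have wording problems: the IPv6 message reads "this build does not support\nit IPv6 due to a lack of information" (stray "it"), and the ESP message ends with ". " instead of "\n" unlike every other vpn_progress() message in this function, so the following log line will be glued onto it. Change them to `"GlobalProtect config includes IPv6, but this build does not support\n"` / `"IPv6 due to a lack of information on how GlobalProtect configures it.\n"` and `_("Did not receive ESP keys in GlobalProtect config; tunnel will be TLS only.\n")`. Separately, `got_ipv6` distinguishes bit 1 (a recognised `-v6` tag was actually parsed) from bit 2 (an unknown tag whose name merely contains a '6'), yet the summary reports both as "config includes IPv6"; consider wording the bit-2-only case as a guess rather than a fact. The function's start lies outside this hunk.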
  • Explicitly disable 3DES and RC4, unless enabled with --allow-insecure-crypto (!114)
  • Add obsolete-server-crypto test (!114)
  • Allow protocols to delay tunnel setup and shutdown (!117)
  • +
  • Incomplete, speculative support for GlobalProtect IPv6 (!155; previous work in d6db0ec)

  • OpenConnect v8.10