[PATCH 00/10] GPST patches, trying again
Daniel Lenski
dlenski at gmail.com
Tue Jan 9 00:01:14 PST 2018
Here is a new, cleaned-up set of GlobalProtect patches.

These apply and build cleanly on top of David's gpst
(currently at 82d4430da8f593109f90637fafb799a41a937330,
http://git.infradead.org/users/dwmw2/openconnect.git/shortlog/refs/heads/gpst)
*after* merging the upstream master
(currently at fdaba772b27d66f92a3d035d18d7b4e15292f6b9,
http://git.infradead.org/users/dwmw2/openconnect.git/shortlog).

These patches add three new features not yet included in the gpst
branch:

1. HIP report spoofing/submission (~ GP version of ~CSD, ~TNCC)
2. Tunnel-based rekey
3. Replay protection with GlobalProtect ESP (just sets the appropriate flag :-D)

They also include a lot of cleanup and bug fixing:

1. Less dodgy XML and query string handling.
2. Fixing compilation *without* HAVE_ESP.
3. Fixing bugs in the tap-dance required to prevent the GPST and
   ESP tunnels from running simultaneously, including a very subtle
   one that would only occur when the ESP tunnel failed and then
   the connection was rekeyed or restarted... and would cause CPU
   usage to spike.

Thanks,
Dan
Daniel Lenski (10):
  Unfortunately, xmlNodeGetContent can't be avoided
  Add buf_append_xmlescaped() and use it to build GP XML config
  Clean up dodgy query-string building in gpst.c
  Add support for checking and submitting HIP reports
  Use ka_check_deadline() to simplify gpst_mainloop() and esp_mainloop()
    timers
  Improve GPST/ESP not-stepping-on-toes tap dance
  Fix a really subtle bug causing 100% CPU utilization after ESP tunnel
    failure, and subsequent reconnect
  Add support for tunnel-based rekey for GlobalProtect
  Use ESP replay protection with GlobalProtect
  Fix compilation without HAVE_ESP, and conditionally compile more
    functions that are only used for ESP
auth-globalprotect.c | 20 ++--
esp.c | 10 +-
gpst.c | 289 +++++++++++++++++++++++++++++++++++++++++++++----
hipreport.sh | 185 +++++++++++++++++++++++++++++++
http.c | 13 +++
mainloop.c | 2 +-
openconnect-internal.h | 2 +
www/Makefile.am | 2 +-
www/features.xml | 2 +-
www/globalprotect.xml | 7 ++
www/hip.xml | 89 +++++++++++++++
11 files changed, 578 insertions(+), 43 deletions(-)
create mode 100755 hipreport.sh
create mode 100644 www/hip.xml
--
2.7.4