[PATCH 2/3] Add support for tunnel-based rekey for GlobalProtect
Daniel Lenski
dlenski at gmail.com
Sun Dec 17 14:33:20 PST 2017
This simply means re-pulling the getconfig.esp tunnel configuration
and thereby acquiring new ESP keys and extending the lifetime of the
authentication cookie, before the <timeout> elapses.
Signed-off-by: Daniel Lenski <dlenski at gmail.com>
---
gpst.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/gpst.c b/gpst.c
index 0544edb..a4ec789 100644
--- a/gpst.c
+++ b/gpst.c
@@ -394,6 +394,7 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
vpninfo->ip_info.domain = NULL;
vpninfo->ip_info.mtu = 0;
vpninfo->esp_magic = inet_addr(vpninfo->ip_info.gateway_addr);
+ vpninfo->ssl_times.rekey_method = REKEY_NONE;
vpninfo->cstp_options = NULL;
for (ii = 0; ii < 3; ii++)
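Review bot: Resetting `rekey_method` to REKEY_NONE here leaves `vpninfo->ssl_times.rekey` at whatever a previous getconfig response set, so if a later response omits `<timeout>` the stale interval would presumably still make keepalive_action() report KA_REKEY (assuming it keys off `rekey`, which is outside this patch). Reset both together, `vpninfo->ssl_times.rekey = 0;` next to the added line, so the REKEY_NONE default is actually inert. gpst_parse_config_xml's body starts and ends outside the hunk.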
@@ -409,6 +410,13 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
else if (!xmlnode_get_text(xml_node, "mtu", &s)) {
vpninfo->ip_info.mtu = atoi(s);
free(s);
+ } else if (!xmlnode_get_text(xml_node, "timeout", &s)) {
+ int sec = atoi(s);
+ vpn_progress(vpninfo, PRG_INFO, _("Tunnel timeout (rekey interval) is %d minutes.\n"), sec/60);
+ vpninfo->ssl_times.last_rekey = time(NULL);
+ vpninfo->ssl_times.rekey = sec - 60;
+ vpninfo->ssl_times.rekey_method = REKEY_TUNNEL;
+ free(s);
} else if (!xmlnode_get_text(xml_node, "gw-address", &s)) {
/* As remarked in oncp.c, "this is a tunnel; having a
* gateway is meaningless." See esp_send_probes_gp for the
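Review bot: `int sec = atoi(s);` on the gateway-supplied `<timeout>` value is unchecked, so a non-numeric or small value (atoi yields 0 for junk) makes `sec - 60` zero or negative while `rekey_method` is still set to REKEY_TUNNEL; a negative `rekey` would presumably make every mainloop pass report a rekey due and reconnect in a tight loop. Guard the three `ssl_times` assignments with `if (sec > 60) {` and in the else branch log the odd value at PRG_ERR, leaving the REKEY_NONE default set earlier in the function; replacing atoi with strtol and an end-pointer check would also make the non-numeric case detectable rather than silently zero. The `sec/60` in the progress message truncates, so a 90-second timeout prints as 1 minute; printing seconds avoids the rounding. The enclosing if/else chain of gpst_parse_config_xml continues outside the hunk.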
@@ -659,6 +667,9 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout)
_("ESP tunnel connected; exiting HTTPS mainloop.\n"));
vpninfo->dtls_state = DTLS_CONNECTED;
case DTLS_CONNECTED:
+ /* Rekey if needed */
+ if (keepalive_action(&vpninfo->ssl_times, timeout) == KA_REKEY)
+ goto do_rekey;
return 0;
case DTLS_SECRET:
case DTLS_SLEEPING:
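Review bot: In the DTLS_CONNECTED case only KA_REKEY is acted on and every other keepalive_action() result (KA_DPD_DEAD, KA_KEEPALIVE) is discarded before `return 0;`, and the comment `/* Rekey if needed */` does not say why that is safe. If the reason is that DPD and keepalives for a connected ESP tunnel are handled by the ESP mainloop, say so: `/* ESP mainloop handles DPD/keepalive; only the tunnel rekey timer is checked here */`. Control also reaches this case by falling through from the preceding case that assigns `vpninfo->dtls_state = DTLS_CONNECTED;`, so the new check runs on the very pass that switched to ESP — harmless if last_rekey was set by the config parse, but worth a word. gpst_mainloop starts and ends outside the hunk.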
@@ -781,6 +792,8 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout)
goto do_reconnect;
else if (!ret) {
switch (ka_stalled_action(&vpninfo->ssl_times, timeout)) {
+ case KA_REKEY:
+ goto do_rekey;
case KA_DPD_DEAD:
goto peer_dead;
case KA_NONE:
@@ -803,6 +816,11 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout)
}
switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
+ case KA_REKEY:
+ do_rekey:
+ vpn_progress(vpninfo, PRG_INFO, _("GlobalProtect rekey due\n"));
+ goto do_reconnect;
+
case KA_DPD_DEAD:
peer_dead:
vpn_progress(vpninfo, PRG_ERR,
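Review bot: `do_rekey:` ends in `goto do_reconnect;`, so at this point in the file a rekey and a dead-peer reconnect are indistinguishable, and nothing in the code says that the rekey is (per the commit message) a refetch of getconfig.esp that yields fresh ESP keys and a refreshed cookie rather than a failure recovery; add `/* GP has no in-band rekey: refetch the tunnel config via the reconnect path to obtain new ESP keys */` above the vpn_progress call. If do_reconnect (outside the hunk) also tears down the established ESP tunnel, the progress message should say the tunnel is being re-established, since users will otherwise see an unexplained drop. The same `goto do_rekey` target is used from the KA_REKEY case added in the preceding hunk, so one comment here covers both.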
--
2.7.4