[PATCH] move sending of ONCP control packets for enabling/disabling ESP into oncp.c

Daniel Lenski dlenski at gmail.com
Sun Apr 15 16:47:59 PDT 2018


This is another small case of Juniper-specific handling in the ESP code.
The ONCP protocol needs to tell the server to explicitly enable or disable
the ESP tunnel.

I don't really understand why the separate oncp_control_queue is needed,
since these control packets only get sent when dtls_state != DTLS_CONNECTED
and therefore they would always automatically get sent via the ONCP tunnel
instead of the ESP tunnel anyway.

Signed-off-by: Daniel Lenski <dlenski at gmail.com>
---
 esp.c                  |  8 ++++----
 library.c              |  2 +-
 oncp.c                 | 15 ++++++++++++++-
 openconnect-internal.h |  2 +-
 4 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/esp.c b/esp.c
index 5cea3fb..4557b79 100644
--- a/esp.c
+++ b/esp.c
@@ -192,7 +192,6 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 				if (vpninfo->dtls_state == DTLS_SLEEPING) {
 					vpn_progress(vpninfo, PRG_INFO,
 						     _("ESP session established with server\n"));
-					queue_esp_control(vpninfo, 1);
 					vpninfo->dtls_state = DTLS_CONNECTING;
 				}
 				continue;
@@ -234,8 +233,8 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 
 	case KA_DPD_DEAD:
 		vpn_progress(vpninfo, PRG_ERR, _("ESP detected dead peer\n"));
-		queue_esp_control(vpninfo, 0);
-		esp_close(vpninfo);
+		if (vpninfo->proto->udp_close)
+			vpninfo->proto->udp_close(vpninfo);
 		if (vpninfo->proto->udp_send_probes)
 			vpninfo->proto->udp_send_probes(vpninfo);
 		return 1;
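Review bot: The `if (vpninfo->proto->udp_close)` guard means a protocol that runs esp_mainloop without a udp_close hook no longer closes the ESP socket on a dead peer, where the replaced code called esp_close() unconditionally; the same guard in the esp_shutdown hunk below would skip the socket teardown entirely in that case. Whether such a protocol exists is not visible in this patch, but an explicit fallback costs nothing: `if (vpninfo->proto->udp_close) vpninfo->proto->udp_close(vpninfo); else esp_close(vpninfo);` in both places. Note also that for ONCP the hook now queues a disable packet on the shutdown path as well, which the old esp_shutdown did not do. esp_mainloop continues outside this hunk.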
@@ -310,5 +309,6 @@ void esp_shutdown(struct openconnect_info *vpninfo)
 	destroy_esp_ciphers(&vpninfo->esp_in[0]);
 	destroy_esp_ciphers(&vpninfo->esp_in[1]);
 	destroy_esp_ciphers(&vpninfo->esp_out);
-	esp_close(vpninfo);
+	if (vpninfo->proto->udp_close)
+		vpninfo->proto->udp_close(vpninfo);
 }
diff --git a/library.c b/library.c
index b0d635b..4826c66 100644
--- a/library.c
+++ b/library.c
@@ -136,7 +136,7 @@ const struct vpn_proto openconnect_protos[] = {
 #ifdef HAVE_ESP
 		.udp_setup = esp_setup,
 		.udp_mainloop = esp_mainloop,
-		.udp_close = esp_close,
+		.udp_close = oncp_esp_close,
 		.udp_shutdown = esp_shutdown,
 		.udp_send_probes = oncp_esp_send_probes,
 		.udp_catch_probe = oncp_esp_catch_probe,
diff --git a/oncp.c b/oncp.c
index bc01a3f..dbfb1ef 100644
--- a/oncp.c
+++ b/oncp.c
@@ -452,7 +452,7 @@ static const struct pkt esp_enable_pkt = {
 	.len = 13
 };
 
-int queue_esp_control(struct openconnect_info *vpninfo, int enable)
+static int queue_esp_control(struct openconnect_info *vpninfo, int enable)
 {
 	struct pkt *new = malloc(sizeof(*new) + 13);
 	if (!new)
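Review bot: Now that queue_esp_control() is file-private its contract lives only in this file, and the definition carries no comment; the allocation on the line above also hard-codes the same `13` that appears as `.len = 13` in esp_enable_pkt just before it. A header comment such as `/* Queue an ONCP control packet asking the server to enable (1) or disable (0) the ESP channel; it goes out over the TCP channel. */` would make the one-line calls in oncp_mainloop and oncp_esp_close self-explanatory, and `sizeof(*new) + esp_enable_pkt.len` would tie the two sizes together. The function body continues outside this hunk, so what it returns on allocation failure is not visible here.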
@@ -931,6 +931,12 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 	if (vpninfo->ssl_fd == -1)
 		goto do_reconnect;
 
+	/* Queue the ESP enable message. We will start sending packets
+	   via ESP once the enable message has been *sent* over the
+	   TCP channel. */
+	if (vpninfo->dtls_state == DTLS_CONNECTING)
+		queue_esp_control(vpninfo, 1);
+
 	/* FIXME: The poll() handling here is fairly simplistic. Actually,
 	   if the SSL connection stalls it could return a WANT_WRITE error
 	   on _either_ of the SSL_read() or SSL_write() calls. In that case,
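Review bot: The new check queues an enable packet on every call of oncp_mainloop while dtls_state stays DTLS_CONNECTING, whereas the call it replaces in esp_mainloop ran once, at the DTLS_SLEEPING to DTLS_CONNECTING transition. If the state only advances after the packet has actually gone out on the TCP channel, as the new comment says, a stalled write could allocate and queue the same 13-byte packet several times; if the repetition is meant as a retry after allocation failure, that should be stated, since queue_esp_control()'s return value is ignored on the call line. A one-shot guard, e.g. `if (vpninfo->dtls_state == DTLS_CONNECTING && !esp_enable_queued)` with the flag (constructed name) cleared where dtls_state leaves DTLS_CONNECTING, or a logged error on a failing return, would settle it either way. The enclosing function continues beyond this hunk.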
@@ -1303,6 +1309,13 @@ int oncp_bye(struct openconnect_info *vpninfo, const char *reason)
 }
 
 #ifdef HAVE_ESP
+void oncp_esp_close(struct openconnect_info *vpninfo)
+{
+	/* Tell server to stop sending on ESP channel */
+	queue_esp_control(vpninfo, 0);
+	esp_close(vpninfo);
+}
+
 int oncp_esp_send_probes(struct openconnect_info *vpninfo)
 {
 	struct pkt *pkt;
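Review bot: oncp_esp_close() drops the result of queue_esp_control(), so an allocation failure leaves the server believing ESP is still in use while the local socket is already closed, with nothing logged; as the function is void, a `vpn_progress(vpninfo, PRG_ERR, ...)` on a failing return is the minimum. Because esp_shutdown now reaches this function through udp_close, a disable packet is also queued during final teardown; whether the control queue is still drained at that point is not visible here, and if it is not, that packet is leaked. A comment on the definition, `/* udp_close hook for ONCP: tell the server to stop using ESP, then release the ESP socket. */`, would record that this is the function behind .udp_close in library.c. oncp_esp_send_probes begins at the end of this hunk and continues outside it.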
diff --git a/openconnect-internal.h b/openconnect-internal.h
index e96610b..9890ff6 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -853,10 +853,10 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo);
 void oncp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
 
 /* oncp.c */
-int queue_esp_control(struct openconnect_info *vpninfo, int enable);
 int oncp_connect(struct openconnect_info *vpninfo);
 int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout);
 int oncp_bye(struct openconnect_info *vpninfo, const char *reason);
+void oncp_esp_close(struct openconnect_info *vpninfo);
 int oncp_esp_send_probes(struct openconnect_info *vpninfo);
 int oncp_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt);
 
-- 
2.7.4



