[PATCH 08/10] Add support for tunnel-based rekey for GlobalProtect

Daniel Lenski dlenski at gmail.com
Tue Jan 9 00:01:22 PST 2018


This simply means re-pulling the getconfig.esp tunnel configuration
and thereby acquiring new ESP keys and extending the lifetime of the
authentication cookie, before the <timeout> elapses.

Signed-off-by: Daniel Lenski <dlenski at gmail.com>
---
 gpst.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/gpst.c b/gpst.c
index 092dcca..009a244 100644
--- a/gpst.c
+++ b/gpst.c
@@ -421,6 +421,7 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
 	vpninfo->ip_info.domain = NULL;
 	vpninfo->ip_info.mtu = 0;
 	vpninfo->esp_magic = inet_addr(vpninfo->ip_info.gateway_addr);
+	vpninfo->ssl_times.rekey_method = REKEY_NONE;
 	vpninfo->cstp_options = NULL;
 
 	for (ii = 0; ii < 3; ii++)
@@ -436,6 +437,13 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
 		else if (!xmlnode_get_text(xml_node, "mtu", &s)) {
 			vpninfo->ip_info.mtu = atoi(s);
 			free(s);
+		} else if (!xmlnode_get_text(xml_node, "timeout", &s)) {
+			int sec = atoi(s);
+			vpn_progress(vpninfo, PRG_INFO, _("Tunnel timeout (rekey interval) is %d minutes.\n"), sec/60);
+			vpninfo->ssl_times.last_rekey = time(NULL);
+			vpninfo->ssl_times.rekey = sec - 60;
+			vpninfo->ssl_times.rekey_method = REKEY_TUNNEL;
+			free(s);
 		} else if (!xmlnode_get_text(xml_node, "gw-address", &s)) {
 			/* As remarked in oncp.c, "this is a tunnel; having a
 			 * gateway is meaningless." See esp_send_probes_gp for the
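Review bot: The server-supplied `<timeout>` value is used unvalidated: `atoi(s)` yields 0 for a non-numeric string, and any value of 60 or less makes `vpninfo->ssl_times.rekey = sec - 60` zero or negative while `rekey_method` is still set to `REKEY_TUNNEL`. If keepalive_action() treats a non-positive interval as already due (its comparison against `last_rekey` suggests so, though that code is outside this patch), every pass through the mainloop would trigger the `do_rekey` reconnect. Since `rekey_method` was already defaulted to `REKEY_NONE` earlier in this function (first hunk), the safe shape is to enable tunnel rekey only for usable values: `if (sec > 60) { vpninfo->ssl_times.rekey = sec - 60; vpninfo->ssl_times.rekey_method = REKEY_TUNNEL; }` and otherwise log the odd value with `vpn_progress(vpninfo, PRG_ERR, ...)`. Parsing with `strtol` and checking `endptr` would also reject garbage that `atoi` silently maps to 0, and the `60` margin deserves a named constant. gpst_parse_config_xml begins before this hunk.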
@@ -475,6 +483,7 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
 #ifdef HAVE_ESP
 			if (vpninfo->dtls_state != DTLS_DISABLED) {
 				int c = (vpninfo->current_esp_in ^= 1);
+				vpninfo->old_esp_maxseq = vpninfo->esp_in[c^1].seq + 32;
 				for (member = xml_node->children; member; member=member->next) {
 					s = NULL;
 					if (!xmlnode_get_text(member, "udp-port", &s))		udp_sockaddr(vpninfo, atoi(s));
@@ -890,6 +899,9 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout)
 			     _("ESP tunnel connected; exiting HTTPS mainloop.\n"));
 		vpninfo->dtls_state = DTLS_CONNECTED;
 	case DTLS_CONNECTED:
+		/* Rekey if needed */
+		if (keepalive_action(&vpninfo->ssl_times, timeout) == KA_REKEY)
+			goto do_rekey;
 		return 0;
 	case DTLS_SECRET:
 	case DTLS_SLEEPING:
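Review bot: In the `DTLS_CONNECTED` arm only `KA_REKEY` is acted on; any other result of keepalive_action() (`KA_DPD_DEAD`, `KA_KEEPALIVE`, `KA_DPD`) is dropped before `return 0`, and nothing in the hunk says why. If the intent is that the ESP mainloop owns DPD and keepalives once ESP is up, a one-line comment on the new `if` would make that explicit: `/* ESP mainloop handles DPD/keepalive; only the tunnel rekey is ours here */`. Note also that this arm is entered by fall-through from the `DTLS_CONNECTING` case above (pre-existing, but the new code now runs on that path too), so the `goto do_rekey` fires right after the "ESP tunnel connected" message if the rekey time has already passed. gpst_mainloop begins and ends outside this hunk.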
@@ -1012,6 +1024,8 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout)
 			goto do_reconnect;
 		else if (!ret) {
 			switch (ka_stalled_action(&vpninfo->ssl_times, timeout)) {
+			case KA_REKEY:
+				goto do_rekey;
 			case KA_DPD_DEAD:
 				goto peer_dead;
 			case KA_NONE:
@@ -1034,6 +1048,10 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout)
 	}
 
 	switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
+	case KA_REKEY:
+	do_rekey:
+		vpn_progress(vpninfo, PRG_INFO, _("GlobalProtect rekey due\n"));
+		goto do_reconnect;
 	case KA_DPD_DEAD:
 	peer_dead:
 		vpn_progress(vpninfo, PRG_ERR,
-- 
2.7.4



