change delay_tunnel → delay_tunnel_reason, use for DTLS MTU detection and GPST ESP...
authorDaniel Lenski <dlenski@gmail.com>
Mon, 18 May 2020 05:46:28 +0000 (22:46 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Mon, 18 May 2020 05:46:30 +0000 (22:46 -0700)
As suggested here: https://gitlab.com/openconnect/openconnect/-/commit/55ffb457010974c05096a78ac917692b7fac664b#note_343873848

There's no clear rationale for using this with Pulse/oNCP ESP setup (yet):
- We don't do any MTU detection
- Unlike GPST, we can start sending and receiving packets via the TLS tunnel
  immediately, while attempting to connect ESP as well.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
cstp.c
dtls.c
gpst.c
mainloop.c
openconnect-internal.h
ppp.c

diff --git a/cstp.c b/cstp.c
index 138a5897b1ab9b01d7fabe1fa91275f0c1f6a82c..f223f71ffd51a638ecb67454d57f291447fb0de4 100644 (file)
--- a/cstp.c
+++ b/cstp.c
@@ -303,6 +303,8 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
                        buf_free(dtls12_cl);
                }
                append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
+
+               vpninfo->delay_tunnel_reason = "DTLS MTU detection";
        }
 #endif
        buf_append(reqbuf, "\r\n");
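Review bot: The rationale for the delay is dropped rather than moved: the comment explaining that tun creation waits for DTLS so the link MTU is known (removed from mainloop.c in this commit) is not carried over to the new assignment `vpninfo->delay_tunnel_reason = "DTLS MTU detection";`. Suggest a comment above it such as `/* Postpone tun device creation until DTLS connects or gives up, so the link MTU is known; dtls_mainloop() re-asserts this each pass while DTLS_CONNECTING. */`. Since the mainloop clears the reason on every pass, this assignment only covers the first pass and the ongoing delay depends on dtls.c re-setting it, which the comment should make explicit. start_cstp_connection begins and ends outside this hunk.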
diff --git a/dtls.c b/dtls.c
index ca68fede05f44764ead361cf857f75ef20d25395..fc969a4de4450c673bb16da0c41adb9d1f04b925 100644 (file)
--- a/dtls.c
+++ b/dtls.c
@@ -287,6 +287,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 
        if (vpninfo->dtls_state == DTLS_CONNECTING) {
                dtls_try_handshake(vpninfo);
+               vpninfo->delay_tunnel_reason = "DTLS MTU detection";
                return 0;
        }
 
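Review bot: The reason is re-asserted after `dtls_try_handshake(vpninfo);` regardless of what that call did, so if the handshake completes or gives up inside this same call, tun setup is still postponed for one more mainloop pass. If dtls_try_handshake() can change dtls_state in place — which the hunk does not show — guarding it as `if (vpninfo->dtls_state == DTLS_CONNECTING) vpninfo->delay_tunnel_reason = "DTLS MTU detection";` avoids that extra pass. dtls_mainloop continues outside the hunk.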
@@ -712,4 +713,3 @@ void dtls_detect_mtu(struct openconnect_info *vpninfo)
  skip_mtu:
        free(buf);
 }
-
diff --git a/gpst.c b/gpst.c
index 833e3bc8feac1fbdca5c7fec0e17dbc6815dec65..eaabcc86dae4e2a652516b4f8bf29561706995c8 100644 (file)
--- a/gpst.c
+++ b/gpst.c
@@ -479,9 +479,11 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
                                }
                                if (openconnect_setup_esp_keys(vpninfo, 0))
                                        vpn_progress(vpninfo, PRG_ERR, "Failed to setup ESP keys.\n");
-                               else
+                               else {
                                        /* prevent race condition between esp_mainloop() and gpst_mainloop() timers */
                                        vpninfo->dtls_times.last_rekey = time(&vpninfo->new_dtls_started);
+                                       vpninfo->delay_tunnel_reason = "awaiting GPST ESP connection";
+                               }
                        }
 #else
                        vpn_progress(vpninfo, PRG_DEBUG, _("Ignoring ESP keys since ESP support not available in this build\n"));
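Review bot: The reason string `"awaiting GPST ESP connection"` is duplicated literally here and in the gpst_mainloop hunk below, and `"PPP negotiation"` likewise in both ppp.c hunks; since mainloop.c only stores and prints the pointer, one file-scope constant per reason keeps the two sites from drifting. For example `static const char esp_delay_reason[] = "awaiting GPST ESP connection";` at file scope and `vpninfo->delay_tunnel_reason = esp_delay_reason;` at both sites. gpst_parse_config_xml begins and ends outside this hunk.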
@@ -1025,8 +1027,10 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
        case DTLS_SECRET:
        case DTLS_SLEEPING:
                /* Allow 5 seconds after configuration for ESP to start */
-               if (!ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + 5))
+               if (!ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + 5)) {
+                       vpninfo->delay_tunnel_reason = "awaiting GPST ESP connection";
                        return 0;
+               }
 
                /* ... before we switch to HTTPS instead */
                vpn_progress(vpninfo, PRG_ERR,
index 13d4592526b8bc7ee1c7237106b1db2baa874e10..92f45f08ba9b6923867c699c0ac81ba5449737d3 100644 (file)
@@ -207,17 +207,11 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
                        timeout = 1000;
 
                if (!tun_is_up(vpninfo)) {
-                       if (vpninfo->delay_tunnel > 0) {
-                               vpn_progress(vpninfo, PRG_DEBUG, _("Delaying tunnel by protocol request.\n"));
+                       if (vpninfo->delay_tunnel_reason) {
+                               vpn_progress(vpninfo, PRG_INFO, _("Delaying tunnel with reason: %s\n"),
+                                            vpninfo->delay_tunnel_reason);
                                /* XX: don't let this spin forever */
-                               if (--vpninfo->delay_tunnel > 0)
-                                       did_work++;
-                       } else if (vpninfo->dtls_state == DTLS_CONNECTING) {
-                               /* Postpone tun device creation after DTLS is connected so
-                                * we have a better knowledge of the link MTU. We also
-                                * force the creation if DTLS enters sleeping mode - i.e.,
-                                * we failed to connect on time. */
-                               vpn_progress(vpninfo, PRG_DEBUG, _("Delaying tunnel until link MTU determined.\n"));
+                               vpninfo->delay_tunnel_reason = NULL;
                        } else {
                                /* No DTLS, or DTLS failed; setup TUN device unconditionally */
                                ret = setup_tun_device(vpninfo);
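Review bot: The new message at `vpn_progress(vpninfo, PRG_INFO, _("Delaying tunnel with reason: %s\n"), ...)` is emitted on every mainloop pass while a protocol keeps re-setting the reason (dtls.c does so on each DTLS_CONNECTING poll), and it was PRG_DEBUG before, so if PRG_INFO is shown at the default verbosity the line will repeat for the whole DTLS handshake. Either keep it at PRG_DEBUG, or remember the last reason logged and print only when it changes. The retained `/* XX: don't let this spin forever */` comment now sits above an unconditional `vpninfo->delay_tunnel_reason = NULL;` and no longer describes a counter; reword it to say that clearing here means a protocol must re-set the reason on each pass it still needs the delay. openconnect_mainloop begins and ends outside this hunk.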
@@ -247,10 +241,13 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
                poll_cmd_fd(vpninfo, 0);
                if (vpninfo->got_cancel_cmd) {
                        if (vpninfo->delay_close > 0) {
-                               vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel.\n"));
-                               /* XX: don't let this spin forever */
-                               if (--vpninfo->delay_close > 0)
+                               if (vpninfo->delay_close > 1) {
+                                       vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel (until we send again).\n"));
                                        did_work++;
+                               } else
+                                       vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel (until we receive again).\n"));
+                               /* XX: don't let this spin forever */
+                               --vpninfo->delay_close;
                        } else if (vpninfo->cancel_type == OC_CMD_CANCEL) {
                                vpninfo->quit_reason = "Aborted by caller";
                                vpninfo->got_cancel_cmd = 0;
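Review bot: The new `} else` after `if (vpninfo->delay_close > 1) {` leaves an unbraced else body beside a braced if body; bracing both arms avoids the dangling-statement hazard and matches the surrounding code. The same shape appears in the next hunk (the got_pause_cmd branch). Suggested: `} else {` / `vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel (until we receive again).\n"));` / `}`.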
@@ -265,10 +262,14 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
 
                if (vpninfo->got_pause_cmd) {
                        if (vpninfo->delay_close > 0) {
-                               vpn_progress(vpninfo, PRG_DEBUG, _("Delaying pause.\n"));
                                 /* XX: don't let this spin forever */
-                               if (--vpninfo->delay_close > 0)
+                               if (vpninfo->delay_close > 1) {
+                                       vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel (need to send again).\n"));
                                        did_work++;
+                               } else
+                                       vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel (need to receive again).\n"));
+                               /* XX: don't let this spin forever */
+                               --vpninfo->delay_close;
                        } else {
                                /* close all connections and wait for the user to call
                                   openconnect_mainloop() again */
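Review bot: Both new messages in the got_pause_cmd branch say "cancel": `_("Delaying cancel (need to send again).\n")` and `_("Delaying cancel (need to receive again).\n")` replace the previous "Delaying pause." and leave the log unable to distinguish a pause from a cancel. They should read `_("Delaying pause (until we send again).\n")` and `_("Delaying pause (until we receive again).\n")`, which also matches the wording chosen in the cancel branch. The branch also ends up with two copies of `/* XX: don't let this spin forever */` (the retained one at the top and the added one above `--vpninfo->delay_close;`); drop one. openconnect_mainloop continues outside this hunk.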
index 055ff6f15e2a1777c62ffb78a83ebbd8be61de79..4b00da59fb19b79b1ef75ab400685d6cf991f83b 100644 (file)
@@ -649,8 +649,6 @@ struct openconnect_info {
 #endif
        int ssl_fd;
        int dtls_fd;
-       int delay_tunnel;                       /* Delay tunnel setup (2 for immediate callback, 1 for wait) */
-       int delay_close;                        /* Delay close of mainloop (2 for immediate callback, 1 for wait) */
 
        int dtls_tos_current;
        int dtls_pass_tos;
@@ -684,6 +682,8 @@ struct openconnect_info {
        char *version_string;
 
        const char *quit_reason;
+       const char *delay_tunnel_reason;        /* Delay tunnel setup */
+       int delay_close;                        /* Delay close of mainloop (2 for immediate callback, 1 for wait) */
 
        int verbose;
        void *cbdata;
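Review bot: The comment on the new field, `/* Delay tunnel setup */`, does not state the contract the mainloop imposes: the value is logged and then reset to NULL on every pass, so a protocol must set it again on each pass it still needs the delay, and it must point at storage that outlives the pass (every caller in this commit uses a string literal). Suggest `/* Non-NULL while a protocol needs tun setup postponed. openconnect_mainloop() logs and clears it every pass, so protocols must re-set it each pass; must point to static storage. */`.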
diff --git a/ppp.c b/ppp.c
index 8b9d6e19c8e7e4d59ccc463e6cf930df27bc6788..d5164b267a17ed935805a4c9be6e94ba5fc0ba09 100644 (file)
--- a/ppp.c
+++ b/ppp.c
@@ -213,7 +213,7 @@ int openconnect_ppp_new(struct openconnect_info *vpninfo,
                return -ENOMEM;
 
        /* Delay tunnel setup during PPP negotiation */
-       vpninfo->delay_tunnel = 1;
+       vpninfo->delay_tunnel_reason = "PPP negotiation";
 
        /* Nameservers to request from peer
         * (see https://tools.ietf.org/html/rfc1877#section-1) */
@@ -899,7 +899,7 @@ static int handle_state_transition(struct openconnect_info *vpninfo, int *timeou
        }
 
        /* Delay tunnel setup until after PPP negotiation */
-       vpninfo->delay_tunnel = (ppp->ppp_state == PPPS_NETWORK ? 0 : 1);
+       vpninfo->delay_tunnel_reason = (ppp->ppp_state == PPPS_NETWORK ? NULL : "PPP negotiation");
 
        if (last_state != ppp->ppp_state) {
                vpn_progress(vpninfo, PRG_DEBUG,