use delay_tunnel_reason for OC DTLS MTU detection and GPST ESP connection delays
authorDaniel Lenski <dlenski@gmail.com>
Wed, 20 May 2020 06:28:55 +0000 (23:28 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Wed, 20 May 2020 06:31:30 +0000 (23:31 -0700)
As suggested here: https://gitlab.com/openconnect/openconnect/-/commit/55ffb457010974c05096a78ac917692b7fac664b#note_343873848

There's no clear rationale for using it with the Pulse/oNCP ESP setup (yet):
- We don't do any MTU detection
- Unlike GPST, we can start sending and receiving packets via the TLS tunnel
  immediately, while attempting to connect ESP as well.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
cstp.c
dtls.c
gpst.c
mainloop.c

diff --git a/cstp.c b/cstp.c
index 1e38f56efbd95e5ad0a3481b0cef4d107e265437..79e37bacd03313290e2e0053eaf5e6d70edd4d0c 100644 (file)
--- a/cstp.c
+++ b/cstp.c
@@ -303,6 +303,8 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
                        buf_free(dtls12_cl);
                }
                append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
+
+               vpninfo->delay_tunnel_reason = "DTLS MTU detection";
        }
 #endif
        buf_append(reqbuf, "\r\n");
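Review bot: The assignment on L29 marks the tunnel as delayed as soon as DTLS is merely requested in the CONNECT headers, before the server's reply says whether DTLS will be offered at all. For a server that declines DTLS the flag is set with nothing in this hunk to clear it; the mainloop hunk in this commit does not show where the reset happens either, so please confirm the flag is dropped on every mainloop pass, or move this line to the point where the X-DTLS response headers have been parsed and dtls_state actually leaves the disabled states. A short comment would also explain why a DTLS-specific reason is seeded from cstp.c rather than dtls.c, e.g. `/* Hold tun creation until the DTLS handshake yields the link MTU; dtls_mainloop() re-asserts this while connecting */`. start_cstp_connection() begins before this hunk and continues after it.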
diff --git a/dtls.c b/dtls.c
index 5025f6b07d4da319b4fb2fe3f1050c1f8f2cac65..fc969a4de4450c673bb16da0c41adb9d1f04b925 100644 (file)
--- a/dtls.c
+++ b/dtls.c
@@ -287,6 +287,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 
        if (vpninfo->dtls_state == DTLS_CONNECTING) {
                dtls_try_handshake(vpninfo);
+               vpninfo->delay_tunnel_reason = "DTLS MTU detection";
                return 0;
        }
 
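Review bot: The reason string on L41 is stored after dtls_try_handshake() returns without re-checking dtls_state, so on the very pass where the handshake completes or gives up the tunnel is still held back for one more iteration even though there is nothing left to wait for. If dtls_try_handshake() can move the state out of DTLS_CONNECTING (the old mainloop code's DTLS_SLEEPING handling suggests it can), guard the assignment: `if (vpninfo->dtls_state == DTLS_CONNECTING) vpninfo->delay_tunnel_reason = "DTLS MTU detection";`. The same literal is also written in cstp.c; a single shared constant would keep the two from drifting apart. dtls_mainloop() continues outside this hunk.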
diff --git a/gpst.c b/gpst.c
index a32668773addf45a8a8c05005ee2ea8a58c57722..b100f4a21d7e72e0e3ca63b8694d09c898d435c8 100644 (file)
--- a/gpst.c
+++ b/gpst.c
@@ -567,9 +567,11 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
                                }
                                if (openconnect_setup_esp_keys(vpninfo, 0))
                                        vpn_progress(vpninfo, PRG_ERR, "Failed to setup ESP keys.\n");
-                               else
+                               else {
                                        /* prevent race condition between esp_mainloop() and gpst_mainloop() timers */
                                        vpninfo->dtls_times.last_rekey = time(&vpninfo->new_dtls_started);
+                                       vpninfo->delay_tunnel_reason = "awaiting GPST ESP connection";
+                               }
                        }
 #else
                        vpn_progress(vpninfo, PRG_DEBUG, _("Ignoring ESP keys since ESP support not available in this build\n"));
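Review bot: The pre-existing comment on L55 ("prevent race condition between esp_mainloop() and gpst_mainloop() timers") now heads a two-statement block, so it reads as though it also explains the `delay_tunnel_reason` assignment on L57, which is unrelated to the rekey timer. Give the new line its own comment, e.g. `/* Hold off the tun device until ESP connects or gpst_mainloop()'s grace period expires */`. Note that this assignment appears to cover only the first mainloop pass after configuration; if the mainloop drops the flag each pass (not visible here), gpst_mainloop() must re-assert it, which the second gpst.c hunk does while the deadline has not passed. gpst_parse_config_xml() begins before this hunk and continues after it.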
@@ -1105,8 +1107,10 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
        case DTLS_SECRET:
        case DTLS_SLEEPING:
                /* Allow 5 seconds after configuration for ESP to start */
-               if (!ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + 5))
+               if (!ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + 5)) {
+                       vpninfo->delay_tunnel_reason = "awaiting GPST ESP connection";
                        return 0;
+               }
 
                /* ... before we switch to HTTPS instead */
                vpn_progress(vpninfo, PRG_ERR,
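Review bot: The 5-second grace period on L67 is a bare magic number that must stay in step with the comment on L65, and the reason text "awaiting GPST ESP connection" on L68 is now duplicated with the copy in gpst_parse_config_xml(); a file-scope `#define GPST_ESP_CONNECT_GRACE 5` used in both the comment and the deadline, plus one `static const char *` for the reason string, would keep the three from drifting. Since the deadline also governs how long the tun device is withheld, it is worth saying so in the comment, e.g. `/* Allow GPST_ESP_CONNECT_GRACE seconds after configuration for ESP to start; the tun device is held back for the same period */`. gpst_mainloop() continues outside this hunk.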
index e2afe4437c1a265ae223b5690283b608ebfa136e..c158f63ab360303995258bde0a6c276825801b7c 100644 (file)
@@ -205,16 +205,7 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
                        timeout = 1000;
 
                if (!tun_is_up(vpninfo)) {
-                       /* Postpone tun device creation after DTLS is connected so
-                        * we have a better knowledge of the link MTU. We also
-                        * force the creation if DTLS enters sleeping mode - i.e.,
-                        * we failed to connect on time. */
-                       if (!tun_is_up(vpninfo) && (vpninfo->dtls_state == DTLS_CONNECTED ||
-                           vpninfo->dtls_state == DTLS_SLEEPING)) {
-                               ret = setup_tun_device(vpninfo);
-                               if (ret)
-                                       break;
-                       } else if (vpninfo->delay_tunnel_reason) {
+                       if (vpninfo->delay_tunnel_reason) {
                                vpn_progress(vpninfo, PRG_INFO, _("Delaying tunnel for %d ms with reason: %s\n"),
                                             timeout, vpninfo->delay_tunnel_reason);
                                /* XX: don't let this spin forever */
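Review bot: The removed branch on L83–L84 was the only hard stop in this loop: once DTLS reached DTLS_SLEEPING the tun device was created regardless of anything else. After the change the tunnel comes up only when no protocol asserts `delay_tunnel_reason`, so the bound on the delay now lives entirely in each protocol's mainloop, and the "XX: don't let this spin forever" comment on L92 records that no cap exists here. Consider adding one in this function, e.g. a `time_t` noted when the reason is first seen and checked as `if (vpninfo->delay_tunnel_reason && time(NULL) < delay_deadline)` before honouring it, so a protocol that keeps re-asserting the reason cannot keep the tun down indefinitely. The PRG_INFO message on L90 also fires on every pass through the loop while the tun is down, which with the 1000 ms timeout on L76 or a readable socket can repeat many times; PRG_DEBUG or PRG_TRACE suits a per-iteration message better. openconnect_mainloop() begins before this hunk and continues after it.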