From: Daniel Lenski
Date: Mon, 18 May 2020 05:46:28 +0000 (-0700)
Subject: change delay_tunnel → delay_tunnel_reason, use for DTLS MTU detection and GPST ESP...
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=294534d5a2574cbe8b8054a0fa627cb72c10acd8;p=users%2Fdwmw2%2Fopenconnect.git

change delay_tunnel → delay_tunnel_reason, use for DTLS MTU detection and GPST ESP connection delays as well

As suggested here: https://gitlab.com/openconnect/openconnect/-/commit/55ffb457010974c05096a78ac917692b7fac664b#note_343873848

There's no clear rationale for using with Pulse/oNCP ESP setup (yet):
- We don't do any MTU detection
- Unlike GPST, we can start sending and receiving packets via the TLS tunnel immediately, while attempting to connect ESP as well.

Signed-off-by: Daniel Lenski
---
diff --git a/cstp.c b/cstp.c
index 138a5897..f223f71f 100644
--- a/cstp.c
+++ b/cstp.c
@@ -303,6 +303,8 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 buf_free(dtls12_cl);
 }
 append_compr_types(reqbuf, "DTLS", vpninfo->req_compr & ~COMPR_DEFLATE);
+
+ vpninfo->delay_tunnel_reason = "DTLS MTU detection";
 }
 #endif
 buf_append(reqbuf, "\r\n");
diff --git a/dtls.c b/dtls.c
index ca68fede..fc969a4d 100644
--- a/dtls.c
+++ b/dtls.c
@@ -287,6 +287,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 
 if (vpninfo->dtls_state == DTLS_CONNECTING) {
 dtls_try_handshake(vpninfo);
+ vpninfo->delay_tunnel_reason = "DTLS MTU detection";
 return 0;
 }
 
@@ -712,4 +713,3 @@ void dtls_detect_mtu(struct openconnect_info *vpninfo)
 skip_mtu:
 free(buf);
 }
-
diff --git a/gpst.c b/gpst.c
index 833e3bc8..eaabcc86 100644
--- a/gpst.c
+++ b/gpst.c
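Review bot: start_cstp_connection stores "DTLS MTU detection" at the point where DTLS is merely requested, before the server has accepted it, so a server that declines DTLS still costs one withheld pass of openconnect_mainloop(); that is harmless only because the mainloop resets the field after reading it, and nothing at this site says so. A one-line comment above the assignment, `/* Consumed (reset to NULL) by openconnect_mainloop() on its next pass; dtls_mainloop() re-sets it while the handshake is in progress */`, would make the hand-off explicit. start_cstp_connection continues outside the hunk.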
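Review bot: In dtls_mainloop the reason is stored after dtls_try_handshake() returns without re-checking dtls_state, so if that call moves the state out of DTLS_CONNECTING (presumably on success or on giving up) the tunnel is still held back for one further pass, whereas the mainloop test this replaces only delayed while the state was DTLS_CONNECTING. Guarding the store keeps the old timing: `if (vpninfo->dtls_state == DTLS_CONNECTING) vpninfo->delay_tunnel_reason = "DTLS MTU detection";`. dtls_mainloop's body continues outside the hunk.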
@@ -479,9 +479,11 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
 }
 if (openconnect_setup_esp_keys(vpninfo, 0))
 vpn_progress(vpninfo, PRG_ERR, "Failed to setup ESP keys.\n");
- else
+ else {
 /* prevent race condition between esp_mainloop() and gpst_mainloop() timers */
 vpninfo->dtls_times.last_rekey = time(&vpninfo->new_dtls_started);
+ vpninfo->delay_tunnel_reason = "awaiting GPST ESP connection";
+ }
 }
 #else
 vpn_progress(vpninfo, PRG_DEBUG, _("Ignoring ESP keys since ESP support not available in this build\n"));
@@ -1025,8 +1027,10 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 case DTLS_SECRET:
 case DTLS_SLEEPING:
 /* Allow 5 seconds after configuration for ESP to start */
- if (!ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + 5))
+ if (!ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + 5)) {
+ vpninfo->delay_tunnel_reason = "awaiting GPST ESP connection";
 return 0;
+ }
 
 /* ... before we switch to HTTPS instead */
 vpn_progress(vpninfo, PRG_ERR,
diff --git a/mainloop.c b/mainloop.c
index 13d45925..92f45f08 100644
--- a/mainloop.c
+++ b/mainloop.c
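Review bot: The literal "awaiting GPST ESP connection" now appears twice, in gpst_parse_config_xml and in the DTLS_SECRET/DTLS_SLEEPING case of gpst_mainloop, and the two copies will drift as they are edited independently; a single file-scope `static const char esp_delay_reason[] = "awaiting GPST ESP connection";` used at both sites keeps the message consistent and gives any later pointer comparison one address to compare against. In the first hunk the store sits next to the new_dtls_started timestamp that the 5-second deadline in gpst_mainloop() is measured from, so a comment such as `/* hold the tunnel until ESP is up or the 5-second deadline checked in gpst_mainloop() expires */` would make that hand-off visible where it starts. Both enclosing functions continue outside their hunks.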
@@ -207,17 +207,11 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
 timeout = 1000;
 
 if (!tun_is_up(vpninfo)) {
- if (vpninfo->delay_tunnel > 0) {
- vpn_progress(vpninfo, PRG_DEBUG, _("Delaying tunnel by protocol request.\n"));
+ if (vpninfo->delay_tunnel_reason) {
+ vpn_progress(vpninfo, PRG_INFO, _("Delaying tunnel with reason: %s\n"),
+ vpninfo->delay_tunnel_reason);
 /* XX: don't let this spin forever */
- if (--vpninfo->delay_tunnel > 0)
- did_work++;
- } else if (vpninfo->dtls_state == DTLS_CONNECTING) {
- /* Postpone tun device creation after DTLS is connected so
- * we have a better knowledge of the link MTU. We also
- * force the creation if DTLS enters sleeping mode - i.e.,
- * we failed to connect on time. */
- vpn_progress(vpninfo, PRG_DEBUG, _("Delaying tunnel until link MTU determined.\n"));
+ vpninfo->delay_tunnel_reason = NULL;
 } else {
 /* No DTLS, or DTLS failed; setup TUN device unconditionally */
 ret = setup_tun_device(vpninfo);
@@ -247,10 +241,13 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
 poll_cmd_fd(vpninfo, 0);
 if (vpninfo->got_cancel_cmd) {
 if (vpninfo->delay_close > 0) {
- vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel.\n"));
- /* XX: don't let this spin forever */
- if (--vpninfo->delay_close > 0)
+ if (vpninfo->delay_close > 1) {
+ vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel (until we send again).\n"));
 did_work++;
+ } else
+ vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel (until we receive again).\n"));
+ /* XX: don't let this spin forever */
+ --vpninfo->delay_close;
 } else if (vpninfo->cancel_type == OC_CMD_CANCEL) {
 vpninfo->quit_reason = "Aborted by caller";
 vpninfo->got_cancel_cmd = 0;
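Review bot: The new PRG_INFO message in the first hunk is emitted on every pass of openconnect_mainloop() while the tunnel is held back, and because the field is reset to NULL right after and the protocol stores it again on each pass (dtls_mainloop does so on every DTLS_CONNECTING pass, presumably once per wakeup), a multi-second DTLS handshake repeats the same line at INFO level each time the loop wakes. Either keep the previous PRG_DEBUG level, or remember the last reason printed in a loop-local `const char *` and call vpn_progress() only when `vpninfo->delay_tunnel_reason != last_reason` — every value stored on this page is a string literal, so a pointer comparison is enough. The retained `/* XX: don't let this spin forever */` no longer describes a mechanism: the countdown it referred to is gone and termination now depends on the protocol ceasing to set the field, so I would replace it with `/* Reset every pass: a protocol must store it again on each pass it still needs the delay */`. The enclosing while loop begins outside the hunk.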
@@ -265,10 +262,14 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
 
 if (vpninfo->got_pause_cmd) {
 if (vpninfo->delay_close > 0) {
- vpn_progress(vpninfo, PRG_DEBUG, _("Delaying pause.\n"));
 /* XX: don't let this spin forever */
- if (--vpninfo->delay_close > 0)
+ if (vpninfo->delay_close > 1) {
+ vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel (need to send again).\n"));
 did_work++;
+ } else
+ vpn_progress(vpninfo, PRG_DEBUG, _("Delaying cancel (need to receive again).\n"));
+ /* XX: don't let this spin forever */
+ --vpninfo->delay_close;
 } else {
 /* close all connections and wait for the user to call
 openconnect_mainloop() again */
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 055ff6f1..4b00da59 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -649,8 +649,6 @@ struct openconnect_info {
 #endif
 int ssl_fd;
 int dtls_fd;
- int delay_tunnel; /* Delay tunnel setup (2 for immediate callback, 1 for wait) */
- int delay_close; /* Delay close of mainloop (2 for immediate callback, 1 for wait) */
 int dtls_tos_current;
 int dtls_pass_tos;
 
@@ -684,6 +682,8 @@ struct openconnect_info {
 
 char *version_string;
 const char *quit_reason;
+ const char *delay_tunnel_reason; /* Delay tunnel setup */
+ int delay_close; /* Delay close of mainloop (2 for immediate callback, 1 for wait) */
 
 int verbose;
 void *cbdata;
diff --git a/ppp.c b/ppp.c
index 8b9d6e19..d5164b26 100644
--- a/ppp.c
+++ b/ppp.c
@@ -213,7 +213,7 @@ int openconnect_ppp_new(struct openconnect_info *vpninfo,
 return -ENOMEM;
 
 /* Delay tunnel setup during PPP negotiation */
- vpninfo->delay_tunnel = 1;
+ vpninfo->delay_tunnel_reason = "PPP negotiation";
 
 /* Nameservers to request from peer
 * (see https://tools.ietf.org/html/rfc1877#section-1) */
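Review bot: Both new messages in the got_pause_cmd branch of openconnect_mainloop say "Delaying cancel" although this branch handles a pause and replaces the old `_("Delaying pause.\n")`; they should read `_("Delaying pause (until we send again).\n")` and `_("Delaying pause (until we receive again).\n")`, which also aligns the wording with the "(until we …)" form used in the got_cancel_cmd hunk instead of "(need to …)". The two branches are now identical apart from the message text, so a small static helper taking the verb would remove the duplication that produced this copy-paste slip. The enclosing function continues outside the hunk.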
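Review bot: `/* Delay tunnel setup */` on the new delay_tunnel_reason member in openconnect-internal.h does not state the contract the other hunks rely on: every store on this page is a string literal, openconnect_mainloop() reads the field once and resets it to NULL, and nothing frees it, so a protocol must store it again on every pass it still wants the delay and must never point it at a heap or stack buffer. I would expand the comment to `/* Why tunnel setup is being held back, or NULL; must point to static storage. openconnect_mainloop() resets it after reading, so set it again on each pass the delay is still needed. */`. The struct continues outside the hunk.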
@@ -899,7 +899,7 @@ static int handle_state_transition(struct openconnect_info *vpninfo, int *timeou
 }
 
 /* Delay tunnel setup until after PPP negotiation */
- vpninfo->delay_tunnel = (ppp->ppp_state == PPPS_NETWORK ? 0 : 1);
+ vpninfo->delay_tunnel_reason = (ppp->ppp_state == PPPS_NETWORK ? NULL : "PPP negotiation");
 
 if (last_state != ppp->ppp_state) {
 vpn_progress(vpninfo, PRG_DEBUG,
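Review bot: handle_state_transition writes NULL into delay_tunnel_reason whenever ppp_state is PPPS_NETWORK, which discards any reason another component stored earlier in the same pass; nothing else sets it for PPP today, but the commit message already anticipates ESP setup on Pulse/oNCP using the same field, and openconnect_mainloop() resets the field itself whenever it acts on it, so the NULL store is redundant. `if (ppp->ppp_state != PPPS_NETWORK) vpninfo->delay_tunnel_reason = "PPP negotiation";` expresses the intent without the side effect. handle_state_transition continues outside the hunk.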