NaCl needs to whitelist (split-exclude) the gateway's IP address, because it doesn't have the option of whitelisting individual file descriptors. Use vpninfo->ip_info.gateway_addr to track the numeric representation of vpn->peer_addr. This is just an RFC, so the standard API change procedure hasn't been completed yet. Also, this field winds up being NULL on CrOS anyway, probably because getnameinfo() isn't implemented yet. Signed-off-by: Kevin Cernekee <cernekee at gmail.com> --- library.c | 13 +++++++++---- openconnect.h | 5 +++++ script.c | 7 ++----- ssl.c | 9 ++++++++- 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/library.c b/library.c index cc0aaed..3970ba0 100644 --- a/library.c +++ b/library.c @@ -252,6 +252,7 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo) CloseHandle(vpninfo->dtls_event); #endif free(vpninfo->peer_addr); + free(vpninfo->ip_info.gateway_addr); free_optlist(vpninfo->csd_env); free_optlist(vpninfo->script_env); free_optlist(vpninfo->cookies); @@ -385,6 +386,8 @@ int openconnect_set_hostname(struct openconnect_info *vpninfo, vpninfo->unique_hostname = NULL; free(vpninfo->peer_addr); vpninfo->peer_addr = NULL; + free(vpninfo->ip_info.gateway_addr); + vpninfo->ip_info.gateway_addr = NULL; return 0; } @@ -521,10 +524,12 @@ void openconnect_reset_ssl(struct openconnect_info *vpninfo) { vpninfo->got_cancel_cmd = 0; openconnect_close_https(vpninfo, 0); - if (vpninfo->peer_addr) { - free(vpninfo->peer_addr); - vpninfo->peer_addr = NULL; - } + + free(vpninfo->peer_addr); + vpninfo->peer_addr = NULL; + free(vpninfo->ip_info.gateway_addr); + vpninfo->ip_info.gateway_addr = NULL; + openconnect_clear_cookies(vpninfo); } diff --git a/openconnect.h b/openconnect.h index d8b94c2..1dd683f 100644 --- a/openconnect.h +++ b/openconnect.h @@ -248,6 +248,11 @@ struct oc_ip_info { struct oc_split_include *split_dns; struct oc_split_include *split_includes; struct oc_split_include *split_excludes; + + /* The elements above this line come from server-provided CSTP headers, + * so they should be handled with caution. gateway_addr is generated + * locally from getnameinfo(). */ + char *gateway_addr; }; struct oc_vpn_option { diff --git a/script.c b/script.c index 75f1b16..8300f01 100644 --- a/script.c +++ b/script.c @@ -210,11 +210,8 @@ static void set_banner(struct openconnect_info *vpninfo) void prepare_script_env(struct openconnect_info *vpninfo) { - char host[80]; - int ret = getnameinfo(vpninfo->peer_addr, vpninfo->peer_addrlen, host, - sizeof(host), NULL, 0, NI_NUMERICHOST); - if (!ret) - script_setenv(vpninfo, "VPNGATEWAY", host, 0); + if (vpninfo->ip_info.gateway_addr) + script_setenv(vpninfo, "VPNGATEWAY", vpninfo->ip_info.gateway_addr, 0); set_banner(vpninfo); script_setenv(vpninfo, "CISCO_SPLIT_INC", NULL, 0); diff --git a/ssl.c b/ssl.c index 21d90ad..55a1ecd 100644 --- a/ssl.c +++ b/ssl.c @@ -347,12 +347,17 @@ int connect_https_socket(struct openconnect_info *vpninfo) if (!err) { /* Store the peer address we actually used, so that DTLS can use it again later */ - if (host[0]) + free(vpninfo->ip_info.gateway_addr); + vpninfo->ip_info.gateway_addr = NULL; + + if (host[0]) { + vpninfo->ip_info.gateway_addr = strdup(host); vpn_progress(vpninfo, PRG_INFO, _("Connected to %s%s%s:%s\n"), rp->ai_family == AF_INET6 ? "[" : "", host, rp->ai_family == AF_INET6 ? "]" : "", port); + } free(vpninfo->peer_addr); vpninfo->peer_addrlen = 0; @@ -423,6 +428,8 @@ int connect_https_socket(struct openconnect_info *vpninfo) free(vpninfo->peer_addr); vpninfo->peer_addr = 0; vpninfo->peer_addrlen = 0; + free(vpninfo->ip_info.gateway_addr); + vpninfo->ip_info.gateway_addr = NULL; } } freeaddrinfo(result); -- 1.9.1