NaCl needs to whitelist (split-exclude) the gateway's IP address, because it doesn't have the option of whitelisting individual file descriptors. Use vpninfo->ip_info.gateway_addr to track the numeric representation of vpn->peer_addr.
Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
java/src/com/example/LibTest.java | 1 +
java/src/org/infradead/libopenconnect/LibOpenConnect.java | 1 +
jni.c | 1 +
library.c | 13 +++++++++----
openconnect.h | 6 ++++++
script.c | 7 ++-----
ssl.c | 9 ++++++++-
7 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/java/src/com/example/LibTest.java b/java/src/com/example/LibTest.java
index eae7692e9150..1219d938639e 100644
--- a/java/src/com/example/LibTest.java
+++ b/java/src/com/example/LibTest.java
@@ -184,6 +184,7 @@ public final class LibTest {
 System.out.println("+-IPv6: " + ip.addr6 + " / " + ip.netmask6);
 System.out.println("+-Domain: " + ip.domain);
 System.out.println("+-proxy.pac: " + ip.proxyPac);
+ System.out.println("+-Gateway IP: " + ip.gatewayAddr);
 System.out.println("+-MTU: " + ip.MTU);
 printList("+-DNS", ip.DNS);
 printList("+-NBNS", ip.NBNS);
diff --git a/java/src/org/infradead/libopenconnect/LibOpenConnect.java b/java/src/org/infradead/libopenconnect/LibOpenConnect.java
index c4a7792091b3..b65f15b4feb8 100644
--- a/java/src/org/infradead/libopenconnect/LibOpenConnect.java
+++ b/java/src/org/infradead/libopenconnect/LibOpenConnect.java
@@ -231,6 +231,7 @@ public abstract class LibOpenConnect {
 public ArrayList<String> NBNS = new ArrayList<String>();
 public String domain;
 public String proxyPac;
+ public String gatewayAddr;
 public int MTU;
 public ArrayList<String> splitDNS = new ArrayList<String>();
diff --git a/jni.c b/jni.c
index 82e2e0f34438..f806a1b995e8 100644
--- a/jni.c
+++ b/jni.c
@@ -1254,6 +1254,7 @@ JNIEXPORT jobject JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getIP
 set_string(ctx, jobj, "netmask6", ip->netmask6) ||
 set_string(ctx, jobj, "domain", ip->domain) ||
 set_string(ctx, jobj, "proxyPac", ip->proxy_pac) ||
+ set_string(ctx, jobj, "gatewayAddr", ip->gateway_addr) ||
 set_int(ctx, jobj, "MTU", ip->mtu))
 return NULL;
diff --git a/library.c b/library.c
index cc0aaed9ab4e..3970ba0a0e64 100644
--- a/library.c
+++ b/library.c
@@ -252,6 +252,7 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 CloseHandle(vpninfo->dtls_event);
 #endif
 free(vpninfo->peer_addr);
+ free(vpninfo->ip_info.gateway_addr);
 free_optlist(vpninfo->csd_env);
 free_optlist(vpninfo->script_env);
 free_optlist(vpninfo->cookies);
@@ -385,6 +386,8 @@ int openconnect_set_hostname(struct openconnect_info *vpninfo,
 vpninfo->unique_hostname = NULL;
 free(vpninfo->peer_addr);
 vpninfo->peer_addr = NULL;
+ free(vpninfo->ip_info.gateway_addr);
+ vpninfo->ip_info.gateway_addr = NULL;
 return 0;
 }
@@ -521,10 +524,12 @@ void openconnect_reset_ssl(struct openconnect_info *vpninfo)
 {
 vpninfo->got_cancel_cmd = 0;
 openconnect_close_https(vpninfo, 0);
- if (vpninfo->peer_addr) {
- free(vpninfo->peer_addr);
- vpninfo->peer_addr = NULL;
- }
+
+ free(vpninfo->peer_addr);
+ vpninfo->peer_addr = NULL;
+ free(vpninfo->ip_info.gateway_addr);
+ vpninfo->ip_info.gateway_addr = NULL;
+
 openconnect_clear_cookies(vpninfo);
 }
diff --git a/openconnect.h b/openconnect.h
index d8b94c20c911..7d0f0342f71f 100644
--- a/openconnect.h
+++ b/openconnect.h
@@ -41,6 +41,7 @@ extern "C" {
 * - Add openconnect_get_cstp_compression().
 * - Add openconnect_get_dtls_compression().
 * - Add openconnect_disable_ipv6().
+ * - Add ip_info->gateway_addr.
 *
 * API version 5.2 (v7.05; 2015-03-10):
 * - Add openconnect_set_http_auth(), openconnect_set_protocol().
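Review bot: The free-and-NULL pair for ip_info.gateway_addr is copied next to the identical pair for peer_addr in both openconnect_set_hostname and openconnect_reset_ssl, with a third free in openconnect_vpninfo_free; a small static helper, e.g. `static void clear_peer_addr(struct openconnect_info *vpninfo)` that frees and NULLs both fields, would keep the two lifetimes from drifting apart the next time one site is edited and the other is not. Because gateway_addr lives inside ip_info rather than beside peer_addr, it is also worth confirming that no code path zeroes or reinitialises ip_info wholesale when a fresh set of CSTP headers is parsed — that is not visible in this patch, but if such a path exists the strdup'd string would leak or be lost before these frees run. The jni.c hunk hands a possibly-NULL gateway_addr to set_string, which appears to be the same path the optional proxy_pac already takes, so that is fine provided set_string tolerates NULL. The openconnect_reset_ssl hunk shows the whole function; openconnect_vpninfo_free and openconnect_set_hostname start outside their hunks.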
@@ -248,6 +249,11 @@ struct oc_ip_info {
 struct oc_split_include *split_dns;
 struct oc_split_include *split_includes;
 struct oc_split_include *split_excludes;
+
+ /* The elements above this line come from server-provided CSTP headers, * so they should be handled with caution. gateway_addr is generated * locally from getnameinfo(). */
+ char *gateway_addr;
 };
 struct oc_vpn_option {
diff --git a/script.c b/script.c
index 75f1b164026f..8300f012a5e9 100644
--- a/script.c
+++ b/script.c
@@ -210,11 +210,8 @@ static void set_banner(struct openconnect_info *vpninfo)
 void prepare_script_env(struct openconnect_info *vpninfo)
 {
- char host[80];
- int ret = getnameinfo(vpninfo->peer_addr, vpninfo->peer_addrlen, host,
- sizeof(host), NULL, 0, NI_NUMERICHOST);
- if (!ret)
- script_setenv(vpninfo, "VPNGATEWAY", host, 0);
+ if (vpninfo->ip_info.gateway_addr)
+ script_setenv(vpninfo, "VPNGATEWAY", vpninfo->ip_info.gateway_addr, 0);
 set_banner(vpninfo);
 script_setenv(vpninfo, "CISCO_SPLIT_INC", NULL, 0);
diff --git a/ssl.c b/ssl.c
index 21d90ade8fc1..55a1ecd36680 100644
--- a/ssl.c
+++ b/ssl.c
@@ -347,12 +347,17 @@ int connect_https_socket(struct openconnect_info *vpninfo)
 if (!err) {
 /* Store the peer address we actually used, so that DTLS can use it again later */
- if (host[0])
+ free(vpninfo->ip_info.gateway_addr);
+ vpninfo->ip_info.gateway_addr = NULL;
+
+ if (host[0]) {
+ vpninfo->ip_info.gateway_addr = strdup(host);
 vpn_progress(vpninfo, PRG_INFO, _("Connected to %s%s%s:%s\n"), rp->ai_family == AF_INET6 ? "[" : "", host, rp->ai_family == AF_INET6 ? "]" : "", port);
+ }
 free(vpninfo->peer_addr);
 vpninfo->peer_addrlen = 0;
@@ -423,6 +428,8 @@ int connect_https_socket(struct openconnect_info *vpninfo)
 free(vpninfo->peer_addr);
 vpninfo->peer_addr = 0;
 vpninfo->peer_addrlen = 0;
+ free(vpninfo->ip_info.gateway_addr);
+ vpninfo->ip_info.gateway_addr = NULL;
 }
 }
 freeaddrinfo(result);
--
2.7.0
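Review bot: The `strdup(host)` result in the first ssl.c hunk is never checked, so an allocation failure leaves gateway_addr NULL and prepare_script_env (script.c hunk) then silently omits VPNGATEWAY, which vpnc-style scripts typically use to route the gateway itself outside the tunnel — and which is exactly the address the commit message says NaCl needs for its split-exclude. The replaced getnameinfo-based code was equally silent, but a NULL here now means out-of-memory rather than an unprintable address, so it should at least be reported, e.g. `if (!vpninfo->ip_info.gateway_addr) vpn_progress(vpninfo, PRG_ERR, _("Failed to allocate memory for gateway address\n"));` right after the strdup, or treated as a failure in whatever way connect_https_socket handles its other allocation errors (its error-return convention is outside the hunk). The stored string is whatever peer the TLS socket was actually opened to, so when an HTTP proxy is configured it presumably names the proxy rather than the VPN server, exactly as the peer_addr it replaces did; the new oc_ip_info comment would be more useful if it said that instead of only that the value is "generated locally from getnameinfo()". connect_https_socket begins and ends outside both ssl.c hunks, and the `host` buffer is filled above the first one.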