

When CSTP rehandshake or reconnection succeeds, reconnect DTLS.
That only occurs when DTLS doesn't have its own timer and
mechanism for rehandshake. In that case we replicate the Anyconnect
clients' behavior by reconnecting DTLS just after the CSTP reconnect.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Nikos Mavrogiannopoulos committed Feb 17, 2014
1 parent 57bf2a4 commit 14d807f
Showing 3 changed files with 16 additions and 7 deletions.
12 changes: 10 additions & 2 deletions cstp.c
Expand Up @@ -898,6 +898,8 @@ int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout)
vpn_progress(vpninfo, PRG_ERR, _("Rehandshake failed; attempting new-tunnel\n"));
goto do_reconnect;
}

goto do_dtls_reconnect;
}
break;

Expand All @@ -912,8 +914,14 @@ int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout)
vpninfo->quit_reason = "CSTP reconnect failed";
return ret;
}
/* I think we can leave DTLS to its own devices; when we reconnect
with the same master secret, we do seem to get the same sessid */

do_dtls_reconnect:
/* succeeded, let's rekey DTLS, if it is not rekeying
* itself. */
if (vpninfo->dtls_times.rekey_method == REKEY_NONE) {
dtls_reconnect(vpninfo);
}

return 1;

case KA_DPD:
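Review bot: The result of dtls_reconnect() is discarded in the new `do_dtls_reconnect` block even though the header declares it `int` and the rekey path in dtls_mainloop treats a non-zero result as a failure ("DTLS rekey failed"); a failed reconnect here leaves the session on CSTP alone with nothing in the log saying why DTLS never returned. Check and report it the way dtls.c does: `if (dtls_reconnect(vpninfo))` / `vpn_progress(vpninfo, PRG_ERR, _("DTLS reconnect failed\n"));`. It is also not visible from this hunk whether the call is safe when DTLS is not in use for the session — dtls_reconnect sets dtls_state to DTLS_SLEEPING unconditionally, so a guard on the DTLS state may be needed in front of it; worth confirming against the rest of dtls_reconnect. The `rekey_method == REKEY_NONE` test deserves a why-comment, e.g. `/* DTLS has no rekey timer of its own: mirror the AnyConnect client and reconnect it right after CSTP. */`. cstp_mainloop starts and ends outside the hunk.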
10 changes: 5 additions & 5 deletions dtls.c
Expand Up @@ -562,7 +562,7 @@ void dtls_close(struct openconnect_info *vpninfo)
}
}

static int dtls_restart(struct openconnect_info *vpninfo)
int dtls_reconnect(struct openconnect_info *vpninfo)
{
dtls_close(vpninfo);
vpninfo->dtls_state = DTLS_SLEEPING;
Expand Down Expand Up @@ -770,7 +770,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
return ret;
}

if (dtls_restart(vpninfo))
if (dtls_reconnect(vpninfo))
vpn_progress(vpninfo, PRG_ERR, _("DTLS rekey failed\n"));
}

Expand All @@ -780,7 +780,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
case KA_DPD_DEAD:
vpn_progress(vpninfo, PRG_ERR, _("DTLS Dead Peer Detection detected dead peer!\n"));
/* Fall back to SSL, and start a new DTLS connection */
dtls_restart(vpninfo);
dtls_reconnect(vpninfo);
return 1;

case KA_DPD:
Expand Down Expand Up @@ -845,7 +845,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
_("DTLS got write error %d. Falling back to SSL\n"),
ret);
openconnect_report_ssl_errors(vpninfo);
dtls_restart(vpninfo);
dtls_reconnect(vpninfo);
vpninfo->outgoing_queue = this;
vpninfo->outgoing_qlen++;
work_done = 1;
Expand All @@ -859,7 +859,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
vpn_progress(vpninfo, PRG_ERR,
_("DTLS got write error: %s. Falling back to SSL\n"),
gnutls_strerror(ret));
dtls_restart(vpninfo);
dtls_reconnect(vpninfo);
vpninfo->outgoing_queue = this;
vpninfo->outgoing_qlen++;
work_done = 1;
1 change: 1 addition & 0 deletions openconnect-internal.h
Expand Up @@ -463,6 +463,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
int dtls_try_handshake(struct openconnect_info *vpninfo);
int connect_dtls_socket(struct openconnect_info *vpninfo);
void dtls_close(struct openconnect_info *vpninfo);
int dtls_reconnect(struct openconnect_info *vpninfo);

/* cstp.c */
int cstp_mainloop(struct openconnect_info *vpninfo, int *timeout);
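Review bot: The new `dtls_reconnect` prototype carries no comment on its contract, and the two callers in this commit already disagree on whether its return value matters (dtls_mainloop checks it, the new cstp.c call does not). A one-line comment next to the declaration would settle that for future callers, e.g. `/* Close the DTLS session and put it back to DTLS_SLEEPING so the mainloop re-establishes it; returns non-zero on failure, as the dtls.c rekey path assumes. */`. The surrounding declaration list continues outside the hunk.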
