simplify ESP disabling for GP, because esp_shutdown() always destroys…

… the keying material Signed-off-by: Daniel Lenski <dlenski@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
sailfishos-mirror · May 31, 2018 · 78091bb · 78091bb
1 parent dd53d48
commit 78091bb
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 14 deletions.
diff --git a/esp.c b/esp.c
@@ -308,18 +308,13 @@ void esp_close(struct openconnect_info *vpninfo)
 		vpninfo->dtls_state = DTLS_SLEEPING;
 }
 
-void esp_close_secret(struct openconnect_info *vpninfo)
-{
-	esp_close(vpninfo);
-	if (vpninfo->dtls_state > DTLS_DISABLED)
-		vpninfo->dtls_state = DTLS_NOSECRET;
-}
-
 void esp_shutdown(struct openconnect_info *vpninfo)
 {
 	destroy_esp_ciphers(&vpninfo->esp_in[0]);
 	destroy_esp_ciphers(&vpninfo->esp_in[1]);
 	destroy_esp_ciphers(&vpninfo->esp_out);
 	if (vpninfo->proto->udp_close)
 		vpninfo->proto->udp_close(vpninfo);
+	if (vpninfo->dtls_state != DTLS_DISABLED)
+		vpninfo->dtls_state = DTLS_NOSECRET;
 }
diff --git a/gpst.c b/gpst.c
@@ -711,8 +711,10 @@ static int gpst_connect(struct openconnect_info *vpninfo)
 		monitor_read_fd(vpninfo, ssl);
 		monitor_except_fd(vpninfo, ssl);
 		vpninfo->ssl_times.last_rx = vpninfo->ssl_times.last_tx = time(NULL);
-		if (vpninfo->proto->udp_close)
-			vpninfo->proto->udp_close(vpninfo);
+		/* connecting the HTTPS tunnel totally invalidates the ESP keys,
+		   hence shutdown */
+		if (vpninfo->proto->udp_shutdown)
+			vpninfo->proto->udp_shutdown(vpninfo);
 	}
 
 out:
@@ -918,9 +920,9 @@ int gpst_setup(struct openconnect_info *vpninfo)
 {
 	int ret;
 
-	/* ESP tunnel is unusable as soon as we (re-)fetch the configuration */
-	if (vpninfo->proto->udp_close)
-		vpninfo->proto->udp_close(vpninfo);
+	/* ESP keys are invalid as soon as we (re-)fetch the configuration, hence shutdown */
+	if (vpninfo->proto->udp_shutdown)
+		vpninfo->proto->udp_shutdown(vpninfo);
 
 	/* Get configuration */
 	ret = gpst_get_config(vpninfo);

diff --git a/library.c b/library.c
@@ -154,7 +154,7 @@ const struct vpn_proto openconnect_protos[] = {
 #ifdef HAVE_ESP
 		.udp_setup = esp_setup,
 		.udp_mainloop = esp_mainloop,
-		.udp_close = esp_close_secret,
+		.udp_close = esp_close,
 		.udp_shutdown = esp_shutdown,
 		.udp_send_probes = gpst_esp_send_probes,
 		.udp_catch_probe = gpst_esp_catch_probe,

diff --git a/openconnect-internal.h b/openconnect-internal.h
@@ -923,7 +923,6 @@ int verify_packet_seqno(struct openconnect_info *vpninfo,
 int esp_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
 int esp_mainloop(struct openconnect_info *vpninfo, int *timeout);
 void esp_close(struct openconnect_info *vpninfo);
-void esp_close_secret(struct openconnect_info *vpninfo);
 void esp_shutdown(struct openconnect_info *vpninfo);
 int print_esp_keys(struct openconnect_info *vpninfo, const char *name, struct esp *esp);