Commit a750105d authored by Steven Ihde's avatar Steven Ihde Committed by David Woodhouse

Add source port option for DTLS

Signed-off-by: default avatarSteven Ihde <sihde@hamachi.us>
Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
parent 6c00a178
......@@ -492,6 +492,37 @@ int connect_dtls_socket(struct openconnect_info *vpninfo)
return -EINVAL;
}
if (vpninfo->dtls_local_port) {
struct sockaddr_storage dtls_bind_addr;
int dtls_bind_addrlen;
memset(&dtls_bind_addr, 0, sizeof(dtls_bind_addr));
if (vpninfo->peer_addr->sa_family == AF_INET) {
struct sockaddr_in *addr = (struct sockaddr_in *)&dtls_bind_addr;
dtls_bind_addrlen = sizeof(*addr);
addr->sin_family = AF_INET;
addr->sin_addr.s_addr = INADDR_ANY;
addr->sin_port = htons(vpninfo->dtls_local_port);
} else if (vpninfo->peer_addr->sa_family == AF_INET6) {
struct sockaddr_in6 *addr = (struct sockaddr_in6 *)&dtls_bind_addr;
dtls_bind_addrlen = sizeof(*addr);
addr->sin6_family = AF_INET6;
addr->sin6_addr = in6addr_any;
addr->sin6_port = htons(vpninfo->dtls_local_port);
} else {
vpn_progress(vpninfo, PRG_ERR,
_("Unknown protocol family %d. Cannot do DTLS\n"),
vpninfo->peer_addr->sa_family);
vpninfo->dtls_attempt_period = 0;
return -EINVAL;
}
if (bind(dtls_fd, (struct sockaddr *)&dtls_bind_addr, dtls_bind_addrlen)) {
perror(_("Bind UDP socket for DTLS"));
return -EINVAL;
}
}
if (connect(dtls_fd, vpninfo->dtls_addr, vpninfo->peer_addrlen)) {
perror(_("UDP (DTLS) connect:\n"));
close(dtls_fd);
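Review bot: The bind() failure branch at the end of the new block returns -EINVAL without closing dtls_fd, while the connect() failure path just below it does `close(dtls_fd)` first; the unknown-protocol-family branch above has the same gap. Assuming dtls_fd was opened earlier in connect_dtls_socket (outside the hunk), every error return after that point should release it, e.g. `perror(_("Bind UDP socket for DTLS")); close(dtls_fd); return -EINVAL;`. Binding to the wildcard address (INADDR_ANY / in6addr_any) is acceptable here only because the connect() that follows restricts the socket to the peer; a one-line comment saying so would keep a later refactor from reordering the two calls. Because a fixed local port cannot be re-bound while a previous DTLS socket is still open, it is worth documenting whether the caller guarantees the old socket is closed before a reconnect, otherwise the retry fails with EADDRINUSE. Minor: bind() takes a socklen_t, so `socklen_t dtls_bind_addrlen;` avoids a sign-conversion warning.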
......@@ -107,6 +107,7 @@ enum {
OPT_SERVERCERT,
OPT_USERAGENT,
OPT_NON_INTER,
OPT_DTLS_LOCAL_PORT,
};
#ifdef __sun__
......@@ -169,6 +170,7 @@ static struct option long_options[] = {
OPTION("no-cert-check", 0, OPT_NO_CERT_CHECK),
OPTION("force-dpd", 1, OPT_FORCE_DPD),
OPTION("non-inter", 0, OPT_NON_INTER),
OPTION("dtls-local-port", 1, OPT_DTLS_LOCAL_PORT),
OPTION(NULL, 0, 0)
};
......@@ -273,6 +275,7 @@ static void usage(void)
printf(" --reconnect-timeout %s\n", _("Connection retry timeout in seconds"));
printf(" --servercert=FINGERPRINT %s\n", _("Server's certificate SHA1 fingerprint"));
printf(" --useragent=STRING %s\n", _("HTTP header User-Agent: field"));
printf(" --dtls-local-port=PORT %s\n", _("Set local port for DTLS datagrams"));
printf("\n");
helpmessage();
......@@ -684,6 +687,9 @@ int main(int argc, char **argv)
case OPT_FORCE_DPD:
vpninfo->dtls_times.dpd = vpninfo->ssl_times.dpd = atoi(config_arg);
break;
case OPT_DTLS_LOCAL_PORT:
vpninfo->dtls_local_port = atoi(config_arg);
break;
default:
usage();
}
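Review bot: `atoi(config_arg)` in the new OPT_DTLS_LOCAL_PORT case accepts any string, so a non-numeric or out-of-range value is silently mishandled: dtls.c treats a zero dtls_local_port as "not set", so `--dtls-local-port=abc` quietly disables the feature, and a value above 65535 is truncated by htons() to a port the user did not ask for. A check after the assignment, e.g. `if (vpninfo->dtls_local_port < 1 || vpninfo->dtls_local_port > 65535) usage();`, rejects bad input up front (strtol with an endptr check would also catch trailing garbage); usage() appears to be this file's rejection path for bad options, so the exact reporting call should follow whatever the neighbouring cases use. The same unchecked atoi() pattern exists in the OPT_FORCE_DPD case above, but that is pre-existing. main()'s body continues outside the hunk.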
......@@ -273,6 +273,8 @@ struct openconnect_info {
struct sockaddr *peer_addr;
struct sockaddr *dtls_addr;
int dtls_local_port;
int deflate;
char *useragent;
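Review bot: The new `int dtls_local_port;` member is inserted in the middle of struct openconnect_info, ahead of `deflate` and `useragent`, which shifts the offsets of every later member. If this struct lives in an installed header that library users or plugins allocate or index directly, that is an ABI break and the field should be appended at the end instead; if the struct is internal-only, a short comment saying so would spare the next reader the same question. A comment on the field such as `int dtls_local_port; /* 0 = let the kernel choose */` would also document the sentinel that the dtls.c check relies on. The struct definition starts and ends outside the hunk.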
......@@ -42,6 +42,7 @@ openconnect \- Connect to Cisco AnyConnect VPN
.OP \-\-cafile file
.OP \-\-disable\-ipv6
.OP \-\-dtls\-ciphers list
.OP \-\-dtls\-local\-port port
.OP \-\-no\-cert\-check
.OP \-\-no\-dtls
.OP \-\-no\-http\-keepalive
......@@ -335,6 +336,11 @@ Use
.I STRING
as 'User\-Agent:' field value in HTTP header.
(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
.TP
.B \-\-dtls\-local\-port=PORT
Use
.I PORT
as the local port for DTLS datagrams
.SH LIMITATIONS
Note that although IPv6 has been tested on all platforms on which
......@@ -17,6 +17,7 @@
<ul>
<li><b>OpenConnect HEAD</b>
<ul>
<li>Add <tt>--dtls-local-port</tt> option.</li>
<li>Print correct error when <tt>/dev/net/tun</tt> cannot be opened.</li>
<li>Fix <tt>openconnect.pc</tt> pkg-config file not to require <tt>zlib.pc</tt> on systems which lack it (like RHEL5).</li>
</ul><br/>