Distinguish between the different rekey methods.

AnyConnect allows for different rekey methods including new-tunnel and ssl (rehandshake). Currently only the new-tunnel is implemented in openconnect. Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
sailfishos-mirror · Feb 11, 2014 · b098d5b · b098d5b
1 parent a12ac9e
commit b098d5b
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 1 deletion.
diff --git a/cstp.c b/cstp.c
@@ -356,6 +356,13 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 				vpninfo->ssl_times.dpd = j;
 		} else if (!strcmp(buf + 7, "Rekey-Time")) {
 			vpninfo->ssl_times.rekey = atol(colon);
+		} else if (!strcmp(buf + 7, "Rekey-Method")) {
+			if (!strcmp(colon, "new-tunnel"))
+				vpninfo->ssl_times.rekey_method = REKEY_TUNNEL;
+			else if (!strcmp(colon, "ssl"))
+				vpninfo->ssl_times.rekey_method = REKEY_SSL;
+			else
+				vpninfo->ssl_times.rekey_method = REKEY_NONE;
 		} else if (!strcmp(buf + 7, "Content-Encoding")) {
 			if (!strcmp(colon, "deflate"))
 				vpninfo->deflate = 1;

diff --git a/dtls.c b/dtls.c
@@ -600,6 +600,13 @@ int openconnect_setup_dtls(struct openconnect_info *vpninfo, int dtls_attempt_pe
 			int j = atol(dtls_opt->value);
 			if (j && (!vpninfo->dtls_times.dpd || j < vpninfo->dtls_times.dpd))
 				vpninfo->dtls_times.dpd = j;
+		} else if (!strcmp(dtls_opt->option + 7, "Rekey-Method")) {
+			if (!strcmp(dtls_opt->value, "new-tunnel"))
+				vpninfo->dtls_times.rekey_method = REKEY_TUNNEL;
+			else if (!strcmp(dtls_opt->value, "ssl"))
+				vpninfo->dtls_times.rekey_method = REKEY_SSL;
+			else
+				vpninfo->dtls_times.rekey_method = REKEY_NONE;
 		} else if (!strcmp(dtls_opt->option + 7, "Rekey-Time")) {
 			vpninfo->dtls_times.rekey = atol(dtls_opt->value);
 		} else if (!strcmp(dtls_opt->option + 7, "CipherSuite")) {

diff --git a/mainloop.c b/mainloop.c
@@ -169,7 +169,9 @@ int ka_stalled_action(struct keepalive_info *ka, int *timeout)
 {
 	time_t due, now = time(NULL);
 
-	if (ka->rekey) {
+	/* we only support the new-tunnel rekey method for
+	 * now */
+	if (ka->rekey && ka->rekey_method == REKEY_TUNNEL) {
 		due = ka->last_rekey + ka->rekey;
 
 		if (now >= due)

diff --git a/openconnect-internal.h b/openconnect-internal.h
@@ -94,6 +94,10 @@ struct pkt {
 	unsigned char data[];
 };
 
+#define REKEY_NONE      0
+#define REKEY_TUNNEL    1
+#define REKEY_SSL       2
+
 #define KA_NONE		0
 #define KA_DPD		1
 #define KA_DPD_DEAD	2
@@ -109,6 +113,7 @@ struct keepalive_info {
 	int dpd;
 	int keepalive;
 	int rekey;
+	int rekey_method;
 	time_t last_rekey;
 	time_t last_tx;
 	time_t last_rx;