tweak the dtls_state handling in preparation for supporting GlobalProtect ESP

If a protocol wishes to have dtls_state set to DTLS_SLEEPING after closing
UDP, then it must now do so explicitly, because the mainloop will no longer
set it.  This patch makes both existing protocols set dtls_state explicitly
after closing the UDP connection.  (The nc protocol already did so
explicitly, but the anyconnect protocol didn't.)

The previous behavior, wherein dtls_state was *always* set to DTLS_SLEEPING
after closing UDP, was incompatible with the GlobalProtect VPN.
Disconnecting and reconnecting GlobalProtect VPN doesn't just require
reconnecting the UDP socket and resending probes; it actually
invalidates any previously-obtained ESP secret.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dlenski authored and dwmw2 committed Aug 14, 2017
1 parent 342a85b commit cc6af8d
Showing 2 changed files with 1 addition and 1 deletion.
1 change: 1 addition & 0 deletions dtls.c
@@ -169,6 +169,7 @@ void dtls_close(struct openconnect_info *vpninfo)
vpninfo->dtls_ssl = NULL;
vpninfo->dtls_fd = -1;
}
vpninfo->dtls_state = DTLS_SLEEPING;
}

static int dtls_reconnect(struct openconnect_info *vpninfo)
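Review bot: the new `vpninfo->dtls_state = DTLS_SLEEPING;` sits after the closing brace of the inner block, so it runs on every call to dtls_close regardless of whether a DTLS session was actually torn down. The mainloop caller (see the mainloop.c hunk) only reaches it under `if (vpninfo->dtls_state > DTLS_DISABLED)`, but dtls_close has no such guard of its own, so any other caller reaching it with dtls_state at DTLS_DISABLED would silently be moved to DTLS_SLEEPING. Either mirror the guard inside dtls_close or add a short comment stating that callers are responsible for checking the state first; a comment here noting that udp_close implementations now own this transition (the mainloop no longer sets it) would also make the new contract visible to the next protocol author.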
1 change: 0 additions & 1 deletion mainloop.c
@@ -258,7 +258,6 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
openconnect_close_https(vpninfo, 0);
if (vpninfo->dtls_state > DTLS_DISABLED) {
vpninfo->proto->udp_close(vpninfo);
vpninfo->dtls_state = DTLS_SLEEPING;
vpninfo->new_dtls_started = 0;
}
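Review bot: removing `vpninfo->dtls_state = DTLS_SLEEPING;` here makes the state transition an implicit responsibility of each `proto->udp_close` implementation, while the sibling reset `vpninfo->new_dtls_started = 0;` stays in the mainloop, so the two pieces of teardown bookkeeping are now split across layers. A protocol whose udp_close forgets to set dtls_state would leave it at whatever value it had before the close, with nothing at this call site to catch that. Suggest a one-line comment above `vpninfo->proto->udp_close(vpninfo);` stating that udp_close must leave dtls_state in the value appropriate for that protocol (DTLS_SLEEPING for the existing ones, per the commit message), so the contract is documented where it is relied upon.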

