if (vpninfo->dtls_state == DTLS_CONNECTING) {
dtls_try_handshake(vpninfo, timeout);
- vpninfo->delay_tunnel_reason = "DTLS MTU detection";
- return 0;
+ if (vpninfo->dtls_state != DTLS_CONNECTED) {
+ vpninfo->delay_tunnel_reason = "DTLS MTU detection";
+ return 0;
+ }
+ return 1;
}
if (vpninfo->dtls_state == DTLS_SLEEPING) {
return 0;
}
+ /* Nothing to do here for Cisco DTLS as it is preauthenticated */
+ if (vpninfo->dtls_state == DTLS_CONNECTED)
+ vpninfo->dtls_state = DTLS_ESTABLISHED;
+
while (readable) {
int len = MAX(16384, vpninfo->ip_info.mtu);
unsigned char *buf;
if (vpninfo->dtls_state == DTLS_SLEEPING) {
vpn_progress(vpninfo, PRG_INFO,
_("ESP session established with server\n"));
- vpninfo->dtls_state = DTLS_CONNECTING;
+ vpninfo->dtls_state = DTLS_CONNECTED;
}
continue;
}
}
}
- if (vpninfo->dtls_state != DTLS_CONNECTED)
+ if (vpninfo->dtls_state != DTLS_ESTABLISHED)
return 0;
switch (keepalive_action(&vpninfo->dtls_times, timeout)) {
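Review bot: In the `DTLS_SLEEPING` branch the progress message still reads "ESP session established with server" while the state assigned right below it is now DTLS_CONNECTED, which this change's header defines as transport connected but not yet enabled; with a distinct DTLS_ESTABLISHED state now existing, that log wording is easy to misread. A comment on the new assignment would make the intent clear, e.g. `/* Transport is up; the protocol mainloop promotes this to DTLS_ESTABLISHED once the server has been told to use ESP (see the oncp/pulse hunks). */`, and if a translatable-string change is acceptable the message could say that a probe reply was received rather than that the session is established. The keepalive gate below (`!= DTLS_ESTABLISHED`) looks consistent with the new numbering. The enclosing loop and function extend outside this hunk.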
* it if the ESP tunnel is connected or connecting.
*/
switch (vpninfo->dtls_state) {
- case DTLS_CONNECTING:
+ case DTLS_CONNECTING: /* Can never happen */
+ case DTLS_CONNECTED:
openconnect_close_https(vpninfo, 0); /* don't keep stale HTTPS socket */
vpn_progress(vpninfo, PRG_INFO,
_("ESP tunnel connected; exiting HTTPS mainloop.\n"));
- vpninfo->dtls_state = DTLS_CONNECTED;
+ vpninfo->dtls_state = DTLS_ESTABLISHED;
/* Now that we are connected, let's ensure timeout is less than
* or equal to DTLS DPD/keepalive else we might over sleep, eg
* if timeout is set to DTLS attempt period from ESP mainloop,
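Review bot: The new `case DTLS_CONNECTING: /* Can never happen */` label falls through into the DTLS_CONNECTED branch, so a state the comment declares unreachable would still call `openconnect_close_https` and announce the ESP tunnel as connected, tearing down the HTTPS path on the basis of a state that is not supposed to exist for ESP. If it really cannot occur, failing loudly is safer than acting on it: `case DTLS_CONNECTING: /* DTLS-only state; never set for ESP */` followed by `vpn_progress(vpninfo, PRG_ERR, _("Unexpected DTLS_CONNECTING state in ESP mainloop\n")); break;`. The comment just above the switch still describes the tunnel as "connected or connecting", which no longer matches the renamed states and should be reworded to match. The enclosing function starts and ends outside this hunk.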
if (*timeout > vpninfo->dtls_times.dpd * 1000)
*timeout = vpninfo->dtls_times.dpd * 1000;
/* fall through */
- case DTLS_CONNECTED:
+ case DTLS_ESTABLISHED:
/* Rekey or check-and-resubmit HIP if needed */
if (keepalive_action(&vpninfo->ssl_times, timeout) == KA_REKEY)
goto do_rekey;
case KA_KEEPALIVE:
/* No need to send an explicit keepalive
if we have real data to send */
- if (vpninfo->dtls_state != DTLS_CONNECTED &&
+ if (vpninfo->dtls_state != DTLS_ESTABLISHED &&
vpninfo->outgoing_queue.head)
break;
/* fall through */
/* Service outgoing packet queue */
- while (vpninfo->dtls_state != DTLS_CONNECTED &&
+ while (vpninfo->dtls_state != DTLS_ESTABLISHED &&
(vpninfo->current_ssl_pkt = dequeue_packet(&vpninfo->outgoing_queue))) {
struct pkt *this = vpninfo->current_ssl_pkt;
monitor_except_fd(vpninfo, dtls);
}
- for (seq=1; seq <= (vpninfo->dtls_state==DTLS_CONNECTED ? 1 : 3); seq++) {
+ for (seq=1; seq <= (vpninfo->dtls_state==DTLS_ESTABLISHED ? 1 : 3); seq++) {
memset(pkt, 0, sizeof(*pkt) + sizeof(*iph) + ICMP_MINLEN + sizeof(magic_ping_payload));
pkt->len = sizeof(struct ip) + ICMP_MINLEN + sizeof(magic_ping_payload);
const char *openconnect_get_dtls_cipher(struct openconnect_info *vpninfo)
{
- if (vpninfo->dtls_state != DTLS_CONNECTED || !vpninfo->dtls_ssl) {
+ if (vpninfo->dtls_state < DTLS_CONNECTED || !vpninfo->dtls_ssl) {
#if defined(OPENCONNECT_GNUTLS)
gnutls_free(vpninfo->dtls_cipher_desc);
#else
*sent* over the TCP channel. */
vpn_progress(vpninfo, PRG_TRACE,
_("Sent ESP enable control packet\n"));
- vpninfo->dtls_state = DTLS_CONNECTED;
+ vpninfo->dtls_state = DTLS_ESTABLISHED;
work_done = 1;
} else {
free(vpninfo->current_ssl_pkt);
case KA_KEEPALIVE:
/* No need to send an explicit keepalive
if we have real data to send */
- if (vpninfo->dtls_state != DTLS_CONNECTED && vpninfo->outgoing_queue)
+ if (vpninfo->dtls_state != DTLS_ESTABLISHED && vpninfo->outgoing_queue)
break;
vpn_progress(vpninfo, PRG_DEBUG, _("Send CSTP Keepalive\n"));
* via ESP once the enable message has been *sent* over the
* TCP channel. Assign it directly to current_ssl_pkt so that
* we can use it in-place and match against it above. */
- if (vpninfo->dtls_state == DTLS_CONNECTING) {
+ if (vpninfo->dtls_state == DTLS_CONNECTED) {
vpninfo->current_ssl_pkt = (struct pkt *)&esp_enable_pkt;
goto handle_outgoing;
}
goto handle_outgoing;
/* Service outgoing packet queue, if no DTLS */
- while (vpninfo->dtls_state != DTLS_CONNECTED &&
+ while (vpninfo->dtls_state != DTLS_ESTABLISHED &&
(vpninfo->current_ssl_pkt = dequeue_packet(&vpninfo->outgoing_queue))) {
struct pkt *this = vpninfo->current_ssl_pkt;
void oncp_esp_close(struct openconnect_info *vpninfo)
{
/* Tell server to stop sending on ESP channel */
- if (vpninfo->dtls_state >= DTLS_CONNECTING)
+ if (vpninfo->dtls_state >= DTLS_CONNECTED)
queue_esp_control(vpninfo, 0);
esp_close(vpninfo);
}
if (!pkt)
return -ENOMEM;
- for (seq=1; seq <= (vpninfo->dtls_state==DTLS_CONNECTED ? 1 : 2); seq++) {
+ for (seq=1; seq <= (vpninfo->dtls_state==DTLS_ESTABLISHED ? 1 : 2); seq++) {
pkt->len = 1;
pkt->data[0] = 0;
pktlen = construct_esp_packet(vpninfo, pkt,
#define DTLS_SECRET 1 /* Secret is present, ready to attempt DTLS */
#define DTLS_DISABLED 2 /* DTLS was disabled on the *client* side */
#define DTLS_SLEEPING 3 /* For ESP, sometimes sending probes */
-#define DTLS_CONNECTING 4 /* ESP probe received; must tell server */
-#define DTLS_CONNECTED 5 /* Server informed and should be sending ESP */
+#define DTLS_CONNECTING 4 /* DTLS (re)handshaking. Not used for ESP */
+#define DTLS_CONNECTED 5 /* Transport connected but not yet enabled */
+#define DTLS_ESTABLISHED 6 /* Data path fully established */
/* Not to be confused with OC_PROTO_xxx flags which are library-visible */
#define PROTO_ANYCONNECT 0
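Review bot: The new DTLS_ESTABLISHED value is relied on ordinally elsewhere in this change (`dtls_state < DTLS_CONNECTED` in openconnect_get_dtls_cipher, `dtls_state >= DTLS_CONNECTED` in oncp_esp_close), but nothing in the header says the numbering is an ordered progression that must be preserved. A short comment above the block would make that contract explicit, e.g. `/* Ordered: callers compare these with < and >=; keep the sequence when adding states. */`. Since value 5 (DTLS_CONNECTED) changes meaning from "server informed" to "transport connected but not yet enabled", any relational comparison against DTLS_CONNECTING or DTLS_CONNECTED outside this diff deserves a re-check that it still selects the intended states.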
case KA_KEEPALIVE:
/* No need to send an explicit keepalive
if we have real data to send */
- if (vpninfo->dtls_state != DTLS_CONNECTED &&
+ if (vpninfo->dtls_state != DTLS_ESTABLISHED &&
vpninfo->outgoing_queue.head)
break;
;
}
#endif
- if (vpninfo->dtls_state == DTLS_CONNECTING) {
+ if (vpninfo->dtls_state == DTLS_CONNECTED) {
/* We don't currently do anything to make the server start sending
* data packets in ESP instead of over IF-T/TLS. Just go straight
* to CONNECTED mode. */
- vpninfo->dtls_state = DTLS_CONNECTED;
+ vpninfo->dtls_state = DTLS_ESTABLISHED;
work_done = 1;
}
}
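Review bot: The comment `Just go straight to CONNECTED mode.` is now stale: the assignment beneath it sets DTLS_ESTABLISHED, and under the new definitions CONNECTED is the state being left, not entered. Change it to `* to ESTABLISHED mode. */`. The condition change above it (`== DTLS_CONNECTED`) reads as the correct mapping of the old CONNECTING value. The enclosing function starts and ends outside this hunk.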
/* Service outgoing packet queue, if no DTLS */
- while (vpninfo->dtls_state != DTLS_CONNECTED &&
+ while (vpninfo->dtls_state != DTLS_ESTABLISHED &&
(vpninfo->current_ssl_pkt = dequeue_packet(&vpninfo->outgoing_queue))) {
struct pkt *this = vpninfo->current_ssl_pkt;