Improve GPST/ESP not-stepping-on-toes tap dance
authorDaniel Lenski <dlenski@gmail.com>
Tue, 9 Jan 2018 08:01:20 +0000 (00:01 -0800)
committerDavid Woodhouse <dwmw2@infradead.org>
Tue, 27 Feb 2018 15:28:32 +0000 (16:28 +0100)
In preparation for adding re-key support, stop misusing ssl_times.last_rekey.
(This seems to fix a weird frantic mainloop-invoking bug I was running into as well.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
gpst.c

diff --git a/gpst.c b/gpst.c
index 615dd27a34d716b0488355146bdbd2fb3a19378f..b0ab76447d31d003218fa6c26a3d114e28ca4686 100644 (file)
--- a/gpst.c
+++ b/gpst.c
@@ -500,7 +500,8 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
                                if (setup_esp_keys(vpninfo, 0))
                                        vpn_progress(vpninfo, PRG_ERR, "Failed to setup ESP keys.\n");
                                else
-                                       vpninfo->dtls_times.last_rekey = time(NULL);
+                                       /* prevent race condition between esp_mainloop() and gpst_mainloop() timers */
+                                       vpninfo->dtls_times.last_rekey = time(&vpninfo->new_dtls_started);
                        }
 #else
                        vpn_progress(vpninfo, PRG_DEBUG, _("Ignoring ESP keys since ESP support not available in this build\n"));
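Review bot: The added assignment relies on time()'s out-parameter to write new_dtls_started as a side effect of setting dtls_times.last_rekey, which reads like an ordinary time(NULL) call unless one looks closely; a chained assignment, `vpninfo->new_dtls_started = vpninfo->dtls_times.last_rekey = time(NULL);`, makes the shared timestamp explicit. The new comment names a race but not what the line does; `/* record the same instant in both fields so the esp_mainloop() and gpst_mainloop() deadlines agree */` would say why both are set. The time() result is not checked for (time_t)-1, which is consistent with the surrounding code but worth knowing since the value feeds a deadline comparison. gpst_parse_config_xml continues outside the hunk on both sides.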
@@ -653,7 +654,7 @@ static int gpst_connect(struct openconnect_info *vpninfo)
                monitor_fd_new(vpninfo, ssl);
                monitor_read_fd(vpninfo, ssl);
                monitor_except_fd(vpninfo, ssl);
-               vpninfo->ssl_times.last_rekey = vpninfo->ssl_times.last_rx = vpninfo->ssl_times.last_tx = time(NULL);
+               vpninfo->ssl_times.last_rx = vpninfo->ssl_times.last_tx = time(NULL);
                if (vpninfo->dtls_state != DTLS_DISABLED)
                        vpninfo->dtls_state = DTLS_NOSECRET;
        }
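Review bot: With this line no longer seeding ssl_times.last_rekey, nothing in this diff initialises that field for the GPST SSL session, so any generic keepalive code that later derives a rekey deadline from last_rekey with a non-zero interval would start from epoch zero and fire immediately. Presumably the SSL rekey interval stays zero for GPST until the re-key support mentioned in the description lands, but that is an assumption the reader cannot confirm from this file; a short comment here, `/* last_rekey is deliberately left unset: no SSL re-key is scheduled for GPST yet */`, would record that it is intentional. gpst_connect's body continues outside the hunk.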
@@ -875,17 +876,6 @@ int gpst_setup(struct openconnect_info *vpninfo)
         */
        if (vpninfo->dtls_state == DTLS_DISABLED || vpninfo->dtls_state == DTLS_NOSECRET)
                ret = gpst_connect(vpninfo);
-       else {
-               /* We want to prevent the mainloop timers from frantically
-                * calling the GPST mainloop.
-                */
-               vpninfo->ssl_times.last_rx = vpninfo->ssl_times.last_tx = time(NULL);
-
-               /* Using (abusing?) last_rekey as the time when the SSL tunnel
-                * was brought up.
-                */
-               vpninfo->ssl_times.last_rekey = 0;
-       }
 
 out:
        return ret;
@@ -911,10 +901,10 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout)
                return 0;
        case DTLS_SECRET:
        case DTLS_SLEEPING:
-               if (!ka_check_deadline(timeout, time(NULL), vpninfo->dtls_times.last_rekey + 5)) {
+               if (!ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + 5)) {
                        /* Allow 5 seconds after configuration for ESP to start */
                        return 0;
-               } else if (!vpninfo->ssl_times.last_rekey) {
+               } else {
                        /* ... before we switch to HTTPS instead */
                        vpn_progress(vpninfo, PRG_ERR,
                                     _("Failed to connect ESP tunnel; using HTTPS instead.\n"));
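Review bot: Dropping the `!vpninfo->ssl_times.last_rekey` guard means that once new_dtls_started + 5 has passed, every mainloop pass in DTLS_SECRET or DTLS_SLEEPING state enters the fallback branch; confirm the code after the hunk moves dtls_state out of those states so the PRG_ERR message is logged once rather than on each call. new_dtls_started is written only on the successful setup_esp_keys() path in the first hunk, so if DTLS_SECRET can be reached with a stale or zero new_dtls_started the 5-second grace collapses to nothing — worth checking that it is refreshed whenever ESP keys are (re)installed. The grace period is a bare literal whose meaning lives only in the comment below it; a named constant such as `#define GPST_ESP_STARTUP_GRACE 5` (constructed name) used in the ka_check_deadline() call would keep code and comment in step. gpst_mainloop continues past the end of the hunk.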