www.infradead.org Git - users/dwmw2/openconnect.git/commitdiff
tweak the dtls_state handling in preparation for supporting GlobalProtect ESP
author: Daniel Lenski <dlenski@gmail.com>
Sat, 20 May 2017 22:43:25 +0000 (15:43 -0700)
committer: David Woodhouse <dwmw2@infradead.org>
Mon, 14 Aug 2017 15:53:37 +0000 (16:53 +0100)
If a protocol wishes to have dtls_state set to DTLS_SLEEPING after closing
UDP, then it must now do so explicitly, because the mainloop will no longer
set it.  This patch makes both existing protocols set dtls_state explicitly
after closing the UDP connection.  (The nc protocol already did so
explicitly, but the anyconnect protocol didn't.)

The previous behavior, wherein dtls_state was *always* set to DTLS_SLEEPING
after closing UDP, was incompatible with the GlobalProtect VPN.
Disconnecting and reconnecting GlobalProtect VPN doesn't just require
reconnecting the UDP socket and resending probes; it actually
invalidates any previously-obtained ESP secret.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
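The state hand-off the commit message describes, as an added example that is not OpenConnect code: the mainloop closes the UDP transport through the protocol's udp_close hook and no longer touches dtls_state, so each hook decides what state the session lands in. Only DTLS_DISABLED and DTLS_SLEEPING come from the patch; the extra state name DTLS_NOSECRET_MODEL, the struct layouts and every function name below are assumptions made for this model, and the GlobalProtect hook's behaviour is inferred from the commit message's statement that reconnecting invalidates the ESP secret.

```c
/* Added example (not OpenConnect code): a minimal model of the dtls_state
 * hand-off described in the commit message.  DTLS_DISABLED and
 * DTLS_SLEEPING are the names used in the patch; DTLS_NOSECRET_MODEL, the
 * struct layouts and the function names are assumptions for this model. */
#include <stdio.h>
#include <string.h>

struct proto_model;

enum dtls_state_t {
    DTLS_NOSECRET_MODEL, /* assumed: no usable ESP secret, must re-obtain */
    DTLS_DISABLED,       /* UDP transport not in use at all */
    DTLS_SLEEPING,       /* UDP closed; may reconnect with existing secret */
    DTLS_CONNECTING,
    DTLS_CONNECTED,
};

struct vpninfo_model {
    enum dtls_state_t dtls_state;
    int udp_fd;
    char esp_secret[32];   /* assumed: protocol-specific secret material */
    int new_dtls_started;
    const struct proto_model *proto;
};

struct proto_model {
    const char *name;
    void (*udp_close)(struct vpninfo_model *v);
};

/* AnyConnect-style hook: the DTLS session can be resumed after the socket
 * is closed, so the protocol itself returns to DTLS_SLEEPING (this is the
 * explicit assignment the patch adds to dtls_close()). */
static void anyconnect_udp_close(struct vpninfo_model *v)
{
    if (v->udp_fd >= 0)
        v->udp_fd = -1;
    v->dtls_state = DTLS_SLEEPING;
}

/* GlobalProtect-style hook (assumed per the commit message): closing UDP
 * invalidates the ESP secret, so DTLS_SLEEPING would be wrong because the
 * mainloop would retry with a dead secret.  Wipe it and mark the session as
 * needing a fresh secret. */
static void globalprotect_udp_close(struct vpninfo_model *v)
{
    if (v->udp_fd >= 0)
        v->udp_fd = -1;
    memset(v->esp_secret, 0, sizeof v->esp_secret);
    v->dtls_state = DTLS_NOSECRET_MODEL;
}

/* Mirrors the post-patch mainloop block: close UDP via the protocol hook and
 * deliberately do NOT assign dtls_state here. */
void mainloop_disconnect(struct vpninfo_model *v)
{
    if (v->dtls_state > DTLS_DISABLED) {
        v->proto->udp_close(v);
        v->new_dtls_started = 0;
    }
}

/* Whether the mainloop may attempt a UDP reconnect with the existing secret. */
int may_reconnect_udp(const struct vpninfo_model *v)
{
    return v->dtls_state == DTLS_SLEEPING;
}

static const struct proto_model anyconnect_proto = { "anyconnect", anyconnect_udp_close };
static const struct proto_model gp_proto = { "globalprotect", globalprotect_udp_close };

/* Drive a connected session (constructed input) through disconnect and
 * return the state the protocol hook left behind. */
enum dtls_state_t disconnect_with(const struct proto_model *p)
{
    struct vpninfo_model v = { DTLS_CONNECTED, 7, "constructed-secret", 1, p };
    mainloop_disconnect(&v);
    return v.dtls_state;
}

/* Same scenario, reporting whether a plain UDP reconnect is now permitted. */
int reconnect_allowed_after(const struct proto_model *p)
{
    struct vpninfo_model v = { DTLS_CONNECTED, 7, "constructed-secret", 1, p };
    mainloop_disconnect(&v);
    return may_reconnect_udp(&v);
}

int main(void)
{
    printf("%s: state %d, reconnect allowed %d\n", anyconnect_proto.name,
           disconnect_with(&anyconnect_proto), reconnect_allowed_after(&anyconnect_proto));
    printf("%s: state %d, reconnect allowed %d\n", gp_proto.name,
           disconnect_with(&gp_proto), reconnect_allowed_after(&gp_proto));
    return 0;
}
```

The point of the model is the ownership change: with the assignment removed from the mainloop, a protocol hook that forgets to set dtls_state leaves the session at its pre-close value, so every udp_close implementation has to choose a state explicitly.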
dtls.c
mainloop.c

diff --git a/dtls.c b/dtls.c
index c97d14d15a53bb9b53ca5297ccc617e17359ec10..80d6c05a73e8315a8963e5a4af1b6a595c80b142 100644 (file)
--- a/dtls.c
+++ b/dtls.c
@@ -169,6 +169,7 @@ void dtls_close(struct openconnect_info *vpninfo)
                vpninfo->dtls_ssl = NULL;
                vpninfo->dtls_fd = -1;
        }
+       vpninfo->dtls_state = DTLS_SLEEPING;
 }
 
 static int dtls_reconnect(struct openconnect_info *vpninfo)
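Review bot: the new `vpninfo->dtls_state = DTLS_SLEEPING;` sits after the closing brace of the preceding block, so dtls_close() now forces DTLS_SLEEPING unconditionally, whereas the mainloop assignment it replaces was guarded by `if (vpninfo->dtls_state > DTLS_DISABLED)`. If dtls_close() can be reached with dtls_state at DTLS_DISABLED or below, this flips the state to DTLS_SLEEPING and the mainloop will start UDP reconnect attempts that were previously disabled. Consider keeping the guard, e.g. `if (vpninfo->dtls_state > DTLS_DISABLED) vpninfo->dtls_state = DTLS_SLEEPING;`, and adding a one-line comment that protocols using dtls_close() as their udp_close hook get DTLS_SLEEPING from here because the mainloop no longer sets it.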
index cc80d0e26ca093a41ded151039a8f574acff8f7f..41245096f707696e476b0ed97352c88331267114 100644 (file)
@@ -258,7 +258,6 @@ int openconnect_mainloop(struct openconnect_info *vpninfo,
                        openconnect_close_https(vpninfo, 0);
                        if (vpninfo->dtls_state > DTLS_DISABLED) {
                                vpninfo->proto->udp_close(vpninfo);
-                               vpninfo->dtls_state = DTLS_SLEEPING;
                                vpninfo->new_dtls_started = 0;
                        }
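Review bot: with the assignment removed, nothing in this block documents that vpninfo->proto->udp_close() is now responsible for leaving dtls_state in a sensible state; a protocol whose udp_close hook does not set it will stay at its pre-close value after the socket is gone, and the surrounding `if (vpninfo->dtls_state > DTLS_DISABLED)` and `vpninfo->new_dtls_started = 0;` give no hint of the contract. Suggest a comment above the udp_close() call, e.g. `/* udp_close must set dtls_state itself: DTLS_SLEEPING if the session can be resumed, otherwise a state that forces the secret to be re-obtained. */`, so the next protocol author does not repeat the omission the commit message notes for anyconnect.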