Do not try to establish DTLS on reconnect if it wasn't established before
authorNikolay Martynov <mar.kolya@gmail.com>
Thu, 11 May 2017 03:02:59 +0000 (23:02 -0400)
committerDavid Woodhouse <dwmw2@infradead.org>
Sun, 14 May 2017 16:08:42 +0000 (17:08 +0100)
Currently, when the TCP SSL connection fails, a reconnect attempt happens. This attempt tries to establish a DTLS connection regardless of whether one existed before, and the code ends up in an infinite loop doing that.
This change fixes this by disabling DTLS at startup if the DTLS connection cannot be established.
Also change the ESP handling code to not re-enable DTLS on ESP close.

Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dtls.c
esp.c
main.c

diff --git a/dtls.c b/dtls.c
index df104ed583a9b90d9e26e3020e5f8d31837779b5..28088fb8362b8d9dc493edee90674ef5e8381515 100644 (file)
--- a/dtls.c
+++ b/dtls.c
@@ -154,6 +154,10 @@ void dtls_close(struct openconnect_info *vpninfo)
 static int dtls_reconnect(struct openconnect_info *vpninfo)
 {
        dtls_close(vpninfo);
+
+       if (vpninfo->dtls_state == DTLS_DISABLED)
+               return -EINVAL;
+
        vpninfo->dtls_state = DTLS_SLEEPING;
        return connect_dtls_socket(vpninfo);
 }
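Review bot: The new early return in dtls_reconnect has no comment saying why DTLS_DISABLED is terminal here, and the loop the commit describes only stops if the callers (outside this hunk) treat -EINVAL as "do not retry" rather than as a transient connect failure, which is worth confirming. A one-line comment above the check would make the intent explicit for the next reader: `/* DTLS was disabled (setup never succeeded): stay on SSL rather than retrying. */`. Calling dtls_close() before the check looks deliberate, since it tears down any leftover socket state regardless of the outcome, but a reader may wonder about the ordering, so the comment could mention it.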
diff --git a/esp.c b/esp.c
index 44c94077c6a90e6e10c674aab1f05c4df265b5d1..57ff6cf167f1a82830bc5113c35059b18ddc0bdd 100644 (file)
--- a/esp.c
+++ b/esp.c
@@ -341,7 +341,8 @@ void esp_close(struct openconnect_info *vpninfo)
                unmonitor_except_fd(vpninfo, dtls);
                vpninfo->dtls_fd = -1;
        }
-       vpninfo->dtls_state = DTLS_SLEEPING;
+       if (vpninfo->dtls_state > DTLS_DISABLED)
+               vpninfo->dtls_state = DTLS_SLEEPING;
 }
 
 void esp_shutdown(struct openconnect_info *vpninfo)
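Review bot: The guard `if (vpninfo->dtls_state > DTLS_DISABLED)` encodes an ordering assumption on the dtls_state values that the other two sites in this commit do not use: dtls.c tests `== DTLS_DISABLED` and main.c tests `!= DTLS_DISABLED`. If there are states that sort below DTLS_DISABLED and are meant to be left untouched here, a short comment should say so, e.g. `/* Only a live or sleeping DTLS state goes back to sleeping; disabled (or lower) states stay as they are. */`; otherwise `!= DTLS_DISABLED` would read consistently with the other hunks. The enclosing esp_close() starts outside this hunk, so I cannot tell whether dtls_state is touched earlier in the function.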
diff --git a/main.c b/main.c
index 2210bdf22ff91bd16cee4f0edb19f6644eddeaf9..fd0fb708b9aab43c9a553169abc589b527ae0cdc 100644 (file)
--- a/main.c
+++ b/main.c
@@ -1521,8 +1521,13 @@ int main(int argc, char **argv)
        STRDUP(vpninfo->vpnc_script, vpnc_script);
 
        if (vpninfo->dtls_state != DTLS_DISABLED &&
-           openconnect_setup_dtls(vpninfo, 60))
+           openconnect_setup_dtls(vpninfo, 60)) {
+               /* Disable DTLS if we cannot set it up, otherwise
+                * reconnects end up in infinite loop trying to connect
+                * to non existing DTLS */
+               vpninfo->dtls_state = DTLS_DISABLED;
                fprintf(stderr, _("Set up DTLS failed; using SSL instead\n"));
+       }
 
        openconnect_get_ip_info(vpninfo, &ip_info, NULL, NULL);