From: Daniel Lenski
Date: Sat, 20 May 2017 22:43:25 +0000 (-0700)
Subject: tweak the dtls_state handling in preparation for supporting GlobalProtect ESP
X-Git-Tag: v8.00~134
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=cc6af8dd5818bde5a8fbaf23677da6c6ddf63238;p=users%2Fdwmw2%2Fopenconnect.git

tweak the dtls_state handling in preparation for supporting GlobalProtect ESP

If a protocol wishes to have dtls_state set to DTLS_SLEEPING after closing UDP, then it must now do so explicitly, because the mainloop will no longer set it. This patch makes both existing protocols set dtls_state explicitly after closing the UDP connection. (The nc protocol already did so explicitly, but the anyconnect protocol didn't.)

The previous behavior, wherein dtls_state was *always* set to DTLS_SLEEPING after closing UDP, was incompatible with the GlobalProtect VPN. Disconnecting and reconnecting GlobalProtect VPN doesn't just require reconnecting the UDP socket and resending probes; it actually invalidates any previously-obtained ESP secret.

Signed-off-by: Daniel Lenski
Signed-off-by: David Woodhouse
---
diff --git a/dtls.c b/dtls.c index c97d14d1..80d6c05a 100644 --- a/dtls.c +++ b/dtls.c @@ -169,6 +169,7 @@ void dtls_close(struct openconnect_info *vpninfo) vpninfo->dtls_ssl = NULL; vpninfo->dtls_fd = -1; } + vpninfo->dtls_state = DTLS_SLEEPING; } static int dtls_reconnect(struct openconnect_info *vpninfo) diff --git a/mainloop.c b/mainloop.c index cc80d0e2..41245096 100644 --- a/mainloop.c +++ b/mainloop.c @@ -258,7 +258,6 @@ int openconnect_mainloop(struct openconnect_info *vpninfo, openconnect_close_https(vpninfo, 0); if (vpninfo->dtls_state > DTLS_DISABLED) { vpninfo->proto->udp_close(vpninfo); - vpninfo->dtls_state = DTLS_SLEEPING; vpninfo->new_dtls_started = 0; }
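Review bot: in the dtls.c hunk, the new `vpninfo->dtls_state = DTLS_SLEEPING;` in dtls_close() is unconditional, but the assignment it replaces in mainloop.c sat inside `if (vpninfo->dtls_state > DTLS_DISABLED)`, so the guard is lost in the move. It is also placed after the closing `}` of the block that tears down dtls_ssl and dtls_fd, so it runs even when there was no DTLS session to close. If dtls_close() is reachable on any path other than the mainloop teardown shown in the second hunk (dtls_reconnect() sits directly below it, and shutdown paths are not visible here) while dtls_state is DTLS_DISABLED, this would promote the state to DTLS_SLEEPING and make the mainloop start treating DTLS as enabled and due for reconnection. Either move the assignment inside the `if (vpninfo->dtls_ssl)` block, or guard it with `if (vpninfo->dtls_state > DTLS_DISABLED)` to preserve the behaviour the mainloop previously had.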
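Review bot: in the mainloop.c hunk, after removing `vpninfo->dtls_state = DTLS_SLEEPING;` the only post-close bookkeeping left at this site is `vpninfo->new_dtls_started = 0;`, and nothing in the surrounding code records that udp_close() is now responsible for choosing the state the connection is left in. Since that contract is enforced per protocol (the commit message says nc already did it and anyconnect is fixed in the first hunk, with GlobalProtect to follow), a one-line comment here such as `/* udp_close() must leave dtls_state in the state appropriate for the protocol */` would stop a future udp_close implementation from silently leaving a torn-down socket in a connected-looking state. Consider also documenting the same requirement at the udp_close callback declaration, which is outside this diff.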