This is an optional call; the default is "no DTLS."
Signed-off-by: Kevin Cernekee <cernekee at gmail.com>
---
 dtls.c | 8 ++++++--
 libopenconnect.map.in | 1 +
 library.c | 1 -
 main.c | 5 +++--
 openconnect-internal.h | 1 -
 openconnect.h | 3 +++
 6 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/dtls.c b/dtls.c
index 47e97d9..e08b2bf 100644
--- a/dtls.c
+++ b/dtls.c
@@ -615,11 +615,15 @@ static int dtls_restart(struct openconnect_info *vpninfo)
 }
-int setup_dtls(struct openconnect_info *vpninfo)
+int openconnect_setup_dtls(struct openconnect_info *vpninfo, int dtls_attempt_period)
 {
 struct vpn_option *dtls_opt = vpninfo->dtls_options;
 int dtls_port = 0;
+ vpninfo->dtls_attempt_period = dtls_attempt_period;
+ if (!dtls_attempt_period)
+ return 0;
+
 #if defined(OPENCONNECT_GNUTLS) && defined(DTLS_OPENSSL)
 /* If we're using GnuTLS for authentication but OpenSSL for DTLS, we'll need to initialise OpenSSL now... */
@@ -874,7 +878,7 @@ int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout)
 }
 #else /* !HAVE_DTLS */
 #warning Your SSL library does not seem to support Cisco DTLS compatibility
-int setup_dtls(struct openconnect_info *vpninfo)
+int openconnect_setup_dtls(struct openconnect_info *vpninfo, int dtls_attempt_period)
 {
 vpn_progress(vpninfo, PRG_ERR, _("Built against SSL library with no Cisco DTLS support\n"));
diff --git a/libopenconnect.map.in b/libopenconnect.map.in
index 72dbd84..f941e8f 100644
--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -50,6 +50,7 @@ OPENCONNECT_2.3 {
 openconnect_setup_tun_device;
 openconnect_setup_tun_script;
 openconnect_setup_tun_fd;
+ openconnect_setup_dtls;
 } OPENCONNECT_2.2;
 OPENCONNECT_PRIVATE {
diff --git a/library.c b/library.c
index 726e4dd..869f3d7 100644
--- a/library.c
+++ b/library.c
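Review bot: openconnect_setup_dtls stores dtls_attempt_period into vpninfo unconditionally and treats only zero as "disabled", so a negative value from a library caller is recorded in vpninfo->dtls_attempt_period and setup proceeds; the code that later reads that field is outside this hunk, so it is not clear from here that a negative period is harmless there. Since this is now a public entry point, rejecting bad input before the store keeps the contract simple: `if (dtls_attempt_period < 0) return -EINVAL;` (or whatever non-zero value the function's existing failure paths return). The body of openconnect_setup_dtls continues past the end of the hunk.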
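Review bot: The !HAVE_DTLS stub now takes dtls_attempt_period but, within the hunk, neither records nor reads it, so every build without DTLS support will get an unused-parameter warning under -Wextra; a `(void)dtls_attempt_period;` at the top of the stub body makes it explicit that the value is deliberately ignored. The stub's body continues outside the hunk, so confirm it still returns non-zero — main.c relies on that return to print its "using SSL instead" fallback message.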
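Review bot: openconnect_setup_dtls is added to the existing OPENCONNECT_2.3 version node rather than a new one; if 2.3 has already shipped, this changes the exported symbol set of a published ABI version, which tooling that compares version nodes will flag. If 2.3 is still unreleased this is fine, but it is worth stating in the commit message so the choice is recorded.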
@@ -57,7 +57,6 @@ struct openconnect_info *openconnect_vpninfo_new(char *useragent,
 vpninfo->cancel_fd = vpninfo->cancel_fd_write = -1;
 vpninfo->cert_expire_warning = 60 * 86400;
 vpninfo->deflate = 1;
- vpninfo->dtls_attempt_period = 60;
 vpninfo->max_qlen = 10;
 vpninfo->reconnect_interval = RECONNECT_INTERVAL_MIN;
 vpninfo->reconnect_timeout = 300;
diff --git a/main.c b/main.c
index faf0448..f3bd972 100644
--- a/main.c
+++ b/main.c
@@ -491,6 +491,7 @@ int main(int argc, char **argv)
 uid_t uid = getuid();
 int opt;
 char *pidfile = NULL;
+ int use_dtls = 1;
 FILE *fp = NULL;
 char *config_arg;
 char *token_str = NULL;
@@ -552,7 +553,7 @@ int main(int argc, char **argv)
 vpninfo->servercert = keep_config_arg();
 break;
 case OPT_NO_DTLS:
- vpninfo->dtls_attempt_period = 0;
+ use_dtls = 0;
 break;
 case OPT_COOKIEONLY:
 cookieonly = 1;
@@ -900,7 +901,7 @@ int main(int argc, char **argv)
 }
 }
- if (vpninfo->dtls_attempt_period && setup_dtls(vpninfo))
+ if (use_dtls && openconnect_setup_dtls(vpninfo, 60))
 fprintf(stderr, _("Set up DTLS failed; using SSL instead\n"));
 vpn_progress(vpninfo, PRG_INFO,
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 226cd72..b731f0d 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -402,7 +402,6 @@ int script_config_tun(struct openconnect_info *vpninfo, const char *reason);
 /* dtls.c */
 unsigned char unhex(const char *data);
-int setup_dtls(struct openconnect_info *vpninfo);
 int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
 int dtls_try_handshake(struct openconnect_info *vpninfo);
 int connect_dtls_socket(struct openconnect_info *vpninfo);
diff --git a/openconnect.h b/openconnect.h
index 5641656..1f9e0c5 100644
--- a/openconnect.h
+++ b/openconnect.h
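Review bot: The DTLS attempt period that library.c used to initialise (60) now reappears as a bare literal in `openconnect_setup_dtls(vpninfo, 60)` in main.c's third hunk; with the library default removed, this literal is the only definition of the CLI's DTLS retry period, so it should become a named constant next to main.c's other defaults (a name of your choosing such as `DTLS_ATTEMPT_PERIOD`, declared as an enum or #define) with a comment giving its unit. A reader cannot tell from the call site whether 60 is seconds or something else. The enclosing main() starts and ends outside the hunk.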
@@ -234,6 +234,9 @@ int openconnect_setup_tun_script(struct openconnect_info *vpninfo, char *tun_scr
 /* Caller will provide a file descriptor for the tunnel traffic. */
 int openconnect_setup_tun_fd(struct openconnect_info *vpninfo, int tun_fd);
+/* Optional call to enable DTLS on the connection. */
+int openconnect_setup_dtls(struct openconnect_info *vpninfo, int dtls_attempt_period);
+
 /* Start the main loop; exits if data is received on cancel_fd or the remote site aborts. */
 int openconnect_mainloop(struct openconnect_info *vpninfo);
-- 
1.7.9.5
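Review bot: The comment on the new public declaration says only that the call is optional and enables DTLS; it does not tell a library consumer what dtls_attempt_period means, that passing 0 records the value and returns 0 without enabling DTLS (now the default, since library.c no longer initialises the field), or what a non-zero return signifies. The header is the contract callers read, so the comment should state the parameter's meaning and unit (seconds, if that is what the 60 passed from main.c denotes — confirm against dtls.c), that 0 leaves DTLS disabled, and that a non-zero return means DTLS could not be set up and the caller continues over the TLS tunnel, as main.c does. A minimal form: `/* Optional call to enable DTLS on the connection. dtls_attempt_period: retry interval between DTLS attempts; 0 leaves DTLS disabled (default). Returns 0 on success, non-zero if DTLS could not be set up (fall back to TLS). */`.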