If a protocol wishes to have dtls_state set to DTLS_SLEEPING after closing UDP, then it must now do so explicitly, because the mainloop will no longer set it. This patch makes both existing protocols set dtls_state explicitly after closing the UDP connection. (The nc protocol already did so explicitly, but the anyconnect protocol didn't.) The previous behavior, wherein dtls_state was *always* set to DTLS_SLEEPING after closing UDP, was incompatible with the GlobalProtect VPN. Disconnecting and reconnecting GlobalProtect VPN doesn't just require reconnecting the UDP socket and resending probes; it actually invalidates any previously-obtained ESP secret. Signed-off-by: Daniel Lenski <dlenski at gmail.com> --- dtls.c | 1 + mainloop.c | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/dtls.c b/dtls.c index c97d14d..80d6c05 100644 --- a/dtls.c +++ b/dtls.c @@ -169,6 +169,7 @@ void dtls_close(struct openconnect_info *vpninfo) vpninfo->dtls_ssl = NULL; vpninfo->dtls_fd = -1; } + vpninfo->dtls_state = DTLS_SLEEPING; } static int dtls_reconnect(struct openconnect_info *vpninfo) diff --git a/mainloop.c b/mainloop.c index cc80d0e..4124509 100644 --- a/mainloop.c +++ b/mainloop.c @@ -258,7 +258,6 @@ int openconnect_mainloop(struct openconnect_info *vpninfo, openconnect_close_https(vpninfo, 0); if (vpninfo->dtls_state > DTLS_DISABLED) { vpninfo->proto->udp_close(vpninfo); - vpninfo->dtls_state = DTLS_SLEEPING; vpninfo->new_dtls_started = 0; } -- 2.7.4
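Review bot: In the dtls.c hunk, the new `vpninfo->dtls_state = DTLS_SLEEPING;` sits after the closing `}` of the block that tears down `dtls_ssl` and `dtls_fd`, so dtls_close() now forces DTLS_SLEEPING on every call, whereas the assignment being removed from mainloop.c only ran inside `if (vpninfo->dtls_state > DTLS_DISABLED)`. If dtls_close() can be reached with dtls_state at DTLS_DISABLED (or by a caller that intends to disable DTLS and sets the state before closing), this silently re-arms DTLS probing. Suggest either guarding the assignment the same way the mainloop did, `if (vpninfo->dtls_state > DTLS_DISABLED) vpninfo->dtls_state = DTLS_SLEEPING;`, or stating in a comment above it that callers wishing to disable DTLS must set dtls_state after calling dtls_close().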
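Review bot: In the mainloop.c hunk, dropping `vpninfo->dtls_state = DTLS_SLEEPING;` after `vpninfo->proto->udp_close(vpninfo);` turns a guarantee the mainloop used to provide into an undocumented contract on every protocol's udp_close callback, and a protocol that forgets it would leave dtls_state at its pre-close value while `new_dtls_started` is reset to 0 on the next line. Suggest recording that requirement in a comment at the udp_close declaration in the protocol ops structure, and in this hunk, so that the GlobalProtect protocol this change is preparing for (and any later one) is held to it; the commit message already explains the rationale, so a one-line pointer to it is enough.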