From de987c497a83396cb8c11e4bcf20245b0964d8d9 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sat, 15 Nov 2014 16:02:19 +0100
Subject: [PATCH] force DTLS reconnect if the session ID we get from TLS changes

Signed-off-by: Nikos Mavrogiannopoulos
---
 cstp.c                 | 15 ++++++++++++++-
 openconnect-internal.h |  1 +
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/cstp.c b/cstp.c
index 2adef39..66a009f 100644
--- a/cstp.c
+++ b/cstp.c
@@ -322,6 +322,7 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 			if (dtlsmtu > mtu)
 				mtu = dtlsmtu;
 		} else if (!strcmp(buf + 7, "Session-ID")) {
+			unsigned char dtls_session_id[32];
 			if (strlen(colon) != 64) {
 				vpn_progress(vpninfo, PRG_ERR,
 					     _("X-DTLS-Session-ID not 64 characters; is: \"%s\"\n"),
@@ -330,8 +331,19 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 				return -EINVAL;
 			}
 			for (i = 0; i < 64; i += 2)
-				vpninfo->dtls_session_id[i/2] = unhex(colon + i);
+				dtls_session_id[i/2] = unhex(colon + i);
 			sessid_found = 1;
+			if (vpninfo->dtls_session_id_set) {
+				if (memcmp(vpninfo->dtls_session_id, dtls_session_id, 32) != 0) {
+					if (vpninfo->dtls_state != DTLS_DISABLED) {
+						dtls_close(vpninfo);
+						vpninfo->dtls_state = DTLS_SLEEPING;
+						vpninfo->new_dtls_started = 0;
+					}
+				}
+			}
+			memcpy(vpninfo->dtls_session_id, dtls_session_id, 32);
+			vpninfo->dtls_session_id_set = 1;
 		}
 		continue;
 	}
@@ -505,6 +517,7 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 
 	vpninfo->ssl_times.last_rekey = vpninfo->ssl_times.last_rx =
 		vpninfo->ssl_times.last_tx = time(NULL);
+
 	return 0;
 }
 
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 3027b50..2d3c442 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -371,6 +371,7 @@ struct openconnect_info {
 	int dtls_state;
 	struct keepalive_info dtls_times;
 	unsigned char dtls_session_id[32];
+	unsigned int dtls_session_id_set;
 	unsigned char dtls_secret[48];
 	char *dtls_cipher;
 
-- 
2.1.3
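Review bot: The three nested `if`s added after `sessid_found = 1;` in the second cstp.c hunk express a single condition and would read better as one guard, and the literal `32` used there (in the `memcmp`, the `memcpy`, and the local declaration in the first hunk) is a second copy of the array size declared in openconnect-internal.h that will silently diverge if either is changed; `if (vpninfo->dtls_session_id_set && memcmp(vpninfo->dtls_session_id, dtls_session_id, sizeof dtls_session_id) != 0 && vpninfo->dtls_state != DTLS_DISABLED) {` with `memcpy(vpninfo->dtls_session_id, dtls_session_id, sizeof vpninfo->dtls_session_id);` ties both to the declaration. Nothing in the hunk says why a changed ID must tear down DTLS, which the commit subject only implies; a one-line comment above the guard, `/* The DTLS session is keyed on this ID; if the server handed out a new one, the existing DTLS session cannot continue and must be restarted */`, would spare the next reader a trip through the history (wording to be confirmed against how dtls.c uses the ID). It is also not visible here whether `dtls_session_id_set` is ever cleared again, e.g. when the connection is torn down or a different server is connected; if not, a stale flag only causes one extra `dtls_close`, but that is worth a comment or a reset in the teardown path. The enclosing start_cstp_connection starts and ends outside this hunk.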
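Review bot: The new `dtls_session_id_set` member in openconnect-internal.h carries no comment, and since it is a validity flag for the array declared on the line above, its meaning and who is responsible for clearing it should be stated next to it; `unsigned int dtls_session_id_set; /* dtls_session_id holds an ID received from the server */` would do, with a note on where it is reset if such a place exists. If the struct uses `int` or `unsigned` for its other boolean-style flags, matching that type would keep the declaration consistent; only `int dtls_state` is visible in this hunk. struct openconnect_info starts and ends outside this hunk.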