From 3552c16f3edf206a249af543f0cecddea6088227 Mon Sep 17 00:00:00 2001 From: Corey Wright Date: Mon, 23 Sep 2019 00:37:53 -0500 Subject: [PATCH] GlobalProtect: Ensure timeout is less than DPD when DTLS connecting When transitioning from DTLS_CONNECTING to DTLS_CONNECTED ensure that the current timeout is less than or equal to 10-second DTLS DPD otherwise timeout might be greater than 2x DPD, eg set to 60-second DTLS attempt period from the ESP main loop where we were "connecting", and we might sleep right through the DTLS DPD period and falsely detect a dead peer and needlessly fall back to HTTPS. This is only relevant to reconnects because during the initial connection the timeout is artificially set low, ie 1 second, by the OpenConnect mainloop because the TUN device is not yet up. Signed-off-by: Corey Wright --- gpst.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/gpst.c b/gpst.c index 91b57cba..827bf2b0 100644 --- a/gpst.c +++ b/gpst.c @@ -1055,6 +1055,13 @@ int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable) vpn_progress(vpninfo, PRG_INFO, _("ESP tunnel connected; exiting HTTPS mainloop.\n")); vpninfo->dtls_state = DTLS_CONNECTED; + /* Now that we are connected, let's ensure timeout is less than + * or equal to DTLS DPD/keepalive else we might over sleep, eg + * if timeout is set to DTLS attempt period from ESP mainloop, + * and falsely detect dead peer. */ + if (vpninfo->dtls_times.dpd) + if (*timeout > vpninfo->dtls_times.dpd * 1000) + *timeout = vpninfo->dtls_times.dpd * 1000; /* fall through */ case DTLS_CONNECTED: /* Rekey if needed */ -- GitLab
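Review bot: The new comment in the DTLS_CONNECTING case says the timeout is clamped to "DTLS DPD/keepalive", but the added code only compares against `vpninfo->dtls_times.dpd`; if a keepalive interval is tracked separately alongside dpd (an assumption about the surrounding struct, not visible in this hunk), a configuration with keepalive set but DPD unset would still leave the timeout unclamped, so either narrow the comment to DPD or clamp against the smaller of the two. On style, the two nested brace-less `if` statements read as an accidental indentation hazard for the next edit; a single condition is clearer and avoids a dangling-else trap: `if (vpninfo->dtls_times.dpd && *timeout > vpninfo->dtls_times.dpd * 1000)` followed by `*timeout = vpninfo->dtls_times.dpd * 1000;`. The seconds-to-milliseconds conversion (`dpd * 1000`) matches the `*timeout` units the mainloop uses elsewhere in this function, so the arithmetic itself looks right for the 10-second DPD the commit message describes.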