openconnect-unknown/gpst.c

1 /*
2  * OpenConnect (SSL + DTLS) VPN client
3  *
4  * Copyright © 2016-2017 Daniel Lenski
5  *
6  * Author: Daniel Lenski <dlenski@gmail.com>
7  *
8  * This program is free software; you can redistribute it and/or
9  * modify it under the terms of the GNU Lesser General Public License
10  * version 2.1, as published by the Free Software Foundation.
11  *
12  * This program is distributed in the hope that it will be useful, but
13  * WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
15  * Lesser General Public License for more details.
16  */
17 
18 #include <config.h>
19 
20 #include <unistd.h>
21 #include <fcntl.h>
22 #include <time.h>
23 #include <string.h>
24 #include <ctype.h>
25 #include <errno.h>
26 #include <stdlib.h>
27 #include <stdio.h>
28 #include <sys/types.h>
29 #ifndef _WIN32
30 #include <sys/wait.h>
31 #endif
32 #include <stdarg.h>
33 #ifdef HAVE_LZ4
34 #include <lz4.h>
35 #endif
36 
37 #ifdef __FreeBSD__
38 #include <sys/types.h>
39 #include <netinet/in.h>
40 #endif
41 
42 #ifdef _WIN32
43 #include "win32-ipicmp.h"
44 #else
45 #include <netinet/ip.h>
46 #include <netinet/ip_icmp.h>
47 #endif
48 
49 #if defined(__linux__)
50 /* For TCP_INFO */
51 # include <linux/tcp.h>
52 #endif
53 
54 #include <assert.h>
55 
56 #include "openconnect-internal.h"
57 
58 /*
59  * Data packets are encapsulated in the SSL stream as follows:
60  *
61  * 0000: Magic "\x1a\x2b\x3c\x4d"
62  * 0004: Big-endian EtherType (0x0800 for IPv4)
63  * 0006: Big-endian 16-bit length (not including 16-byte header)
64  * 0008: Always "\x01\0\0\0\0\0\0\0"
65  * 0010: data payload
66  */
67 
68 /* Strange initialisers here to work around GCC PR#10676 (which was
69  * fixed in GCC 4.6 but it takes a while for some systems to catch
70  * up. */
71 static const struct pkt dpd_pkt = {
72 	.next = NULL,
73 	{ .gpst.hdr = { 0x1a, 0x2b, 0x3c, 0x4d } }
74 };
75 
76 /* similar to auth.c's xmlnode_get_text, including that *var should be freed by the caller,
77    but without the hackish param / %s handling that Cisco needs. And without freeing up
78    the old contents of *var, which is likely to lead to bugs? */
79 static int xmlnode_get_text(xmlNode *xml_node, const char *name, char **var)
80 {
81 	char *str;
82 
83 	if (name && !xmlnode_is_named(xml_node, name))
84 		return -EINVAL;
85 
86 	str = (char *)xmlNodeGetContent(xml_node);
87 	if (!str)
88 		return -ENOENT;
89 
90 	*var = str;
91 	return 0;
92 }
93 
94 /* We behave like CSTP — create a linked list in vpninfo->cstp_options
95  * with the strings containing the information we got from the server,
96  * and oc_ip_info contains const copies of those pointers.
97  *
98  * (unlike version in oncp.c, val is stolen rather than strdup'ed) */
99 
100 static const char *add_option(struct openconnect_info *vpninfo, const char *opt, char *val)
101 {
102 	struct oc_vpn_option *new = malloc(sizeof(*new));
103 	if (!new)
104 		return NULL;
105 
106 	new->option = strdup(opt);
107 	if (!new->option) {
108 		free(new);
109 		return NULL;
110 	}
111 	new->value = val;
112 	new->next = vpninfo->cstp_options;
113 	vpninfo->cstp_options = new;
114 
115 	return new->value;
116 }
117 
118 static int filter_opts(struct oc_text_buf *buf, const char *query, const char *incexc, int include)
119 {
120 	const char *f, *endf, *eq;
121 	const char *found, *comma;
122 
123 	for (f = query; *f; f=(*endf) ? endf+1 : endf) {
124 		endf = strchr(f, '&') ? : f+strlen(f);
125 		eq = strchr(f, '=');
126 		if (!eq || eq > endf)
127 			eq = endf;
128 
129 		for (found = incexc; *found; found=(*comma) ? comma+1 : comma) {
130 			comma = strchr(found, ',') ? : found+strlen(found);
131 			if (!strncmp(found, f, MAX(comma-found, eq-f)))
132 				break;
133 		}
134 
135 		if ((include && *found) || (!include && !*found)) {
136 			if (buf->pos && buf->data[buf->pos-1] != '?' && buf->data[buf->pos-1] != '&')
137 				buf_append(buf, "&");
138 			buf_append_bytes(buf, f, (int)(endf-f));
139 		}
140 	}
141 	return buf_error(buf);
142 }
143 
144 /* Parse this JavaScript-y mess:
145 
146 	"var respStatus = \"Challenge|Error\";\n"
147 	"var respMsg = \"<prompt>\";\n"
148 	"thisForm.inputStr.value = "<inputStr>";\n"
149 */
150 static int parse_javascript(char *buf, char **prompt, char **inputStr)
151 {
152 	const char *start, *end = buf;
153 	int status;
154 
155 	const char *pre_status = "var respStatus = \"",
156 	           *pre_prompt = "var respMsg = \"",
157 	           *pre_inputStr = "thisForm.inputStr.value = \"";
158 
159 	/* Status */
160 	while (isspace(*end))
161 		end++;
162 	if (strncmp(end, pre_status, strlen(pre_status)))
163 		goto err;
164 
165 	start = end+strlen(pre_status);
166 	end = strchr(start, '\n');
167 	if (!end || end[-1] != ';' || end[-2] != '"')
168 		goto err;
169 
170 	if (!strncmp(start, "Challenge", 8))    status = 0;
171 	else if (!strncmp(start, "Error", 5))   status = 1;
172 	else                                    goto err;
173 
174 	/* Prompt */
175 	while (isspace(*end))
176 		end++;
177 	if (strncmp(end, pre_prompt, strlen(pre_prompt)))
178 		goto err;
179 
180 	start = end+strlen(pre_prompt);
181 	end = strchr(start, '\n');
182 	if (!end || end[-1] != ';' || end[-2] != '"' || (end<start+2))
183 		goto err;
184 
185 	if (prompt)
186 		*prompt = strndup(start, end-start-2);
187 
188 	/* inputStr */
189 	while (isspace(*end))
190 		end++;
191 	if (strncmp(end, pre_inputStr, strlen(pre_inputStr)))
192 		goto err2;
193 
194 	start = end+strlen(pre_inputStr);
195 	end = strchr(start, '\n');
196 	if (!end || end[-1] != ';' || end[-2] != '"' || (end<start+2))
197 		goto err2;
198 
199 	if (inputStr)
200 		*inputStr = strndup(start, end-start-2);
201 
202 	while (isspace(*end))
203 		end++;
204 	if (*end != '\0')
205 		goto err3;
206 
207 	return status;
208 
209 err3:
210 	if (inputStr) free(*inputStr);
211 err2:
212 	if (prompt) free(*prompt);
213 err:
214 	return -EINVAL;
215 }
216 
217 int gpst_xml_or_error(struct openconnect_info *vpninfo, int result, char *response,
218 					  int (*xml_cb)(struct openconnect_info *, xmlNode *xml_node),
219 					  char **prompt, char **inputStr)
220 {
221 	xmlDocPtr xml_doc;
222 	xmlNode *xml_node;
223 	char *err = NULL;
224 
225 	/* custom error code returned by /ssl-vpn/login.esp and maybe others */
226 	if (result == -EACCES)
227 		vpn_progress(vpninfo, PRG_ERR, _("Invalid username or password.\n"));
228 
229 	if (result < 0)
230 		return result;
231 
232 	if (!response) {
233 		vpn_progress(vpninfo, PRG_DEBUG,
234 			     _("Empty response from server\n"));
235 		return -EINVAL;
236 	}
237 
238 	/* is it XML? */
239 	xml_doc = xmlReadMemory(response, strlen(response), "noname.xml", NULL,
240 				XML_PARSE_NOERROR);
241 	if (!xml_doc) {
242 		/* is it Javascript? */
243 		char *p, *i;
244 		result = parse_javascript(response, &p, &i);
245 		switch (result) {
246 		case 1:
247 			vpn_progress(vpninfo, PRG_ERR, _("%s\n"), p);
248 			break;
249 		case 0:
250 			vpn_progress(vpninfo, PRG_INFO, _("Challenge: %s\n"), p);
251 			if (prompt && inputStr) {
252 				*prompt=p;
253 				*inputStr=i;
254 				return -EAGAIN;
255 			}
256 			break;
257 		default:
258 			goto bad_xml;
259 		}
260 		free((char *)p);
261 		free((char *)i);
262 		goto out;
263 	}
264 
265 	xml_node = xmlDocGetRootElement(xml_doc);
266 
267 	/* is it <response status="error"><error>..</error></response> ? */
268 	if (xmlnode_is_named(xml_node, "response")
269 	    && !xmlnode_match_prop(xml_node, "status", "error")) {
270 		for (xml_node=xml_node->children; xml_node; xml_node=xml_node->next) {
271 			if (!xmlnode_get_text(xml_node, "error", &err))
272 				goto out;
273 		}
274 		goto bad_xml;
275 	}
276 
277 	/* is it <challenge><user>user.name</user><inputstr>...</inputstr><respmsg>...</respmsg></challenge> */
278 	if (xmlnode_is_named(xml_node, "challenge")) {
279 		for (xml_node=xml_node->children; xml_node; xml_node=xml_node->next) {
280 			if (inputStr && xmlnode_is_named(xml_node, "inputstr"))
281 				xmlnode_get_text(xml_node, "inputstr", inputStr);
282 			else if (prompt && xmlnode_is_named(xml_node, "respmsg"))
283 				xmlnode_get_text(xml_node, "respmsg", prompt);
284 			else if (xmlnode_is_named(xml_node, "user"))
285 				{} /* XXX: override the username passed to the next form? */
286 		}
287 		result = -EAGAIN;
288 		goto out;
289 	}
290 
291 	if (xml_cb)
292 		result = xml_cb(vpninfo, xml_node);
293 
294 	if (result == -EINVAL) {
295 	bad_xml:
296 		vpn_progress(vpninfo, PRG_ERR,
297 					 _("Failed to parse server response\n"));
298 		vpn_progress(vpninfo, PRG_DEBUG,
299 					 _("Response was:%s\n"), response);
300 	}
301 
302 out:
303 	if (err) {
304 		if (!strcmp(err, "GlobalProtect gateway does not exist")
305 		    || !strcmp(err, "GlobalProtect portal does not exist")) {
306 			vpn_progress(vpninfo, PRG_DEBUG, "%s\n", err);
307 			result = -EEXIST;
308 		} else if (!strcmp(err, "Invalid authentication cookie")) {
309 			vpn_progress(vpninfo, PRG_ERR, "%s\n", err);
310 			result = -EPERM;
311 		} else {
312 			vpn_progress(vpninfo, PRG_ERR, "%s\n", err);
313 			result = -EINVAL;
314 		}
315 		free(err);
316 	}
317 	if (xml_doc)
318 		xmlFreeDoc(xml_doc);
319 	return result;
320 }
321 
322 
323 #define ESP_HEADER_SIZE (4 /* SPI */ + 4 /* sequence number */)
324 #define ESP_FOOTER_SIZE (1 /* pad length */ + 1 /* next header */)
325 #define UDP_HEADER_SIZE 8
326 #define TCP_HEADER_SIZE 20 /* with no options */
327 #define IPV4_HEADER_SIZE 20
328 #define IPV6_HEADER_SIZE 40
329 
330 /* Based on cstp.c's calculate_mtu().
331  *
332  * With HTTPS tunnel, there are 21 bytes of overhead beyond the
333  * TCP MSS: 5 bytes for TLS and 16 for GPST.
334  */
335 static int calculate_mtu(struct openconnect_info *vpninfo, int can_use_esp)
336 {
337 	int mtu = vpninfo->reqmtu, base_mtu = vpninfo->basemtu;
338 	int mss = 0;
339 
340 #if defined(__linux__) && defined(TCP_INFO)
341 	if (!mtu) {
342 		struct tcp_info ti;
343 		socklen_t ti_size = sizeof(ti);
344 
345 		if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_INFO,
346 				&ti, &ti_size)) {
347 			vpn_progress(vpninfo, PRG_DEBUG,
348 				     _("TCP_INFO rcv mss %d, snd mss %d, adv mss %d, pmtu %d\n"),
349 				     ti.tcpi_rcv_mss, ti.tcpi_snd_mss, ti.tcpi_advmss, ti.tcpi_pmtu);
350 
351 			if (!base_mtu) {
352 				base_mtu = ti.tcpi_pmtu;
353 			}
354 
355 			/* XXX: GlobalProtect has no mechanism to inform the server about the
356 			 * desired MTU, so could just ignore the "incoming" MSS (tcpi_rcv_mss).
357 			 */
358 			mss = MIN(ti.tcpi_rcv_mss, ti.tcpi_snd_mss);
359 		}
360 	}
361 #endif
362 #ifdef TCP_MAXSEG
363 	if (!mtu && !mss) {
364 		socklen_t mss_size = sizeof(mss);
365 		if (!getsockopt(vpninfo->ssl_fd, IPPROTO_TCP, TCP_MAXSEG,
366 				&mss, &mss_size)) {
367 			vpn_progress(vpninfo, PRG_DEBUG, _("TCP_MAXSEG %d\n"), mss);
368 		}
369 	}
370 #endif
371 	if (!base_mtu) {
372 		/* Default */
373 		base_mtu = 1406;
374 	}
375 
376 	if (base_mtu < 1280)
377 		base_mtu = 1280;
378 
379 #ifdef HAVE_ESP
380 	/* If we can use the ESP tunnel then we should pick the optimal MTU for ESP. */
381 	if (!mtu && can_use_esp) {
382 		/* remove ESP, UDP, IP headers from base (wire) MTU */
383 		mtu = ( base_mtu - UDP_HEADER_SIZE - ESP_HEADER_SIZE
384 		        - 12 /* both supported algos (SHA1 and MD5) have 96-bit MAC lengths (RFC2403 and RFC2404) */
385 		        - (vpninfo->enc_key_len ? : 32) /* biggest supported IV (AES-256) */ );
386 		if (vpninfo->peer_addr->sa_family == AF_INET6)
387 			mtu -= IPV6_HEADER_SIZE;
388 		else
389 			mtu -= IPV4_HEADER_SIZE;
390 		/* round down to a multiple of blocksize */
391 		mtu -= mtu % (vpninfo->enc_key_len ? : 32);
392 		/* subtract ESP footer, which is included in the payload before padding to the blocksize */
393 		mtu -= ESP_FOOTER_SIZE;
394 
395 	} else
396 #endif
397 
398     /* We are definitely using the TLS tunnel, so we should base our MTU on the TCP MSS. */
399 	if (!mtu) {
400 		if (mss)
401 			mtu = mss - 21;
402 		else {
403 			mtu = base_mtu - TCP_HEADER_SIZE - 21;
404 			if (vpninfo->peer_addr->sa_family == AF_INET6)
405 				mtu -= IPV6_HEADER_SIZE;
406 			else
407 				mtu -= IPV4_HEADER_SIZE;
408 		}
409 	}
410 	return mtu;
411 }
412 
413 #ifdef HAVE_ESP
414 static int set_esp_algo(struct openconnect_info *vpninfo, const char *s, int hmac)
415 {
416 	if (hmac) {
417 		if (!strcmp(s, "sha1"))		{ vpninfo->esp_hmac = HMAC_SHA1; vpninfo->hmac_key_len = 20; return 0; }
418 		if (!strcmp(s, "md5"))		{ vpninfo->esp_hmac = HMAC_MD5;  vpninfo->hmac_key_len = 16; return 0; }
419 	} else {
420 		if (!strcmp(s, "aes128") || !strcmp(s, "aes-128-cbc"))
421 		                                { vpninfo->esp_enc = ENC_AES_128_CBC; vpninfo->enc_key_len = 16; return 0; }
422 		if (!strcmp(s, "aes-256-cbc"))	{ vpninfo->esp_enc = ENC_AES_256_CBC; vpninfo->enc_key_len = 32; return 0; }
423 	}
424 	vpn_progress(vpninfo, PRG_ERR, _("Unknown ESP %s algorithm: %s"), hmac ? "MAC" : "encryption", s);
425 	return -ENOENT;
426 }
427 
428 static int get_key_bits(xmlNode *xml_node, unsigned char *dest)
429 {
430 	int bits = -1;
431 	xmlNode *child;
432 	char *s, *p;
433 
434 	for (child = xml_node->children; child; child=child->next) {
435 		if (xmlnode_get_text(child, "bits", &s) == 0) {
436 			bits = atoi(s);
437 			free(s);
438 		} else if (xmlnode_get_text(child, "val", &s) == 0) {
439 			for (p=s; *p && *(p+1) && (bits-=8)>=0; p+=2)
440 				*dest++ = unhex(p);
441 			free(s);
442 		}
443 	}
444 	return (bits == 0) ? 0 : -EINVAL;
445 }
446 #endif
447 
448 /* Return value:
449  *  < 0, on error
450  *  = 0, on success; *form is populated
451  */
452 static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_node)
453 {
454 	xmlNode *member;
455 	char *s;
456 	int ii;
457 
458 	if (!xml_node || !xmlnode_is_named(xml_node, "response"))
459 		return -EINVAL;
460 
461 	/* Clear old options which will be overwritten */
462 	vpninfo->ip_info.addr = vpninfo->ip_info.netmask = NULL;
463 	vpninfo->ip_info.addr6 = vpninfo->ip_info.netmask6 = NULL;
464 	vpninfo->ip_info.domain = NULL;
465 	vpninfo->ip_info.mtu = 0;
466 	vpninfo->esp_magic = inet_addr(vpninfo->ip_info.gateway_addr);
467 	vpninfo->esp_replay_protect = 1;
468 	vpninfo->ssl_times.rekey_method = REKEY_NONE;
469 	vpninfo->cstp_options = NULL;
470 
471 	for (ii = 0; ii < 3; ii++)
472 		vpninfo->ip_info.dns[ii] = vpninfo->ip_info.nbns[ii] = NULL;
473 	free_split_routes(vpninfo);
474 
475 	/* Parse config */
476 	for (xml_node = xml_node->children; xml_node; xml_node=xml_node->next) {
477 		if (!xmlnode_get_text(xml_node, "ip-address", &s))
478 			vpninfo->ip_info.addr = add_option(vpninfo, "ipaddr", s);
479 		else if (!xmlnode_get_text(xml_node, "netmask", &s))
480 			vpninfo->ip_info.netmask = add_option(vpninfo, "netmask", s);
481 		else if (!xmlnode_get_text(xml_node, "mtu", &s)) {
482 			vpninfo->ip_info.mtu = atoi(s);
483 			free(s);
484 		} else if (!xmlnode_get_text(xml_node, "ssl-tunnel-url", &s)) {
485 			free(vpninfo->urlpath);
486 			vpninfo->urlpath = s;
487 			if (strcmp(s, "/ssl-tunnel-connect.sslvpn"))
488 				vpn_progress(vpninfo, PRG_INFO, _("Non-standard SSL tunnel path: %s\n"), s);
489 		} else if (!xmlnode_get_text(xml_node, "timeout", &s)) {
490 			int sec = atoi(s);
491 			vpn_progress(vpninfo, PRG_INFO, _("Tunnel timeout (rekey interval) is %d minutes.\n"), sec/60);
492 			vpninfo->ssl_times.last_rekey = time(NULL);
493 			vpninfo->ssl_times.rekey = sec - 60;
494 			vpninfo->ssl_times.rekey_method = REKEY_TUNNEL;
495 			free(s);
496 		} else if (!xmlnode_get_text(xml_node, "gw-address", &s)) {
497 			/* As remarked in oncp.c, "this is a tunnel; having a
498 			 * gateway is meaningless." See esp_send_probes_gp for the
499 			 * gory details of what this field actually means.
500 			 */
501 			if (strcmp(s, vpninfo->ip_info.gateway_addr))
502 				vpn_progress(vpninfo, PRG_DEBUG,
503 							 _("Gateway address in config XML (%s) differs from external gateway address (%s).\n"), s, vpninfo->ip_info.gateway_addr);
504 			vpninfo->esp_magic = inet_addr(s);
505 			free(s);
506 		} else if (xmlnode_is_named(xml_node, "dns")) {
507 			for (ii=0, member = xml_node->children; member && ii<3; member=member->next)
508 				if (!xmlnode_get_text(member, "member", &s))
509 					vpninfo->ip_info.dns[ii++] = add_option(vpninfo, "DNS", s);
510 		} else if (xmlnode_is_named(xml_node, "wins")) {
511 			for (ii=0, member = xml_node->children; member && ii<3; member=member->next)
512 				if (!xmlnode_get_text(member, "member", &s))
513 					vpninfo->ip_info.nbns[ii++] = add_option(vpninfo, "WINS", s);
514 		} else if (xmlnode_is_named(xml_node, "dns-suffix")) {
515 			for (ii=0, member = xml_node->children; member && ii<1; member=member->next)
516 				if (!xmlnode_get_text(member, "member", &s)) {
517 					vpninfo->ip_info.domain = add_option(vpninfo, "search", s);
518 					ii++;
519 				}
520 		} else if (xmlnode_is_named(xml_node, "access-routes")) {
521 			for (member = xml_node->children; member; member=member->next) {
522 				if (!xmlnode_get_text(member, "member", &s)) {
523 					struct oc_split_include *inc = malloc(sizeof(*inc));
524 					if (!inc)
525 						continue;
526 					inc->route = add_option(vpninfo, "split-include", s);
527 					inc->next = vpninfo->ip_info.split_includes;
528 					vpninfo->ip_info.split_includes = inc;
529 				}
530 			}
531 		} else if (xmlnode_is_named(xml_node, "ipsec")) {
532 #ifdef HAVE_ESP
533 			if (vpninfo->dtls_state != DTLS_DISABLED) {
534 				int c = (vpninfo->current_esp_in ^= 1);
535 				vpninfo->old_esp_maxseq = vpninfo->esp_in[c^1].seq + 32;
536 				for (member = xml_node->children; member; member=member->next) {
537 					s = NULL;
538 					if (!xmlnode_get_text(member, "udp-port", &s))		udp_sockaddr(vpninfo, atoi(s));
539 					else if (!xmlnode_get_text(member, "enc-algo", &s)) 	set_esp_algo(vpninfo, s, 0);
540 					else if (!xmlnode_get_text(member, "hmac-algo", &s))	set_esp_algo(vpninfo, s, 1);
541 					else if (!xmlnode_get_text(member, "c2s-spi", &s))	vpninfo->esp_out.spi = htonl(strtoul(s, NULL, 16));
542 					else if (!xmlnode_get_text(member, "s2c-spi", &s))	vpninfo->esp_in[c].spi = htonl(strtoul(s, NULL, 16));
543 					else if (xmlnode_is_named(member, "ekey-c2s"))		get_key_bits(member, vpninfo->esp_out.enc_key);
544 					else if (xmlnode_is_named(member, "ekey-s2c"))		get_key_bits(member, vpninfo->esp_in[c].enc_key);
545 					else if (xmlnode_is_named(member, "akey-c2s"))		get_key_bits(member, vpninfo->esp_out.hmac_key);
546 					else if (xmlnode_is_named(member, "akey-s2c"))		get_key_bits(member, vpninfo->esp_in[c].hmac_key);
547 					else if (!xmlnode_get_text(member, "ipsec-mode", &s) && strcmp(s, "esp-tunnel"))
548 						vpn_progress(vpninfo, PRG_ERR, _("GlobalProtect config sent ipsec-mode=%s (expected esp-tunnel)\n"), s);
549 					free(s);
550 				}
551 				if (setup_esp_keys(vpninfo, 0))
552 					vpn_progress(vpninfo, PRG_ERR, "Failed to setup ESP keys.\n");
553 				else
554 					/* prevent race condition between esp_mainloop() and gpst_mainloop() timers */
555 					vpninfo->dtls_times.last_rekey = time(&vpninfo->new_dtls_started);
556 			}
557 #else
558 			vpn_progress(vpninfo, PRG_DEBUG, _("Ignoring ESP keys since ESP support not available in this build\n"));
559 #endif
560 		}
561 	}
562 
563 	/* No IPv6 support for SSL VPN:
564 	 * https://live.paloaltonetworks.com/t5/Learning-Articles/IPv6-Support-on-the-Palo-Alto-Networks-Firewall/ta-p/52994 */
565 	openconnect_disable_ipv6(vpninfo);
566 
567 	/* Set 10-second DPD/keepalive (same as Windows client) unless
568 	 * overridden with --force-dpd */
569 	if (!vpninfo->ssl_times.dpd)
570 		vpninfo->ssl_times.dpd = 10;
571 	vpninfo->ssl_times.keepalive = vpninfo->esp_ssl_fallback = vpninfo->ssl_times.dpd;
572 
573 	return 0;
574 }
575 
576 static int gpst_get_config(struct openconnect_info *vpninfo)
577 {
578 	char *orig_path;
579 	int result;
580 	struct oc_text_buf *request_body = buf_alloc();
581 	struct oc_vpn_option *old_cstp_opts = vpninfo->cstp_options;
582 	const char *old_addr = vpninfo->ip_info.addr, *old_netmask = vpninfo->ip_info.netmask;
583 	const char *request_body_type = "application/x-www-form-urlencoded";
584 	const char *method = "POST";
585 	char *xml_buf=NULL;
586 
587 	/* submit getconfig request */
588 	buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10");
589 	append_opt(request_body, "os-version", vpninfo->platname);
590 	if (!strcmp(vpninfo->platname, "win"))
591 		append_opt(request_body, "clientos", "Windows");
592 	else
593 		append_opt(request_body, "clientos", vpninfo->platname);
594 	append_opt(request_body, "hmac-algo", "sha1,md5");
595 	append_opt(request_body, "enc-algo", "aes-128-cbc,aes-256-cbc");
596 	if (old_addr) {
597 		append_opt(request_body, "preferred-ip", old_addr);
598 		filter_opts(request_body, vpninfo->cookie, "preferred-ip", 0);
599 	} else
600 		buf_append(request_body, "&%s", vpninfo->cookie);
601 	if ((result = buf_error(request_body)))
602 		goto out;
603 
604 	orig_path = vpninfo->urlpath;
605 	vpninfo->urlpath = strdup("ssl-vpn/getconfig.esp");
606 	result = do_https_request(vpninfo, method, request_body_type, request_body,
607 				  &xml_buf, 0);
608 	free(vpninfo->urlpath);
609 	vpninfo->urlpath = orig_path;
610 
611 	if (result < 0)
612 		goto pre_opt_out;
613 
614 	/* parse getconfig result */
615 	result = gpst_xml_or_error(vpninfo, result, xml_buf, gpst_parse_config_xml, NULL, NULL);
616 	if (result)
617 		return result;
618 
619 	if (!vpninfo->ip_info.mtu) {
620 		/* FIXME: GP gateway config always seems to be <mtu>0</mtu> */
621 		char *no_esp_reason = NULL;
622 #ifdef HAVE_ESP
623 		if (vpninfo->dtls_state == DTLS_DISABLED)
624 			no_esp_reason = _("ESP disabled");
625 		else if (vpninfo->dtls_state == DTLS_NOSECRET)
626 			no_esp_reason = _("No ESP keys received");
627 #else
628 		no_esp_reason = _("ESP support not available in this build");
629 #endif
630 		vpninfo->ip_info.mtu = calculate_mtu(vpninfo, !no_esp_reason);
631 		vpn_progress(vpninfo, PRG_ERR,
632 			     _("No MTU received. Calculated %d for %s%s\n"), vpninfo->ip_info.mtu,
633 			     no_esp_reason ? "TLS tunnel. " : "ESP tunnel", no_esp_reason ? : "");
634 		/* return -EINVAL; */
635 	}
636 	if (!vpninfo->ip_info.addr) {
637 		vpn_progress(vpninfo, PRG_ERR,
638 			     _("No IP address received. Aborting\n"));
639 		result = -EINVAL;
640 		goto out;
641 	}
642 	if (old_addr) {
643 		if (strcmp(old_addr, vpninfo->ip_info.addr)) {
644 			vpn_progress(vpninfo, PRG_ERR,
645 				     _("Reconnect gave different Legacy IP address (%s != %s)\n"),
646 				     vpninfo->ip_info.addr, old_addr);
647 			result = -EINVAL;
648 			goto out;
649 		}
650 	}
651 	if (old_netmask) {
652 		if (strcmp(old_netmask, vpninfo->ip_info.netmask)) {
653 			vpn_progress(vpninfo, PRG_ERR,
654 				     _("Reconnect gave different Legacy IP netmask (%s != %s)\n"),
655 				     vpninfo->ip_info.netmask, old_netmask);
656 			result = -EINVAL;
657 			goto out;
658 		}
659 	}
660 
661 out:
662 	free_optlist(old_cstp_opts);
663 pre_opt_out:
664 	buf_free(request_body);
665 	free(xml_buf);
666 	return result;
667 }
668 
669 static int gpst_connect(struct openconnect_info *vpninfo)
670 {
671 	int ret;
672 	struct oc_text_buf *reqbuf;
673 	const char start_tunnel[12] = "START_TUNNEL"; /* NOT zero-terminated */
674 	char buf[256];
675 
676 	/* Connect to SSL VPN tunnel */
677 	vpn_progress(vpninfo, PRG_DEBUG,
678 		     _("Connecting to HTTPS tunnel endpoint ...\n"));
679 
680 	ret = openconnect_open_https(vpninfo);
681 	if (ret)
682 		return ret;
683 
684 	reqbuf = buf_alloc();
685 	buf_append(reqbuf, "GET %s?", vpninfo->urlpath);
686 	filter_opts(reqbuf, vpninfo->cookie, "user,authcookie", 1);
687 	buf_append(reqbuf, " HTTP/1.1\r\n\r\n");
688 	if ((ret = buf_error(reqbuf)))
689 		goto out;
690 
691 	if (vpninfo->dump_http_traffic)
692 		dump_buf(vpninfo, '>', reqbuf->data);
693 
694 	vpninfo->ssl_write(vpninfo, reqbuf->data, reqbuf->pos);
695 
696 	if ((ret = vpninfo->ssl_read(vpninfo, buf, 12)) < 0) {
697 		if (ret == -EINTR)
698 			goto out;
699 		vpn_progress(vpninfo, PRG_ERR,
700 		             _("Error fetching GET-tunnel HTTPS response.\n"));
701 		ret = -EINVAL;
702 		goto out;
703 	}
704 
705 	if (!strncmp(buf, start_tunnel, sizeof(start_tunnel))) {
706 		ret = 0;
707 	} else if (ret==0) {
708 		vpn_progress(vpninfo, PRG_ERR,
709 			     _("Gateway disconnected immediately after GET-tunnel request.\n"));
710 		ret = -EPIPE;
711 	} else {
712 		if (ret==sizeof(start_tunnel)) {
713 			ret = vpninfo->ssl_gets(vpninfo, buf+sizeof(start_tunnel), sizeof(buf)-sizeof(start_tunnel));
714 			ret = (ret>0 ? ret : 0) + sizeof(start_tunnel);
715 		}
716 		vpn_progress(vpninfo, PRG_ERR,
717 		             _("Got inappropriate HTTP GET-tunnel response: %.*s\n"), ret, buf);
718 		ret = -EINVAL;
719 	}
720 
721 	if (ret < 0)
722 		openconnect_close_https(vpninfo, 0);
723 	else {
724 		monitor_fd_new(vpninfo, ssl);
725 		monitor_read_fd(vpninfo, ssl);
726 		monitor_except_fd(vpninfo, ssl);
727 		vpninfo->ssl_times.last_rx = vpninfo->ssl_times.last_tx = time(NULL);
728 		/* connecting the HTTPS tunnel totally invalidates the ESP keys,
729 		   hence shutdown */
730 		if (vpninfo->proto->udp_shutdown)
731 			vpninfo->proto->udp_shutdown(vpninfo);
732 	}
733 
734 out:
735 	buf_free(reqbuf);
736 	return ret;
737 }
738 
739 static int parse_hip_report_check(struct openconnect_info *vpninfo, xmlNode *xml_node)
740 {
741 	char *s;
742 	int result = -EINVAL;
743 
744 	if (!xml_node || !xmlnode_is_named(xml_node, "response"))
745 		goto out;
746 
747 	for (xml_node = xml_node->children; xml_node; xml_node=xml_node->next) {
748 		if (!xmlnode_get_text(xml_node, "hip-report-needed", &s)) {
749 			if (!strcmp(s, "no"))
750 				result = 0;
751 			else if (!strcmp(s, "yes"))
752 				result = -EAGAIN;
753 			else
754 				result = -EINVAL;
755 			free(s);
756 			goto out;
757 		}
758 	}
759 
760 out:
761 	return result;
762 }
763 
764 /* Unlike CSD, the HIP security checker runs during the connection
765  * phase, not during the authentication phase.
766  *
767  * The HIP security checker will (probably) ask us to resubmit the
768  * HIP report if either of the following changes:
769  *   - Client IP address
770  *   - Client HIP report md5sum
771  *
772  * I'm not sure what the md5sum is computed over in the official
773  * client, but it doesn't really matter.
774  *
775  * We just need an identifier for the combination of the local host
776  * and the VPN gateway which won't change when our IP address
777  * or authcookie are changed.
778  */
779 static int build_csd_token(struct openconnect_info *vpninfo)
780 {
781 	struct oc_text_buf *buf;
782 	unsigned char md5[16];
783 	int i;
784 
785 	if (vpninfo->csd_token)
786 		return 0;
787 
788 	vpninfo->csd_token = malloc(MD5_SIZE * 2 + 1);
789 	if (!vpninfo->csd_token)
790 		return -ENOMEM;
791 
792 	/* use localname and cookie (excluding volatile authcookie and preferred-ip) to build md5sum */
793 	buf = buf_alloc();
794 	append_opt(buf, "computer", vpninfo->localname);
795 	filter_opts(buf, vpninfo->cookie, "authcookie,preferred-ip", 0);
796 	if (buf_error(buf))
797 		goto out;
798 
799 	/* save as csd_token */
800 	openconnect_md5(md5, buf->data, buf->pos);
801 	for (i=0; i < MD5_SIZE; i++)
802 		sprintf(&vpninfo->csd_token[i*2], "%02x", md5[i]);
803 
804 out:
805 	return buf_free(buf);
806 }
807 
808 /* check if HIP report is needed (to ssl-vpn/hipreportcheck.esp) or submit HIP report contents (to ssl-vpn/hipreport.esp) */
809 static int check_or_submit_hip_report(struct openconnect_info *vpninfo, const char *report)
810 {
811 	int result;
812 
813 	struct oc_text_buf *request_body = buf_alloc();
814 	const char *request_body_type = "application/x-www-form-urlencoded";
815 	const char *method = "POST";
816 	char *xml_buf=NULL, *orig_path;
817 
818 	/* cookie gives us these fields: authcookie, portal, user, domain, and (maybe the unnecessary) preferred-ip */
819 	buf_append(request_body, "client-role=global-protect-full&%s", vpninfo->cookie);
820 	append_opt(request_body, "computer", vpninfo->localname);
821 	append_opt(request_body, "client-ip", vpninfo->ip_info.addr);
822 	if (report) {
823 		/* XML report contains many characters requiring URL-encoding (%xx) */
824 		buf_ensure_space(request_body, strlen(report)*3);
825 		append_opt(request_body, "report", report);
826 	} else {
827 		result = build_csd_token(vpninfo);
828 		if (result)
829 			goto out;
830 		append_opt(request_body, "md5", vpninfo->csd_token);
831 	}
832 	if ((result = buf_error(request_body)))
833 		goto out;
834 
835 	orig_path = vpninfo->urlpath;
836 	vpninfo->urlpath = strdup(report ? "ssl-vpn/hipreport.esp" : "ssl-vpn/hipreportcheck.esp");
837 	result = do_https_request(vpninfo, method, request_body_type, request_body,
838 				  &xml_buf, 0);
839 	free(vpninfo->urlpath);
840 	vpninfo->urlpath = orig_path;
841 
842 	result = gpst_xml_or_error(vpninfo, result, xml_buf, report ? NULL : parse_hip_report_check, NULL, NULL);
843 
844 out:
845 	buf_free(request_body);
846 	free(xml_buf);
847 	return result;
848 }
849 
850 static int run_hip_script(struct openconnect_info *vpninfo)
851 {
852 #if !defined(_WIN32) && !defined(__native_client__)
853 	int pipefd[2];
854 	int ret;
855 	pid_t child;
856 #endif
857 
858 	if (!vpninfo->csd_wrapper) {
859 		vpn_progress(vpninfo, PRG_ERR,
860 		             _("WARNING: Server asked us to submit HIP report with md5sum %s.\n"
861 		               "VPN connectivity may be disabled or limited without HIP report submission.\n"
862 		               "You need to provide a --csd-wrapper argument with the HIP report submission script.\n"),
863 		             vpninfo->csd_token);
864 		/* XXX: Many GlobalProtect VPNs work fine despite allegedly requiring HIP report submission */
865 		return 0;
866 	}
867 
868 #if defined(_WIN32) || defined(__native_client__)
869 	vpn_progress(vpninfo, PRG_ERR,
870 		     _("Error: Running the 'HIP Report' script on this platform is not yet implemented.\n"));
871 	return -EPERM;
872 #else
873 	if (pipe(pipefd) == -1)
874 		goto out;
875 	child = fork();
876 	if (child == -1) {
877 		goto out;
878 	} else if (child > 0) {
879 		/* in parent: read report from child */
880 		struct oc_text_buf *report_buf = buf_alloc();
881 		char b[256];
882 		int i, status;
883 		close(pipefd[1]);
884 
885 		buf_truncate(report_buf);
886 		while ((i = read(pipefd[0], b, sizeof(b))) > 0)
887 			buf_append_bytes(report_buf, b, i);
888 
889 		waitpid(child, &status, 0);
890 		if (status != 0) {
891 			vpn_progress(vpninfo, PRG_ERR,
892 						 _("HIP script returned non-zero status: %d\n"), status);
893 			ret = -EINVAL;
894 		} else {
895 			ret = check_or_submit_hip_report(vpninfo, report_buf->data);
896 			if (ret < 0)
897 				vpn_progress(vpninfo, PRG_ERR, _("HIP report submission failed.\n"));
898 			else {
899 				vpn_progress(vpninfo, PRG_INFO, _("HIP report submitted successfully.\n"));
900 				ret = 0;
901 			}
902 		}
903 		buf_free(report_buf);
904 		return ret;
905 	} else {
906 		/* in child: run HIP script */
907 		char *hip_argv[32];
908 		int i = 0;
909 		close(pipefd[0]);
910 		dup2(pipefd[1], 1);
911 
912 		hip_argv[i++] = openconnect_utf8_to_legacy(vpninfo, vpninfo->csd_wrapper);
913 		hip_argv[i++] = (char *)"--cookie";
914 		hip_argv[i++] = vpninfo->cookie;
915 		hip_argv[i++] = (char *)"--computer";
916 		hip_argv[i++] = vpninfo->localname;
917 		hip_argv[i++] = (char *)"--client-ip";
918 		hip_argv[i++] = (char *)vpninfo->ip_info.addr;
919 		hip_argv[i++] = (char *)"--md5";
920 		hip_argv[i++] = vpninfo->csd_token;
921 		hip_argv[i++] = NULL;
922 		execv(hip_argv[0], hip_argv);
923 
924 	out:
925 		vpn_progress(vpninfo, PRG_ERR,
926 				 _("Failed to exec HIP script %s\n"), hip_argv[0]);
927 		exit(1);
928 	}
929 
930 #endif /* !_WIN32 && !__native_client__ */
931 }
932 
933 int gpst_setup(struct openconnect_info *vpninfo)
934 {
935 	int ret;
936 
937 	/* ESP keys are invalid as soon as we (re-)fetch the configuration, hence shutdown */
938 	if (vpninfo->proto->udp_shutdown)
939 		vpninfo->proto->udp_shutdown(vpninfo);
940 
941 	/* Get configuration */
942 	ret = gpst_get_config(vpninfo);
943 	if (ret)
944 		goto out;
945 
946 	/* Check HIP */
947 	ret = check_or_submit_hip_report(vpninfo, NULL);
948 	if (ret == -EAGAIN) {
949 		vpn_progress(vpninfo, PRG_DEBUG,
950 					 _("Gateway says HIP report submission is needed.\n"));
951 		ret = run_hip_script(vpninfo);
952 		if (ret != 0)
953 			goto out;
954 	} else if (ret == 0)
955 		vpn_progress(vpninfo, PRG_DEBUG,
956 					 _("Gateway says no HIP report submission is needed.\n"));
957 
958 	/* We do NOT actually start the HTTPS tunnel yet if we want to
959 	 * use ESP, because the ESP tunnel won't work if the HTTPS tunnel
960 	 * is connected! >:-(
961 	 */
962 	if (vpninfo->dtls_state == DTLS_DISABLED || vpninfo->dtls_state == DTLS_NOSECRET)
963 		ret = gpst_connect(vpninfo);
964 
965 out:
966 	return ret;
967 }
968 
969 int gpst_mainloop(struct openconnect_info *vpninfo, int *timeout)
970 {
971 	int ret;
972 	int work_done = 0;
973 	uint16_t ethertype;
974 	uint32_t one, zero, magic;
975 
976 	/* Starting the HTTPS tunnel kills ESP, so we avoid starting
977 	 * it if the ESP tunnel is connected or connecting.
978 	 */
979 	switch (vpninfo->dtls_state) {
980 	case DTLS_CONNECTING:
981 		openconnect_close_https(vpninfo, 0); /* don't keep stale HTTPS socket */
982 		vpn_progress(vpninfo, PRG_INFO,
983 			     _("ESP tunnel connected; exiting HTTPS mainloop.\n"));
984 		vpninfo->dtls_state = DTLS_CONNECTED;
985 		/* fall through */
986 	case DTLS_CONNECTED:
987 		/* Rekey if needed */
988 		if (keepalive_action(&vpninfo->ssl_times, timeout) == KA_REKEY)
989 			goto do_rekey;
990 		return 0;
991 	case DTLS_SECRET:
992 	case DTLS_SLEEPING:
993 		if (!ka_check_deadline(timeout, time(NULL), vpninfo->new_dtls_started + 5)) {
994 			/* Allow 5 seconds after configuration for ESP to start */
995 			return 0;
996 		} else {
997 			/* ... before we switch to HTTPS instead */
998 			vpn_progress(vpninfo, PRG_ERR,
999 				     _("Failed to connect ESP tunnel; using HTTPS instead.\n"));
1000 			if (gpst_connect(vpninfo)) {
1001 				vpninfo->quit_reason = "GPST connect failed";
1002 				return 1;
1003 			}
1004 		}
1005 		break;
1006 	case DTLS_NOSECRET:
1007 		/* HTTPS tunnel already started, or getconfig.esp did not provide any ESP keys */
1008 	case DTLS_DISABLED:
1009 		/* ESP is disabled */
1010 		;
1011 	}
1012 
1013 	if (vpninfo->ssl_fd == -1)
1014 		goto do_reconnect;
1015 
1016 	while (1) {
1017 		int receive_mtu = MAX(2048, vpninfo->ip_info.mtu + 256);
1018 		int len, payload_len;
1019 
1020 		if (!vpninfo->cstp_pkt) {
1021 			vpninfo->cstp_pkt = malloc(sizeof(struct pkt) + receive_mtu);
1022 			if (!vpninfo->cstp_pkt) {
1023 				vpn_progress(vpninfo, PRG_ERR, _("Allocation failed\n"));
1024 				break;
1025 			}
1026 		}
1027 
1028 		len = ssl_nonblock_read(vpninfo, vpninfo->cstp_pkt->gpst.hdr, receive_mtu + 16);
1029 		if (!len)
1030 			break;
1031 		if (len < 0) {
1032 			vpn_progress(vpninfo, PRG_ERR, _("Packet receive error: %s\n"), strerror(-len));
1033 			goto do_reconnect;
1034 		}
1035 		if (len < 16) {
1036 			vpn_progress(vpninfo, PRG_ERR, _("Short packet received (%d bytes)\n"), len);
1037 			vpninfo->quit_reason = "Short packet received";
1038 			return 1;
1039 		}
1040 
1041 		/* check packet header */
1042 		magic = load_be32(vpninfo->cstp_pkt->gpst.hdr);
1043 		ethertype = load_be16(vpninfo->cstp_pkt->gpst.hdr + 4);
1044 		payload_len = load_be16(vpninfo->cstp_pkt->gpst.hdr + 6);
1045 		one = load_le32(vpninfo->cstp_pkt->gpst.hdr + 8);
1046 		zero = load_le32(vpninfo->cstp_pkt->gpst.hdr + 12);
1047 
1048 		if (magic != 0x1a2b3c4d)
1049 			goto unknown_pkt;
1050 
1051 		if (len != 16 + payload_len) {
1052 			vpn_progress(vpninfo, PRG_ERR,
1053 				     _("Unexpected packet length. SSL_read returned %d (includes 16 header bytes) but header payload_len is %d\n"),
1054 			             len, payload_len);
1055 			dump_buf_hex(vpninfo, PRG_ERR, '<', vpninfo->cstp_pkt->gpst.hdr, 16);
1056 			continue;
1057 		}
1058 
1059 		vpninfo->ssl_times.last_rx = time(NULL);
1060 		switch (ethertype) {
1061 		case 0:
1062 			vpn_progress(vpninfo, PRG_DEBUG,
1063 				     _("Got GPST DPD/keepalive response\n"));
1064 
1065 			if (one != 0 || zero != 0) {
1066 				vpn_progress(vpninfo, PRG_DEBUG,
1067 					     _("Expected 0000000000000000 as last 8 bytes of DPD/keepalive packet header, but got:\n"));
1068 				dump_buf_hex(vpninfo, PRG_DEBUG, '<', vpninfo->cstp_pkt->gpst.hdr + 8, 8);
1069 			}
1070 			continue;
1071 		case 0x0800:
1072 			vpn_progress(vpninfo, PRG_TRACE,
1073 				     _("Received data packet of %d bytes\n"),
1074 				     payload_len);
1075 			vpninfo->cstp_pkt->len = payload_len;
1076 			queue_packet(&vpninfo->incoming_queue, vpninfo->cstp_pkt);
1077 			vpninfo->cstp_pkt = NULL;
1078 			work_done = 1;
1079 
1080 			if (one != 1 || zero != 0) {
1081 				vpn_progress(vpninfo, PRG_DEBUG,
1082 					     _("Expected 0100000000000000 as last 8 bytes of data packet header, but got:\n"));
1083 				dump_buf_hex(vpninfo, PRG_DEBUG, '<', vpninfo->cstp_pkt->gpst.hdr + 8, 8);
1084 			}
1085 			continue;
1086 		}
1087 
1088 	unknown_pkt:
1089 		vpn_progress(vpninfo, PRG_ERR,
1090 			     _("Unknown packet. Header dump follows:\n"));
1091 		dump_buf_hex(vpninfo, PRG_ERR, '<', vpninfo->cstp_pkt->gpst.hdr, 16);
1092 		vpninfo->quit_reason = "Unknown packet received";
1093 		return 1;
1094 	}
1095 
1096 
1097 	/* If SSL_write() fails we are expected to try again. With exactly
1098 	   the same data, at exactly the same location. So we keep the
1099 	   packet we had before.... */
1100 	if (vpninfo->current_ssl_pkt) {
1101 	handle_outgoing:
1102 		vpninfo->ssl_times.last_tx = time(NULL);
1103 		unmonitor_write_fd(vpninfo, ssl);
1104 
1105 		ret = ssl_nonblock_write(vpninfo,
1106 					 vpninfo->current_ssl_pkt->gpst.hdr,
1107 					 vpninfo->current_ssl_pkt->len + 16);
1108 		if (ret < 0)
1109 			goto do_reconnect;
1110 		else if (!ret) {
1111 			switch (ka_stalled_action(&vpninfo->ssl_times, timeout)) {
1112 			case KA_REKEY:
1113 				goto do_rekey;
1114 			case KA_DPD_DEAD:
1115 				goto peer_dead;
1116 			case KA_NONE:
1117 				return work_done;
1118 			}
1119 		}
1120 
1121 		if (ret != vpninfo->current_ssl_pkt->len + 16) {
1122 			vpn_progress(vpninfo, PRG_ERR,
1123 				     _("SSL wrote too few bytes! Asked for %d, sent %d\n"),
1124 				     vpninfo->current_ssl_pkt->len + 16, ret);
1125 			vpninfo->quit_reason = "Internal error";
1126 			return 1;
1127 		}
1128 		/* Don't free the 'special' packets */
1129 		if (vpninfo->current_ssl_pkt != &dpd_pkt)
1130 			free(vpninfo->current_ssl_pkt);
1131 
1132 		vpninfo->current_ssl_pkt = NULL;
1133 	}
1134 
1135 	switch (keepalive_action(&vpninfo->ssl_times, timeout)) {
1136 	case KA_REKEY:
1137 	do_rekey:
1138 		vpn_progress(vpninfo, PRG_INFO, _("GlobalProtect rekey due\n"));
1139 		goto do_reconnect;
1140 	case KA_DPD_DEAD:
1141 	peer_dead:
1142 		vpn_progress(vpninfo, PRG_ERR,
1143 			     _("GPST Dead Peer Detection detected dead peer!\n"));
1144 	do_reconnect:
1145 		ret = ssl_reconnect(vpninfo);
1146 		if (ret) {
1147 			vpn_progress(vpninfo, PRG_ERR, _("Reconnect failed\n"));
1148 			vpninfo->quit_reason = "GPST reconnect failed";
1149 			return ret;
1150 		}
1151 		if (vpninfo->proto->udp_setup)
1152 			vpninfo->proto->udp_setup(vpninfo, vpninfo->dtls_attempt_period);
1153 		return 1;
1154 
1155 	case KA_KEEPALIVE:
1156 		/* No need to send an explicit keepalive
1157 		   if we have real data to send */
1158 		if (vpninfo->dtls_state != DTLS_CONNECTED &&
1159 		    vpninfo->outgoing_queue.head)
1160 			break;
1161 		/* fall through */
1162 	case KA_DPD:
1163 		vpn_progress(vpninfo, PRG_DEBUG, _("Send GPST DPD/keepalive request\n"));
1164 
1165 		vpninfo->current_ssl_pkt = (struct pkt *)&dpd_pkt;
1166 		goto handle_outgoing;
1167 	}
1168 
1169 
1170 	/* Service outgoing packet queue */
1171 	while (vpninfo->dtls_state != DTLS_CONNECTED &&
1172 	       (vpninfo->current_ssl_pkt = dequeue_packet(&vpninfo->outgoing_queue))) {
1173 		struct pkt *this = vpninfo->current_ssl_pkt;
1174 
1175 		/* store header */
1176 		store_be32(this->gpst.hdr, 0x1a2b3c4d);
1177 		store_be16(this->gpst.hdr + 4, 0x0800); /* IPv4 EtherType */
1178 		store_be16(this->gpst.hdr + 6, this->len);
1179 		store_le32(this->gpst.hdr + 8, 1);
1180 		store_le32(this->gpst.hdr + 12, 0);
1181 
1182 		vpn_progress(vpninfo, PRG_TRACE,
1183 			     _("Sending data packet of %d bytes\n"),
1184 			     this->len);
1185 
1186 		goto handle_outgoing;
1187 	}
1188 
1189 	/* Work is not done if we just got rid of packets off the queue */
1190 	return work_done;
1191 }
1192 
1193 #ifdef HAVE_ESP
1194 static uint16_t csum(uint16_t *buf, int nwords)
1195 {
1196 	uint32_t sum = 0;
1197 	for(sum=0; nwords>0; nwords--)
1198 		sum += ntohs(*buf++);
1199 	sum = (sum >> 16) + (sum &0xffff);
1200 	sum += (sum >> 16);
1201 	return htons((uint16_t)(~sum));
1202 }
1203 
1204 int gpst_esp_send_probes(struct openconnect_info *vpninfo)
1205 {
1206 	/* The GlobalProtect VPN initiates and maintains the ESP connection
1207 	 * using specially-crafted ICMP ("ping") packets.
1208 	 *
1209 	 * 1) These ping packets have a special magic payload. It must
1210 	 *    include at least the 16 bytes below. The Windows client actually
1211 	 *    sends this 56-byte version, but the remaining bytes don't
1212 	 *    seem to matter:
1213 	 *
1214 	 *    "monitor\x00\x00pan ha 0123456789:;<=>? !\"#$%&\'()*+,-./\x10\x11\x12\x13\x14\x15\x16\x18";
1215 	 *
1216 	 * 2) The ping packets are addressed to the IP supplied in the
1217 	 *    config XML as as <gw-address>. In most cases, this is the
1218 	 *    same as the *external* IP address of the VPN gateway
1219 	 *    (vpninfo->ip_info.gateway_addr), but in some cases it is a
1220 	 *    separate address.
1221 	 *
1222 	 *    Don't blame me. I didn't design this.
1223 	 */
1224 	static char magic[16] = "monitor\x00\x00pan ha ";
1225 
1226 	int pktlen, seq;
1227 	struct pkt *pkt = malloc(sizeof(*pkt) + sizeof(struct ip) + ICMP_MINLEN + sizeof(magic) + vpninfo->pkt_trailer);
1228 	struct ip *iph = (void *)pkt->data;
1229 	struct icmp *icmph = (void *)(pkt->data + sizeof(*iph));
1230 	char *pmagic = (void *)(pkt->data + sizeof(*iph) + ICMP_MINLEN);
1231 	if (!pkt)
1232 		return -ENOMEM;
1233 
1234 	if (vpninfo->dtls_fd == -1) {
1235 		int fd = udp_connect(vpninfo);
1236 		if (fd < 0)
1237 			return fd;
1238 
1239 		/* We are not connected until we get an ESP packet back */
1240 		vpninfo->dtls_state = DTLS_SLEEPING;
1241 		vpninfo->dtls_fd = fd;
1242 		monitor_fd_new(vpninfo, dtls);
1243 		monitor_read_fd(vpninfo, dtls);
1244 		monitor_except_fd(vpninfo, dtls);
1245 	}
1246 
1247 	for (seq=1; seq <= (vpninfo->dtls_state==DTLS_CONNECTED ? 1 : 3); seq++) {
1248 		memset(pkt, 0, sizeof(*pkt) + sizeof(*iph) + ICMP_MINLEN + sizeof(magic));
1249 		pkt->len = sizeof(struct ip) + ICMP_MINLEN + sizeof(magic);
1250 
1251 		/* IP Header */
1252 		iph->ip_hl = 5;
1253 		iph->ip_v = 4;
1254 		iph->ip_len = htons(sizeof(*iph) + ICMP_MINLEN + sizeof(magic));
1255 		iph->ip_id = htons(0x4747); /* what the Windows client uses */
1256 		iph->ip_off = htons(IP_DF); /* don't fragment, frag offset = 0 */
1257 		iph->ip_ttl = 64; /* hops */
1258 		iph->ip_p = 1; /* ICMP */
1259 		iph->ip_src.s_addr = inet_addr(vpninfo->ip_info.addr);
1260 		iph->ip_dst.s_addr = vpninfo->esp_magic;
1261 		iph->ip_sum = csum((uint16_t *)iph, sizeof(*iph)/2);
1262 
1263 		/* ICMP echo request */
1264 		icmph->icmp_type = ICMP_ECHO;
1265 		icmph->icmp_hun.ih_idseq.icd_id = htons(0x4747);
1266 		icmph->icmp_hun.ih_idseq.icd_seq = htons(seq);
1267 		memcpy(pmagic, magic, sizeof(magic)); /* required to get gateway to respond */
1268 		icmph->icmp_cksum = csum((uint16_t *)icmph, (ICMP_MINLEN+sizeof(magic))/2);
1269 
1270 		pktlen = encrypt_esp_packet(vpninfo, pkt);
1271 		if (pktlen >= 0)
1272 			send(vpninfo->dtls_fd, (void *)&pkt->esp, pktlen, 0);
1273 	}
1274 
1275 	free(pkt);
1276 
1277 	vpninfo->dtls_times.last_tx = time(&vpninfo->new_dtls_started);
1278 
1279 	return 0;
1280 }
1281 
1282 int gpst_esp_catch_probe(struct openconnect_info *vpninfo, struct pkt *pkt)
1283 {
1284 	struct ip *iph = (void *)(pkt->data);
1285 	return ( pkt->len >= 21
1286 		 && iph->ip_p==1 /* IPv4 protocol field == ICMP */
1287 		 && iph->ip_src.s_addr == vpninfo->esp_magic /* source == magic address */
1288 		 && pkt->len >= (iph->ip_hl<<2)+1 /* No short-packet segfaults */
1289 		 && pkt->data[iph->ip_hl<<2]==0 /* ICMP reply */ );
1290 }
1291 #endif /* HAVE_ESP */