Set ESP Next Header correctly for IPv6 again
authorDavid Woodhouse <dwmw2@infradead.org>
Tue, 16 Jul 2019 09:41:44 +0000 (10:41 +0100)
committerDavid Woodhouse <dwmw2@infradead.org>
Tue, 16 Jul 2019 09:41:44 +0000 (10:41 +0100)
This reverts commit a6fe0d0d8088c49b65df7ae2ea1ee254ab34639a, and allows
the protocol to be specified for the Pulse/NC probes.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
esp.c
gpst.c
oncp.c
openconnect-internal.h

diff --git a/esp.c b/esp.c
index 1f276b05426ec124af8a748e85eb78b8ffc4c254..0b34c2ebc271bb2086ecbfe142ef4925b6038204 100644 (file)
--- a/esp.c
+++ b/esp.c
@@ -97,11 +97,18 @@ int esp_setup(struct openconnect_info *vpninfo, int dtls_attempt_period)
        return 0;
 }
 
-int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt)
+int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, uint8_t next_hdr)
 {
        const int blksize = 16;
        int i, padlen, ret;
 
+       if (!next_hdr) {
+               if ((pkt->data[0] & 0xf0) == 0x60) /* iph->ip_v */
+                       next_hdr = IPPROTO_IPV6;
+               else
+                       next_hdr = IPPROTO_IPIP;
+       }
+
        /* This gets much more fun if the IV is variable-length */
        pkt->esp.spi = vpninfo->esp_out.spi;
        pkt->esp.seq = htonl(vpninfo->esp_out.seq++);
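Review bot: The autodetect branch added at the top of construct_esp_packet reads `pkt->data[0]` without consulting `pkt->len`, so an empty packet — if any caller can pass one; the esp_mainloop path that passes 0 is in a later hunk and the tun read that fills it is not on this page, so I cannot confirm it never does — would be classified from whatever byte is left in the buffer. A length guard is cheap and keeps the fallback explicit: `if (pkt->len && (pkt->data[0] & 0xf0) == 0x60)`. Everything whose version nibble is not 6 (including a malformed frame) is labelled IPPROTO_IPIP, which matches the pre-commit behaviour for all packets, but the terse `/* iph->ip_v */` does not say that; I would replace it with `/* 0 = infer from the IP version nibble; anything that is not IPv6 is sent as IPIP */`. The body of construct_esp_packet continues past the end of this hunk.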
@@ -110,7 +117,7 @@ int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt)
        for (i=0; i<padlen; i++)
                pkt->data[pkt->len + i] = i + 1;
        pkt->data[pkt->len + padlen] = padlen;
-       pkt->data[pkt->len + padlen + 1] = 0x04; /* Legacy IP */
+       pkt->data[pkt->len + padlen + 1] = next_hdr;
 
        memcpy(pkt->esp.iv, vpninfo->esp_out.iv, sizeof(pkt->esp.iv));
 
@@ -299,7 +306,7 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
                        if (!this)
                                break;
 
-                       len = construct_esp_packet(vpninfo, this);
+                       len = construct_esp_packet(vpninfo, this, 0);
                        if (len < 0) {
                                /* Should we disable ESP? */
                                free(this);
diff --git a/gpst.c b/gpst.c
index 66f006665a983c59dacb36d780a8a4673d69bbd2..79a2170c583d7488df400d77105bfea9b18bf42f 100644 (file)
--- a/gpst.c
+++ b/gpst.c
@@ -1345,7 +1345,7 @@ int gpst_esp_send_probes(struct openconnect_info *vpninfo)
                memcpy(pmagic, magic_ping_payload, sizeof(magic_ping_payload)); /* required to get gateway to respond */
                icmph->icmp_cksum = csum((uint16_t *)icmph, (ICMP_MINLEN+sizeof(magic_ping_payload))/2);
 
-               pktlen = construct_esp_packet(vpninfo, pkt);
+               pktlen = construct_esp_packet(vpninfo, pkt, IPPROTO_IPIP);
                if (pktlen >= 0)
                        send(vpninfo->dtls_fd, (void *)&pkt->esp, pktlen, 0);
        }
diff --git a/oncp.c b/oncp.c
index 16fb8bd751be8615ee0ef78793f5dc067e9beaf2..ebb82481c3c2e2a8a2de5854275209d6f382882c 100644 (file)
--- a/oncp.c
+++ b/oncp.c
@@ -1305,7 +1305,7 @@ int oncp_esp_send_probes(struct openconnect_info *vpninfo)
        for (seq=1; seq <= (vpninfo->dtls_state==DTLS_CONNECTED ? 1 : 2); seq++) {
                pkt->len = 1;
                pkt->data[0] = 0;
-               pktlen = construct_esp_packet(vpninfo, pkt);
+               pktlen = construct_esp_packet(vpninfo, pkt, IPPROTO_IPIP);
                if (pktlen >= 0)
                        send(vpninfo->dtls_fd, (void *)&pkt->esp, pktlen, 0);
        }
index 6127310772d2b48fb5f51f4c90015e4b8cc95528..21bd8853c6cdeb137e6d73f498d74f466c7514d0 100644 (file)
@@ -968,7 +968,7 @@ void esp_close(struct openconnect_info *vpninfo);
 void esp_shutdown(struct openconnect_info *vpninfo);
 int print_esp_keys(struct openconnect_info *vpninfo, const char *name, struct esp *esp);
 int openconnect_setup_esp_keys(struct openconnect_info *vpninfo, int new_keys);
-int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt);
+int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, uint8_t next_hdr);
 
 /* {gnutls,openssl}-esp.c */
 void destroy_esp_ciphers(struct esp *esp);
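Review bot: The new `next_hdr` parameter on the `construct_esp_packet` prototype is undocumented, so a caller reading only this header cannot tell that 0 is a sentinel meaning "derive the Next Header from the packet's IP version nibble" (which is what the esp.c definition does) rather than a literal protocol number. Since this is the interface the probe code in gpst.c and oncp.c compiles against, I would put the contract above the declaration: `/* next_hdr: ESP Next Header value (e.g. IPPROTO_IPIP, IPPROTO_IPV6); 0 = infer from pkt->data[0] */`. This section is missing its `diff --git`/`---`/`+++` lines on the page, but the index line identifies it as openconnect-internal.h.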