From: Daniel Lenski
Date: Tue, 9 Jan 2018 08:01:23 +0000 (-0800)
Subject: Use ESP replay protection with GlobalProtect
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=4e769c81415e90f1cc6f3267c235b78a22fd1010;p=users%2Fdwmw2%2Fopenconnect.git

Use ESP replay protection with GlobalProtect

GlobalProtect has the strange quirk that incoming (server → client) ESP sequence numbers start at 1, not 0, but this just causes a one-time offset for the replay protection checker.

Signed-off-by: Daniel Lenski
Signed-off-by: David Woodhouse
---
diff --git a/gpst.c b/gpst.c index 39fbd2a3..888b54af 100644 --- a/gpst.c +++ b/gpst.c @@ -428,6 +428,7 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_ vpninfo->ip_info.domain = NULL; vpninfo->ip_info.mtu = 0; vpninfo->esp_magic = inet_addr(vpninfo->ip_info.gateway_addr); + vpninfo->esp_replay_protect = 1; vpninfo->ssl_times.rekey_method = REKEY_NONE; vpninfo->cstp_options = NULL;
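
Review bot: the added `vpninfo->esp_replay_protect = 1;` line, placed right after the `esp_magic` assignment in gpst_parse_config_xml, has no comment, so the reason it is safe (server → client ESP sequence numbers start at 1 rather than 0, giving the replay checker a one-time offset) lives only in the commit message. A short comment on that line stating the quirk would keep the reasoning next to the code for anyone who later touches the replay window logic. The flag is also set unconditionally among the per-config resets, and nothing visible in this hunk gates it or lets it be turned off, so it would help to say in the comment or the message whether that is intended for every GlobalProtect gateway.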