From 59d1622992aaec2955a6775235e275967724261b Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Tue, 16 Jul 2019 10:41:44 +0100
Subject: [PATCH] Set ESP Next Header correctly for IPv6 again

This reverts commit a6fe0d0d8088c49b65df7ae2ea1ee254ab34639a, and allows the protocol to be specified for the Pulse/NC probes.

Signed-off-by: David Woodhouse
---
 esp.c | 13 ++++++++++---
 gpst.c | 2 +-
 oncp.c | 2 +-
 openconnect-internal.h | 2 +-
 4 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/esp.c b/esp.c
index 1f276b05..0b34c2eb 100644
--- a/esp.c
+++ b/esp.c
@@ -97,11 +97,18 @@ int esp_setup(struct openconnect_info *vpninfo, int dtls_attempt_period)
 	return 0;
 }
 
-int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt)
+int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, uint8_t next_hdr)
 {
 	const int blksize = 16;
 	int i, padlen, ret;
 
+	if (!next_hdr) {
+		if ((pkt->data[0] & 0xf0) == 0x60) /* iph->ip_v */
+			next_hdr = IPPROTO_IPV6;
+		else
+			next_hdr = IPPROTO_IPIP;
+	}
+
 	/* This gets much more fun if the IV is variable-length */
 	pkt->esp.spi = vpninfo->esp_out.spi;
 	pkt->esp.seq = htonl(vpninfo->esp_out.seq++);
@@ -110,7 +117,7 @@ int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt)
 	for (i=0; idata[pkt->len + i] = i + 1;
 	pkt->data[pkt->len + padlen] = padlen;
-	pkt->data[pkt->len + padlen + 1] = 0x04; /* Legacy IP */
+	pkt->data[pkt->len + padlen + 1] = next_hdr;
 
 	memcpy(pkt->esp.iv, vpninfo->esp_out.iv, sizeof(pkt->esp.iv));
 
@@ -299,7 +306,7 @@ int esp_mainloop(struct openconnect_info *vpninfo, int *timeout, int readable)
 		if (!this)
 			break;
 
-		len = construct_esp_packet(vpninfo, this);
+		len = construct_esp_packet(vpninfo, this, 0);
 		if (len < 0) {
 			/* Should we disable ESP? */
 			free(this);
diff --git a/gpst.c b/gpst.c
index 66f00666..79a2170c 100644
--- a/gpst.c
+++ b/gpst.c
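Review bot: The auto-detection added at the top of construct_esp_packet reads `pkt->data[0]` without first checking that `pkt->len` is at least 1, so a zero-length packet would have its Next Header derived from whatever byte is left in the buffer. Since the 0 sentinel is exactly what esp_mainloop passes for packets it did not build itself, a guard before the version check, `if (!next_hdr && pkt->len < 1) return -1;`, keeps the trailer byte from being set from stale data (the third hunk shows the caller already treating a negative return as failure, though the file's exact error convention is not visible here). The else branch also maps every non-6 version nibble to IPPROTO_IPIP; testing for 0x40 explicitly and rejecting anything else would be stricter. A comment on the new parameter, `/* next_hdr == 0: derive it from the IP version nibble of the payload */`, would document that 0 (which is also IPPROTO_IP) is a sentinel rather than a real Next Header value. The body of construct_esp_packet continues past the end of this hunk.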
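Review bot: The replaced assignment drops the comment that identified the byte being written; with a variable in place of the literal 0x04, a reader no longer sees that this is the ESP trailer's Next Header field rather than, say, more padding. Keep a label on it: `pkt->data[pkt->len + padlen + 1] = next_hdr; /* ESP trailer Next Header */`. This hunk sits in the middle of construct_esp_packet, whose start and end lie outside it.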
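Review bot: The bare `0` passed from esp_mainloop reads as "no next header" rather than "derive it from the packet", and because 0 is also IPPROTO_IP the sentinel is only unambiguous since that value never appears as an ESP Next Header. A named constant declared beside the prototype in openconnect-internal.h, with a name such as `ESP_NEXT_HDR_AUTO`, would make this call self-describing, and the IPPROTO_IPIP arguments in gpst.c and oncp.c would then stand out as the deliberate overrides they are. esp_mainloop starts and ends outside this hunk.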
@@ -1345,7 +1345,7 @@ int gpst_esp_send_probes(struct openconnect_info *vpninfo)
 		memcpy(pmagic, magic_ping_payload, sizeof(magic_ping_payload)); /* required to get gateway to respond */
 		icmph->icmp_cksum = csum((uint16_t *)icmph, (ICMP_MINLEN+sizeof(magic_ping_payload))/2);
-		pktlen = construct_esp_packet(vpninfo, pkt);
+		pktlen = construct_esp_packet(vpninfo, pkt, IPPROTO_IPIP);
 		if (pktlen >= 0)
 			send(vpninfo->dtls_fd, (void *)&pkt->esp, pktlen, 0);
 	}
diff --git a/oncp.c b/oncp.c
index 16fb8bd7..ebb82481 100644
--- a/oncp.c
+++ b/oncp.c
@@ -1305,7 +1305,7 @@ int oncp_esp_send_probes(struct openconnect_info *vpninfo)
 	for (seq=1; seq <= (vpninfo->dtls_state==DTLS_CONNECTED ? 1 : 2); seq++) {
 		pkt->len = 1;
 		pkt->data[0] = 0;
-		pktlen = construct_esp_packet(vpninfo, pkt);
+		pktlen = construct_esp_packet(vpninfo, pkt, IPPROTO_IPIP);
 		if (pktlen >= 0)
 			send(vpninfo->dtls_fd, (void *)&pkt->esp, pktlen, 0);
 	}
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 61273107..21bd8853 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -968,7 +968,7 @@ void esp_close(struct openconnect_info *vpninfo);
 void esp_shutdown(struct openconnect_info *vpninfo);
 int print_esp_keys(struct openconnect_info *vpninfo, const char *name, struct esp *esp);
 int openconnect_setup_esp_keys(struct openconnect_info *vpninfo, int new_keys);
-int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt);
+int construct_esp_packet(struct openconnect_info *vpninfo, struct pkt *pkt, uint8_t next_hdr);
 
 /* {gnutls,openssl}-esp.c */
 void destroy_esp_ciphers(struct esp *esp);
-- 
2.49.0
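Review bot: The explicit IPPROTO_IPIP here deliberately bypasses the auto-detection that esp_mainloop relies on, but nothing at the call site says why, so a later reader may "simplify" it back to 0. A comment such as `/* probe carries a legacy-IP ICMP echo: fix the Next Header instead of sniffing pkt->data[0] */` records the intent; the ICMP construction is above this hunk, so adjust the wording if the probe's outer header is not what the icmph/ICMP_MINLEN lines suggest. gpst_esp_send_probes starts and ends outside this hunk.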
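Review bot: With `pkt->len = 1` and `pkt->data[0] = 0` two lines above, passing 0 would have auto-detected to IPPROTO_IPIP as well, so the explicit argument's real job is to pin the probe's wire format against future changes in the detection logic. Say so at the call site, e.g. `/* one-byte probe, not an IP packet: Next Header is fixed, never sniffed */`, so the constant is not mistaken for a redundant default. oncp_esp_send_probes starts and ends outside this hunk.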
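Review bot: The new `next_hdr` parameter is undocumented at its only declaration, and the meaning of 0 is visible only inside esp.c. A short comment above the prototype should state that next_hdr is the value written into the ESP trailer's Next Header byte (IPPROTO_IPIP or IPPROTO_IPV6 from the callers shown here) and that 0 asks construct_esp_packet to derive it from the IP version nibble of pkt->data[0], which also implies the packet must be non-empty in that case. That lets the probe callers in gpst.c and oncp.c be read without opening esp.c.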