From b098d5bd5fc43d66de7d4528847aefb1119747ba Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 11 Feb 2014 16:29:06 +0100
Subject: [PATCH] Distinguish between the different rekey methods.

AnyConnect allows for different rekey methods including new-tunnel and ssl (rehandshake). Currently only the new-tunnel is implemented in openconnect.

Signed-off-by: Nikos Mavrogiannopoulos
---
 cstp.c | 7 +++++++
 dtls.c | 7 +++++++
 mainloop.c | 4 +++-
 openconnect-internal.h | 5 +++++
 4 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/cstp.c b/cstp.c
index dbc1ae10..5ee838d8 100644
--- a/cstp.c
+++ b/cstp.c
@@ -356,6 +356,13 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
 vpninfo->ssl_times.dpd = j;
 } else if (!strcmp(buf + 7, "Rekey-Time")) {
 vpninfo->ssl_times.rekey = atol(colon);
+ } else if (!strcmp(buf + 7, "Rekey-Method")) {
+ if (!strcmp(colon, "new-tunnel"))
+ vpninfo->ssl_times.rekey_method = REKEY_TUNNEL;
+ else if (!strcmp(colon, "ssl"))
+ vpninfo->ssl_times.rekey_method = REKEY_SSL;
+ else
+ vpninfo->ssl_times.rekey_method = REKEY_NONE;
 } else if (!strcmp(buf + 7, "Content-Encoding")) {
 if (!strcmp(colon, "deflate"))
 vpninfo->deflate = 1;
diff --git a/dtls.c b/dtls.c
index 8a6dbdf3..023c0f2a 100644
--- a/dtls.c
+++ b/dtls.c
@@ -600,6 +600,13 @@ int openconnect_setup_dtls(struct openconnect_info *vpninfo, int dtls_attempt_pe
 int j = atol(dtls_opt->value);
 if (j && (!vpninfo->dtls_times.dpd || j < vpninfo->dtls_times.dpd))
 vpninfo->dtls_times.dpd = j;
+ } else if (!strcmp(dtls_opt->option + 7, "Rekey-Method")) {
+ if (!strcmp(dtls_opt->value, "new-tunnel"))
+ vpninfo->dtls_times.rekey_method = REKEY_TUNNEL;
+ else if (!strcmp(dtls_opt->value, "ssl"))
+ vpninfo->dtls_times.rekey_method = REKEY_SSL;
+ else
+ vpninfo->dtls_times.rekey_method = REKEY_NONE;
 } else if (!strcmp(dtls_opt->option + 7, "Rekey-Time")) {
 vpninfo->dtls_times.rekey = atol(dtls_opt->value);
 } else if (!strcmp(dtls_opt->option + 7, "CipherSuite")) {
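Review bot: A server that sends Rekey-Time but no Rekey-Method header never reaches this branch, so `ssl_times.rekey_method` keeps whatever value it had before header parsing — presumably REKEY_NONE (0) from a zeroed struct, though the initialization is not visible in this hunk — and mainloop.c's new `== REKEY_TUNNEL` test then never fires, so a session that rekeyed before this patch silently stops rotating its keys. New-tunnel is both the only implemented method and the pre-patch behaviour, so it should be the default: set `vpninfo->ssl_times.rekey_method = REKEY_TUNNEL;` before the header loop, and make sure that happens on every (re)connection if this parser runs again then. The final `else` also maps any unrecognized value to REKEY_NONE without a word; emitting the value through the file's usual logging call would let an operator see that the server's rekey policy is being ignored instead of discovering it from a dropped session. start_cstp_connection begins and ends outside the hunk.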
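Review bot: This branch is a verbatim copy of the string-to-REKEY_* mapping added to cstp.c in the same commit, and the two will drift as soon as a third method or a warning for unrecognized values is added to one of them; a single helper next to the REKEY_* constants, called from both parsers, keeps the policy in one place. Whatever that helper returns for an unknown value, silently choosing REKEY_NONE is the wrong failure mode, since the effect is to disable rekeying for the transport; at least log the value. openconnect_setup_dtls begins and ends outside the hunk.
```c
/* Map an AnyConnect Rekey-Method header value to a REKEY_* constant.
 * Unknown values yield REKEY_NONE; callers should log that case. */
static int parse_rekey_method(const char *value)
{
	if (!strcmp(value, "new-tunnel"))
		return REKEY_TUNNEL;
	if (!strcmp(value, "ssl"))
		return REKEY_SSL;
	return REKEY_NONE;
}

/* … unchanged: option loop in openconnect_setup_dtls … */
		} else if (!strcmp(dtls_opt->option + 7, "Rekey-Method")) {
			vpninfo->dtls_times.rekey_method = parse_rekey_method(dtls_opt->value);
```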
diff --git a/mainloop.c b/mainloop.c
index c6eb4b2d..05ddd788 100644
--- a/mainloop.c
+++ b/mainloop.c
@@ -169,7 +169,9 @@ int ka_stalled_action(struct keepalive_info *ka, int *timeout)
 {
 time_t due, now = time(NULL);
- if (ka->rekey) {
+ /* we only support the new-tunnel rekey method for
+ * now */
+ if (ka->rekey && ka->rekey_method == REKEY_TUNNEL) {
 due = ka->last_rekey + ka->rekey;
 if (now >= due)
diff --git a/openconnect-internal.h b/openconnect-internal.h
index ce5d7c1b..c5959b57 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -94,6 +94,10 @@ struct pkt {
 unsigned char data[];
 };
+#define REKEY_NONE 0
+#define REKEY_TUNNEL 1
+#define REKEY_SSL 2
 #define KA_NONE 0
 #define KA_DPD 1
 #define KA_DPD_DEAD 2
@@ -109,6 +113,7 @@ struct keepalive_info {
 int dpd;
 int keepalive;
 int rekey;
+ int rekey_method;
 time_t last_rekey;
 time_t last_tx;
 time_t last_rx;
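Review bot: The new condition turns REKEY_SSL into a no-op rather than a fallback: for a server announcing `Rekey-Method: ssl`, `due` is never computed and the rekey never triggers, so the session presumably keeps its current keys until the server enforces its own policy, which is weaker than the pre-patch behaviour of always performing the new-tunnel rekey on expiry. Until a rehandshake path exists, any announced method should still arm the timer, `if (ka->rekey && ka->rekey_method != REKEY_NONE) {`, with the new-tunnel reconnect serving as the fallback for REKEY_SSL; or, equivalently, map `ssl` to REKEY_TUNNEL in the parsers and keep this test. The added comment should also state the consequence of the skipped case, e.g. `/* REKEY_SSL (rehandshake) is not implemented; until it is, fall back to a new-tunnel reconnect so the keys are still refreshed */`. ka_stalled_action continues past the end of the hunk.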
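Review bot: `int rekey_method;` is added to struct keepalive_info without saying what it holds or who sets it, and since the same struct appears to back both `ssl_times` and `dtls_times`, a reader of ka_stalled_action() has no pointer back to the two header parsers that fill it in. Suggest `int rekey_method; /* REKEY_NONE, REKEY_TUNNEL or REKEY_SSL, from the server's Rekey-Method header; only REKEY_TUNNEL is acted on by ka_stalled_action() */`. The REKEY_* constants in the preceding hunk would be type-checked as an enum, but the neighbouring KA_* values use bare #defines, so keeping that style is a defensible local convention.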