add auth_expiration (AnyConnect, GP, Pulse) and openconnect_get_auth_expiration() API function

Daniel Lenski requested to merge openconnect_get_auth_expiration into master
  • Add openconnect_get_auth_expiration function to library and JNI

    This allows protocols to save the moment when a session's authentication (vpninfo->cookie) is expected to expire and no longer be useful for reconnection.

    The motivation is to eventually allow front-ends to know whether reauthentication is needed, or whether they should try using a cached cookie.

    Current state:

    • AnyConnect protocol: expiration is determined from the CONNECT response header X-CSTP-Session-Timeout-Remaining, which decreases on subsequent reconnects (with X-CSTP-Session-Timeout as the starting value at the moment of authentication completion, to be used as an upper bound in its absence, with X-CSTP-Lease-Duration as a fallback in the absence of those fields).
    • GlobalProtect protocol: expiration is determined from the <lifetime> tag of the XML config, which decreases on subsequent reconnects.
    • Juniper Network Connect protocol: no currently known way to determine expiration. The DSID cookie is a standard HTTP cookie, so perhaps its expiration timestamp is intended for this purpose; however, I can find no real-world case where it has a timestamp set via expires or max-age.
    • None of the currently-supported protocols provide the expiration timestamp until the connection phase, so it can't be obtained for export by the --authenticate option.
  • implement auth_expiration for Pulse protocol

    We have many examples of this field (AVP 0x583/0xd5c) being multiples of 60 or 3600, strongly suggesting that it's the remaining auth lifetime (or maybe the total auth lifetime, at least a working upper bound):

    • #98 (closed): AVP 0x583/0xd5c: 00 01 fa 40 (0x1fa40 seconds = 36 hours)
    • private communication: AVP 0x583/0xd5c: 00 00 a9 ec (0xa9ec seconds = 12 hours)
    • private communication: AVP 0x583/0xd5c: 00 00 0a 70 (0xa70 seconds = 44 minutes)
Edited by Daniel Lenski
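As an added illustration of the two rules the commits above describe (the CSTP header precedence for AnyConnect and the 4-byte AVP value for Pulse), here is a small C sketch. It is not openconnect's own code: `cstp_lifetime_seconds`, `cstp_auth_expiration` and `pulse_avp_lifetime_seconds` are hypothetical names, and the header values are assumed to have already been extracted from the CONNECT response as strings (NULL when the header is absent).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical helper (not openconnect's): choose the lifetime value using the
 * precedence stated in the merge request:
 *   X-CSTP-Session-Timeout-Remaining  (decreases on each reconnect)
 *   > X-CSTP-Session-Timeout          (upper bound at authentication time)
 *   > X-CSTP-Lease-Duration           (last-resort fallback)
 * Returns the lifetime in seconds, or 0 if none of the headers carries a
 * usable non-negative integer (e.g. all absent or unparsable). */
static long cstp_lifetime_seconds(const char *remaining, const char *timeout,
                                  const char *lease)
{
    const char *v = remaining ? remaining : (timeout ? timeout : lease);
    char *end;
    long secs;

    if (!v)
        return 0;
    secs = strtol(v, &end, 10);
    if (end == v || secs < 0)
        return 0; /* unparsable or negative: treat as unknown */
    return secs;
}

/* auth_expiration is an absolute timestamp: now + remaining lifetime,
 * or 0 when the expiration cannot be determined. */
static time_t cstp_auth_expiration(time_t now, const char *remaining,
                                   const char *timeout, const char *lease)
{
    long secs = cstp_lifetime_seconds(remaining, timeout, lease);
    return secs ? now + secs : 0;
}

/* Pulse AVP 0x583/0xd5c: a 4-byte big-endian count of seconds, as in the
 * captured values quoted above (00 01 fa 40 -> 0x1fa40 = 129600 s = 36 h).
 * Returns 0 if the value length is not 4, i.e. not the expected shape. */
static uint32_t pulse_avp_lifetime_seconds(const unsigned char *val, size_t len)
{
    if (len != 4)
        return 0;
    return ((uint32_t)val[0] << 24) | ((uint32_t)val[1] << 16) |
           ((uint32_t)val[2] << 8)  |  (uint32_t)val[3];
}
```

A front-end deciding whether to reuse a cached cookie would compare the returned timestamp against the current time and treat 0 as "unknown, reauthenticate to be safe".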