lp:~mamarley/openconnect/+git/gitlab-main

Owned by Michael Marley
Get this repository:
git clone https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main

Import details

Import Status: Reviewed

This repository is an import of the Git repository at https://gitlab.com/openconnect/openconnect.git.

The next import is scheduled to run .

Last successful import was .

Import started on juju-98ee42-prod-launchpad-codeimport-4 and finished taking 20 seconds — see the log
Import started on juju-98ee42-prod-launchpad-codeimport-4 and finished taking 25 seconds — see the log
Import started on juju-98ee42-prod-launchpad-codeimport-1 and finished taking 20 seconds — see the log
Import started on juju-98ee42-prod-launchpad-codeimport-0 and finished taking 25 seconds — see the log
Import started on juju-98ee42-prod-launchpad-codeimport-5 and finished taking 30 seconds — see the log
Import started on juju-98ee42-prod-launchpad-codeimport-5 and finished taking 20 seconds — see the log
Import started on juju-98ee42-prod-launchpad-codeimport-4 and finished taking 25 seconds — see the log
Import started on juju-98ee42-prod-launchpad-codeimport-1 and finished taking 25 seconds — see the log
Import started on juju-98ee42-prod-launchpad-codeimport-0 and finished taking 20 seconds — see the log
Import started on juju-98ee42-prod-launchpad-codeimport-0 and finished taking 25 seconds — see the log

Branches

Name Last Modified Last Commit
Update_Android 2024-04-05 19:04:09 UTC
DEBUG

Author: Dimitri Papadopoulos Orfanos
Author Date: 2024-04-05 19:03:26 UTC

DEBUG

Signed-off-by: Dimitri Papadopoulos Orfanos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

ipv6-tests 2024-04-05 17:34:02 UTC
Allow tests to run over IPv6 as well as Legacy IP

Author: dwmw2
Author Date: 2024-04-05 16:23:22 UTC

Allow tests to run over IPv6 as well as Legacy IP

When run in an environment with no Legacy IP addresses, or no IPv6 addresses,
AI_ADDRCONFIG will cause getaddrinfo() not to return addresses of that type.

So when running in an IPv6-only environment, ocserv doesn't listen on Legacy
IP. And thus the tests fail. Fix this by using a hostname 'sockwrap' for the
test connections, and providing '--resolve' arguments for both the Legacy IP
and IPv6 addresses handled by libsocket_wrapper.

Some of the python test servers which don't use AI_ADDRCONFIG do still work
on Legacy IP, so leave those alone for now.

We recently added '-4' to the socat invocation for the nullppp tests, for
similar reasons (becaose socat started listening on IPv6 by default). We
can remove that now too.

Closes #721

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

script_setpgid 2024-04-05 16:14:59 UTC
Consistency between tun.c and script.c

Author: Dimitri Papadopoulos
Author Date: 2022-11-02 23:25:38 UTC

Consistency between tun.c and script.c

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

bug-report 2024-04-05 16:06:22 UTC
Use new AC_INIT() arguments in actual code

Author: Dimitri Papadopoulos Orfanos
Author Date: 2024-01-06 20:55:19 UTC

Use new AC_INIT() arguments in actual code

Signed-off-by: Dimitri Papadopoulos Orfanos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

master 2024-04-05 10:07:08 UTC
Merge branch 'Fedora_ppp-over-tls' into 'master'

Author: dwmw2
Author Date: 2024-04-05 10:07:08 UTC

Merge branch 'Fedora_ppp-over-tls' into 'master'

Verbose logs to debug and fix ppp-over-tls

Closes #720

See merge request openconnect/openconnect!548

coverity 2024-02-28 05:42:32 UTC
Merge branch 'rekey' into master

Author: Dan Lenski
Author Date: 2024-02-28 05:42:32 UTC

Merge branch 'rekey' into master

Fix logging of rekey / trojan invocation delay

See merge request openconnect/openconnect!539

test-remove-Fedora38-CI 2024-02-20 17:02:17 UTC
Try removing Fedora 38 CI image

Author: Dan Lenski
Author Date: 2024-02-20 17:02:17 UTC

Try removing Fedora 38 CI image

See discussion at https://gitlab.com/openconnect/openconnect/-/merge_requests/504#note_1781288802

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

tmp-latest-fedora 2024-01-15 22:06:47 UTC
Use latest fedora (39) for CI

Author: Nikos Mavrogiannopoulos
Author Date: 2023-11-21 14:09:53 UTC

Use latest fedora (39) for CI

This moves all CI images to Fedora39 except OpenSSL builds
that still use Fedora38 due to compatibility issues.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>

pulse_concatenated_and_split_packets 2024-01-06 21:13:45 UTC
Handle concatenated and/or split packets in Pulse TLS tunnel

Author: Dan Lenski
Author Date: 2022-06-21 00:27:00 UTC

Handle concatenated and/or split packets in Pulse TLS tunnel

Borrows the approach of ppp.c. Should fix #456.

I have managed to test the handling of both concatenated and
split packets against a "real" Pulse server.

I'm not precisely certain of the server version, but it's older than 9.1R14;
it doesn't show the modified 9.1R14+ config packet of
https://gitlab.com/openconnect/openconnect/-/merge_requests/331.

1. The test server can be induced to reply with concatenated packets by
   sending it fragmented Legacy IP datagrams. For example, with a tunnel
   MTU of 1400 bytes, send fragmented pings:
   `ping -s $((MTU - 28 + 1)) -c1 -M dont $IP`.

   Resulting trace-level log messages:

   ```
   Sending IF-T/TLS data packet of 1396 bytes
   Sending IPv4 data packet of 1396 bytes
   Sending IF-T/TLS data packet of 25 bytes
   Sending IPv4 data packet of 25 bytes
   No work to do; sleeping for 2147483647 ms...
   Received packet of 1412 bytes with 41 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received IPv4 data packet of 25 bytes
   ```

2. Test server can be induced to reply with split packets by sending it
   fragmented Legacy IP datagrams such that the concatenated replies won't
   fit in a single TLS frame (16384 bytes). For example:
   `ping -s 16385 -c1 -M dont $IP`

   Resulting trace-level log messages (omitting the outgoing bits for brevity):

   ```
   Received packet of 1412 bytes with 14972 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 13560 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 12148 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 10736 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 9324 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 7912 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 6500 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 5088 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 3676 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 2264 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 852 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received partial packet, 852 of 1293 bytes
   Received IPv4 data packet of 1277 bytes
   ```

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

GP_prelogin_cas_support 2023-09-25 17:10:10 UTC
Send 'cas-support=yes' in GlobalProtect prelogin request

Author: Dan Lenski
Author Date: 2023-09-25 14:14:37 UTC

Send 'cas-support=yes' in GlobalProtect prelogin request

Per https://gitlab.com/openconnect/openconnect/-/issues/651, some newer GP
servers are responding to prelogin.esp requests with an error:

    CAS is not supported by the client. Minimum client version is 6.0

It appears that CAS ("Central Authentication Server";
https://apereo.github.io/cas/index.html) is a standardized single-sign-on
protocol requiring an external browser.

Per https://gitlab.com/openconnect/openconnect/-/issues/651#note_1576596243,
the field 'cas-support=yes' needs to be sent in the POST *body* of the
prelogin request, in order to avoid this error message; the error message's
claim that a specific client software version is necessary isn't very
helpful.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

nx-merge-new-cherry-pick 2023-09-14 14:32:35 UTC
Merge branch 'master' of gitlab.com:openconnect/openconnect

Author: Andreas Gnau
Author Date: 2023-09-14 12:13:49 UTC

Merge branch 'master' of gitlab.com:openconnect/openconnect

jpfleischer-forkWindows 2023-09-10 18:34:33 UTC
What is this 'static' doing there?

Author: Dan Lenski
Author Date: 2023-09-10 18:34:33 UTC

What is this 'static' doing there?

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

658-anyconnect-cisco-secure-client 2023-09-02 05:37:28 UTC
Shim for renaming of GNUTLS_NO_EXTENSIONS in GnuTLS v3.8.1

Author: Dan Lenski
Author Date: 2023-08-22 19:02:19 UTC

Shim for renaming of GNUTLS_NO_EXTENSIONS in GnuTLS v3.8.1

The constant `GNUTLS_NO_EXTENSIONS` was renamed in
https://gitlab.com/gnutls/gnutls/-/commit/a7c4a04e (released in v3.8.1), and
then a backwards-compatibility shim was belatedly added in
https://gitlab.com/gnutls/gnutls/-/commit/abfa8634, which has not yet been
released.

We need to re-add the constant ourselves in order to build correctly with
GnuTLS v3.8.1. This should fix
https://gitlab.com/openconnect/openconnect/-/issues/650.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

parse_HTML_as_utf8 2023-08-09 23:03:38 UTC
Reject HTML documents if charset from Content-Type isn't UTF-8/US-ASCII

Author: Dan Lenski
Author Date: 2023-08-09 23:03:38 UTC

Reject HTML documents if charset from Content-Type isn't UTF-8/US-ASCII

We do not (yet) have a mechanism to convey the correct encoding to the
caller in this case.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

handle_Fortinet_DNS_domains_ASCII_escapes 2023-08-08 17:11:22 UTC
Update changelog

Author: Dan Lenski
Author Date: 2023-06-30 18:46:42 UTC

Update changelog

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

add_ipvX_unreachable_flags 2023-07-26 20:05:01 UTC
Set ipv[46]_unreachable flags for Pulse

Author: Dan Lenski
Author Date: 2021-08-30 05:03:00 UTC

Set ipv[46]_unreachable flags for Pulse

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

pulse-esp-off 2023-07-25 21:18:27 UTC
ESP reconnect hackery

Author: dwmw2
Author Date: 2023-07-25 21:18:27 UTC

ESP reconnect hackery

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

csd_post_reenable_legacy_regenegotiation_on_OpenSSL_3.0.0 2023-07-25 16:44:31 UTC
csd-post.sh: Unconditionally re-enable UnsafeLegacyRenegotiation for OpenSSL 3.x

Author: Dan Lenski
Author Date: 2023-07-25 16:44:31 UTC

csd-post.sh: Unconditionally re-enable UnsafeLegacyRenegotiation for OpenSSL 3.x

Our csd-post.sh script (CSD Trojan emulation) uses cURL to submit its
responses to Cisco AnyConnect servers. However, many Cisco servers use
legacy TLS renegotiation (pre-RFC-5746), which is disabled by default in
OpenSSL 3.x

This causes csd-post.sh to fail without any clear explanation why. We
should unconditionally re-enable UnsafeLegacyRenegotiation for OpenSSL 3.x;
there is no reason why this is risky or unsafe with OpenConnect's usage.

In order to re-enable ULR, we need to create a custom OpenSSL configuration
file.

See https://gitlab.com/openconnect/openconnect/-/issues/451
and https://gitlab.com/openconnect/openconnect/-/issues/643.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

test_non_ASCII_realm_values_with_Juniper 2023-07-23 18:22:09 UTC
fake-juniper-server: Include literal values of realms in HTML, and test with ...

Author: Dan Lenski
Author Date: 2023-07-23 16:45:44 UTC

fake-juniper-server: Include literal values of realms in HTML, and test with non-ASCII values

This should help us debug
https://gitlab.com/openconnect/openconnect/-/issues/642, where it appears
that a non-ASCII realm string is being encoded incorrectly in the response
to the server.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

workaround_missed_ESP_key_updates_in_oNCP 2023-06-30 21:21:37 UTC
Update changelog

Author: Dan Lenski
Author Date: 2023-06-28 19:16:02 UTC

Update changelog

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

android_ndk_update 2023-06-13 14:25:02 UTC
Don't override Android toolchain dir

Author: dwmw2
Author Date: 2023-06-13 14:25:02 UTC

Don't override Android toolchain dir

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

nobash 2023-05-22 17:27:06 UTC
Don't use bash for symbols test

Author: dwmw2
Author Date: 2023-05-22 17:26:37 UTC

Don't use bash for symbols test

Might fix #614?
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

freebsd 2023-05-19 17:28:48 UTC
os-tcp-mtu.c: Explicitly include <netinet/in.h> for sockaddr_in(6|)

Author: dwmw2
Author Date: 2023-05-19 17:28:48 UTC

os-tcp-mtu.c: Explicitly include <netinet/in.h> for sockaddr_in(6|)

This doesn't get pulled in automatically in FreeBSD.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

mac-no-pmtu-sockopt 2023-05-19 11:15:45 UTC
Disable explict setting of IP_PMTUDISC_DO on MacOS

Author: dwmw2
Author Date: 2023-05-19 11:14:17 UTC

Disable explict setting of IP_PMTUDISC_DO on MacOS

Fixes: #612
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

time_T 2023-05-19 11:07:56 UTC
Fix time_t handling in parsing F5 session timeout

Author: dwmw2
Author Date: 2023-05-19 11:06:28 UTC

Fix time_t handling in parsing F5 session timeout

We can't assume that time_t is 'long'. When building for win64 we get:
../f5.c: In function 'f5_configure':
../f5.c:690:63: warning: format '%ld' expects argument of type 'long int *', but argument 6 has type 'time_t *' {aka 'long long int *'} [-Wformat=]
  690 | if (sscanf(cookie->value, "%dz%dz%dz%ldz%ld%c", &junk, &junk, &junk, &start, &dur, &c) >= 5
      | ~~^ ~~~~~~
      | | |
      | long int * time_t * {aka long long int *}
      | %lld
../f5.c:690:67: warning: format '%ld' expects argument of type 'long int *', but argument 7 has type 'time_t *' {aka 'long long int *'} [-Wformat=]
  690 | if (sscanf(cookie->value, "%dz%dz%dz%ldz%ld%c", &junk, &junk, &junk, &start, &dur, &c) >= 5
      | ~~^ ~~~~
      | | |
      | long int * time_t * {aka long long int *}
      | %lld

Make it explicitly 'unsigned long long' instead.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

checksyms 2023-05-18 17:21:28 UTC
Move openconnect_set_sni() to API v5.9

Author: dwmw2
Author Date: 2023-05-18 15:49:29 UTC

Move openconnect_set_sni() to API v5.9

We retrospectively added openconnect_set_sni() with the @OPENCONNECT_5_8
symbol version, *long* after API v5.8 was set in stone with the v9.00
release in April 2022.

Fix that by retconning it into a @OPENCONNECT_5_9 version which will be
part of the *next* release.

We have a unit test to prevent us from doing it again, and this commit
is the exception to the general rule that we should *never* commit to
libopenconnect5.symbols except as a side-effect of 'make tag' creating
a new release.

Fixes: 494edf49e628 ("Add openconnect_set_sni API function and Java setSNI() wrapper")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

newca 2023-05-17 08:53:17 UTC
Rebuild all test certificates

Author: dwmw2
Author Date: 2023-05-17 08:51:48 UTC

Rebuild all test certificates

The CA has expired. Rebuild it (and remove the old GnuTLS CA from the
ca-key.pem file where it was just noise).

Rebuild all other certificates while we're at it, but leave the keys
as they were. Extend the validity to 10000 days which should expire
in 2050, by which time it probably won't be my problem.

Dan seems young and healthy; maybe he can thank me then for pedantially
scripting it all instead of doing it manually. Or maybe it'll have
bitrotted so much by then that it won't help.

Most of it worked out of the box this time, but I re-imported the certs
into SoftHSM manually because I didn't want to start from scratch using
the softhsm-setupX make targets. I think some of the behaviour of the
GnuTLS tools (not importing pubkeys, etc) has changed since I did this.

Arguably we should rewrite those rules to import things the same way
into each token and then explicitly tweak them, deleting the public
keys and explicitly marking objects public or private as needed for
each token.

The SoftHSM modifications also had to be done with an older version
of SoftHSM (I used 2.2.0 on Ubuntu 18.04) because doing it with a
newer version meant the newly-imported certs weren't visible in the
Ubuntu 18.04 or CentOS 9 test runs.

Fixes: #609
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

win32-extbrowser 2023-05-11 16:59:54 UTC
Attempt to spawn browser on Windows

Author: dwmw2
Author Date: 2023-05-11 15:08:53 UTC

Attempt to spawn browser on Windows

Fixes: #553
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

warn_about_blocked_DTLS_0.9_in_recent_OpenSSL 2023-05-09 05:28:47 UTC
Warn about blocked DTLS 0.9/1.0 in recent builds of OpenSSL, suggest --allow-...

Author: Dan Lenski
Author Date: 2022-03-15 19:48:28 UTC

Warn about blocked DTLS 0.9/1.0 in recent builds of OpenSSL, suggest --allow-insecure-crypto

Recent distro builds of OpenSSL prevent the use of pre-1.2 TLS via default
security policies, along with pre-1.2 DTLS. This is a headache for VPNs
because many (most?) Cisco AnyConnect VPNs are still using Cisco's pre-1.0
DTLS (also known as "DTLS 0.9", or "bad DTLS" in OpenConnect).

* Ubuntu's build of OpenSSL starting with 1.1.1f (https://packages.ubuntu.com/focal-updates/libssl-dev,
  see patch "tls1.2-min-seclevel2.patch")
* Debian's build of OpenSSL starting with 1.1.1k (https://sources.debian.org/patches/openssl/1.1.1k-1+deb11u1,
  see patch "set systemwide default settings for libssl users")

Discussion on mailing list at
http://lists.infradead.org/pipermail/openconnect-devel/2022-March/005103.html.

This adds a warning when DTLS handshake fails with OpenSSL 1.1.1f+, and
suggests the use of `--allow-insecure-crypto` which attempts to set the
OpenSSL security level (https://openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html)
to 0 as a workaround.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

catch-fortinet-DTLS-heartbeat-packets 2023-05-08 18:51:59 UTC
Catch Fortinet DTLS heartbeat packets

Author: Dan Lenski
Author Date: 2023-05-08 02:51:21 UTC

Catch Fortinet DTLS heartbeat packets

This should fix https://gitlab.com/openconnect/openconnect/-/issues/251

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

esp-probes 2023-04-28 07:22:19 UTC
Rework ESP probe retries

Author: dwmw2
Author Date: 2023-04-28 07:22:19 UTC

Rework ESP probe retries

We weren't attempting to resend ESP probes at all, except at the retry
interval of about a minute. In a lossy network, or perhaps when the
server is slow to configure its end and start accepting ESP probes,
this meant that users sometimes saw the ESP failing to establish for
a whole minute (or multiple thereof).

Drop the loops in the protocol-specific udp_send_probes() functions
which were a primitive attempt to handle packet loss, and instead
deliberately send one probe a second for five seconds, before giving
up for the remainder of the dtls_attempt_period.

Fix up the reconnect handling with vpninfo->dtls_need_reconnect while
we're at it; it looks like that would just cause us to keep sending
probes and the flag would never be cleared.

Fixes: #601
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

oncp-braindamage 2023-04-19 15:48:20 UTC
Fix oncp Legacy IP check

Author: dwmw2
Author Date: 2023-04-19 15:48:20 UTC

Fix oncp Legacy IP check

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

oncp-debug 2023-04-18 14:17:20 UTC
oNCP framing debug

Author: dwmw2
Author Date: 2023-04-18 14:17:20 UTC

oNCP framing debug

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

eap-tls 2023-04-18 13:40:26 UTC
Attempting to reject EAP-TLS request

Author: dwmw2
Author Date: 2023-04-18 13:40:26 UTC

Attempting to reject EAP-TLS request

If we claim to be a new enough client, and the Pulse server is configured
for *optional* certificates, then it tunnels EAP-TLS *through* the
established EAP-TTLS session if we didn't provide a certificate the first
time. I don't know why; we'll always have provided a client cert in the
outer EAP-TTLS session anyway.

Looks like rejecting it with EAP_TYPE_NAK, and even sending a fatal 'no
certificate' alert inside EAP-TLS, don't work. We might actually have to
go through with a full handshake.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

sudo 2023-04-11 08:38:10 UTC
Ad --sudo argument to allow running authentication unprivileged

Author: dwmw2
Author Date: 2023-04-11 08:38:10 UTC

Ad --sudo argument to allow running authentication unprivileged

Actually I'm having second thoughts about this; there are multiple better
ways to do it. Most importantly, just precreating the tun device and then
using sudo for the vpnc-script, running all of openconnect unprivileged.

This hack works, but it's a bunch of work to make it *right*. We can't
just exec `openconnect -C $COOKIE` because that exposes the cookie to
ps on the command line, so we'd need to do something more complex and
feed it to stdin. And we'd *also* need to pass through a bunch more
arguments (like --vpnc-script and anything else that affects the
connecting process).

It's also fairly trivial to do this approach in a shell script using
first `openconnect --authenticate` and then `openconnect --cookie-on-stdin`
without having to write C code for it.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

proposed-9.02 2023-04-10 18:42:47 UTC
Tag version 9.02

Author: Dan Lenski
Author Date: 2023-02-25 07:33:07 UTC

Tag version 9.02

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

queue_saturation_stats 2023-03-18 17:36:46 UTC
Statistics on queue saturation

Author: Dan Lenski
Author Date: 2023-03-18 00:06:28 UTC

Statistics on queue saturation

Our default maximum packet queue length (max_qlen) of 10 appears to be too
low on many modern systems.

FIXME/WHY??? Testing by dwmw2 in 2021 suggested queue length of 10 was
sufficient to saturate GbE:
https://gitlab.com/openconnect/openconnect/-/commit/c6ef1196934ad8ef71d9e6006ec4f4d969673901#733811436f39dfa8a597e73756d842a7f0cbf2a2

Add trace-level logging messages for when we hit the outgoing and incoming
queue limits ("Saturated {TX,RX} queue"), and report number of times we've
done this in stats.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Ubuntu_22.04 2023-03-06 06:37:59 UTC
No need to change crypto-policies on Fedora

Author: Dimitri Papadopoulos
Author Date: 2023-02-24 14:18:06 UTC

No need to change crypto-policies on Fedora

We do not test DSA keys, because they have been removed from the LEGACY
level in recent Fedora distributions.

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

apple_utun_clue 2023-03-01 01:26:10 UTC
Tell Apple users not to use '-i tunX', but '-i utunX' instead.

Author: Dan Lenski
Author Date: 2023-03-01 01:25:59 UTC

Tell Apple users not to use '-i tunX', but '-i utunX' instead.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

periodic_TNCC_fix_2023 2023-01-28 01:03:53 UTC
allow --force-trojan to override TNCC interval with a shorter one

Author: Dan Lenski
Author Date: 2020-12-16 21:45:15 UTC

allow --force-trojan to override TNCC interval with a shorter one

See https://gitlab.com/openconnect/openconnect/-/issues/209#note_468581026

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

preserve_Fortinet_SVPNCOOKIE_during_config_requests 2022-11-05 04:29:41 UTC
Fortinet: Ensure that SVPNCOOKIE is not overwritten/deleted by config requests

Author: Dan Lenski
Author Date: 2022-11-05 04:28:00 UTC

Fortinet: Ensure that SVPNCOOKIE is not overwritten/deleted by config requests

This should fix #514

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

debug_466 2022-07-10 23:38:54 UTC
Distinguish XML and non-XML error paths in gpst_xml_or_error

Author: Dan Lenski
Author Date: 2022-07-10 23:38:49 UTC

Distinguish XML and non-XML error paths in gpst_xml_or_error

This should help with debugging https://gitlab.com/openconnect/openconnect/-/issues/466

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

tags/FAKE_FAKE_FAKE_test_for_persist-windows-builds 2022-07-09 17:49:24 UTC
Persist Windows installer artifacts (openconnect-installer.exe) for tagged co...

Author: Dan Lenski
Author Date: 2022-07-09 17:32:11 UTC

Persist Windows installer artifacts (openconnect-installer.exe) for tagged commits/releases

We shouldn't expire these, as explained in
https://gitlab.com/openconnect/openconnect/-/issues/463.

Solution is based on the Gitlab-CI formula described at
https://stackoverflow.com/a/65478446.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

handle_Pulse_concatenated_and_split_packets 2022-06-21 00:28:41 UTC
Untested WIP: Handle concatenated and/or split packets in Pulse TLS tunnel

Author: Dan Lenski
Author Date: 2022-06-21 00:27:00 UTC

Untested WIP: Handle concatenated and/or split packets in Pulse TLS tunnel

Borrows the approach of ppp.c, not tested at all yet. Ping #456

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

check_tcp_mtu_tool 2022-06-20 00:56:54 UTC
Tunnel MTU calculation diagrams

Author: Dan Lenski
Author Date: 2022-06-20 00:56:54 UTC

Tunnel MTU calculation diagrams

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

calculate_Pulse_MTU_independently_of_the_server 2022-06-15 22:04:57 UTC
[QUICK-AND-DIRTY] Calculate Pulse MTU independently of the server and overrid...

Author: Dan Lenski
Author Date: 2022-06-15 15:17:00 UTC

[QUICK-AND-DIRTY] Calculate Pulse MTU independently of the server and override if the server's value seems too high

See comments inline for what's going on here.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

clearer_error_for_list-system-keys_on_Unix 2022-05-28 21:39:36 UTC
Clearer error for list-system-keys on Unix-like platforms

Author: Dan Lenski
Author Date: 2022-05-28 21:37:44 UTC

Clearer error for list-system-keys on Unix-like platforms

It appears that the `gnutls_system_key*` functions are only implemented on
Windows currently. Lots of people are likely to test this executable on
Unix-y systems, so we should give a clearer error message.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

arraymulti 2022-05-26 10:11:15 UTC
Quick hack to test corking performance

Author: dwmw2
Author Date: 2022-05-26 10:11:15 UTC

Quick hack to test corking performance

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

too_many_script_interface 2022-05-17 22:21:32 UTC
OpenConnect has too many slightly-varying and undocumented interfaces for ext...

Author: Dan Lenski
Author Date: 2022-05-13 17:40:08 UTC

OpenConnect has too many slightly-varying and undocumented interfaces for external scripts with similar functions

Document them in 'What needs doing?' for now.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

no-success-auth 2022-05-16 16:48:49 UTC
Assume success when a session-token is given

Author: dwmw2
Author Date: 2022-05-16 16:48:02 UTC

Assume success when a session-token is given

Should fix https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/72

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

list-system-keys 2022-05-16 15:36:16 UTC
Print full cert info

Author: dwmw2
Author Date: 2022-05-16 15:36:16 UTC

Print full cert info

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

ext_browser_auth_and_STRAP_key_refinements 2022-05-12 03:10:46 UTC
Cisco STRAP key refinements

Author: Dan Lenski
Author Date: 2022-05-11 15:43:00 UTC

Cisco STRAP key refinements

Sending STRAP keys appears to restrict the ability to reuse the webvpn cookie
on other cookies of the same VPN, as discussed on
https://gitlab.com/openconnect/openconnect/-/commit/8bacc334b9efb10371ec6777d7983a7d1bb99ca0#note_942004949

Therefore we should avoid generating and offering STRAP keys unless.

1. We are doing authentication and may potentially use external-browser-auth,
   which *requires* the STRAP keys, or
2. We already have STRAP keys from the authentication stage, in which case
   we have to continue sending them for verification along with the
   webvpn cookie, in order to prevent the server from rejecting it.
   (See https://gitlab.com/openconnect/openconnect/-/issues/410)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

winesp 2022-05-10 07:02:37 UTC
Fix ESP recv() error handling for Windows

Author: dwmw2
Author Date: 2022-05-10 07:02:35 UTC

Fix ESP recv() error handling for Windows

Fixes: #427

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

hpke-win32 2022-04-28 18:45:21 UTC
Attempt to spawn browser on Windows.

Author: dwmw2
Author Date: 2022-04-28 18:45:21 UTC

Attempt to spawn browser on Windows.

Seems to fail with err 148. No idea why.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

request_specific_ip_new 2022-04-22 21:36:11 UTC
Add openconnect_set_requested_ip() and --request-ip to explicitly request spe...

Author: Dan Lenski
Author Date: 2017-12-21 06:56:59 UTC

Add openconnect_set_requested_ip() and --request-ip to explicitly request specific IP addresses

Protocol support:

- GlobalProtect supports requesting either Legacy IP or IPv6 addresses.
- Some Cisco AnyConnect servers *maybe* support this, but ocserv does not.
- PPP-based protocols might support this for Legacy IP *if* their IP
  address negotiation is purely via PPP/IPCP; PPP/IP6CP can't actually
  request a complete 16-byte IPv6 address.
- No known way to provide it for Juniper, Pulse, Array.

Currently, this option is only a request. OpenConnect will print an error
message, but will not abort, if the server assigns a different IP address.

The openconnect_set_requested_ip() API function carefully parses user-input
requested IP addresses using inet_pton(), and then renormalizes them using
inet_ntop(). This will avoid warnings about IP address mismatch where the
requested address doesn't match the quad-dotted notation for IPv4 or CIDR
notation for IPv6.

We assume that any real VPN server that provides IP addresses in text form
adheres to one of these two normalizations (see
https://gitlab.com/openconnect/openconnect/merge_requests/35#note_174395447), but
perhaps we *should* do similar for server-provided IP addresses too,
since we've had problems with this in the past.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

translations 2022-04-15 19:34:51 UTC
Import translations from GNOME

Author: dwmw2
Author Date: 2022-04-15 19:34:51 UTC

Import translations from GNOME

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

multicert 2022-04-14 15:50:25 UTC
Increase server delay for fake server tests

Author: dwmw2
Author Date: 2022-04-14 15:36:31 UTC

Increase server delay for fake server tests

Doesn't look like 1 second is enough of a delay in all cases.
Increase it and hopefully the tests will stop being so flaky.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

verbosity_fix 2022-04-08 18:10:42 UTC
Bugfix verbosity level

Author: Dan Lenski
Author Date: 2022-04-08 18:10:42 UTC

Bugfix verbosity level

I messed things up in 48de4c0d240579fe8cfd71c5dff177ba14f78d3e
("Remove the 'verbose' global variable"), where I failed to account
for the fact that `vpninfo->verbose` defaults to `PRG_TRACE`, and that
it needs to be set (via `openconnect_set_loglevel`) immediately after
option parsing is complete.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

oNCP_allow_default_route_as_split_route 2022-02-07 22:36:00 UTC
Update changelog

Author: Dan Lenski
Author Date: 2021-05-20 15:05:51 UTC

Update changelog

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

add_local_id_option 2022-02-03 20:05:40 UTC
Update manual to include `--local-id` with examples thereof

Author: Dan Lenski
Author Date: 2020-05-04 07:38:55 UTC

Update manual to include `--local-id` with examples thereof

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Windows_10_has_AF_UNIX_socket_w_debug_fprintf 2022-01-13 05:51:04 UTC
dumb_socketpair(): extra debugging output via fprintf

Author: Dan Lenski
Author Date: 2021-12-31 19:06:24 UTC

dumb_socketpair(): extra debugging output via fprintf

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

install_vpn_opts_allow_no_ip 2021-10-14 02:17:06 UTC
Make install_vpn_opts tolerate missing IP addresses on reconnect

Author: Dan Lenski
Author Date: 2021-10-14 02:17:06 UTC

Make install_vpn_opts tolerate missing IP addresses on reconnect

Some protocols don't always send IP address(es) in configuration packets in
the event of reconnection/rekey. It should be harmless for OpenConnect to
assume that the address(es) are staying the same when they aren't explicitly
specified as changing.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

less_noisy_epoll_and_UDP_sndbuf 2021-08-31 20:53:10 UTC
Only log UDP SO_SNDBUF getsockopt() if it differs from intended value

Author: Dan Lenski
Author Date: 2021-08-31 17:13:22 UTC

Only log UDP SO_SNDBUF getsockopt() if it differs from intended value

Ping #299. (The increase in UDP sndbuf was added in d4ba1e1d.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

aesni 2021-07-02 09:16:46 UTC
Add AES-NI ESP implementation

Author: dwmw2
Author Date: 2019-04-15 15:53:59 UTC

Add AES-NI ESP implementation

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

hacks2 2021-07-01 21:04:03 UTC
Add AES-NI ESP implementation

Author: dwmw2
Author Date: 2019-04-15 15:53:59 UTC

Add AES-NI ESP implementation

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

epoll 2021-07-01 16:04:20 UTC
Clear epoll_fd after forking to background self

Author: dwmw2
Author Date: 2021-07-01 16:03:13 UTC

Clear epoll_fd after forking to background self

Otherwise we remove the events from the epoll_fd before we exit in
the parent process.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

pulse_Juniper2_password_request_case5 2021-06-23 22:24:25 UTC
Speculative fix for #255

Author: Dan Lenski
Author Date: 2021-06-23 22:21:50 UTC

Speculative fix for #255

This field:

    AVP 79: 01 01 00 12 fe 00 0a 4c [00 00 00 05] 01 [00 11 5d bf 60]

… is very similar to the Juniper/2 PASSREQ case:

    AVP 79: 01 01 00 12 fe 00 0a 4c 00 00 00 02 01

… except for 2 → 5, and extra bytes at the end. Just log these bytes, and
treat it as if it were the "normal" Juniper/2 PASSREQ case, and see if that
gets us any further.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

IP_and_routing_configuration_simplification 2021-06-17 23:12:51 UTC
CSTP: Always set Legacy IP netmask to 0.0.0.0 unless split-includes received

Author: Dan Lenski
Author Date: 2021-06-17 23:06:38 UTC

CSTP: Always set Legacy IP netmask to 0.0.0.0 unless split-includes received

As described in the previous patch, we think that Cisco servers expect us to
set a default Legacy IP route if no split-includes are sent.

However, Cisco servers may also send another "main" Legacy IP route via
X-CSTP-Netmask. As already done for GP, oNCP, and Pulse, we should shunt
that other route to a split-include (unless it's a /32 route, effectively a
no-op).

Once this is merged, we'll be able to remove from vpnc-script the following
Cisco-specific assumption: that a lack of split-includes means we must set
a default Legacy IP route.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

811 2021-06-12 09:43:31 UTC
Unconditionally bypass system crypto policy

Author: dwmw2
Author Date: 2021-06-12 07:50:09 UTC

Unconditionally bypass system crypto policy

This makes me extremely sad, but they rolled it out with *no* way to
selectively allow the user to say "connect anyway", as we've always had
for "invalid" certificates, etc.

It's just unworkable and incomplete as currently implemented in the
distributions, so we have no choice except to bypass it and wait for
it to be fixed.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
(cherry picked from commit 7e862f2f0352409357fa7a4762481fde49909eb8
 and commit d29822cf30293d5f8b039baf3306eed2769fa0b5)

add_fake-cisco-server.py 2021-05-25 01:20:48 UTC
Use check_http_status in cstp.c

Author: Dan Lenski
Author Date: 2021-05-25 01:20:48 UTC

Use check_http_status in cstp.c

This function was added in d257a7e7cec848c58671ba7df8e035757bf10183
("Consolidate check_http_status from gpst.c and ppp.c").

With this change, there is no longer any place where OpenConnect *expects*
the exact string HTTP/1.1 from a server; it should now accept HTTP/%c.%c everywhere
(even in f5_dtls_catch_probe which handles HTTP-over-DTLS).

This simplifies fake-cisco-server.py, since we can now allow Flask to operate in
its default, naïve HTTP/1.0 mode, and not worry about the complicates of HTTP/1.1
connection reuse in this very simple server.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

nx 2021-05-23 16:48:39 UTC
nx: Send X-NE-SESSIONPROMPT: true header

Author: Andreas Gnau
Author Date: 2021-05-23 16:48:39 UTC

nx: Send X-NE-SESSIONPROMPT: true header

Apparently, X-NE-SESSIONPROMPT: true seems to be needed in some rare (?)
situations, where the tunnel will come up but no packets are
transferred. See:

https://github.com/abrasive/nxBender/commit/454dedc6c72fc62eedb7be18e62c6b7ee5f82bb3

Of all the clients tested, ONLY NetExtender for Windows sends this
header, so this behaviour might be related to some specific
(mis-)configuration of the server...

Signed-off-by: Andreas Gnau <rondom@rondom.de>

test 2021-05-19 17:53:52 UTC
GnuTLS: Make load_certificate() return an allocate gtls_cert_info

Author: dwmw2
Author Date: 2021-05-19 17:45:23 UTC

GnuTLS: Make load_certificate() return an allocate gtls_cert_info

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

alloccertinfo 2021-05-19 17:53:52 UTC
GnuTLS: Make load_certificate() return an allocate gtls_cert_info

Author: dwmw2
Author Date: 2021-05-19 17:45:23 UTC

GnuTLS: Make load_certificate() return an allocate gtls_cert_info

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

simplify_version_strings 2021-05-10 17:30:54 UTC
centralize/simplify versioning in version.sh

Author: Dan Lenski
Author Date: 2021-03-31 17:39:37 UTC

centralize/simplify versioning in version.sh

Let's not make the Makefile jump through so many hoops to generate Windows-ified version strings.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

extreme_mtu_makeover 2021-04-20 17:12:24 UTC
Add ASCII-art diagram of MTUs that OpenConnect needs to track

Author: Dan Lenski
Author Date: 2021-04-16 19:46:01 UTC

Add ASCII-art diagram of MTUs that OpenConnect needs to track

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

jun2pulse_hybrid_mode 2021-04-17 10:46:07 UTC
encourage use of this monstrosity if Juniper auth works, but tunnel isn't sup...

Author: Dan Lenski
Author Date: 2020-05-15 20:19:16 UTC

encourage use of this monstrosity if Juniper auth works, but tunnel isn't supported

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

fix_delay_close 2021-04-14 23:09:59 UTC
Simplify resetting of delay_close and delay_tunnel_reason

Author: Dan Lenski
Author Date: 2021-04-14 22:33:49 UTC

Simplify resetting of delay_close and delay_tunnel_reason

When delay_close and delay_tunnel_reason were added in
4fb6ff704ef594c9a445f396ef79c94d59623735, the mainloop would only reset them
in specific branches (e.g. if the connection termination had been initiated
by OC_CMD_CANCEL or OC_CMD_PAUSE.

This ensures that they will be reset on each iteration, thereby making the
"spin forever" case more idiot-proof. (With me being the probable idiot.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

new_nx 2021-04-12 17:27:20 UTC
clean up memory error (caught by static analyzer)

Author: Dan Lenski
Author Date: 2021-02-03 07:43:17 UTC

clean up memory error (caught by static analyzer)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp/Ubuntu_CI_futzing 2021-04-04 17:14:14 UTC
juniper-sso-auth: fix Ubuntu CI

Author: Dan Lenski
Author Date: 2021-04-04 17:14:14 UTC

juniper-sso-auth: fix Ubuntu CI

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Windows_redirection_fix 2021-03-31 13:46:50 UTC
Fix output redirection under Windows

Author: dwmw2
Author Date: 2021-03-31 13:35:33 UTC

Fix output redirection under Windows

If WriteConsoleW() fails, convert to the *console* code page and write to
stdout/stderr (as appropriate) with fwrite().

Mostly researched by bers in !177.

Fixes: #229

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

wintun 2021-03-30 22:23:29 UTC
Attempt to configure interface

Author: dwmw2
Author Date: 2021-03-30 22:23:29 UTC

Attempt to configure interface

vpnc-script-win.js seems to wait until the Legacy IP address of the
interface appears in 'route print' output. How that'll work in the
21st century when there's only IPv6 and no Legacy IP, I have no
idea. But set it for now like the old TAP driver did, and see if
we can make it work...

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

temp/FIXME_Centos7_f5forti_tests 2021-03-29 04:04:08 UTC
FIXME Centos7 f5/forti tests

Author: Dan Lenski
Author Date: 2021-03-29 03:41:59 UTC

FIXME Centos7 f5/forti tests

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

disable_stdout_buffering_on_Windows 2021-03-25 22:38:14 UTC
disable stdout buffering on Windows

Author: Dan Lenski
Author Date: 2021-03-25 22:38:14 UTC

disable stdout buffering on Windows

See https://gitlab.com/openconnect/openconnect/-/issues/229#note_537286029 for how this may fix some stdout/stderr redirection problems.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

explicit_http_keepalive_header 2021-03-23 17:52:26 UTC
HTTP requests: add explicit 'Connection: keep-alive' header unless --no-http-...

Author: Dan Lenski
Author Date: 2021-03-21 03:47:14 UTC

HTTP requests: add explicit 'Connection: keep-alive' header unless --no-http-keepalive specified

This is *supposed* to be the HTTP/1.1 default, but some servers appear not to follow it unless explicitly requested.

The oNCP protocol includes one request (GET-tunnel) which unconditionally requires the header 'Connection: close' to work properly.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp-centos6 2021-02-26 02:24:54 UTC
centos6 ppp test flailing

Author: Dan Lenski
Author Date: 2021-02-26 02:24:54 UTC

centos6 ppp test flailing

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp-test-centos7 2021-02-22 20:33:41 UTC
why Centos7 failing now?

Author: Dan Lenski
Author Date: 2021-02-22 19:57:43 UTC

why Centos7 failing now?

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

change_all_links_to_Gitlab_pages_rather_than_infradead 2021-02-20 01:40:07 UTC
redirect all ftp/http/https links to Gitlab rather than infradead.org

Author: Dan Lenski
Author Date: 2021-02-20 01:08:30 UTC

redirect all ftp/http/https links to Gitlab rather than infradead.org

Except for past release tarballs and their signatures. TODO: figure out if we can do signed releases on Gitlab.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp_test 2021-02-09 01:13:22 UTC
Ubuntu test --enable-ppp-tests

Author: Dan Lenski
Author Date: 2021-02-09 00:08:17 UTC

Ubuntu test --enable-ppp-tests

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

periodic_TNCC_fix 2020-12-16 21:53:41 UTC
allow --force-trojan to override TNCC interval with a shorter one

Author: Dan Lenski
Author Date: 2020-12-16 21:45:15 UTC

allow --force-trojan to override TNCC interval with a shorter one

See https://gitlab.com/openconnect/openconnect/-/issues/209#note_468581026

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

the_great_renaming 2020-12-08 23:44:14 UTC
update man-page caveat regarding IPv6 and vpnc-script

Author: Dan Lenski
Author Date: 2020-11-30 05:16:50 UTC

update man-page caveat regarding IPv6 and vpnc-script

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

remove_protocol_specific_values_from_global_state_object 2020-11-30 03:12:10 UTC
CSD XML tag and nostub are entirely protocol-specific and used in only one place

Author: Dan Lenski
Author Date: 2020-05-04 04:12:12 UTC

CSD XML tag and nostub are entirely protocol-specific and used in only one place

This patch replaces them with inline functions (modeled after gpst_os_name),
instead of storing them in the global `struct openconnect_info` object.

TODO: further clarify, separate, and consolidate protocol-specific data in
`struct openconnect_info`.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

gp_handle_include-split-tunneling-domain 2020-11-29 22:09:51 UTC
fix memory leaks (start and dns) caught by static analyzer

Author: Dan Lenski
Author Date: 2020-11-29 21:41:32 UTC

fix memory leaks (start and dns) caught by static analyzer

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

dlenski-master 2020-10-15 05:01:37 UTC
finesse the URL-decoding of the GP login args

Author: Dan Lenski
Author Date: 2020-10-15 05:01:34 UTC

finesse the URL-decoding of the GP login args

Unsurprisingly, it's messier than I thought it was. Some of them definitely
need to be URL-decoded, and some definitely shouldn't be.
https://gitlab.com/openconnect/openconnect/-/issues/147#note_429943037

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp-force-ci 2020-10-15 02:31:40 UTC
add tests/obsolete-server-crypto to XFAIL on all CI using OpenSSL 1.1.0+

Author: Dan Lenski
Author Date: 2020-05-22 20:03:08 UTC

add tests/obsolete-server-crypto to XFAIL on all CI using OpenSSL 1.1.0+

OpenSSL 1.1.0+ removes 3DES and RC4 from the default build: https://www.openssl.org/blog/blog/2016/08/24/sweet32/

There is no way to re-enable without rebuilding from source.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

handle-dynamic-split-include-domains 2020-10-06 19:40:49 UTC
handle <dynamic-split-include-domains> (from authentication-response <opaque>)

Author: Dan Lenski
Author Date: 2020-10-07 00:37:00 UTC

handle <dynamic-split-include-domains> (from authentication-response <opaque>)

See https://github.com/dlenski/vpn-slice/issues/68 and https://gitlab.com/openconnect/vpnc-scripts/-/issues/5

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

f5 2020-05-24 21:50:42 UTC
nx: Implement logout

Author: Andreas Gnau
Author Date: 2020-05-23 20:54:43 UTC

nx: Implement logout

Signed-off-by: Andreas Gnau <rondom@rondom.de>

delay_tunnel_and_close 2020-05-20 16:46:33 UTC
make Mingw32/64 CI happy

Author: Dan Lenski
Author Date: 2020-05-20 16:41:40 UTC

make Mingw32/64 CI happy

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

multiple_auth_feature 2020-05-15 16:26:51 UTC
Merge branch 'multiple_auth_feature' of gitlab.com:incentive.design/openconnect

Author: dwmw2
Author Date: 2020-05-15 16:26:51 UTC

Merge branch 'multiple_auth_feature' of gitlab.com:incentive.design/openconnect

stop_hardcoding_GP_UA_by_default 2020-05-05 22:27:01 UTC
stop sending 'PAN GlobalProtect' as UA; recent server versions don't appear t...

Author: Dan Lenski
Author Date: 2020-04-04 16:59:16 UTC

stop sending 'PAN GlobalProtect' as UA; recent server versions don't appear to enforce this

Add a comment in the manual about older servers where spoofing this value may still may be necessary.

See https://gitlab.com/openconnect/openconnect/-/issues/118#note_317598039
for one reason why spoofing official UAs is counterproductive.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

explain_exit_status_in_HIP_and_CSD_scripts 2020-04-21 23:25:17 UTC
explain exit status in HIP/CSD scripts

Author: Dan Lenski
Author Date: 2020-04-04 22:49:25 UTC

explain exit status in HIP/CSD scripts

Follow-up to b2a2c7a9c2445057f8ed22192486480c431d0438.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

1100 of 120 results
This repository contains Public information 
Everyone can see this information.

Subscribers