lp:~mamarley/openconnect/+git/gitlab-main

Owned by Michael Marley
Get this repository:
git clone https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main

Import details

Import Status: Reviewed

This repository is an import of the Git repository at https://gitlab.com/openconnect/openconnect.git.


Branches

Name Last Modified Last Commit
workaround_missed_ESP_key_updates_in_oNCP 2024-04-25 17:14:57 UTC
Update changelog

Author: Dan Lenski
Author Date: 2023-06-28 19:16:02 UTC

Update changelog

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Update_Android 2024-04-05 19:04:09 UTC
DEBUG

Author: Dimitri Papadopoulos Orfanos
Author Date: 2024-04-05 19:03:26 UTC

DEBUG

Signed-off-by: Dimitri Papadopoulos Orfanos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

ipv6-tests 2024-04-05 17:34:02 UTC
Allow tests to run over IPv6 as well as Legacy IP

Author: dwmw2
Author Date: 2024-04-05 16:23:22 UTC

Allow tests to run over IPv6 as well as Legacy IP

When run in an environment with no Legacy IP addresses, or no IPv6 addresses,
AI_ADDRCONFIG will cause getaddrinfo() not to return addresses of that type.

So when running in an IPv6-only environment, ocserv doesn't listen on Legacy
IP. And thus the tests fail. Fix this by using a hostname 'sockwrap' for the
test connections, and providing '--resolve' arguments for both the Legacy IP
and IPv6 addresses handled by libsocket_wrapper.

Some of the python test servers which don't use AI_ADDRCONFIG do still work
on Legacy IP, so leave those alone for now.

We recently added '-4' to the socat invocation for the nullppp tests, for
similar reasons (because socat started listening on IPv6 by default). We
can remove that now too.

Closes #721

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

script_setpgid 2024-04-05 16:14:59 UTC
Consistency between tun.c and script.c

Author: Dimitri Papadopoulos
Author Date: 2022-11-02 23:25:38 UTC

Consistency between tun.c and script.c

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

bug-report 2024-04-05 16:06:22 UTC
Use new AC_INIT() arguments in actual code

Author: Dimitri Papadopoulos Orfanos
Author Date: 2024-01-06 20:55:19 UTC

Use new AC_INIT() arguments in actual code

Signed-off-by: Dimitri Papadopoulos Orfanos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

master 2024-04-05 10:07:08 UTC
Merge branch 'Fedora_ppp-over-tls' into 'master'

Author: dwmw2
Author Date: 2024-04-05 10:07:08 UTC

Merge branch 'Fedora_ppp-over-tls' into 'master'

Verbose logs to debug and fix ppp-over-tls

Closes #720

See merge request openconnect/openconnect!548

coverity 2024-02-28 05:42:32 UTC
Merge branch 'rekey' into master

Author: Dan Lenski
Author Date: 2024-02-28 05:42:32 UTC

Merge branch 'rekey' into master

Fix logging of rekey / trojan invocation delay

See merge request openconnect/openconnect!539

test-remove-Fedora38-CI 2024-02-20 17:02:17 UTC
Try removing Fedora 38 CI image

Author: Dan Lenski
Author Date: 2024-02-20 17:02:17 UTC

Try removing Fedora 38 CI image

See discussion at https://gitlab.com/openconnect/openconnect/-/merge_requests/504#note_1781288802

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

tmp-latest-fedora 2024-01-15 22:06:47 UTC
Use latest fedora (39) for CI

Author: Nikos Mavrogiannopoulos
Author Date: 2023-11-21 14:09:53 UTC

Use latest fedora (39) for CI

This moves all CI images to Fedora39 except OpenSSL builds
that still use Fedora38 due to compatibility issues.

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>

pulse_concatenated_and_split_packets 2024-01-06 21:13:45 UTC
Handle concatenated and/or split packets in Pulse TLS tunnel

Author: Dan Lenski
Author Date: 2022-06-21 00:27:00 UTC

Handle concatenated and/or split packets in Pulse TLS tunnel

Borrows the approach of ppp.c. Should fix #456.

I have managed to test the handling of both concatenated and
split packets against a "real" Pulse server.

I'm not precisely certain of the server version, but it's older than 9.1R14;
it doesn't show the modified 9.1R14+ config packet of
https://gitlab.com/openconnect/openconnect/-/merge_requests/331.

1. The test server can be induced to reply with concatenated packets by
   sending it fragmented Legacy IP datagrams. For example, with a tunnel
   MTU of 1400 bytes, send fragmented pings:
   `ping -s $((MTU - 28 + 1)) -c1 -M dont $IP`.

   Resulting trace-level log messages:

   ```
   Sending IF-T/TLS data packet of 1396 bytes
   Sending IPv4 data packet of 1396 bytes
   Sending IF-T/TLS data packet of 25 bytes
   Sending IPv4 data packet of 25 bytes
   No work to do; sleeping for 2147483647 ms...
   Received packet of 1412 bytes with 41 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received IPv4 data packet of 25 bytes
   ```

2. Test server can be induced to reply with split packets by sending it
   fragmented Legacy IP datagrams such that the concatenated replies won't
   fit in a single TLS frame (16384 bytes). For example:
   `ping -s 16385 -c1 -M dont $IP`

   Resulting trace-level log messages (omitting the outgoing bits for brevity):

   ```
   Received packet of 1412 bytes with 14972 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 13560 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 12148 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 10736 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 9324 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 7912 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 6500 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 5088 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 3676 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 2264 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received packet of 1412 bytes with 852 trailing bytes of concatenated packet.
   Received IPv4 data packet of 1396 bytes
   Received partial packet, 852 of 1293 bytes
   Received IPv4 data packet of 1277 bytes
   ```

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

GP_prelogin_cas_support 2023-09-25 17:10:10 UTC
Send 'cas-support=yes' in GlobalProtect prelogin request

Author: Dan Lenski
Author Date: 2023-09-25 14:14:37 UTC

Send 'cas-support=yes' in GlobalProtect prelogin request

Per https://gitlab.com/openconnect/openconnect/-/issues/651, some newer GP
servers are responding to prelogin.esp requests with an error:

    CAS is not supported by the client. Minimum client version is 6.0

It appears that CAS ("Central Authentication Server";
https://apereo.github.io/cas/index.html) is a standardized single-sign-on
protocol requiring an external browser.

Per https://gitlab.com/openconnect/openconnect/-/issues/651#note_1576596243,
the field 'cas-support=yes' needs to be sent in the POST *body* of the
prelogin request, in order to avoid this error message; the error message's
claim that a specific client software version is necessary isn't very
helpful.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

nx-merge-new-cherry-pick 2023-09-14 14:32:35 UTC
Merge branch 'master' of gitlab.com:openconnect/openconnect

Author: Andreas Gnau
Author Date: 2023-09-14 12:13:49 UTC

Merge branch 'master' of gitlab.com:openconnect/openconnect

jpfleischer-forkWindows 2023-09-10 18:34:33 UTC
What is this 'static' doing there?

Author: Dan Lenski
Author Date: 2023-09-10 18:34:33 UTC

What is this 'static' doing there?

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

658-anyconnect-cisco-secure-client 2023-09-02 05:37:28 UTC
Shim for renaming of GNUTLS_NO_EXTENSIONS in GnuTLS v3.8.1

Author: Dan Lenski
Author Date: 2023-08-22 19:02:19 UTC

Shim for renaming of GNUTLS_NO_EXTENSIONS in GnuTLS v3.8.1

The constant `GNUTLS_NO_EXTENSIONS` was renamed in
https://gitlab.com/gnutls/gnutls/-/commit/a7c4a04e (released in v3.8.1), and
then a backwards-compatibility shim was belatedly added in
https://gitlab.com/gnutls/gnutls/-/commit/abfa8634, which has not yet been
released.

We need to re-add the constant ourselves in order to build correctly with
GnuTLS v3.8.1. This should fix
https://gitlab.com/openconnect/openconnect/-/issues/650.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

parse_HTML_as_utf8 2023-08-09 23:03:38 UTC
Reject HTML documents if charset from Content-Type isn't UTF-8/US-ASCII

Author: Dan Lenski
Author Date: 2023-08-09 23:03:38 UTC

Reject HTML documents if charset from Content-Type isn't UTF-8/US-ASCII

We do not (yet) have a mechanism to convey the correct encoding to the
caller in this case.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

handle_Fortinet_DNS_domains_ASCII_escapes 2023-08-08 17:11:22 UTC
Update changelog

Author: Dan Lenski
Author Date: 2023-06-30 18:46:42 UTC

Update changelog

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

add_ipvX_unreachable_flags 2023-07-26 20:05:01 UTC
Set ipv[46]_unreachable flags for Pulse

Author: Dan Lenski
Author Date: 2021-08-30 05:03:00 UTC

Set ipv[46]_unreachable flags for Pulse

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

pulse-esp-off 2023-07-25 21:18:27 UTC
ESP reconnect hackery

Author: dwmw2
Author Date: 2023-07-25 21:18:27 UTC

ESP reconnect hackery

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

csd_post_reenable_legacy_regenegotiation_on_OpenSSL_3.0.0 2023-07-25 16:44:31 UTC
csd-post.sh: Unconditionally re-enable UnsafeLegacyRenegotiation for OpenSSL 3.x

Author: Dan Lenski
Author Date: 2023-07-25 16:44:31 UTC

csd-post.sh: Unconditionally re-enable UnsafeLegacyRenegotiation for OpenSSL 3.x

Our csd-post.sh script (CSD Trojan emulation) uses cURL to submit its
responses to Cisco AnyConnect servers. However, many Cisco servers use
legacy TLS renegotiation (pre-RFC-5746), which is disabled by default in
OpenSSL 3.x.

This causes csd-post.sh to fail without any clear explanation why. We
should unconditionally re-enable UnsafeLegacyRenegotiation for OpenSSL 3.x;
there is no reason why this is risky or unsafe with OpenConnect's usage.

In order to re-enable ULR, we need to create a custom OpenSSL configuration
file.

See https://gitlab.com/openconnect/openconnect/-/issues/451
and https://gitlab.com/openconnect/openconnect/-/issues/643.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

test_non_ASCII_realm_values_with_Juniper 2023-07-23 18:22:09 UTC
fake-juniper-server: Include literal values of realms in HTML, and test with ...

Author: Dan Lenski
Author Date: 2023-07-23 16:45:44 UTC

fake-juniper-server: Include literal values of realms in HTML, and test with non-ASCII values

This should help us debug
https://gitlab.com/openconnect/openconnect/-/issues/642, where it appears
that a non-ASCII realm string is being encoded incorrectly in the response
to the server.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

android_ndk_update 2023-06-13 14:25:02 UTC
Don't override Android toolchain dir

Author: dwmw2
Author Date: 2023-06-13 14:25:02 UTC

Don't override Android toolchain dir

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

nobash 2023-05-22 17:27:06 UTC
Don't use bash for symbols test

Author: dwmw2
Author Date: 2023-05-22 17:26:37 UTC

Don't use bash for symbols test

Might fix #614?
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

freebsd 2023-05-19 17:28:48 UTC
os-tcp-mtu.c: Explicitly include <netinet/in.h> for sockaddr_in(6|)

Author: dwmw2
Author Date: 2023-05-19 17:28:48 UTC

os-tcp-mtu.c: Explicitly include <netinet/in.h> for sockaddr_in(6|)

This doesn't get pulled in automatically in FreeBSD.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

mac-no-pmtu-sockopt 2023-05-19 11:15:45 UTC
Disable explicit setting of IP_PMTUDISC_DO on MacOS

Author: dwmw2
Author Date: 2023-05-19 11:14:17 UTC

Disable explicit setting of IP_PMTUDISC_DO on MacOS

Fixes: #612
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

time_T 2023-05-19 11:07:56 UTC
Fix time_t handling in parsing F5 session timeout

Author: dwmw2
Author Date: 2023-05-19 11:06:28 UTC

Fix time_t handling in parsing F5 session timeout

We can't assume that time_t is 'long'. When building for win64 we get:
../f5.c: In function 'f5_configure':
../f5.c:690:63: warning: format '%ld' expects argument of type 'long int *', but argument 6 has type 'time_t *' {aka 'long long int *'} [-Wformat=]
  690 | if (sscanf(cookie->value, "%dz%dz%dz%ldz%ld%c", &junk, &junk, &junk, &start, &dur, &c) >= 5
      | ~~^ ~~~~~~
      | | |
      | long int * time_t * {aka long long int *}
      | %lld
../f5.c:690:67: warning: format '%ld' expects argument of type 'long int *', but argument 7 has type 'time_t *' {aka 'long long int *'} [-Wformat=]
  690 | if (sscanf(cookie->value, "%dz%dz%dz%ldz%ld%c", &junk, &junk, &junk, &start, &dur, &c) >= 5
      | ~~^ ~~~~
      | | |
      | long int * time_t * {aka long long int *}
      | %lld

Make it explicitly 'unsigned long long' instead.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

checksyms 2023-05-18 17:21:28 UTC
Move openconnect_set_sni() to API v5.9

Author: dwmw2
Author Date: 2023-05-18 15:49:29 UTC

Move openconnect_set_sni() to API v5.9

We retrospectively added openconnect_set_sni() with the @OPENCONNECT_5_8
symbol version, *long* after API v5.8 was set in stone with the v9.00
release in April 2022.

Fix that by retconning it into a @OPENCONNECT_5_9 version which will be
part of the *next* release.

We have a unit test to prevent us from doing it again, and this commit
is the exception to the general rule that we should *never* commit to
libopenconnect5.symbols except as a side-effect of 'make tag' creating
a new release.

Fixes: 494edf49e628 ("Add openconnect_set_sni API function and Java setSNI() wrapper")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

newca 2023-05-17 08:53:17 UTC
Rebuild all test certificates

Author: dwmw2
Author Date: 2023-05-17 08:51:48 UTC

Rebuild all test certificates

The CA has expired. Rebuild it (and remove the old GnuTLS CA from the
ca-key.pem file where it was just noise).

Rebuild all other certificates while we're at it, but leave the keys
as they were. Extend the validity to 10000 days which should expire
in 2050, by which time it probably won't be my problem.

Dan seems young and healthy; maybe he can thank me then for pedantically
scripting it all instead of doing it manually. Or maybe it'll have
bitrotted so much by then that it won't help.

Most of it worked out of the box this time, but I re-imported the certs
into SoftHSM manually because I didn't want to start from scratch using
the softhsm-setupX make targets. I think some of the behaviour of the
GnuTLS tools (not importing pubkeys, etc) has changed since I did this.

Arguably we should rewrite those rules to import things the same way
into each token and then explicitly tweak them, deleting the public
keys and explicitly marking objects public or private as needed for
each token.

The SoftHSM modifications also had to be done with an older version
of SoftHSM (I used 2.2.0 on Ubuntu 18.04) because doing it with a
newer version meant the newly-imported certs weren't visible in the
Ubuntu 18.04 or CentOS 9 test runs.

Fixes: #609
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

win32-extbrowser 2023-05-11 16:59:54 UTC
Attempt to spawn browser on Windows

Author: dwmw2
Author Date: 2023-05-11 15:08:53 UTC

Attempt to spawn browser on Windows

Fixes: #553
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

warn_about_blocked_DTLS_0.9_in_recent_OpenSSL 2023-05-09 05:28:47 UTC
Warn about blocked DTLS 0.9/1.0 in recent builds of OpenSSL, suggest --allow-...

Author: Dan Lenski
Author Date: 2022-03-15 19:48:28 UTC

Warn about blocked DTLS 0.9/1.0 in recent builds of OpenSSL, suggest --allow-insecure-crypto

Recent distro builds of OpenSSL prevent the use of pre-1.2 TLS via default
security policies, along with pre-1.2 DTLS. This is a headache for VPNs
because many (most?) Cisco AnyConnect VPNs are still using Cisco's pre-1.0
DTLS (also known as "DTLS 0.9", or "bad DTLS" in OpenConnect).

* Ubuntu's build of OpenSSL starting with 1.1.1f (https://packages.ubuntu.com/focal-updates/libssl-dev,
  see patch "tls1.2-min-seclevel2.patch")
* Debian's build of OpenSSL starting with 1.1.1k (https://sources.debian.org/patches/openssl/1.1.1k-1+deb11u1,
  see patch "set systemwide default settings for libssl users")

Discussion on mailing list at
http://lists.infradead.org/pipermail/openconnect-devel/2022-March/005103.html.

This adds a warning when DTLS handshake fails with OpenSSL 1.1.1f+, and
suggests the use of `--allow-insecure-crypto` which attempts to set the
OpenSSL security level (https://openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html)
to 0 as a workaround.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

catch-fortinet-DTLS-heartbeat-packets 2023-05-08 18:51:59 UTC
Catch Fortinet DTLS heartbeat packets

Author: Dan Lenski
Author Date: 2023-05-08 02:51:21 UTC

Catch Fortinet DTLS heartbeat packets

This should fix https://gitlab.com/openconnect/openconnect/-/issues/251

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

esp-probes 2023-04-28 07:22:19 UTC
Rework ESP probe retries

Author: dwmw2
Author Date: 2023-04-28 07:22:19 UTC

Rework ESP probe retries

We weren't attempting to resend ESP probes at all, except at the retry
interval of about a minute. In a lossy network, or perhaps when the
server is slow to configure its end and start accepting ESP probes,
this meant that users sometimes saw the ESP failing to establish for
a whole minute (or multiple thereof).

Drop the loops in the protocol-specific udp_send_probes() functions
which were a primitive attempt to handle packet loss, and instead
deliberately send one probe a second for five seconds, before giving
up for the remainder of the dtls_attempt_period.

Fix up the reconnect handling with vpninfo->dtls_need_reconnect while
we're at it; it looks like that would just cause us to keep sending
probes and the flag would never be cleared.

Fixes: #601
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

oncp-braindamage 2023-04-19 15:48:20 UTC
Fix oncp Legacy IP check

Author: dwmw2
Author Date: 2023-04-19 15:48:20 UTC

Fix oncp Legacy IP check

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

oncp-debug 2023-04-18 14:17:20 UTC
oNCP framing debug

Author: dwmw2
Author Date: 2023-04-18 14:17:20 UTC

oNCP framing debug

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

eap-tls 2023-04-18 13:40:26 UTC
Attempting to reject EAP-TLS request

Author: dwmw2
Author Date: 2023-04-18 13:40:26 UTC

Attempting to reject EAP-TLS request

If we claim to be a new enough client, and the Pulse server is configured
for *optional* certificates, then it tunnels EAP-TLS *through* the
established EAP-TTLS session if we didn't provide a certificate the first
time. I don't know why; we'll always have provided a client cert in the
outer EAP-TTLS session anyway.

Looks like rejecting it with EAP_TYPE_NAK, and even sending a fatal 'no
certificate' alert inside EAP-TLS, don't work. We might actually have to
go through with a full handshake.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

sudo 2023-04-11 08:38:10 UTC
Add --sudo argument to allow running authentication unprivileged

Author: dwmw2
Author Date: 2023-04-11 08:38:10 UTC

Add --sudo argument to allow running authentication unprivileged

Actually I'm having second thoughts about this; there are multiple better
ways to do it. Most importantly, just precreating the tun device and then
using sudo for the vpnc-script, running all of openconnect unprivileged.

This hack works, but it's a bunch of work to make it *right*. We can't
just exec `openconnect -C $COOKIE` because that exposes the cookie to
ps on the command line, so we'd need to do something more complex and
feed it to stdin. And we'd *also* need to pass through a bunch more
arguments (like --vpnc-script and anything else that affects the
connecting process).

It's also fairly trivial to do this approach in a shell script using
first `openconnect --authenticate` and then `openconnect --cookie-on-stdin`
without having to write C code for it.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

proposed-9.02 2023-04-10 18:42:47 UTC
Tag version 9.02

Author: Dan Lenski
Author Date: 2023-02-25 07:33:07 UTC

Tag version 9.02

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

queue_saturation_stats 2023-03-18 17:36:46 UTC
Statistics on queue saturation

Author: Dan Lenski
Author Date: 2023-03-18 00:06:28 UTC

Statistics on queue saturation

Our default maximum packet queue length (max_qlen) of 10 appears to be too
low on many modern systems.

FIXME/WHY??? Testing by dwmw2 in 2021 suggested queue length of 10 was
sufficient to saturate GbE:
https://gitlab.com/openconnect/openconnect/-/commit/c6ef1196934ad8ef71d9e6006ec4f4d969673901#733811436f39dfa8a597e73756d842a7f0cbf2a2

Add trace-level logging messages for when we hit the outgoing and incoming
queue limits ("Saturated {TX,RX} queue"), and report number of times we've
done this in stats.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Ubuntu_22.04 2023-03-06 06:37:59 UTC
No need to change crypto-policies on Fedora

Author: Dimitri Papadopoulos
Author Date: 2023-02-24 14:18:06 UTC

No need to change crypto-policies on Fedora

We do not test DSA keys, because they have been removed from the LEGACY
level in recent Fedora distributions.

Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>

apple_utun_clue 2023-03-01 01:26:10 UTC
Tell Apple users not to use '-i tunX', but '-i utunX' instead.

Author: Dan Lenski
Author Date: 2023-03-01 01:25:59 UTC

Tell Apple users not to use '-i tunX', but '-i utunX' instead.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

periodic_TNCC_fix_2023 2023-01-28 01:03:53 UTC
allow --force-trojan to override TNCC interval with a shorter one

Author: Dan Lenski
Author Date: 2020-12-16 21:45:15 UTC

allow --force-trojan to override TNCC interval with a shorter one

See https://gitlab.com/openconnect/openconnect/-/issues/209#note_468581026

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

preserve_Fortinet_SVPNCOOKIE_during_config_requests 2022-11-05 04:29:41 UTC
Fortinet: Ensure that SVPNCOOKIE is not overwritten/deleted by config requests

Author: Dan Lenski
Author Date: 2022-11-05 04:28:00 UTC

Fortinet: Ensure that SVPNCOOKIE is not overwritten/deleted by config requests

This should fix #514

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

debug_466 2022-07-10 23:38:54 UTC
Distinguish XML and non-XML error paths in gpst_xml_or_error

Author: Dan Lenski
Author Date: 2022-07-10 23:38:49 UTC

Distinguish XML and non-XML error paths in gpst_xml_or_error

This should help with debugging https://gitlab.com/openconnect/openconnect/-/issues/466

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

tags/FAKE_FAKE_FAKE_test_for_persist-windows-builds 2022-07-09 17:49:24 UTC
Persist Windows installer artifacts (openconnect-installer.exe) for tagged co...

Author: Dan Lenski
Author Date: 2022-07-09 17:32:11 UTC

Persist Windows installer artifacts (openconnect-installer.exe) for tagged commits/releases

We shouldn't expire these, as explained in
https://gitlab.com/openconnect/openconnect/-/issues/463.

Solution is based on the Gitlab-CI formula described at
https://stackoverflow.com/a/65478446.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

handle_Pulse_concatenated_and_split_packets 2022-06-21 00:28:41 UTC
Untested WIP: Handle concatenated and/or split packets in Pulse TLS tunnel

Author: Dan Lenski
Author Date: 2022-06-21 00:27:00 UTC

Untested WIP: Handle concatenated and/or split packets in Pulse TLS tunnel

Borrows the approach of ppp.c, not tested at all yet. Ping #456

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

check_tcp_mtu_tool 2022-06-20 00:56:54 UTC
Tunnel MTU calculation diagrams

Author: Dan Lenski
Author Date: 2022-06-20 00:56:54 UTC

Tunnel MTU calculation diagrams

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

calculate_Pulse_MTU_independently_of_the_server 2022-06-15 22:04:57 UTC
[QUICK-AND-DIRTY] Calculate Pulse MTU independently of the server and overrid...

Author: Dan Lenski
Author Date: 2022-06-15 15:17:00 UTC

[QUICK-AND-DIRTY] Calculate Pulse MTU independently of the server and override if the server's value seems too high

See comments inline for what's going on here.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

clearer_error_for_list-system-keys_on_Unix 2022-05-28 21:39:36 UTC
Clearer error for list-system-keys on Unix-like platforms

Author: Dan Lenski
Author Date: 2022-05-28 21:37:44 UTC

Clearer error for list-system-keys on Unix-like platforms

It appears that the `gnutls_system_key*` functions are only implemented on
Windows currently. Lots of people are likely to test this executable on
Unix-y systems, so we should give a clearer error message.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

arraymulti 2022-05-26 10:11:15 UTC
Quick hack to test corking performance

Author: dwmw2
Author Date: 2022-05-26 10:11:15 UTC

Quick hack to test corking performance

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

too_many_script_interface 2022-05-17 22:21:32 UTC
OpenConnect has too many slightly-varying and undocumented interfaces for ext...

Author: Dan Lenski
Author Date: 2022-05-13 17:40:08 UTC

OpenConnect has too many slightly-varying and undocumented interfaces for external scripts with similar functions

Document them in 'What needs doing?' for now.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

no-success-auth 2022-05-16 16:48:49 UTC
Assume success when a session-token is given

Author: dwmw2
Author Date: 2022-05-16 16:48:02 UTC

Assume success when a session-token is given

Should fix https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/72

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

list-system-keys 2022-05-16 15:36:16 UTC
Print full cert info

Author: dwmw2
Author Date: 2022-05-16 15:36:16 UTC

Print full cert info

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

ext_browser_auth_and_STRAP_key_refinements 2022-05-12 03:10:46 UTC
Cisco STRAP key refinements

Author: Dan Lenski
Author Date: 2022-05-11 15:43:00 UTC

Cisco STRAP key refinements

Sending STRAP keys appears to restrict the ability to reuse the webvpn cookie
on other cookies of the same VPN, as discussed on
https://gitlab.com/openconnect/openconnect/-/commit/8bacc334b9efb10371ec6777d7983a7d1bb99ca0#note_942004949

Therefore we should avoid generating and offering STRAP keys unless:

1. We are doing authentication and may potentially use external-browser-auth,
   which *requires* the STRAP keys, or
2. We already have STRAP keys from the authentication stage, in which case
   we have to continue sending them for verification along with the
   webvpn cookie, in order to prevent the server from rejecting it.
   (See https://gitlab.com/openconnect/openconnect/-/issues/410)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

winesp 2022-05-10 07:02:37 UTC
Fix ESP recv() error handling for Windows

Author: dwmw2
Author Date: 2022-05-10 07:02:35 UTC

Fix ESP recv() error handling for Windows

Fixes: #427

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

hpke-win32 2022-04-28 18:45:21 UTC
Attempt to spawn browser on Windows.

Author: dwmw2
Author Date: 2022-04-28 18:45:21 UTC

Attempt to spawn browser on Windows.

Seems to fail with err 148. No idea why.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

request_specific_ip_new 2022-04-22 21:36:11 UTC
Add openconnect_set_requested_ip() and --request-ip to explicitly request spe...

Author: Dan Lenski
Author Date: 2017-12-21 06:56:59 UTC

Add openconnect_set_requested_ip() and --request-ip to explicitly request specific IP addresses

Protocol support:

- GlobalProtect supports requesting either Legacy IP or IPv6 addresses.
- Some Cisco AnyConnect servers *maybe* support this, but ocserv does not.
- PPP-based protocols might support this for Legacy IP *if* their IP
  address negotiation is purely via PPP/IPCP; PPP/IP6CP can't actually
  request a complete 16-byte IPv6 address.
- No known way to provide it for Juniper, Pulse, Array.

Currently, this option is only a request. OpenConnect will print an error
message, but will not abort, if the server assigns a different IP address.

The openconnect_set_requested_ip() API function carefully parses user-input
requested IP addresses using inet_pton(), and then renormalizes them using
inet_ntop(). This will avoid warnings about IP address mismatch where the
requested address doesn't match the quad-dotted notation for IPv4 or CIDR
notation for IPv6.

We assume that any real VPN server that provides IP addresses in text form
adheres to one of these two normalizations (see
https://gitlab.com/openconnect/openconnect/merge_requests/35#note_174395447), but
perhaps we *should* do similar for server-provided IP addresses too,
since we've had problems with this in the past.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

translations 2022-04-15 19:34:51 UTC
Import translations from GNOME

Author: dwmw2
Author Date: 2022-04-15 19:34:51 UTC

Import translations from GNOME

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

multicert 2022-04-14 15:50:25 UTC
Increase server delay for fake server tests

Author: dwmw2
Author Date: 2022-04-14 15:36:31 UTC

Increase server delay for fake server tests

Doesn't look like 1 second is enough of a delay in all cases.
Increase it and hopefully the tests will stop being so flaky.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

verbosity_fix 2022-04-08 18:10:42 UTC
Bugfix verbosity level

Author: Dan Lenski
Author Date: 2022-04-08 18:10:42 UTC

Bugfix verbosity level

I messed things up in 48de4c0d240579fe8cfd71c5dff177ba14f78d3e
("Remove the 'verbose' global variable"), where I failed to account
for the fact that `vpninfo->verbose` defaults to `PRG_TRACE`, and that
it needs to be set (via `openconnect_set_loglevel`) immediately after
option parsing is complete.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

oNCP_allow_default_route_as_split_route 2022-02-07 22:36:00 UTC
Update changelog

Author: Dan Lenski
Author Date: 2021-05-20 15:05:51 UTC

Update changelog

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

add_local_id_option 2022-02-03 20:05:40 UTC
Update manual to include `--local-id` with examples thereof

Author: Dan Lenski
Author Date: 2020-05-04 07:38:55 UTC

Update manual to include `--local-id` with examples thereof

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Windows_10_has_AF_UNIX_socket_w_debug_fprintf 2022-01-13 05:51:04 UTC
dumb_socketpair(): extra debugging output via fprintf

Author: Dan Lenski
Author Date: 2021-12-31 19:06:24 UTC

dumb_socketpair(): extra debugging output via fprintf

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

install_vpn_opts_allow_no_ip 2021-10-14 02:17:06 UTC
Make install_vpn_opts tolerate missing IP addresses on reconnect

Author: Dan Lenski
Author Date: 2021-10-14 02:17:06 UTC

Make install_vpn_opts tolerate missing IP addresses on reconnect

Some protocols don't always send IP address(es) in configuration packets in
the event of reconnection/rekey. It should be harmless for OpenConnect to
assume that the address(es) are staying the same when they aren't explicitly
specified as changing.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

less_noisy_epoll_and_UDP_sndbuf 2021-08-31 20:53:10 UTC
Only log UDP SO_SNDBUF getsockopt() if it differs from intended value

Author: Dan Lenski
Author Date: 2021-08-31 17:13:22 UTC

Only log UDP SO_SNDBUF getsockopt() if it differs from intended value

Ping #299. (The increase in UDP sndbuf was added in d4ba1e1d.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

aesni 2021-07-02 09:16:46 UTC
Add AES-NI ESP implementation

Author: dwmw2
Author Date: 2019-04-15 15:53:59 UTC

Add AES-NI ESP implementation

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

hacks2 2021-07-01 21:04:03 UTC
Add AES-NI ESP implementation

Author: dwmw2
Author Date: 2019-04-15 15:53:59 UTC

Add AES-NI ESP implementation

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

epoll 2021-07-01 16:04:20 UTC
Clear epoll_fd after forking to background self

Author: dwmw2
Author Date: 2021-07-01 16:03:13 UTC

Clear epoll_fd after forking to background self

Otherwise we remove the events from the epoll_fd before we exit in
the parent process.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

pulse_Juniper2_password_request_case5 2021-06-23 22:24:25 UTC
Speculative fix for #255

Author: Dan Lenski
Author Date: 2021-06-23 22:21:50 UTC

Speculative fix for #255

This field:

    AVP 79: 01 01 00 12 fe 00 0a 4c [00 00 00 05] 01 [00 11 5d bf 60]

… is very similar to the Juniper/2 PASSREQ case:

    AVP 79: 01 01 00 12 fe 00 0a 4c 00 00 00 02 01

… except for 2 → 5, and extra bytes at the end. Just log these bytes, and
treat it as if it were the "normal" Juniper/2 PASSREQ case, and see if that
gets us any further.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

IP_and_routing_configuration_simplification 2021-06-17 23:12:51 UTC
CSTP: Always set Legacy IP netmask to 0.0.0.0 unless split-includes received

Author: Dan Lenski
Author Date: 2021-06-17 23:06:38 UTC

CSTP: Always set Legacy IP netmask to 0.0.0.0 unless split-includes received

As described in the previous patch, we think that Cisco servers expect us to
set a default Legacy IP route if no split-includes are sent.

However, Cisco servers may also send another "main" Legacy IP route via
X-CSTP-Netmask. As already done for GP, oNCP, and Pulse, we should shunt
that other route to a split-include (unless it's a /32 route, effectively a
no-op).

Once this is merged, we'll be able to remove from vpnc-script the following
Cisco-specific assumption: that a lack of split-includes means we must set
a default Legacy IP route.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

811 2021-06-12 09:43:31 UTC
Unconditionally bypass system crypto policy

Author: dwmw2
Author Date: 2021-06-12 07:50:09 UTC

Unconditionally bypass system crypto policy

This makes me extremely sad, but they rolled it out with *no* way to
selectively allow the user to say "connect anyway", as we've always had
for "invalid" certificates, etc.

It's just unworkable and incomplete as currently implemented in the
distributions, so we have no choice except to bypass it and wait for
it to be fixed.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
(cherry picked from commit 7e862f2f0352409357fa7a4762481fde49909eb8
 and commit d29822cf30293d5f8b039baf3306eed2769fa0b5)

add_fake-cisco-server.py 2021-05-25 01:20:48 UTC
Use check_http_status in cstp.c

Author: Dan Lenski
Author Date: 2021-05-25 01:20:48 UTC

Use check_http_status in cstp.c

This function was added in d257a7e7cec848c58671ba7df8e035757bf10183
("Consolidate check_http_status from gpst.c and ppp.c").

With this change, there is no longer any place where OpenConnect *expects*
the exact string HTTP/1.1 from a server; it should now accept HTTP/%c.%c everywhere
(even in f5_dtls_catch_probe which handles HTTP-over-DTLS).

This simplifies fake-cisco-server.py, since we can now allow Flask to operate in
its default, naïve HTTP/1.0 mode, and not worry about the complications of HTTP/1.1
connection reuse in this very simple server.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

nx 2021-05-23 16:48:39 UTC
nx: Send X-NE-SESSIONPROMPT: true header

Author: Andreas Gnau
Author Date: 2021-05-23 16:48:39 UTC

nx: Send X-NE-SESSIONPROMPT: true header

Apparently, X-NE-SESSIONPROMPT: true seems to be needed in some rare (?)
situations, where the tunnel will come up but no packets are
transferred. See:

https://github.com/abrasive/nxBender/commit/454dedc6c72fc62eedb7be18e62c6b7ee5f82bb3

Of all the clients tested, ONLY NetExtender for Windows sends this
header, so this behaviour might be related to some specific
(mis-)configuration of the server...

Signed-off-by: Andreas Gnau <rondom@rondom.de>

test 2021-05-19 17:53:52 UTC
GnuTLS: Make load_certificate() return an allocated gtls_cert_info

Author: dwmw2
Author Date: 2021-05-19 17:45:23 UTC

GnuTLS: Make load_certificate() return an allocated gtls_cert_info

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

alloccertinfo 2021-05-19 17:53:52 UTC
GnuTLS: Make load_certificate() return an allocated gtls_cert_info

Author: dwmw2
Author Date: 2021-05-19 17:45:23 UTC

GnuTLS: Make load_certificate() return an allocated gtls_cert_info

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

simplify_version_strings 2021-05-10 17:30:54 UTC
centralize/simplify versioning in version.sh

Author: Dan Lenski
Author Date: 2021-03-31 17:39:37 UTC

centralize/simplify versioning in version.sh

Let's not make the Makefile jump through so many hoops to generate Windows-ified version strings.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

extreme_mtu_makeover 2021-04-20 17:12:24 UTC
Add ASCII-art diagram of MTUs that OpenConnect needs to track

Author: Dan Lenski
Author Date: 2021-04-16 19:46:01 UTC

Add ASCII-art diagram of MTUs that OpenConnect needs to track

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

jun2pulse_hybrid_mode 2021-04-17 10:46:07 UTC
encourage use of this monstrosity if Juniper auth works, but tunnel isn't sup...

Author: Dan Lenski
Author Date: 2020-05-15 20:19:16 UTC

encourage use of this monstrosity if Juniper auth works, but tunnel isn't supported

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

fix_delay_close 2021-04-14 23:09:59 UTC
Simplify resetting of delay_close and delay_tunnel_reason

Author: Dan Lenski
Author Date: 2021-04-14 22:33:49 UTC

Simplify resetting of delay_close and delay_tunnel_reason

When delay_close and delay_tunnel_reason were added in
4fb6ff704ef594c9a445f396ef79c94d59623735, the mainloop would only reset them
in specific branches (e.g. if the connection termination had been initiated
by OC_CMD_CANCEL or OC_CMD_PAUSE).

This ensures that they will be reset on each iteration, thereby making the
"spin forever" case more idiot-proof. (With me being the probable idiot.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

new_nx 2021-04-12 17:27:20 UTC
clean up memory error (caught by static analyzer)

Author: Dan Lenski
Author Date: 2021-02-03 07:43:17 UTC

clean up memory error (caught by static analyzer)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp/Ubuntu_CI_futzing 2021-04-04 17:14:14 UTC
juniper-sso-auth: fix Ubuntu CI

Author: Dan Lenski
Author Date: 2021-04-04 17:14:14 UTC

juniper-sso-auth: fix Ubuntu CI

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Windows_redirection_fix 2021-03-31 13:46:50 UTC
Fix output redirection under Windows

Author: dwmw2
Author Date: 2021-03-31 13:35:33 UTC

Fix output redirection under Windows

If WriteConsoleW() fails, convert to the *console* code page and write to
stdout/stderr (as appropriate) with fwrite().

Mostly researched by bers in !177.

Fixes: #229

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

wintun 2021-03-30 22:23:29 UTC
Attempt to configure interface

Author: dwmw2
Author Date: 2021-03-30 22:23:29 UTC

Attempt to configure interface

vpnc-script-win.js seems to wait until the Legacy IP address of the
interface appears in 'route print' output. How that'll work in the
21st century when there's only IPv6 and no Legacy IP, I have no
idea. But set it for now like the old TAP driver did, and see if
we can make it work...

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

temp/FIXME_Centos7_f5forti_tests 2021-03-29 04:04:08 UTC
FIXME Centos7 f5/forti tests

Author: Dan Lenski
Author Date: 2021-03-29 03:41:59 UTC

FIXME Centos7 f5/forti tests

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

disable_stdout_buffering_on_Windows 2021-03-25 22:38:14 UTC
disable stdout buffering on Windows

Author: Dan Lenski
Author Date: 2021-03-25 22:38:14 UTC

disable stdout buffering on Windows

See https://gitlab.com/openconnect/openconnect/-/issues/229#note_537286029 for how this may fix some stdout/stderr redirection problems.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

explicit_http_keepalive_header 2021-03-23 17:52:26 UTC
HTTP requests: add explicit 'Connection: keep-alive' header unless --no-http-...

Author: Dan Lenski
Author Date: 2021-03-21 03:47:14 UTC

HTTP requests: add explicit 'Connection: keep-alive' header unless --no-http-keepalive specified

This is *supposed* to be the HTTP/1.1 default, but some servers appear not to follow it unless explicitly requested.

The oNCP protocol includes one request (GET-tunnel) which unconditionally requires the header 'Connection: close' to work properly.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp-centos6 2021-02-26 02:24:54 UTC
centos6 ppp test flailing

Author: Dan Lenski
Author Date: 2021-02-26 02:24:54 UTC

centos6 ppp test flailing

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp-test-centos7 2021-02-22 20:33:41 UTC
why Centos7 failing now?

Author: Dan Lenski
Author Date: 2021-02-22 19:57:43 UTC

why Centos7 failing now?

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

change_all_links_to_Gitlab_pages_rather_than_infradead 2021-02-20 01:40:07 UTC
redirect all ftp/http/https links to Gitlab rather than infradead.org

Author: Dan Lenski
Author Date: 2021-02-20 01:08:30 UTC

redirect all ftp/http/https links to Gitlab rather than infradead.org

Except for past release tarballs and their signatures. TODO: figure out if we can do signed releases on Gitlab.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp_test 2021-02-09 01:13:22 UTC
Ubuntu test --enable-ppp-tests

Author: Dan Lenski
Author Date: 2021-02-09 00:08:17 UTC

Ubuntu test --enable-ppp-tests

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

periodic_TNCC_fix 2020-12-16 21:53:41 UTC
allow --force-trojan to override TNCC interval with a shorter one

Author: Dan Lenski
Author Date: 2020-12-16 21:45:15 UTC

allow --force-trojan to override TNCC interval with a shorter one

See https://gitlab.com/openconnect/openconnect/-/issues/209#note_468581026

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

the_great_renaming 2020-12-08 23:44:14 UTC
update man-page caveat regarding IPv6 and vpnc-script

Author: Dan Lenski
Author Date: 2020-11-30 05:16:50 UTC

update man-page caveat regarding IPv6 and vpnc-script

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

remove_protocol_specific_values_from_global_state_object 2020-11-30 03:12:10 UTC
CSD XML tag and nostub are entirely protocol-specific and used in only one place

Author: Dan Lenski
Author Date: 2020-05-04 04:12:12 UTC

CSD XML tag and nostub are entirely protocol-specific and used in only one place

This patch replaces them with inline functions (modeled after gpst_os_name),
instead of storing them in the global `struct openconnect_info` object.

TODO: further clarify, separate, and consolidate protocol-specific data in
`struct openconnect_info`.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

gp_handle_include-split-tunneling-domain 2020-11-29 22:09:51 UTC
fix memory leaks (start and dns) caught by static analyzer

Author: Dan Lenski
Author Date: 2020-11-29 21:41:32 UTC

fix memory leaks (start and dns) caught by static analyzer

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

dlenski-master 2020-10-15 05:01:37 UTC
finesse the URL-decoding of the GP login args

Author: Dan Lenski
Author Date: 2020-10-15 05:01:34 UTC

finesse the URL-decoding of the GP login args

Unsurprisingly, it's messier than I thought it was. Some of them definitely
need to be URL-decoded, and some definitely shouldn't be.
https://gitlab.com/openconnect/openconnect/-/issues/147#note_429943037

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

temp-force-ci 2020-10-15 02:31:40 UTC
add tests/obsolete-server-crypto to XFAIL on all CI using OpenSSL 1.1.0+

Author: Dan Lenski
Author Date: 2020-05-22 20:03:08 UTC

add tests/obsolete-server-crypto to XFAIL on all CI using OpenSSL 1.1.0+

OpenSSL 1.1.0+ removes 3DES and RC4 from the default build: https://www.openssl.org/blog/blog/2016/08/24/sweet32/

There is no way to re-enable without rebuilding from source.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

handle-dynamic-split-include-domains 2020-10-06 19:40:49 UTC
handle <dynamic-split-include-domains> (from authentication-response <opaque>)

Author: Dan Lenski
Author Date: 2020-10-07 00:37:00 UTC

handle <dynamic-split-include-domains> (from authentication-response <opaque>)

See https://github.com/dlenski/vpn-slice/issues/68 and https://gitlab.com/openconnect/vpnc-scripts/-/issues/5

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

f5 2020-05-24 21:50:42 UTC
nx: Implement logout

Author: Andreas Gnau
Author Date: 2020-05-23 20:54:43 UTC

nx: Implement logout

Signed-off-by: Andreas Gnau <rondom@rondom.de>

delay_tunnel_and_close 2020-05-20 16:46:33 UTC
make Mingw32/64 CI happy

Author: Dan Lenski
Author Date: 2020-05-20 16:41:40 UTC

make Mingw32/64 CI happy

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

multiple_auth_feature 2020-05-15 16:26:51 UTC
Merge branch 'multiple_auth_feature' of gitlab.com:incentive.design/openconnect

Author: dwmw2
Author Date: 2020-05-15 16:26:51 UTC

Merge branch 'multiple_auth_feature' of gitlab.com:incentive.design/openconnect

stop_hardcoding_GP_UA_by_default 2020-05-05 22:27:01 UTC
stop sending 'PAN GlobalProtect' as UA; recent server versions don't appear t...

Author: Dan Lenski
Author Date: 2020-04-04 16:59:16 UTC

stop sending 'PAN GlobalProtect' as UA; recent server versions don't appear to enforce this

Add a comment in the manual about older servers where spoofing this value may still be necessary.

See https://gitlab.com/openconnect/openconnect/-/issues/118#note_317598039
for one reason why spoofing official UAs is counterproductive.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

explain_exit_status_in_HIP_and_CSD_scripts 2020-04-21 23:25:17 UTC
explain exit status in HIP/CSD scripts

Author: Dan Lenski
Author Date: 2020-04-04 22:49:25 UTC

explain exit status in HIP/CSD scripts

Follow-up to b2a2c7a9c2445057f8ed22192486480c431d0438.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
