~mamarley/openconnect/+git/gitlab-main:apple_utun_clue

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

7c19669... by Dan Lenski on 2023-03-01

Tell Apple users not to use '-i tunX', but '-i utunX' instead.

Signed-off-by: Daniel Lenski <email address hidden>

f24634c... by Dan Lenski on 2023-02-25

Small additions to changelog before release

Signed-off-by: Daniel Lenski <email address hidden>

ec4b1df... by Dan Lenski on 2023-02-25

Merge branch 'Pulse_unstupid_ESP' into 'master'

IPv6-related improvements for Pulse

See merge request openconnect/openconnect!414

9ba9726... by Dan Lenski on 2023-02-25

Document the potential need for an EAP-TLS-within-EAP-TTLS workaround for Pulse

See https://gitlab.com/openconnect/openconnect/-/merge_requests/414#note_1149887354
for a more thorough description of this problem by dwmw.

He commented about it in the source code very early on in the development of
the Pulse protocol support, specifically in
https://gitlab.com/openconnect/openconnect/commit/3fb7645608e49c875c20f55352990c7c883bbf96.

Signed-off-by: Daniel Lenski <email address hidden>

9779f57... by Dan Lenski on 2022-10-24

Pulse needs an 'official' version string in IF/T-T establishment to support IPv6

According to end-user testing in
https://gitlab.com/openconnect/openconnect/-/issues/506#note_1145946165 and
https://gitlab.com/openconnect/openconnect/-/issues/506#note_1146848739,
recent Pulse servers will not send correct IPv6 settings, or simply will not
enable IPv6 traffic, unless the client version string sent in the IF/T
session establishment begins with "Pulse-Secure/" followed by a digit >=8.

From Ivanti/Pulse documentation at
https://help.ivanti.com/ps/help/en_US/PCS/9.1R14/ag/network_n_host_admin.htm#network_and_host_administration_1399867268_681155:

> Only the Pulse client supports IPv6.

> Ivanti Connect Secure release 8.0 and later supports Pulse client access
> to the IPv6 corporate network using VPN Tunneling Connection Profile
> features.

In order to enable IPv6 support, while not misinforming the server about its
identity to an unnecessary disagree, OpenConnect should therefore include an
official-looking prefix ("Pulse-Secure/9.0.3.1667 " for now) in front of its
default user-agent string.

Signed-off-by: Daniel Lenski <email address hidden>

7bbbc9c... by Dan Lenski on 2022-10-23

Newer Pulse servers can disable their ESP protocol layering malpractice

See b4f50f8bd5da7e6ac926ddd5095501edbc204cd0 for the way that the Pulse ESP
tunnel is mangled. In brief, if the Pulse ESP tunnel is running over IPvX,
then it will only transport tunnelled packets of address family IPvX;
tunnelled packets of IPvY must go over the TLS/TCP tunnel.

In addition to being a complete inversion of the abstraction of a protocol
with independent layers:

- This results in poor performance for tunnelled IPvY packets (TCP-over-TCP)
- Our original implementation of this caused a regression for the
  Juniper/NC ESP tunnel (fixed in 3d1ec6e0a126d4b9fdd18473558cf816d2045b76).

As reported in http://lists.infradead.org/pipermail/openconnect-devel/2020-October/004934.html
and https://gitlab.com/openconnect/openconnect/-/issues/506, newer Pulse
servers starting with 9.1R9 can apparently use the ESP tunnel in a sane way,
if the administrator sets a flag labelled "Use ESP tunnel for 6in4 and 4in6
traffic".

OpenConnect should try to coax the server to use this saner tunnel setup
if possible.

Signed-off-by: Daniel Lenski <email address hidden>

46420c0... by Dan Lenski on 2023-01-15

Add FTM-push token mode for Fortinet

If the server sends a "tokeninfo-style" 2FA request (`ret=N,…,tokeninfo=…`)
with the special value `tokeninfo=ftm_push`, then it means that it
can (optionally!) use mobile-device "push"-based authentication instead of
having the user enter a token code.

If (and only if) the user leaves the token code blank, we must (1) remove
`magic` from the response and (2) add `ftmpush=1`, in order to trigger the
correct response.

This also adds a "type_2fa=ftmpush" mode to our fake Fortinet server, and
simulates this option in our tests.

Thanks to Ivan Futivić for the very useful and detailed report in
https://gitlab.com/openconnect/openconnect/-/issues/555#note_1239886436.

Signed-off-by: Daniel Lenski <email address hidden>

3ad74a2... by Dan Lenski on 2023-02-24

Update .mailmap

Include full names of a few recent contributors.

Signed-off-by: Daniel Lenski <email address hidden>

89d6017... by Dan Lenski on 2023-02-24

Merge branch 'tap_wintun' into 'master'

Remove TAP-Windows driver from installer, and update docs to reference Wintun's default inclusion

See merge request openconnect/openconnect!427

bd7ef8b... by Andy Teijelo <email address hidden> on 2023-02-10

Use the timeout command in csd-wrapper.sh

The timeout command (from coreutils) can replace the more complex
job-control-based approach which we current use to limit the execution time
of the Trojan binary (`cstub`).

Signed-off-by: Andy Teijelo Pérez <email address hidden>
Signed-off-by: Daniel Lenski <email address hidden>