~mamarley/openconnect/+git/gitlab-main:fix_delay_close

Last commit made on 2021-04-14
Get this branch:
git clone -b fix_delay_close https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main

Branch information

Name:
fix_delay_close
Repository:
lp:~mamarley/openconnect/+git/gitlab-main

Recent commits

e0652f7... by Dan Lenski

Simplify resetting of delay_close and delay_tunnel_reason

When delay_close and delay_tunnel_reason were added in
4fb6ff704ef594c9a445f396ef79c94d59623735, the mainloop would only reset them
in specific branches (e.g. if the connection termination had been initiated
by OC_CMD_CANCEL or OC_CMD_PAUSE).

This ensures that they will be reset on each iteration, thereby making the
"spin forever" case more idiot-proof. (With me being the probable idiot.)

Signed-off-by: Daniel Lenski <email address hidden>

f24770d... by Dan Lenski

Update 'Getting Started / Connecting' docs

- Remove section on patching for DTLS support (thankfully, long-obsolete)
- Clarify meaning of "certificate" as TLS/SSL client certificate; lots of
  users appear to be confused by this
- Mention both -c and -k options
- Refer to manual for more automation of authentication
- Clarify when Jailbreak might be needed to extract certificates on
  Windows (when the private key is marked as "non-exportable")

Signed-off-by: Daniel Lenski <email address hidden>

8e15f92... by Dan Lenski

Accept IPv6 netmasks like /dead:beef::, in addition to /N

Some F5 server configurations appear to require an IPv6 netmask in this
form.

This adds a netmasklen6() function, analogous to the Legacy IP version in
netmasklen(). It also adds gcc-optimized forms, using __builtin_clz, for
both netmasklen functions.

[dwmw2: Detect __builtin_clz() with autoconf, wrap it once in cls()]
Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>
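
As an added example (not OpenConnect's own code), here is a C implementation of the two netmask forms the commit describes: a decimal prefix length after the slash, or a full mask in IPv6 presentation form. The function names netmasklen and netmasklen6 mirror the commit, and the leading-ones counter cls() follows dwmw2's note of wrapping __builtin_clz once; the fallback loop, the parse_netmask6 and netmasklen_str helpers, and the policy of returning -1 for a non-contiguous mask are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Count leading set bits ("cls") of a 32-bit word: 32 for all-ones, 0 when the
 * top bit is clear. __builtin_clz(0) is undefined, so all-ones is special-cased
 * before inverting. The portable loop stands in where the builtin is missing
 * (the real project detects the builtin with autoconf). */
static int cls(uint32_t v)
{
    if (v == 0xffffffffu)
        return 32;
#if defined(__GNUC__)
    return __builtin_clz(~v);
#else
    int n = 0;
    while (v & 0x80000000u) { n++; v <<= 1; }
    return n;
#endif
}

/* Prefix length of an IPv4 netmask (network byte order), or -1 if the mask is
 * not a contiguous run of ones followed by zeros (e.g. 255.0.255.0). */
int netmasklen(struct in_addr mask)
{
    uint32_t w = ntohl(mask.s_addr);
    int n = cls(w);
    if (n < 32 && (uint32_t)(w << n) != 0)
        return -1;
    return n;
}

/* Prefix length of an IPv6 netmask, or -1 if non-contiguous. The 128-bit mask
 * is walked as four big-endian 32-bit words; once a word is not all-ones, the
 * rest of that word and every later word must be zero. */
int netmasklen6(const struct in6_addr *mask)
{
    int len = 0, i, saw_zero = 0;
    for (i = 0; i < 4; i++) {
        const uint8_t *p = mask->s6_addr + 4 * i;
        uint32_t w = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | p[3];
        if (saw_zero) {
            if (w) return -1;
            continue;
        }
        int n = cls(w);
        len += n;
        if (n < 32) {
            if ((uint32_t)(w << n) != 0) return -1;
            saw_zero = 1;
        }
    }
    return len;
}

/* Assumed helper: the text after an IPv6 address's '/', either a decimal
 * length ("64") or a mask in presentation form ("ffff:ffff:ffff:ffff::").
 * Returns 0..128, or -1 for anything that does not describe a valid prefix. */
int parse_netmask6(const char *s)
{
    struct in6_addr m;
    char *end;
    if (*s == '/') s++;
    if (!strchr(s, ':')) {
        long n = strtol(s, &end, 10);
        if (end == s || *end || n < 0 || n > 128) return -1;
        return (int)n;
    }
    if (inet_pton(AF_INET6, s, &m) != 1) return -1;
    return netmasklen6(&m);
}

/* Assumed helper for the IPv4 case, taking dotted-quad text. */
int netmasklen_str(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return -1;
    return netmasklen(a);
}

int main(void)
{
    /* Constructed sample inputs, including the commit's "/dead:beef::" string,
     * which is not a contiguous mask and is therefore rejected here. */
    const char *samples[] = { "/64", "/ffff:ffff:ffff:ffff::", "/dead:beef::", "/ffff::ffff", "::" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-26s -> %d\n", samples[i], parse_netmask6(samples[i]));
    printf("255.255.255.0 -> %d, 255.0.255.0 -> %d\n",
           netmasklen_str("255.255.255.0"), netmasklen_str("255.0.255.0"));
    return 0;
}
```

Note that "/dead:beef::" parses as an address but is not a valid mask (0xdead has interior zero bits), so a server sending it would be rejected rather than silently mapped to some prefix length; whether to accept such masks anyway is a policy choice this example makes strictly.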

950bdf0... by Dan Lenski

Remove attempt_period from protocol-specific udp_setup() functions

All protocols just plunk it into vpninfo->dtls_attempt_period. Let's
just do that in the library wrapper function.

Signed-off-by: Daniel Lenski <email address hidden>

89c2e5c... by dwmw2

Fix DTLS MTU probe timeouts

We mustn't ask for a timeout of 0ms; that means infinite.

Signed-off-by: David Woodhouse <email address hidden>

cc58696... by dwmw2

Handle empty response buf in process_http_response()

If there is no body and the 'body' buf has never had any data in it, then
body->data can be NULL. So don't dereference it when trying to ensure a
NUL at the end.

Signed-off-by: David Woodhouse <email address hidden>

307bb09... by dwmw2

Avoid free of argv[] when ciphersuite_config provided

This should use dup_config_arg() since it gets freed.

Signed-off-by: David Woodhouse <email address hidden>

365516b... by dwmw2

Fix memory leak in F5 config parsing

Wouldn't this be easier in C++? Or maybe Rust?

Signed-off-by: David Woodhouse <email address hidden>

5d2bbd7... by dwmw2

Fix CI artifact list for out-of-tree builds

Signed-off-by: David Woodhouse <email address hidden>

e1eac26... by Dan Lenski

Set Fortinet DPD interval from server's config

The name of the tag implies that its purpose is DTLS-specific (<dtls-config heartbeat-interval="X">)
and that it requires the use of the DTLS heartbeat extension (https://tools.ietf.org/html/rfc6520).

However, PPP already contains natural analogues for keepalive (Discard-Request) and DPD (Echo-Request
and Echo-Reply), which appear to work just fine with Fortinet servers. We may as well use the server's
heartbeat/keepalive interval for a more generic, transport-agnostic DPD mechanism, since OpenConnect
and PPP already support it.

The official Fortinet client software for Windows/Mac appears to be very deficient at dead peer
detection, so this may represent a substantial improvement in functionality for some users.

Signed-off-by: Daniel Lenski <email address hidden>
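
As an added example (not OpenConnect's PPP code), the following C shows the mechanism the commit relies on: LCP Echo-Request, Echo-Reply and Discard-Request framing per RFC 1661 section 5, with a small dead-peer-detection state machine whose probe interval is taken from the server's heartbeat-interval attribute. The struct layout, the function names, the DPD_DEFAULT_INTERVAL fallback, the max_outstanding give-up policy and the constructed packets are all assumptions for this illustration, not values from Fortinet or OpenConnect.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* LCP packet codes from RFC 1661 section 5. Echo-Request/Echo-Reply give a
 * round-trip liveness check (DPD); Discard-Request is a one-way keepalive. */
enum { LCP_ECHO_REQUEST = 9, LCP_ECHO_REPLY = 10, LCP_DISCARD_REQUEST = 11 };

#define LCP_HDR_LEN 8             /* Code(1) Identifier(1) Length(2) Magic-Number(4) */
#define DPD_DEFAULT_INTERVAL 30   /* assumed fallback, not a Fortinet value */

/* Serialise an Echo/Discard packet with no data. Returns bytes written, or -1. */
int lcp_encode(uint8_t *out, size_t outlen, uint8_t code, uint8_t id, uint32_t magic)
{
    if (outlen < LCP_HDR_LEN) return -1;
    out[0] = code;
    out[1] = id;
    out[2] = 0;                   /* Length field, network byte order */
    out[3] = LCP_HDR_LEN;
    out[4] = (uint8_t)(magic >> 24);
    out[5] = (uint8_t)(magic >> 16);
    out[6] = (uint8_t)(magic >> 8);
    out[7] = (uint8_t)magic;
    return LCP_HDR_LEN;
}

/* Parse a header, rejecting truncated packets and Length fields that overrun
 * the buffer; the peer's framing is never trusted. Returns 0 or -1. */
int lcp_decode(const uint8_t *in, size_t inlen, uint8_t *code, uint8_t *id, uint32_t *magic)
{
    if (inlen < LCP_HDR_LEN) return -1;
    size_t len = ((size_t)in[2] << 8) | in[3];
    if (len < LCP_HDR_LEN || len > inlen) return -1;
    *code = in[0];
    *id = in[1];
    *magic = ((uint32_t)in[4] << 24) | ((uint32_t)in[5] << 16) |
             ((uint32_t)in[6] << 8) | in[7];
    return 0;
}

/* Per-session DPD state (assumed layout). */
struct ppp_dpd {
    int interval;          /* seconds between probes, from the server's heartbeat-interval */
    int outstanding;       /* probes sent with no matching Echo-Reply */
    int max_outstanding;   /* declare the peer dead after this many (assumed policy) */
    uint8_t next_id;       /* Identifier for the next Echo-Request */
    uint8_t pending_id;    /* Identifier we expect the next Echo-Reply to carry */
    uint32_t our_magic;    /* our Magic-Number (RFC 1661 uses it to detect looped-back links) */
};

/* The <dtls-config heartbeat-interval="X"> attribute, as text from the server
 * config, becomes the probe interval; garbage, zero or absurd values fall back. */
int dpd_interval_from_server(const char *heartbeat_attr)
{
    char *end;
    long v;
    if (!heartbeat_attr) return DPD_DEFAULT_INTERVAL;
    v = strtol(heartbeat_attr, &end, 10);
    if (end == heartbeat_attr || *end || v <= 0 || v > 3600) return DPD_DEFAULT_INTERVAL;
    return (int)v;
}

/* Interval timer fired: write the next Echo-Request into out[], or return -1
 * once max_outstanding probes have gone unanswered (dead peer). */
int dpd_timer(struct ppp_dpd *d, uint8_t *out, size_t outlen)
{
    if (d->outstanding >= d->max_outstanding) return -1;
    d->pending_id = d->next_id++;
    d->outstanding++;
    return lcp_encode(out, outlen, LCP_ECHO_REQUEST, d->pending_id, d->our_magic);
}

/* Inbound LCP packet. Returns 1 when an Echo-Reply matches our latest probe,
 * 2 when a peer Echo-Request was answered (reply in out[], length in *outlen),
 * 0 for anything ignored (stale replies, Discard-Request), -1 if malformed. */
int dpd_rx(struct ppp_dpd *d, const uint8_t *in, size_t inlen,
           uint8_t *out, size_t outcap, int *outlen)
{
    uint8_t code, id;
    uint32_t magic;
    *outlen = 0;
    if (lcp_decode(in, inlen, &code, &id, &magic) < 0) return -1;
    switch (code) {
    case LCP_ECHO_REPLY:
        if (d->outstanding == 0 || id != d->pending_id) return 0;
        d->outstanding = 0;       /* peer is alive; older probes no longer matter */
        return 1;
    case LCP_ECHO_REQUEST:        /* the peer is probing us: answer with its Identifier */
        *outlen = lcp_encode(out, outcap, LCP_ECHO_REPLY, id, d->our_magic);
        return *outlen > 0 ? 2 : -1;
    default:                      /* Discard-Request and anything else: nothing to send */
        return 0;
    }
}

int main(void)
{
    struct ppp_dpd d = { 0, 0, 3, 1, 0, 0x11223344u };
    uint8_t probe[LCP_HDR_LEN], reply[LCP_HDR_LEN], out[LCP_HDR_LEN];
    int n, rn;
    d.interval = dpd_interval_from_server("10");                /* constructed server config */
    n = dpd_timer(&d, probe, sizeof probe);
    printf("probe %d bytes, id %u, outstanding %d\n", n, probe[1], d.outstanding);
    lcp_encode(reply, sizeof reply, LCP_ECHO_REPLY, probe[1], 0xdeadbeefu); /* constructed peer reply */
    n = dpd_rx(&d, reply, sizeof reply, out, sizeof out, &rn);
    printf("reply handled -> %d, outstanding %d\n", n, d.outstanding);
    return 0;
}
```

The transport-agnostic point of the commit shows up in dpd_timer and dpd_rx: they only produce and consume LCP bytes, so the same logic drives DPD whether the PPP frames ride over TLS or DTLS, and only the interval comes from the server's heartbeat setting.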