~mamarley/openconnect/+git/gitlab-main:globalprotect

Last commit made on 2017-08-17
Get this branch:
git clone -b globalprotect https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main

Branch information

Name:
globalprotect
Repository:
lp:~mamarley/openconnect/+git/gitlab-main

Recent commits

82d4430... by Dan Lenski

improved MTU calculation for GlobalProtect ESP

On Wed, Aug 16, 2017 at 8:03 PM, Daniel Lenski wrote:

> I believe the correct [ESP padding] algorithm is actually as follows:
>
> * From payload MTU, add 2 footer bytes, round *up* to a multiple of
> the blocksize. Add the size of the MAC, IV, and other headers. That's
> the size of the packet on the wire.
> * From wire packet MTU, subtract headers and MAC and IV, round *down*
> to a multiple of blocksize, subtract TWO footer bytes, and that's the
> largest payload you can carry.

Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>
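The two-direction padding calculation quoted in the commit message, worked through as a small added example (this is not code from openconnect, and the ESP sizes are assumptions for the AES128+SHA1 ciphersuite the later commit says GlobalProtect uses in practice: 8-byte ESP header, 16-byte IV, 16-byte block size, 12-byte HMAC-SHA1-96 ICV, 2 trailer bytes). The point it shows is that the 2 footer bytes must be added before rounding up to the block size, and subtracted after rounding down, so that the two functions are consistent with each other:

```c
#include <stdio.h>

/* Assumed ESP layout for AES-128-CBC + HMAC-SHA1-96 (constructed for this
 * example; not values read out of the openconnect source). */
#define ESP_HDR_LEN    8   /* SPI (4) + sequence number (4) */
#define ESP_IV_LEN     16  /* AES-CBC IV */
#define ESP_BLOCKSIZE  16  /* AES block size; the padded body is a multiple of it */
#define ESP_MAC_LEN    12  /* HMAC-SHA1-96 integrity check value */
#define ESP_FOOTER_LEN 2   /* pad-length byte + next-header byte */

/* Fixed per-packet overhead outside the encrypted, padded body. */
#define ESP_FIXED_OVERHEAD (ESP_HDR_LEN + ESP_IV_LEN + ESP_MAC_LEN)

static int round_up(int n, int m)   { return ((n + m - 1) / m) * m; }
static int round_down(int n, int m) { return (n / m) * m; }

/* Payload MTU -> size of the packet on the wire.
 * Footer is added *before* rounding up, because the trailer lives inside the
 * padded block and may push the body over a block boundary. */
int esp_wire_size(int payload_mtu)
{
    int body = round_up(payload_mtu + ESP_FOOTER_LEN, ESP_BLOCKSIZE);
    return body + ESP_FIXED_OVERHEAD;
}

/* Wire MTU -> largest payload that fits.
 * Footer is subtracted *after* rounding down, mirroring esp_wire_size().
 * Returns 0 when the wire MTU cannot hold even one padded block. */
int esp_max_payload(int wire_mtu)
{
    int avail = wire_mtu - ESP_FIXED_OVERHEAD;
    if (avail < ESP_BLOCKSIZE)
        return 0;
    return round_down(avail, ESP_BLOCKSIZE) - ESP_FOOTER_LEN;
}

/* Consistency check: a payload that fits must still fit after converting to
 * wire size and back, and the wire size of the largest payload for a given
 * wire MTU must not exceed that MTU. */
int esp_mtu_roundtrip_ok(int payload_mtu)
{
    int wire = esp_wire_size(payload_mtu);
    int back = esp_max_payload(wire);
    return back >= payload_mtu && esp_wire_size(back) <= wire;
}

int main(void)
{
    int payloads[] = { 1400, 1406, 1408, 1454 };
    int wires[]    = { 30, 1444, 1492, 1500 };
    size_t i;

    printf("payload -> wire\n");
    for (i = 0; i < sizeof payloads / sizeof payloads[0]; i++)
        printf("%5d -> %5d (roundtrip %s)\n", payloads[i],
               esp_wire_size(payloads[i]),
               esp_mtu_roundtrip_ok(payloads[i]) ? "ok" : "BROKEN");

    printf("wire -> max payload\n");
    for (i = 0; i < sizeof wires / sizeof wires[0]; i++)
        printf("%5d -> %5d\n", wires[i], esp_max_payload(wires[i]));
    return 0;
}
```

With a 1500-byte wire MTU and these assumed sizes, the largest payload is 1454 bytes (1464 available, rounded down to 1456, minus the 2-byte trailer), and the 1408-byte case shows why the ordering matters: a payload that is already block-aligned still needs a whole extra block once the trailer is counted.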

ca7ac61... by Brennan Hildebrand <email address hidden>

Include extra headers needed for ICMP packet-building on FreeBSD

Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>

2e4a070... by Dan Lenski

fix DTLS_OVERHEAD and GlobalProtect ESP overhead calculation

GlobalProtect doesn't try to calculate MTU until after it has information on
the ESP ciphersuite, so it can use the real HMAC/encryption key lengths when
calculating ESP overhead. In practice, I have never seen or heard of a GP
VPN that uses anything other than AES128+SHA1, but both the clients and
servers appear to include support for AES256.

DTLS_OVERHEAD was not correctly accounting for possibility of AES256
(32-byte IV).

Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>

1f07992... by dwmw2

Heckle MTU calc

Signed-off-by: David Woodhouse <email address hidden>

64a72af... by Dan Lenski

one more patch to GP login argument handling

Alexander Kurilo (https://github.com/kamazee) figured out the meaning of this one

Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>

f83484c... by Dan Lenski

use can_gen_tokencode() in auth-globalprotect.c

Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: David Woodhouse <email address hidden>

d2cbc42... by dwmw2

Fix gpst parse_portal_xmk() some more

If both 'portal-name' and 'gateways' nodes exist, but the 'gateways'
node comes first, we'd never handle the 'portal-name'. It might never
happen in practice... but that's no excuse :)

Signed-off-by: David Woodhouse <email address hidden>

f5528ef... by dwmw2

Heckle gpst_obtain_cookie()

Signed-off-by: David Woodhouse <email address hidden>

4387e14... by dwmw2

gpst: Mangle User-Agent header in one place

If we really need to override it for *all* requests, let's just do that
in gpst_common_headers(). Although maybe it'd be better just to ensure
that vpninfo->useragent is set appropriately in the first place?

It's not clear what we're gaining by preserving ->urlpath either, since
it never gets used as-is; we only *ever* override it with our own
strings. So we might as well just free the old one and set it.

Signed-off-by: David Woodhouse <email address hidden>

da0a15a... by dwmw2

More cleanups in gpst auth_form()

Signed-off-by: David Woodhouse <email address hidden>