~mamarley/openconnect/+git/gitlab-main:request_specific_ip_new

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

1dd2335... by Dan Lenski on 2017-12-21

Add openconnect_set_requested_ip() and --request-ip to explicitly request specific IP addresses

Protocol support:

- GlobalProtect supports requesting either Legacy IP or IPv6 addresses.
- Some Cisco AnyConnect servers *maybe* support this, but ocserv does not.
- PPP-based protocols might support this for Legacy IP *if* their IP
  address negotiation is purely via PPP/IPCP; PPP/IP6CP can't actually
  request a complete 16-byte IPv6 address.
- No known way to provide it for Juniper, Pulse, Array.

Currently, this option is only a request. OpenConnect will print an error
message, but will not abort, if the server assigns a different IP address.

The openconnect_set_requested_ip() API function carefully parses user-input
requested IP addresses using inet_pton(), and then renormalizes them using
inet_ntop(). This will avoid warnings about IP address mismatch where the
requested address doesn't match the quad-dotted notation for IPv4 or CIDR
notation for IPv6.

We assume that any real VPN server that provides IP addresses in text form
adheres to one of these two normalizations (see
https://gitlab.com/openconnect/openconnect/merge_requests/35#note_174395447), but
perhaps we *should* do similar for server-provided IP addresses too,
since we've had problems with this in the past.

Signed-off-by: Daniel Lenski <email address hidden>

759f085... by dwmw2 on 2022-04-21

Import translations from GNOME

Signed-off-by: David Woodhouse <email address hidden>

127cd5d... by dwmw2 on 2022-04-21

Fix lost translations for PRId64 → PRIu64 change

When we make changes like this, we should fix the translations too, to avoid
losing them.

Fixes: 7d8747806c ("The format specifier for uint64_t is PRIu64")
Signed-off-by: David Woodhouse <email address hidden>

14a5998... by Dan Lenski on 2022-04-20

Merge branch 'GP_internal_no_flag_for_issue_246' into 'master'

GP: add 'internal=no' flag to the login and configuration requests

See merge request openconnect/openconnect!337

8a99439... by Dan Lenski on 2022-04-08

Update changelog

Signed-off-by: Daniel Lenski <email address hidden>

51586b2... by Dan Lenski on 2022-02-11

GP: add 'internal=no' flag to the login and configuration requests

Without these flags, one user reports consistently hitting the "Matching
client config not found" error in response to the /ssl-vpn/getconfig.esp
request. See https://gitlab.com/openconnect/openconnect/-/issues/246

I *suspect* that 'internal=no' is the implicit default if unspecified
(https://gitlab.com/openconnect/openconnect/-/issues/246#note_836128670),
but we should get more testing on other GlobalProtect VPNs to confirm that
this works fine with them. If there is variation in whether this parameter
is allowed/expected, then we need a way to automatically detect the correct
value.

Signed-off-by: Daniel Lenski <email address hidden>

ba6c321... by Dan Lenski on 2022-04-20

Fix initial client request XML structure when announcing multicert capability

Having a separate 'announce_multicert_capability' function wasn't ideal:

1. Building the initial '<config-auth>' XML was more spread out and complex
   than necessary due to an extra layer of functions.
2. When multicert auth is offered by the client, the resultant XML actually
   contained *two* nested capabilities/auth-method tags:

       <config-auth client="vpn" type="init">
         <capabilities>
           <auth-method>single-sign-on</auth-method>
           <auth-method>single-sign-on-v2</auth-method>
         </capabilities>
         <capabilities>
           <auth-method>multiple-cert</auth-method>
         </capabilities>
       </config-auth>

What Cisco clients appear to send is a *single* '<capabilities>' tag
containing multiple '<auth-method>', as shown in the MITM capture in the
comments of
f51ecb36bedcd370086586295978627daeabade4 ("Converse the multiple certificate authentication (multicert) protocol."),
which introduced this structural mistake.

With the non-repeated '<capabilities>' tag, we can also fix the multicert
auth tests, where the check that the client was offering multicert was
disabled in
45da3b07dfc8f808e7b0d0bf80fbf7e73b1b0721 ("fake-cisco-server.py: Disable check for `multiple-cert` support"),
probably due to confusion over the XML structure and xmltodict's handling
of it.

Signed-off-by: Daniel Lenski <email address hidden>

ad1e734... by dwmw2 on 2022-04-20

Merge branch 'DWORD_PRId32_PRIo32' into 'master'

MinGW warning: the format specifier for DWORD is "%lu"

Closes #365

See merge request openconnect/openconnect!361

227dc02... by dwmw2 on 2022-04-20

Merge branch 'field_precision_specifier_expects_int' into 'master'

MinGW warning: field precision specifier '.*' expects argument of type 'int'

See merge request openconnect/openconnect!362

7d87478... by Dimitri Papadopoulos <email address hidden> on 2022-04-20

The format specifier for uint64_t is PRIu64

Switch from PRId64 (int64_t) to PRIu64 (uint64_t).

Signed-off-by: Dimitri Papadopoulos <email address hidden>