From: David Woodhouse Date: Mon, 29 Mar 2021 22:16:49 +0000 (+0100) Subject: Merge branch 'ppp_core' of gitlab.com:openconnect/openconnect X-Git-Tag: v8.20~327 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=6b6d2d063c2054984993d86980c620abc3718458;p=users%2Fdwmw2%2Fopenconnect.git Merge branch 'ppp_core' of gitlab.com:openconnect/openconnect --- 6b6d2d063c2054984993d86980c620abc3718458 diff --cc .gitlab-ci.yml index 4a9b0fd3,dcae72f2..66d0c504 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@@ -12,9 -12,9 +12,9 @@@ CentOS7/GnuTLS image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS7_BUILD script: - ./autogen.sh - - ./configure --with-java CFLAGS=-g + - ./configure --with-java --enable-ppp-tests CFLAGS=-g - make -j4 -# UTF-8 support is not available +# auth-nonascii: UTF-8 support is not available in distro's ocserv package - make VERBOSE=1 XFAIL_TESTS="auth-nonascii" -j4 check tags: - shared @@@ -31,9 -31,11 +31,11 @@@ CentOS7/OpenSSL image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS7_BUILD script: - ./autogen.sh - - ./configure --without-gnutls --with-openssl --with-java --without-openssl-version-check --enable-dtls-xfail --disable-dsa-tests CFLAGS=-g + - ./configure --without-gnutls --with-openssl --with-java --without-openssl-version-check --enable-dtls-xfail --disable-dsa-tests --enable-ppp-tests CFLAGS=-g - make -j4 + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED -# auth-nonascii: UTF-8 support is not available +# auth-nonascii: UTF-8 support is not available in distro's ocserv package # dtls-psk: communication with ocserv fails for undetermined reasons marking as xfail until issue is identified - make VERBOSE=1 XFAIL_TESTS="auth-nonascii dtls-psk" -j4 check tags: @@@ -51,9 -53,11 +53,11 @@@ CentOS8/GnuTLS image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD script: - ./autogen.sh - - ./configure --with-java --without-gnutls-version-check --disable-dsa-tests CFLAGS=-g + - ./configure --with-java 
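Review bot: The CentOS7/GnuTLS job gains `--enable-ppp-tests` on its `./configure` line but, unlike the other jobs that enable these tests, gets no step that moves `/etc/ppp` aside before `make ... check`; the hunk's line counts (9 lines on every side) show nothing was added. If pppd and its configuration are present in that image, the PPP tests would run with the system connection scripts still in place, which the comment added to the other jobs says is unwanted. I would add `- mv /etc/ppp /etc/ppp.DISABLED` after `- make -j4` here, with the same comment. The CentOS6/OpenSSL hunk is the inverse case: it gets the `mv` although its new comment says the PPP tests stay disabled, so a one-line comment there explaining why the step is kept would help.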
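Review bot: The added `- mv /etc/ppp /etc/ppp.DISABLED` step in CentOS7/OpenSSL is unguarded, and the same line is repeated in the CentOS8, CentOS6, Fedora and Ubuntu18.04 hunks of this diff. If an image has no `/etc/ppp`, the step fails the job before any test runs, and if `/etc/ppp.DISABLED` already exists (a runner that keeps state between jobs, which this page does not rule out) `mv` places the directory inside it instead of renaming it. A guarded form such as `- if [ -d /etc/ppp ]; then mv -T /etc/ppp /etc/ppp.DISABLED; fi` keeps the isolation and still fails loudly when the rename itself cannot be done. Since the same comment and command now appear in ten jobs, a YAML anchor for the step would keep the copies from drifting apart.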
--without-gnutls-version-check --disable-dsa-tests --enable-ppp-tests CFLAGS=-g - make -j4 + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED -# UTF-8 support is not available +# auth-nonascii: UTF-8 support is not available in distro's ocserv package - make VERBOSE=1 XFAIL_TESTS="auth-nonascii" -j4 check tags: - shared @@@ -70,10 -74,12 +74,12 @@@ CentOS8/OpenSSL image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS8_BUILD script: - ./autogen.sh - - ./configure --without-gnutls --with-openssl --with-java --without-openssl-version-check --disable-dsa-tests CFLAGS=-g + - ./configure --without-gnutls --with-openssl --with-java --without-openssl-version-check --disable-dsa-tests --enable-ppp-tests CFLAGS=-g - make -j4 + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED -# UTF-8 support is not available -# OpenSSL 1.1.0 disables 3DES and RC4 by default (https://www.openssl.org/blog/blog/2016/08/24/sweet32/) +# auth-nonascii: UTF-8 support is not available in distro's ocserv package +# obsolete-server-crypto: OpenSSL 1.1.0 disables 3DES and RC4 by default (https://www.openssl.org/blog/blog/2016/08/24/sweet32/) - make VERBOSE=1 XFAIL_TESTS="auth-nonascii obsolete-server-crypto" -j4 check tags: - shared @@@ -90,9 -96,13 +96,13 @@@ CentOS6/OpenSSL image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$CENTOS6_BUILD script: - ./autogen.sh + # We should --enable-ppp-tests here, but they just aren't working. For reasons that are not + # clear, OpenConnect fails to handshake a TLS connection to socat 1.7.2 (from CentOS 6 EPEL). 
- ./configure --with-java --without-openssl-version-check --enable-dtls-xfail CFLAGS=-g - make -j4 + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED -# UTF-8 support is not available +# auth-nonascii: UTF-8 support is not available in distro's ocserv package - make VERBOSE=1 XFAIL_TESTS="bad_dtls_test auth-nonascii" -j4 check tags: - shared @@@ -233,12 -243,14 +243,14 @@@ asan/OpenSSL/Fedora Fedora/GnuTLS: script: - ./autogen.sh - - ./configure --with-java --disable-dsa-tests --without-gnutls-version-check CFLAGS=-g + - ./configure --with-java --disable-dsa-tests --without-gnutls-version-check --enable-ppp-tests CFLAGS=-g - make tmp-distdir - cd openconnect-$(git describe --tags | sed s/^v//) - - ./configure --with-java --disable-dsa-tests --without-gnutls-version-check CFLAGS=-g + - ./configure --with-java --disable-dsa-tests --without-gnutls-version-check --enable-ppp-tests CFLAGS=-g - make -j4 + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED - # Disable rdrand to work around https://bugzilla.redhat.com/1831086 +# auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086 - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check tags: - shared @@@ -254,12 -266,14 +266,14 @@@ Fedora/GnuTLS/clang: script: - ./autogen.sh - - ./configure --with-java --disable-dsa-tests --without-gnutls-version-check CC=clang CFLAGS=-g + - ./configure --with-java --disable-dsa-tests --without-gnutls-version-check CC=clang --enable-ppp-tests CFLAGS=-g - make tmp-distdir - cd openconnect-$(git describe --tags | sed s/^v//) - - ./configure --with-java --disable-dsa-tests --without-gnutls-version-check CC=clang CFLAGS=-g + - ./configure --with-java --disable-dsa-tests --without-gnutls-version-check CC=clang --enable-ppp-tests CFLAGS=-g - make -j4 + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED - # Disable rdrand to work 
around https://bugzilla.redhat.com/1831086 +# auth-pkcs11: Disable rdrand to work around https://bugzilla.redhat.com/1831086 - make VERBOSE=1 OPENSSL_ia32cap=~0x4000000000000000 -j4 check tags: - shared @@@ -277,13 -291,14 +291,15 @@@ Fedora/OpenSSL # Re-enable DSA since we test it - update-crypto-policies --set LEGACY - ./autogen.sh - - ./configure --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests CFLAGS=-g + - ./configure --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests --enable-ppp-tests CFLAGS=-g - make tmp-distdir - cd openconnect-$(git describe --tags | sed s/^v//) - - ./configure --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests CFLAGS=-g + - ./configure --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests --enable-ppp-tests CFLAGS=-g - make -j4 + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED -# OpenSSL 1.1.0 disables 3DES and RC4 by default (https://www.openssl.org/blog/blog/2016/08/24/sweet32/) +# auth-nonascii: UTF-8 support is not available in distro's ocserv package +# obsolete-server-crypto: OpenSSL 1.1.0 disables 3DES and RC4 by default (https://www.openssl.org/blog/blog/2016/08/24/sweet32/) - make VERBOSE=1 XFAIL_TESTS="obsolete-server-crypto" -j4 check tags: - shared @@@ -301,13 -316,14 +317,14 @@@ Fedora/OpenSSL/clang # Re-enable DSA since we test it - update-crypto-policies --set LEGACY - ./autogen.sh - - ./configure CC=clang --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests CFLAGS=-g + - ./configure CC=clang --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests --enable-ppp-tests CFLAGS=-g - make tmp-distdir - cd openconnect-$(git describe --tags | sed s/^v//) - - ./configure CC=clang --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests CFLAGS=-g + - ./configure CC=clang 
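Review bot: In the Fedora/OpenSSL job the merged result adds the comment `# auth-nonascii: UTF-8 support is not available in distro's ocserv package`, but the `XFAIL_TESTS` value on the following `make ... check` line lists only `obsolete-server-crypto`. The new `name: reason` comment style reads as documentation of the XFAIL list, so this line describes an expected failure that is not configured; the Fedora/OpenSSL/clang hunk appears to drop the same comment. Either remove the comment here or, if the test is in fact expected to fail on this image, list it as `XFAIL_TESTS="auth-nonascii obsolete-server-crypto"`. The +/- columns of this combined diff are partly lost on the page, so confirm against the merged file.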
--without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests --enable-ppp-tests CFLAGS=-g - make -j4 - # auth-nonascii: UTF-8 support is not available in distro's ocserv package + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED -# OpenSSL 1.1.0 disables 3DES and RC4 by default (https://www.openssl.org/blog/blog/2016/08/24/sweet32/) +# obsolete-server-crypto: OpenSSL 1.1.0 disables 3DES and RC4 by default (https://www.openssl.org/blog/blog/2016/08/24/sweet32/) - make VERBOSE=1 XFAIL_TESTS="obsolete-server-crypto" -j4 check tags: - shared @@@ -324,10 -340,15 +341,15 @@@ Ubuntu18.04/GnuTLS image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$UBUNTU_BUILD script: - ./autogen.sh - - ./configure --with-java CFLAGS=-g + - ./configure --with-java --enable-ppp-tests CFLAGS=-g - make -j4 + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED + # For reasons that are unclear, but probably also unimportant, IPv6 is disabled by default on this CI + # image (verified in https://gitlab.com/openconnect/openconnect/-/jobs/1135199323#L335), and this will + # cause PPP tests using IPv6 to fail. 
So we must explicitly enable IPv6: + - sysctl net.ipv6.conf.all.disable_ipv6=0 -# UTF-8 support is not available +# auth-nonascii: UTF-8 support is not available in distro's ocserv package - # obsolete-server-crypto: OpenSSL 1.1.0 disables 3DES and RC4 by default (https://www.openssl.org/blog/blog/2016/08/24/sweet32/) - make VERBOSE=1 XFAIL_TESTS="auth-nonascii" -j4 check tags: - shared @@@ -344,10 -364,16 +365,16 @@@ Ubuntu18.04/OpenSSL image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$UBUNTU_BUILD script: - ./autogen.sh - - ./configure --without-gnutls --with-openssl --with-java --without-openssl-version-check --disable-dsa-tests CFLAGS=-g + - ./configure --without-gnutls --with-openssl --with-java --without-openssl-version-check --disable-dsa-tests --enable-ppp-tests CFLAGS=-g - make -j4 + # we don't want pppd to invoke any actual connection scripts + - mv /etc/ppp /etc/ppp.DISABLED + # For reasons that are unclear, but probably also unimportant, IPv6 is disabled by default on this CI + # image (verified in https://gitlab.com/openconnect/openconnect/-/jobs/1135199323#L335), and this will + # cause PPP tests using IPv6 to fail. So we must explicitly enable IPv6: + - sysctl net.ipv6.conf.all.disable_ipv6=0 -# UTF-8 support is not available -# OpenSSL 1.1.0 disables 3DES and RC4 by default (https://www.openssl.org/blog/blog/2016/08/24/sweet32/) +# auth-nonascii: UTF-8 support is not available in distro's ocserv package +# obsolete-server-crypto: OpenSSL 1.1.0 disables 3DES and RC4 by default (https://www.openssl.org/blog/blog/2016/08/24/sweet32/) - make VERBOSE=1 XFAIL_TESTS="auth-nonascii obsolete-server-crypto" -j4 check tags: - shared