Colin Petrie [Thu, 27 Jun 2019 16:24:51 +0000 (18:24 +0200)]
Update CSTP for IPv6 DNS servers
When the Cisco side is configured with IPv4 and IPv6 DNS resolver IPs,
it will send option X-CSTP-DNS-IP6
This patch captures the IPv6 addresses provided, and puts them in
INTERNAL_IP6_DNS variable for vpnc-scripts (which is already handled
there)
Signed-off-by: Colin Petrie <colin@spakka.net>
[dwmw2: Put them in $INTERNAL_IP4_DNS instead. They shouldn't be split.] Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 10 Jun 2019 21:55:25 +0000 (22:55 +0100)]
Improve Pulse ESP setup reliability.
Sometimes, the server is slow to process the ESP config so our first probes
don't elicit a response. Abuse the licensing information packet which comes
after the connection is set up, and send a second set of probes when it
arrives.
Perhaps we should actually send three probes, half a second apart.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 10 Jun 2019 21:35:26 +0000 (22:35 +0100)]
Revert "Set ESP Next Header field to 0x29 for IPv6 packets"
This reverts commit 02ae906bb691c8b342d7ff0875e200ce55c18f2a. Turns out
Pulse doesn't *accept* ESP frames with the correct Next-Header field
for IPv6. You have to send 0x04 (IPIP). So I cleaned it up and removed
the duplication for nothing...
Might need to put this back when we work out how GPST does IPv6.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 10 Jun 2019 12:53:14 +0000 (13:53 +0100)]
pulse: Handle multiple IF-T/TLS records in a single SSL record
We are still assuming that IT-F/TLS record won't be *split* between SSL
records. That turned out to be a false assumption for Network Connect,
but hopefully they're saner here. We should cleanly complain about that
if it does happen.
There may be better ways to do this; perhaps we should receive the whole SSL
record then handle each record separately. In the common case there's no
real reason for the incoming packet queue anyway. We could just call
os_write_tun() directly. And then only have to resort to memcpy to
split packets up in the very rare case that the tun isn't taking writes
anyway.
This will do for now. The TCP connection *shouldn't* be the fast path
anyway. Not that we've worked out how to make the Pulse server actually
send data in ESP; even with the Windows client it still sends in TCP...
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Sat, 1 Jun 2019 02:10:10 +0000 (19:10 -0700)]
Add hipreport-android.sh
The desktop version of the HIP report doesn't work on Android in part
because the here-doc appears to exceed the size of the read buffer in
Android's rather primitive /system/bin/sh. This is a rather confusing bug
to identify and diagnose.
Include an alternate script with minimal contents (hipreport-minimal.sh)
which is suitable for use on Android.
Daniel Lenski [Fri, 12 Jan 2018 09:44:17 +0000 (01:44 -0800)]
Incomplete, speculative IPv6 for GlobalProtect
Client-side IPv6 support was added in v4.0:
https://live.paloaltonetworks.com/t5/Colossal-Event-Blog/New-GlobalProtect-4-0-announced-with-IPv6-support/ba-p/141593
Server-side IPv6 support was added in PanOS 8.0:
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/globalprotect-features
I've been wanting to get IPv6 working for a while, but don't have access to
a GP VPN that supports IPv6, and haven't found anyone else who does. I'm
adding incomplete, speculative IPv6 support here in the hopes that someone
will use it and report back on partial success/failure:
* Known from Windows client: `ipv6-support=yes` in `/ssl-vpn/login.esp`
request, `preferred-ipv6` in `/ssl-vpn/getconfig.esp` request,
`client-ipv6` in `/ssl-vpn/hipreport{,check}.esp` requests,
`app-version=4.0.5-8`,
* Educated guess: 0x0800 in GPST packet header represents IPv4 ethertype,
and will be replaced with 0x86DD for IPv6 packets.
* Unknown: IPv6 routing configuration tags to expect in
`/ssl-vpn/getconfig.esp` response. This build prints a prominent
error message if it encounters any unknown configuration tags
containing the character '6', and requests feedback to the mailing
list.
Dan Lenski [Sat, 25 May 2019 05:41:19 +0000 (22:41 -0700)]
Report GP session lifetime
OpenConnect doesn't have a mechanism to immediately stop trying to reconnect
after the session expires.
Server-forced session expiration "takes care of itself" when OpenConnect
tries to reconnect repeatedly and fails, though it might be useful to save
the expected expiration time somewhere to be able to report it in a more
user-friendly fashion.
Dan Lenski [Sat, 25 May 2019 04:54:40 +0000 (21:54 -0700)]
Better spoofed HIP report
Some GlobalProtect VPNs appear to actually check the contents of the HIP
report in some way, and require that anti-virus/anti-spyware software be
labeled as up-to-date.
Also, the --computer parameter is no longer needed (now that its value
is included in the "cookie")
David Woodhouse [Fri, 7 Jun 2019 16:04:41 +0000 (17:04 +0100)]
Convert dump_buf_hex() to use oc_text_buf instead of sprintf
I seem to recall the OpenBSD build will complain loudly about the use of
"bad" functions like sprintf. And even though this particular code does
seem to be perfectly correct, they do have a point in the general case.
Just use buf_append() for this, since that's what it was designed for.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 16 May 2019 18:18:30 +0000 (11:18 -0700)]
Include <errno.h> in gnutls_tpm2_ibm.c
Some environments don't pull it in implicitly; we should include it for
ourselves.
gnutls_tpm2_ibm.c: In function ‘install_tpm2_key’:
gnutls_tpm2_ibm.c:485:11: error: ‘EINVAL’ undeclared (first use in this function)
return -EINVAL;
^~~~~~
gnutls_tpm2_ibm.c:485:11: note: each undeclared identifier is reported only once for each function it appears in
gnutls_tpm2_ibm.c:490:11: error: ‘ENOMEM’ undeclared (first use in this function)
return -ENOMEM;
^~~~~~
gnutls_tpm2_ibm.c:528:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
Makefile:1206: recipe for target 'libopenconnect_la-gnutls_tpm2_ibm.lo' failed
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Sat, 11 May 2019 09:41:14 +0000 (10:41 +0100)]
Kill MAX_BUF_LEN
There's no real point in having a hard limit for struct oc_text_buf, the
whole point of which is that it is dynamically allocated. Just guard
against the int buf_len overflowing.
In process_http_response() the hard-coded buf[] array is only used for
headers one line at a time now, so 8KiB should suffice.
Fixes: #39 Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 25 Apr 2019 11:01:02 +0000 (13:01 +0200)]
Clean up memset_s() detection a bit more.
Definining __STDC_WANT_LIB_EXT1__ to get memset_s() is required by the C11
standard, not a Solaris-ism. It's no use just to check for its presence
in the library with AC_CHECK_FUNC() if it isn't going to compile, so make
sure we check for it with AC_LINK_IFELSE() *and* with the warning flags
that might include -Werror-implicit-function-declarations.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 9 Apr 2019 15:45:33 +0000 (18:45 +0300)]
Don't read from non-readable fds
By removing the unneeded reads from file descriptors that we know aren't
readable, ESP TX performance goes from 1700Mb/s to 1760Mb/s on my current
test setup.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Wed, 10 Apr 2019 14:42:43 +0000 (17:42 +0300)]
more careful gpst_esp_catch_probe()
Previous version of gpst_esp_catch_probe would catch/filter *any* ping reply sent over the tunnel
from the "magical" ESP "gateway" address. (Heavy-handed scare quotes intentional.)
This may result in confusing behavior in some testing/debugging scenarios, as described in this thread:
Daniel Lenski [Wed, 3 Apr 2019 14:22:08 +0000 (17:22 +0300)]
bugfix for OTP "challenge" form handling
In the patch entitled 'Recognise auth forms named "challenge" as token
requests' (commit 51f8feb6, released in v8.00) the condition for using an
OTP token in an AnyConnect login form was changed from:
(field is named `secondary_password`)
… to:
(field is named `secondary_password`) AND (form is named `challenge`)
This was almost certainly a mistake, and should have been as follows:
(field is named `secondary_password`) OR (form is named `challenge`)
This patch rewrites the condition to do just that, in a clearer form, and
should fix GitLab issue #24 (https://gitlab.com/openconnect/openconnect/issues/24#note_157035052).
Marc St-Amand [Tue, 5 Feb 2019 13:35:22 +0000 (08:35 -0500)]
auth-juniper.c: ignore non-empty lines from TNCC after DSPREAUTH cookie
This skips over a seemingly harmless DSPREAUTH failure:
Unexpected non-empty line from TNCC after DSPREAUTH cookie: '0'
Failed to read response from TNCC
Failed to obtain WebVPN cookie
After the unexpected '0', TNCC sends an empty line response and the
authentication sequence can proceed normally. In case other TNCC
variants send more chatter, the function ignores and logs up to 10
non-empty lines before giving up.
Signed-off-by: Marc St-Amand <pedalling.philosopher@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 15 Jan 2019 15:16:08 +0000 (17:16 +0200)]
Add 'attempt-reconnect' vpnc-script reason
In https://gitlab.com/openconnect/openconnect/issues/17 we think we need
to give the vpnc-script a chance to reinstate the host route to the VPN
server before we can reconnect.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Mike Miller [Sat, 12 Jan 2019 01:04:09 +0000 (17:04 -0800)]
Define IPV6_TCLASS when it isn't defined on Hurd
Per https://bugs.debian.org/738646, Hurd uses the *BSD definition for
the socket option IPV6_TCLASS, but it is not yet provided in any system
header files.
projects / users / dwmw2 / openconnect.git / log