factor out add_ppp_header

Tested with F5 HDLC and non-HDLC

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

fix HDLC packet logging buffer overflow

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

n != ppp.hlen for HDLC (will only work by coincidence if PPP header is uncompressed/4 bytes)

See https://gitlab.com/openconnect/openconnect/-/commit/c060e713f7aba546ccc3a1e729dd6e2e21e0e43b#note_342889873

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

check pre-un-HDLC packet length for NX

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

fix a couple off-by-encap_len bits of NX

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Merge branch 'nx' of https://gitlab.com/Rondom/openconnect into f5

Merge branch 'master' of git.infradead.org:public_git/openconnect into f5

Add initial SonicWall NetExtender support

LCP works, no error handling yet.

Signed-off-by: Andreas Gnau <rondom@rondom.de>

Tag version 8.10

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Update changelog

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Merge branch 'bug721570' of gitlab.com:floppym/openconnect

Bump Android API level to 23 to allow it to run on Android 10

Nobody cares about older API versions, which would only be needed
to support Android versions older than 6.0.

cf. https://gitlab.com/openconnect/openconnect/-/merge_requests/92

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Update Android dependencies

Update GnuTLS, libxml2, nettle, gmp and lz4

Based on a patch from Severus <huynhok.uit@gmail.com>

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Merge branch 'Juniper_frmNextToken_submit_button' of gitlab.com:openconnect/openconnect

Merge branch 'GP_stop_asking_to_report_unexpected_arg19=4' of gitlab.com:openconnect/openconnect

Merge branch 'do_not_strip_newlines_in_CSD_response' of gitlab.com:dlenski/openconnect

Tidy up PPP strings

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

parse real Fortinet config

Based on these two real examples (https://forum.fortinet.com/tm.aspx?m=170415 and https://forum.fortinet.com/tm.aspx?m=105123).

Tested with sample XML in comments.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

add test-fortinet-login.py

Often easier to prototype HTTPS-based authentication flows in Python, since
they're so fiddly and arbitary.  So I copied `test-f5-login.py` to
`test-fortinet-login.py`.  Currently only handles basic
username-and-password auth, no 2FA:

```
usage: test-fortinet-login.py [-h] [-v] [-u USERNAME] [-p PASSWORD] [-r REALM]
                              [-c CERT] [--key KEY] [--no-verify]
                              endpoint [extra [extra ...]]

positional arguments:
  endpoint              Fortinet server (or complete URL, e.g.
                        https://forti.vpn.com/remote/login)
  extra                 Extra field to pass to include in the login query
                        string (e.g. "foo=bar")

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose
  --no-verify           Ignore invalid server certificate

Login credentials:
  -u USERNAME, --username USERNAME
                        Username (will prompt if unspecified)
  -p PASSWORD, --password PASSWORD
                        Password (will prompt if unspecified)
  -r REALM, --realm REALM
                        Realm (empty if unspecified)
  -c CERT, --cert CERT  PEM file containing client certificate (and optionally
                        private key)
  --key KEY             PEM file containing client private key (if not
                        included in same file as certificate)
```

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Basic ConfRej handling

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Merge branch 'f5' of gitlab.com:openconnect/openconnect

Use LCP protocol code values for feature bitmask

In preparation for handling ConfRej

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

second time's a charm?

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Fewer magic numbers for NCP opts

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Make encap_names[] compile again

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Merge branch 'master' of git.infradead.org:public_git/openconnect

fix encap_names for Fortinet HDLC

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Use do_https_request()

That's a lot simpler than open-coding it.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Fix fortinet_bye() path

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

combine comments from heretofore missing ppp.h

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

save four bytes in HDLC malloc

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Add basic attempt at Fortinet support

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Use ID from struct ncp

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Make proto strings static

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Add missing ppp.h

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

use HDLC_OUT macro

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

check for PPP state transitions before/after each packet received

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

move PPP #defines and structs to ppp.h

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

unused label

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Handle ConfRej for anything that needs it.

If get a ConfReq with anything we don't want or understand — and that
includes bloody VJ header compression, since I'm not completely batshit
insane — send a ConfRej.

Do this by building up the options to be rejected in an oc_text_buf as
we go, then rejecting that set if it's non-empty once we get to the end.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Fix un-HDLC corner cases

1) The initial 0x7e is optional, the final 0x7e is not (was reversed).
2) Dangling escape can occur even when we haven't run out of buffer. 0x7d 0x7e is an invalid sequence.

While not breaking…

3) 0x7d can be the “target” of an escape (0x7d 0x7d → 0x5d)
4) 0x5d as the “target” of an escape (0x7d 0x5d → 0x7d) doesn't indicate a new escape

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

get rid of a bunch of casts

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

stop asking users to report unexpected GP login argument arg[20]="unknown"

We don't know what this one means, but newer GP servers always send it and it's basically uninteresting.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Add FCS support

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

nope, F5 HDLC isn't emitting junk… I'm just failing to unescape the FCS

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

tweak unhdlc_in_place, in preparation for multiple concatenated packets

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

simplify PPP header checking

There's no point whatsover to checking if the server is doing ACCOMP/PFCOMP
as negotiated:
- Even if negotiated, they're optional.
- Even if *not* negotiated, they're unambiguous.
- Either way, it's much easier just to ignore the negotiated options.

“Be liberal in what you accept, and conservative in what you send.”

Some day I will acquire a time machine, travel back to 1993, and ask the
designers of PPP not to add meaningless boilerplate bytes to their protocol
in such a uniquely strange-yet-approachable way that compels future implementers to
reinvent clever ways of dealing with them hundreds of times.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

F5 server sends frequent extra junk/padding in HDLC mode… just accept it

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

working unhdlc_in_place and hdlc_into_new_pkt

TODO: verify incoming FCS and generate outgoing FCS (F5 accepts it set to zero ¯\_(ツ)_/¯)

https://tools.ietf.org/html/rfc1662#appendix-C.2

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

rip out HDLC skeleton as a thought experiment

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

remove state-machine fall-throughs: unnecessary, error-prone, make the transition display confusing

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

get rid of offset-by-1 in lcp_names and encap_names arrays

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

log ancient deprecated IPCP IP-Addresses option

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

use tcp_control_queue for PPP config packets

(Also fixes the dodginess of using high nibble of first byte to distinguish config from data packets)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

oncp_control_queue → tcp_control_queue

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

cleanup state printing

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

add timers to resend Config-Request after 3 seconds

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

send_config_request → queue_config_request

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

now storing {in,out}_lcp_magic in on-the-wire order (for ease of assembing util packets)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

fix header shift prediction

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Better attempt to get HDLC outbound right

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Use CONFREQ et al definitions instead of numbers

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Make oc_ncp state a structure, including the id.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Drop hdlc and we_go_first args from openconnect_ppp_new()

We should always go first for *our* outbound ConfReqs, not wait for the
server to go first. And HDLC can be inferred from the encap mode, to
which we can add PPP_ENCAP_F5_HDLC.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

we're never gonna want outgoing header compression

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

handle we_go_first

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

use queue for conf-ack packets too

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

two more dumb bugs

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

queue util packets

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

fix two bugs which were cancelling each other

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

consolidate send_util and stash packet header length in packet

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

PPP: use echo-request/discard-request for DPD/keepalive

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

working PPP mainloop

Still TODO:
- Handle we_go_first option where we offer our Configure-Request before receiving one
- Handle HDLC (blech)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

state naming/handling cleanup

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

plan to handle different types of PPP encapsulation (F5, array, etc.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

include ppp state in `struct openconnect_info`

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

factor out send_config_request

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

working PPP config negotation (LCP+IPCP+IP6CP)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

make buf_append_{be16,be32,le16} global

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

add test-f5-login.py script

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

extract basic IP configuration from XML, including default and split routes

Based on code structure in gpst.c, and hints about interpretation of XML tags from:

- https://github.com/rei/f5vpn-client/blob/HEAD/f5vpn-login.py
- https://github.com/rei/f5vpn-client/blob/HEAD/README.md

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

gnutls: prevent buffer overflow in get_cert_name

The test suite for ocserv calls openconnect with a certificate that has
a name that is 84 bytes in length. The buffer passed to get_cert_name is
currently 80 bytes.

The gnutls_x509_crt_get_dn_by_oid function will update the buffer size
parameter if the buffer is too small.

http://man7.org/linux/man-pages/man3/gnutls_x509_crt_get_dn_by_oid.3.html

RETURNS
       GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long
       enough, and in that case the  buf_size will be updated with the
       required size. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE if there are no
       data in the current index. On success 0 is returned.

Use a temporary variable to avoid clobbering the namelen variable that is
passed to get_cert_name.

Bug: https://bugs.gentoo.org/721570
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Mike Gilbert <floppym@gentoo.org>

Juniper frmNextToken: recognize secidactionEnter as submit button

ping #137

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Disable OpenSSL RDRAND in COPR tests to work around SoftHSM deadlock

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Fix name of tpm2-tss-engine

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Also disable cURL's use of HTTP/1.1 expect logic

This is only a useful optimization for large payloads, and seems to confuse some Cisco ASAs or middleboxes.

See https://gms.tf/when-curl-sends-100-continue.html#disabling-expect-logic

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Fix f5_bye

Like oNCP, one GET request takes care of it

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

typo

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Start adding PPP

It's going to need a state machine, with timers and non-blocking reads.
But that's not so hard, based on cancellable_recv().

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

some ASAs are confused by stripping newlines from CSD response

See #139 for report of this.

Using `curl --data-binary` instead of `--data` should avoid this issue.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

First attempt at F5 support

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Fix up COPR specfiles for bash-completion script location

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Merge branch 'bash-completion' of gitlab.com:bluca/openconnect

Use shorter pathname for COPR RPM build

If the path of SOCKET_WRAPPER_DIR is too long, it doesn't fit in the
sun_path field of the sockaddr_un, and libsocket_wrapper gets very
unhappy, reporting 'Too many unix sockets'. Despite actually only ever
trying *one* path over and over again 1024 times due to truncation.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Install tncc-emulate.py too

Signed-off-by: Luca Boccassi <bluca@debian.org>

Fix typo in autocomplete test log message

Signed-off-by: Luca Boccassi <bluca@debian.org>

Bash completion: install as /usr/share/bash-completion/completions/openconnect

This is the common default installation pattern for quite some time

Signed-off-by: Luca Boccassi <bluca@debian.org>

Fix path to openconnect in bash completion

Oops, that wasn't supposed to get committed like that.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

stop asking users to report unexpected GP login argument arg[19]="4"

We still don't know what this one means (my wild guess is that it's telling the client to prefer IPv4), but newer GP servers always send it and it's basically uninteresting.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Fix sigterm test at last

Make the main script wait for the device to be *up* not just exist.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>