Daniel Lenski [Fri, 12 Jan 2018 09:44:17 +0000 (01:44 -0800)]
Incomplete, speculative IPv6 for GlobalProtect
Client-side IPv6 support was added in v4.0:
https://live.paloaltonetworks.com/t5/Colossal-Event-Blog/New-GlobalProtect-4-0-announced-with-IPv6-support/ba-p/141593
Server-side IPv6 support was added in PanOS 8.0:
https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/globalprotect-features
I've been wanting to get IPv6 working for a while, but don't have access to
a GP VPN that supports IPv6, and haven't found anyone else who does. I'm
adding incomplete, speculative IPv6 support here in the hopes that someone
will use it and report back on partial success/failure:
* Known from Windows client: `ipv6-support=yes` in `/ssl-vpn/login.esp`
request, `preferred-ipv6` in `/ssl-vpn/getconfig.esp` request,
`client-ipv6` in `/ssl-vpn/hipreport{,check}.esp` requests,
`app-version=4.0.5-8`,
* Educated guess: 0x0800 in GPST packet header represents IPv4 ethertype,
and will be replaced with 0x86DD for IPv6 packets.
* Unknown: IPv6 routing configuration tags to expect in
`/ssl-vpn/getconfig.esp` response. This build prints a prominent
error message if it encounters any unknown configuration tags
containing the character '6', and requests feedback to the mailing
list.
Dan Lenski [Sat, 25 May 2019 05:41:19 +0000 (22:41 -0700)]
Report GP session lifetime
OpenConnect doesn't have a mechanism to immediately stop trying to reconnect
after the session expires.
Server-forced session expiration "takes care of itself" when OpenConnect
tries to reconnect repeatedly and fails, though it might be useful to save
the expected expiration time somewhere to be able to report it in a more
user-friendly fashion.
Dan Lenski [Sat, 25 May 2019 04:54:40 +0000 (21:54 -0700)]
Better spoofed HIP report
Some GlobalProtect VPNs appear to actually check the contents of the HIP
report in some way, and require that anti-virus/anti-spyware software be
labeled as up-to-date.
Also, the --computer parameter is no longer needed (now that its value
is included in the "cookie")
David Woodhouse [Fri, 7 Jun 2019 16:04:41 +0000 (17:04 +0100)]
Convert dump_buf_hex() to use oc_text_buf instead of sprintf
I seem to recall the OpenBSD build will complain loudly about the use of
"bad" functions like sprintf. And even though this particular code does
seem to be perfectly correct, they do have a point in the general case.
Just use buf_append() for this, since that's what it was designed for.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 16 May 2019 18:18:30 +0000 (11:18 -0700)]
Include <errno.h> in gnutls_tpm2_ibm.c
Some environments don't pull it in implicitly; we should include it for
ourselves.
gnutls_tpm2_ibm.c: In function ‘install_tpm2_key’:
gnutls_tpm2_ibm.c:485:11: error: ‘EINVAL’ undeclared (first use in this function)
return -EINVAL;
^~~~~~
gnutls_tpm2_ibm.c:485:11: note: each undeclared identifier is reported only once for each function it appears in
gnutls_tpm2_ibm.c:490:11: error: ‘ENOMEM’ undeclared (first use in this function)
return -ENOMEM;
^~~~~~
gnutls_tpm2_ibm.c:528:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
Makefile:1206: recipe for target 'libopenconnect_la-gnutls_tpm2_ibm.lo' failed
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Sat, 11 May 2019 09:41:14 +0000 (10:41 +0100)]
Kill MAX_BUF_LEN
There's no real point in having a hard limit for struct oc_text_buf, the
whole point of which is that it is dynamically allocated. Just guard
against the int buf_len overflowing.
In process_http_response() the hard-coded buf[] array is only used for
headers one line at a time now, so 8KiB should suffice.
Fixes: #39 Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 25 Apr 2019 11:01:02 +0000 (13:01 +0200)]
Clean up memset_s() detection a bit more.
Definining __STDC_WANT_LIB_EXT1__ to get memset_s() is required by the C11
standard, not a Solaris-ism. It's no use just to check for its presence
in the library with AC_CHECK_FUNC() if it isn't going to compile, so make
sure we check for it with AC_LINK_IFELSE() *and* with the warning flags
that might include -Werror-implicit-function-declarations.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 9 Apr 2019 15:45:33 +0000 (18:45 +0300)]
Don't read from non-readable fds
By removing the unneeded reads from file descriptors that we know aren't
readable, ESP TX performance goes from 1700Mb/s to 1760Mb/s on my current
test setup.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Wed, 10 Apr 2019 14:42:43 +0000 (17:42 +0300)]
more careful gpst_esp_catch_probe()
Previous version of gpst_esp_catch_probe would catch/filter *any* ping reply sent over the tunnel
from the "magical" ESP "gateway" address. (Heavy-handed scare quotes intentional.)
This may result in confusing behavior in some testing/debugging scenarios, as described in this thread:
Daniel Lenski [Wed, 3 Apr 2019 14:22:08 +0000 (17:22 +0300)]
bugfix for OTP "challenge" form handling
In the patch entitled 'Recognise auth forms named "challenge" as token
requests' (commit 51f8feb6, released in v8.00) the condition for using an
OTP token in an AnyConnect login form was changed from:
(field is named `secondary_password`)
… to:
(field is named `secondary_password`) AND (form is named `challenge`)
This was almost certainly a mistake, and should have been as follows:
(field is named `secondary_password`) OR (form is named `challenge`)
This patch rewrites the condition to do just that, in a clearer form, and
should fix GitLab issue #24 (https://gitlab.com/openconnect/openconnect/issues/24#note_157035052).
Marc St-Amand [Tue, 5 Feb 2019 13:35:22 +0000 (08:35 -0500)]
auth-juniper.c: ignore non-empty lines from TNCC after DSPREAUTH cookie
This skips over a seemingly harmless DSPREAUTH failure:
Unexpected non-empty line from TNCC after DSPREAUTH cookie: '0'
Failed to read response from TNCC
Failed to obtain WebVPN cookie
After the unexpected '0', TNCC sends an empty line response and the
authentication sequence can proceed normally. In case other TNCC
variants send more chatter, the function ignores and logs up to 10
non-empty lines before giving up.
Signed-off-by: Marc St-Amand <pedalling.philosopher@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 15 Jan 2019 15:16:08 +0000 (17:16 +0200)]
Add 'attempt-reconnect' vpnc-script reason
In https://gitlab.com/openconnect/openconnect/issues/17 we think we need
to give the vpnc-script a chance to reinstate the host route to the VPN
server before we can reconnect.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Mike Miller [Sat, 12 Jan 2019 01:04:09 +0000 (17:04 -0800)]
Define IPV6_TCLASS when it isn't defined on Hurd
Per https://bugs.debian.org/738646, Hurd uses the *BSD definition for
the socket option IPV6_TCLASS, but it is not yet provided in any system
header files.
Daniel Lenski [Sun, 6 Jan 2019 10:07:51 +0000 (02:07 -0800)]
no need to send multiple probe packets as an ESP keepalive
Both Juniper and GlobalProtect ESP send special probe packets to initiate the ESP connection, and as keepalives.
Multiple packets are sent to initiate the connection, because a lack of response will cause a total fallback to TLS.
However, one probe packet (per keepalive interval) is enough for the keepalive packets. GlobalProtect ESP already
did this, but Juniper did not.
This patch is motivated by me having access to the highest-latency Juniper VPN server in the known universe.
David Woodhouse [Wed, 9 Jan 2019 16:27:10 +0000 (16:27 +0000)]
Clean up DTLS cipher selection for OpenSSL >= 1.1.0
Where we have SSL_get1_supported_ciphers(), use it to generate the list we
advertise to the server in the first place. This stops us from advertising
DES support when we're not really going to do it, for example.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 9 Jan 2019 12:02:57 +0000 (12:02 +0000)]
OpenSSL: Loop over DTLS ciphersuites looking for the one we asked for.
As of OpenSSL 1.1.1, the trick of using SSL_CTX_set_cipher_list() and then
expecting only the one ciphersuite to be present in what we get back from
SSL_get_ciphers(), is no longer working. It now always returns the TLSv1.3
ciphers, even though we don't have DTLSv1.3 yet.
Reported as https://github.com/openssl/openssl/issues/8004 but probably
not going to change; the most likely outcome there is that I'm told that
I'm Doing It Wrong™ and a different approach is suggested.
In the meantime, just loop over the results and pick the one that we
actually asked for.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David GEIGER [Sat, 5 Jan 2019 22:27:24 +0000 (22:27 +0000)]
Fix Mageia TSS2_ESYS build
On Mageia Cauldron latest openconnect 8.00 and 8.01 fais to build with
TSS2_ESYS support due to a missing header in gnutls_tpm2_esys.c file, so
adding #include <errno.h> in gnutls_tpm2_esys.c fixes build.
Signed-off-by: David Geiger (Mageia Linux Team Packager) <geiger.david68210@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
projects / users / dwmw2 / openconnect.git / log