yubikey.c:421:13: warning: The left operand of '!=' is a garbage value [core.UndefinedBinaryOperatorResult]
421 | if (type != NAME_LIST_TAG || tlvlen < 1) {
| ~~~~ ^
auth.c:717:14: warning: Access to field 'auth_id' results in a dereference of a null pointer (loaded from variable 'form') [core.NullDereference]
717 | if (!strcmp(form->auth_id, "success"))
| ^~~~~~~~~~~~~
openssl.c:2090:3: warning: The 1st argument to 'close' is <= -2 but should be >= -1 [unix.StdCLibraryFunctions]
2090 | closesocket(vpninfo->ssl_fd);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
./openconnect-internal.h:1176:21: note: expanded from macro 'closesocket'
1176 | #define closesocket close
| ^
gnutls.c:2569:3: warning: The 1st argument to 'close' is <= -2 but should be >= -1 [unix.StdCLibraryFunctions]
2569 | closesocket(vpninfo->ssl_fd);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
./openconnect-internal.h:1176:21: note: expanded from macro 'closesocket'
1176 | #define closesocket close
| ^
esp.c:451:3: warning: The 1st argument to 'close' is <= -2 but should be >= -1 [unix.StdCLibraryFunctions]
451 | closesocket(vpninfo->dtls_fd);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./openconnect-internal.h:1176:21: note: expanded from macro 'closesocket'
1176 | #define closesocket close
| ^
Jan-Michael Brummer [Wed, 11 Jun 2025 13:41:51 +0000 (15:41 +0200)]
Move localname setter to openconnect_vpninfo_new
Currently localname was only set for CLI version and thus
every application making use of openconnect_vpninfo_new had localhost
as default name. This can cause issues with e.g. PAN and thus
move it to this function to ensure every consumer is safe.
Dimitri Papadopoulos [Wed, 2 Nov 2022 23:21:51 +0000 (00:21 +0100)]
Create new process group for script
The SIGINT signal is delivered to each process of the OpenConnect
process group. We want the script to run in a different process group,
so that SIGINT is not delivered to the script. We want the script to
finish its task, typically set/reset routing and DNS.
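An added illustration of the mechanism this commit describes (example code, not OpenConnect's own): the child calls setpgid() before exec so the script leaves the OpenConnect process group, and the parent repeats the call to close the race. Function names and the `sleep 1` stand-in for the routing/DNS script are assumptions.

```c
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
/* Fork and exec argv[] as leader of a new process group; returns the child
 * pid or -1.  A SIGINT aimed at the caller's group (e.g. the terminal's
 * Ctrl-C, which hits the foreground process group) no longer reaches it. */
static pid_t spawn_in_new_pgrp(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: leave the parent's group before exec. */
        if (setpgid(0, 0) < 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127);
    }
    /* Parent: set it too, so a signal arriving before the child runs its own
     * setpgid() still misses it.  EACCES = child already exec'd; that is fine. */
    if (setpgid(pid, pid) < 0 && errno != EACCES) {
        kill(pid, SIGKILL);
        waitpid(pid, NULL, 0);
        return -1;
    }
    return pid;
}

/* 1 if pid leads its own process group and that group is not ours. */
static int isolated_from_our_pgrp(pid_t pid)
{
    pid_t pg = getpgid(pid);
    return pg > 0 && pg == pid && pg != getpgrp();
}

/* Run a constructed stand-in for the script, check isolation, reap it.
 * Returns 1 on success, 0 otherwise. */
static int demo_check(void)
{
    char *const script[] = { "sh", "-c", "sleep 1", NULL };
    pid_t pid = spawn_in_new_pgrp(script);
    int status, ok;
    if (pid < 0)
        return 0;
    ok = isolated_from_our_pgrp(pid);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return 0;
    return ok && WEXITSTATUS(status) == 0;
}
```

A process outside the foreground group that reads from the terminal receives SIGTTIN, so a script run this way should not expect interactive input.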
The arguments of openconnect_set_mobile_info() have been strdup'ed:
- prior to passing them to openconnect_set_mobile_info(),
- inside openconnect_set_mobile_info().
We don't need both. I have chosen to keep the strdup() call inside
openconnect_set_mobile_info(), and discard the strdup() of the arguments
just before calling openconnect_set_mobile_info().
fake-cisco-server.py:205: DeprecationWarning: ssl.SSLContext() without protocol argument is deprecated.
fake-cisco-server.py:205: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
All ssl.PROTOCOL_TLS* constants have been added in Python 3.6, and
the default PROTOCOL_TLS has been deprecated since Python 3.10.
David Woodhouse [Tue, 7 Jan 2025 13:20:13 +0000 (13:20 +0000)]
tests: set SOCKET_WRAPPER_DIR_ALLOW_ORIG
This allows the sockwrap library to use the original relative path of its
directory, instead of failing when realpath() gives an absolute pathname
which is too long. This was causing the COPR builds to fail on newer
versions of Fedora (with newer sockwrap).
Closes: #770
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 7 Jan 2025 13:06:54 +0000 (13:06 +0000)]
tests: Don't recreate sockdir after cleanup()
Ever since commit bba8db3e922d ("modify tests/common.sh so that
launch_simple_sr_server() → test → cleanup() can be used repeatedly in a
single script") the cleanup() function has left an empty socket wrapper
directory behind.
Instead of recreating it in cleanup(), do so in launch_simple_sr_server()
and launch_simple_pppd().
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 5 Apr 2024 16:23:22 +0000 (17:23 +0100)]
Allow tests to run over IPv6 as well as Legacy IP
When run in an environment with no Legacy IP addresses, or no IPv6 addresses,
AI_ADDRCONFIG will cause getaddrinfo() not to return addresses of that type.
So when running in an IPv6-only environment, ocserv doesn't listen on Legacy
IP. And thus the tests fail. Fix this by using a hostname 'sockwrap' for the
test connections, and providing '--resolve' arguments for both the Legacy IP
and IPv6 addresses handled by libsocket_wrapper.
Some of the python test servers which don't use AI_ADDRCONFIG do still work
on Legacy IP, so leave those alone for now.
We recently added '-4' to the socat invocation for the nullppp tests, for
similar reasons (because socat started listening on IPv6 by default). We
can remove that now too.
Closes #721
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Imple Lee [Thu, 19 Dec 2024 15:57:10 +0000 (15:57 +0000)]
fix URL to Open Build Service
The original page now shows an error stating `no implicit conversion of nil into String`.
This is due to an extra `;` in the URL.
It seems that Open Build Service doesn't accept this now.
Removing the extra `;` makes the link correct.
Stefan Bühler [Wed, 19 Jun 2024 14:01:10 +0000 (16:01 +0200)]
Don't default form action to '/' in AnyConnect/OpenConnect XML form handling (fixes #737)
Still require action to be non-empty if present.
Form action "redirect" handling code in auth.c already works with
action==NULL (as in not building a new URL). (It'd do weird things
with an empty action though.)
Signed-off-by: Stefan Bühler <source@stbuehler.de>
Marios Paouris [Sat, 12 Oct 2024 14:56:34 +0000 (17:56 +0300)]
Improved adapter name generation when no adapter name is specified.
Try to find an adapter name that is not already used in the system by
appending a monotonically increasing integer to the hostname that is
used as a default name.
This works around wintun's weird behaviour of renaming existing adapters
without preventing two or more instances of openconnect to connect to
the same VPN host (without explicitly specifying an interface name), or
otherwise messing with the user's network adapters.
Marios Paouris [Mon, 7 Oct 2024 05:53:35 +0000 (08:53 +0300)]
Use hostname as Wintun ifname (if ifname not specified), v2
The intention for the commit 48bd28aa was a bit different
from what was actually implemented.
Although it states that "Instead, we should use the VPN server's hostname
as a sane default interface name with Wintun, and only attempt to use
TAP-Windows as a fallback in the case where Wintun can't be initialized.",
it first tries with an empty interface name, which uses the first available
interface found, whether it is tap or tun, and if that fails then creates
the same default with the server name, which will prioritize wintun over
tap.
Instead, implement the following flow:
If the user did specify an interface name:
- Try to find an adapter with the specified name (whether it's tun
or tap) and use it.
- If no adapter found, try to create a wintun adapter. If wintun is
not available then bail out.
If the user did not specify an interface name:
- Generate a default interface name based on the server URL.
- If the generated interface already exists don't try to use it
and fall back to using the first available adapter.
- If the generated interface doesn't exist, try to create a wintun
adapter. If wintun is not available then fall back to using the first
available adapter.
See https://gitlab.com/openconnect/openconnect-gui/-/issues/357#note_1758999655
and https://gitlab.com/openconnect/openconnect/-/issues/699#note_1762029017
Enumerate adapters to a list to decouple searching from enumerating.
Add adapters of types we are not interested in to the list, to facilitate
name collision detection, if needed.
Get Wintun adapter guid by calling APIs instead of searching again.