Piotr Kubaj [Fri, 12 May 2017 13:24:37 +0000 (14:24 +0100)]
Fix build with LibreSSL 2.5.1 and higher.
We don't actually care if we use the read or write state; we're only
calculating the cipher/protocol overheads which are the same in both
directions.
In LibreSSL they were all removed in
https://github.com/libressl-portable/openbsd/commit/122ecd906da7
and the read side was restored in
https://github.com/libressl-portable/openbsd/commit/0d7a7d5f5a44
so just use that.
Signed-off-by: Piotr Kubaj <pkubaj@anongoth.pl>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- This commit simply makes the openconnect GlobalProtect protocol work when
the GlobalProtect portal presents a gateway address that is not the same as
the actual portal. This is done by parsing the <gw-address> field of the XML
config received from the server and saving it to the new gateway_addr_gp variable
in the ip_info struct. This is then used as the destination of the ESP ICMP
packets.
Daniel Lenski [Sun, 15 Jan 2017 21:45:23 +0000 (13:45 -0800)]
enumerate supported VPN protocols via openconnect_get_supported_protocols()
Add a new public function, openconnect_get_supported_protocols(), which
returns a list of protocols supported by the client. Each supported
protocol has a short name (as accepted by the --protocol command-line
option), description, and list of flags.
The flags indicate features that are meaningful for this protocol, to be
used by tools like the NetworkManager configuration UI. Current flags:
* OC_PROTO_PROXY: can connect via HTTP or SOCKS proxy
* OC_PROTO_CSD: supports verification of the client via CSD trojan
* OC_PROTO_AUTH_CERT: supports authentication by client certificate
* OC_PROTO_AUTH_OTP: supports authentication by OATH HOTP/TOTP token
* OC_PROTO_AUTH_STOKEN: supports authentication by RSA SecurID token (stoken)
Description of anyconnect protocol adjusted to match IETF draft
standard for openconnect VPN (https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-00).
Daniel Lenski [Thu, 6 Apr 2017 04:54:20 +0000 (21:54 -0700)]
Wait until getconfig parse succeeds before clearing old IP config (fixes #16)
Previously, we would clear ip_info.addr and .netmask before successfully
requesting the new getconfig XML. This prevented openconnect from correctly
requesting the same IPv4 address that it had previously (via `preferred-ip`
in the query string) in cases where getconfig XML has to be re-requested
multiple times.
Daniel Lenski [Sun, 8 Jan 2017 20:27:54 +0000 (12:27 -0800)]
add oncp_bye() to logout the Juniper session
The nc protocol lacked a .vpn_close_session function; without logout, the
VPN cookie remains active and can be used to restart the session, which is a
security hazard—especially when passing around OpenConnect logs on the
mailing list for development and troubleshooting.
Juniper logout is straightforward: GET /dana-na/auth/logout.cgi (with the
appropriate DSID cookie set).
David Woodhouse [Wed, 14 Dec 2016 20:30:47 +0000 (20:30 +0000)]
Rely on SoftHSM being installed correctly with a p11-kit .module file
I don't actually remember why I added my own; it *ought* to be installed
correctly by the distribution's packaging of SoftHSM.
There was a brief discussion about my hard-coded version being
Fedora-specific, followed by a suggestion that I could pick up the
proper path from an existing module file, followed by the realisation
that said existing module file would suffice anyway. So just require it.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Janne Juntunen [Tue, 29 Nov 2016 22:37:22 +0000 (22:37 +0000)]
Add support for Google Authenticator 2fa on Juniper VPN
We recently changed our Juniper VPN from SMS 2fa to use Google
Authenticator instead. Before it worked perfectly with "openconnect
--juniper" switch, but after the change all we got was:
Unknown form ID 'frmTotpToken'
and a dump of the form.
I spent some time debugging the issue, and managed to write a very
simple fix for it.
Signed-off-by: Janne Juntunen <janne.juntunen@hermanit.fi>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Mike Miller [Wed, 14 Dec 2016 18:02:13 +0000 (10:02 -0800)]
tests: avoid using eval with variable assignments
For shell portability, avoid using eval with variable assignments to set
openconnect's environment. Shell implementations vary on whether
variable assignments in front of eval are marked as environment
variables or just treated as ordinary shell assignments.
Every call to $OPENCONNECT already has LD_PRELOAD=libsocket_wrapper.so
in front of it, so the "eval LD_PRELOAD=libsocket_wrapper.so" was
redundant anyway.
Signed-off-by: Mike Miller <mtmiller@debian.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Nikolay Martynov [Thu, 17 Nov 2016 03:26:17 +0000 (22:26 -0500)]
IPv6 packet size field doesn't include header size, take this into account
The IPv6 packet's 'length' field contains the length of the payload excluding headers.
The header's length (40) needs to be added to that to get the complete packet length.
This patch seems to be fixing random VPN drops.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
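The length rule described in the commit above, as an added example that is not OpenConnect's code: a length reader that handles both IP versions (IPv4 Total Length includes the header, IPv6 Payload Length does not), a deliberately wrong variant that forgets the 40-byte IPv6 header, and a walker over back-to-back packets that shows how the wrong variant loses sync. The packet bytes are constructed for the example, not captured traffic; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40

/* Total on-the-wire length of one IP packet, read from its header.
 * IPv4: 16-bit Total Length at offset 2, already includes the header.
 * IPv6: 16-bit Payload Length at offset 4, excludes the fixed 40-byte
 * header, so the header must be added.  Returns 0 on truncated/bad input. */
static size_t ip_packet_len(const uint8_t *pkt, size_t avail)
{
    if (avail < 1)
        return 0;
    switch (pkt[0] >> 4) {
    case 4: {
        if (avail < 20)
            return 0;
        size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
        size_t total = ((size_t)pkt[2] << 8) | pkt[3];
        return (ihl < 20 || total < ihl) ? 0 : total;
    }
    case 6: {
        if (avail < IPV6_HDR_LEN)
            return 0;
        return IPV6_HDR_LEN + (((size_t)pkt[4] << 8) | pkt[5]);
    }
    default:
        return 0;
    }
}

/* The mistake the commit fixes, kept for comparison: treating the IPv6
 * Payload Length as the whole packet. */
static size_t ip_packet_len_buggy(const uint8_t *pkt, size_t avail)
{
    if (avail >= IPV6_HDR_LEN && (pkt[0] >> 4) == 6)
        return ((size_t)pkt[4] << 8) | pkt[5];
    return ip_packet_len(pkt, avail);
}

/* Count packets packed back to back in one buffer, as they arrive over a
 * tunnel.  Returns -1 as soon as a header claims more bytes than remain or
 * parses as garbage: with the under-counted IPv6 length the walker lands in
 * the middle of the first packet and the stream is lost from then on. */
static int count_packets(const uint8_t *buf, size_t len,
                         size_t (*lenfn)(const uint8_t *, size_t))
{
    int n = 0;
    while (len) {
        size_t plen = lenfn(buf, len);
        if (plen == 0 || plen > len)
            return -1;
        buf += plen;
        len -= plen;
        n++;
    }
    return n;
}

/* Constructed sample: a 48-byte IPv6 packet (8 bytes of ICMPv6) followed by
 * a 28-byte IPv4 packet (8 bytes of ICMP).  Returns bytes written. */
static size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t v6hdr[IPV6_HDR_LEN] = {
        0x60, 0x00, 0x00, 0x00,          /* version 6, class, flow label */
        0x00, 0x08,                      /* payload length = 8 (no header) */
        0x3a, 0x40,                      /* next header ICMPv6, hop limit 64 */
        0xfd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,  /* src fd00::1 */
        0xfd, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,  /* dst fd00::2 */
    };
    static const uint8_t v4hdr[20] = {
        0x45, 0x00, 0x00, 0x1c,          /* IHL 5, total length = 28 */
        0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
        10, 0, 0, 1, 10, 0, 0, 2,        /* 10.0.0.1 -> 10.0.0.2 */
    };
    if (cap < 48 + 28)
        return 0;
    memcpy(out, v6hdr, 40);  memset(out + 40, 0xaa, 8);
    memcpy(out + 48, v4hdr, 20); memset(out + 68, 0xbb, 8);
    return 76;
}

/* Results on the sample, with the fixed and the buggy length calculation. */
static size_t sample_first_len(void) { uint8_t b[128]; return ip_packet_len(b, build_sample(b, sizeof b)); }
static int sample_count_fixed(void) { uint8_t b[128]; size_t n = build_sample(b, sizeof b); return count_packets(b, n, ip_packet_len); }
static int sample_count_buggy(void) { uint8_t b[128]; size_t n = build_sample(b, sizeof b); return count_packets(b, n, ip_packet_len_buggy); }

int main(void)
{
    printf("first packet %zu bytes; fixed walker finds %d packets, buggy walker returns %d\n",
           sample_first_len(), sample_count_fixed(), sample_count_buggy());
    return 0;
}
```

The buggy walker advances 8 bytes instead of 48, reads the source address as the next header and gives up, which is the "random drop" the commit describes when the tunnel's framing is recovered from the IP header.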
Dan Lenski [Sun, 16 Oct 2016 01:56:30 +0000 (18:56 -0700)]
Correctly handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24
The existing process_split_xxclude() only handles IPv4 routes
formatted as "10.1.2.0/255.255.255.0", not those formatted as
"10.1.2.0/24".
It's possible to unambiguously distinguish the two and handle the
latter case correctly, because no IPv4 netmask address can possibly
have a decimal integer value <= 32.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
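The two route syntaxes from the commit above handled in one parser, as an added example that is not OpenConnect's process_split_xxclude(): the part after "/" is taken as a prefix length only when it consists entirely of digits and is at most 32, otherwise it must parse as a dotted-quad mask. Checking for all-digits (rather than just the numeric value) also keeps a mask such as "0.0.0.0", for which strtoul() would return 0, from being mistaken for a prefix length. Non-contiguous masks are rejected and host bits are cleared. The struct and function names are the example's own; it relies on POSIX inet_pton().

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct route4 { uint32_t net; uint32_t mask; };   /* host byte order */

static int all_digits(const char *s)
{
    if (!*s)
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* Parse "24" or "255.255.255.0" into a mask.  Returns 0 on success, -1 if
 * the prefix is > 32, the quad is malformed, or the mask is not contiguous. */
static int parse_mask(const char *s, uint32_t *mask)
{
    if (all_digits(s)) {
        unsigned long v = strtoul(s, NULL, 10);
        if (v > 32)
            return -1;
        *mask = v ? 0xffffffffu << (32 - v) : 0;
        return 0;
    }
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return -1;
    uint32_t m = ntohl(a.s_addr), inv = ~m;
    if (inv & (inv + 1))          /* complement must be 2^k - 1 */
        return -1;
    *mask = m;
    return 0;
}

/* Parse "A.B.C.D", "A.B.C.D/N" or "A.B.C.D/M.M.M.M"; no "/" means a host route. */
static int parse_route4(const char *spec, struct route4 *r)
{
    char buf[64];
    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);
    uint32_t mask = 0xffffffffu;
    char *slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        if (parse_mask(slash + 1, &mask))
            return -1;
    }
    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    r->net = ntohl(a.s_addr) & mask;    /* clear host bits */
    r->mask = mask;
    return 0;
}

/* Single-value accessors for checking results: -1 on parse failure. */
static long long route_net(const char *spec)
{
    struct route4 r;
    return parse_route4(spec, &r) ? -1 : (long long)r.net;
}
static long long route_mask(const char *spec)
{
    struct route4 r;
    return parse_route4(spec, &r) ? -1 : (long long)r.mask;
}

int main(void)
{
    const char *specs[] = { "10.1.2.0/255.255.255.0", "10.1.2.0/24", "10.1.2.77/24",
                            "10.1.2.3", "0.0.0.0/0", "10.1.2.0/33", "10.1.2.0/255.0.255.0" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-24s net=%08llx mask=%08llx\n", specs[i], route_net(specs[i]), route_mask(specs[i]));
    return 0;
}
```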
Daniel Lenski [Sat, 15 Oct 2016 01:46:34 +0000 (18:46 -0700)]
Unset got_cancel_cmd after reacting to it, as is already done for got_pause_cmd
Per David Woodhouse (http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004034.html):
> I think it's probably OK to set vpninfo->got_cancel_cmd=0 in the mainloop
> right before calling proto->vpn_close_session. If we get cancelled
> *again* then we'll give up on that too.
Without this fix, do_https_request() can't be used to close the
session — it interrupts itself as soon as it sees that got_cancel_cmd is
set.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Sun, 16 Oct 2016 19:37:58 +0000 (12:37 -0700)]
Make buf_append_urlencoded() percent-encode fewer characters.
Per RFC 3986, the characters '-', '_', '.', '~' don't need to be
percent-encoded anywhere in a URL or query string.
Removed special case for ' ' → '+' to prevent incompatibility with ocserv:
http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004042.html
/* else if (c==' ')
buf_append_bytes(buf, "+", 1); */
Signed-off-by: Dan Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
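The encoding rule from the commit above as an added example, not OpenConnect's buf_append_urlencoded(): only the RFC 3986 unreserved set (ALPHA, DIGIT, "-", ".", "_", "~") passes through, a space becomes "%20" rather than "+", and every other byte (including each byte of a UTF-8 sequence) is encoded individually. A small query builder on top of it shows why the encoding matters for security: because both keys and values are encoded, a value containing "&" or "=" cannot inject an extra parameter. Function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.' || c == '~';
}

/* Percent-encode s.  Returns a malloc()ed string, or NULL on allocation failure. */
static char *urlencode(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(strlen(s) * 3 + 1);        /* worst case: every byte -> %XX */
    if (!out)
        return NULL;
    char *p = out;
    for (const unsigned char *c = (const unsigned char *)s; *c; c++) {
        if (is_unreserved(*c)) {
            *p++ = (char)*c;
        } else {                                  /* ' ' lands here and becomes %20 */
            *p++ = '%';
            *p++ = hex[*c >> 4];
            *p++ = hex[*c & 0x0f];
        }
    }
    *p = '\0';
    return out;
}

/* Build "k1=v1&k2=v2..." from npairs key/value pairs in kv[] (2*npairs
 * strings).  Returns a malloc()ed string, or NULL on allocation failure. */
static char *build_query(const char *const *kv, size_t npairs)
{
    char *q = calloc(1, 1);
    if (!q)
        return NULL;
    for (size_t i = 0; i < npairs; i++) {
        char *k = urlencode(kv[2 * i]), *v = urlencode(kv[2 * i + 1]), *nq = NULL;
        if (k && v)
            nq = realloc(q, strlen(q) + strlen(k) + strlen(v) + 3);  /* '&', '=', NUL */
        if (nq) {
            q = nq;
            if (i)
                strcat(q, "&");
            strcat(q, k); strcat(q, "="); strcat(q, v);
        } else {
            free(q); q = NULL;
        }
        free(k); free(v);
        if (!q)
            return NULL;
    }
    return q;
}

/* Constructed sample pairs: the second value carries '/', '?', '=' and '&'. */
static const char *const SAMPLE_KV[] = { "user", "bob smith", "next", "/home?x=1&y=2" };

/* Check helpers: 1 if the encoded form equals `want`, freeing the result. */
static int encodes_to(const char *in, const char *want)
{
    char *e = urlencode(in);
    int ok = e && strcmp(e, want) == 0;
    free(e);
    return ok;
}
static int query_is(const char *const *kv, size_t npairs, const char *want)
{
    char *q = build_query(kv, npairs);
    int ok = q && strcmp(q, want) == 0;
    free(q);
    return ok;
}

int main(void)
{
    char *q = build_query(SAMPLE_KV, 2);
    printf("%s\n", q ? q : "(alloc failed)");
    free(q);
    return 0;
}
```

Note that strlen() bounds the input, so a NUL byte inside a buffer cannot be encoded with this interface; a length-taking variant is needed if raw binary is to be placed in a query string.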
David Woodhouse [Tue, 13 Dec 2016 11:36:15 +0000 (11:36 +0000)]
Stop using deprecated LZ4 functions
../cstp.c:865:3: warning: ‘LZ4_compress_limitedOutput’ is deprecated: use LZ4_compress_default() instead [-Wdeprecated-declarations]
ret = LZ4_compress_default((void*)this->data, (void*)vpninfo->deflate_pkt->data,
^~~
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Nikos Mavrogiannopoulos [Tue, 1 Nov 2016 08:32:31 +0000 (09:32 +0100)]
openconnect_check_peer_cert_hash: allow partial server hash matches
That is, allow the user to specify a small part of the hash (e.g., 'sha256:6429')
in order to be able to connect. This is to ease test connections, when copy-paste
is not possible.
[dwmw2: Fix man page to say 'at least 4 characters' not 'more than']
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
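The partial-match rule from the commit above as an added example, not OpenConnect's openconnect_check_peer_cert_hash(): the algorithm label must be identical, the user's hex part must be a case-insensitive prefix of the server's digest, and it must be at least four hex digits long (the "at least 4 characters" of the man page fix). The sample digest is constructed, not a real server's, and the minimum-length constant and function names are the example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_PIN_HEX 4   /* assumed minimum, matching the commit's "at least 4" */

/* Constructed sample: "sha256:" followed by 64 hex digits. */
static const char SAMPLE_HASH[] =
    "sha256:6429f0c1d2e3a4b5968778695a4b3c2d1e0f0123456789abcdef0123456789ab";

/* 1 if user_pin ("alg:hexprefix") matches actual ("alg:fullhex"), else 0. */
static int peer_hash_matches(const char *user_pin, const char *actual)
{
    const char *uc = strchr(user_pin, ':');
    const char *ac = strchr(actual, ':');
    if (!uc || !ac)
        return 0;
    size_t alg_len = (size_t)(uc - user_pin);
    if (alg_len == 0 || alg_len != (size_t)(ac - actual) ||
        memcmp(user_pin, actual, alg_len) != 0)
        return 0;                                  /* algorithm label differs */
    uc++;
    ac++;
    size_t ulen = strlen(uc);
    if (ulen < MIN_PIN_HEX || ulen > strlen(ac))
        return 0;                                  /* too short, or longer than digest */
    for (size_t i = 0; i < ulen; i++) {
        unsigned char u = (unsigned char)uc[i], a = (unsigned char)ac[i];
        if (!isxdigit(u) || tolower(u) != tolower(a))
            return 0;
    }
    return 1;
}

/* Digest bits an attacker must match to satisfy this pin: 4 per hex digit. */
static int pin_strength_bits(const char *user_pin)
{
    const char *uc = strchr(user_pin, ':');
    return uc ? (int)strlen(uc + 1) * 4 : 0;
}

int main(void)
{
    const char *pins[] = { "sha256:6429", "sha256:6429F0C1", "sha256:642",
                           "sha1:6429", "sha256:6430", SAMPLE_HASH };
    for (size_t i = 0; i < sizeof pins / sizeof pins[0]; i++)
        printf("%-72s match=%d strength=%d bits\n", pins[i],
               peer_hash_matches(pins[i], SAMPLE_HASH), pin_strength_bits(pins[i]));
    return 0;
}
```

pin_strength_bits() makes the trade-off visible: a four-digit prefix pins only 16 bits of the digest, so an attacker needs on the order of 65536 certificate generations to produce a match. That is fine for the test connections the commit has in mind and not acceptable as a production pin, where the full digest should be used. The early-exit comparison is not constant-time, which is acceptable here because the server certificate hash is public.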