Dimitri Papadopoulos [Wed, 2 Nov 2022 23:21:51 +0000 (00:21 +0100)]
Create new process group for script
The SINGINT signal is delivered to the each process of the OpenConnect
process group. We want the script to run in a different process group,
so that SIGINT is not delivered to the script. We want the script to
finish its task, typically set/reset routing and DNS.
The arguments of openconnect_set_mobile_info() have been strdup'ed:
- prior to passing them to openconnect_set_mobile_info(),
- inside openconnect_set_mobile_info().
We don't need both. I have chosen to keep the strdup() call inside
openconnect_set_mobile_info(), and discard the strdup() of the arguments
just before calling openconnect_set_mobile_info().
fake-cisco-server.py:205: DeprecationWarning: ssl.SSLContext() without protocol argument is deprecated.
fake-cisco-server.py:205: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
All ssl.PROTOCOL_TLS* constants have been added in Python 3.6, and
the default PROTOCOL_TLS has been deprecated since Python 3.10.
David Woodhouse [Tue, 7 Jan 2025 13:20:13 +0000 (13:20 +0000)]
tests: set SOCKET_WRAPPER_DIR_ALLOW_ORIG
This allows the sockwrap library to use the original relative path of its
directory, instead of failing when realpath() gives an absolute pathname
which is too long. This was causing the COPR builds to fail on newer
versions of Fedora (with newer sockwrap).
Closes: #770 Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 7 Jan 2025 13:06:54 +0000 (13:06 +0000)]
tests: Don't recreate sockdir after cleanup()
Ever since commit bba8db3e922d ("modify tests/common.sh so that
launch_simple_sr_server() → test → cleanup() can be used repeatedly in a
single script") the cleanup() function has left an empty socket wrapper
directory behind.
Instead of recreating it in cleanup(), do so in launch_simple_sr_server()
launch_simple_pppd().
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 5 Apr 2024 16:23:22 +0000 (17:23 +0100)]
Allow tests to run over IPv6 as well as Legacy IP
When run in an environment with no Legacy IP addresses, or no IPv6 addresses,
AI_ADDRCONFIG will cause getaddrinfo() not to return addresses of that type.
So when running in an IPv6-only environment, ocserv doesn't listen on Legacy
IP. And thus the tests fail. Fix this by using a hostname 'sockwrap' for the
test connections, and providing '--resolve' arguments for both the Legacy IP
and IPv6 addresses handled by libsocket_wrapper.
Some of the python test servers which don't use AI_ADDRCONFIG do still work
on Legacy IP, so leave those alone for now.
We recently added '-4' to the socat invocation for the nullppp tests, for
similar reasons (becaose socat started listening on IPv6 by default). We
can remove that now too.
Closes #721
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Imple Lee [Thu, 19 Dec 2024 15:57:10 +0000 (15:57 +0000)]
fix URL to Open Build Service
The original page now shows an error stating `no implicit conversion of nil into String`.
This is due to an extra `;` in the URL.
It seems that Open Build Service doesn't accept this now.
Removing the extra `;` makes the link correct.
Stefan Bühler [Wed, 19 Jun 2024 14:01:10 +0000 (16:01 +0200)]
Don't default form action to '/' in AnyConnect/OpenConnect XML form handling (fixes #737)
Still require action to be non-empty if present.
Form action "redirect" handling code in auth.c already works with
action==NULL (as in not building a new URL). (It'd do weird things
with an empty action though.)
Signed-off-by: Stefan Bühler <source@stbuehler.de>
Marios Paouris [Sat, 12 Oct 2024 14:56:34 +0000 (17:56 +0300)]
Improved adapter name generation when no adapter name is specified.
Try to find an adapter name that is not already used in the system by
appending a monotonically increasing integer to the hostname that is
used as a default name.
This works around wintun's weird behaviour of renaming existing adapters
without preventing two or more instances of openconnect to connect to
the same VPN host (without explicity specifying an interface name), or
otherwise messing with user's network adapters.
Marios Paouris [Mon, 7 Oct 2024 05:53:35 +0000 (08:53 +0300)]
Use hostname as Wintun ifname (if ifname not specified), v2
The intention for the commit 48bd28aa was a bit different
from what was actually implemented.
Although it states that "Instead, we should use the VPN server's hostname
as a sane default interface name with Wintun, and only attempt to use
TAP-Windows as a fallback in the case where Wintun can't be initialized.",
it first tries with an empty interface name, which uses the first available
interface found, whether it is tap or tun, and if that fails then creates
the same default with the server name, which will prioritize wintun over
tap.
Instead, implement the following flow:
If the user did specify an interface name:
- Try to find an adapter with the specified name (whether it's tun
or tap) and use it.
- If no adapter found, try to create a wintun adapter. If wintun is
not available then bail out.
If the user did not specify an interface name:
- Generate a default interface name based on the server URL.
- If the generated interface already exists don't try to use it
and fallback to using the first available adapter.
- If the generated interface doesn't exist, try to create a wintun
adapter. If wintun in not available then fallback to using the first
available adapter.
See https://gitlab.com/openconnect/openconnect-gui/-/issues/357#note_1758999655
and https://gitlab.com/openconnect/openconnect/-/issues/699#note_1762029017
Enumerate adapters to a list to decouple searching from enumerating.
Add adapters with of not interested types to the list, to facilitate name
collision detection, if needed.
Get Wintun adapter guid by calling APIs instead of searching again.
Daniel Lenski [Sun, 28 Jul 2024 00:38:01 +0000 (17:38 -0700)]
Update changelog
This also addresses the closely-related issue described in
https://gitlab.com/openconnect/openconnect/-/merge_requests/500, where
OpenConnect would prefer a GP server's IPv6 magic ping adress over its
Legacy IP magic ping address, even if `--disable-ipv6` is specified:
> Previous logic always preferred the ipv6 gateway address and magic for ESP
> even if ipv6 was explicitly disabled. A VPN I use currently will only
> negotiate an ESP connection over ipv4 despite advertising a v6 gateway.
This similarly results in non-functional ESP:
> The result was that with ipv6 enabled, ESP pings were sent but would not
> renegotiate, with it disabled openconnect would erroneously report that
> the response did not contain a matching gateway and keys.
Daniel Lenski [Sat, 27 Jul 2024 22:04:58 +0000 (15:04 -0700)]
Add a fake IPSEC/ESP configuration to fake-gp-server.py
This allows testing for correct interpretation of the ESP configuration, as in
https://lists.infradead.org/pipermail/openconnect-devel/2024-July/005447.html
Also needed to fix a mistake in the logout handler of fake-gp-server.py
("POST not GET"), and an oversight in how GP propagated errors when falling
back to TLS tunnel from ESP.
Daniel Lenski [Sat, 27 Jul 2024 17:58:28 +0000 (10:58 -0700)]
GP server may send only a Legacy IP client address, but both Legacy and IPv6 magic addresses for ESP
In this corner case, we need to use the Legacy IP magic address. The
inverse corner case would be if the server sends ESP ping magic addresses of
both types, but only sends an IPv6 client address; we were already handling
that one correctly, because we had observed that GlobalProtect servers
require the client to use the IPv6 magic ping address if they want to send
both IPv6 and Legacy IP traffic.
The easiest and most straightforward way to handle all these cases robustly
is simply to save both versions of the ESP magic address, just as we save
both versions of the client address, until after we have parsed the whole
config. At that point we decide which ESP magic address should be used.
See logs attached to
https://lists.infradead.org/pipermail/openconnect-devel/2024-July/005447.html
for an example of this:
POST https://vpnhost.example.com/ssl-vpn/getconfig.esp
…
< <gw-address>REDACTEDIPV4ADDRESS7</gw-address>
< <gw-address-v6>REDACTEDIPV6ADDRESS7</gw-address-v6>
< <ipv6-connection>no</ipv6-connection>
< <ip-address>REDACTEDIPV4ADDRESS0</ip-address>
< <netmask>255.255.255.255</netmask>
…
< <ipsec>…</ipsec>
Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
Antonio Borneo [Sat, 15 Jun 2024 12:32:23 +0000 (14:32 +0200)]
csd-wrapper: remove trailing part from URL
The Cisco ASA server I use got some update.
It suddenly stopped providing the reply:
<host-scan-base-uri>/CACHE</host-scan-base-uri>
and went back to the legacy reply:
<csdLinux
stuburl="/CACHE/sdesktop/install/binaries/sfinst"
starturl="/CACHE/sdesktop/install/result.htm"
waiturl="/+CSCOE+/sdesktop/wait.html"
/>
The csd-wrapper now receives in the command line
-url https://server/CACHE/sdesktop/install/result.htm
instead of
-url https://server/CACHE
and, obviously, the concatenation of $URL within the script makes
impossible to download the manifest.
Strip away the trailing "/sdesktop/*" from $URL.
This should work even in case of custom path in the ASA server.
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Nikos Mavrogiannopoulos [Fri, 10 May 2024 18:29:44 +0000 (20:29 +0200)]
.gitlab-ci.yml: use saas-linux-small-amd64 as tag
The linux and shared tags are deprecated:
https://docs.gitlab.com/ee/update/deprecations.html?removal_milestone=17.0#removal-of-tags-from-small-saas-runners-on-linux
projects / users / dwmw2 / openconnect.git / log