Android 10 App Crash #51

Closed
alienator88 opened this issue Sep 6, 2019 · 101 comments

@alienator88

The app crashes when trying to connect on Android 10/OxygenOS.
Seeing the following error in logcat:
libc Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 11944 (OpenVPNManageme), pid 9948 (app.openconnect)

@kiavash-at-work

It also crashes on Android Studio Q emulator.

@bukowski12

The app crashes when trying to connect on Android 10/Pixel

@larionov

Crashes on pixel 3 xl with android 10

@contemno

contemno commented Sep 16, 2019

After figuring out how to crudely build and debug Android apps in Android Studio, I found this error on the debugging console on Android 10 that I didn't get on Android 9 (on which the app still works):

A/libc: FORTIFY: %n not allowed on Android

Apparently %n was used in exploits in older versions of sprintf, and Android 9 and below silently sanitize it. Android 10 will not, and refuses to accept it, causing the app to crash. The component responsible for this security feature is called FORTIFY.

https://android-developers.googleblog.com/2017/04/fortify-in-android.html

In the five vasnprintf.c files that contain:

#if USE_SNPRINTF
# if !(((__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) && !defined __UCLIBC__) || ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__))
                fbp[1] = '%';
                fbp[2] = 'n';
                fbp[3] = '\0';
# else
                /* On glibc2 systems from glibc >= 2.3 - probably also older
                   ones - we know that snprintf's return value conforms to
                   ISO C 99: the tests gl_SNPRINTF_RETVAL_C99 and
                   gl_SNPRINTF_TRUNCATION_C99 pass.
                   Therefore we can avoid using %n in this situation.
                   On glibc2 systems from 2004-10-18 or newer, the use of %n
                   in format strings in writable memory may crash the program
                   (if compiled with _FORTIFY_SOURCE=2), so we should avoid it
                   in this situation.  */
                /* On native Windows systems (such as mingw), we can avoid using
                   %n because:
                     - Although the gl_SNPRINTF_TRUNCATION_C99 test fails,
                       snprintf does not write more than the specified number
                       of bytes. (snprintf (buf, 3, "%d %d", 4567, 89) writes
                       '4', '5', '6' into buf, not '4', '5', '\0'.)
                     - Although the gl_SNPRINTF_RETVAL_C99 test fails, snprintf
                       allows us to recognize the case of an insufficient
                       buffer size: it returns -1 in this case.
                   On native Windows systems (such as mingw) where the OS is
                   Windows Vista, the use of %n in format strings by default
                   crashes the program. See
                     <http://gcc.gnu.org/ml/gcc/2007-06/msg00122.html> and
                     <http://msdn2.microsoft.com/en-us/library/ms175782(VS.80).aspx>
                   So we should avoid %n in this situation.  */
                fbp[1] = '\0';
# endif
#else
                fbp[1] = '\0';
#endif

Based on these comments:

https://lists.gnu.org/archive/html/bug-gnulib/2018-12/msg00126.html
https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00122.html
https://gitlab.com/gnutls/gnutls/issues/653

I tried patching the line:

# if !(((__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) && !defined __UCLIBC__) || ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__))
to:
# if !(((__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)) && !defined __UCLIBC__) || ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__) || defined __ANDROID__)

but that doesn't seem to work.

It's highly likely that, because I don't know what I'm doing, I'm not building the C libraries (libopenconnect, libgnutls, etc.) with the NDK (20.0.5594570) correctly, or I'm looking in the wrong place.

My next steps are to figure out how to print debugging messages or a stack trace to figure out where in the c libraries the app dies, and what is trying to pass %n.
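The gnulib comment quoted in the post above says `%n` can be dropped wherever snprintf's return value conforms to C99. As an added example (not code from gnulib, OpenConnect, or anyone in this thread), the C below takes the byte count from that return value and refuses any format string that still carries a `%n` conversion; the function names `format_uses_percent_n` and `format_without_percent_n` are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if fmt contains a %n conversion, 0 otherwise.  Flags, width,
   precision, positional "N$" and length modifiers between '%' and the
   conversion character are skipped, so "%hhn" and "%1$n" are caught too. */
int format_uses_percent_n(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                   /* "%%" is a literal percent sign */
        p += strspn(p, "-+ #'*.$0123456789hlLqjzt");
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            break;                      /* truncated directive at end of string */
    }
    return 0;
}

/* Format into a heap buffer without ever using %n.  The number of bytes
   produced comes from vsnprintf's C99 return value: a value >= the buffer
   size means "truncated, this many bytes are needed", so the buffer is
   grown once and the call repeated.  Returns NULL on error or when fmt
   contains %n; the caller frees the result. */
char *format_without_percent_n(size_t *count, const char *fmt, ...)
{
    if (format_uses_percent_n(fmt))
        return NULL;

    size_t cap = 8;                     /* small on purpose so the retry path runs */
    char *buf = malloc(cap);
    while (buf != NULL) {
        va_list ap;
        va_start(ap, fmt);
        int n = vsnprintf(buf, cap, fmt, ap);
        va_end(ap);

        if (n < 0) {                    /* encoding or output error */
            free(buf);
            return NULL;
        }
        if ((size_t)n < cap) {          /* everything fit, n is the byte count */
            *count = (size_t)n;
            return buf;
        }
        cap = (size_t)n + 1;            /* exact size reported by the C99 return value */
        char *bigger = realloc(buf, cap);
        if (bigger == NULL)
            free(buf);
        buf = bigger;
    }
    return NULL;
}

int main(void)
{
    size_t len = 0;
    /* Constructed sample input, reusing the "%d %d" call from the gnulib comment. */
    char *s = format_without_percent_n(&len, "%d %d", 4567, 89);
    if (s == NULL)
        return 1;
    printf("%s (%zu bytes)\n", s, len);
    free(s);
    printf("format with %%n detected: %d\n", format_uses_percent_n("%d%n"));
    return 0;
}
```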

@cernekee
Owner

https://gitlab.com/gnutls/gnutls/issues/653

IMO this is the most likely culprit, although you might want to check adb logcat for a stack trace to confirm. It's possible that updating $OPENCONNECT/android/ to the latest GnuTLS will cure it.

@contemno

I tried updating GnuTLS to 3.6.9 and Nettle to 3.4.1 but still get the A/libc: FORTIFY: %n not allowed on Android message.

I noticed that the oath-toolkit also had a copy of vasnprintf.c, and from what I could find, the latest version, 2.6.2, is from 2016. It may need to be updated to avoid using '%n' on Android.

@astv25

astv25 commented Sep 25, 2019

2019-09-25 11:34:22.426 14776-14776/? A/DEBUG: Timestamp: 2019-09-25 11:34:22-0500
2019-09-25 11:34:22.426 14776-14776/? A/DEBUG: pid: 14646, tid: 14773, name: OpenVPNManageme >>> app.openconnect <<<
2019-09-25 11:34:22.427 14776-14776/? A/DEBUG: uid: 10135
2019-09-25 11:34:22.427 14776-14776/? A/DEBUG: signal 6 (SIGABRT), code -1 (SI_QUEUE), fault addr --------
2019-09-25 11:34:22.427 14776-14776/? A/DEBUG: Abort message: 'FORTIFY: %n not allowed on Android'
2019-09-25 11:34:22.427 14776-14776/? A/DEBUG: eax 00000000 ebx 00003936 ecx 000039b5 edx 00000006
2019-09-25 11:34:22.427 14776-14776/? A/DEBUG: edi eaf0433e esi bf9752e0
2019-09-25 11:34:22.427 14776-14776/? A/DEBUG: ebp edca5ad0 esp bf975288 eip edca5ad9
2019-09-25 11:34:22.572 14776-14776/? A/DEBUG: backtrace:
2019-09-25 11:34:22.573 14776-14776/? A/DEBUG: #00 pc 00000ad9 [vdso] (__kernel_vsyscall+9)
2019-09-25 11:34:22.573 14776-14776/? A/DEBUG: #01 pc 00092328 /apex/com.android.runtime/lib/bionic/libc.so (syscall+40) (BuildId: 76290498408016ad14f4b98c3ab6c65c)
2019-09-25 11:34:22.573 14776-14776/? A/DEBUG: #02 pc 000ad651 /apex/com.android.runtime/lib/bionic/libc.so (abort+193) (BuildId: 76290498408016ad14f4b98c3ab6c65c)
2019-09-25 11:34:22.573 14776-14776/? A/DEBUG: #03 pc 000f46fa /apex/com.android.runtime/lib/bionic/libc.so (__fortify_fatal(char const*, ...)+58) (BuildId: 76290498408016ad14f4b98c3ab6c65c)
2019-09-25 11:34:22.573 14776-14776/? A/DEBUG: #04 pc 000f3dcb /apex/com.android.runtime/lib/bionic/libc.so (__vfprintf+11211) (BuildId: 76290498408016ad14f4b98c3ab6c65c)
2019-09-25 11:34:22.573 14776-14776/? A/DEBUG: #05 pc 001133aa /apex/com.android.runtime/lib/bionic/libc.so (snprintf+170) (BuildId: 76290498408016ad14f4b98c3ab6c65c)
2019-09-25 11:34:22.573 14776-14776/? A/DEBUG: #06 pc 000a1440 /data/app/app.openconnect-H8SZUkhIAU2jL7Oh7V1vuw==/lib/x86/libopenconnect.so (vasnprintf+3088)

I got the following trace from an (emulated) Pixel 2 running API 29. It looks like GnuTLS removed their implementation of vasprintf in favor of the gnulib one.

@ffyliu

ffyliu commented Sep 30, 2019

Has anyone solved this problem? I also encountered the same problem on pix2-androidQ.

@ffyliu

ffyliu commented Oct 10, 2019

I compiled with the modifications below; openconnect can run on mate30, pixel2, android Q-emulator

update GNUTLS to version 3.6.8
update NETTLE to version 3.4.1
modify the files below (rootPath = ics-openconnect/external/openconnect/android/sources/):
./oath-toolkit-2.6.2/oathtool/gl/vasnprintf.c
./oath-toolkit-2.6.2/liboath/gl/vasnprintf.c
./oath-toolkit-2.6.2/libpskc/gl/tests/vasnprintf.c

The attachment is the modified ./oath-toolkit-2.6.2/oathtool/gl/vasnprintf.c;
do the same with the other two files and compile.

oath-toolkit-2.6.2_oathtool_gl_vasnprintf.zip

@aryan549

Hi @ffyliu,

Thanks for the fix. It's working perfectly.

@davemidd

What's the chance of one of you guys getting the fix into a Pull Request? :)

@itfintech

itfintech commented Dec 11, 2019

Hello to all,
Thx a lot @ffyliu for the solution option, it's working but it affected the OPPO R9s.

12-04 09:17:34.837 9397-9397/com.hidemepls.vpn E/AndroidRuntime: FATAL EXCEPTION: main
Process: com.hidemepls.vpn, PID: 9397
java.lang.UnsatisfiedLinkError: dlopen failed: cannot locate symbol "in6addr_any" referenced by "/data/app/com.hidemepls.vpn-1/lib/arm64/libopenconnect.so"...
    at java.lang.Runtime.loadLibrary(Runtime.java:372)
    at java.lang.System.loadLibrary(System.java:988)
    at com.hidemepls.vpn.TheApplication.onCreate(TheApplication.java:93)
    at android.app.Instrumentation.callApplicationOnCreate(Instrumentation.java:1017)
    at android.app.ActivityThread.handleBindApplication(ActivityThread.java:5084)
    at android.app.ActivityThread.access$1700(ActivityThread.java:197)
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1672)
    at android.os.Handler.dispatchMessage(Handler.java:111)
    at android.os.Looper.loop(Looper.java:224)
    at android.app.ActivityThread.main(ActivityThread.java:5958)
    at java.lang.reflect.Method.invoke(Native Method)
    at java.lang.reflect.Method.invoke(Method.java:372)
    at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1113)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:879)

I would appreciate it if someone could help me identify what the reason might be.
Note: the old version works fine on OPPO; as soon as I apply the fix, P30 works fine but OPPO does not.

@fariya12

Has anyone solved this problem? Any working solution? If anyone has, please help me.

@kmchmk

kmchmk commented Dec 27, 2019

Has anyone solved this problem? Any working solution? If anyone has, please help me.

Try this.
https://play.google.com/store/apps/details?id=com.github.digitalsoftwaresolutions.openconnect

@tnzil

tnzil commented Dec 30, 2019

please help whenever I try to compile with nettle 3.4.1 and gnutls 3.6.8

checking for guile-snarf... /usr/bin/guile-snarf
checking for guild... /usr/bin/guild
checking for arm-linux-androideabi-pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
configure: checking for guile 2.2
configure: checking for guile 2.0
configure: checking for guile 1.8
configure: error:
No Guile development packages were found.

Please verify that you have Guile installed. If you installed Guile
from a binary distribution, please verify that you have also installed
the development packages. If you installed it yourself, you might need
to adjust your PKG_CONFIG_PATH; see the pkg-config man page for more.

@farhananwar187

I compiled with the modifications below; openconnect can run on mate30, pixel2, android Q-emulator

update GNUTLS to version 3.6.8
update NETTLE to version 3.4.1
modify the files below (rootPath = ics-openconnect/external/openconnect/android/sources/):
./oath-toolkit-2.6.2/oathtool/gl/vasnprintf.c
./oath-toolkit-2.6.2/liboath/gl/vasnprintf.c
./oath-toolkit-2.6.2/libpskc/gl/tests/vasnprintf.c

The attachment is the modified ./oath-toolkit-2.6.2/oathtool/gl/vasnprintf.c;
do the same with the other two files and compile.

oath-toolkit-2.6.2_oathtool_gl_vasnprintf.zip

please help whenever I try to compile with nettle 3.4.1 and gnutls 3.6.8

checking for guile-snarf... /usr/bin/guile-snarf
checking for guild... /usr/bin/guild
checking for arm-linux-androideabi-pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
configure: checking for guile 2.2
configure: checking for guile 2.0
configure: checking for guile 1.8
configure: error:
No Guile development packages were found.

Please verify that you have Guile installed. If you installed Guile
from a binary distribution, please verify that you have also installed
the development packages. If you installed it yourself, you might need
to adjust your PKG_CONFIG_PATH; see the pkg-config man page for more.

@manuelfleri

I compiled with the modifications below; openconnect can run on mate30, pixel2, android Q-emulator

update GNUTLS to version 3.6.8
update NETTLE to version 3.4.1
modify the files below (rootPath = ics-openconnect/external/openconnect/android/sources/):
./oath-toolkit-2.6.2/oathtool/gl/vasnprintf.c
./oath-toolkit-2.6.2/liboath/gl/vasnprintf.c
./oath-toolkit-2.6.2/libpskc/gl/tests/vasnprintf.c

The attachment is the modified ./oath-toolkit-2.6.2/oathtool/gl/vasnprintf.c;
do the same with the other two files and compile.

oath-toolkit-2.6.2_oathtool_gl_vasnprintf.zip

I haven't got this folder, my path terminates at " ics-openconnect/external/openconnect/android/", and there are just some files inside, but no "oath-toolkit-2.6.2", how can I overcome this?

@itfintech

Run make first, the script will download the dependency, after you will have these files.

@manuelfleri

Run make first, the script will download the dependency, after you will have these files.

Thank you very much for the quick reply!

I forgot to mention that I already tried, but it gives me this error :

/opt/android-sdk-linux_x86/android-ndk-r16b/build/tools/make-standalone-toolchain.sh --platform=android-14 --arch=arm --install-dir=/Users/[myFolder]/external/openconnect/android/arm-linux-androideabi/toolchain ||
/opt/android-sdk-linux_x86/android-ndk-r16b/build/tools/make-standalone-toolchain.sh
--platform=android-14 --arch=arm --install-dir=/Users/[myFolder]/external/openconnect/android/arm-linux-androideabi/toolchain --system=linux-x86_64
/bin/sh: /opt/android-sdk-linux_x86/android-ndk-r16b/build/tools/make-standalone-toolchain.sh: No such file or directory
/bin/sh: /opt/android-sdk-linux_x86/android-ndk-r16b/build/tools/make-standalone-toolchain.sh: No such file or directory
make: *** [/Users/[myFolder]/external/openconnect/android/arm-linux-androideabi/toolchain/.built] Error 127

Does anyone know how to deal with this? I tried to install the ndk following this guide: "https://gist.github.com/Tydus/11109634", and it seemed to work, but still I get that error.

Thanks in advance.

@DenysFrasinich

Hello! I applied the workaround from @ffyliu's comment (#51 (comment)) and it works fine on my pixel 3.
Here are some pull requests:
cernekee/openconnect#3
#59

@fariya12

fariya12 commented Feb 6, 2020

@ffyliu after I applied your workaround, my app is still crashing. How can I fix it? Any solution?

@davemidd

davemidd commented Feb 8, 2020

@ffyliu after I applied your workaround, my app is still crashing. How can I fix it? Any solution?

https://play.google.com/store/apps/details?id=com.github.digitalsoftwaresolutions.openconnect

@siromidz

checkout before any step :D
so I should clone, checkout, and then follow the steps. thank you

@siromidz

should i run git checkout master after git submodule update???

@siromidz

i tried these
git clone https://github.com/NgoHuy/ics-openconnect.git
cd ics-openconnect
git checkout latest-curl
git submodule init
git submodule update
cd external/openconnect
git submodule update --init
cd ../..
make -C external
./misc/download-artifacts.sh

but failed!!!!

@NgoHuy

NgoHuy commented Jul 12, 2021

git clone https://github.com/NgoHuy/ics-openconnect.git
cd ics-openconnect
git checkout latest-curl
git submodule init
git submodule update
cd external/openconnect
git checkout master
git pull
git submodule update --init
cd ../..
make -C external

@tnzil

tnzil commented Jul 12, 2021

i tried these
git clone https://github.com/NgoHuy/ics-openconnect.git
cd ics-openconnect
git checkout latest-curl
git submodule init
git submodule update
cd external/openconnect
git submodule update --init
cd ../..
make -C external
./misc/download-artifacts.sh

but failed!!!!

Kindly share output logs

@NgoHuy

NgoHuy commented Jul 12, 2021

I confirmed that I built with error from openconnect master branch.

@NgoHuy

NgoHuy commented Jul 13, 2021

I forgot to mention that on archlinux or debian, you must define -fuse-ld=gold in EXTRA_CFLAGS in external/openconnect/android/Makefile

@siromidz

I forgot to mention that on archlinux or debian, you must define -fuse-ld=gold in EXTRA_CFLAGS in external/openconnect/android/Makefile

where has to be changed in that file?
there are multiple places EXTRA_CFLAGS is used.

@siromidz

I forgot to mention that on archlinux or debian, you must define -fuse-ld=gold in EXTRA_CFLAGS in external/openconnect/android/Makefile

i added the -fuse-ld=gold at 2 positions where EXTRA_CFLAGS was used but got the same result

@siromidz

siromidz commented Jul 15, 2021

I forgot to mention that on archlinux or debian, you must define -fuse-ld=gold in EXTRA_CFLAGS in external/openconnect/android/Makefile

i changed the file you mentioned like this:

#
# This Makefile attempts to build OpenConnect and its dependencies for Android
#
# It doesn't do a stunning job of tracking changes in the dependencies and
# automatically rebuilding them, but it's good enough for getting them built
# and installed into its own local sysroot.
#
# As long as you have the Android NDK toolchain on your path, you should then
# be able to edit fairly much anything in place and rebuild it locally.
#
# It should also be fairly simple to extend this to cross-compile for any target

# Last tested with https://dl.google.com/android/repository/android-ndk-r21b-linux-x86_64.zip


NDK     := /opt/android-sdk-linux_x86/android-ndk-r21b
ARCH    := x86_64
API_LEVEL := 23

EXTRA_CFLAGS := -fuse-ld=gold

# You should be able to just 'make ARCH=x86' and it should DTRT.
ifeq ($(ARCH),arm)
TRIPLET := arm-linux-androideabi
EXTRA_CFLAGS := -march=armv7-a -mthumb -fuse-ld=gold
endif
ifeq ($(ARCH),arm64)
TRIPLET := aarch64-linux-android
API_LEVEL := 26
endif
ifeq ($(ARCH),x86)
TRIPLET := i686-linux-android
endif
ifeq ($(ARCH),x86_64)
TRIPLET := x86_64-linux-android
endif

TOPDIR := $(shell pwd)
DESTDIR := $(TOPDIR)/$(TRIPLET)/out

EXTRA_CFLAGS += -D__ANDROID_API__=$(API_LEVEL) -O2

TOOLCHAIN := $(TOPDIR)/$(TRIPLET)/toolchain
TOOLCHAIN_BUILT := $(TOOLCHAIN)/.built
TOOLCHAIN_OPTS := --platform=android-$(API_LEVEL) --arch=$(ARCH) \
		  --install-dir=$(TOOLCHAIN)
PATH := $(TOOLCHAIN)/bin:$(PATH)

OC_SYSROOT := $(TOOLCHAIN)/sysroot/usr
PKG_CONFIG_LIBDIR := $(OC_SYSROOT)/lib/pkgconfig

export PATH PKG_CONFIG_LIBDIR

# PKG_CONFIG_LIBDIR gets exported to sub-makes, but not to $(shell
PKG_CONFIG := PKG_CONFIG_LIBDIR=$(PKG_CONFIG_LIBDIR) pkg-config

MAKEINSTALL=$(MAKE) INSTALL=$(TOPDIR)/install_symlink.sh
FETCH=$(TOPDIR)/fetch.sh

CONFIGURE_ARGS := --host=$(TRIPLET) --prefix=$(OC_SYSROOT) \
		  --disable-shared --enable-static --with-pic \
		  CC=$(TRIPLET)-clang CFLAGS="$(EXTRA_CFLAGS)"

SOURCE_LIST = $(LIBXML2_SRC)/configure $(GMP_SRC)/configure \
	$(NETTLE_SRC)/configure $(GNUTLS_SRC)/configure \
	$(STOKEN_SRC)/configure $(OATH_SRC)/configure \
	$(LZ4_DIR)/Makefile

PKG_LIST := LIBXML2 GMP NETTLE GNUTLS STOKEN OATH LZ4

MIRROR_TEST_TARGETS := $(addprefix mirror-test-,$(PKG_LIST))

all: openconnect run_pie

#####################################################################
#
# Install a local cross toolchain + sysroot
#
# (The fallback logic is because NDK versions <= r8e can fail after trying to
# use 32-bit binaries on a 64-bit NDK installation.)
#
$(TOOLCHAIN_BUILT):
	$(NDK)/build/tools/make-standalone-toolchain.sh $(TOOLCHAIN_OPTS) || \
		$(NDK)/build/tools/make-standalone-toolchain.sh \
			$(TOOLCHAIN_OPTS) --system=linux-x86_64
	touch $@

#####################################################################
#
# Build libxml2 with minimal configuration for OpenConnect
#
# http://xmlsoft.org/news.html
LIBXML2_VER := 2.9.11
LIBXML2_TAR := libxml2-$(LIBXML2_VER).tar.gz
LIBXML2_SHA := 886f696d5d5b45d780b2880645edf9e0c62a4fd6841b853e824ada4e02b4d331
LIBXML2_SRC := sources/libxml2-$(LIBXML2_VER)
LIBXML2_BUILD := $(TRIPLET)/libxml2

$(LIBXML2_TAR):
	$(FETCH) $@ $(LIBXML2_SHA)

$(LIBXML2_SRC)/configure: $(LIBXML2_TAR)
	mkdir -p sources
	tar xfz $<  -C sources
	touch $@

$(LIBXML2_BUILD)/Makefile: $(TOOLCHAIN_BUILT) $(LIBXML2_SRC)/configure
	mkdir -p $(LIBXML2_BUILD)
	cd $(LIBXML2_BUILD) && ../../$(LIBXML2_SRC)/configure $(CONFIGURE_ARGS) \
	    --without-c14n -without-catalog --without-debug --without-docbook \
	    --without-fexceptions --without-ftp --without-history \
	    --without-http --without-iconv --without-iconv \
	    --without-iso8859x --without-legacy --without-pattern \
	    --without-push --without-regexps --without-run-debug \
	    --without-sax1 --without-schemas --without-schematron \
	    --without-threads --without-valid --without-xinclude \
	    --without-xpath --without-xptr --without-zlib --without-lzma \
	    --without-coverage --without-python

$(LIBXML2_BUILD)/libxml2.la: $(LIBXML2_BUILD)/Makefile
	$(MAKE) -C $(LIBXML2_BUILD) libxml2.la

$(LIBXML2_BUILD)/libxml-2.0.pc: $(LIBXML2_BUILD)/Makefile
	$(MAKE) -C $(LIBXML2_BUILD) libxml-2.0.pc

$(OC_SYSROOT)/lib/libxml2.la: $(LIBXML2_BUILD)/libxml2.la
	$(MAKEINSTALL) -C $(LIBXML2_BUILD) install-libLTLIBRARIES

$(OC_SYSROOT)/lib/pkgconfig/libxml-2.0.pc: $(LIBXML2_BUILD)/libxml-2.0.pc
	$(MAKEINSTALL) -C $(LIBXML2_BUILD) install-data

LIBXML_DEPS := $(OC_SYSROOT)/lib/libxml2.la $(OC_SYSROOT)/lib/pkgconfig/libxml-2.0.pc

libxml: $(LIBXML_DEPS)


#####################################################################
#
# Build GNU MP
#
# https://gmplib.org/
GMP_VER := 6.2.1
GMP_TAR := gmp-$(GMP_VER).tar.xz
GMP_SHA := fd4829912cddd12f84181c3451cc752be224643e87fac497b69edddadc49b4f2
GMP_SRC := sources/gmp-$(GMP_VER)
GMP_BUILD := $(TRIPLET)/gmp

$(GMP_TAR):
	$(FETCH) $@ $(GMP_SHA)

$(GMP_SRC)/configure: $(GMP_TAR)
	mkdir -p sources
	tar -xJf $< -C sources
	touch $@

$(GMP_BUILD)/Makefile: $(TOOLCHAIN_BUILT) $(GMP_SRC)/configure
	mkdir -p $(GMP_BUILD)
	cd $(GMP_BUILD) && ../../$(GMP_SRC)/configure $(CONFIGURE_ARGS) 


$(GMP_BUILD)/libgmp.la: $(GMP_BUILD)/Makefile
	$(MAKE) -C $(GMP_BUILD)

$(OC_SYSROOT)/lib/libgmp.la: $(GMP_BUILD)/libgmp.la
	$(MAKEINSTALL) -C $(GMP_BUILD) install

GMP_DEPS := $(OC_SYSROOT)/lib/libgmp.la

gmp: $(GMP_DEPS)


#####################################################################
#
# Build nettle
#
# https://ftp.gnu.org/gnu/nettle/
NETTLE_VER := 3.6
NETTLE_TAR := nettle-$(NETTLE_VER).tar.gz
NETTLE_SHA := d24c0d0f2abffbc8f4f34dcf114b0f131ec3774895f3555922fe2f40f3d5e3f1
NETTLE_SRC := sources/nettle-$(NETTLE_VER)
NETTLE_BUILD := $(TRIPLET)/nettle

$(NETTLE_TAR):
	$(FETCH) $@ $(NETTLE_SHA)

$(NETTLE_SRC)/configure: $(NETTLE_TAR)
	mkdir -p sources
	tar xfz $< -C sources
	touch $@

$(NETTLE_BUILD)/Makefile: $(TOOLCHAIN_BUILT) $(NETTLE_SRC)/configure $(GMP_DEPS)
	mkdir -p $(NETTLE_BUILD)
	cd $(NETTLE_BUILD) && ../../$(NETTLE_SRC)/configure $(CONFIGURE_ARGS)

$(NETTLE_BUILD)/libnettle.a: $(NETTLE_BUILD)/Makefile
	$(MAKE) -C $(NETTLE_BUILD) SUBDIRS=

$(OC_SYSROOT)/lib/libnettle.a: $(NETTLE_BUILD)/libnettle.a
	$(MAKEINSTALL) -C $(NETTLE_BUILD) SUBDIRS= install

NETTLE_DEPS := $(OC_SYSROOT)/lib/libnettle.a

nettle: $(NETTLE_DEPS)


#####################################################################
#
# Build GnuTLS
#
# https://www.gnutls.org/download.html
GNUTLS_VER := 3.6.16
GNUTLS_TAR := gnutls-$(GNUTLS_VER).tar.xz
GNUTLS_SHA := 1b79b381ac283d8b054368b335c408fedcb9b7144e0c07f531e3537d4328f3b3
GNUTLS_SRC := sources/gnutls-$(GNUTLS_VER)
GNUTLS_BUILD := $(TRIPLET)/gnutls

$(GNUTLS_TAR):
	$(FETCH) $@ $(GNUTLS_SHA)

$(GNUTLS_SRC)/configure: $(GNUTLS_TAR)
	mkdir -p sources
	xz -d < $< | tar xf - -C sources
	touch $@

#$(GNUTLS_SRC)/configure.ac:
#	mkdir -p sources
#	cd sources && git clone git://gitorious.org/gnutls/gnutls.git

#$(GNUTLS_SRC)/configure: $(GNUTLS_SRC)/configure.ac
#	touch $(GNUTLS_SRC)/ChangeLog
#	cd $(GNUTLS_SRC) && autoreconf -fvi

$(GNUTLS_BUILD)/Makefile: $(TOOLCHAIN_BUILT) $(GNUTLS_SRC)/configure $(NETTLE_DEPS)
	mkdir -p $(GNUTLS_BUILD)
	cd $(GNUTLS_BUILD) && ../../$(GNUTLS_SRC)/configure $(CONFIGURE_ARGS) \
		AUTOGEN=/bin/false \
		--disable-threads --disable-tests --disable-nls \
		--disable-doc --disable-openssl-compatibility --disable-cxx \
		--disable-openssl-compatibility --disable-ocsp --disable-tools \
		--disable-anon-authentication --with-included-libtasn1 \
		--enable-psk-authentication --disable-srp-authentication \
		--disable-dtls-srtp-support  --enable-dhe --enable-ecdhe \
		--with-included-unistring --without-p11-kit --disable-guile

$(GNUTLS_BUILD)/lib/libgnutls.la: $(GNUTLS_BUILD)/Makefile
	$(MAKE) -C $(GNUTLS_BUILD)

$(OC_SYSROOT)/lib/libgnutls.la: $(GNUTLS_BUILD)/lib/libgnutls.la
	$(MAKEINSTALL) -C $(GNUTLS_BUILD) install

GNUTLS_DEPS := $(OC_SYSROOT)/lib/libgnutls.la

gnutls: $(GNUTLS_DEPS)


#####################################################################
#
# Build libstoken
#
# https://sourceforge.net/projects/stoken/files/
STOKEN_VER := 0.92
STOKEN_TAR := stoken-$(STOKEN_VER).tar.gz
STOKEN_SHA := aa2b481b058e4caf068f7e747a2dcf5772bcbf278a4f89bc9efcbf82bcc9ef5a
STOKEN_SRC := sources/stoken-$(STOKEN_VER)
STOKEN_BUILD := $(TRIPLET)/stoken

$(STOKEN_TAR):
	$(FETCH) $@ $(STOKEN_SHA)

$(STOKEN_SRC)/configure: $(STOKEN_TAR)
	mkdir -p sources
	tar xfz $< -C sources
	touch $@

$(STOKEN_BUILD)/Makefile: $(TOOLCHAIN_BUILT) $(STOKEN_SRC)/configure $(NETTLE_DEPS)
	mkdir -p $(STOKEN_BUILD)
	cd $(STOKEN_BUILD) && ../../$(STOKEN_SRC)/configure $(CONFIGURE_ARGS) \
		--without-gtk

$(STOKEN_BUILD)/libstoken.la: $(STOKEN_BUILD)/Makefile
	$(MAKE) -C $(STOKEN_BUILD)

$(OC_SYSROOT)/lib/libstoken.la: $(STOKEN_BUILD)/libstoken.la
	$(MAKEINSTALL) -C $(STOKEN_BUILD) install

STOKEN_DEPS := $(OC_SYSROOT)/lib/libstoken.la

stoken: $(STOKEN_DEPS)


#####################################################################
#
# Build liboath
#
# https://download.savannah.nongnu.org/releases/oath-toolkit/
OATH_VER := 2.6.7
OATH_TAR := oath-toolkit-$(OATH_VER).tar.gz
OATH_SHA := 36eddfce8f2f36347fb257dbf878ba0303a2eaafe24eaa071d5cd302261046a9
OATH_SRC := sources/oath-toolkit-$(OATH_VER)
OATH_BUILD := $(TRIPLET)/oath

$(OATH_TAR):
	$(FETCH) $@ $(OATH_SHA)

$(OATH_SRC)/configure: $(OATH_TAR)
	mkdir -p sources
	tar xfz $< -C sources
	> $(OATH_SRC)/liboath/gl/freading.c
	touch $@

$(OATH_BUILD)/Makefile: $(TOOLCHAIN_BUILT) $(OATH_SRC)/configure
	mkdir -p $(OATH_BUILD)
	cd $(OATH_BUILD) && ../../$(OATH_SRC)/configure $(CONFIGURE_ARGS) \
		--disable-pskc --disable-pam \
		gl_cv_func_fflush_stdin=yes \
		gl_cv_func_fpurge_works=yes

$(OATH_BUILD)/liboath/liboath.la: $(OATH_BUILD)/Makefile
	$(MAKE) -C $(OATH_BUILD)/liboath

$(OC_SYSROOT)/lib/liboath.la: $(OATH_BUILD)/liboath/liboath.la
	$(MAKEINSTALL) -C $(OATH_BUILD)/liboath install

OATH_DEPS := $(OC_SYSROOT)/lib/liboath.la

oath: $(OATH_DEPS)


#####################################################################
#
# Build liblz4
#
# https://github.com/lz4/lz4/tags
LZ4_VER := 1.9.3
LZ4_TAR := lz4-v$(LZ4_VER).tar.gz
LZ4_SHA := 030644df4611007ff7dc962d981f390361e6c97a34e5cbc393ddfbe019ffe2c1
LZ4_DIR := $(TRIPLET)/lz4-$(LZ4_VER)

$(LZ4_TAR):
	$(FETCH) $@ $(LZ4_SHA)

$(LZ4_DIR)/Makefile: $(LZ4_TAR)
	mkdir -p $(TRIPLET)
	tar xzf $< -C $(TRIPLET)
	touch $@

$(OC_SYSROOT)/lib/liblz4.a: $(TOOLCHAIN_BUILT) $(LZ4_DIR)/Makefile
	$(MAKE) -C $(LZ4_DIR)/lib \
		CC="$(TRIPLET)-clang $(EXTRA_CFLAGS)" \
		AR="$(TRIPLET)-ar" \
		LIBDIR=$(OC_SYSROOT)/lib \
		INCLUDEDIR=$(OC_SYSROOT)/include \
		install
	rm -f $(OC_SYSROOT)/lib/liblz4.so*

LZ4_DEPS := $(OC_SYSROOT)/lib/liblz4.a

lz4: $(LZ4_DEPS)

#####################################################################
#
# Build OpenConnect for Android
#
OPENCONNECT_SRC := ..
OPENCONNECT_BUILD := $(TRIPLET)/openconnect

$(OPENCONNECT_SRC)/configure:
	cd $(OPENCONNECT_SRC) && ./autogen.sh

$(OPENCONNECT_BUILD)/Makefile: $(TOOLCHAIN_BUILT) $(GNUTLS_DEPS) $(LIBXML_DEPS) \
		$(STOKEN_DEPS) $(OATH_DEPS) $(LZ4_DEPS) $(OPENCONNECT_SRC)/configure
	mkdir -p $(OPENCONNECT_BUILD)
	cd $(OPENCONNECT_BUILD) && ../../../configure \
	--host=$(TRIPLET) --prefix=/ \
	CFLAGS="$(EXTRA_CFLAGS) -fvisibility=default -fPIE" \
	LDFLAGS="$(EXTRA_LDFLAGS) -rdynamic -pie" \
	GNUTLS_LIBS="$(shell $(PKG_CONFIG) --static --libs gnutls)" \
	LIBSTOKEN_LIBS="$(shell $(PKG_CONFIG) --static --libs stoken)" \
	--enable-shared --with-vpnc-script=/etc/vpnc/vpnc-script \
	--with-java=$(OC_SYSROOT)/include --enable-jni-standalone \
	--disable-symvers

openconnect: $(OPENCONNECT_BUILD)/Makefile
	make -C $(OPENCONNECT_BUILD)
	make -C $(OPENCONNECT_BUILD) install-strip DESTDIR=$(DESTDIR)


#####################################################################
#
# Build run_pie helper program
#
$(DESTDIR)/sbin/run_pie: run_pie.c $(TOOLCHAIN_BUILT)
	mkdir -p $(DESTDIR)/sbin
	$(TRIPLET)-clang $< -o $@ -ldl

.PHONY: run_pie
run_pie: $(DESTDIR)/sbin/run_pie


#####################################################################
#
# Special targets for maintainer use
#

# download + extract, but do not build
.PHONY: sources
sources: $(SOURCE_LIST)

.PHONY: $(MIRROR_TEST_TARGETS)
$(MIRROR_TEST_TARGETS) : mirror-test-% :
	$(FETCH) --mirror-test $($(*)_TAR) $($(*)_SHA)

# (re)test all mirrors for all packages. safe for use with "make -jN"
.PHONY: mirror-test
mirror-test: $(MIRROR_TEST_TARGETS)

@NgoHuy

NgoHuy commented Jul 15, 2021

you should edit this line
EXTRA_CFLAGS += -D__ANDROID_API__=$(API_LEVEL) -O2

@siromidz

siromidz commented Jul 15, 2021

EXTRA_CFLAGS += -D__ANDROID_API__=$(API_LEVEL) -O2

I changed that line to this:
EXTRA_CFLAGS += -D__ANDROID_API__=$(API_LEVEL) -O2 -fuse-ld=gold
but nothing changed. still crash

2021-07-15 07:52:13.965 24018-24216/app.openconnect A/libc: FORTIFY: %n not allowed on Android
2021-07-15 07:52:13.965 24018-24216/app.openconnect A/libc: Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 24216 (OpenVPNManageme), pid 24018 (app.openconnect)

@siromidz

EXTRA_CFLAGS += -D__ANDROID_API__=$(API_LEVEL) -O2

I changed that line to this:
EXTRA_CFLAGS += -D__ANDROID_API__=$(API_LEVEL) -O2 -fuse-ld=gold
but nothing changed. still crash

2021-07-15 07:52:13.965 24018-24216/app.openconnect A/libc: FORTIFY: %n not allowed on Android
2021-07-15 07:52:13.965 24018-24216/app.openconnect A/libc: Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 24216 (OpenVPNManageme), pid 24018 (app.openconnect)

did I edit that line correctly?

@siromidz

git clone https://github.com/NgoHuy/ics-openconnect.git
cd ics-openconnect
git checkout latest-curl
git submodule init
git submodule update
cd external/openconnect
git checkout master
git pull
git submodule update --init
cd ../..
make -C external

does this work on redhat?

@siromidz

EXTRA_CFLAGS += -D__ANDROID_API__=$(API_LEVEL) -O2

I changed that line to this:
EXTRA_CFLAGS += -D__ANDROID_API__=$(API_LEVEL) -O2 -fuse-ld=gold
but nothing changed. still crash

2021-07-15 07:52:13.965 24018-24216/app.openconnect A/libc: FORTIFY: %n not allowed on Android
2021-07-15 07:52:13.965 24018-24216/app.openconnect A/libc: Fatal signal 6 (SIGABRT), code -1 (SI_QUEUE) in tid 24216 (OpenVPNManageme), pid 24018 (app.openconnect)

@NgoHuy is this correct? or i have to edit this in another way?
I'm using kali linux

@NgoHuy

NgoHuy commented Jul 22, 2021

I'm not sure why it crashed, I use debian and archlinux to build it

@siromidz

I'm not sure why it crashed, I use debian and archlinux to build it

could you please tell me the exact distribution and version you are using so that I can compile the project?

@NgoHuy

NgoHuy commented Jul 23, 2021

I use debian and archlinux with latest update

@daktak

daktak commented Nov 15, 2023

this is my apk, does it crash on your phone? https://drive.google.com/file/d/1ynE77127QPLzoDSLCXOPI2HEMx3YXGXN/view?usp=sharing

This still works on Android 13. I had to rename my certs to .jpg as file permissions seemed to only work for "Media"

@wolandtel

wolandtel commented Mar 19, 2024

I wasted a whole day building it. So here are the step-by-step instructions.

mkdir ics-openconnect
cd ics-openconnect

# download gnutls+nettle.patch
git clone https://github.com/cernekee/ics-openconnect ics-openconnect.github

cd ics-openconnect.github
# external/Makefile → check ANDROID_NDK path; remove anything except arm from ARCHS

git submodule init
git submodule update

cd external/openconnect
git apply ../../../gnutls+nettle.patch
cd ../..

make -C external

./gradlew assembleDebug

cd ..
mv ics-openconnect.github/app/build/outputs/apk/debug/app-debug.apk OpenConnect.apk

gnutls+nettle.patch.zip

And the result:
OpenConnect.apk.zip

@ildar

ildar commented Mar 20, 2024 via email

@ildar

ildar commented Mar 31, 2024 via email

@ildar

ildar commented Mar 31, 2024 via email

@DimitriPapadopoulos

DimitriPapadopoulos commented Mar 31, 2024

It would be worth submitting a pull request to https://gitlab.com/openconnect/openconnect/. The above patch doesn't appear to apply cleanly to the current master branch, I'll have a look.

Indeed, https://gitlab.com/openconnect/ics-openconnect/ is more recent and the patch you refer to is obsolete as far as I can see.

@wolandtel

wolandtel commented Mar 31, 2024

The above patch doesn't appear to apply cleanly to the current master branch

Of course. When you do git submodule … you get the tag v8.03 of openconnect.

@wolandtel

Mikhail, ppl, can anyone update the libopenconnect to the latest version?

What do you mean? Build ics-openconnect with the latest version of the lib? What for?

@wolandtel

Found another repo, maybe worth moving. https://gitlab.com/openconnect/ics-openconnect/-/issues/8

The Gitlab project has the same build problems as the current one. And maybe a little bit more. And the only difference is new functionality (protocols added). I just needed an openconnect.

@DimitriPapadopoulos

Oh, I see, I wasn't aware it uses a submodule, sorry about that. Anyway, the OpenConnect library has been maintained in https://gitlab.com/openconnect/openconnect/ for years and 8.0.3 has become obsolete, although I understand it works for you. What way forward would you suggest for the community?

@wolandtel

Dimitri, I think only an openconnect's maintainer has enough knowledge to build android client with the actual version of libopenconnect. It hasn't been built for the x86 arch, for example (v8.0.3) and I've just skipped it. So I suppose there will be a lot of issues if you try to build with the libopenconnect's master.

@DimitriPapadopoulos

That's precisely where I come from:
openconnect/ics-openconnect/#8

OpenConnect CI jobs do create artefacts that include Android libraries:
openconnect/openconnect/#461 (comment)

It's just that:

  • The Android OpenConnect library is only available as a CI job artefact, making it hard to download. Help is welcome to produce Windows and Android libraries that are easier to download. Knowledge of OpenConnect is not really required, just knowledge of the Android build system and CI.
  • The Android client, which uses the Android OpenConnect library, lacks a maintainer. Help is welcome to finalise openconnect/ics-openconnect/!4. Knowledge of OpenConnect is not really required, just the experience of building apps for Android and CI.
