Commits on May 14, 2020

  1. Fix COPR release builds for mingw-openconnect

    For release builds, the tarball contents still don't have the default
    name; we need to explicitly state that it's openconnect-%{version}
    
    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
    dwmw2 committed May 14, 2020
    195bd74

Commits on May 15, 2020

  1. Work around SoftHSM lockup in CI

    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
    dwmw2 committed May 15, 2020
    f20f148
  2. Remove Fedora updates-testing packages now pushed to stable

    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
    dwmw2 committed May 15, 2020
    06ae89f
  3. Update packages documentation

    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
    dwmw2 committed May 15, 2020
    dd5dca0
  4. Run Coverity only in openconnect/openconnect repo

    It won't work in someone else's master branch if they've forked the repo.
    
    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
    dwmw2 committed May 15, 2020
    e713ded
  5. Check for Signed-off-by: in CI

    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
    dwmw2 committed May 15, 2020
    8d33973
  6. Add missing files to tarball for win32 build

    Fixes building from distribution tarball on win32/mingw.
    
    Makefile.am: Include win32-ipicmp.h and openconnect.ico in tarball
    
    Signed-off-by: Justin Kendrick <justin@kendrick.tech>
    justin-kendrick authored and dwmw2 committed May 15, 2020
    ba299b6
  7. Add openconnect_set_cookie function to library and jni

    Signed-off-by: Randy Moss <kasaxet794@homedepinst.com>
    Randy Moss committed May 15, 2020
    5b3d3a8
  8. 31c8a4f

Commits on May 18, 2020

  1. Fix Signed-off-by CI check

    Signed-off-by: David Woodhouse <dwmw2@infradead.org>
    dwmw2 committed May 18, 2020
    5867033

Commits on Jun 15, 2020

  1. Make correct TUNDEV value available to vpnc-script during pre-init

    This makes it possible for a privileged vpnc-script pre-init hook to
    create the tun device before an unprivileged openconnect process tries
    to use it.
    
    Signed-off-by: Steven Luo <steven@steven676.net>
    steven676 committed Jun 15, 2020
    032e95a

Commits on Jul 30, 2020

  1. Fixed failing tests

    This removes dtls-psk from XFAIL in centos8 as it is no longer applicable,
    adds crypto policies script from missing targets, and checks for both
    devices prior to adding routes in dtls-psk.
    
    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
    nmav committed Jul 30, 2020
    3193ce3
  2. .mailmap: set gmail as primary email of Nikos

    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
    nmav committed Jul 30, 2020
    48b8ce9
  3. .gitlab-ci.yml: fix on fedora32

    Previously a change in Fedora release would result in several weeks or
    months of broken CI. Fix on a specific version so that the CI is stable,
    even if that comes at the cost of a manual update of the fedora CI.
    
    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
    nmav committed Jul 30, 2020
    d433495

Commits on Oct 31, 2020

  1. gnutls: try multiple hashes when checking for pub/priv key match

    This also ensures that we don't take into account the state of the
    algorithm (e.g., marked as insecure), because it does matter for
    checking whether the keys match.
    
    Resolves: #189
    
    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
    nmav committed Oct 31, 2020
    ec04a39
  2. .gitlab-ci.yml: updated to fedora33

    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
    nmav committed Oct 31, 2020
    e7c16ad

Commits on Nov 3, 2020

  1. Merge branch 'tmp-fix-tests' into 'master'

    .gitlab-ci.yml: fixed failing tests and update to fedora 33
    
    Closes #189
    
    See merge request openconnect/openconnect!128
    nmav committed Nov 3, 2020
    8826606
  2. explain why --form-entry shouldn't be used for passwords

    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    8db3126
  3. Merge branch 'explain_why_form_entry_should_not_be_used_for_passwords' into 'master'
    
    explain why --form-entry shouldn't be used for passwords
    
    See merge request openconnect/openconnect!123
    dlenski committed Nov 3, 2020
    c91869b
  4. fix tncc_emulate.py with Python 3.7

    Fingerprint-checking monkey-patch for SSLSocket needs to be refined to work with Python 3.7+
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    be010fd
  5. bugfix string/binary handling

    See https://gitlab.com/openconnect/openconnect/-/merge_requests/120#note_356905574
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    50f13e9
  6. Merge branch 'fix_tncc_emulate.py_with_Python_3.7' into 'master'

    fix tncc_emulate.py with Python 3.7+
    
    Closes #152
    
    See merge request openconnect/openconnect!120
    dlenski committed Nov 3, 2020
    068c2be
  7. handle errors on initial TLS connection identically to subsequent reconnection
    
    In order to write OpenConnect wrapper scripts that decouple the
    authentication phase and tunnel phase, while caching authentication cookies,
    we need to be able to reliably distinguish errors from invalid/expired
    cookies from other errors. This makes that possible.
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    bf4813a
  8. don't switch to syslog logger until we're ready to background/daemonize

    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    666da3f
  9. Merge branch 'consistent_handling_of_initial_connection_errors' into 'master'
    
    Consistent handling of initial connection errors
    
    See merge request openconnect/openconnect!133
    dlenski committed Nov 3, 2020
    7fa08e9
  10. Protocols should try to explicitly request the same IP addresses on reconnect, since they will abort if new addresses are sent by the server.
    
    * GlobalProtect:
      - Supported and used by official clients (POST /ssl-vpn/getconfig.esp with preferred-ip form field).
      - GlobalProtect servers often give different IP addresses on reconnect if this mechanism is *not* used,
        so this mechanism is necessary.
      - Same mechanism appears to exist for IPv6 (preferred-ipv6) and was added to OpenConnect in
        d6db0ec, even though IPv6 support is not yet complete.
    * AnyConnect:
      - Not (yet) supported by ocserv
      - It appears that *some* AnyConnect servers will try to provide the IP address provided in the X-CSTP-Address
        *request* header along with the CONNECT request, but other servers appear not to
      - This patch reproduces the behavior of GPST: attempt to request same IPv4 and IPv6 addresses on reconnect,
        via CONNECT headers.
    * Juniper:
      - There does not appear to be any way to provide this using the Juniper NC protocol.
      - No known reports of Juniper servers giving out different IP address on reconnect.
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    bc370b9
  11. gpst.c should also return -EPERM when server changes IP address, not -EINVAL
    
    (see previous commit by David Woodhouse, 24df331, which did this for cstp.c)
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    5e3af5b
  12. factor out check_address_sanity() from gpst.c and cstp.c, and use it in oncp.c and pulse.c as well
    
    Suggested by David Woodhouse: https://gitlab.com/openconnect/openconnect/merge_requests/35#note_169620281
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    45144f2
  13. add comment on openconnect__inet_aton(), which is not 100% compatible with "real" inet_aton()
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    9490efb
  14. openconnect_make_cstp_connection should always set ssl_times.last_tx on successful connection
    
    As suggested by David Woodhouse (https://gitlab.com/openconnect/openconnect/merge_requests/35#note_163190180)
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    8f86b73
  15. Merge branch 'check_address_sanity' into 'master'

    Common code for check_address_sanity()
    
    See merge request openconnect/openconnect!116
    dlenski committed Nov 3, 2020
    46d7126
  16. enable csd-wrapper.sh/csd-post.sh to run insecurely (no cert validation) for compatibility with ancient cURL
    
    cURL <7.39 doesn't have `--pinnedpubkey` option.  Falling back to insecure connection to CSD server (as we did until
    4385272) is the easiest band-aid.
    
    CentOS 7 is affected, as described in https://lists.infradead.org/pipermail/openconnect-devel/2020-July/004886.html
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    026236a
  17. the -s/--silent option to cURL isn't related to cert validation; remove it from the PINNEDPUBKEY variable
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    eef404e
  18. Merge branch 'enable_insecure_CSD_submission_for_ancient_cURL_versions' into 'master'
    
    Enable insecure CSD submission for ancient cURL versions
    
    See merge request openconnect/openconnect!125
    dlenski committed Nov 3, 2020
    af0cfa3
  19. fix CI

    - dtls-psk is frequently failing; add 1-second wait AFTER tunnel interface appears
    - (already merged in !128) CentOS8 now has GnuTLS with client random bug fixed (remove XFAIL_TESTS="dtls-psk")
    - (already merged in !128) Fedora 32 needs crypto-policies-scripts package for update-crypto-policies to work
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    7534be7
  20. Gitlab has CI images for Ubuntu 18.04, so let's include those too.

    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    c5cae44
  21. re-add socket_wrapper and softhsm support to CentOS8 CI

    It appears that a separate Power Tools repository needs to be enabled for `{uid,socket}_wrapper` in CentOS8.
    See https://centos.pkgs.org/8/centos-powertools-x86_64/uid_wrapper-1.2.4-4.el8.x86_64.rpm.html and https://serverfault.com/questions/997896/how-to-enable-powertools-repository-in-centos-8
    
    For softhsm, this should work per nmav: https://gitlab.com/openconnect/openconnect/-/issues/145#note_347864560
    
    The auth-nonascii test, and DSA cert tests, are now failing again, and need to be disabled.
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    7151447
  22. Merge branch 'fix_CI' into 'master'

    fix CI and coverage
    
    See merge request openconnect/openconnect!134
    dlenski committed Nov 3, 2020
    95acb3f
  23. Added platform name to the HIP report script

    It is now possible to send an optional platform to the script using the
    parameter `--client-os` (defaults to `Windows` if parameter is missing).
    
    We still don't know what the Mac XML looks like so, in case the platform
    value is not `Linux`, it will be always defaulted to Windows.
    
    Signed-off-by: Roberto Leinardi <leinardi@gmail.com>
    leinardi authored and dlenski committed Nov 3, 2020
    98fd3dd
  24. Merge branch 'hipreport' into 'master'

    hipreport.sh: Vary emulated report output by platform (Windows vs. Linux)
    
    See merge request openconnect/openconnect!129
    dlenski committed Nov 3, 2020
    26ecf2c
  25. fix duplicate bitfield constant

    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 3, 2020
    a515513
  26. Merge branch 'fix_duplicate_bitfield_constant' into 'master'

    fix duplicate bitfield constant
    
    See merge request openconnect/openconnect!115
    dlenski committed Nov 3, 2020
    ba6abd2
  27. .gitlab-ci.yml: run coverity weekly with a scheduled run

    This also fixes the image for coverity to fedora31 to avoid
    gcc compatibility issues. The reason for moving to scheduled
    runs is that there is a limit to coverity runs per project.
    
    Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
    nmav committed Nov 3, 2020
    5ece269
  28. Merge branch 'coverity' into 'master'

    .gitlab-ci.yml: run coverity weekly with a scheduled run
    
    See merge request openconnect/openconnect!127
    dlenski committed Nov 3, 2020
    de4c4ca

Commits on Nov 4, 2020

  1. Merge branch 'master' into 'master'

    Make correct TUNDEV value available to vpnc-script during pre-init
    
    See merge request openconnect/openconnect!122
    dlenski committed Nov 4, 2020
    e474967
  2. bump emulated GlobalProtect version number

    Apparently some GlobalProtect servers complain about old versions of the client connecting to them, so we should periodically bump up the version number of the client that we emulate.
    
    See https://gitlab.com/openconnect/openconnect/-/issues/176#note_395207613
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 4, 2020
    6c10332
  3. changelog

    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 4, 2020
    e005fb8
  4. Merge branch 'bump_emulated_GlobalProtect_version_number' into 'master'

    bump emulated GlobalProtect version number
    
    See merge request openconnect/openconnect!131
    dlenski committed Nov 4, 2020
    5dbd27c
  5. Juniper unknown forms with action remediate.cgi seem to indicate TNCC/Host Checker failure: log error about this
    
    Suggested at https://gitlab.com/openconnect/openconnect/-/issues/175#note_392561212
    
    Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    dlenski committed Nov 4, 2020
    db5142f
  6. Merge branch 'Juniper_form_action_remediate.cgi_indicates_TNCC_failure' into 'master'
    
    Juniper unknown forms with action remediate.cgi seem to indicate TNCC/Host Checker failure
    
    See merge request openconnect/openconnect!130
    dlenski committed Nov 4, 2020
    e79b26d