- 14 Dec, 2020 1 commit
-
-
Daniel Lenski authored
This allows protocols to save the moment when a session's authentication (`vpninfo->cookie`) is expected to expire and no longer be useful for reconnection. The motivation is to eventually allow front-ends to know whether reauthentication is needed, or whether they should try using a cached cookie.

Current state:
- AnyConnect protocol: expiration is determined from the CONNECT response header `X-CSTP-Session-Timeout-Remaining` (with `X-CSTP-Session-Timeout` or `X-CSTP-Lease-Duration` as upper bounds in its absence)
- GlobalProtect protocol: expiration is determined from the `<lifetime>` tag of the XML config.
- Juniper Network Connect protocol: no currently known way to determine expiration. The `DSID` cookie is a standard HTTP cookie, so perhaps its expiration timestamp is intended for this purpose; however, I can find no real-world case where it has an expiration timestamp set.
- None of the currently-supported protocols provide the expiration timestamp until the connection phase, so it can't be obtained for export by the `--authenticate` option.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
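The AnyConnect precedence rules above (`X-CSTP-Session-Timeout-Remaining` first, otherwise the smaller of `X-CSTP-Session-Timeout` and `X-CSTP-Lease-Duration`) are easy to get subtly wrong, so here is an added, stand-alone example of computing the expiry and the front-end's "reuse cookie or reauthenticate" decision. This is editor-written illustration, not openconnect's own code: the `struct cstp_header` type, the sample headers, and the safety-margin policy in `cookie_still_usable()` are assumptions made for the example; only the header names come from the commit message.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <time.h>

/* One parsed CONNECT response header (assumed shape for this example). */
struct cstp_header {
    const char *name;
    const char *value;
};

/* Find `name` (case-insensitive, as HTTP header names are) and parse its
 * value as a non-negative count of seconds. Returns -1 when the header is
 * absent or the value is not a clean non-negative integer. */
static long header_seconds(const struct cstp_header *hdrs, size_t n,
                           const char *name)
{
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(hdrs[i].name, name) != 0)
            continue;
        char *end;
        long v = strtol(hdrs[i].value, &end, 10);
        if (end == hdrs[i].value || *end != '\0' || v < 0)
            return -1;
        return v;
    }
    return -1;
}

/* Seconds for which the session cookie remains useful, following the
 * precedence in the commit message: X-CSTP-Session-Timeout-Remaining if
 * present; otherwise the smaller of X-CSTP-Session-Timeout and
 * X-CSTP-Lease-Duration; -1 if the server sent none of them. */
long cstp_session_seconds_left(const struct cstp_header *hdrs, size_t n)
{
    long rem = header_seconds(hdrs, n, "X-CSTP-Session-Timeout-Remaining");
    if (rem >= 0)
        return rem;
    long timeout = header_seconds(hdrs, n, "X-CSTP-Session-Timeout");
    long lease = header_seconds(hdrs, n, "X-CSTP-Lease-Duration");
    if (timeout < 0)
        return lease;
    if (lease < 0)
        return timeout;
    return timeout < lease ? timeout : lease;
}

/* Absolute expiry time, or 0 when the server gave no usable hint. */
time_t cstp_session_expiry(const struct cstp_header *hdrs, size_t n, time_t now)
{
    long left = cstp_session_seconds_left(hdrs, n);
    return left < 0 ? 0 : now + left;
}

/* Front-end decision: 1 = reuse the cached cookie; 0 = expired or about to
 * expire, reauthenticate; -1 = unknown, the caller must choose a policy.
 * `margin` is an assumed safety margin so the cookie does not expire while
 * the reconnect handshake is still in flight. */
int cookie_still_usable(time_t expiry, time_t now, long margin)
{
    if (expiry == 0)
        return -1;
    return (expiry - now) > margin ? 1 : 0;
}

/* Constructed sample headers, not captured from a real head end. */
const struct cstp_header sample_with_remaining[] = {
    { "X-CSTP-Session-Timeout", "3600" },
    { "X-CSTP-Session-Timeout-Remaining", "120" },
};
const struct cstp_header sample_without_remaining[] = {
    { "X-CSTP-Session-Timeout", "3600" },
    { "x-cstp-lease-duration", "1200" },
};
const struct cstp_header sample_no_hint[] = {
    { "X-CSTP-MTU", "1406" },
};

int main(void)
{
    time_t now = time(NULL);
    time_t expiry = cstp_session_expiry(sample_with_remaining, 2, now);
    printf("seconds left: %ld, reuse cookie: %d\n",
           cstp_session_seconds_left(sample_with_remaining, 2),
           cookie_still_usable(expiry, now, 30));
    return 0;
}
```

Returning -1 for the "no hint" case rather than silently treating the cookie as valid forever is deliberate: it leaves the Juniper situation described above visible to the front-end instead of hiding it behind a guess.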
-
- 04 Nov, 2020 1 commit
-
-
Daniel Lenski authored
This closes #145, and adds tests intended to prevent similar situations from recurring.

Allowing the ancient, broken 3DES and RC4 ciphers is insecure; we do not want to (re-)enable them by default. (See discussion: https://gitlab.com/openconnect/openconnect/-/issues/145#note_344687335)

However, some still-in-use VPN servers can't do any better. So instead, we explicitly disable them, unless explicitly enabled with the `--allow-insecure-crypto` option, or corresponding API functions.

Also attempts to future-proof --allow-obsolete-crypto a bit, by setting `%VERIFY_ALLOW_SIGN_WITH_SHA1` (per nmav: https://gitlab.com/openconnect/openconnect/-/merge_requests/114#note_346496796), and explicitly enabling SHA1 (which was moved to GnuTLS “bad hashes list” in 1d75e116b1681d0e6b140d7530e7f0403088da88)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
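The secure-default / explicit-opt-in pattern described in the commit, and the kind of regression check it mentions, can be shown with a small GnuTLS priority-string builder and a checker that walks the `+`/`-` tokens. This is an added example written for this page, not openconnect's code: `BASE_PRIORITY` is a placeholder (openconnect's real default priority string is longer and is not reproduced), and `priority_enables()` is a simplified reading of GnuTLS priority syntax that only understands signed tokens, taking whether the leading keyword already includes an algorithm as a parameter.

```c
#include <stdio.h>
#include <string.h>

/* Assumed base priority for illustration only. */
#define BASE_PRIORITY "NORMAL:-VERS-SSL3.0"

/* Build the priority string. Secure default: 3DES-CBC and ARCFOUR-128 are
 * subtracted. Only an explicit opt-in (the equivalent of
 * --allow-insecure-crypto) adds them back, re-enables SHA1 and tolerates
 * SHA1-signed certificates via %VERIFY_ALLOW_SIGN_WITH_SHA1.
 * Returns 0 on success, -1 if `out` is too small. */
int build_priority(char *out, size_t outlen, int allow_insecure)
{
    int n;
    if (allow_insecure)
        n = snprintf(out, outlen,
                     "%s:+3DES-CBC:+ARCFOUR-128:+SHA1:%%VERIFY_ALLOW_SIGN_WITH_SHA1",
                     BASE_PRIORITY);
    else
        n = snprintf(out, outlen, "%s:-3DES-CBC:-ARCFOUR-128", BASE_PRIORITY);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Regression-style check: walk the colon-separated tokens left to right and
 * report whether `alg` ends up enabled. A later "+alg"/"-alg" overrides an
 * earlier one. `base_enables` says whether the leading keyword (e.g. NORMAL)
 * already includes `alg`; that set is GnuTLS-version dependent and is not
 * parsed here. */
int priority_enables(const char *prio, const char *alg, int base_enables)
{
    int enabled = base_enables;
    size_t alglen = strlen(alg);
    const char *p = prio;
    while (*p) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == alglen + 1 && (p[0] == '+' || p[0] == '-') &&
            strncmp(p + 1, alg, alglen) == 0)
            enabled = (p[0] == '+');
        p += len;
        if (*p == ':')
            p++;
    }
    return enabled;
}

int main(void)
{
    char prio[256];
    build_priority(prio, sizeof prio, 0);
    printf("default : %s (3DES enabled: %d)\n", prio,
           priority_enables(prio, "3DES-CBC", 1));
    build_priority(prio, sizeof prio, 1);
    printf("opt-in  : %s (3DES enabled: %d)\n", prio,
           priority_enables(prio, "3DES-CBC", 0));
    return 0;
}
```

The useful property to pin in a test is the negative one: with the flag off, the string must not enable 3DES or RC4 regardless of what the base keyword includes, which is exactly the regression #145 was about.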
-
- 01 Apr, 2020 1 commit
-
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 30 Mar, 2020 1 commit
-
-
Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
-
- 15 Oct, 2018 1 commit
-
-
Ralph Schmieder authored
I've included a patch that provides better compatibility with CSD on ASA head ends. E.g. it allows specifying the version string that is presented to the ASA. Prior to this patch, OC presents its own version, e.g. 0.7.8, but that could cause rejection on the head end if it looks for a matching AC version string.

[dwmw2: All the library ABI support for the new function]

Signed-off-by: Ralph Schmieder <ralph.schmieder@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
-
- 11 Oct, 2018 1 commit
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
-
- 15 Aug, 2018 1 commit
-
-
Daniel Lenski authored
Juniper servers do extra stupid things when "Java" appears in the UA string.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
-
- 06 Aug, 2018 1 commit
-
-
Daniel Lenski authored
This is needed for the Android GUI to detect the idle/keepalive interval in a cross-protocol way.
-
- 05 Aug, 2018 2 commits
-
-
Daniel Lenski authored
-
Daniel Lenski authored
-
- 12 Feb, 2018 1 commit
-
-
Kevin Cernekee authored
This fixes the following warnings:

[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.5
[javac] warning: [options] source value 1.5 is obsolete and will be removed in a future release
[javac] warning: [options] target value 1.5 is obsolete and will be removed in a future release

Java 8 was released in 2014, so it should be widely available now.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
-
- 06 May, 2016 3 commits
-
-
Kevin Cernekee authored
Allow external validation of the entire certificate chain, not just the peer_cert.

Tested using a letsencrypt cert on Chrome OS.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Kevin Cernekee authored
openconnect_get_hostname() usually returns an IP, because it is used for two-stage connections. Add a new API call that returns a hostname so certificate validation can be handled externally.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Kevin Cernekee authored
Currently, library callers can pause the connection and then re-enter the mainloop later on, reusing the same cookie they obtained during the initial login. But they do not have an easy way to tell when the VPN has successfully reconnected and is able to pass traffic. This could be useful for informing the host OS (and/or UI) that the VPN has transitioned back from Reconnecting->Connected.

A callback is only needed on reconnection, not initial connection, because for the latter case CSTP is started through the openconnect_make_cstp_connection() API call before entering the mainloop.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 08 Mar, 2016 3 commits
-
-
Kevin Cernekee authored
Library users used to do something like:

openconnect_obtain_cookie()
openconnect_make_cstp_connection()
openconnect_setup_dtls()
openconnect_get_ip_info()
# ask the OS to create the tun interface
openconnect_setup_tun_fd()
openconnect_mainloop()

But now that MTU is calculated a few seconds after the mainloop starts up, it is necessary to provide a callback so that the calling application can create a tun interface with the correct MTU.

(Bonus: Android and Chrome OS currently do not allow the MTU, IP address, or other parameters to be adjusted after the initial settings were sent to the OS.)

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Kevin Cernekee authored
NaCl needs to whitelist (split-exclude) the gateway's IP address, because it doesn't have the option of whitelisting individual file descriptors.

Use vpninfo->ip_info.gateway_addr to track the numeric representation of vpn->peer_addr.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Nikos Mavrogiannopoulos authored
This provides an API to advertise our desired hostname to the server.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 06 Oct, 2015 1 commit
-
-
Nikos Mavrogiannopoulos authored
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 08 Dec, 2014 1 commit
-
-
Michael Zhilin authored
Signed-off-by: Michael Zhilin <zhilin@netcracker.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 20 Nov, 2014 2 commits
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
David Woodhouse authored
Just let main.c handle this in the validate_peer_cert() callback.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 17 Nov, 2014 1 commit
-
-
David Woodhouse authored
The Yubikey can do a bunch of stuff, not just the OATH tokens. The OATH tokens aren't even its *major* functionality. So call this 'yubioath' to avoid confusion and make it easier to support other things in the future if they make sense.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 07 Nov, 2014 1 commit
-
-
David Woodhouse authored
cf. https://code.google.com/p/android/issues/detail?id=22970

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 06 Nov, 2014 1 commit
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 28 Oct, 2014 2 commits
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
Nikos Mavrogiannopoulos authored
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 27 Oct, 2014 1 commit
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 17 Aug, 2014 1 commit
-
-
Kevin Cernekee authored
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
-
- 12 Aug, 2014 1 commit
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 20 Jun, 2014 1 commit
-
-
David Woodhouse authored
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 10 Jun, 2014 3 commits
-
-
Kevin Cernekee authored
Some users on unstable connections have requested the ability to lower the local DPD timeout, so the VPN reconnects more quickly if the connection hangs.

The new library call also implements sanity checks to prevent openconnect from going bananas when somebody passes in "--force-dpd 1" or "--force-dpd -1".

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
-
Kevin Cernekee authored
This makes it more consistent with setXMLPost().

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
-
Kevin Cernekee authored
Remove unused setupFD() jni stub.
Add missing setPFS() Java declaration.
Add missing setReqMTU() jni stub.
Remove unnecessary "!!" on jboolean.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
-
- 26 Apr, 2014 2 commits
-
-
Kevin Cernekee authored
It is useful to allow the user to toggle PRG_TRACE logging on an active connection for debugging purposes. But currently this would involve releasing the class lock held by the mainloop. So we will use asyncLock to protect the shared variable.

Timings conducted on a Nexus 7 (2012) show that the new MonitorEnter/MonitorExit pair adds about 700ns to each progress_cb (which is called on each packet). This isn't great, but it's probably small enough to make it worth doing things the right way (using a lock) instead of just declaring loglevel as volatile.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
-
Kevin Cernekee authored
Rename cancelLock to asyncLock and store a global reference so it can be acquired by various JNI functions.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
-
- 09 Mar, 2014 1 commit
-
-
David Woodhouse authored
The ones in the java/ and android/ directories were being included in the release tarballs. Easier just to merge into one than filter them out.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 06 Feb, 2014 1 commit
-
-
David Woodhouse authored
Intel guidelines now recommend that this is omitted.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
-
- 15 Jan, 2014 1 commit
-
-
Kevin Cernekee authored
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
-