authorJames <31272717+gpd-pocket-hacker@users.noreply.github.com>2019-01-07 18:07:49 +0000
committerJames <31272717+gpd-pocket-hacker@users.noreply.github.com>2019-01-07 18:07:49 +0000
commit2529bb240d5d1d02250d810d87b8892f74ab7d44 (patch)
tree96b69c95c8c098b5e03ce3edd9ab892cc064298c /master/globalprotect
working vpn appliance
Diffstat (limited to 'master/globalprotect')
-rw-r--r--master/globalprotect1151
1 files changed, 1151 insertions, 0 deletions
diff --git a/master/globalprotect b/master/globalprotect
new file mode 100644
index 0000000..c0fb27f
--- /dev/null
+++ b/master/globalprotect
@@ -0,0 +1,1151 @@
+diff --git a/package/network/utils/globalprotect/Config.in b/package/network/utils/globalprotect/Config.in
+new file mode 100644
+index 0000000..e69de29
+diff --git a/package/network/utils/globalprotect/Makefile b/package/network/utils/globalprotect/Makefile
+new file mode 100644
+index 0000000..b3d5501
+--- /dev/null
++++ b/package/network/utils/globalprotect/Makefile
+@@ -0,0 +1,73 @@
++#
++# Copyright (C) 2006-2015 OpenWrt.org
++#
++# This is free software, licensed under the GNU General Public License v2.
++# See /LICENSE for more information.
++#
++
++include $(TOPDIR)/rules.mk
++
++PKG_NAME:=globalprotect
++PKG_RELEASE:=8
++PKG_USE_MIPS16:=0
++
++PKG_VERSION:=2018-11-19
++PKG_RELEASE=$(PKG_SOURCE_VERSION)
++
++PKG_SOURCE_PROTO:=git
++PKG_SOURCE_URL=https://github.com/dlenski/openconnect
++PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
++PKG_SOURCE_VERSION:=e5fe063a087385c5b157ad7a9a3fa874181f6e3b
++PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
++
++PKG_LICENSE:=LGPLv2.1+
++
++PKG_FIXUP:=autoreconf
++
++
++include $(INCLUDE_DIR)/package.mk
++
++define Package/globalprotect/config
++ source "$(SOURCE)/Config.in"
++endef
++
++define Package/globalprotect
++ SECTION:=net
++ CATEGORY:=Network
++ DEPENDS:=+libxml2 +kmod-tun +resolveip +vpnc-scripts +GLOBALPROTECT_OPENSSL:libopenssl +p11-kit +libp11 +libpcsclite +libopensc-pkcs11 +pcscd +ccid
++ TITLE:=OpenConnect VPN client (Global Protect version)
++ MAINTAINER:=Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
++ URL:=http://www.infradead.org/globalprotect/
++ SUBMENU:=VPN
++endef
++
++define Package/globalprotect/description
++ A VPN client compatible with Cisco's AnyConnect SSL VPN, ocserv and Juniper (Pulse secure).
++
++ OpenConnect is a client that follows the Cisco's AnyConnect SSL VPN protocol,
++ which is supported by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800,
++ 2800, 3800, 7200 Series and Cisco 7301 Routers, as well as the OpenConnect
++ VPN server. It has later been ported to support the Juniper SSL VPN which
++ is now known as Pulse Connect Secure.
++endef
++
++CONFIGURE_ARGS += \
++ --disable-shared \
++ --with-vpnc-script=/lib/netifd/vpnc-script \
++ --with-libpcsclite \
++ --without-stoken \
++ --without-lz4 \
++ --without-gnutls
++
++define Package/globalprotect/install
++ $(INSTALL_DIR) $(1)/etc/globalprotect/
++ $(INSTALL_DIR) $(1)/lib/netifd/proto
++ $(INSTALL_BIN) ./files/globalprotect.sh $(1)/lib/netifd/proto/
++ $(INSTALL_DIR) $(1)/usr/sbin
++ $(INSTALL_BIN) $(PKG_BUILD_DIR)/globalprotect $(1)/usr/sbin/
++ $(INSTALL_BIN) ./files/globalprotect-wrapper $(1)/usr/sbin/
++ $(INSTALL_DIR) $(1)/lib/upgrade/keep.d
++ $(INSTALL_DATA) ./files/globalprotect.upgrade $(1)/lib/upgrade/keep.d/globalprotect
++endef
++
++$(eval $(call BuildPackage,globalprotect))
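Review bot: The only TLS library in `DEPENDS` is the conditional `+GLOBALPROTECT_OPENSSL:libopenssl`, but the `Config.in` this commit adds is empty (blob e69de29), so nothing visible defines that symbol, while `CONFIGURE_ARGS` passes `--without-gnutls`. As written the package appears to build with no guaranteed crypto backend; either define the symbol in `Config.in` or depend on `+libopenssl` unconditionally. `PKG_RELEASE` is also assigned twice, and the later `PKG_RELEASE=$(PKG_SOURCE_VERSION)` replaces `8` with the 40-character commit id, so one of the two lines should go. The source is pinned by commit, but there is no `PKG_MIRROR_HASH`, so as far as this Makefile shows a tarball obtained from a download mirror would not be compared against a known digest.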
+diff --git a/package/network/utils/globalprotect/README b/package/network/utils/globalprotect/README
+new file mode 100644
+index 0000000..019058c
+--- /dev/null
++++ b/package/network/utils/globalprotect/README
+@@ -0,0 +1,49 @@
++The openconnect client expects to be configured using the uci interface.
++
++To setup a VPN connection, add the following to /etc/config/network:
++
++config interface 'MYVPN'
++ option proto 'openconnect'
++ option interface 'wan'
++ option server 'vpn.example.com'
++ option port '4443'
++ option username 'test'
++ option password 'secret'
++ option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
++ option defaultroute '0'
++ option authgroup 'DEFAULT'
++
++ # For second factor auth:
++
++ # when a fixed 2FA password can be used
++ #option password2 'my-fixed-2fa-password'
++
++ # RSA tokens, must be built with stoken support
++ #option token_mode 'rsa'
++ #option token_secret 'secret'
++
++ # HOTP/TOTP tokens
++ #option token_mode 'hotp'
++ #option token_secret '00'
++
++ # tokens from script
++ #option token_mode 'script'
++ #option token_script '/lib/custom/getocpass.sh'
++
++ # Juniper vpn support
++ #option juniper '1'
++
++The additional files are also used:
++/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
++/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key
++/etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)
++
++After these are setup you can initiate the VPN using "ifup MYVPN", and
++deinitialize it using ifdown. You may also use the luci web interface
++(Network -> Interfaces -> MYVPN Connect).
++
++Note that you need to configure the firewall to allow communication between
++the MYVPN interface and lan.
++
++There is a luci plugin to allow configuring an openconnect interface from
++the web environment; see the luci-proto-openconnect package.
+diff --git a/package/network/utils/globalprotect/files/globalprotect-wrapper b/package/network/utils/globalprotect/files/globalprotect-wrapper
+new file mode 100755
+index 0000000..1f23055
+--- /dev/null
++++ b/package/network/utils/globalprotect/files/globalprotect-wrapper
+@@ -0,0 +1,13 @@
++#!/bin/sh
++
++# This script wraps globalprotect in order to obtain the password
++# file from cmd.
++
++# $1 password file
++# $2... are passed to globalprotect
++
++test -z "$1" && exit 1
++
++pwfile=$1
++shift
++exec /usr/sbin/globalprotect "$@" <$pwfile
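Review bot: `pwfile` is expanded unquoted in the redirection on the last line, although `$1` is quoted in the emptiness test above it, and the path is built by the caller from the interface name. Shells differ in how they treat an unquoted redirect target that contains whitespace, so quoting it, `exec /usr/sbin/globalprotect "$@" <"$pwfile"`, keeps the behaviour the same everywhere.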
+diff --git a/package/network/utils/globalprotect/files/globalprotect.sh b/package/network/utils/globalprotect/files/globalprotect.sh
+new file mode 100755
+index 0000000..1e40e05
+--- /dev/null
++++ b/package/network/utils/globalprotect/files/globalprotect.sh
+@@ -0,0 +1,119 @@
++#!/bin/sh
++. /lib/functions.sh
++. ../netifd-proto.sh
++init_proto "$@"
++
++proto_globalprotect_init_config() {
++ proto_config_add_string "server"
++ proto_config_add_int "port"
++ proto_config_add_int "mtu"
++ proto_config_add_int "juniper"
++ proto_config_add_string "interface"
++ proto_config_add_string "username"
++ proto_config_add_string "serverhash"
++ proto_config_add_string "authgroup"
++ proto_config_add_string "password"
++ proto_config_add_string "password2"
++ proto_config_add_string "token_mode"
++ proto_config_add_string "token_secret"
++ proto_config_add_string "token_script"
++ proto_config_add_string "os"
++ proto_config_add_string "csd_wrapper"
++ proto_config_add_string "clientcert"
++ no_device=1
++ available=1
++}
++
++proto_globalprotect_setup() {
++ local config="$1"
++
++ json_get_vars server port interface username serverhash authgroup password password2 token_mode token_secret token_script os csd_wrapper mtu juniper clientcert
++
++ grep -q tun /proc/modules || insmod tun
++ ifname="vpn-$config"
++
++ logger -t globalprotect "initializing..."
++
++ logger -t "globalprotect" "adding host dependency for $server at $config"
++ for ip in $(resolveip -t 10 "$server"); do
++ logger -t "globalprotect" "adding host dependency for $ip at $config"
++ proto_add_host_dependency "$config" "$ip" "$interface"
++ done
++
++ [ -n "$port" ] && port=":$port"
++
++ cmdline="$server$port -i "$ifname" --non-inter --syslog --script /lib/netifd/vpnc-script"
++ [ -n "$mtu" ] && cmdline="$cmdline --mtu $mtu"
++
++ [ -n "$clientcert" ] && {
++ append cmdline "--certificate"
++ append cmdline "$clientcert"
++ }
++
++ append cmdline "--protocol=gp"
++
++ # migrate to standard config files
++ [ -f "/etc/config/globalprotect-user-cert-vpn-$config.pem" ] && mv "/etc/config/globalprotect-user-cert-vpn-$config.pem" "/etc/globalprotect/user-cert-vpn-$config.pem"
++ [ -f "/etc/config/globalprotect-user-key-vpn-$config.pem" ] && mv "/etc/config/globalprotect-user-key-vpn-$config.pem" "/etc/globalprotect/user-key-vpn-$config.pem"
++ [ -f "/etc/config/globalprotect-ca-vpn-$config.pem" ] && mv "/etc/config/globalprotect-ca-vpn-$config.pem" "/etc/globalprotect/ca-vpn-$config.pem"
++
++ [ -f /etc/globalprotect/user-cert-vpn-$config.pem ] && append cmdline "-c /etc/globalprotect/user-cert-vpn-$config.pem"
++ [ -f /etc/globalprotect/user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/globalprotect/user-key-vpn-$config.pem"
++ [ -f /etc/globalprotect/ca-vpn-$config.pem ] && {
++ append cmdline "--cafile /etc/globalprotect/ca-vpn-$config.pem"
++ append cmdline "--no-system-trust"
++ }
++
++ if [ "${juniper:-0}" -gt 0 ]; then
++ append cmdline "--juniper"
++ fi
++
++ [ -n "$serverhash" ] && {
++ append cmdline " --servercert=$serverhash"
++ append cmdline "--no-system-trust"
++ }
++ [ -n "$authgroup" ] && append cmdline "--authgroup $authgroup"
++ [ -n "$username" ] && append cmdline "-u $username"
++ [ -n "$password" ] || [ "$token_mode" = "script" ] && {
++ umask 077
++ mkdir -p /var/etc
++ pwfile="/var/etc/globalprotect-$config.passwd"
++ [ -n "$password" ] && {
++ echo "$password" > "$pwfile"
++ [ -n "$password2" ] && echo "$password2" >> "$pwfile"
++ }
++ [ "$token_mode" = "script" ] && {
++ $token_script > "$pwfile" 2> /dev/null || {
++ logger -t globalprotect "Cannot get password from script '$token_script'"
++ proto_setup_failed "$config"
++ }
++ }
++ append cmdline "--passwd-on-stdin"
++ }
++
++ [ -n "$token_mode" -a "$token_mode" != "script" ] && append cmdline "--token-mode=$token_mode"
++ [ -n "$token_secret" ] && append cmdline "--token-secret=$token_secret"
++ [ -n "$os" ] && append cmdline "--os=$os"
++ [ -n "$csd_wrapper" ] && [ -x "$csd_wrapper" ] && append cmdline "--csd-wrapper=$csd_wrapper"
++
++ proto_export INTERFACE="$config"
++ logger -t globalprotect "executing 'globalprotect $cmdline'"
++
++ if [ -f "$pwfile" ]; then
++ proto_run_command "$config" /usr/sbin/globalprotect-wrapper $pwfile $cmdline
++ else
++ proto_run_command "$config" /usr/sbin/globalprotect $cmdline
++ fi
++}
++
++proto_globalprotect_teardown() {
++ local config="$1"
++
++ pwfile="/var/etc/globalprotect-$config.passwd"
++
++ rm -f $pwfile
++ logger -t globalprotect "bringing down globalprotect"
++ proto_kill_command "$config" 2
++}
++
++add_protocol globalprotect
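Review bot: The `logger` call just before `proto_run_command` in `proto_globalprotect_setup` writes the whole `$cmdline` to syslog, and by then `--token-secret=$token_secret` has been appended to it, so the OTP seed lands in the system log (and on the client's argument list) even though the password itself is kept in a file created under `umask 077`. Log only non-secret fields, e.g. `logger -t globalprotect "starting globalprotect for $server ($config)"`, and consider handing the seed over through the `@file` form of `--token-secret` that the man page added later in this patch documents. Separately, when `$token_script` fails the block calls `proto_setup_failed "$config"` but does not return, so unless that helper (sourced from netifd-proto.sh, not shown) exits, setup continues and starts the client with an empty password file; a `return 1` after it would stop that. `$cmdline` and `$pwfile` are also expanded unquoted at the `proto_run_command` lines, so a configured value containing whitespace is split into extra arguments.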
+diff --git a/package/network/utils/globalprotect/files/globalprotect.upgrade b/package/network/utils/globalprotect/files/globalprotect.upgrade
+new file mode 100644
+index 0000000..9dc27a6
+--- /dev/null
++++ b/package/network/utils/globalprotect/files/globalprotect.upgrade
+@@ -0,0 +1,9 @@
++/etc/globalprotect/user-cert-vpn-*.pem
++/etc/globalprotect/user-key-vpn-*.pem
++/etc/globalprotect/ca-vpn-*.pem
++/etc/globalprotect/pre-init.d/
++/etc/globalprotect/connect.d/
++/etc/globalprotect/post-connect.d/
++/etc/globalprotect/disconnect.d/
++/etc/globalprotect/post-disconnect.d/
++/etc/globalprotect/reconnect.d/
+diff --git a/package/network/utils/globalprotect/patches/0001-Fix-compilation-with-libp11-version-0.4.7.patch b/package/network/utils/globalprotect/patches/0001-Fix-compilation-with-libp11-version-0.4.7.patch
+new file mode 100644
+index 0000000..c6e139a
+--- /dev/null
++++ b/package/network/utils/globalprotect/patches/0001-Fix-compilation-with-libp11-version-0.4.7.patch
+@@ -0,0 +1,50 @@
++From 03ecd34e0137b3f0bf0d2fc3ab7f7d8b3682785e Mon Sep 17 00:00:00 2001
++From: Yousong Zhou <yszhou4tech@gmail.com>
++Date: Thu, 14 Dec 2017 18:03:35 +0800
++Subject: [PATCH] Fix compilation with libp11 version >= 0.4.7
++
++libp11 0.4.7 renamed then dropped macro definition in commits
++
++ 4f0fce4: Error reporting fixes
++ e4c641b: PKCS11 errors separated into P11 and CKR
++
++This change assumes that libp11 will restore compatibility by bringing
++back old forms of macro definition
++
++Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
++---
++ openssl-pkcs11.c | 18 ++++++++++++++++++
++ 1 file changed, 18 insertions(+)
++
++diff --git a/openssl-pkcs11.c b/openssl-pkcs11.c
++index 61da123..ba7e491 100644
++--- a/openssl-pkcs11.c
+++++ b/openssl-pkcs11.c
++@@ -30,6 +30,24 @@
++ #include <libp11.h>
++ #include <p11-kit/pkcs11.h>
++
+++#ifndef ERR_LIB_PKCS11
+++# if defined(ERR_LIB_CKR)
+++# define ERR_LIB_PKCS11 ERR_LIB_CKR
+++# elif defined(ERR_LIB_USER)
+++# define ERR_LIB_PKCS11 ERR_LIB_USER
+++# else
+++# error undefined macro ERR_LIB_PKCS11
+++# endif
+++#endif
+++
+++#ifndef PKCS11_F_PKCS11_LOGIN
+++# if defined(CKR_F_PKCS11_LOGIN)
+++# define PKCS11_F_PKCS11_LOGIN CKR_F_PKCS11_LOGIN
+++# else
+++# error undefined macro PKCS11_F_PKCS11_LOGIN
+++# endif
+++#endif
+++
++ static PKCS11_CTX *pkcs11_ctx(struct openconnect_info *vpninfo)
++ {
++ PKCS11_CTX *ctx;
++--
++1.8.3.1
++
+diff --git a/package/network/utils/globalprotect/patches/0002-rename-to-globalprotect.patch b/package/network/utils/globalprotect/patches/0002-rename-to-globalprotect.patch
+new file mode 100644
+index 0000000..93ef78d
+--- /dev/null
++++ b/package/network/utils/globalprotect/patches/0002-rename-to-globalprotect.patch
+@@ -0,0 +1,793 @@
++Index: globalprotect-2018-11-19/Makefile.am
++===================================================================
++--- globalprotect-2018-11-19.orig/Makefile.am
+++++ globalprotect-2018-11-19/Makefile.am
++@@ -1,10 +1,10 @@
++
++ SUBDIRS = tests
++ # We kind of want openconnect to be built before we try to test it
++-check-recursive: openconnect$(EXEEXT)
++-# And even *building* some of tests/*.c needs libopenconnect
++-install-recursive: libopenconnect.la
++-all-recursive: libopenconnect.la
+++check-recursive: globalprotect$(EXEEXT)
+++# And even *building* some of tests/*.c needs libglobalprotect
+++install-recursive: libglobalprotect.la
+++all-recursive: libglobalprotect.la
++
++ if BUILD_WWW
++ SUBDIRS += www
++@@ -13,19 +13,19 @@ if USE_NLS
++ SUBDIRS += po
++ endif
++
++-lib_LTLIBRARIES = libopenconnect.la
++-sbin_PROGRAMS = openconnect
++-man8_MANS = openconnect.8
+++lib_LTLIBRARIES = libglobalprotect.la
+++sbin_PROGRAMS = globalprotect
+++man8_MANS = globalprotect.8
++
++ AM_CFLAGS = @WFLAGS@
++ AM_CPPFLAGS = -DLOCALEDIR="\"$(localedir)\""
++
++-openconnect_SOURCES = xml.c main.c
++-openconnect_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS)
++-openconnect_LDADD = libopenconnect.la $(SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(INTL_LIBS) $(ICONV_LIBS)
+++globalprotect_SOURCES = xml.c main.c
+++globalprotect_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS)
+++globalprotect_LDADD = libglobalprotect.la $(SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(INTL_LIBS) $(ICONV_LIBS)
++
++ if OPENCONNECT_WIN32
++-openconnect_SOURCES += openconnect.rc
+++globalprotect_SOURCES += openconnect.rc
++ endif
++ library_srcs = ssl.c http.c http-auth.c auth-common.c library.c compat.c lzs.c mainloop.c script.c ntlm.c digest.c
++ lib_srcs_cisco = auth.c cstp.c
++@@ -43,7 +43,7 @@ lib_srcs_stoken = stoken.c
++ lib_srcs_esp = esp.c esp-seqno.c
++ lib_srcs_dtls = dtls.c
++
++-POTFILES = $(openconnect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) $(lib_srcs_globalprotect) \
+++POTFILES = $(globalprotect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) $(lib_srcs_globalprotect) \
++ gnutls-esp.c gnutls-dtls.c openssl-esp.c openssl-dtls.c \
++ $(lib_srcs_esp) $(lib_srcs_dtls) \
++ $(lib_srcs_openssl) $(lib_srcs_gnutls) $(library_srcs) \
++@@ -89,9 +89,9 @@ else
++ library_srcs += $(lib_srcs_posix)
++ endif
++
++-libopenconnect_la_SOURCES = version.c $(library_srcs)
++-libopenconnect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) $(LIBP11_CFLAGS) $(LIBLZ4_CFLAGS)
++-libopenconnect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS) $(LIBPCSCLITE_LIBS) $(LIBP11_LIBS) $(LIBLZ4_LIBS)
+++libglobalprotect_la_SOURCES = version.c $(library_srcs)
+++libglobalprotect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) $(LIBP11_CFLAGS) $(LIBLZ4_CFLAGS)
+++libglobalprotect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS) $(LIBPCSCLITE_LIBS) $(LIBP11_LIBS) $(LIBLZ4_LIBS)
++ if OPENBSD_LIBTOOL
++ # OpenBSD's libtool doesn't have -version-number, but its -version-info arg
++ # does what GNU libtool's -version-number does. Which arguably is what the
++@@ -100,27 +100,27 @@ LT_VER_ARG = -version-info
++ else
++ LT_VER_ARG = -version-number
++ endif
++-libopenconnect_la_LDFLAGS = $(LT_VER_ARG) @APIMAJOR@:@APIMINOR@ -no-undefined
+++libglobalprotect_la_LDFLAGS = $(LT_VER_ARG) @APIMAJOR@:@APIMINOR@ -no-undefined
++ noinst_HEADERS = openconnect-internal.h openconnect.h gnutls.h lzo.h
++ include_HEADERS = openconnect.h
++ if HAVE_VSCRIPT
++-libopenconnect_la_LDFLAGS += @VSCRIPT_LDFLAGS@,libopenconnect.map
++-libopenconnect_la_DEPENDENCIES = libopenconnect.map
+++libglobalprotect_la_LDFLAGS += @VSCRIPT_LDFLAGS@,libopenconnect.map
+++libglobalprotect_la_DEPENDENCIES = libopenconnect.map
++ endif
++
++ if OPENCONNECT_JNI
++ if JNI_STANDALONE
++-libopenconnect_la_SOURCES += jni.c
++-libopenconnect_la_CFLAGS += $(JNI_CFLAGS) -Wno-missing-declarations
+++libglobalprotect_la_SOURCES += jni.c
+++libglobalprotect_la_CFLAGS += $(JNI_CFLAGS) -Wno-missing-declarations
++ else
++-lib_LTLIBRARIES += libopenconnect-wrapper.la
++-libopenconnect_wrapper_la_SOURCES = jni.c
++-libopenconnect_wrapper_la_CFLAGS = $(AM_CFLAGS) $(JNI_CFLAGS) -Wno-missing-declarations
++-libopenconnect_wrapper_la_LIBADD = libopenconnect.la
+++lib_LTLIBRARIES += libglobalprotect-wrapper.la
+++libglobalprotect_wrapper_la_SOURCES = jni.c
+++libglobalprotect_wrapper_la_CFLAGS = $(AM_CFLAGS) $(JNI_CFLAGS) -Wno-missing-declarations
+++libglobalprotect_wrapper_la_LIBADD = libglobalprotect.la
++ endif
++ endif
++
++-pkgconfig_DATA = openconnect.pc
+++pkgconfig_DATA = globalprotect.pc
++
++ EXTRA_DIST = version.sh README.TESTS COPYING.LGPL $(lib_srcs_openssl) $(lib_srcs_gnutls)
++ EXTRA_DIST += $(shell cd "$(top_srcdir)" && \
++@@ -132,7 +132,7 @@ DISTCLEANFILES = $(pkgconfig_DATA)
++ openconnect-main.$(OBJEXT): version.c
++
++ version.c: $(library_srcs) $(lib_openssl_srcs) $(lib_gnutls_srcs) \
++- $(openconnect_SOURCES) Makefile.am configure.ac \
+++ $(globalprotect_SOURCES) Makefile.am configure.ac \
++ openconnect.h openconnect-internal.h version.sh @GITVERSIONDEPS@
++ @cd $(srcdir) && ./version.sh $(abs_builddir)/version.c
++
++Index: globalprotect-2018-11-19/configure.ac
++===================================================================
++--- globalprotect-2018-11-19.orig/configure.ac
+++++ globalprotect-2018-11-19/configure.ac
++@@ -1,4 +1,4 @@
++-AC_INIT(openconnect, 7.08)
+++AC_INIT(globalprotect, 7.08)
++ AC_CONFIG_HEADERS([config.h])
++
++ PKG_PROG_PKG_CONFIG
++@@ -16,7 +16,7 @@ AC_PREREQ([2.62], [], [AC_SUBST([localed
++ m4_ifdef([PKG_INSTALLDIR], [PKG_INSTALLDIR],
++ [AC_ARG_WITH([pkgconfigdir],
++ [AS_HELP_STRING([--with-pkgconfigdir],
++- [install directory for openconnect.pc pkg-config file])],
+++ [install directory for globalprotect.pc pkg-config file])],
++ [],[with_pkgconfigdir='$(libdir)/pkgconfig'])
++ AC_SUBST([pkgconfigdir], [${with_pkgconfigdir}])])
++
++@@ -942,7 +942,7 @@ AC_SUBST([CONFIG_STATUS_DEPENDENCIES],
++ ['$(top_srcdir)/po/LINGUAS \
++ $(top_srcdir)/openconnect.h \
++ $(top_srcdir)/libopenconnect.map.in \
++- $(top_srcdir)/openconnect.8.in \
+++ $(top_srcdir)/globalprotect.8.in \
++ $(top_srcdir)/tests/softhsm2.conf.in \
++ $(top_srcdir)/tests/configs/test-user-cert.config.in \
++ $(top_srcdir)/tests/configs/test-user-pass.config.in'])
++@@ -973,8 +973,8 @@ AC_SUBST(GITVERSIONDEPS)
++ AC_SUBST(OCSERV_USER, $(whoami))
++ AC_SUBST(OCSERV_GROUP, $(groups|cut -f 1 -d ' '))
++
++-AC_CONFIG_FILES(Makefile openconnect.pc po/Makefile www/Makefile \
++- libopenconnect.map openconnect.8 www/styles/Makefile \
+++AC_CONFIG_FILES(Makefile globalprotect.pc po/Makefile www/Makefile \
+++ libopenconnect.map globalprotect.8 www/styles/Makefile \
++ www/inc/Makefile www/images/Makefile tests/Makefile \
++ tests/softhsm2.conf tests/configs/test-user-cert.config \
++ tests/configs/test-user-pass.config)
++Index: globalprotect-2018-11-19/globalprotect.pc.in
++===================================================================
++--- /dev/null
+++++ globalprotect-2018-11-19/globalprotect.pc.in
++@@ -0,0 +1,13 @@
+++prefix=@prefix@
+++exec_prefix=@exec_prefix@
+++libdir=@libdir@
+++includedir=@includedir@
+++
+++
+++Name: globalprotect
+++Description: OpenConnect VPN client
+++Version: @VERSION@
+++Requires.private: @LIBPROXY_PC@ @ZLIB_PC@ @LIBLZ4_PC@ @SSL_PC@ @P11KIT_PC@ @LIBSTOKEN_PC@ @LIBPSKC_PC@ @LIBPCSCLITE_PC@ libxml-2.0
+++Libs: -L${libdir} -lglobalprotect
+++Libs.private: @INTL_LIBS@ @system_pcsc_libs@ @openssl_pc_libs@
+++Cflags: -I${includedir}
++Index: globalprotect-2018-11-19/globalprotect.8.in
++===================================================================
++--- /dev/null
+++++ globalprotect-2018-11-19/globalprotect.8.in
++@@ -0,0 +1,558 @@
+++.TH OPENCONNECT 8
+++.SH NAME
+++openconnect \- Multi-protocol VPN client, for Cisco AnyConnect VPNs and others
+++.SH SYNOPSIS
+++.SY openconnect
+++.OP \-\-config configfile
+++.OP \-b,\-\-background
+++.OP \-\-pid\-file pidfile
+++.OP \-c,\-\-certificate cert
+++.OP \-e,\-\-cert\-expire\-warning days
+++.OP \-k,\-\-sslkey key
+++.OP \-C,\-\-cookie cookie
+++.OP \-\-cookie\-on\-stdin
+++.OP \-\-compression MODE
+++.OP \-d,\-\-deflate
+++.OP \-D,\-\-no\-deflate
+++.OP \-\-force\-dpd interval
+++.OP \-g,\-\-usergroup group
+++.OP \-h,\-\-help
+++.OP \-\-http\-auth methods
+++.OP \-i,\-\-interface ifname
+++.OP \-l,\-\-syslog
+++.OP \-\-timestamp
+++.OP \-\-passtos
+++.OP \-U,\-\-setuid user
+++.OP \-\-csd\-user user
+++.OP \-m,\-\-mtu mtu
+++.OP \-\-base\-mtu mtu
+++.OP \-p,\-\-key\-password pass
+++.OP \-P,\-\-proxy proxyurl
+++.OP \-\-proxy\-auth methods
+++.OP \-\-no\-proxy
+++.OP \-\-libproxy
+++.OP \-\-key\-password\-from\-fsid
+++.OP \-q,\-\-quiet
+++.OP \-Q,\-\-queue\-len len
+++.OP \-s,\-\-script vpnc\-script
+++.OP \-S,\-\-script\-tun
+++.OP \-u,\-\-user name
+++.OP \-V,\-\-version
+++.OP \-v,\-\-verbose
+++.OP \-x,\-\-xmlconfig config
+++.OP \-\-authgroup group
+++.OP \-\-authenticate
+++.OP \-\-cookieonly
+++.OP \-\-printcookie
+++.OP \-\-cafile file
+++.OP \-\-disable\-ipv6
+++.OP \-\-dtls\-ciphers list
+++.OP \-\-dtls\-local\-port port
+++.OP \-\-dump\-http\-traffic
+++.OP \-\-no\-system\-trust
+++.OP \-\-pfs
+++.OP \-\-no\-dtls
+++.OP \-\-no\-http\-keepalive
+++.OP \-\-no\-passwd
+++.OP \-\-no\-xmlpost
+++.OP \-\-non\-inter
+++.OP \-\-passwd\-on\-stdin
+++.OP \-\-protocol proto
+++.OP \-\-token\-mode mode
+++.OP \-\-token\-secret {secret\fR[\fI,counter\fR]|@\fIfile\fR}
+++.OP \-\-reconnect\-timeout
+++.OP \-\-resolve host:ip
+++.OP \-\-servercert sha1
+++.OP \-\-useragent string
+++.OP \-\-local-hostname string
+++.OP \-\-os string
+++.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
+++.YS
+++
+++.SH DESCRIPTION
+++The program
+++.B openconnect
+++connects to VPN servers which use standard TLS/SSL, DTLS, and ESP
+++protocols for data transport.
+++
+++It was originally written to support Cisco "AnyConnect" VPN servers,
+++and has since been extended with experimental support for Juniper
+++Network Connect and Junos Pulse VPN servers
+++.RB ( \-\-protocol=nc )
+++and PAN GlobalProtect VPN servers
+++.RB ( \-\-protocol=gp ).
+++
+++The connection happens in two phases. First there is a simple HTTPS
+++connection over which the user authenticates somehow \- by using a
+++certificate, or password or SecurID, etc. Having authenticated, the
+++user is rewarded with an authentication cookie which can be used to make the
+++real VPN connection.
+++
+++The second phase uses that cookie to connect to a tunnel via HTTPS,
+++and data packets can be passed over the resulting connection. When
+++possible, a UDP tunnel is also configured: AnyConnect uses DTLS, while
+++Juniper and GlobalProtect use UDP-encapsulated ESP. The UDP tunnel
+++may be disabled with
+++.BR \-\-no\-dtls ,
+++but is preferred when correctly supported by the server and network
+++for performance reasons. (TCP performs poorly and unreliably over
+++TCP-based tunnels; see
+++.IR http://sites.inka.de/~W1011/devel/tcp-tcp.html .)
+++
+++.SH OPTIONS
+++.TP
+++.B \-\-config=CONFIGFILE
+++Read further options from
+++.I CONFIGFILE
+++before continuing to process options from the command line. The file
+++should contain long-format options as would be accepted on the command line,
+++but without the two leading \-\- dashes. Empty lines, or lines where the
+++first non-space character is a # character, are ignored.
+++
+++Any option except the
+++.B config
+++option may be specified in the file.
+++.TP
+++.B \-b,\-\-background
+++Continue in background after startup
+++.TP
+++.B \-\-pid\-file=PIDFILE
+++Save the pid to
+++.I PIDFILE
+++when backgrounding
+++.TP
+++.B \-c,\-\-certificate=CERT
+++Use SSL client certificate
+++.I CERT
+++which may be either a file name or, if OpenConnect has been built with an appropriate
+++version of GnuTLS, a PKCS#11 URL.
+++.TP
+++.B \-e,\-\-cert\-expire\-warning=DAYS
+++Give a warning when SSL client certificate has
+++.I DAYS
+++left before expiry
+++.TP
+++.B \-k,\-\-sslkey=KEY
+++Use SSL private key
+++.I KEY
+++which may be either a file name or, if OpenConnect has been built with an appropriate
+++version of GnuTLS, a PKCS#11 URL.
+++.TP
+++.B \-C,\-\-cookie=COOKIE
+++Use authentication cookie COOKIE.
+++.I COOKIE
+++.TP
+++.B \-\-cookie\-on\-stdin
+++Read cookie from standard input.
+++.TP
+++.B \-d,\-\-deflate
+++Enable all compression, including stateful modes. By default, only stateless
+++compression algorithms are enabled.
+++.TP
+++.B \-D,\-\-no\-deflate
+++Disable all compression.
+++.TP
+++.B \-\-compression=MODE
+++Set compression mode, where
+++.I MODE
+++is one of
+++.IR "stateless" ,
+++.IR "none" ,
+++or
+++.IR "all" .
+++
+++By default, only stateless compression algorithms which do not maintain state
+++from one packet to the next (and which can be used on UDP transports) are
+++enabled. By setting the mode to
+++.I "all"
+++stateful algorithms (currently only zlib deflate) can be enabled. Or all
+++compression can be disabled by setting the mode to
+++.IR "none" .
+++.TP
+++.B \-\-force\-dpd=INTERVAL
+++Use
+++.I INTERVAL
+++as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
+++.TP
+++.B \-g,\-\-usergroup=GROUP
+++Use
+++.I GROUP
+++as login UserGroup
+++.TP
+++.B \-h,\-\-help
+++Display help text
+++.TP
+++.B \-\-http\-auth=METHODS
+++Use only the specified methods for HTTP authentication to a server. By default,
+++only Negotiate, NTLM and Digest authentication are enabled. Basic authentication
+++is also supported but because it is insecure it must be explicitly enabled. The
+++argument is a comma-separated list of methods to be enabled. Note that the order
+++does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic
+++authentication in that order, if each is enabled, regardless of the order
+++specified in the METHODS string.
+++.TP
+++.B \-i,\-\-interface=IFNAME
+++Use
+++.I IFNAME
+++for tunnel interface
+++.TP
+++.B \-l,\-\-syslog
+++Use syslog for progress messages
+++.TP
+++.B \-\-timestamp
+++Prepend a timestamp to each progress message
+++.TP
+++.B \-\-passtos
+++Copy TOS / TCLASS of payload packet into DTLS packets.
+++.TP
+++.B \-U,\-\-setuid=USER
+++Drop privileges after connecting, to become user
+++.I USER
+++.TP
+++.B \-\-csd\-user=USER
+++Drop privileges during execution of trojan binary or script (CSD, TNCC, or HIP).
+++.TP
+++.B \-\-csd\-wrapper=SCRIPT
+++Run
+++.I SCRIPT
+++instead of the trojan binary or script.
+++.TP
+++.B \-m,\-\-mtu=MTU
+++Request
+++.I MTU
+++from server as the MTU of the tunnel.
+++.TP
+++.B \-\-base\-mtu=MTU
+++Indicate
+++.I MTU
+++as the path MTU between client and server on the unencrypted network. Newer
+++servers will automatically calculate the MTU to be used on the tunnel from
+++this value.
+++.TP
+++.B \-p,\-\-key\-password=PASS
+++Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
+++.TP
+++.B \-P,\-\-proxy=PROXYURL
+++Use HTTP or SOCKS proxy for connection. A username and password can be provided
+++in the given URL, and will be used for authentication. If authentication is
+++required but no credentials are given, GSSAPI and automatic NTLM authentication
+++using Samba's ntlm_auth helper tool may be attempted.
+++.TP
+++.B \-\-proxy\-auth=METHODS
+++Use only the specified methods for HTTP authentication to a proxy. By default,
+++only Negotiate, NTLM and Digest authentication are enabled. Basic authentication
+++is also supported but because it is insecure it must be explicitly enabled. The
+++argument is a comma-separated list of methods to be enabled. Note that the order
+++does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic
+++authentication in that order, if each is enabled, regardless of the order
+++specified in the METHODS string.
+++.TP
+++.B \-\-no\-proxy
+++Disable use of proxy
+++.TP
+++.B \-\-libproxy
+++Use libproxy to configure proxy automatically (when built with libproxy support)
+++.TP
+++.B \-\-key\-password\-from\-fsid
+++Passphrase for certificate file is automatically generated from the
+++.I fsid
+++of the file system on which it is stored. The
+++.I fsid
+++is obtained from the
+++.BR statvfs (2)
+++or
+++.BR statfs (2)
+++system call, depending on the operating system. On a Linux or similar system
+++with GNU coreutils, the
+++.I fsid
+++used by this option should be equal to the output of the command:
+++.EX
+++stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
+++.EE
+++It is not the same as the 128\-bit UUID of the file system.
+++.TP
+++.B \-q,\-\-quiet
+++Less output
+++.TP
+++.B \-Q,\-\-queue\-len=LEN
+++Set packet queue limit to
+++.I LEN
+++pkts
+++.TP
+++.B \-s,\-\-script=SCRIPT
+++Invoke
+++.I SCRIPT
+++to configure the network after connection. Without this, routing and name
+++service are unlikely to work correctly. The script is expected to be
+++compatible with the
+++.B vpnc\-script
+++which is shipped with the "vpnc" VPN client. See
+++.I http://www.infradead.org/openconnect/vpnc-script.html
+++for more information. This version of OpenConnect is configured to
+++use \fB@DEFAULT_VPNCSCRIPT@\fR by default.
+++
+++On Windows, a relative directory for the default script will be handled as
+++starting from the directory that the openconnect executable is running from,
+++rather than the current directory. The script will be invoked with the
+++command-based script host \fBcscript.exe\fR.
+++.TP
+++.B \-S,\-\-script\-tun
+++Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
+++tun/tap device. This allows the VPN IP traffic to be handled entirely in
+++userspace, for example by a program which uses lwIP to provide SOCKS access
+++into the VPN.
+++.TP
+++.B \-u,\-\-user=NAME
+++Set login username to
+++.I NAME
+++.TP
+++.B \-V,\-\-version
+++Report version number
+++.TP
+++.B \-v,\-\-verbose
+++More output (may be specified multiple times for additional output)
+++.TP
+++.B \-x,\-\-xmlconfig=CONFIG
+++XML config file
+++.TP
+++.B \-\-authgroup=GROUP
+++Choose authentication login selection
+++.TP
+++.B \-\-authenticate
+++Authenticate only, and output the information needed to make the connection
+++a form which can be used to set shell environment variables. When invoked with
+++this option, openconnect will not make the connection, but if successful will
+++output something like the following to stdout:
+++.nf
+++.B COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
+++.B HOST=10.0.0.1
+++.B FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
+++.fi
+++Thus, you can invoke openconnect as a non-privileged user
+++.I (with access to the user's PKCS#11 tokens, etc.)
+++for authentication, and then invoke openconnect separately to make the actual
+++connection as root:
+++.nf
+++.B eval `openconnect --authenticate https://vpnserver.example.com`;
+++.B [ -n "$COOKIE" ] && echo "$COOKIE" |
+++.B \ \ sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
+++.fi
+++.TP
+++.B \-\-cookieonly
+++Fetch and print cookie only; don't connect
+++.TP
+++.B \-\-printcookie
+++Print cookie before connecting
+++.TP
+++.B \-\-cafile=FILE
+++Cert file for server verification
+++.TP
+++.B \-\-disable\-ipv6
+++Do not advertise IPv6 capability to server
+++.TP
+++.B \-\-dtls\-ciphers=LIST
+++Set OpenSSL ciphers to support for DTLS
+++.TP
+++.B \-\-dtls\-local\-port=PORT
+++Use
+++.I PORT
+++as the local port for DTLS and UDP datagrams
+++.TP
+++.B \-\-dump\-http\-traffic
+++Enable verbose output of all HTTP requests and the bodies of all responses
+++received from the server.
+++.TP
+++.B \-\-no\-system\-trust
+++Do not trust the system default certificate authorities. If this option is
+++given, only certificate authorities given with the
+++.B \-\-cafile
+++option, if any, will be trusted automatically.
+++
+++.TP
+++.B \-\-pfs
+++Enforces Perfect Forward Secrecy (PFS). That ensures that if the server's
+++long-term key is compromised, any session keys established before the compromise
+++will be unaffected. If this option is provided and the server does not support PFS
+++in the TLS channel the connection will fail.
+++
+++PFS is available in Cisco ASA releases 9.1(2) and higher; a suitable cipher
+++suite may need to be manually enabled by the administrator using the
+++.B ssl encryption
+++setting.
+++
+++.TP
+++.B \-\-no\-dtls
+++Disable DTLS and ESP
+++.TP
+++.B \-\-no\-http\-keepalive
+++Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
+++the client's SSL certificate when HTTP connections are being re\-used for
+++multiple requests. So far, this has only been seen on the initial connection,
+++where the server gives an HTTP/1.0 redirect response with an explicit
+++.B Connection: Keep\-Alive
+++directive. OpenConnect as of v2.22 has an unconditional workaround for this,
+++which is never to obey that directive after an HTTP/1.0 response.
+++
+++However, Cisco's support team has failed to give any competent
+++response to the bug report and we don't know under what other
+++circumstances their bug might manifest itself. So this option exists
+++to disable ALL re\-use of HTTP sessions and cause a new connection to be
+++made for each request. If your server seems not to be recognising your
+++certificate, try this option. If it makes a difference, please report
+++this information to the
+++.B openconnect\-devel@lists.infradead.org
+++mailing list.
+++.TP
+++.B \-\-no\-passwd
+++Never attempt password (or SecurID) authentication.
+++.TP
+++.B \-\-no\-xmlpost
+++Do not attempt to post an XML authentication/configuration request to the
+++server; use the old style GET method which was used by older clients and
+++servers instead.
+++
+++This option is a temporary safety net, to work around potential
+++compatibility issues with the code which falls back to the old method
+++automatically. It causes OpenConnect to behave more like older
+++versions (4.08 and below) did. If you find that you need to use this
+++option, then you have found a bug in OpenConnect. Please see
+++http://www.infradead.org/openconnect/mail.html and report this to the
+++developers.
+++.TP
+++.B \-\-non\-inter
+++Do not expect user input; exit if it is required.
+++.TP
+++.B \-\-passwd\-on\-stdin
+++Read password from standard input
+++.TP
+++.B \-\-protocol=PROTO
+++Select VPN protocol
+++.I PROTO
+++to be used for the connection. Supported protocols are
+++.I anyconnect
+++for Cisco AnyConnect (the default),
+++.I nc
+++for experimental support for Juniper Network Connect (also supported
+++by Junos Pulse servers), and
+++.I gp
+++for experimental support for PAN GlobalProtect.
+++.TP
+++.B \-\-token\-mode=MODE
+++Enable one-time password generation using the
+++.I MODE
+++algorithm.
+++.B \-\-token\-mode=rsa
+++will call libstoken to generate an RSA SecurID tokencode,
+++.B \-\-token\-mode=totp
+++will call liboath to generate an RFC 6238 time-based password, and
+++.B \-\-token\-mode=hotp
+++will call liboath to generate an RFC 4226 HMAC-based password. Yubikey
+++tokens which generate OATH codes in hardware are supported with
+++.B \-\-token\-mode=yubioath
+++.TP
+++.B \-\-token\-secret={ SECRET[,COUNTER] | @FILENAME }
+++The secret to use when generating one-time passwords/verification codes.
+++Base 32-encoded TOTP/HOTP secrets can be used by specifying "base32:" at the
+++beginning of the secret, and for HOTP secrets the token counter can be
+++specified following a comma.
+++
+++RSA SecurID secrets can be specified as an Android/iPhone URI or a raw numeric
+++CTF string (with or without dashes).
+++
+++For Yubikey OATH the token secret specifies the name of the credential to be
+++used. If not provided, the first OATH credential found on the device will be
+++used.
+++
+++.IR FILENAME ,
+++if specified, can contain any of the above strings. Or, it can contain a
+++SecurID XML (SDTID) seed.
+++
+++If this option is omitted, and \-\-token\-mode is
+++"rsa", libstoken will try to use the software token seed saved in
+++.B ~/.stokenrc
+++by the "stoken import" command.
+++.TP
+++.B \-\-reconnect\-timeout
+++Keep reconnect attempts until so much seconds are elapsed. The default
+++timeout is 300 seconds, which means that openconnect can recover
+++VPN connection after a temporary network down time of 300 seconds.
+++.TP
+++.B \-\-resolve=HOST:IP
+++Automatically resolve the hostname
+++.IR HOST
+++to
+++.IR IP
+++instead of using the normal resolver to look it up.
+++.TP
+++.B \-\-servercert=HASH
+++Accept server's SSL certificate only if the provided fingerprint matches.
+++The allowed fingerprint types are
+++.IR SHA1 ,
+++.IR SHA256 ,
+++and
+++.IR PIN-SHA256 .
+++They are distinguished by the 'sha1:', 'sha256:' and 'pin-sha256:' prefixes to the
+++encoded hash. The first two are custom identifiers providing hex
+++encoding of the peer's public key, while 'pin-sha256:' is the RFC7469 key
+++PIN, which utilizes base64 encoding. To ease certain
+++testing use-cases, a partial match of the hash will also
+++be accepted, if it is at least 4 characters past the prefix.
+++.TP
+++.B \-\-useragent=STRING
+++Use
+++.I STRING
+++as 'User\-Agent:' field value in HTTP header.
+++(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
+++.TP
+++.B \-\-local-hostname=STRING
+++Use
+++.I STRING
+++as 'X\-CSTP\-Hostname:' field value in HTTP header. For example \-\-local\-hostname 'mypc',
+++will advertise the value 'mypc' as the suggested hostname to point to the provided IP address.
+++.TP
+++.B \-\-os=STRING
+++OS type to report to gateway. Recognized values are:
+++.BR linux ,
+++.BR linux\-64 ,
+++.BR win ,
+++.BR mac\-intel ,
+++.BR android ,
+++.BR apple\-ios .
+++Reporting a different OS type may affect the dynamic access policy (DAP)
+++applied to the VPN session. If the gateway requires CSD, it will also cause
+++the corresponding CSD trojan binary to be downloaded, so you may need to use
+++.B \-\-csd\-wrapper
+++if this code is not executable on the local machine.
+++.SH SIGNALS
+++In the data phase of the connection, the following signals are handled:
+++.TP
+++.B SIGINT
+++performs a clean shutdown by logging the session off, disconnecting from the
+++gateway, and running the vpnc\-script to restore the network configuration.
+++.TP
+++.B SIGHUP
+++disconnects from the gateway and runs the vpnc\-script, but does not log the
+++session off; this allows for reconnection later using
+++.BR \-\-cookie .
+++.TP
+++.B SIGUSR2
+++forces an immediate disconnection and reconnection; this can be used to
+++quickly recover from LAN IP address changes.
+++.TP
+++.B SIGTERM
+++exits immediately without logging off or running vpnc\-script.
+++.SH LIMITATIONS
+++Note that although IPv6 has been tested on all platforms on which
+++.B openconnect
+++is known to run, it depends on a suitable
+++.B vpnc\-script
+++to configure the network. The standard
+++.B vpnc\-script
+++shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
+++.B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
+++will be required.
+++.SH SEE ALSO
+++.BR ocserv (8)
+++
+++.SH AUTHORS
+++David Woodhouse <dwmw2@infradead.org>
++Index: globalprotect-2018-11-19/tests/Makefile.am
++===================================================================
++--- globalprotect-2018-11-19.orig/tests/Makefile.am
+++++ globalprotect-2018-11-19/tests/Makefile.am
++@@ -88,7 +88,7 @@ TESTS = $(dist_check_SCRIPTS) $(C_TESTS)
++ noinst_PROGRAMS = $(C_TESTS) serverhash
++
++ serverhash_SOURCES = serverhash.c
++-serverhash_LDADD = ../libopenconnect.la $(SSL_LIBS)
+++serverhash_LDADD = ../libglobalprotect.la $(SSL_LIBS)
++
++ # Nothing actually *depends* on the cert files; they are created manually
++ # and considered part of the sources, committed to the git tree. But for
++Index: globalprotect-2018-11-19/www/Makefile.am
++===================================================================
++--- globalprotect-2018-11-19.orig/www/Makefile.am
+++++ globalprotect-2018-11-19/www/Makefile.am
++@@ -17,7 +17,7 @@ html_DATA = $(ALL_PAGES)
++ $(PYTHON) $(CONV) -d $(srcdir) $< > $@ || (rm $@; exit 1)
++
++ clean-local:
++- rm -f $(ALL_PAGES) openconnect.8.inc
+++ rm -f $(ALL_PAGES) globalprotect.8.inc
++
++ $(ALL_PAGES): menu1.xml $(srcdir)/inc/*.tmpl
++ $(FTR_PAGES): menu2-features.xml
++@@ -25,14 +25,14 @@ $(START_PAGES): menu2-started.xml
++ $(PROTO_PAGES): menu2-protocols.xml
++ $(MAIN_PAGES): menu2.xml
++
++-manual.html: openconnect.8.inc
+++manual.html: globalprotect.8.inc
++
++-$(top_builddir)/openconnect.8: $(top_srcdir)/openconnect.8.in $(top_builddir)/config.status
++- cd $(top_builddir) && $(SHELL) ./config.status openconnect.8
+++$(top_builddir)/globalprotect.8: $(top_srcdir)/globalprotect.8.in $(top_builddir)/config.status
+++ cd $(top_builddir) && $(SHELL) ./config.status globalprotect.8
++
++ # If this command line ever changes significantly, so should the
++ # corresponding autoconf check.
++-openconnect.8.inc: $(top_builddir)/openconnect.8
+++globalprotect.8.inc: $(top_builddir)/globalprotect.8
++ $(GROFF) -t -K UTF-8 -mandoc -Txhtml $? | \
++ sed -e 's/&minus;/-/g' -e '1,/<body>/d' -e '/<\/body>/,$$d' > $@
++
++Index: globalprotect-2018-11-19/www/manual.xml
++===================================================================
++--- globalprotect-2018-11-19.orig/www/manual.xml
+++++ globalprotect-2018-11-19/www/manual.xml
++@@ -8,7 +8,7 @@
++
++ <INCLUDE file="inc/content.tmpl" />
++
++- <INCLUDE file="openconnect.8.inc" />
+++ <INCLUDE file="globalprotect.8.inc" />
++
++ <INCLUDE file="inc/footer.tmpl" />
++ </PAGE>