From 2529bb240d5d1d02250d810d87b8892f74ab7d44 Mon Sep 17 00:00:00 2001
From: James <31272717+gpd-pocket-hacker@users.noreply.github.com>
Date: Mon, 7 Jan 2019 18:07:49 +0000
Subject: working vpn appliance
---
master/globalprotect | 1151 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 1151 insertions(+)
create mode 100644 master/globalprotect
(limited to 'master/globalprotect')
diff --git a/master/globalprotect b/master/globalprotect
new file mode 100644
index 0000000..c0fb27f
--- /dev/null
+++ b/master/globalprotect
@@ -0,0 +1,1151 @@ +diff --git a/package/network/utils/globalprotect/Config.in b/package/network/utils/globalprotect/Config.in +new file mode 100644 +index 0000000..e69de29 +diff --git a/package/network/utils/globalprotect/Makefile b/package/network/utils/globalprotect/Makefile +new file mode 100644 +index 0000000..b3d5501 +--- /dev/null ++++ b/package/network/utils/globalprotect/Makefile +@@ -0,0 +1,73 @@ ++# ++# Copyright (C) 2006-2015 OpenWrt.org ++# ++# This is free software, licensed under the GNU General Public License v2. ++# See /LICENSE for more information. ++# ++ ++include $(TOPDIR)/rules.mk ++ ++PKG_NAME:=globalprotect ++PKG_RELEASE:=8 ++PKG_USE_MIPS16:=0 ++ ++PKG_VERSION:=2018-11-19 ++PKG_RELEASE=$(PKG_SOURCE_VERSION) ++ ++PKG_SOURCE_PROTO:=git ++PKG_SOURCE_URL=https://github.com/dlenski/openconnect ++PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) ++PKG_SOURCE_VERSION:=e5fe063a087385c5b157ad7a9a3fa874181f6e3b ++PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz ++ ++PKG_LICENSE:=LGPLv2.1+ ++ ++PKG_FIXUP:=autoreconf ++ ++ ++include $(INCLUDE_DIR)/package.mk ++ ++define Package/globalprotect/config ++ source "$(SOURCE)/Config.in" ++endef ++ ++define Package/globalprotect ++ SECTION:=net ++ CATEGORY:=Network ++ DEPENDS:=+libxml2 +kmod-tun +resolveip +vpnc-scripts +GLOBALPROTECT_OPENSSL:libopenssl +p11-kit +libp11 +libpcsclite +libopensc-pkcs11 +pcscd +ccid ++ TITLE:=OpenConnect VPN client (Global Protect version) ++ MAINTAINER:=Nikos Mavrogiannopoulos ++ URL:=http://www.infradead.org/globalprotect/ ++ SUBMENU:=VPN ++endef ++ ++define Package/globalprotect/description ++ A VPN client compatible with Cisco's AnyConnect SSL VPN, ocserv and Juniper (Pulse secure). ++ ++ OpenConnect is a client that follows the Cisco's AnyConnect SSL VPN protocol, ++ which is supported by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, ++ 2800, 3800, 7200 Series and Cisco 7301 Routers, as well as the OpenConnect ++ VPN server. 
It has later been ported to support the Juniper SSL VPN which ++ is now known as Pulse Connect Secure. ++endef ++ ++CONFIGURE_ARGS += \ ++ --disable-shared \ ++ --with-vpnc-script=/lib/netifd/vpnc-script \ ++ --with-libpcsclite \ ++ --without-stoken \ ++ --without-lz4 \ ++ --without-gnutls ++ ++define Package/globalprotect/install ++ $(INSTALL_DIR) $(1)/etc/globalprotect/ ++ $(INSTALL_DIR) $(1)/lib/netifd/proto ++ $(INSTALL_BIN) ./files/globalprotect.sh $(1)/lib/netifd/proto/ ++ $(INSTALL_DIR) $(1)/usr/sbin ++ $(INSTALL_BIN) $(PKG_BUILD_DIR)/globalprotect $(1)/usr/sbin/ ++ $(INSTALL_BIN) ./files/globalprotect-wrapper $(1)/usr/sbin/ ++ $(INSTALL_DIR) $(1)/lib/upgrade/keep.d ++ $(INSTALL_DATA) ./files/globalprotect.upgrade $(1)/lib/upgrade/keep.d/globalprotect ++endef ++ ++$(eval $(call BuildPackage,globalprotect)) +diff --git a/package/network/utils/globalprotect/README b/package/network/utils/globalprotect/README +new file mode 100644 +index 0000000..019058c +--- /dev/null ++++ b/package/network/utils/globalprotect/README +@@ -0,0 +1,49 @@ ++The openconnect client expects to be configured using the uci interface. 
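Review bot: The only TLS backend in `DEPENDS` of the package Makefile is the conditional `+GLOBALPROTECT_OPENSSL:libopenssl`, but the Config.in added next to it is the empty blob (`e69de29`), so unless that symbol is defined somewhere outside this patch it is never set, while `CONFIGURE_ARGS` forces `--without-gnutls`; either define the symbol in Config.in or depend on `+libopenssl` unconditionally. `PKG_RELEASE:=8` is dead, because `PKG_RELEASE=$(PKG_SOURCE_VERSION)` reassigns it a few lines later; keep one of the two. The source is pinned to a commit of `dlenski/openconnect`, but no `PKG_MIRROR_HASH` is set, so a tarball served from a download mirror would likely not be checked against a known hash, which matters for a VPN client. `MAINTAINER` and `URL` look copied from the openconnect package and should name whoever maintains this variant.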
++ ++To setup a VPN connection, add the following to /etc/config/network: ++ ++config interface 'MYVPN' ++ option proto 'openconnect' ++ option interface 'wan' ++ option server 'vpn.example.com' ++ option port '4443' ++ option username 'test' ++ option password 'secret' ++ option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25' ++ option defaultroute '0' ++ option authgroup 'DEFAULT' ++ ++ # For second factor auth: ++ ++ # when a fixed 2FA password can be used ++ #option password2 'my-fixed-2fa-password' ++ ++ # RSA tokens, must be built with stoken support ++ #option token_mode 'rsa' ++ #option token_secret 'secret' ++ ++ # HOTP/TOTP tokens ++ #option token_mode 'hotp' ++ #option token_secret '00' ++ ++ # tokens from script ++ #option token_mode 'script' ++ #option token_script '/lib/custom/getocpass.sh' ++ ++ # Juniper vpn support ++ #option juniper '1' ++ ++The additional files are also used: ++/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate ++/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key ++/etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash) ++ ++After these are setup you can initiate the VPN using "ifup MYVPN", and ++deinitialize it using ifdown. You may also use the luci web interface ++(Network -> Interfaces -> MYVPN Connect). ++ ++Note that you need to configure the firewall to allow communication between ++the MYVPN interface and lan. ++ ++There is a luci plugin to allow configuring an openconnect interface from ++the web environment; see the luci-proto-openconnect package. +diff --git a/package/network/utils/globalprotect/files/globalprotect-wrapper b/package/network/utils/globalprotect/files/globalprotect-wrapper +new file mode 100755 +index 0000000..1f23055 +--- /dev/null ++++ b/package/network/utils/globalprotect/files/globalprotect-wrapper +@@ -0,0 +1,13 @@ ++#!/bin/sh ++ ++# This script wraps globalprotect in order to obtain the password ++# file from cmd. ++ ++# $1 password file ++# $2... 
are passed to globalprotect ++ ++test -z "$1" && exit 1 ++ ++pwfile=$1 ++shift ++exec /usr/sbin/globalprotect "$@" <$pwfile +diff --git a/package/network/utils/globalprotect/files/globalprotect.sh b/package/network/utils/globalprotect/files/globalprotect.sh +new file mode 100755 +index 0000000..1e40e05 +--- /dev/null ++++ b/package/network/utils/globalprotect/files/globalprotect.sh +@@ -0,0 +1,119 @@ ++#!/bin/sh ++. /lib/functions.sh ++. ../netifd-proto.sh ++init_proto "$@" ++ ++proto_globalprotect_init_config() { ++ proto_config_add_string "server" ++ proto_config_add_int "port" ++ proto_config_add_int "mtu" ++ proto_config_add_int "juniper" ++ proto_config_add_string "interface" ++ proto_config_add_string "username" ++ proto_config_add_string "serverhash" ++ proto_config_add_string "authgroup" ++ proto_config_add_string "password" ++ proto_config_add_string "password2" ++ proto_config_add_string "token_mode" ++ proto_config_add_string "token_secret" ++ proto_config_add_string "token_script" ++ proto_config_add_string "os" ++ proto_config_add_string "csd_wrapper" ++ proto_config_add_string "clientcert" ++ no_device=1 ++ available=1 ++} ++ ++proto_globalprotect_setup() { ++ local config="$1" ++ ++ json_get_vars server port interface username serverhash authgroup password password2 token_mode token_secret token_script os csd_wrapper mtu juniper clientcert ++ ++ grep -q tun /proc/modules || insmod tun ++ ifname="vpn-$config" ++ ++ logger -t globalprotect "initializing..." 
++ ++ logger -t "globalprotect" "adding host dependency for $server at $config" ++ for ip in $(resolveip -t 10 "$server"); do ++ logger -t "globalprotect" "adding host dependency for $ip at $config" ++ proto_add_host_dependency "$config" "$ip" "$interface" ++ done ++ ++ [ -n "$port" ] && port=":$port" ++ ++ cmdline="$server$port -i "$ifname" --non-inter --syslog --script /lib/netifd/vpnc-script" ++ [ -n "$mtu" ] && cmdline="$cmdline --mtu $mtu" ++ ++ [ -n "$clientcert" ] && { ++ append cmdline "--certificate" ++ append cmdline "$clientcert" ++ } ++ ++ append cmdline "--protocol=gp" ++ ++ # migrate to standard config files ++ [ -f "/etc/config/globalprotect-user-cert-vpn-$config.pem" ] && mv "/etc/config/globalprotect-user-cert-vpn-$config.pem" "/etc/globalprotect/user-cert-vpn-$config.pem" ++ [ -f "/etc/config/globalprotect-user-key-vpn-$config.pem" ] && mv "/etc/config/globalprotect-user-key-vpn-$config.pem" "/etc/globalprotect/user-key-vpn-$config.pem" ++ [ -f "/etc/config/globalprotect-ca-vpn-$config.pem" ] && mv "/etc/config/globalprotect-ca-vpn-$config.pem" "/etc/globalprotect/ca-vpn-$config.pem" ++ ++ [ -f /etc/globalprotect/user-cert-vpn-$config.pem ] && append cmdline "-c /etc/globalprotect/user-cert-vpn-$config.pem" ++ [ -f /etc/globalprotect/user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/globalprotect/user-key-vpn-$config.pem" ++ [ -f /etc/globalprotect/ca-vpn-$config.pem ] && { ++ append cmdline "--cafile /etc/globalprotect/ca-vpn-$config.pem" ++ append cmdline "--no-system-trust" ++ } ++ ++ if [ "${juniper:-0}" -gt 0 ]; then ++ append cmdline "--juniper" ++ fi ++ ++ [ -n "$serverhash" ] && { ++ append cmdline " --servercert=$serverhash" ++ append cmdline "--no-system-trust" ++ } ++ [ -n "$authgroup" ] && append cmdline "--authgroup $authgroup" ++ [ -n "$username" ] && append cmdline "-u $username" ++ [ -n "$password" ] || [ "$token_mode" = "script" ] && { ++ umask 077 ++ mkdir -p /var/etc ++ pwfile="/var/etc/globalprotect-$config.passwd" ++ 
[ -n "$password" ] && { ++ echo "$password" > "$pwfile" ++ [ -n "$password2" ] && echo "$password2" >> "$pwfile" ++ } ++ [ "$token_mode" = "script" ] && { ++ $token_script > "$pwfile" 2> /dev/null || { ++ logger -t globalprotect "Cannot get password from script '$token_script'" ++ proto_setup_failed "$config" ++ } ++ } ++ append cmdline "--passwd-on-stdin" ++ } ++ ++ [ -n "$token_mode" -a "$token_mode" != "script" ] && append cmdline "--token-mode=$token_mode" ++ [ -n "$token_secret" ] && append cmdline "--token-secret=$token_secret" ++ [ -n "$os" ] && append cmdline "--os=$os" ++ [ -n "$csd_wrapper" ] && [ -x "$csd_wrapper" ] && append cmdline "--csd-wrapper=$csd_wrapper" ++ ++ proto_export INTERFACE="$config" ++ logger -t globalprotect "executing 'globalprotect $cmdline'" ++ ++ if [ -f "$pwfile" ]; then ++ proto_run_command "$config" /usr/sbin/globalprotect-wrapper $pwfile $cmdline ++ else ++ proto_run_command "$config" /usr/sbin/globalprotect $cmdline ++ fi ++} ++ ++proto_globalprotect_teardown() { ++ local config="$1" ++ ++ pwfile="/var/etc/globalprotect-$config.passwd" ++ ++ rm -f $pwfile ++ logger -t globalprotect "bringing down globalprotect" ++ proto_kill_command "$config" 2 ++} ++ ++add_protocol globalprotect +diff --git a/package/network/utils/globalprotect/files/globalprotect.upgrade b/package/network/utils/globalprotect/files/globalprotect.upgrade +new file mode 100644 +index 0000000..9dc27a6 +--- /dev/null ++++ b/package/network/utils/globalprotect/files/globalprotect.upgrade +@@ -0,0 +1,9 @@ ++/etc/globalprotect/user-cert-vpn-*.pem ++/etc/globalprotect/user-key-vpn-*.pem ++/etc/globalprotect/ca-vpn-*.pem ++/etc/globalprotect/pre-init.d/ ++/etc/globalprotect/connect.d/ ++/etc/globalprotect/post-connect.d/ ++/etc/globalprotect/disconnect.d/ ++/etc/globalprotect/post-disconnect.d/ ++/etc/globalprotect/reconnect.d/ +diff --git a/package/network/utils/globalprotect/patches/0001-Fix-compilation-with-libp11-version-0.4.7.patch 
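Review bot: The `logger -t globalprotect "executing 'globalprotect $cmdline'"` line near the end of `proto_globalprotect_setup` in globalprotect.sh writes the full command line to syslog, and by then `cmdline` can contain `--token-secret=$token_secret`, so the token seed ends up in the system log as well as in the process arguments. Log without the arguments, e.g. `logger -t globalprotect "starting globalprotect for $config"`, and consider passing the secret as `--token-secret=@FILE` (the form documented in the man page added by patch 0002), from a file created under the same `umask 077`. In the `token_mode = script` branch, `proto_setup_failed "$config"` is not followed by `return 1`, so after a failed token script the function still goes on to start the client with whatever is in `$pwfile`. `$pwfile` is also unquoted in the `proto_run_command` call, in `rm -f $pwfile` in the teardown and in `<$pwfile` in globalprotect-wrapper; quote it, since the path is built from the interface name.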
b/package/network/utils/globalprotect/patches/0001-Fix-compilation-with-libp11-version-0.4.7.patch +new file mode 100644 +index 0000000..c6e139a +--- /dev/null ++++ b/package/network/utils/globalprotect/patches/0001-Fix-compilation-with-libp11-version-0.4.7.patch +@@ -0,0 +1,50 @@ ++From 03ecd34e0137b3f0bf0d2fc3ab7f7d8b3682785e Mon Sep 17 00:00:00 2001 ++From: Yousong Zhou ++Date: Thu, 14 Dec 2017 18:03:35 +0800 ++Subject: [PATCH] Fix compilation with libp11 version >= 0.4.7 ++ ++libp11 0.4.7 renamed then dropped macro definition in commits ++ ++ 4f0fce4: Error reporting fixes ++ e4c641b: PKCS11 errors separated into P11 and CKR ++ ++This change assumes that libp11 will restore compatibility by bringing ++back old forms of macro definition ++ ++Signed-off-by: Yousong Zhou ++--- ++ openssl-pkcs11.c | 18 ++++++++++++++++++ ++ 1 file changed, 18 insertions(+) ++ ++diff --git a/openssl-pkcs11.c b/openssl-pkcs11.c ++index 61da123..ba7e491 100644 ++--- a/openssl-pkcs11.c +++++ b/openssl-pkcs11.c ++@@ -30,6 +30,24 @@ ++ #include ++ #include ++ +++#ifndef ERR_LIB_PKCS11 +++# if defined(ERR_LIB_CKR) +++# define ERR_LIB_PKCS11 ERR_LIB_CKR +++# elif defined(ERR_LIB_USER) +++# define ERR_LIB_PKCS11 ERR_LIB_USER +++# else +++# error undefined macro ERR_LIB_PKCS11 +++# endif +++#endif +++ +++#ifndef PKCS11_F_PKCS11_LOGIN +++# if defined(CKR_F_PKCS11_LOGIN) +++# define PKCS11_F_PKCS11_LOGIN CKR_F_PKCS11_LOGIN +++# else +++# error undefined macro PKCS11_F_PKCS11_LOGIN +++# endif +++#endif +++ ++ static PKCS11_CTX *pkcs11_ctx(struct openconnect_info *vpninfo) ++ { ++ PKCS11_CTX *ctx; ++-- ++1.8.3.1 ++ +diff --git a/package/network/utils/globalprotect/patches/0002-rename-to-globalprotect.patch b/package/network/utils/globalprotect/patches/0002-rename-to-globalprotect.patch +new file mode 100644 +index 0000000..93ef78d +--- /dev/null ++++ b/package/network/utils/globalprotect/patches/0002-rename-to-globalprotect.patch +@@ -0,0 +1,793 @@ ++Index: globalprotect-2018-11-19/Makefile.am 
++=================================================================== ++--- globalprotect-2018-11-19.orig/Makefile.am +++++ globalprotect-2018-11-19/Makefile.am ++@@ -1,10 +1,10 @@ ++ ++ SUBDIRS = tests ++ # We kind of want openconnect to be built before we try to test it ++-check-recursive: openconnect$(EXEEXT) ++-# And even *building* some of tests/*.c needs libopenconnect ++-install-recursive: libopenconnect.la ++-all-recursive: libopenconnect.la +++check-recursive: globalprotect$(EXEEXT) +++# And even *building* some of tests/*.c needs libglobalprotect +++install-recursive: libglobalprotect.la +++all-recursive: libglobalprotect.la ++ ++ if BUILD_WWW ++ SUBDIRS += www ++@@ -13,19 +13,19 @@ if USE_NLS ++ SUBDIRS += po ++ endif ++ ++-lib_LTLIBRARIES = libopenconnect.la ++-sbin_PROGRAMS = openconnect ++-man8_MANS = openconnect.8 +++lib_LTLIBRARIES = libglobalprotect.la +++sbin_PROGRAMS = globalprotect +++man8_MANS = globalprotect.8 ++ ++ AM_CFLAGS = @WFLAGS@ ++ AM_CPPFLAGS = -DLOCALEDIR="\"$(localedir)\"" ++ ++-openconnect_SOURCES = xml.c main.c ++-openconnect_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) ++-openconnect_LDADD = libopenconnect.la $(SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(INTL_LIBS) $(ICONV_LIBS) +++globalprotect_SOURCES = xml.c main.c +++globalprotect_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) +++globalprotect_LDADD = libglobalprotect.la $(SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(INTL_LIBS) $(ICONV_LIBS) ++ ++ if OPENCONNECT_WIN32 ++-openconnect_SOURCES += openconnect.rc +++globalprotect_SOURCES += openconnect.rc ++ endif ++ library_srcs = ssl.c http.c http-auth.c auth-common.c library.c compat.c lzs.c 
mainloop.c script.c ntlm.c digest.c ++ lib_srcs_cisco = auth.c cstp.c ++@@ -43,7 +43,7 @@ lib_srcs_stoken = stoken.c ++ lib_srcs_esp = esp.c esp-seqno.c ++ lib_srcs_dtls = dtls.c ++ ++-POTFILES = $(openconnect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) $(lib_srcs_globalprotect) \ +++POTFILES = $(globalprotect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) $(lib_srcs_globalprotect) \ ++ gnutls-esp.c gnutls-dtls.c openssl-esp.c openssl-dtls.c \ ++ $(lib_srcs_esp) $(lib_srcs_dtls) \ ++ $(lib_srcs_openssl) $(lib_srcs_gnutls) $(library_srcs) \ ++@@ -89,9 +89,9 @@ else ++ library_srcs += $(lib_srcs_posix) ++ endif ++ ++-libopenconnect_la_SOURCES = version.c $(library_srcs) ++-libopenconnect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) $(LIBP11_CFLAGS) $(LIBLZ4_CFLAGS) ++-libopenconnect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS) $(LIBPCSCLITE_LIBS) $(LIBP11_LIBS) $(LIBLZ4_LIBS) +++libglobalprotect_la_SOURCES = version.c $(library_srcs) +++libglobalprotect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) $(LIBP11_CFLAGS) $(LIBLZ4_CFLAGS) +++libglobalprotect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS) $(LIBPCSCLITE_LIBS) $(LIBP11_LIBS) $(LIBLZ4_LIBS) ++ if OPENBSD_LIBTOOL ++ # OpenBSD's libtool doesn't have -version-number, but its -version-info arg ++ # does what GNU libtool's 
-version-number does. Which arguably is what the ++@@ -100,27 +100,27 @@ LT_VER_ARG = -version-info ++ else ++ LT_VER_ARG = -version-number ++ endif ++-libopenconnect_la_LDFLAGS = $(LT_VER_ARG) @APIMAJOR@:@APIMINOR@ -no-undefined +++libglobalprotect_la_LDFLAGS = $(LT_VER_ARG) @APIMAJOR@:@APIMINOR@ -no-undefined ++ noinst_HEADERS = openconnect-internal.h openconnect.h gnutls.h lzo.h ++ include_HEADERS = openconnect.h ++ if HAVE_VSCRIPT ++-libopenconnect_la_LDFLAGS += @VSCRIPT_LDFLAGS@,libopenconnect.map ++-libopenconnect_la_DEPENDENCIES = libopenconnect.map +++libglobalprotect_la_LDFLAGS += @VSCRIPT_LDFLAGS@,libopenconnect.map +++libglobalprotect_la_DEPENDENCIES = libopenconnect.map ++ endif ++ ++ if OPENCONNECT_JNI ++ if JNI_STANDALONE ++-libopenconnect_la_SOURCES += jni.c ++-libopenconnect_la_CFLAGS += $(JNI_CFLAGS) -Wno-missing-declarations +++libglobalprotect_la_SOURCES += jni.c +++libglobalprotect_la_CFLAGS += $(JNI_CFLAGS) -Wno-missing-declarations ++ else ++-lib_LTLIBRARIES += libopenconnect-wrapper.la ++-libopenconnect_wrapper_la_SOURCES = jni.c ++-libopenconnect_wrapper_la_CFLAGS = $(AM_CFLAGS) $(JNI_CFLAGS) -Wno-missing-declarations ++-libopenconnect_wrapper_la_LIBADD = libopenconnect.la +++lib_LTLIBRARIES += libglobalprotect-wrapper.la +++libglobalprotect_wrapper_la_SOURCES = jni.c +++libglobalprotect_wrapper_la_CFLAGS = $(AM_CFLAGS) $(JNI_CFLAGS) -Wno-missing-declarations +++libglobalprotect_wrapper_la_LIBADD = libglobalprotect.la ++ endif ++ endif ++ ++-pkgconfig_DATA = openconnect.pc +++pkgconfig_DATA = globalprotect.pc ++ ++ EXTRA_DIST = version.sh README.TESTS COPYING.LGPL $(lib_srcs_openssl) $(lib_srcs_gnutls) ++ EXTRA_DIST += $(shell cd "$(top_srcdir)" && \ ++@@ -132,7 +132,7 @@ DISTCLEANFILES = $(pkgconfig_DATA) ++ openconnect-main.$(OBJEXT): version.c ++ ++ version.c: $(library_srcs) $(lib_openssl_srcs) $(lib_gnutls_srcs) \ ++- $(openconnect_SOURCES) Makefile.am configure.ac \ +++ $(globalprotect_SOURCES) Makefile.am configure.ac \ ++ 
openconnect.h openconnect-internal.h version.sh @GITVERSIONDEPS@ ++ @cd $(srcdir) && ./version.sh $(abs_builddir)/version.c ++ ++Index: globalprotect-2018-11-19/configure.ac ++=================================================================== ++--- globalprotect-2018-11-19.orig/configure.ac +++++ globalprotect-2018-11-19/configure.ac ++@@ -1,4 +1,4 @@ ++-AC_INIT(openconnect, 7.08) +++AC_INIT(globalprotect, 7.08) ++ AC_CONFIG_HEADERS([config.h]) ++ ++ PKG_PROG_PKG_CONFIG ++@@ -16,7 +16,7 @@ AC_PREREQ([2.62], [], [AC_SUBST([localed ++ m4_ifdef([PKG_INSTALLDIR], [PKG_INSTALLDIR], ++ [AC_ARG_WITH([pkgconfigdir], ++ [AS_HELP_STRING([--with-pkgconfigdir], ++- [install directory for openconnect.pc pkg-config file])], +++ [install directory for globalprotect.pc pkg-config file])], ++ [],[with_pkgconfigdir='$(libdir)/pkgconfig']) ++ AC_SUBST([pkgconfigdir], [${with_pkgconfigdir}])]) ++ ++@@ -942,7 +942,7 @@ AC_SUBST([CONFIG_STATUS_DEPENDENCIES], ++ ['$(top_srcdir)/po/LINGUAS \ ++ $(top_srcdir)/openconnect.h \ ++ $(top_srcdir)/libopenconnect.map.in \ ++- $(top_srcdir)/openconnect.8.in \ +++ $(top_srcdir)/globalprotect.8.in \ ++ $(top_srcdir)/tests/softhsm2.conf.in \ ++ $(top_srcdir)/tests/configs/test-user-cert.config.in \ ++ $(top_srcdir)/tests/configs/test-user-pass.config.in']) ++@@ -973,8 +973,8 @@ AC_SUBST(GITVERSIONDEPS) ++ AC_SUBST(OCSERV_USER, $(whoami)) ++ AC_SUBST(OCSERV_GROUP, $(groups|cut -f 1 -d ' ')) ++ ++-AC_CONFIG_FILES(Makefile openconnect.pc po/Makefile www/Makefile \ ++- libopenconnect.map openconnect.8 www/styles/Makefile \ +++AC_CONFIG_FILES(Makefile globalprotect.pc po/Makefile www/Makefile \ +++ libopenconnect.map globalprotect.8 www/styles/Makefile \ ++ www/inc/Makefile www/images/Makefile tests/Makefile \ ++ tests/softhsm2.conf tests/configs/test-user-cert.config \ ++ tests/configs/test-user-pass.config) ++Index: globalprotect-2018-11-19/globalprotect.pc.in ++=================================================================== ++--- /dev/null +++++ 
globalprotect-2018-11-19/globalprotect.pc.in ++@@ -0,0 +1,13 @@ +++prefix=@prefix@ +++exec_prefix=@exec_prefix@ +++libdir=@libdir@ +++includedir=@includedir@ +++ +++ +++Name: globalprotect +++Description: OpenConnect VPN client +++Version: @VERSION@ +++Requires.private: @LIBPROXY_PC@ @ZLIB_PC@ @LIBLZ4_PC@ @SSL_PC@ @P11KIT_PC@ @LIBSTOKEN_PC@ @LIBPSKC_PC@ @LIBPCSCLITE_PC@ libxml-2.0 +++Libs: -L${libdir} -lglobalprotect +++Libs.private: @INTL_LIBS@ @system_pcsc_libs@ @openssl_pc_libs@ +++Cflags: -I${includedir} ++Index: globalprotect-2018-11-19/globalprotect.8.in ++=================================================================== ++--- /dev/null +++++ globalprotect-2018-11-19/globalprotect.8.in ++@@ -0,0 +1,558 @@ +++.TH OPENCONNECT 8 +++.SH NAME +++openconnect \- Multi-protocol VPN client, for Cisco AnyConnect VPNs and others +++.SH SYNOPSIS +++.SY openconnect +++.OP \-\-config configfile +++.OP \-b,\-\-background +++.OP \-\-pid\-file pidfile +++.OP \-c,\-\-certificate cert +++.OP \-e,\-\-cert\-expire\-warning days +++.OP \-k,\-\-sslkey key +++.OP \-C,\-\-cookie cookie +++.OP \-\-cookie\-on\-stdin +++.OP \-\-compression MODE +++.OP \-d,\-\-deflate +++.OP \-D,\-\-no\-deflate +++.OP \-\-force\-dpd interval +++.OP \-g,\-\-usergroup group +++.OP \-h,\-\-help +++.OP \-\-http\-auth methods +++.OP \-i,\-\-interface ifname +++.OP \-l,\-\-syslog +++.OP \-\-timestamp +++.OP \-\-passtos +++.OP \-U,\-\-setuid user +++.OP \-\-csd\-user user +++.OP \-m,\-\-mtu mtu +++.OP \-\-base\-mtu mtu +++.OP \-p,\-\-key\-password pass +++.OP \-P,\-\-proxy proxyurl +++.OP \-\-proxy\-auth methods +++.OP \-\-no\-proxy +++.OP \-\-libproxy +++.OP \-\-key\-password\-from\-fsid +++.OP \-q,\-\-quiet +++.OP \-Q,\-\-queue\-len len +++.OP \-s,\-\-script vpnc\-script +++.OP \-S,\-\-script\-tun +++.OP \-u,\-\-user name +++.OP \-V,\-\-version +++.OP \-v,\-\-verbose +++.OP \-x,\-\-xmlconfig config +++.OP \-\-authgroup group +++.OP \-\-authenticate +++.OP \-\-cookieonly +++.OP \-\-printcookie +++.OP 
\-\-cafile file +++.OP \-\-disable\-ipv6 +++.OP \-\-dtls\-ciphers list +++.OP \-\-dtls\-local\-port port +++.OP \-\-dump\-http\-traffic +++.OP \-\-no\-system\-trust +++.OP \-\-pfs +++.OP \-\-no\-dtls +++.OP \-\-no\-http\-keepalive +++.OP \-\-no\-passwd +++.OP \-\-no\-xmlpost +++.OP \-\-non\-inter +++.OP \-\-passwd\-on\-stdin +++.OP \-\-protocol proto +++.OP \-\-token\-mode mode +++.OP \-\-token\-secret {secret\fR[\fI,counter\fR]|@\fIfile\fR} +++.OP \-\-reconnect\-timeout +++.OP \-\-resolve host:ip +++.OP \-\-servercert sha1 +++.OP \-\-useragent string +++.OP \-\-local-hostname string +++.OP \-\-os string +++.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB] +++.YS +++ +++.SH DESCRIPTION +++The program +++.B openconnect +++connects to VPN servers which use standard TLS/SSL, DTLS, and ESP +++protocols for data transport. +++ +++It was originally written to support Cisco "AnyConnect" VPN servers, +++and has since been extended with experimental support for Juniper +++Network Connect and Junos Pulse VPN servers +++.RB ( \-\-protocol=nc ) +++and PAN GlobalProtect VPN servers +++.RB ( \-\-protocol=gp ). +++ +++The connection happens in two phases. First there is a simple HTTPS +++connection over which the user authenticates somehow \- by using a +++certificate, or password or SecurID, etc. Having authenticated, the +++user is rewarded with an authentication cookie which can be used to make the +++real VPN connection. +++ +++The second phase uses that cookie to connect to a tunnel via HTTPS, +++and data packets can be passed over the resulting connection. When +++possible, a UDP tunnel is also configured: AnyConnect uses DTLS, while +++Juniper and GlobalProtect use UDP-encapsulated ESP. The UDP tunnel +++may be disabled with +++.BR \-\-no\-dtls , +++but is preferred when correctly supported by the server and network +++for performance reasons. (TCP performs poorly and unreliably over +++TCP-based tunnels; see +++.IR http://sites.inka.de/~W1011/devel/tcp-tcp.html .) 
+++ +++.SH OPTIONS +++.TP +++.B \-\-config=CONFIGFILE +++Read further options from +++.I CONFIGFILE +++before continuing to process options from the command line. The file +++should contain long-format options as would be accepted on the command line, +++but without the two leading \-\- dashes. Empty lines, or lines where the +++first non-space character is a # character, are ignored. +++ +++Any option except the +++.B config +++option may be specified in the file. +++.TP +++.B \-b,\-\-background +++Continue in background after startup +++.TP +++.B \-\-pid\-file=PIDFILE +++Save the pid to +++.I PIDFILE +++when backgrounding +++.TP +++.B \-c,\-\-certificate=CERT +++Use SSL client certificate +++.I CERT +++which may be either a file name or, if OpenConnect has been built with an appropriate +++version of GnuTLS, a PKCS#11 URL. +++.TP +++.B \-e,\-\-cert\-expire\-warning=DAYS +++Give a warning when SSL client certificate has +++.I DAYS +++left before expiry +++.TP +++.B \-k,\-\-sslkey=KEY +++Use SSL private key +++.I KEY +++which may be either a file name or, if OpenConnect has been built with an appropriate +++version of GnuTLS, a PKCS#11 URL. +++.TP +++.B \-C,\-\-cookie=COOKIE +++Use authentication cookie COOKIE. +++.I COOKIE +++.TP +++.B \-\-cookie\-on\-stdin +++Read cookie from standard input. +++.TP +++.B \-d,\-\-deflate +++Enable all compression, including stateful modes. By default, only stateless +++compression algorithms are enabled. +++.TP +++.B \-D,\-\-no\-deflate +++Disable all compression. +++.TP +++.B \-\-compression=MODE +++Set compression mode, where +++.I MODE +++is one of +++.IR "stateless" , +++.IR "none" , +++or +++.IR "all" . +++ +++By default, only stateless compression algorithms which do not maintain state +++from one packet to the next (and which can be used on UDP transports) are +++enabled. By setting the mode to +++.I "all" +++stateful algorithms (currently only zlib deflate) can be enabled. 
Or all +++compression can be disabled by setting the mode to +++.IR "none" . +++.TP +++.B \-\-force\-dpd=INTERVAL +++Use +++.I INTERVAL +++as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it. +++.TP +++.B \-g,\-\-usergroup=GROUP +++Use +++.I GROUP +++as login UserGroup +++.TP +++.B \-h,\-\-help +++Display help text +++.TP +++.B \-\-http\-auth=METHODS +++Use only the specified methods for HTTP authentication to a server. By default, +++only Negotiate, NTLM and Digest authentication are enabled. Basic authentication +++is also supported but because it is insecure it must be explicitly enabled. The +++argument is a comma-separated list of methods to be enabled. Note that the order +++does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic +++authentication in that order, if each is enabled, regardless of the order +++specified in the METHODS string. +++.TP +++.B \-i,\-\-interface=IFNAME +++Use +++.I IFNAME +++for tunnel interface +++.TP +++.B \-l,\-\-syslog +++Use syslog for progress messages +++.TP +++.B \-\-timestamp +++Prepend a timestamp to each progress message +++.TP +++.B \-\-passtos +++Copy TOS / TCLASS of payload packet into DTLS packets. +++.TP +++.B \-U,\-\-setuid=USER +++Drop privileges after connecting, to become user +++.I USER +++.TP +++.B \-\-csd\-user=USER +++Drop privileges during execution of trojan binary or script (CSD, TNCC, or HIP). +++.TP +++.B \-\-csd\-wrapper=SCRIPT +++Run +++.I SCRIPT +++instead of the trojan binary or script. +++.TP +++.B \-m,\-\-mtu=MTU +++Request +++.I MTU +++from server as the MTU of the tunnel. +++.TP +++.B \-\-base\-mtu=MTU +++Indicate +++.I MTU +++as the path MTU between client and server on the unencrypted network. Newer +++servers will automatically calculate the MTU to be used on the tunnel from +++this value. 
+++.TP +++.B \-p,\-\-key\-password=PASS +++Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM +++.TP +++.B \-P,\-\-proxy=PROXYURL +++Use HTTP or SOCKS proxy for connection. A username and password can be provided +++in the given URL, and will be used for authentication. If authentication is +++required but no credentials are given, GSSAPI and automatic NTLM authentication +++using Samba's ntlm_auth helper tool may be attempted. +++.TP +++.B \-\-proxy\-auth=METHODS +++Use only the specified methods for HTTP authentication to a proxy. By default, +++only Negotiate, NTLM and Digest authentication are enabled. Basic authentication +++is also supported but because it is insecure it must be explicitly enabled. The +++argument is a comma-separated list of methods to be enabled. Note that the order +++does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic +++authentication in that order, if each is enabled, regardless of the order +++specified in the METHODS string. +++.TP +++.B \-\-no\-proxy +++Disable use of proxy +++.TP +++.B \-\-libproxy +++Use libproxy to configure proxy automatically (when built with libproxy support) +++.TP +++.B \-\-key\-password\-from\-fsid +++Passphrase for certificate file is automatically generated from the +++.I fsid +++of the file system on which it is stored. The +++.I fsid +++is obtained from the +++.BR statvfs (2) +++or +++.BR statfs (2) +++system call, depending on the operating system. On a Linux or similar system +++with GNU coreutils, the +++.I fsid +++used by this option should be equal to the output of the command: +++.EX +++stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE +++.EE +++It is not the same as the 128\-bit UUID of the file system. +++.TP +++.B \-q,\-\-quiet +++Less output +++.TP +++.B \-Q,\-\-queue\-len=LEN +++Set packet queue limit to +++.I LEN +++pkts +++.TP +++.B \-s,\-\-script=SCRIPT +++Invoke +++.I SCRIPT +++to configure the network after connection. 
Without this, routing and name +++service are unlikely to work correctly. The script is expected to be +++compatible with the +++.B vpnc\-script +++which is shipped with the "vpnc" VPN client. See +++.I http://www.infradead.org/openconnect/vpnc-script.html +++for more information. This version of OpenConnect is configured to +++use \fB@DEFAULT_VPNCSCRIPT@\fR by default. +++ +++On Windows, a relative directory for the default script will be handled as +++starting from the directory that the openconnect executable is running from, +++rather than the current directory. The script will be invoked with the +++command-based script host \fBcscript.exe\fR. +++.TP +++.B \-S,\-\-script\-tun +++Pass traffic to 'script' program over a UNIX socket, instead of to a kernel +++tun/tap device. This allows the VPN IP traffic to be handled entirely in +++userspace, for example by a program which uses lwIP to provide SOCKS access +++into the VPN. +++.TP +++.B \-u,\-\-user=NAME +++Set login username to +++.I NAME +++.TP +++.B \-V,\-\-version +++Report version number +++.TP +++.B \-v,\-\-verbose +++More output (may be specified multiple times for additional output) +++.TP +++.B \-x,\-\-xmlconfig=CONFIG +++XML config file +++.TP +++.B \-\-authgroup=GROUP +++Choose authentication login selection +++.TP +++.B \-\-authenticate +++Authenticate only, and output the information needed to make the connection +++a form which can be used to set shell environment variables. When invoked with +++this option, openconnect will not make the connection, but if successful will +++output something like the following to stdout: +++.nf +++.B COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE... +++.B HOST=10.0.0.1 +++.B FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42 +++.fi +++Thus, you can invoke openconnect as a non-privileged user +++.I (with access to the user's PKCS#11 tokens, etc.) 
+++for authentication, and then invoke openconnect separately to make the actual
+++connection as root:
+++.nf
+++.B eval `openconnect --authenticate https://vpnserver.example.com`;
+++.B [ -n "$COOKIE" ] && echo "$COOKIE" |
+++.B \ \ sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
+++.fi
+++.TP
+++.B \-\-cookieonly
+++Fetch and print cookie only; don't connect
+++.TP
+++.B \-\-printcookie
+++Print cookie before connecting
+++.TP
+++.B \-\-cafile=FILE
+++Cert file for server verification
+++.TP
+++.B \-\-disable\-ipv6
+++Do not advertise IPv6 capability to server
+++.TP
+++.B \-\-dtls\-ciphers=LIST
+++Set OpenSSL ciphers to support for DTLS
+++.TP
+++.B \-\-dtls\-local\-port=PORT
+++Use
+++.I PORT
+++as the local port for DTLS and UDP datagrams
+++.TP
+++.B \-\-dump\-http\-traffic
+++Enable verbose output of all HTTP requests and the bodies of all responses
+++received from the server.
+++.TP
+++.B \-\-no\-system\-trust
+++Do not trust the system default certificate authorities. If this option is
+++given, only certificate authorities given with the
+++.B \-\-cafile
+++option, if any, will be trusted automatically.
+++
+++.TP
+++.B \-\-pfs
+++Enforces Perfect Forward Secrecy (PFS). That ensures that if the server's
+++long-term key is compromised, any session keys established before the compromise
+++will be unaffected. If this option is provided and the server does not support PFS
+++in the TLS channel the connection will fail.
+++
+++PFS is available in Cisco ASA releases 9.1(2) and higher; a suitable cipher
+++suite may need to be manually enabled by the administrator using the
+++.B ssl encryption
+++setting.
+++
+++.TP
+++.B \-\-no\-dtls
+++Disable DTLS and ESP
+++.TP
+++.B \-\-no\-http\-keepalive
+++Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
+++the client's SSL certificate when HTTP connections are being re\-used for
+++multiple requests.
So far, this has only been seen on the initial connection,
+++where the server gives an HTTP/1.0 redirect response with an explicit
+++.B Connection: Keep\-Alive
+++directive. OpenConnect as of v2.22 has an unconditional workaround for this,
+++which is never to obey that directive after an HTTP/1.0 response.
+++
+++However, Cisco's support team has failed to give any competent
+++response to the bug report and we don't know under what other
+++circumstances their bug might manifest itself. So this option exists
+++to disable ALL re\-use of HTTP sessions and cause a new connection to be
+++made for each request. If your server seems not to be recognising your
+++certificate, try this option. If it makes a difference, please report
+++this information to the
+++.B openconnect\-devel@lists.infradead.org
+++mailing list.
+++.TP
+++.B \-\-no\-passwd
+++Never attempt password (or SecurID) authentication.
+++.TP
+++.B \-\-no\-xmlpost
+++Do not attempt to post an XML authentication/configuration request to the
+++server; use the old style GET method which was used by older clients and
+++servers instead.
+++
+++This option is a temporary safety net, to work around potential
+++compatibility issues with the code which falls back to the old method
+++automatically. It causes OpenConnect to behave more like older
+++versions (4.08 and below) did. If you find that you need to use this
+++option, then you have found a bug in OpenConnect. Please see
+++http://www.infradead.org/openconnect/mail.html and report this to the
+++developers.
+++.TP
+++.B \-\-non\-inter
+++Do not expect user input; exit if it is required.
+++.TP
+++.B \-\-passwd\-on\-stdin
+++Read password from standard input
+++.TP
+++.B \-\-protocol=PROTO
+++Select VPN protocol
+++.I PROTO
+++to be used for the connection.
Supported protocols are
+++.I anyconnect
+++for Cisco AnyConnect (the default),
+++.I nc
+++for experimental support for Juniper Network Connect (also supported
+++by Junos Pulse servers), and
+++.I gp
+++for experimental support for PAN GlobalProtect.
+++.TP
+++.B \-\-token\-mode=MODE
+++Enable one-time password generation using the
+++.I MODE
+++algorithm.
+++.B \-\-token\-mode=rsa
+++will call libstoken to generate an RSA SecurID tokencode,
+++.B \-\-token\-mode=totp
+++will call liboath to generate an RFC 6238 time-based password, and
+++.B \-\-token\-mode=hotp
+++will call liboath to generate an RFC 4226 HMAC-based password. Yubikey
+++tokens which generate OATH codes in hardware are supported with
+++.B \-\-token\-mode=yubioath
+++.TP
+++.B \-\-token\-secret={ SECRET[,COUNTER] | @FILENAME }
+++The secret to use when generating one-time passwords/verification codes.
+++Base 32-encoded TOTP/HOTP secrets can be used by specifying "base32:" at the
+++beginning of the secret, and for HOTP secrets the token counter can be
+++specified following a comma.
+++
+++RSA SecurID secrets can be specified as an Android/iPhone URI or a raw numeric
+++CTF string (with or without dashes).
+++
+++For Yubikey OATH the token secret specifies the name of the credential to be
+++used. If not provided, the first OATH credential found on the device will be
+++used.
+++
+++.IR FILENAME ,
+++if specified, can contain any of the above strings. Or, it can contain a
+++SecurID XML (SDTID) seed.
+++
+++If this option is omitted, and \-\-token\-mode is
+++"rsa", libstoken will try to use the software token seed saved in
+++.B ~/.stokenrc
+++by the "stoken import" command.
+++.TP
+++.B \-\-reconnect\-timeout
+++Keep reconnect attempts until so much seconds are elapsed. The default
+++timeout is 300 seconds, which means that openconnect can recover
+++VPN connection after a temporary network down time of 300 seconds.
+++.TP
+++.B \-\-resolve=HOST:IP
+++Automatically resolve the hostname
+++.IR HOST
+++to
+++.IR IP
+++instead of using the normal resolver to look it up.
+++.TP
+++.B \-\-servercert=HASH
+++Accept server's SSL certificate only if the provided fingerprint matches.
+++The allowed fingerprint types are
+++.IR SHA1 ,
+++.IR SHA256 ,
+++and
+++.IR PIN-SHA256 .
+++They are distinguished by the 'sha1:', 'sha256:' and 'pin-sha256:' prefixes to the
+++encoded hash. The first two are custom identifiers providing hex
+++encoding of the peer's public key, while 'pin-sha256:' is the RFC7469 key
+++PIN, which utilizes base64 encoding. To ease certain
+++testing use-cases, a partial match of the hash will also
+++be accepted, if it is at least 4 characters past the prefix.
+++.TP
+++.B \-\-useragent=STRING
+++Use
+++.I STRING
+++as 'User\-Agent:' field value in HTTP header.
+++(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
+++.TP
+++.B \-\-local-hostname=STRING
+++Use
+++.I STRING
+++as 'X\-CSTP\-Hostname:' field value in HTTP header. For example \-\-local\-hostname 'mypc',
+++will advertise the value 'mypc' as the suggested hostname to point to the provided IP address.
+++.TP
+++.B \-\-os=STRING
+++OS type to report to gateway. Recognized values are:
+++.BR linux ,
+++.BR linux\-64 ,
+++.BR win ,
+++.BR mac\-intel ,
+++.BR android ,
+++.BR apple\-ios .
+++Reporting a different OS type may affect the dynamic access policy (DAP)
+++applied to the VPN session. If the gateway requires CSD, it will also cause
+++the corresponding CSD trojan binary to be downloaded, so you may need to use
+++.B \-\-csd\-wrapper
+++if this code is not executable on the local machine.
+++.SH SIGNALS
+++In the data phase of the connection, the following signals are handled:
+++.TP
+++.B SIGINT
+++performs a clean shutdown by logging the session off, disconnecting from the
+++gateway, and running the vpnc\-script to restore the network configuration.
+++.TP
+++.B SIGHUP
+++disconnects from the gateway and runs the vpnc\-script, but does not log the
+++session off; this allows for reconnection later using
+++.BR \-\-cookie .
+++.TP
+++.B SIGUSR2
+++forces an immediate disconnection and reconnection; this can be used to
+++quickly recover from LAN IP address changes.
+++.TP
+++.B SIGTERM
+++exits immediately without logging off or running vpnc\-script.
+++.SH LIMITATIONS
+++Note that although IPv6 has been tested on all platforms on which
+++.B openconnect
+++is known to run, it depends on a suitable
+++.B vpnc\-script
+++to configure the network. The standard
+++.B vpnc\-script
+++shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
+++.B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
+++will be required.
+++.SH SEE ALSO
+++.BR ocserv (8)
+++
+++.SH AUTHORS
+++David Woodhouse
++Index: globalprotect-2018-11-19/tests/Makefile.am
++===================================================================
++--- globalprotect-2018-11-19.orig/tests/Makefile.am
+++++ globalprotect-2018-11-19/tests/Makefile.am
++@@ -88,7 +88,7 @@ TESTS = $(dist_check_SCRIPTS) $(C_TESTS)
++ noinst_PROGRAMS = $(C_TESTS) serverhash
++
++ serverhash_SOURCES = serverhash.c
++-serverhash_LDADD = ../libopenconnect.la $(SSL_LIBS)
+++serverhash_LDADD = ../libglobalprotect.la $(SSL_LIBS)
++
++ # Nothing actually *depends* on the cert files; they are created manually
++ # and considered part of the sources, committed to the git tree.
But for
++Index: globalprotect-2018-11-19/www/Makefile.am
++===================================================================
++--- globalprotect-2018-11-19.orig/www/Makefile.am
+++++ globalprotect-2018-11-19/www/Makefile.am
++@@ -17,7 +17,7 @@ html_DATA = $(ALL_PAGES)
++ $(PYTHON) $(CONV) -d $(srcdir) $< > $@ || (rm $@; exit 1)
++
++ clean-local:
++- rm -f $(ALL_PAGES) openconnect.8.inc
+++ rm -f $(ALL_PAGES) globalprotect.8.inc
++
++ $(ALL_PAGES): menu1.xml $(srcdir)/inc/*.tmpl
++ $(FTR_PAGES): menu2-features.xml
++@@ -25,14 +25,14 @@ $(START_PAGES): menu2-started.xml
++ $(PROTO_PAGES): menu2-protocols.xml
++ $(MAIN_PAGES): menu2.xml
++
++-manual.html: openconnect.8.inc
+++manual.html: globalprotect.8.inc
++
++-$(top_builddir)/openconnect.8: $(top_srcdir)/openconnect.8.in $(top_builddir)/config.status
++- cd $(top_builddir) && $(SHELL) ./config.status openconnect.8
+++$(top_builddir)/globalprotect.8: $(top_srcdir)/globalprotect.8.in $(top_builddir)/config.status
+++ cd $(top_builddir) && $(SHELL) ./config.status globalprotect.8
++
++ # If this command line ever changes significantly, so should the
++ # corresponding autoconf check.
++-openconnect.8.inc: $(top_builddir)/openconnect.8
+++globalprotect.8.inc: $(top_builddir)/globalprotect.8
++ $(GROFF) -t -K UTF-8 -mandoc -Txhtml $? | \
++ sed -e 's/−/-/g' -e '1,//d' -e '/<\/body>/,$$d' > $@
++
++Index: globalprotect-2018-11-19/www/manual.xml
++===================================================================
++--- globalprotect-2018-11-19.orig/www/manual.xml
+++++ globalprotect-2018-11-19/www/manual.xml
++@@ -8,7 +8,7 @@
++
++
++
++-
+++
++
++
++
-- cgit v1.2.3