diff --git a/package/network/utils/globalprotect/Config.in b/package/network/utils/globalprotect/Config.in
new file mode 100644
index 0000000..e69de29
diff --git a/package/network/utils/globalprotect/Makefile b/package/network/utils/globalprotect/Makefile
new file mode 100644
index 0000000..b3d5501
--- /dev/null
+++ b/package/network/utils/globalprotect/Makefile
@@ -0,0 +1,73 @@
+#
+# Copyright (C) 2006-2015 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=globalprotect
+PKG_RELEASE:=8
+PKG_USE_MIPS16:=0
+
+PKG_VERSION:=2018-11-19
+PKG_RELEASE=$(PKG_SOURCE_VERSION)
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=https://github.com/dlenski/openconnect
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_VERSION:=e5fe063a087385c5b157ad7a9a3fa874181f6e3b
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz
+
+PKG_LICENSE:=LGPLv2.1+
+
+PKG_FIXUP:=autoreconf
+
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/globalprotect/config
+ source "$(SOURCE)/Config.in"
+endef
+
+define Package/globalprotect
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=+libxml2 +kmod-tun +resolveip +vpnc-scripts +GLOBALPROTECT_OPENSSL:libopenssl +p11-kit +libp11 +libpcsclite +libopensc-pkcs11 +pcscd +ccid
+ TITLE:=OpenConnect VPN client (Global Protect version)
+ MAINTAINER:=Nikos Mavrogiannopoulos
+ URL:=http://www.infradead.org/globalprotect/
+ SUBMENU:=VPN
+endef
+
+define Package/globalprotect/description
+ A VPN client compatible with Cisco's AnyConnect SSL VPN, ocserv and Juniper (Pulse secure).
+
+ OpenConnect is a client that follows the Cisco's AnyConnect SSL VPN protocol,
+ which is supported by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800,
+ 2800, 3800, 7200 Series and Cisco 7301 Routers, as well as the OpenConnect
+ VPN server. It has later been ported to support the Juniper SSL VPN which
+ is now known as Pulse Connect Secure.
+endef
+
+CONFIGURE_ARGS += \
+ --disable-shared \
+ --with-vpnc-script=/lib/netifd/vpnc-script \
+ --with-libpcsclite \
+ --without-stoken \
+ --without-lz4 \
+ --without-gnutls
+
+define Package/globalprotect/install
+ $(INSTALL_DIR) $(1)/etc/globalprotect/
+ $(INSTALL_DIR) $(1)/lib/netifd/proto
+ $(INSTALL_BIN) ./files/globalprotect.sh $(1)/lib/netifd/proto/
+ $(INSTALL_DIR) $(1)/usr/sbin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/globalprotect $(1)/usr/sbin/
+ $(INSTALL_BIN) ./files/globalprotect-wrapper $(1)/usr/sbin/
+ $(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+ $(INSTALL_DATA) ./files/globalprotect.upgrade $(1)/lib/upgrade/keep.d/globalprotect
+endef
+
+$(eval $(call BuildPackage,globalprotect))
diff --git a/package/network/utils/globalprotect/README b/package/network/utils/globalprotect/README
new file mode 100644
index 0000000..019058c
--- /dev/null
+++ b/package/network/utils/globalprotect/README
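Review bot: `DEPENDS:=... +GLOBALPROTECT_OPENSSL:libopenssl ...` makes the OpenSSL dependency conditional on a config symbol that nothing defines — the `Config.in` added by this commit is an empty blob (index e69de29) and `Package/globalprotect/config` only sources that file — while `--without-gnutls` in `CONFIGURE_ARGS` leaves OpenSSL as the only TLS backend the build can pick, so the runtime dependency is never selected. Either give `Config.in` the `GLOBALPROTECT_OPENSSL` symbol or make it unconditional: `DEPENDS:=+libxml2 +kmod-tun +resolveip +vpnc-scripts +libopenssl +p11-kit +libp11 +libpcsclite +libopensc-pkcs11 +pcscd +ccid`. `PKG_RELEASE` is also assigned twice (`PKG_RELEASE:=8`, then `PKG_RELEASE=$(PKG_SOURCE_VERSION)`), so the first value is dead; keep one. Pinning `PKG_SOURCE_VERSION` to a full commit hash is the right thing for a git source, but a tarball fetched through the OpenWrt mirror would presumably need a `PKG_MIRROR_HASH` to be checked against — worth confirming against the buildroot's download verification. `URL:=http://www.infradead.org/globalprotect/` looks like a search-and-replace of the openconnect project URL; confirm it resolves or point it at the fork named in `PKG_SOURCE_URL`.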
@@ -0,0 +1,49 @@
+The openconnect client expects to be configured using the uci interface.
+
+To setup a VPN connection, add the following to /etc/config/network:
+
+config interface 'MYVPN'
+ option proto 'openconnect'
+ option interface 'wan'
+ option server 'vpn.example.com'
+ option port '4443'
+ option username 'test'
+ option password 'secret'
+ option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
+ option defaultroute '0'
+ option authgroup 'DEFAULT'
+
+ # For second factor auth:
+
+ # when a fixed 2FA password can be used
+ #option password2 'my-fixed-2fa-password'
+
+ # RSA tokens, must be built with stoken support
+ #option token_mode 'rsa'
+ #option token_secret 'secret'
+
+ # HOTP/TOTP tokens
+ #option token_mode 'hotp'
+ #option token_secret '00'
+
+ # tokens from script
+ #option token_mode 'script'
+ #option token_script '/lib/custom/getocpass.sh'
+
+ # Juniper vpn support
+ #option juniper '1'
+
+The additional files are also used:
+/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
+/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key
+/etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)
+
+After these are setup you can initiate the VPN using "ifup MYVPN", and
+deinitialize it using ifdown. You may also use the luci web interface
+(Network -> Interfaces -> MYVPN Connect).
+
+Note that you need to configure the firewall to allow communication between
+the MYVPN interface and lan.
+
+There is a luci plugin to allow configuring an openconnect interface from
+the web environment; see the luci-proto-openconnect package.
diff --git a/package/network/utils/globalprotect/files/globalprotect-wrapper b/package/network/utils/globalprotect/files/globalprotect-wrapper
new file mode 100755
index 0000000..1f23055
--- /dev/null
+++ b/package/network/utils/globalprotect/files/globalprotect-wrapper
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# This script wraps globalprotect in order to obtain the password
+# file from cmd.
+
+# $1 password file
+# $2... are passed to globalprotect
+
+test -z "$1" && exit 1
+
+pwfile=$1
+shift
+exec /usr/sbin/globalprotect "$@" <$pwfile
diff --git a/package/network/utils/globalprotect/files/globalprotect.sh b/package/network/utils/globalprotect/files/globalprotect.sh
new file mode 100755
index 0000000..1e40e05
--- /dev/null
+++ b/package/network/utils/globalprotect/files/globalprotect.sh
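Review bot: `exec /usr/sbin/globalprotect "$@" <$pwfile` leaves the redirection target unquoted, so a path containing whitespace or glob characters is split or expanded before the redirect is applied; write it as `exec /usr/sbin/globalprotect "$@" <"$pwfile"`. The header comment `# file from cmd.` does not say what is taken from where; `# $1 names a file whose contents are fed to globalprotect on stdin (for --passwd-on-stdin); all further arguments are passed through unchanged.` states the contract. The script only rejects an empty first argument: a missing or unreadable file is caught by the failing redirection, which is acceptable, but both exits are silent, and a one-line `logger -t globalprotect` message before `exit 1` would make a failed `ifup` much easier to diagnose from the log.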
@@ -0,0 +1,119 @@
+#!/bin/sh
+. /lib/functions.sh
+. ../netifd-proto.sh
+init_proto "$@"
+
+proto_globalprotect_init_config() {
+ proto_config_add_string "server"
+ proto_config_add_int "port"
+ proto_config_add_int "mtu"
+ proto_config_add_int "juniper"
+ proto_config_add_string "interface"
+ proto_config_add_string "username"
+ proto_config_add_string "serverhash"
+ proto_config_add_string "authgroup"
+ proto_config_add_string "password"
+ proto_config_add_string "password2"
+ proto_config_add_string "token_mode"
+ proto_config_add_string "token_secret"
+ proto_config_add_string "token_script"
+ proto_config_add_string "os"
+ proto_config_add_string "csd_wrapper"
+ proto_config_add_string "clientcert"
+ no_device=1
+ available=1
+}
+
+proto_globalprotect_setup() {
+ local config="$1"
+
+ json_get_vars server port interface username serverhash authgroup password password2 token_mode token_secret token_script os csd_wrapper mtu juniper clientcert
+
+ grep -q tun /proc/modules || insmod tun
+ ifname="vpn-$config"
+
+ logger -t globalprotect "initializing..."
+
+ logger -t "globalprotect" "adding host dependency for $server at $config"
+ for ip in $(resolveip -t 10 "$server"); do
+ logger -t "globalprotect" "adding host dependency for $ip at $config"
+ proto_add_host_dependency "$config" "$ip" "$interface"
+ done
+
+ [ -n "$port" ] && port=":$port"
+
+ cmdline="$server$port -i "$ifname" --non-inter --syslog --script /lib/netifd/vpnc-script"
+ [ -n "$mtu" ] && cmdline="$cmdline --mtu $mtu"
+
+ [ -n "$clientcert" ] && {
+ append cmdline "--certificate"
+ append cmdline "$clientcert"
+ }
+
+ append cmdline "--protocol=gp"
+
+ # migrate to standard config files
+ [ -f "/etc/config/globalprotect-user-cert-vpn-$config.pem" ] && mv "/etc/config/globalprotect-user-cert-vpn-$config.pem" "/etc/globalprotect/user-cert-vpn-$config.pem"
+ [ -f "/etc/config/globalprotect-user-key-vpn-$config.pem" ] && mv "/etc/config/globalprotect-user-key-vpn-$config.pem" "/etc/globalprotect/user-key-vpn-$config.pem"
+ [ -f "/etc/config/globalprotect-ca-vpn-$config.pem" ] && mv "/etc/config/globalprotect-ca-vpn-$config.pem" "/etc/globalprotect/ca-vpn-$config.pem"
+
+ [ -f /etc/globalprotect/user-cert-vpn-$config.pem ] && append cmdline "-c /etc/globalprotect/user-cert-vpn-$config.pem"
+ [ -f /etc/globalprotect/user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/globalprotect/user-key-vpn-$config.pem"
+ [ -f /etc/globalprotect/ca-vpn-$config.pem ] && {
+ append cmdline "--cafile /etc/globalprotect/ca-vpn-$config.pem"
+ append cmdline "--no-system-trust"
+ }
+
+ if [ "${juniper:-0}" -gt 0 ]; then
+ append cmdline "--juniper"
+ fi
+
+ [ -n "$serverhash" ] && {
+ append cmdline " --servercert=$serverhash"
+ append cmdline "--no-system-trust"
+ }
+ [ -n "$authgroup" ] && append cmdline "--authgroup $authgroup"
+ [ -n "$username" ] && append cmdline "-u $username"
+ [ -n "$password" ] || [ "$token_mode" = "script" ] && {
+ umask 077
+ mkdir -p /var/etc
+ pwfile="/var/etc/globalprotect-$config.passwd"
+ [ -n "$password" ] && {
+ echo "$password" > 
"$pwfile"
+ [ -n "$password2" ] && echo "$password2" >> "$pwfile"
+ }
+ [ "$token_mode" = "script" ] && {
+ $token_script > "$pwfile" 2> /dev/null || {
+ logger -t globalprotect "Cannot get password from script '$token_script'"
+ proto_setup_failed "$config"
+ }
+ }
+ append cmdline "--passwd-on-stdin"
+ }
+
+ [ -n "$token_mode" -a "$token_mode" != "script" ] && append cmdline "--token-mode=$token_mode"
+ [ -n "$token_secret" ] && append cmdline "--token-secret=$token_secret"
+ [ -n "$os" ] && append cmdline "--os=$os"
+ [ -n "$csd_wrapper" ] && [ -x "$csd_wrapper" ] && append cmdline "--csd-wrapper=$csd_wrapper"
+
+ proto_export INTERFACE="$config"
+ logger -t globalprotect "executing 'globalprotect $cmdline'"
+
+ if [ -f "$pwfile" ]; then
+ proto_run_command "$config" /usr/sbin/globalprotect-wrapper $pwfile $cmdline
+ else
+ proto_run_command "$config" /usr/sbin/globalprotect $cmdline
+ fi
+}
+
+proto_globalprotect_teardown() {
+ local config="$1"
+
+ pwfile="/var/etc/globalprotect-$config.passwd"
+
+ rm -f $pwfile
+ logger -t globalprotect "bringing down globalprotect"
+ proto_kill_command "$config" 2
+}
+
+add_protocol globalprotect
diff --git a/package/network/utils/globalprotect/files/globalprotect.upgrade b/package/network/utils/globalprotect/files/globalprotect.upgrade
new file mode 100644
index 0000000..9dc27a6
--- /dev/null
+++ b/package/network/utils/globalprotect/files/globalprotect.upgrade
@@ -0,0 +1,9 @@
+/etc/globalprotect/user-cert-vpn-*.pem
+/etc/globalprotect/user-key-vpn-*.pem
+/etc/globalprotect/ca-vpn-*.pem
+/etc/globalprotect/pre-init.d/
+/etc/globalprotect/connect.d/
+/etc/globalprotect/post-connect.d/
+/etc/globalprotect/disconnect.d/
+/etc/globalprotect/post-disconnect.d/
+/etc/globalprotect/reconnect.d/
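Review bot: `[ -n "$token_secret" ] && append cmdline "--token-secret=$token_secret"` puts the OTP seed into the argv of the globalprotect process, where any local user can read it from /proc, and `logger -t globalprotect "executing 'globalprotect $cmdline'"` then copies the same seed (plus the username and cert paths) into syslog. The option also accepts `--token-secret=@FILENAME` (documented in the man page this commit adds in 0002-rename-to-globalprotect.patch), so the seed should be written to a 0600 file under /var/etc the way `$pwfile` already is, the log line should print only the non-secret arguments, and proto_globalprotect_teardown should remove that file alongside `$pwfile`. The `$token_script` failure branch calls `proto_setup_failed "$config"` without a `return`, so the function continues to `proto_run_command` with an empty password file; add `return 1` after it. `echo "$password" > "$pwfile"` is safer as `printf '%s\n' "$password" > "$pwfile"`, since a password beginning with `-` or containing backslashes may be interpreted by the shell's echo.
```shell
	# … unchanged: certificate, serverhash, authgroup and username options …
	[ "$token_mode" = "script" ] && {
		$token_script > "$pwfile" 2> /dev/null || {
			logger -t globalprotect "Cannot get password from script '$token_script'"
			proto_setup_failed "$config"
			return 1
		}
	}
	# … unchanged: --passwd-on-stdin, --token-mode …
	[ -n "$token_secret" ] && {
		# pass the seed by file so it appears neither in argv nor in the log line below
		umask 077
		mkdir -p /var/etc
		tokenfile="/var/etc/globalprotect-$config.token"
		printf '%s\n' "$token_secret" > "$tokenfile"
		append cmdline "--token-secret=@$tokenfile"
	}
	# … unchanged: --os, --csd-wrapper, proto_export …
	logger -t globalprotect "executing 'globalprotect $server$port -i $ifname --protocol=gp'"
	# … unchanged: proto_run_command branches …
}

proto_globalprotect_teardown() {
	local config="$1"

	pwfile="/var/etc/globalprotect-$config.passwd"
	tokenfile="/var/etc/globalprotect-$config.token"

	rm -f "$pwfile" "$tokenfile"
	# … unchanged: logger, proto_kill_command …
}
```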
diff --git a/package/network/utils/globalprotect/patches/0001-Fix-compilation-with-libp11-version-0.4.7.patch b/package/network/utils/globalprotect/patches/0001-Fix-compilation-with-libp11-version-0.4.7.patch
new file mode 100644
index 0000000..c6e139a
--- /dev/null
+++ b/package/network/utils/globalprotect/patches/0001-Fix-compilation-with-libp11-version-0.4.7.patch
@@ -0,0 +1,50 @@
+From 03ecd34e0137b3f0bf0d2fc3ab7f7d8b3682785e Mon Sep 17 00:00:00 2001
+From: Yousong Zhou
+Date: Thu, 14 Dec 2017 18:03:35 +0800
+Subject: [PATCH] Fix compilation with libp11 version >= 0.4.7
+
+libp11 0.4.7 renamed then dropped macro definition in commits
+
+ 4f0fce4: Error reporting fixes
+ e4c641b: PKCS11 errors separated into P11 and CKR
+
+This change assumes that libp11 will restore compatibility by bringing
+back old forms of macro definition
+
+Signed-off-by: Yousong Zhou
+---
+ openssl-pkcs11.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/openssl-pkcs11.c b/openssl-pkcs11.c
+index 61da123..ba7e491 100644
+--- a/openssl-pkcs11.c
++++ b/openssl-pkcs11.c
+@@ -30,6 +30,24 @@
+ #include
+ #include
+
++#ifndef ERR_LIB_PKCS11
++# if defined(ERR_LIB_CKR)
++# define ERR_LIB_PKCS11 ERR_LIB_CKR
++# elif defined(ERR_LIB_USER)
++# define ERR_LIB_PKCS11 ERR_LIB_USER
++# else
++# error undefined macro ERR_LIB_PKCS11
++# endif
++#endif
++
++#ifndef PKCS11_F_PKCS11_LOGIN
++# if defined(CKR_F_PKCS11_LOGIN)
++# define PKCS11_F_PKCS11_LOGIN CKR_F_PKCS11_LOGIN
++# else
++# error undefined macro PKCS11_F_PKCS11_LOGIN
++# endif
++#endif
++
+ static PKCS11_CTX *pkcs11_ctx(struct openconnect_info *vpninfo)
+ {
+ PKCS11_CTX *ctx;
+--
+1.8.3.1
+
diff --git a/package/network/utils/globalprotect/patches/0002-rename-to-globalprotect.patch b/package/network/utils/globalprotect/patches/0002-rename-to-globalprotect.patch
new file mode 100644
index 0000000..93ef78d
--- /dev/null
+++ b/package/network/utils/globalprotect/patches/0002-rename-to-globalprotect.patch
@@ -0,0 +1,793 @@ +Index: globalprotect-2018-11-19/Makefile.am +=================================================================== +--- globalprotect-2018-11-19.orig/Makefile.am ++++ globalprotect-2018-11-19/Makefile.am +@@ -1,10 +1,10 @@ + + SUBDIRS = tests + # We kind of want openconnect to be built before we try to test it +-check-recursive: openconnect$(EXEEXT) +-# And even *building* some of tests/*.c needs libopenconnect +-install-recursive: libopenconnect.la +-all-recursive: libopenconnect.la ++check-recursive: globalprotect$(EXEEXT) ++# And even *building* some of tests/*.c needs libglobalprotect ++install-recursive: libglobalprotect.la ++all-recursive: libglobalprotect.la + + if BUILD_WWW + SUBDIRS += www +@@ -13,19 +13,19 @@ if USE_NLS + SUBDIRS += po + endif + +-lib_LTLIBRARIES = libopenconnect.la +-sbin_PROGRAMS = openconnect +-man8_MANS = openconnect.8 ++lib_LTLIBRARIES = libglobalprotect.la ++sbin_PROGRAMS = globalprotect ++man8_MANS = globalprotect.8 + + AM_CFLAGS = @WFLAGS@ + AM_CPPFLAGS = -DLOCALEDIR="\"$(localedir)\"" + +-openconnect_SOURCES = xml.c main.c +-openconnect_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) +-openconnect_LDADD = libopenconnect.la $(SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(INTL_LIBS) $(ICONV_LIBS) ++globalprotect_SOURCES = xml.c main.c ++globalprotect_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) ++globalprotect_LDADD = libglobalprotect.la $(SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(INTL_LIBS) $(ICONV_LIBS) + + if OPENCONNECT_WIN32 +-openconnect_SOURCES += openconnect.rc ++globalprotect_SOURCES += openconnect.rc + endif + library_srcs = ssl.c http.c http-auth.c auth-common.c library.c 
compat.c lzs.c mainloop.c script.c ntlm.c digest.c + lib_srcs_cisco = auth.c cstp.c +@@ -43,7 +43,7 @@ lib_srcs_stoken = stoken.c + lib_srcs_esp = esp.c esp-seqno.c + lib_srcs_dtls = dtls.c + +-POTFILES = $(openconnect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) $(lib_srcs_globalprotect) \ ++POTFILES = $(globalprotect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) $(lib_srcs_globalprotect) \ + gnutls-esp.c gnutls-dtls.c openssl-esp.c openssl-dtls.c \ + $(lib_srcs_esp) $(lib_srcs_dtls) \ + $(lib_srcs_openssl) $(lib_srcs_gnutls) $(library_srcs) \ +@@ -89,9 +89,9 @@ else + library_srcs += $(lib_srcs_posix) + endif + +-libopenconnect_la_SOURCES = version.c $(library_srcs) +-libopenconnect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) $(LIBP11_CFLAGS) $(LIBLZ4_CFLAGS) +-libopenconnect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS) $(LIBPCSCLITE_LIBS) $(LIBP11_LIBS) $(LIBLZ4_LIBS) ++libglobalprotect_la_SOURCES = version.c $(library_srcs) ++libglobalprotect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS) $(LIBP11_CFLAGS) $(LIBLZ4_CFLAGS) ++libglobalprotect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS) $(LIBPCSCLITE_LIBS) $(LIBP11_LIBS) $(LIBLZ4_LIBS) + if OPENBSD_LIBTOOL + # OpenBSD's libtool doesn't have -version-number, but its -version-info arg + # does what GNU libtool's -version-number 
does. Which arguably is what the +@@ -100,27 +100,27 @@ LT_VER_ARG = -version-info + else + LT_VER_ARG = -version-number + endif +-libopenconnect_la_LDFLAGS = $(LT_VER_ARG) @APIMAJOR@:@APIMINOR@ -no-undefined ++libglobalprotect_la_LDFLAGS = $(LT_VER_ARG) @APIMAJOR@:@APIMINOR@ -no-undefined + noinst_HEADERS = openconnect-internal.h openconnect.h gnutls.h lzo.h + include_HEADERS = openconnect.h + if HAVE_VSCRIPT +-libopenconnect_la_LDFLAGS += @VSCRIPT_LDFLAGS@,libopenconnect.map +-libopenconnect_la_DEPENDENCIES = libopenconnect.map ++libglobalprotect_la_LDFLAGS += @VSCRIPT_LDFLAGS@,libopenconnect.map ++libglobalprotect_la_DEPENDENCIES = libopenconnect.map + endif + + if OPENCONNECT_JNI + if JNI_STANDALONE +-libopenconnect_la_SOURCES += jni.c +-libopenconnect_la_CFLAGS += $(JNI_CFLAGS) -Wno-missing-declarations ++libglobalprotect_la_SOURCES += jni.c ++libglobalprotect_la_CFLAGS += $(JNI_CFLAGS) -Wno-missing-declarations + else +-lib_LTLIBRARIES += libopenconnect-wrapper.la +-libopenconnect_wrapper_la_SOURCES = jni.c +-libopenconnect_wrapper_la_CFLAGS = $(AM_CFLAGS) $(JNI_CFLAGS) -Wno-missing-declarations +-libopenconnect_wrapper_la_LIBADD = libopenconnect.la ++lib_LTLIBRARIES += libglobalprotect-wrapper.la ++libglobalprotect_wrapper_la_SOURCES = jni.c ++libglobalprotect_wrapper_la_CFLAGS = $(AM_CFLAGS) $(JNI_CFLAGS) -Wno-missing-declarations ++libglobalprotect_wrapper_la_LIBADD = libglobalprotect.la + endif + endif + +-pkgconfig_DATA = openconnect.pc ++pkgconfig_DATA = globalprotect.pc + + EXTRA_DIST = version.sh README.TESTS COPYING.LGPL $(lib_srcs_openssl) $(lib_srcs_gnutls) + EXTRA_DIST += $(shell cd "$(top_srcdir)" && \ +@@ -132,7 +132,7 @@ DISTCLEANFILES = $(pkgconfig_DATA) + openconnect-main.$(OBJEXT): version.c + + version.c: $(library_srcs) $(lib_openssl_srcs) $(lib_gnutls_srcs) \ +- $(openconnect_SOURCES) Makefile.am configure.ac \ ++ $(globalprotect_SOURCES) Makefile.am configure.ac \ + openconnect.h openconnect-internal.h version.sh @GITVERSIONDEPS@ + @cd 
$(srcdir) && ./version.sh $(abs_builddir)/version.c + +Index: globalprotect-2018-11-19/configure.ac +=================================================================== +--- globalprotect-2018-11-19.orig/configure.ac ++++ globalprotect-2018-11-19/configure.ac +@@ -1,4 +1,4 @@ +-AC_INIT(openconnect, 7.08) ++AC_INIT(globalprotect, 7.08) + AC_CONFIG_HEADERS([config.h]) + + PKG_PROG_PKG_CONFIG +@@ -16,7 +16,7 @@ AC_PREREQ([2.62], [], [AC_SUBST([localed + m4_ifdef([PKG_INSTALLDIR], [PKG_INSTALLDIR], + [AC_ARG_WITH([pkgconfigdir], + [AS_HELP_STRING([--with-pkgconfigdir], +- [install directory for openconnect.pc pkg-config file])], ++ [install directory for globalprotect.pc pkg-config file])], + [],[with_pkgconfigdir='$(libdir)/pkgconfig']) + AC_SUBST([pkgconfigdir], [${with_pkgconfigdir}])]) + +@@ -942,7 +942,7 @@ AC_SUBST([CONFIG_STATUS_DEPENDENCIES], + ['$(top_srcdir)/po/LINGUAS \ + $(top_srcdir)/openconnect.h \ + $(top_srcdir)/libopenconnect.map.in \ +- $(top_srcdir)/openconnect.8.in \ ++ $(top_srcdir)/globalprotect.8.in \ + $(top_srcdir)/tests/softhsm2.conf.in \ + $(top_srcdir)/tests/configs/test-user-cert.config.in \ + $(top_srcdir)/tests/configs/test-user-pass.config.in']) +@@ -973,8 +973,8 @@ AC_SUBST(GITVERSIONDEPS) + AC_SUBST(OCSERV_USER, $(whoami)) + AC_SUBST(OCSERV_GROUP, $(groups|cut -f 1 -d ' ')) + +-AC_CONFIG_FILES(Makefile openconnect.pc po/Makefile www/Makefile \ +- libopenconnect.map openconnect.8 www/styles/Makefile \ ++AC_CONFIG_FILES(Makefile globalprotect.pc po/Makefile www/Makefile \ ++ libopenconnect.map globalprotect.8 www/styles/Makefile \ + www/inc/Makefile www/images/Makefile tests/Makefile \ + tests/softhsm2.conf tests/configs/test-user-cert.config \ + tests/configs/test-user-pass.config) +Index: globalprotect-2018-11-19/globalprotect.pc.in +=================================================================== +--- /dev/null ++++ globalprotect-2018-11-19/globalprotect.pc.in +@@ -0,0 +1,13 @@ ++prefix=@prefix@ ++exec_prefix=@exec_prefix@ 
++libdir=@libdir@ ++includedir=@includedir@ ++ ++ ++Name: globalprotect ++Description: OpenConnect VPN client ++Version: @VERSION@ ++Requires.private: @LIBPROXY_PC@ @ZLIB_PC@ @LIBLZ4_PC@ @SSL_PC@ @P11KIT_PC@ @LIBSTOKEN_PC@ @LIBPSKC_PC@ @LIBPCSCLITE_PC@ libxml-2.0 ++Libs: -L${libdir} -lglobalprotect ++Libs.private: @INTL_LIBS@ @system_pcsc_libs@ @openssl_pc_libs@ ++Cflags: -I${includedir} +Index: globalprotect-2018-11-19/globalprotect.8.in +=================================================================== +--- /dev/null ++++ globalprotect-2018-11-19/globalprotect.8.in +@@ -0,0 +1,558 @@ ++.TH OPENCONNECT 8 ++.SH NAME ++openconnect \- Multi-protocol VPN client, for Cisco AnyConnect VPNs and others ++.SH SYNOPSIS ++.SY openconnect ++.OP \-\-config configfile ++.OP \-b,\-\-background ++.OP \-\-pid\-file pidfile ++.OP \-c,\-\-certificate cert ++.OP \-e,\-\-cert\-expire\-warning days ++.OP \-k,\-\-sslkey key ++.OP \-C,\-\-cookie cookie ++.OP \-\-cookie\-on\-stdin ++.OP \-\-compression MODE ++.OP \-d,\-\-deflate ++.OP \-D,\-\-no\-deflate ++.OP \-\-force\-dpd interval ++.OP \-g,\-\-usergroup group ++.OP \-h,\-\-help ++.OP \-\-http\-auth methods ++.OP \-i,\-\-interface ifname ++.OP \-l,\-\-syslog ++.OP \-\-timestamp ++.OP \-\-passtos ++.OP \-U,\-\-setuid user ++.OP \-\-csd\-user user ++.OP \-m,\-\-mtu mtu ++.OP \-\-base\-mtu mtu ++.OP \-p,\-\-key\-password pass ++.OP \-P,\-\-proxy proxyurl ++.OP \-\-proxy\-auth methods ++.OP \-\-no\-proxy ++.OP \-\-libproxy ++.OP \-\-key\-password\-from\-fsid ++.OP \-q,\-\-quiet ++.OP \-Q,\-\-queue\-len len ++.OP \-s,\-\-script vpnc\-script ++.OP \-S,\-\-script\-tun ++.OP \-u,\-\-user name ++.OP \-V,\-\-version ++.OP \-v,\-\-verbose ++.OP \-x,\-\-xmlconfig config ++.OP \-\-authgroup group ++.OP \-\-authenticate ++.OP \-\-cookieonly ++.OP \-\-printcookie ++.OP \-\-cafile file ++.OP \-\-disable\-ipv6 ++.OP \-\-dtls\-ciphers list ++.OP \-\-dtls\-local\-port port ++.OP \-\-dump\-http\-traffic ++.OP \-\-no\-system\-trust ++.OP \-\-pfs ++.OP 
\-\-no\-dtls ++.OP \-\-no\-http\-keepalive ++.OP \-\-no\-passwd ++.OP \-\-no\-xmlpost ++.OP \-\-non\-inter ++.OP \-\-passwd\-on\-stdin ++.OP \-\-protocol proto ++.OP \-\-token\-mode mode ++.OP \-\-token\-secret {secret\fR[\fI,counter\fR]|@\fIfile\fR} ++.OP \-\-reconnect\-timeout ++.OP \-\-resolve host:ip ++.OP \-\-servercert sha1 ++.OP \-\-useragent string ++.OP \-\-local-hostname string ++.OP \-\-os string ++.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB] ++.YS ++ ++.SH DESCRIPTION ++The program ++.B openconnect ++connects to VPN servers which use standard TLS/SSL, DTLS, and ESP ++protocols for data transport. ++ ++It was originally written to support Cisco "AnyConnect" VPN servers, ++and has since been extended with experimental support for Juniper ++Network Connect and Junos Pulse VPN servers ++.RB ( \-\-protocol=nc ) ++and PAN GlobalProtect VPN servers ++.RB ( \-\-protocol=gp ). ++ ++The connection happens in two phases. First there is a simple HTTPS ++connection over which the user authenticates somehow \- by using a ++certificate, or password or SecurID, etc. Having authenticated, the ++user is rewarded with an authentication cookie which can be used to make the ++real VPN connection. ++ ++The second phase uses that cookie to connect to a tunnel via HTTPS, ++and data packets can be passed over the resulting connection. When ++possible, a UDP tunnel is also configured: AnyConnect uses DTLS, while ++Juniper and GlobalProtect use UDP-encapsulated ESP. The UDP tunnel ++may be disabled with ++.BR \-\-no\-dtls , ++but is preferred when correctly supported by the server and network ++for performance reasons. (TCP performs poorly and unreliably over ++TCP-based tunnels; see ++.IR http://sites.inka.de/~W1011/devel/tcp-tcp.html .) ++ ++.SH OPTIONS ++.TP ++.B \-\-config=CONFIGFILE ++Read further options from ++.I CONFIGFILE ++before continuing to process options from the command line. 
The file ++should contain long-format options as would be accepted on the command line, ++but without the two leading \-\- dashes. Empty lines, or lines where the ++first non-space character is a # character, are ignored. ++ ++Any option except the ++.B config ++option may be specified in the file. ++.TP ++.B \-b,\-\-background ++Continue in background after startup ++.TP ++.B \-\-pid\-file=PIDFILE ++Save the pid to ++.I PIDFILE ++when backgrounding ++.TP ++.B \-c,\-\-certificate=CERT ++Use SSL client certificate ++.I CERT ++which may be either a file name or, if OpenConnect has been built with an appropriate ++version of GnuTLS, a PKCS#11 URL. ++.TP ++.B \-e,\-\-cert\-expire\-warning=DAYS ++Give a warning when SSL client certificate has ++.I DAYS ++left before expiry ++.TP ++.B \-k,\-\-sslkey=KEY ++Use SSL private key ++.I KEY ++which may be either a file name or, if OpenConnect has been built with an appropriate ++version of GnuTLS, a PKCS#11 URL. ++.TP ++.B \-C,\-\-cookie=COOKIE ++Use authentication cookie COOKIE. ++.I COOKIE ++.TP ++.B \-\-cookie\-on\-stdin ++Read cookie from standard input. ++.TP ++.B \-d,\-\-deflate ++Enable all compression, including stateful modes. By default, only stateless ++compression algorithms are enabled. ++.TP ++.B \-D,\-\-no\-deflate ++Disable all compression. ++.TP ++.B \-\-compression=MODE ++Set compression mode, where ++.I MODE ++is one of ++.IR "stateless" , ++.IR "none" , ++or ++.IR "all" . ++ ++By default, only stateless compression algorithms which do not maintain state ++from one packet to the next (and which can be used on UDP transports) are ++enabled. By setting the mode to ++.I "all" ++stateful algorithms (currently only zlib deflate) can be enabled. Or all ++compression can be disabled by setting the mode to ++.IR "none" . ++.TP ++.B \-\-force\-dpd=INTERVAL ++Use ++.I INTERVAL ++as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it. 
++.TP ++.B \-g,\-\-usergroup=GROUP ++Use ++.I GROUP ++as login UserGroup ++.TP ++.B \-h,\-\-help ++Display help text ++.TP ++.B \-\-http\-auth=METHODS ++Use only the specified methods for HTTP authentication to a server. By default, ++only Negotiate, NTLM and Digest authentication are enabled. Basic authentication ++is also supported but because it is insecure it must be explicitly enabled. The ++argument is a comma-separated list of methods to be enabled. Note that the order ++does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic ++authentication in that order, if each is enabled, regardless of the order ++specified in the METHODS string. ++.TP ++.B \-i,\-\-interface=IFNAME ++Use ++.I IFNAME ++for tunnel interface ++.TP ++.B \-l,\-\-syslog ++Use syslog for progress messages ++.TP ++.B \-\-timestamp ++Prepend a timestamp to each progress message ++.TP ++.B \-\-passtos ++Copy TOS / TCLASS of payload packet into DTLS packets. ++.TP ++.B \-U,\-\-setuid=USER ++Drop privileges after connecting, to become user ++.I USER ++.TP ++.B \-\-csd\-user=USER ++Drop privileges during execution of trojan binary or script (CSD, TNCC, or HIP). ++.TP ++.B \-\-csd\-wrapper=SCRIPT ++Run ++.I SCRIPT ++instead of the trojan binary or script. ++.TP ++.B \-m,\-\-mtu=MTU ++Request ++.I MTU ++from server as the MTU of the tunnel. ++.TP ++.B \-\-base\-mtu=MTU ++Indicate ++.I MTU ++as the path MTU between client and server on the unencrypted network. Newer ++servers will automatically calculate the MTU to be used on the tunnel from ++this value. ++.TP ++.B \-p,\-\-key\-password=PASS ++Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM ++.TP ++.B \-P,\-\-proxy=PROXYURL ++Use HTTP or SOCKS proxy for connection. A username and password can be provided ++in the given URL, and will be used for authentication. 
If authentication is ++required but no credentials are given, GSSAPI and automatic NTLM authentication ++using Samba's ntlm_auth helper tool may be attempted. ++.TP ++.B \-\-proxy\-auth=METHODS ++Use only the specified methods for HTTP authentication to a proxy. By default, ++only Negotiate, NTLM and Digest authentication are enabled. Basic authentication ++is also supported but because it is insecure it must be explicitly enabled. The ++argument is a comma-separated list of methods to be enabled. Note that the order ++does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic ++authentication in that order, if each is enabled, regardless of the order ++specified in the METHODS string. ++.TP ++.B \-\-no\-proxy ++Disable use of proxy ++.TP ++.B \-\-libproxy ++Use libproxy to configure proxy automatically (when built with libproxy support) ++.TP ++.B \-\-key\-password\-from\-fsid ++Passphrase for certificate file is automatically generated from the ++.I fsid ++of the file system on which it is stored. The ++.I fsid ++is obtained from the ++.BR statvfs (2) ++or ++.BR statfs (2) ++system call, depending on the operating system. On a Linux or similar system ++with GNU coreutils, the ++.I fsid ++used by this option should be equal to the output of the command: ++.EX ++stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE ++.EE ++It is not the same as the 128\-bit UUID of the file system. ++.TP ++.B \-q,\-\-quiet ++Less output ++.TP ++.B \-Q,\-\-queue\-len=LEN ++Set packet queue limit to ++.I LEN ++pkts ++.TP ++.B \-s,\-\-script=SCRIPT ++Invoke ++.I SCRIPT ++to configure the network after connection. Without this, routing and name ++service are unlikely to work correctly. The script is expected to be ++compatible with the ++.B vpnc\-script ++which is shipped with the "vpnc" VPN client. See ++.I http://www.infradead.org/openconnect/vpnc-script.html ++for more information. This version of OpenConnect is configured to ++use \fB@DEFAULT_VPNCSCRIPT@\fR by default. 
++
++On Windows, a relative directory for the default script will be handled as
++starting from the directory that the openconnect executable is running from,
++rather than the current directory. The script will be invoked with the
++command-based script host \fBcscript.exe\fR.
++.TP
++.B \-S,\-\-script\-tun
++Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
++tun/tap device. This allows the VPN IP traffic to be handled entirely in
++userspace, for example by a program which uses lwIP to provide SOCKS access
++into the VPN.
++.TP
++.B \-u,\-\-user=NAME
++Set login username to
++.I NAME
++.TP
++.B \-V,\-\-version
++Report version number
++.TP
++.B \-v,\-\-verbose
++More output (may be specified multiple times for additional output)
++.TP
++.B \-x,\-\-xmlconfig=CONFIG
++XML config file
++.TP
++.B \-\-authgroup=GROUP
++Choose authentication login selection
++.TP
++.B \-\-authenticate
++Authenticate only, and output the information needed to make the connection
++a form which can be used to set shell environment variables. When invoked with
++this option, openconnect will not make the connection, but if successful will
++output something like the following to stdout:
++.nf
++.B COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
++.B HOST=10.0.0.1
++.B FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
++.fi
++Thus, you can invoke openconnect as a non-privileged user
++.I (with access to the user's PKCS#11 tokens, etc.)
++for authentication, and then invoke openconnect separately to make the actual
++connection as root:
++.nf
++.B eval `openconnect --authenticate https://vpnserver.example.com`;
++.B [ -n "$COOKIE" ] && echo "$COOKIE" |
++.B \ \ sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
++.fi
++.TP
++.B \-\-cookieonly
++Fetch and print cookie only; don't connect
++.TP
++.B \-\-printcookie
++Print cookie before connecting
++.TP
++.B \-\-cafile=FILE
++Cert file for server verification
++.TP
++.B \-\-disable\-ipv6
++Do not advertise IPv6 capability to server
++.TP
++.B \-\-dtls\-ciphers=LIST
++Set OpenSSL ciphers to support for DTLS
++.TP
++.B \-\-dtls\-local\-port=PORT
++Use
++.I PORT
++as the local port for DTLS and UDP datagrams
++.TP
++.B \-\-dump\-http\-traffic
++Enable verbose output of all HTTP requests and the bodies of all responses
++received from the server.
++.TP
++.B \-\-no\-system\-trust
++Do not trust the system default certificate authorities. If this option is
++given, only certificate authorities given with the
++.B \-\-cafile
++option, if any, will be trusted automatically.
++
++.TP
++.B \-\-pfs
++Enforces Perfect Forward Secrecy (PFS). That ensures that if the server's
++long-term key is compromised, any session keys established before the compromise
++will be unaffected. If this option is provided and the server does not support PFS
++in the TLS channel the connection will fail.
++
++PFS is available in Cisco ASA releases 9.1(2) and higher; a suitable cipher
++suite may need to be manually enabled by the administrator using the
++.B ssl encryption
++setting.
++
++.TP
++.B \-\-no\-dtls
++Disable DTLS and ESP
++.TP
++.B \-\-no\-http\-keepalive
++Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
++the client's SSL certificate when HTTP connections are being re\-used for
++multiple requests. So far, this has only been seen on the initial connection,
++where the server gives an HTTP/1.0 redirect response with an explicit
++.B Connection: Keep\-Alive
++directive. OpenConnect as of v2.22 has an unconditional workaround for this,
++which is never to obey that directive after an HTTP/1.0 response.
++
++However, Cisco's support team has failed to give any competent
++response to the bug report and we don't know under what other
++circumstances their bug might manifest itself. So this option exists
++to disable ALL re\-use of HTTP sessions and cause a new connection to be
++made for each request. If your server seems not to be recognising your
++certificate, try this option. If it makes a difference, please report
++this information to the
++.B openconnect\-devel@lists.infradead.org
++mailing list.
++.TP
++.B \-\-no\-passwd
++Never attempt password (or SecurID) authentication.
++.TP
++.B \-\-no\-xmlpost
++Do not attempt to post an XML authentication/configuration request to the
++server; use the old style GET method which was used by older clients and
++servers instead.
++
++This option is a temporary safety net, to work around potential
++compatibility issues with the code which falls back to the old method
++automatically. It causes OpenConnect to behave more like older
++versions (4.08 and below) did. If you find that you need to use this
++option, then you have found a bug in OpenConnect. Please see
++http://www.infradead.org/openconnect/mail.html and report this to the
++developers.
++.TP
++.B \-\-non\-inter
++Do not expect user input; exit if it is required.
++.TP
++.B \-\-passwd\-on\-stdin
++Read password from standard input
++.TP
++.B \-\-protocol=PROTO
++Select VPN protocol
++.I PROTO
++to be used for the connection. Supported protocols are
++.I anyconnect
++for Cisco AnyConnect (the default),
++.I nc
++for experimental support for Juniper Network Connect (also supported
++by Junos Pulse servers), and
++.I gp
++for experimental support for PAN GlobalProtect.
++.TP
++.B \-\-token\-mode=MODE
++Enable one-time password generation using the
++.I MODE
++algorithm.
++.B \-\-token\-mode=rsa
++will call libstoken to generate an RSA SecurID tokencode,
++.B \-\-token\-mode=totp
++will call liboath to generate an RFC 6238 time-based password, and
++.B \-\-token\-mode=hotp
++will call liboath to generate an RFC 4226 HMAC-based password. Yubikey
++tokens which generate OATH codes in hardware are supported with
++.B \-\-token\-mode=yubioath
++.TP
++.B \-\-token\-secret={ SECRET[,COUNTER] | @FILENAME }
++The secret to use when generating one-time passwords/verification codes.
++Base 32-encoded TOTP/HOTP secrets can be used by specifying "base32:" at the
++beginning of the secret, and for HOTP secrets the token counter can be
++specified following a comma.
++
++RSA SecurID secrets can be specified as an Android/iPhone URI or a raw numeric
++CTF string (with or without dashes).
++
++For Yubikey OATH the token secret specifies the name of the credential to be
++used. If not provided, the first OATH credential found on the device will be
++used.
++
++.IR FILENAME ,
++if specified, can contain any of the above strings. Or, it can contain a
++SecurID XML (SDTID) seed.
++
++If this option is omitted, and \-\-token\-mode is
++"rsa", libstoken will try to use the software token seed saved in
++.B ~/.stokenrc
++by the "stoken import" command.
++.TP
++.B \-\-reconnect\-timeout
++Keep reconnect attempts until so much seconds are elapsed. The default
++timeout is 300 seconds, which means that openconnect can recover
++VPN connection after a temporary network down time of 300 seconds.
++.TP
++.B \-\-resolve=HOST:IP
++Automatically resolve the hostname
++.IR HOST
++to
++.IR IP
++instead of using the normal resolver to look it up.
++.TP
++.B \-\-servercert=HASH
++Accept server's SSL certificate only if the provided fingerprint matches.
++The allowed fingerprint types are
++.IR SHA1 ,
++.IR SHA256 ,
++and
++.IR PIN-SHA256 .
++They are distinguished by the 'sha1:', 'sha256:' and 'pin-sha256:' prefixes to the
++encoded hash. The first two are custom identifiers providing hex
++encoding of the peer's public key, while 'pin-sha256:' is the RFC7469 key
++PIN, which utilizes base64 encoding. To ease certain
++testing use-cases, a partial match of the hash will also
++be accepted, if it is at least 4 characters past the prefix.
++.TP
++.B \-\-useragent=STRING
++Use
++.I STRING
++as 'User\-Agent:' field value in HTTP header.
++(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
++.TP
++.B \-\-local-hostname=STRING
++Use
++.I STRING
++as 'X\-CSTP\-Hostname:' field value in HTTP header. For example \-\-local\-hostname 'mypc',
++will advertise the value 'mypc' as the suggested hostname to point to the provided IP address.
++.TP
++.B \-\-os=STRING
++OS type to report to gateway. Recognized values are:
++.BR linux ,
++.BR linux\-64 ,
++.BR win ,
++.BR mac\-intel ,
++.BR android ,
++.BR apple\-ios .
++Reporting a different OS type may affect the dynamic access policy (DAP)
++applied to the VPN session. If the gateway requires CSD, it will also cause
++the corresponding CSD trojan binary to be downloaded, so you may need to use
++.B \-\-csd\-wrapper
++if this code is not executable on the local machine.
++.SH SIGNALS
++In the data phase of the connection, the following signals are handled:
++.TP
++.B SIGINT
++performs a clean shutdown by logging the session off, disconnecting from the
++gateway, and running the vpnc\-script to restore the network configuration.
++.TP
++.B SIGHUP
++disconnects from the gateway and runs the vpnc\-script, but does not log the
++session off; this allows for reconnection later using
++.BR \-\-cookie .
++.TP
++.B SIGUSR2
++forces an immediate disconnection and reconnection; this can be used to
++quickly recover from LAN IP address changes.
++.TP
++.B SIGTERM
++exits immediately without logging off or running vpnc\-script.
++.SH LIMITATIONS
++Note that although IPv6 has been tested on all platforms on which
++.B openconnect
++is known to run, it depends on a suitable
++.B vpnc\-script
++to configure the network. The standard
++.B vpnc\-script
++shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
++.B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
++will be required.
++.SH SEE ALSO
++.BR ocserv (8)
++
++.SH AUTHORS
++David Woodhouse
+Index: globalprotect-2018-11-19/tests/Makefile.am
+===================================================================
+--- globalprotect-2018-11-19.orig/tests/Makefile.am
++++ globalprotect-2018-11-19/tests/Makefile.am
+@@ -88,7 +88,7 @@ TESTS = $(dist_check_SCRIPTS) $(C_TESTS)
+ noinst_PROGRAMS = $(C_TESTS) serverhash
+ 
+ serverhash_SOURCES = serverhash.c
+-serverhash_LDADD = ../libopenconnect.la $(SSL_LIBS)
++serverhash_LDADD = ../libglobalprotect.la $(SSL_LIBS)
+ 
+ # Nothing actually *depends* on the cert files; they are created manually
+ # and considered part of the sources, committed to the git tree. But for
+Index: globalprotect-2018-11-19/www/Makefile.am
+===================================================================
+--- globalprotect-2018-11-19.orig/www/Makefile.am
++++ globalprotect-2018-11-19/www/Makefile.am
+@@ -17,7 +17,7 @@ html_DATA = $(ALL_PAGES)
+ $(PYTHON) $(CONV) -d $(srcdir) $< > $@ || (rm $@; exit 1)
+ 
+ clean-local:
+- rm -f $(ALL_PAGES) openconnect.8.inc
++ rm -f $(ALL_PAGES) globalprotect.8.inc
+ 
+ $(ALL_PAGES): menu1.xml $(srcdir)/inc/*.tmpl
+ $(FTR_PAGES): menu2-features.xml
+@@ -25,14 +25,14 @@ $(START_PAGES): menu2-started.xml
+ $(PROTO_PAGES): menu2-protocols.xml
+ $(MAIN_PAGES): menu2.xml
+ 
+-manual.html: openconnect.8.inc
++manual.html: globalprotect.8.inc
+ 
+-$(top_builddir)/openconnect.8: $(top_srcdir)/openconnect.8.in $(top_builddir)/config.status
+- cd $(top_builddir) && $(SHELL) ./config.status openconnect.8
++$(top_builddir)/globalprotect.8: $(top_srcdir)/globalprotect.8.in $(top_builddir)/config.status
++ cd $(top_builddir) && $(SHELL) ./config.status globalprotect.8
+ 
+ # If this command line ever changes significantly, so should the
+ # corresponding autoconf check.
+-openconnect.8.inc: $(top_builddir)/openconnect.8
++globalprotect.8.inc: $(top_builddir)/globalprotect.8
+ $(GROFF) -t -K UTF-8 -mandoc -Txhtml $? | \
+ sed -e 's/−/-/g' -e '1,//d' -e '/<\/body>/,$$d' > $@
+ 
+Index: globalprotect-2018-11-19/www/manual.xml
+===================================================================
+--- globalprotect-2018-11-19.orig/www/manual.xml
++++ globalprotect-2018-11-19/www/manual.xml
+@@ -8,7 +8,7 @@
+ 
+ 
+ 
+- 
++ 
+ 
+ 
+ 
diff --git a/package/network/utils/globalprotect/patches/0003-make-default-pkcs11-opensc.patch b/package/network/utils/globalprotect/patches/0003-make-default-pkcs11-opensc.patch
new file mode 100644
index 0000000..52c0bdf
--- /dev/null
+++ b/package/network/utils/globalprotect/patches/0003-make-default-pkcs11-opensc.patch
@@ -0,0 +1,14 @@
+Index: globalprotect-2018-11-19/configure.ac
+===================================================================
+--- globalprotect-2018-11-19/configure.ac 2019-01-05 12:47:22.490825396 +0000
++++ globalprotect-2018-11-19/configure.ac 2019-01-05 18:48:14.110431665 +0000
+@@ -325,7 +325,8 @@
+ [PKG_CHECK_MODULES(LIBP11, libp11,
+ [AC_DEFINE(HAVE_LIBP11, 1, [Have libp11 and p11-kit for OpenSSL])
+ AC_SUBST(P11KIT_PC, ["libp11 p11-kit-1"])
+- proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`"
++ #proxy_module="`$PKG_CONFIG --variable=proxy_module p11-kit-1`"
++ proxy_module="/usr/lib/pkcs11/opensc-pkcs11.so"
+ pkcs11_support="libp11"
+ AC_DEFINE_UNQUOTED([DEFAULT_PKCS11_MODULE], "${proxy_module}", [p11-kit proxy])
+ [:])], [:])
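Review bot: The new `proxy_module="/usr/lib/pkcs11/opensc-pkcs11.so"` hard-codes the default PKCS#11 module path with no explanation, and the pkg-config lookup it replaces is left behind as a commented-out line instead of being deleted. Since that value is baked into the binary through `DEFAULT_PKCS11_MODULE`, the client will load whatever shared object is installed at that path on the target, and the p11-kit proxy (and p11-kit's per-module configuration) is no longer consulted for the default; presumably this is intended because the package ships the opensc module directly, but the patch should say so. Suggest dropping the commented line and adding `dnl OpenWrt: use the opensc PKCS#11 module directly instead of the p11-kit proxy path reported by pkg-config` above the assignment, and letting the package Makefile override the path (for example via a configure argument that falls back to this value) so a different module location does not require re-patching. The trailing `[p11-kit proxy]` description passed to `AC_DEFINE_UNQUOTED` is now inaccurate as well. The patch headers also differ in style from the other patches (absolute timestamps, no `.orig` directory), which makes refreshing with `quilt` inconsistent.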