Sync changes from the upstream repo

.github/issue_template.md

@@ -1,3 +1,38 @@
+<!--
+
+  Hold on a sec right there...
+
+  Are you asking for help *building* this version of OpenConnect?
+
+  If so, please refer to what I wrote in the README:
+
+    https://github.com/dlenski/openconnect/HEAD/globalprotect/README.md#installation
+
+  This version has the exact same build dependencies as the official OpenConnect v7.08;
+  modern versions of autoconf, automake, gcc, libxml, etc. Follow the
+  official build instructions, or ask for help on the official mailing list:
+
+    http://www.infradead.org/openconnect/building.html
+
+  If you are having trouble *building* this version of OpenConnect, I am
+  simply going to refer you back to the official instructions :-D
+
+  (Unless you can demonstrate that I have somehow broken the ability to
+   to build this version using the official instructions. See #9 for an example
+   of this:
+
+   https://github.com/dlenski/openconnect/pull/9 )
+
+
+---------------------------------------------------------------------
+
+
+  On the other hand, if you have successfully *built* this version of
+  OpenConnect, and are now encountering specific, reproducible errors while
+  *running* it, please continue and fill out details requested below ...
+
+-->
+
 # Problem description
 
 1. I ran openconnect-gp as follows: `openconnect --protocol=gp <!-- Show other command line options here -->`

.gitlab-ci.yml

@@ -10,9 +10,9 @@ CentOS7/GnuTLS:
     'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
     ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
     vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
-    java-devel-openjdk
+    java-devel-openjdk glibc-langpack-cs
   - ./autogen.sh
-  - ./configure --with-java
+  - ./configure --with-java CFLAGS=-g
   - make -j4
   # XFAIL the auth-pkcs11 test because GnuTLS 3.3.8 doesn't support pin-value
   - make VERBOSE=1 -j4 check
@@ -36,9 +36,9 @@ CentOS7/OpenSSL:
     'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
     ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
     vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
-    java-devel-openjdk 'pkgconfig(libp11)'
+    java-devel-openjdk 'pkgconfig(libp11)' glibc-langpack-cs
   - ./autogen.sh
-  - ./configure --without-gnutls --with-openssl --with-java --without-openssl-version-check --enable-dtls-xfail --disable-dsa-tests
+  - ./configure --without-gnutls --with-openssl --with-java --without-openssl-version-check --enable-dtls-xfail --disable-dsa-tests CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:
@@ -62,8 +62,9 @@ CentOS6/OpenSSL:
     ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
     vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
     java-devel-openjdk vpnc 'pkgconfig(libp11)' 'pkgconfig(p11-kit-1)'
+    glibc-langpack-cs
   - ./autogen.sh
-  - ./configure --with-java --without-openssl-version-check --enable-dtls-xfail
+  - ./configure --with-java --without-openssl-version-check --enable-dtls-xfail CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:
@@ -84,9 +85,9 @@ Fedora/GnuTLS:
     'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
     ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
     vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
-    java-devel-openjdk
+    java-devel-openjdk glibc-langpack-cs
   - ./autogen.sh
-  - ./configure --with-java
+  - ./configure --with-java CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:
@@ -107,9 +108,9 @@ Fedora/GnuTLS/clang:
     'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
     ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
     vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
-    java-devel-openjdk clang
+    java-devel-openjdk clang glibc-langpack-cs
   - ./autogen.sh
-  - ./configure --with-java CC=clang
+  - ./configure --with-java CC=clang CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:
@@ -130,10 +131,10 @@ Fedora/OpenSSL:
     'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
     ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
     vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
-    java-devel-openjdk 'pkgconfig(libp11)'
+    java-devel-openjdk 'pkgconfig(libp11)' glibc-langpack-cs
   - dnf --enablerepo=updates-testing update -y libp11\* gnutls
   - ./autogen.sh
-  - ./configure --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests
+  - ./configure --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:
@@ -154,10 +155,10 @@ Fedora/OpenSSL/clang:
     'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
     ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
     vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
-    java-devel-openjdk 'pkgconfig(libp11)' clang
+    java-devel-openjdk 'pkgconfig(libp11)' clang glibc-langpack-cs
   - dnf --enablerepo=updates-testing update -y libp11\* gnutls
   - ./autogen.sh
-  - ./configure CC=clang --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests
+  - ./configure CC=clang --without-gnutls --with-openssl --without-openssl-version-check --disable-dsa-tests CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:
@@ -178,7 +179,7 @@ MinGW32/GnuTLS:
   - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
   - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
   - ./autogen.sh
-  - mingw32-configure
+  - mingw32-configure CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:
@@ -199,7 +200,7 @@ MinGW32/OpenSSL:
   - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
   - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
   - ./autogen.sh
-  - mingw32-configure --without-gnutls --with-openssl --without-openssl-version-check
+  - mingw32-configure --without-gnutls --with-openssl --without-openssl-version-check CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:
@@ -220,7 +221,7 @@ MinGW64/GnuTLS:
   - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
   - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
   - ./autogen.sh
-  - mingw64-configure
+  - mingw64-configure CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:
@@ -241,7 +242,7 @@ MinGW64/OpenSSL:
   - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
   - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
   - ./autogen.sh
-  - mingw64-configure --without-gnutls --with-openssl --without-openssl-version-check
+  - mingw64-configure --without-gnutls --with-openssl --without-openssl-version-check CFLAGS=-g
   - make -j4
   - make VERBOSE=1 -j4 check
   tags:

.travis.yml

@@ -0,0 +1,39 @@
+notifications:
+  email:
+    false
+
+dist: trusty
+sudo: required
+
+language: c
+compiler:
+  - gcc
+
+services:
+  - docker
+
+jobs:
+  include:
+    - stage: app build
+      env: MAKEFLAGS="-j 2"
+      before_script:
+        - sudo apt-get update -qq
+        - sudo apt-get install -qq build-essential autoconf automake libtool pkg-config
+                       vpnc-scripts
+                       gettext libproxy-dev libxml2-dev liblz4-1 liblz4-dev libstoken-dev liboath-dev
+                       libgnutls28-dev # actually GnuTLS 3.2.11 ¯\_(ツ)_/¯
+      script: 
+        - ./autogen.sh
+        - ./configure
+        - make VERBOSE=1 version.c
+        - make
+        - make VERBOSE=1 -j4 check
+    - stage: docker build
+      services:
+        - docker
+      before_script:
+        - docker build -t openconnect .
+      script:
+        - docker run openconnect "/openconnect/openconnect" "-V"| grep gp
+        # This last grep should be changed if this goes upstream, as it
+        # only checks for GlobalProtect support availability.

Dockerfile

@@ -0,0 +1,27 @@
+FROM debian:9-slim as builder
+WORKDIR /openconnect
+RUN apt update \
+    && apt install -y  \
+	build-essential \
+	gettext \
+	autoconf \
+	automake \
+	libproxy-dev \
+	libxml2-dev \
+	libtool \
+	vpnc-scripts \
+	pkg-config \
+	libgnutls28-dev \
+	git \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+ADD . .
+RUN ./autogen.sh
+RUN ./configure
+RUN make
+
+#FROM debian:9-slim
+#WORKDIR /openconnect
+#COPY --from=builder /openconnect .
+#RUN make install
+#RUN ldconfig

Makefile.am

@@ -28,7 +28,7 @@ library_srcs = ssl.c http.c http-auth.c auth-common.c library.c compat.c lzs.c m
 lib_srcs_cisco = auth.c cstp.c
 lib_srcs_juniper = oncp.c lzo.c auth-juniper.c
 lib_srcs_globalprotect = gpst.c auth-globalprotect.c
-lib_srcs_gnutls = gnutls.c gnutls_pkcs12.c gnutls_tpm.c
+lib_srcs_gnutls = gnutls.c gnutls_tpm.c
 lib_srcs_openssl = openssl.c openssl-pkcs11.c
 lib_srcs_win32 = tun-win32.c sspi.c
 lib_srcs_posix = tun.c

PAN_GlobalProtect_protocol_doc.md

@@ -1,4 +1,8 @@
-This is an anonymized log of the authentication, configuration, tunnel data transfer, and logout interactions between a [PAN](http://www.paloaltonetworks.com) GlobalProtect VPN server and client (Windows client, v3.0.1-10).
+This is an anonymized log of the authentication, configuration, tunnel data transfer, and logout interactions between a
+[PAN](http://www.paloaltonetworks.com) GlobalProtect VPN server and client. The logs below are based on the official Windows
+client, v3.0.1-10, with some updates from v4.0.5-8.
+
+Client version 4.0 [adds IPv6 support](https://live.paloaltonetworks.com/t5/Colossal-Event-Blog/New-GlobalProtect-4-0-announced-with-IPv6-support/ba-p/141593) and SAML authentication support.
 
 The correct user-agent (`User-Agent: PAN Globalprotect`) is **required** for all HTTP interactions with the GlobalProtect VPN. It treats any other user-agent as a web browser, not a VPN client.
 
@@ -38,6 +42,20 @@ portal-prelogonuserauthcookie:  empty
 host-id:                        deadbeef-dead-beef-dead-beefdeadbeef
 ```
 
+New parameters sent by Windows client v4.0.5-8:
+
+```
+clientgpversion:                4.0.5-8
+prelogin-cookie:
+ipv6-support:                   yes
+client-ip:                      34.56.78.90
+client-ipv6:                    .
+preferred-ipv6:
+```
+
+The `client-ip{,v6}` parameters refer to the client's _external_ internet-facing IP address, while `preferred-ip{,v6}` parameters
+refer to the expected/desired addresses within the VPN.
+
 Successful login response
 =========================
 
@@ -70,11 +88,20 @@ In order to handle the getconfig, tunnel-connect, and logon requests properly (d
     <argument>tunnel</argument>
     <argument>-1</argument>
     <argument>4100</argument>
-    <argument>preferred ip address as provided above</argument>
+    <argument>preferred IP address as sent in request</argument>
   </application-desc>
 </jnlp>
 ```
 
+Windows client v4.0.5-8 receives additional input-parroting arguments at the end:
+
+```xml
+    <argument>portal-userauthcookie as sent in request</argument>
+    <argument>prelogon-userauthcookie as sent in request</argument>
+    <argument>preferred IPv6 address as sent in request</argument>
+```
+
+
 getconfig request
 =================
 
@@ -108,6 +135,17 @@ enc-algo:          aes-256-gcm,aes-128-gcm,aes-128-cbc,
 hmac-algo:         sha1,
 ```
 
+Windows client v4.0.5-8 adds additional parameters at the end:
+
+```xml
+app-version:       4.0.5-8
+addr1-v6-1:        f00f::/16
+addr1-v6-2:        f00f:dead:beef::dead:beef/128
+preferred-ipv6:
+hmac-algo:         sha1,.
+```
+
+
 Response #2 (getconfig)
 =======================
 
@@ -190,14 +228,22 @@ In the back-and-forth flows shown below, `<` means sent by the gateway, `>` mean
 
 ### ESP-over-UDP
 
-Uses the keying information obtained in response to the `getconfig` request. In order to initiate the connection, the client sends 3 ESP-encapsulated ICMP request ("ping") packets to the gateway. They are sent _from_ the client's in-VPN IP address _to_ the IP address specified by the `<gw-address>` from the `getconfig` response (this is normally the same as the gateway's **public** IP address, but is sometimes a VPN-internal address ¯\\\_(ツ)\_/¯). These ICMP request packets include the following magic payload:
+Uses the keying information obtained in response to the `getconfig` request. In order to initiate the connection, the client sends 3 ICMP request ("ping") packets to the gateway.
 
-    "monitor\x00\x00pan ha 0123456789:;<=>? !\"#$%&\'()*+,-./\x10\x11\x12\x13\x14\x15\x16\x18"
-    "monitor\x00\x00pan ha " (first 16 bytes)
+* These packets are ESP-encapsulated
+* These packets are sent _from_ **the client's in-VPN IP address** _to_ **the IP address specified by the `<gw-address>` from
+  the `getconfig` response**.
+  * The destination address is usually the same as the gateway's **public** internet-facing IP address, but sometimes it is a
+    VPN-internal address ¯\\\_(ツ)\_/¯
+* These ICMP request packets include the following magic payload — though only the first 16 bytes of the payload appear
+  to be necessary to elicit a response from the gateway.
 
-Only the first 16 bytes of the payload appear to be necessary to elicit a response from the gateway. Once the gateway has responded with a corresponding ICMP reply, the client and server send and receive arbitrary ESP-encapsulated traffic.
+      "monitor\x00\x00pan ha 0123456789:;<=>? !\"#$%&\'()*+,-./\x10\x11\x12\x13\x14\x15\x16\x18"
+      "monitor\x00\x00pan ha " (first 16 bytes)
 
-The client continues to periodically send the "magic ping" packets as a keepalive.
+* Once the gateway has responded with a corresponding ICMP reply, the client and server send and receive arbitrary
+  ESP-encapsulated traffic.
+* The client continues to periodically send the same "magic ping" packets as a keepalive.
 
 ### SSL vpn tunnel
 
@@ -264,5 +310,9 @@ Successful logout response
   <domain>company domain name</domain>
   <user>Myusername</user>
   <computer>DEADBEEF01</computer>
+
+  <!-- newer servers include these, older ones don't: -->
+  <saml-session-index></saml-session-index>
+  <saml-name-id></saml-name-id>
 </response>
-```
+```