Hello community, here is the log from the commit of package openfortivpn for openSUSE:Factory checked in at 2019-03-18 10:43:07 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openfortivpn (Old) and /work/SRC/openSUSE:Factory/.openfortivpn.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openfortivpn" Mon Mar 18 10:43:07 2019 rev:6 rq:685778 version:1.9.0 Changes: -------- --- /work/SRC/openSUSE:Factory/openfortivpn/openfortivpn.changes 2019-01-21 11:00:55.451230858 +0100 +++ /work/SRC/openSUSE:Factory/.openfortivpn.new.28833/openfortivpn.changes 2019-03-18 10:43:14.935150918 +0100 @@ -1,0 +2,11 @@ +Sun Mar 17 11:52:47 UTC 2019 - Martin Hauke <mar...@gmx.de> + +- Update to version 1.9.0 + * Update of the man page, especially about the dns settings + * improved configure output: show detected paths for use at runtime + * Make search string for the otp-prompt configurable + * Add an option to specify a configurable delay during otp + authentication + * Make the options that control usepeerdns more consistent + +------------------------------------------------------------------- Old: ---- openfortivpn-1.8.1.tar.gz New: ---- openfortivpn-1.9.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openfortivpn.spec ++++++ --- /var/tmp/diff_new_pack.YJBM3F/_old 2019-03-18 10:43:16.271150157 +0100 +++ /var/tmp/diff_new_pack.YJBM3F/_new 2019-03-18 10:43:16.271150157 +0100 @@ -12,12 +12,12 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: openfortivpn -Version: 1.8.1 +Version: 1.9.0 Release: 0 Summary: Client for PPP+SSL VPN tunnel services License: GPL-3.0-or-later ++++++ openfortivpn-1.8.1.tar.gz -> openfortivpn-1.9.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/CHANGELOG.md new/openfortivpn-1.9.0/CHANGELOG.md --- old/openfortivpn-1.8.1/CHANGELOG.md 2018-12-14 16:49:46.000000000 +0100 +++ new/openfortivpn-1.9.0/CHANGELOG.md 2019-03-17 10:17:06.000000000 +0100 
@@ -14,6 +14,15 @@ This high level changelog is usually updated when a release is tagged. On the master branch there may be changes that are not (yet) described here. +### 1.9.0 + +* [+] update of the man page, especially about the dns settings +* [+] improved configure output: show detected paths for use at runtime +* [-] correctly convert parsed values, fix for an issue e.g. on Raspbian +* [+] make search string for the otp-prompt configurable +* [+] add an option to specify a configurable delay during otp authentication +* [~] make the options that control usepeerdns more consistent + ### 1.8.1 * [~] Support longer passowrds by allocation of a larger buffer diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/README.md new/openfortivpn-1.9.0/README.md --- old/openfortivpn-1.8.1/README.md 2018-12-14 16:49:46.000000000 +0100 +++ new/openfortivpn-1.9.0/README.md 2019-03-17 10:17:06.000000000 +0100 @@ -52,7 +52,7 @@ ### Installing existing packages Some Linux distibutions provide `openfortivpn` packages: -* [Fedora](https://apps.fedoraproject.org/packages/openfortivpn) +* [Fedora / CentOS](https://apps.fedoraproject.org/packages/openfortivpn) * [openSUSE / SLE](https://software.opensuse.org/package/openfortivpn) * [Gentoo](https://packages.gentoo.org/packages/net-vpn/openfortivpn) * [NixOS](https://github.com/NixOS/nixpkgs/tree/master/pkgs/tools/networking/openfortivpn) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/configure.ac new/openfortivpn-1.9.0/configure.ac --- old/openfortivpn-1.8.1/configure.ac 2018-12-14 16:49:46.000000000 +0100 +++ new/openfortivpn-1.9.0/configure.ac 2019-03-17 10:17:06.000000000 +0100 
@@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ([2.63]) -AC_INIT([openfortivpn], [1.8.1]) +AC_INIT([openfortivpn], [1.9.0]) AC_CONFIG_SRCDIR([src/main.c]) AM_INIT_AUTOMAKE([foreign subdir-objects]) @@ -191,6 +191,7 @@ strtok \ strtok_r \ strtol \ +strtoul \ syslog \ system \ tcgetattr \ @@ -316,7 +317,7 @@ with_pppd="no" ]) -# when neither ppp nor pppd are enabled, assume the previous behavior (for travis) +# when neither ppp nor pppd are enabled fall back to a sensible choice for the platform AS_IF([test "x$with_ppp" = "xno" -a "x$with_pppd" = "xno" ], [ AS_IF([test "x$uname" = "xFreeBSD" ], [ PPP_PATH="/usr/sbin/ppp" 
@@ -327,29 +328,42 @@ ]) ]) -# when both are enabled, give pppd the higher priority (we can only use one of them) +# When both are enabled, give pppd the higher priority (we can only use one of them). +# Note that PPP_PATH should already be correct since pppd is detected later +# and PPP_PATH is overwritten during detection. AS_IF([test "x$with_ppp" = "xyes" -a "x$with_pppd" = "xyes"], [ with_ppp="no" ]) AS_IF([test "x$with_ppp" = "xyes"], [ AC_DEFINE(HAVE_USR_SBIN_PPP, 1) + AC_MSG_NOTICE([HAVE_USR_SBIN_PPP... 1]) ],[ AC_DEFINE(HAVE_USR_SBIN_PPP, 0) + AC_MSG_NOTICE([HAVE_USR_SBIN_PPP... 0]) ]) AS_IF([test "x$with_pppd" = "xyes"], [ AC_DEFINE(HAVE_USR_SBIN_PPPD, 1) + AC_MSG_NOTICE([HAVE_USR_SBIN_PPPD... 1]) ],[ AC_DEFINE(HAVE_USR_SBIN_PPPD, 0) + AC_MSG_NOTICE([HAVE_USR_SBIN_PPPD... 0]) ]) AS_IF([test "x$enable_proc" = "xyes"], [ AC_DEFINE(HAVE_PROC_NET_ROUTE, 1) + AC_MSG_NOTICE([HAVE_PROC_NET_ROUTE... 1]) ],[ AC_DEFINE(HAVE_PROC_NET_ROUTE, 0) + AC_MSG_NOTICE([HAVE_PROC_NET_ROUTE... 0]) ]) AC_SUBST(PPP_PATH) +AC_MSG_NOTICE([PPP_PATH...] $PPP_PATH) + AC_SUBST(NETSTAT_PATH) +AS_IF([test "x$NETSTAT_PATH" != "x" ], [ + AC_MSG_NOTICE([NETSTAT_PATH...] $NETSTAT_PATH) +]) AC_CONFIG_COMMANDS([timestamp], [touch src/.dirstamp]) AC_OUTPUT(Makefile) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/doc/openfortivpn.1.in new/openfortivpn-1.9.0/doc/openfortivpn.1.in --- old/openfortivpn-1.8.1/doc/openfortivpn.1.in 2018-12-14 16:49:46.000000000 +0100 +++ new/openfortivpn-1.9.0/doc/openfortivpn.1.in 2019-03-17 10:17:06.000000000 +0100 
@@ -1,33 +1,37 @@ -.TH OPENFORTIVPN 1 "October 23, 2017" "" +.TH OPENFORTIVPN 1 "March 12, 2019" "" .SH NAME openfortivpn \- Client for PPP+SSL VPN tunnel services .SH SYNOPSIS .B openfortivpn -[\fI<host>\fR:\fI<port>\fR] +[\fI<host>\fR[:\fI<port>\fR]] [\fB\-u\fR \fI<user>\fR] [\fB\-p\fR \fI<pass>\fR] [\fB\-\-otp=\fI<otp>\fR] +[\fB\-\-otp\-prompt=\fI<prompt>\fR] +[\fB\-\-otp\-delay=\fI<delay>\fR] [\fB\-\-realm=\fI<realm>\fR] -[\fB\-\-set-routes=<bool>\fR] -[\fB\-\-no-routes\fR] -[\fB\-\-set-dns=<bool>\fR] -[\fB\-\-no-dns\fR] -[\fB\-\-half-internet-routes=<bool>\fR] -[\fB\-\-ca-file=\fI<file>\fR] -[\fB\-\-user-cert=\fI<file>\fR] -[\fB\-\-user-key=\fI<file>\fR] -[\fB\-\-use-syslog\fR] -[\fB\-\-trusted-cert=\fI<digest>\fR] -[\fB\-\-insecure-ssl\fR] -[\fB\-\-cipher-list=\fI<ciphers>\fR] -[\fB\-\-pppd-no-peerdns\fR] -[\fB\-\-pppd-log=\fI<file>\fR] -[\fB\-\-pppd-plugin=\fI<file>\fR] -[\fB\-\-pppd-ipparam=\fI<string>\fR] -[\fB\-\-pppd-ifname=\fI<string>\fR] -[\fB\-\-pppd-call=\fI<name>\fR] +[\fB\-\-set\-routes=<bool>\fR] +[\fB\-\-no\-routes\fR] +[\fB\-\-set\-dns=<bool>\fR] +[\fB\-\-no\-dns\fR] +[\fB\-\-half\-internet\-routes=<bool>\fR] +[\fB\-\-ca\-file=\fI<file>\fR] +[\fB\-\-user\-cert=\fI<file>\fR] +[\fB\-\-user\-key=\fI<file>\fR] +[\fB\-\-use\-syslog\fR] +[\fB\-\-trusted\-cert=\fI<digest>\fR] +[\fB\-\-insecure\-ssl\fR] +[\fB\-\-cipher\-list=\fI<ciphers>\fR] +[\fB\-\-pppd\-use\-peerdns=<bool>\fR] +[\fB\-\-pppd\-no\-peerdns\fR] +[\fB\-\-pppd\-log=\fI<file>\fR] +[\fB\-\-pppd\-plugin=\fI<file>\fR] +[\fB\-\-pppd\-ipparam=\fI<string>\fR] +[\fB\-\-pppd\-ifname=\fI<string>\fR] +[\fB\-\-pppd\-call=\fI<name>\fR] +[\fB\-\-ppp\-system=\fI<string>\fR] [\fB\-\-persistent=\fI<interval>\fR] [\fB\-c\fR \fI<file>\fR] [\fB\-v|\-q\fR] @@ -46,7 +50,7 @@ .SH OPTIONS .TP \fB\-\-help\fR -Show this help message and exit. +Show the help message and exit. .TP \fB\-\-version\fR Show version and exit. 
@@ -63,53 +67,65 @@ \fB\-o \fI<otp>\fR, \fB\-\-otp=\fI<otp>\fR One-Time-Password. .TP +\fB\-\-otp\-prompt=\fI<prompt>\fR +Search for the otp password prompt starting with the string \fI<prompt>\fR. +.TP +\fB\-\-otp\-delay\=\fI<delay>\fR +Set the amount of time to wait before sending the One-Time-Password. +The delay time must be specified in seconds, where 0 means +no wait (this is the default). +.TP \fB\-\-realm=\fI<realm>\fR Connect to the specified authentication realm. Defaults to empty, which is usually what you want. .TP -\fB\-\-set-routes=\fI<bool>\fR, \fB\-\-no-routes\fR +\fB\-\-set\-routes=\fI<bool>\fR, \fB\-\-no-routes\fR Set if openfortivpn should try to configure IP routes through the VPN when tunnel is up. If used multiple times, the last one takes priority. -\fB\-\-no-routes\fR is the same as \fB\-\-set-routes=\fI0\fR. +\fB\-\-no\-routes\fR is the same as \fB\-\-set-routes=\fI0\fR. .TP -\fB\-\-half-internet-routes=\fI<bool>\fR +\fB\-\-half\-internet\-routes=\fI<bool>\fR Set if openfortivpn should add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher priority instead of replacing the default route. .TP -\fB\-\-set-dns=\fI<bool>\fR, \fB\-\-no-dns\fR +\fB\-\-set\-dns=\fI<bool>\fR, \fB\-\-no\-dns\fR Set if openfortivpn should add VPN nameservers in /etc/resolv.conf when tunnel is up. If used multiple times, the last one takes priority. +This option requires that the dns entries are requested from the peer. +So, \fB\-\-pppd\-no\-peerdns\fR conflicts with \fB\-\-set\-dns=\fI1\fR. +Note that there may be other mechanisms to update /etc/resolv.conf +which may require that openfortivpn is called with \fB\-\-no\-dns\fR. -\fB\-\-no-dns\fR is the same as \fB\-\-set-dns=\fI0\fR. +\fB\-\-no\-dns\fR is the same as \fB\-\-set\-dns=\fI0\fR. .TP -\fB\-\-ca-file=\fI<file>\fR +\fB\-\-ca\-file=\fI<file>\fR Use specified PEM-encoded certificate bundle instead of system-wide store to verify the gateway certificate. 
.TP -\fB\-\-user-cert=\fI<file>\fR +\fB\-\-user\-cert=\fI<file>\fR Use specified PEM-encoded certificate if the server requires authentication with a certificate. .TP -\fB\-\-user-key=\fI<file>\fR +\fB\-\-user\-key=\fI<file>\fR Use specified PEM-encoded key if the server requires authentication with a certificate. .TP -\fB\-\-use-syslog\fR +\fB\-\-use\-syslog\fR Log to syslog instead of terminal. .TP -\fB\-\-trusted-cert=\fI<digest>\fR +\fB\-\-trusted\-cert=\fI<digest>\fR Trust a given gateway. If classical SSL certificate validation fails, the gateway certificate will be matched against this value. \fI<digest>\fR is the X509 certificate's sha256 sum. This option can be used multiple times to trust several certificates. .TP -\fB\-\-insecure-ssl\fR +\fB\-\-insecure\-ssl\fR Do not disable insecure SSL protocols/ciphers. -If your server requires a specific cipher, consider using \fB\-\-cipher-list\fR +If your server requires a specific cipher, consider using \fB\-\-cipher\-list\fR instead. .TP -\fB\-\-cipher-list=\fI<ciphers>\fR +\fB\-\-cipher\-list=\fI<ciphers>\fR Openssl ciphers to use. If default does not work, you can try alternatives such as HIGH:!MD5:!RC4 or as suggested by the Cipher: line in the output of \fBopenssl\fP(1) (e.g. AES256-GCM-SHA384): 
@@ -118,34 +134,44 @@ (default: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4) .TP -\fB\-\-pppd-no-peerdns\fR -Do not ask peer ppp server for DNS server addresses and do not make pppd -rewrite /etc/resolv.conf. +\fB\-\-use\-peer\-dns=\fI<bool>\fR, \fB\-\-pppd\-no\-peerdns\fR +Whether to ask peer ppp server for DNS server addresses and do not make pppd +rewrite /etc/resolv.conf. If the DNS server addresses are not requested, +also \fB\-\-set\-dns=\fI1\fR has no effect. On the other hand, with +\fB\-\-set\-dns=\fI0\fR, when pppd requests DNS server addresses, there +may be othter mechanisms, such as an pppd\-ip\-up-script that do the update +of /etc/resolv.conf. + +\fB\-\-pppd\-no\-peerdns\fR is the same as \fB\-\-pppd\-use\-peerdns=\fI0\fR. .TP -\fB\-\-pppd-log=\fI<file>\fR +\fB\-\-pppd\-log=\fI<file>\fR Set pppd in debug mode and save its logs into \fI<file>\fR. .TP -\fB\-\-pppd-plugin=\fI<file>\fR +\fB\-\-pppd\-plugin=\fI<file>\fR Use specified pppd plugin instead of configuring the resolver and routes directly. .TP -\fB\-\-pppd-ipparam=\fI<string>\fR -Provides an extra parameter to the ip-up, ip-pre-up and ip-down scripts. See man +\fB\-\-pppd\-ipparam=\fI<string>\fR +Provides an extra parameter to the ip\-up, ip\-pre\-up and ip\-down scripts. See man .BR pppd(8) for further details .TP -\fB\-\-pppd-ifname=\fI<string>\fR +\fB\-\-pppd\-ifname=\fI<string>\fR Set the ppp interface name. Only if supported by pppd. Patched versions of pppd implement this option but may not be available on your platform. .TP -\fB\-\-pppd-call=\fI<name>\fR +\fB\-\-pppd\-call=\fI<name>\fR Drop usual arguments from pppd command line and add `call <name>' instead. This can be useful on Debian and Ubuntu, where unprivileged users in group `dip' can invoke `pppd call <name>' to make pppd read and apply options from /etc/ppp/peers/<name> (including privileged ones). .TP +\fB\-\-ppp\-system=\fI<string>\fR +Only available if compiled for ppp user space client (e.g. on FreeBSD). 
+Connect to the specified system as defined in /etc/ppp/ppp.conf +.TP \fB\-\-persistent\=\fI<interval>\fR -Runs the vpn persistently in an endless loop and tries to reconnect forever. +Run the vpn persistently in an endless loop and try to reconnect forever. The reconnect interval may be specified in seconds, where 0 means no reconnect is done (this is the default). .TP @@ -157,7 +183,7 @@ .SH ENVIRONMENT and proxy support .B openfortivpn -can be run behind a http that supports the http connect command. +can be run behind a http proxy that supports the http connect command. It checks if one of the environment variables .B https_proxy HTTPS_PROXY all_proxy ALL_PROXY is set which are supposed to contain a string of the format @@ -195,6 +221,9 @@ .br VPN_ROUTE_GATEWAY_... the gateway for the current route entry +If not compiled for pppd the pppd options and features that rely on them are not +available. On FreeBSD \fB\-\-ppp\-system\fR is available instead. + .SH CONFIG FILE Options can be taken from a configuration file. Options passed in the command line will override those from the config file, though. The default config file 
@@ -206,52 +235,72 @@ A config file looks like: # this is a comment .br -host = vpn-gateway +host = vpn\-gateway .br -port = 8443 +port = 443 .br username = foo .br password = bar .br -user-cert = @SYSCONFDIR@/openfortivpn/user-cert.pem +# realm = some-realm +.br +# useful for a gui that passes a config file to openfortivpn +.br +# otp = 123456 +.br +# otp\-delay = 0 .br -user-key = @SYSCONFDIR@/openfortivpn/user-key.pem +# otp\-prompt = Please +.br +user\-cert = @SYSCONFDIR@/openfortivpn/user\-cert.pem +.br +user\-key = @SYSCONFDIR@/openfortivpn/user\-key.pem .br # the sha256 digest of the trusted host certs obtained by .br -# openssl dgst -sha256 server-cert.pem: +# openssl dgst -sha256 server\-cert.pem: .br -trusted-cert = certificatedigest4daa8c5fe6c... +trusted\-cert = certificatedigest4daa8c5fe6c... .br -trusted-cert = othercertificatedigest6631bf... +trusted\-cert = othercertificatedigest6631bf... .br # This would specify a ca bundle instead of system-wide store .br -# ca-file = @SYSCONFDIR@/openfortivpn/ca-bundle.pem +# ca\-file = @SYSCONFDIR@/openfortivpn/ca\-bundle.pem .br -set-dns = 0 +set\-dns = 0 .br -set-routes = 1 +set\-routes = 1 .br -half-internet-routes = 0 +half\-internet\-routes = 0 .br -pppd-use-peerdns = 1 +pppd\-use\-peerdns = 1 .br # alternatively, use a specific pppd plugin instead .br -# pppd-plugin = /usr/lib/pppd/default/some-plugin.so +# pppd\-plugin = /usr/lib/pppd/default/some\-plugin.so .br # for debugging pppd write logs here .br -# pppd-log = /var/log/pppd.log +# pppd\-log = /var/log/pppd.log +.br +# pass ppp interface name to pppd (if supported by a patched pppd) +.br +# pppd\-ifname = ppp1 +.br +# pass an ipparam string to pppd, e.g. 
the device name (a similar use case) +.br +# pppd\-ipparam = 'device=$DEVICE' +.br +# instruct pppd to call a script instead of passing arguments (if pppd supports it) .br -# pass an ipparam string to pppd +# pppd\-call = script .br -# pppd-ipparam = somestringtopasstopppd +# use\-syslog = 0 .br -insecure-ssl = 0 +insecure\-ssl = 0 .br -cipher-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4 +cipher\-list = HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4 .br persistent = 0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/src/config.c new/openfortivpn-1.9.0/src/config.c --- old/openfortivpn-1.8.1/src/config.c 2018-12-14 16:49:46.000000000 +0100 +++ new/openfortivpn-1.9.0/src/config.c 2019-03-17 10:17:06.000000000 +0100 @@ -32,6 +32,8 @@ .username = {'\0'}, .password = NULL, .otp = {'\0'}, + .otp_prompt = NULL, + .otp_delay = -1, .realm = {'\0'}, .set_routes = -1, .set_dns = -1, @@ -190,7 +192,7 @@ strncpy(cfg->gateway_host, val, FIELD_SIZE); cfg->gateway_host[FIELD_SIZE] = '\0'; } else if (strcmp(key, "port") == 0) { - long int port = strtol(val, NULL, 0); + unsigned long int port = strtoul(val, NULL, 0); if (port <= 0 || port > 65535) { log_warn("Bad port in config file: \"%d\".\n", port); @@ -205,6 +207,17 @@ } else if (strcmp(key, "otp") == 0) { strncpy(cfg->otp, val, FIELD_SIZE - 1); cfg->otp[FIELD_SIZE] = '\0'; + } else if (strcmp(key, "otp-prompt") == 0) { + free(cfg->otp_prompt); + cfg->otp_prompt = strdup(val); + } else if (strcmp(key, "otp-delay") == 0) { + long int otp_delay = strtol(val, NULL, 0); + if (otp_delay < 0 || otp_delay > UINT_MAX) { + log_warn("Bad value for otp-delay in config file: \"%s\".\n", + val); + continue; + } + cfg->otp_delay = otp_delay; } else if (strcmp(key, "realm") == 0) { strncpy(cfg->realm, val, FIELD_SIZE - 1); cfg->realm[FIELD_SIZE] = '\0'; 
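Review bot: `log_warn("Bad port in config file: \"%d\".\n", port);` now hands an `unsigned long` to a `%d` conversion, which is undefined behaviour and prints garbage on LP64 platforms; the specifier should be `%lu`. With `port` unsigned, `port <= 0` reduces to `port == 0`, so the guard reads more honestly as `if (port == 0 || port > 65535) {`. `strtoul(val, NULL, 0)` also ignores trailing garbage (`443abc` is accepted) and silently wraps a leading `-`; passing an end pointer and requiring `*end == '\0'` would reject both. The enclosing load_config body continues outside the hunk.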
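Review bot: The new `otp-delay` block repeats, token for token, the `persistent` block in the next hunk and the two command-line handlers in main.c (`otp-delay`, `persistent`): a `strtol(val, NULL, 0)` with no end-pointer or `errno` check followed by a `< 0 || > UINT_MAX` range test. The copies have already diverged (`persistent` here was switched to `strtoul`, `otp-delay` was not), so a small `static` helper that parses one unsigned value with `strtoul`, an end pointer and `errno` and reports success or failure would keep the four sites consistent. Note also that `otp_delay > UINT_MAX` is vacuous where `long` is 32 bits, since both operands convert to `unsigned long` there. The enclosing function continues outside the hunk.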
@@ -233,8 +246,8 @@
 }
 cfg->half_internet_routes = half_internet_routes;
 } else if (strcmp(key, "persistent") == 0) {
- long int persistent = strtol(val, NULL, 0);
- if (persistent < 0 || persistent > UINT_MAX) {
+ unsigned long int persistent = strtoul(val, NULL, 0);
+ if (persistent > UINT_MAX) {
 log_warn("Bad value for persistent in config file: \"%s\".\n",
 val);
 continue;
@@ -330,6 +343,7 @@
 void destroy_vpn_config(struct vpn_config *cfg)
 {
 free(cfg->password);
+ free(cfg->otp_prompt);
 #if HAVE_USR_SBIN_PPPD
 free(cfg->pppd_log);
 free(cfg->pppd_plugin);
@@ -363,6 +377,8 @@
 dst->password = strdup(src->password);
 if (src->otp[0])
 strcpy(dst->otp, src->otp);
+ if (src->otp_delay != invalid_cfg.otp_delay)
+ dst->otp_delay = src->otp_delay;
 if (src->realm[0])
 strcpy(dst->realm, src->realm);
 if (src->set_routes != invalid_cfg.set_routes)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/src/config.h new/openfortivpn-1.9.0/src/config.h
--- old/openfortivpn-1.8.1/src/config.h 2018-12-14 16:49:46.000000000 +0100
+++ new/openfortivpn-1.9.0/src/config.h 2019-03-17 10:17:06.000000000 +0100
@@ -66,6 +66,8 @@
 char username[FIELD_SIZE + 1];
 char *password;
 char otp[FIELD_SIZE + 1];
+ char *otp_prompt;
+ unsigned int otp_delay;
 char realm[FIELD_SIZE + 1];
 int set_routes;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/src/http.c new/openfortivpn-1.9.0/src/http.c
--- old/openfortivpn-1.8.1/src/http.c 2018-12-14 16:49:46.000000000 +0100
+++ new/openfortivpn-1.9.0/src/http.c 2019-03-17 10:17:06.000000000 +0100
@@ -27,6 +27,7 @@
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <unistd.h>
 #define BUFSZ 0x8000
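Review bot: Dropping `persistent < 0` loses the rejection of negative values, because `strtoul` accepts a leading `-` and wraps it: on a platform where `long` is 32 bits (the Raspbian case the changelog mentions) `ULONG_MAX == UINT_MAX`, so `persistent = -1` passes `persistent > UINT_MAX` and becomes a reconnect interval of 4294967295 seconds instead of a warning. Keep the sign check, e.g. `if (*val == '-' || persistent > UINT_MAX) {` (after any leading whitespace the file's parser may leave), or parse with an end pointer and `errno` and reject `ERANGE`. The `port` hunk above has the same wrap, though there the wrapped value exceeds 65535 on every platform and is rejected anyway.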
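Review bot: merge_config gains a copy of `otp_delay`, but none of the visible config.c hunks copies `otp_prompt`, so a prompt held in the source config (for instance the command-line `--otp-prompt` added in main.c) is dropped at the merge unless it is handled somewhere outside this diff. Mirroring the `password` line above it, `if (src->otp_prompt) { free(dst->otp_prompt); dst->otp_prompt = strdup(src->otp_prompt); }` keeps ownership clear now that destroy_vpn_config frees the field. The function continues beyond the hunk.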
@@ -373,6 +374,14 @@ return ret; } +static void delay_otp(struct tunnel *tunnel) +{ + if (tunnel->config->otp_delay > 0) { + log_info("Delaying OTP by %d seconds...\n", tunnel->config->otp_delay); + sleep(tunnel->config->otp_delay); + } +} + static int try_otp_auth( struct tunnel *tunnel, @@ -410,6 +419,8 @@ * Fall back to default prompt if not found/parseable */ p = strstr(s, "Please"); + if (tunnel->config->otp_prompt != NULL) + p = strstr(s, tunnel->config->otp_prompt); if (p) { e = strchr(p, '<'); if (e != NULL) { @@ -558,6 +569,8 @@ /* Probably one-time password required */ if (strncmp(res, "HTTP/1.1 401 Authorization Required\r\n", 37) == 0) { + delay_otp(tunnel); + ret = try_otp_auth(tunnel, res, &res, &response_size); if (ret != 1) goto end; @@ -612,6 +625,7 @@ "&redir=%%2Fremote%%2Findex&just_logged_in=1", username, realm, reqid, polid, group, tokenresponse); + delay_otp(tunnel); ret = http_request( tunnel, "POST", "/remote/logincheck", data, &res, &response_size); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/src/ipv4.c new/openfortivpn-1.9.0/src/ipv4.c --- old/openfortivpn-1.8.1/src/ipv4.c 2018-12-14 16:49:46.000000000 +0100 +++ new/openfortivpn-1.9.0/src/ipv4.c 2019-03-17 10:17:06.000000000 +0100 
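Review bot: `log_info("Delaying OTP by %d seconds...\n", tunnel->config->otp_delay);` passes the `unsigned int` declared in config.h to a `%d` conversion; use `%u`. `sleep()` also returns early when a signal arrives, returning the unslept seconds, so if the full delay is what the option promises, loop on the return value, e.g. `unsigned int left = tunnel->config->otp_delay; while ((left = sleep(left)) > 0);`.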
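Review bot: The comment just above, "Fall back to default prompt if not found/parseable", no longer matches the code: when `otp_prompt` is set, the `"Please"` result is overwritten even if the custom prompt is absent, so there is no fallback, and the default `strstr` is computed for nothing. Either state the intent in one line, `p = strstr(s, tunnel->config->otp_prompt ? tunnel->config->otp_prompt : "Please");`, and reword the comment, or fall back to `"Please"` when the custom search returns NULL. An empty `otp_prompt` makes `strstr` return `s`, i.e. a match at the very start of the response, so the option parsers should reject an empty string. try_otp_auth continues outside the hunk.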
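Review bot: `delay_otp(tunnel);` is inserted before `try_otp_auth` here and again in the `@@ -612,6 +625,7 @@` hunk directly before the logincheck POST; if that second site is inside try_otp_auth (its enclosing function starts outside the hunk, so this is inferred from the `tokenresponse` data being built there), the configured delay is applied twice on the 401 path. One call, placed immediately before the request that carries the token, is sufficient.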
@@ -347,16 +347,16 @@ unsigned long mtu, window; iface = strtok_r(line, "\t", &saveptr2); - dest = strtol(strtok_r(NULL, "\t", &saveptr2), NULL, 16); - gtw = strtol(strtok_r(NULL, "\t", &saveptr2), NULL, 16); - flags = strtol(strtok_r(NULL, "\t", &saveptr2), NULL, 16); + dest = strtoul(strtok_r(NULL, "\t", &saveptr2), NULL, 16); + gtw = strtoul(strtok_r(NULL, "\t", &saveptr2), NULL, 16); + flags = strtoul(strtok_r(NULL, "\t", &saveptr2), NULL, 16); strtok_r(NULL, "\t", &saveptr2); // "RefCnt" strtok_r(NULL, "\t", &saveptr2); // "Use" - metric = strtol(strtok_r(NULL, "\t", &saveptr2), NULL, 16); - mask = strtol(strtok_r(NULL, "\t", &saveptr2), NULL, 16); - mtu = strtol(strtok_r(NULL, "\t", &saveptr2), NULL, 16); - window = strtol(strtok_r(NULL, "\t", &saveptr2), NULL, 16); - irtt = strtol(strtok_r(NULL, "\t", &saveptr2), NULL, 16); + metric = strtoul(strtok_r(NULL, "\t", &saveptr2), NULL, 16); + mask = strtoul(strtok_r(NULL, "\t", &saveptr2), NULL, 16); + mtu = strtoul(strtok_r(NULL, "\t", &saveptr2), NULL, 16); + window = strtoul(strtok_r(NULL, "\t", &saveptr2), NULL, 16); + irtt = strtoul(strtok_r(NULL, "\t", &saveptr2), NULL, 16); #else /* parse netstat output on Mac OSX and BSD */ char tmp_ip_string[16]; @@ -392,7 +392,7 @@ // break CIDR up into address and mask part strcpy(tmp_ip_string, strtok_r(tmpstr, "/", &saveptr3)); - mask = strtol(saveptr3, NULL, 10); + mask = strtoul(saveptr3, NULL, 10); // convert from CIDR to ipv4 mask mask = 0xffffffff << (32-mask); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/src/main.c new/openfortivpn-1.9.0/src/main.c --- old/openfortivpn-1.8.1/src/main.c 2018-12-14 16:49:46.000000000 +0100 +++ new/openfortivpn-1.9.0/src/main.c 2019-03-17 10:17:06.000000000 +0100 
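Review bot: Every `strtok_r` result is handed straight to `strtoul`; on a short or malformed /proc/net/route line `strtok_r` returns NULL and `strtoul(NULL, ...)` is undefined behaviour. This predates the change, but since all eight lines are being touched, capturing each token and skipping the line when any is NULL would be cheap. The enclosing parse loop starts and ends outside the hunk.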
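Review bot: `mask = 0xffffffff << (32-mask);` on the line after the change shifts by 32 when the prefix length is 0 and by a negative count when it exceeds 32; both are undefined behaviour, and `strtoul` only guarantees the value is non-negative. A bounds check before the shift closes this: `if (mask > 32) continue;` (or whatever skip the surrounding loop uses, it starts outside the hunk) followed by `mask = mask ? 0xffffffffU << (32 - mask) : 0;`.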
@@ -29,16 +29,17 @@ #define PWD_BUFSIZ 4096 - #if HAVE_USR_SBIN_PPPD #define PPPD_USAGE \ -" [--pppd-no-peerdns] [--pppd-log=<file>]\n" \ +" [--pppd-use-peerdns=<0|1>] [--pppd-log=<file>]\n" \ " [--pppd-ifname=<string>] [--pppd-ipparam=<string>]\n" \ " [--pppd-call=<name>] [--pppd-plugin=<file>]\n" #define PPPD_HELP \ -" --pppd-no-peerdns Do not ask peer ppp server for DNS server addresses\n" \ -" and do not make pppd rewrite /etc/resolv.conf\n" \ +" --pppd-use-peerdns=[01] Whether to ask peer ppp server for DNS server\n" \ +" addresses and make pppd rewrite /etc/resolv.conf.\n" \ +" --pppd-no-peerdns Same as --pppd-use-peerdns=0. Neiter pppd\n" \ +" nor openfortivpn will modify DNS resolution then.\n" \ " --pppd-log=<file> Set pppd in debug mode and save its logs into\n" \ " <file>.\n" \ " --pppd-plugin=<file> Use specified pppd plugin instead of configuring\n" \ @@ -60,7 +61,8 @@ #define usage \ "Usage: openfortivpn [<host>[:<port>]] [-u <user>] [-p <pass>]\n" \ -" [--realm=<realm>] [--otp=<otp>] [--set-routes=<0|1>]\n" \ +" [--realm=<realm>] [--otp=<otp>] [--otp-delay=<delay>]\n" \ +" [--otp-prompt=<prompt>] [--set-routes=<0|1>]\n" \ " [--half-internet-routes=<0|1>] [--set-dns=<0|1>]\n" \ PPPD_USAGE \ " [--ca-file=<file>]\n" \ @@ -78,7 +80,6 @@ "the gateway and this process.\n" \ "\n" - #define help_options \ "Options:\n" \ " -h --help Show this help message and exit.\n" \ @@ -88,6 +89,8 @@ " -u <user>, --username=<user> VPN account username.\n" \ " -p <pass>, --password=<pass> VPN account password.\n" \ " -o <otp>, --otp=<otp> One-Time-Password.\n" \ +" --otp-prompt=<prompt> Search for the otp prompt starting with this string\n" \ +" --otp-delay=<delay> Wait <delay> seconds before sending the OTP.\n" \ " --realm=<realm> Use specified authentication realm on VPN gateway\n" \ " when tunnel is up.\n" \ " --set-routes=[01] Set if openfortivpn should configure output routes through\n" \ 
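Review bot: The new help line `" --pppd-no-peerdns Same as --pppd-use-peerdns=0. Neiter pppd\n"` misspells "Neither" in user-visible output; it should read `Neither pppd`. The same string also starts at column 32 like the existing entries, so the wrap onto the next line keeps the help table aligned.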
@@ -96,7 +99,7 @@ " --half-internet-routes=[01] Add two 0.0.0.0/1 and 128.0.0.0/1 routes with higher\n" \ " priority instead of replacing the default route.\n" \ " --set-dns=[01] Set if openfortivpn should add VPN name servers in\n" \ -" /etc/resolv.conf\n" \ +" /etc/resolv.conf, pppd must provide the DNS servers.\n" \ " --no-dns Do not reconfigure DNS, same as --set-dns=0\n" \ " --ca-file=<file> Use specified PEM-encoded certificate bundle\n" \ " instead of system-wide store to verify the gateway\n" \ @@ -119,17 +122,16 @@ " you can try with the cipher suggested in the output\n" \ " of 'openssl s_client -connect <host:port>'\n" \ " (e.g. AES256-GCM-SHA384)\n" \ -PPPD_HELP \ " --persistent=<interval> Run the vpn persistently in a loop and try to re-\n" \ " connect every <interval> seconds when dropping out\n" \ " -v Increase verbosity. Can be used multiple times\n" \ " to be even more verbose.\n" \ " -q Decrease verbosity. Can be used multiple times\n" \ -" to be even less verbose.\n" \ -"\n" +" to be even less verbose.\n" #define help_config \ +"\n" \ "Config file:\n" \ " Options can be taken from a configuration file. Options passed in the\n" \ " command line will override those from the config file, though. The default\n" \ @@ -158,6 +160,8 @@ .username = {'\0'}, .password = NULL, .otp = {'\0'}, + .otp_prompt = NULL, + .otp_delay = 0, .realm = {'\0'}, .set_routes = 1, .set_dns = 1, @@ -192,6 +196,8 @@ {"username", required_argument, 0, 'u'}, {"password", required_argument, 0, 'p'}, {"otp", required_argument, 0, 'o'}, + {"otp-prompt", required_argument, 0, 0}, + {"otp-delay", required_argument, 0, 0}, {"set-routes", required_argument, 0, 0}, {"no-routes", no_argument, &cli_cfg.set_routes, 0}, {"half-internet-routes", required_argument, 0, 0}, 
@@ -206,6 +212,7 @@ {"insecure-ssl", no_argument, &cli_cfg.insecure_ssl, 1}, {"cipher-list", required_argument, 0, 0}, #if HAVE_USR_SBIN_PPPD + {"pppd-use-peerdns", required_argument, 0, 0}, {"pppd-no-peerdns", no_argument, &cli_cfg.pppd_use_peerdns, 0}, {"pppd-log", required_argument, 0, 0}, {"pppd-plugin", required_argument, 0, 0}, @@ -246,6 +253,17 @@ } #if HAVE_USR_SBIN_PPPD if (strcmp(long_options[option_index].name, + "pppd-use-peerdns") == 0) { + int pppd_use_peerdns = strtob(optarg); + if (pppd_use_peerdns < 0) { + log_warn("Bad pppd-use-peerdns option: \"%s\"\n", + optarg); + break; + } + cli_cfg.pppd_use_peerdns = pppd_use_peerdns; + break; + } + if (strcmp(long_options[option_index].name, "pppd-log") == 0) { cli_cfg.pppd_log = strdup(optarg); break; @@ -318,6 +336,11 @@ break; } if (strcmp(long_options[option_index].name, + "otp-prompt") == 0) { + cli_cfg.otp_prompt = strdup(optarg); + break; + } + if (strcmp(long_options[option_index].name, "set-routes") == 0) { int set_routes = strtob(optarg); if (set_routes < 0) { @@ -340,6 +363,17 @@ break; } if (strcmp(long_options[option_index].name, + "otp-delay") == 0) { + long int otp_delay = strtol(optarg, NULL, 0); + if (otp_delay < 0 || otp_delay > UINT_MAX) { + log_warn("Bad otp-delay option: \"%s\"\n", + optarg); + break; + } + cli_cfg.otp_delay = otp_delay; + break; + } + if (strcmp(long_options[option_index].name, "persistent") == 0) { long int persistent = strtol(optarg, NULL, 0); if (persistent < 0 || persistent > UINT_MAX) { 
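Review bot: The option is registered and parsed as `pppd-use-peerdns`, but the man page hunk in doc/openfortivpn.1.in documents it under the heading `\fB\-\-use\-peer\-dns=\fI<bool>\fR` while its own text then refers to `--pppd-use-peerdns=0`; the heading should be `\fB\-\-pppd\-use\-peerdns=\fI<bool>\fR`. The getopt branch itself follows the existing `set-routes` pattern and looks right.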
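Review bot: `cli_cfg.otp_prompt = strdup(optarg);` overwrites any earlier value without freeing it, so repeating `--otp-prompt` leaks; the config-file parser in config.c frees first and this handler should too: `free(cli_cfg.otp_prompt);` before the `strdup`. An empty argument should be rejected as well, since an empty `strstr` needle matches at offset 0 of the server response. The enclosing option loop starts and ends outside the hunk.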
@@ -362,7 +396,8 @@
 }
 goto user_error;
 case 'h':
- printf("%s%s%s%s", usage, summary, help_options, help_config);
+ printf("%s%s%s%s%s", usage, summary, help_options,
+ PPPD_HELP, help_config);
 ret = EXIT_SUCCESS;
 goto exit;
 case 'v':
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openfortivpn-1.8.1/src/tunnel.c new/openfortivpn-1.9.0/src/tunnel.c
--- old/openfortivpn-1.8.1/src/tunnel.c 2018-12-14 16:49:46.000000000 +0100
+++ new/openfortivpn-1.9.0/src/tunnel.c 2019-03-17 10:17:06.000000000 +0100
@@ -452,7 +452,7 @@
 if (proxy_port != NULL) {
 proxy_port[0] = '\0';
 proxy_port++;
- server.sin_port = htons(strtol(proxy_port, NULL, 10));
+ server.sin_port = htons(strtoul(proxy_port, NULL, 10));
 } else {
 server.sin_port = htons(tunnel->config->gateway_port);
 }
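Review bot: `htons(strtoul(proxy_port, NULL, 10))` narrows the result to 16 bits with no range check, so a port above 65535 is silently truncated and an unparsable value becomes port 0; the string comes from the proxy environment variable split just above. Parse into an `unsigned long`, reject `0` and anything above 65535 with a log message and an error return before assigning `server.sin_port`. The enclosing function continues beyond the hunk.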