openconnect: update to 7.03

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

net/openconnect/Makefile

@@ -8,12 +8,17 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openconnect
-PKG_VERSION:=6.00
-PKG_RELEASE:=3
+PKG_VERSION:=7.03
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/openconnect/
-PKG_MD5SUM:=7e28e23c6e281be31446e6c365f5d273
+PKG_MD5SUM:=83f6a359906d49473f591ba613ca3fe5
+
+PKG_CONFIG_DEPENDS:= \
+	CONFIG_OPENCONNECT_GNUTLS \
+	CONFIG_OPENCONNECT_OPENSSL \
+
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -42,7 +47,9 @@ endef
 
 CONFIGURE_ARGS += \
 	--disable-shared \
-	--with-vpnc-script=/lib/netifd/vpnc-script
+	--with-vpnc-script=/lib/netifd/vpnc-script \
+	--without-libpcsclite \
+	--without-stoken
 
 ifeq ($(CONFIG_OPENCONNECT_OPENSSL),y)
 CONFIGURE_ARGS += \

net/openconnect/README

@@ -3,27 +3,26 @@ The openconnect client expects to be configured using the uci interface.
 To setup a VPN connection, add the following to /etc/config/network:
 
 config interface 'MYVPN'
-        option _orig_ifname 'vpnc'
-        option _orig_bridge 'false'
         option proto 'openconnect'
         option server 'vpn.example.com'
         option port '4443'
         option username 'test'
         option password 'secret'
         option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
+        option authgroup 'DEFAULT'
 
 The additional files are also used:
-/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
-/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key
-/etc/openconnect/ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)
+/etc/config/openconnect-user-cert-vpn-MYVPN.pem: The user certificate
+/etc/config/openconnect-user-key-vpn-MYVPN.pem: The user private key
+/etc/config/openconnect-ca-vpn-MYVPN.pem: The CA certificate (instead of serverhash)
 
 After these are setup you can initiate the VPN using "ifup MYVPN", and
 deinitialize it using ifdown. You may also use the luci web interface
-(Network -> Interfaces -> AVPN Connect).
+(Network -> Interfaces -> MYVPN Connect).
 
 Note that you need to configure the firewall to allow communication between
 the MYVPN interface and lan.
 
 
 There is a luci plugin to allow configuring an openconnect interface from
-the web environment; see the luci-protocol-openconnect package.
+the web environment; see the luci-proto-openconnect package.

net/openconnect/files/openconnect-wrapper

@@ -22,7 +22,17 @@ cleanup()
 	exit 0
 }
 
-trap cleanup 1 2 3 6 15
+cleanup2()
+{
+	if ! test -z "$pid";then
+		kill -2 $pid
+		wait $pid
+	fi
+	exit 0
+}
+
+trap cleanup2 2
+trap cleanup 1 3 6 15
 
 rm -f "$pidfile"
 /usr/sbin/openconnect $* <$pwfile &

net/openconnect/files/openconnect.sh

@@ -17,7 +17,7 @@ proto_openconnect_init_config() {
 proto_openconnect_setup() {
 	local config="$1"
 
-	json_get_vars server port username serverhash authgroup password vgroup
+	json_get_vars server port username serverhash authgroup password vgroup token_mode token_secret
 
 	grep -q tun /proc/modules || insmod tun
 
@@ -38,10 +38,23 @@ proto_openconnect_setup() {
 
 	cmdline="$server$port -i vpn-$config --non-inter --syslog --script /lib/netifd/vpnc-script"
 
-	[ -f /etc/openconnect/ca-vpn-$config.pem ] && append cmdline "--cafile /etc/openconnect/ca-vpn-$config.pem"
-	[ -f /etc/openconnect/user-cert-vpn-$config.pem ] && append cmdline "-c /etc/openconnect/user-cert-vpn-$config.pem"
-	[ -f /etc/openconnect/user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/openconnect/user-key-vpn-$config.pem"
-	[ -n "$serverhash" ] && append cmdline "--servercert=$serverhash"
+	# migrate to new config files
+	[ -f /etc/openconnect/user-cert-vpn-$config.pem ] && mv "/etc/openconnect/user-cert-vpn-$config.pem" "/etc/config/openconnect-user-cert-vpn-$config.pem"
+	[ -f /etc/openconnect/user-key-vpn-$config.pem ] && mv "/etc/openconnect/user-key-vpn-$config.pem" "/etc/config/openconnect-user-key-vpn-$config.pem"
+	[ -f /etc/openconnect/ca-vpn-$config.pem ] && mv "/etc/openconnect/ca-vpn-$config.pem" "/etc/config/openconnect-ca-vpn-$config.pem"
+
+	# read new config files
+	[ -f /etc/config/openconnect-user-cert-vpn-$config.pem ] && append cmdline "-c /etc/config/openconnect-user-cert-vpn-$config.pem"
+	[ -f /etc/config/openconnect-user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/config/openconnect-user-key-vpn-$config.pem"
+	[ -f /etc/config/openconnect-ca-vpn-$config.pem ] && {
+		append cmdline "--cafile /etc/openconnect/ca-vpn-$config.pem"
+		append cmdline "--no-system-trust"
+	}
+
+	[ -n "$serverhash" ] && {
+		append cmdline " --servercert=$serverhash"
+		append cmdline "--no-system-trust"
+	}
 	[ -n "$authgroup" ] && append cmdline "--authgroup $authgroup"
 	[ -n "$username" ] && append cmdline "-u $username"
 	[ -n "$password" ] && {
@@ -51,10 +64,13 @@ proto_openconnect_setup() {
 		append cmdline "--passwd-on-stdin"
 	}
 
+	[ -n "$token_mode" ] && append cmdline "--token-mode=$token_mode"
+	[ -n "$token_secret" ] && append cmdline "--token-secret=$token_secret"
+
 	proto_export INTERFACE="$config"
 	logger -t openconnect "executing 'openconnect $cmdline'"
 
-	if [ -f "$pwfile" ];then
+	if [ -f "$pwfile" ]; then
 		proto_run_command "$config" /usr/sbin/openconnect-wrapper $pwfile $cmdline
 	else
 		proto_run_command "$config" /usr/sbin/openconnect $cmdline
@@ -68,7 +84,7 @@ proto_openconnect_teardown() {
 
 	rm -f $pwfile
 	logger -t openconnect "bringing down openconnect"
-	proto_kill_command "$config"
+	proto_kill_command "$config" 2
 }
 
 add_protocol openconnect

net/openconnect/files/vpnc-script

@@ -26,6 +26,8 @@
 #* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address
 #* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen
 
+HOOKS_DIR=/etc/openconnect
+
 # FIXMEs:
 
 # Section A: route handling
@@ -44,13 +46,12 @@
 
 # Section B: Split DNS handling
 
-# 1) Maybe dnsmasq can do something like that
-# 2) Parse dns packets going out via tunnel and redirect them to original dns-server
+# 1) We parse CISCO_SPLIT_DNS and use dnsmasq to set it
 
 do_connect() {
 	if [ -n "$CISCO_BANNER" ]; then
 		logger -t openconnect "Connect Banner:"
-		logger -t openconnect "$CISCO_BANNER" | while read LINE ; do logger -t openconnect "|" "$LINE" ; done
+		echo "$CISCO_BANNER" | while read LINE ; do logger -t openconnect "|" "$LINE" ; done
 	fi
 
 	proto_init_update "$TUNDEV" 1
@@ -80,8 +81,23 @@ do_connect() {
 		[[ "$addr" != "$mask" ]] && proto_add_ipv6_address "$addr" "$mask"
 	fi
 
-	[ -n "$INTERNAL_IP4_DNS" ] && proto_add_dns_server "$INTERNAL_IP4_DNS"
-	[ -n "$CISCO_DEF_DOMAIN" ] && proto_add_dns_search "$CISCO_DEF_DOMAIN"
+	if [ -n "$CISCO_SPLIT_DNS" ] && [ -d "/tmp/dnsmasq.d/" ];then
+		SDNS=`echo $CISCO_SPLIT_DNS|sed 's/,/\n/g'`
+		DNSMASQ_FILE="/tmp/dnsmasq.d/openconnect.$TUNDEV"
+		rm -f $DNSMASQ_FILE
+		echo "$SDNS" | while read i; do
+			if [ -n "$INTERNAL_IP4_DNS" ];then
+				echo "server=/$i/$INTERNAL_IP4_DNS" >> $DNSMASQ_FILE
+			fi
+			if [ -n "$INTERNAL_IP6_DNS" ];then
+				echo "server=/$i/$INTERNAL_IP6_DNS" >> $DNSMASQ_FILE
+			fi
+		done
+		/etc/init.d/dnsmasq restart
+	else
+		[ -n "$INTERNAL_IP4_DNS" ] && proto_add_dns_server "$INTERNAL_IP4_DNS"
+		[ -n "$CISCO_DEF_DOMAIN" ] && proto_add_dns_search "$CISCO_DEF_DOMAIN"
+	fi
 
 	if [ -n "$CISCO_SPLIT_INC" ]; then
 		i=0
@@ -118,10 +134,22 @@ do_connect() {
 }
 
 do_disconnect() {
+	rm -f "/tmp/dnsmasq.d/openconnect.$TUNDEV"
 	proto_init_update "$TUNDEV" 0
 	proto_send_update "$INTERFACE"
 }
 
+#### Hooks
+run_hooks() {
+	HOOK="$1"
+
+	if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then
+		for script in ${HOOKS_DIR}/${HOOK}.d/* ; do
+			[ -f $script ] && . $script
+		done
+	fi
+}
+
 #### Main
 
 if [ -z "$reason" ]; then
@@ -137,14 +165,20 @@ fi
 
 case "$reason" in
 	pre-init)
+		run_hooks pre-init
 		;;
 	connect)
+		run_hooks connect
 		do_connect
+		run_hooks post-connect
 		;;
 	disconnect)
+		run_hooks disconnect
 		do_disconnect
+		run_hooks post-disconnect
 		;;
 	reconnect)
+		run_hooks reconnect
 		;;
 	*)
 		logger -t openconnect "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2