Merge branch 'master' into daemonize_option

adrienverge · Nov 18, 2021 · 4ee28f2 · 4ee28f2
2 parents b5626fd + d1b2801
commit 4ee28f2
Show file tree

Hide file tree

Showing 26 changed files with 929 additions and 455 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,68 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '26 6 * * 5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'cpp' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        queries: +security-extended
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -0,0 +1,21 @@
+---
+name: Codespell
+
+on:
+  push:
+
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  codespell:
+    name: Check for spelling errors
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - uses: codespell-project/actions-codespell@master
+        with:
+          skip: checkpatch.pl,spelling.txt,LICENSE.OpenSSL
+          ignore_words_list: synopsys,parms
diff --git a/.github/workflows/coverity-scan.yml b/.github/workflows/coverity-scan.yml
@@ -0,0 +1,43 @@
+---
+name: Synopsys
+
+on:
+  push:
+    branches: [coverity_scan]
+
+jobs:
+  coverity-scan:
+    name: Coverity Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v2
+
+      - name: Download the Coverity Scan Build Tool
+        run: |
+          wget -q https://scan.coverity.com/download/cxx/linux64 --post-data "token=$TOKEN&project=adrienverge%2Fopenfortivpn" -O cov-analysis-linux64.tar.gz
+          mkdir cov-analysis-linux64
+          tar xzf cov-analysis-linux64.tar.gz --strip 1 -C cov-analysis-linux64
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
+
+      - name: Build
+        run: |
+          ./autogen.sh
+          ./configure --prefix=/usr --sysconfdir=/etc
+          export PATH=`pwd`/cov-analysis-linux64/bin:$PATH
+          cov-build --dir cov-int make
+
+      - name: Upload the Project Build
+        run: |
+          tar caf openfortivpn.xz cov-int
+          curl \
+            --form token=$TOKEN \
+            --form [email protected] \
+            --form [email protected] \
+            --form version=coverity_scan \
+            --form description="Client for PPP+SSL VPN tunnel services" \
+            https://scan.coverity.com/builds?project=adrienverge%2Fopenfortivpn
+        env:
+          TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }}
diff --git a/.github/workflows/openfortivpn.yml b/.github/workflows/openfortivpn.yml
@@ -0,0 +1,53 @@
+---
+name: Tests
+
+on:
+  push:
+
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  astyle:
+    name: Style
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v2
+
+      - name: Install Dependencies
+        run: sudo apt-get install -y astyle
+
+      - name: Artistic Style
+        run: ./tests/lint/astyle.sh $(git ls-files '*.[ch]' | grep -v openssl_hostname_validation)
+
+      - name: Linux Kernel Coding Style
+        run: ./tests/lint/checkpatch.sh $(git ls-files '*.[ch]' | grep -v openssl_hostname_validation)
+
+      - name: EOL at EOF
+        run: ./tests/lint/eol-at-eof.sh $(git ls-files | grep -v openssl_hostname_validation)
+
+      - name: Line Length
+        run: ./tests/lint/line_length.py $(git ls-files '*.[ch]' | grep -v openssl_hostname_validation)
+
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v2
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get install -y pkg-config
+          ./tests/ci/install_openssl.sh $HOME/.openfortivpn-deps
+
+      - name: Build
+        run: |
+          ./autogen.sh
+          export PKG_CONFIG_PATH="$HOME/.openfortivpn-deps/lib/pkgconfig"
+          ./configure --prefix=/usr --sysconfdir=/etc
+          make
diff --git a/.travis.yml b/.travis.yml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,29 @@ Releases
 This high level changelog is usually updated when a release is tagged.
 On the master branch there may be changes that are not (yet) described here.
 
+### 1.17.1
+
+* [-] fix regression: enable OpenSSL engines by default
+* [-] fix typos found by codespell
+* [-] fix LGTM alerts
+
+### 1.17.0
+
+* [-] make OpenSSL engines optional
+* [+] document and favor --pinentry over plain text password in configuration file
+* [-] fix buffer overflow and other errors in URI espcaping for --pinentry
+* [~] use different --pinentry hints for different hosts, usernames and realms
+* [-] fix memory management errors related to --user-agent option
+
+### 1.16.0
+
+* [+] support for user key pass phrase
+* [~] add a space at the end of the OTP prompt
+* [-] improve tunnel speed on macOS
+* [-] modify memory allocation in the tunnel configuration structure
+* [+] openfortivpn returns the PPP exit status
+* [+] print SSL socket options in log
+
 ### 1.15.0
 
 * [-] fix issue sending pin codes
@@ -34,7 +57,7 @@ On the master branch there may be changes that are not (yet) described here.
 * [+] add git commit id in debug output
 * [-] do not use interface ip for routing on linux
 * [-] avoid extra hop on interface for default route
-* [+] clean up, updates and improvments in the build system
+* [+] clean up, updates and improvements in the build system
 * [+] increase the inbound HTTP buffer capacity when needed
 * [+] print domain search list to output
 * [+] add systemd service file
@@ -73,7 +96,7 @@ On the master branch there may be changes that are not (yet) described here.
 * [-] fix CVE-2020-7041: incorrect use of X509_check_host (regarding return value).
 * [-] always hide cleartest password in -vv output
 * [+] add a clear warning about sensitive information in the debug output
-* [+] add a hint in debug output when password is read from config file
+* [+] add a hint in debug output when password is read from configuration file
 * [-] fix segfault when connecting with empty password
 * [+] use resolvconf if available to update resolv.conf file
 * [~] replace semicolon by space in dns-suffix string
@@ -137,7 +160,7 @@ On the master branch there may be changes that are not (yet) described here.
 * [~] Invert order of ssl libraries (this may help linking on some platforms)
 * [+] Add FreeBSD support and redesigned the autoconf mechanism
 * [+] Support building with gcc 8
-* [-] Prioritize command line arguments over config file parameters
+* [-] Prioritize command line arguments over configuration file parameters
 * [~] Dynamically allocate routing buffer and therefore allow larger routing table
 * [+] Support systemd notification upon tunnel up
 * [+] Support building in a separate directory
@@ -147,15 +170,15 @@ On the master branch there may be changes that are not (yet) described here.
 
 ### 1.7.1
 
-* [~] Be more tolerant about white space in config file
+* [~] Be more tolerant about white space in configuration file
 * [~] Make better usage of pkg-config
 * [~] Rework linking against OpenSSL
 * [-] Build again on Mac OSX where pthread_mutexattr_setrobust is not available
 
 ### 1.7.0
 
 * [~] Correctly set up route to vpn gateway (add support for some particular situations)
-* [+] Support two factor authentication with config file (for NM-plugin)
+* [+] Support two factor authentication with configuration file (for NM-plugin)
 * [~] Change the ip address in the pppd call parameters by a rfc3330 test-net address
 * [-] Correctly report the exit status codes of pppd
 * [+] Add --pppd-call option
@@ -165,26 +188,26 @@ On the master branch there may be changes that are not (yet) described here.
 
 ### 1.6.0
 
-* [-] Fix possible buffer overflow in in long requests
+* [-] Fix possible buffer overflow in long requests
 * [~] Code improvements in terms of header inclusion and some other coverity warnings
 * [+] Add proxy support
 * [~] Use the compiled-in fixed full path to pppd
 * [+] Support pppd ifname option
 * [+] Print a clear error message at runtime if pppd does not exist
 * [+] Print clear text error messages of pppd upon failure
-* [~] Existing config file is not overwritten anymore at installation time
+* [~] Existing configuration file is not overwritten anymore at installation time
 * [~] Increase the accepted cookie size and align the error behavior according to RFCs
-* [-] More gracefully handle unexcpected content of resolv.conf
+* [-] More gracefully handle unexpected content of resolv.conf
 * [~] Dynamically allocate memory for split routes and thus support larger numbers of routes
 
 ### 1.5.0
 
 * [~] Improve error handling around the call of pppd
 * [+] Add half-internet-routes option
-* [-] realm was not recognized in the config file
+* [-] realm was not recognized in the configuration file
 * [~] Switch from no-routes and no-dns to set-routes and set-dns option
 * [+] Add pppd-no-peerdns and pppd-log option
-* [~] Allow passing the otp via the config file for use with NetworkManager plugin
+* [~] Allow passing the otp via the configuration file for use with NetworkManager plugin
 * [-] Fix issues initializing memory and with build system
 * [+] Support building against Openssl 1.1
 * [~] use pkg-config for configuration of openssl instead of configure option
@@ -227,7 +250,7 @@ On the master branch there may be changes that are not (yet) described here.
 
 ### 1.2.0
 
-* [+] Support login with client certificate, key, and ca-file specified in config file
+* [+] Support login with client certificate, key, and ca-file specified in configuration file
 * [~] Use more meaningful error codes when loading config fails
 * [-] Correctly report errors of hostname lookup
 * [+] Add an option not to ask ppp peer for dns servers
@@ -246,7 +269,7 @@ On the master branch there may be changes that are not (yet) described here.
 
 ### 1.1.3
 
-* [~] Support set-dns and set-routes flag from config file as well
+* [~] Support set-dns and set-routes flag from configuration file as well
 * [-] Properly URL-encode values sent in http requests
 * [+] Add support for realm authentication
 * [+] Add support for two factor authentication
@@ -269,8 +292,8 @@ On the master branch there may be changes that are not (yet) described here.
 * [+] Add support for client keys and certificates
 * [~] Extend the split VPN support with older FortiOS servers
 * [+] Add a config parser to handle received non-xml content
-* [~] Allow ommitting the gateway for split routes
-* [~] Allow ommitting DNS servers
+* [~] Allow omitting the gateway for split routes
+* [~] Allow omitting DNS servers
 * [-] Fix a memory leak in auth_get_config
 * [+] Support split routes
 * [+] Export the configuration of routes and gateway to environment
@@ -286,13 +309,13 @@ On the master branch there may be changes that are not (yet) described here.
 
 * [~] Better error messages in /etc/resolv.conf helpers
 * [~] Use better colors for warnings and error messages and only if output is a tty
-* [-] Fix parsing of "trusted-cert" in config file
+* [-] Fix parsing of "trusted-cert" in configuration file
 * [~] Add --pedantic to CFLAGS
 * [+] Add ability to type password interactively
 * [+] Verify gateway's X509 certificate
 * [-] Don't delete nameservers at tear down if they were here before
 * [~] Set /etc/openfortivpn/config not readable by other users
-* [+] Add ability to use a config file
+* [+] Add ability to use a configuration file
 
 ### 1.0.0