Tag version 3.11

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Output to stderr too in Android's syslog_progress()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Mention Android in supported platforms

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

android: fix typo in #include header

Signed-off-by: Jason Cooper <cyanogen@lakedaemon.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Android build support.

[dwmw2: Clean up file lists, define IF_TUN_HDR]

Signed-off-by: Jason Cooper <cyanogen@lakedaemon.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add Android logging support

[dwmw2: make it use the --syslog option instead of removing it]

Signed-off-by: Jason Cooper <cyanogen@lakedaemon.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove <sys/syslog.h> inclusion. It should be <syslog.h>

Android doesn't have <sys/syslog.h>

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make TPM ENGINE support optional

Android's OpenSSL doesn't have ENGINE support; don't require it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Changelog entry for the switch back to TLSv1

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use TLSv1 again, but with no extensions.

In commit 3bee59cd8c4fd6dc38bc2c7d5edb9b5795509fca ("Use SSLv3 not TLSv1")
we switched to SSLv3 to avoid problems with VPN servers (or firewalls)
which reject extensions in ClientHello. Another user now reports that
using SSLv3 is failing, and he needs to use TLSv1.

Testing confirms that the originally problematic server *does* work with
TLSv1, as long as we disable the session ticket extension. So that makes
everyone happy... for now, until a new extension is invented and enabled
by default, and we have to block that too.  It's a shame that there's no
SSL_OP_NO_EXTENSIONS which would turn them *all* off.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 3.10

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Note the existence of KDE support for NetworkManager + openconnect

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Silence output from tag checks

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove debugging from uncommitted-check rule

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add 'make tmp-dist' for testing tarballs, to work around the tag check

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check for repeated tags in 'make tag'

And remove the ifdef VERSION, since $(VERSION) is always defined now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix dist-hook to enforce being at $(VERSION)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Switch to using autohate :(

I really didn't want to do this, but much as I hate libtool it is the
easiest way to portably build shared libraries, and we really do need
to build libopenconnect as a shared library. And having used libtool
we might as well concede entirely and use autoconf/automake.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add openconnect_vpninfo_new_with_cbdata() function to ease C++ integration

C++ callers really want the 'self' object pointer to be the first argument
of the callbacks. Give them the chance to get that, instead of the vpninfo
pointer.

Preserve the old openconnect_vpninfo_new() call, even with the same
prototype for the callback functions, for compatibility with the existing
GNOME auth-dialog.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Explicitly require pkg-config. It's not installed by default on OS X

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add 'reconnect' invocation of vpnc-script, to re-ensure routing/DNS setup

If we reconnect because of an actual local network disconnect/reconnect, then
something (DHCP, etc.) may have screwed up the routing and DNS according to
the local configuration. Give the script a chance to remedy that.

With iproute (i.e. modern Linux) it ought to work just to make vpnc-script
do the same as it does on 'connect'. For other systems it's somewhat harder.

For now vpnc-script will ignore it, anyway.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use 'openssl' pkgconfig not 'libssl'. Debian doesn't include -lcrypto in libssl

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --non-inter option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update web page to document NetworkManager auth-dialog move

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clarify that --script [...] will be evaluated by the shell.

Signed-off-by: Thomas Schwinge <thomas@codesourcery.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 3.02

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix manpage formatting

Adding back a period at the start of this file fixes the broken
formatting.

Signed-off-by: Ray Kohler <ataraxia937@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clear cached peer_addr where necessary.

If the user declined to manually accept a certificate in the NetworkManager
auth-dialog, and the SSL_connect() failed, we were still keeping the cached
peer_addr around. So even after the user chose *another* host to connect to,
we weren't actually doing another DNS lookup; we were just continuing to
connect to the old address.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use pkgconfig for libssl.

Taken from the Gentoo portage. Either they hadn't bothered to send me
the patch, or I had dropped it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Bump library API for openconnect_vpninfo_free() addition

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Free cert after comparing it with sslkey.

There wasn't a use-after-free here, but it *looked* like it. Swap them anyway.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add openconnect_vpninfo_free(); start to sanify string lifetime rules.

- openconnect_set_http_proxy() now takes ownership of the proxy string
- fix openconnect_clear_cookie() to clear string properly, and only if set

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Install target fixes

 don't create /usr/libexec
 do create /usr/share/man/man8 and install manpage there

Signed-off-by: Ray Kohler <ataraxia937@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 3.01

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add libxml to pkg-config requirements. Doh!

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 3.00

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove auth-dialog. It lives in NetworkManager-openconnect now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add install-lib make target

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove 'reprompt' variable which does nothing

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add a dummy use of 'thread' after creating it, to shut compiler up

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make a bunch of functions static to avoid compiler warnings

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix shadowed declarations of global config_path

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix shadowed declarations of global gcl

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix shadowed declarations of global ui_data

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add API version to header, fix include guard

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add openconnect_get_version() function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix namespace prefix on get_cert_sha1 function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Hide openconnect_close_https() and openconnect_create_useragent()

These are no longer exposed

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add accessor functions for library use, convert nm-auth-dialog to use them

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove vpn_name from struct openconnect_info. It's only used by the auth-dialog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Rename openconnect_parse_url() to internal_parse_url()

We only need to expose a simpler version of this

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Split private parts of openconnect.h out into openconnect-internal.h

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make install commands work on Solaris

Apparently "install -m0755" doesn't work, but "install -m 0755" does.
Pointed out by Kazuyoshi Aizawa.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add csd_wrapper gconf setting

Signed-off-by: Keith Moyer <openconnect-devel@keithmoyer.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Put xml.o before main.o in build.

Just observed a strange failure when someone tried to override CFLAGS when
invoking make. It build main.o happily, but then fell over trying to build
xml.o. Then they tried again, overriding OPT_FLAGS instead. But main.o
wasn't rebuilt, and had been built without -DOPENCONNECT_LIBPROXY, hence
had a different 'struct openconnect_info' to the rest of the program, leading
to weird faults.

Ideally we ought to remember the flags used for each build and compare; the
kernel and chromium makefiles have the required magic for that which could
be easily stolen. But for now the easy fix is just to build xml.o first.
That way, if someone overrides CFLAGS they'll get an immediate failure and
no stray objects with wrong struct layout.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Partly revert excessive renaming (s/passphrase_from_fsid/openconnect_\1/)

Commit 1c41ab12942fc05e9a9fa833bb9864727bb34f46 also renamed the internal
variable do_passphrase_from_fsid in main.c. Revert that part.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't elide webvpn cookie if it's empty

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix leak of form_buf on redirect/repost/etc

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up auth form handling

Instead of scanning the login form and only displaying specific prompts,
display and record responses for all <input type="text">, and
<input type="password"> elements in the login form. It is still limited to
a single <select> element. The support for combining a securid code and pin
has also been removed.

Signed-off-by: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --csd-wrapper

Add option to run the CSD trojan via a user supplied script.

Signed-off-by: Paul Brook <paul@codesourcery.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix help output for --servercert option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up fingerprint routines

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Namespace cleanup: s/parse_url/openconnect_parse_url/

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Namespace cleanup: s/passphrase_from_fsid/openconnect_passphrase_from_fsid/

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Namespace cleanup: s/set_http_proxy/openconnect_set_http_proxy/

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Report and abort when cafile fails to open.

Slightly saner error handling would have prevented a wild goose chase
this morning.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.26

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't crash on relative redirect when original urlpath was NULL
Red Hat bug #629979

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Android has /dev/tun, not /dev/net/tun

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update --script-tun description, remove non-existent --tun-fd from manpage.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix host selection in NM auth-dialog

It wasn't actually clearing vpninfo->peer_addr, so we were always just
reconnecting to the first host, even when the user changed the selection.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use SSLv3 not TLSv1

There are servers (or firewalls) which apparently reject all connections with
any hello extensions. Seen with a Cisco VPN 3000.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check certificate expiry and complain

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update status of Debian OpenSSL DTLS support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Never use protocol family prefixes with a TUN script.

Signed-off-by: Eric Barkie <ebarkie@us.ibm.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close existing connection and discard compressed packet in cstp_reconnect()

Both callers need to do this, so move it into the function.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Implement DTLS and CSTP rekeying.

Don't know if there's a way to pass a new DTLS master secret and get
back a new session-id over an existing CSTP connection; reconnecting the
CSTP works though. And is the way to rekey CSTP too, since SSL
renegotiation got deprecated (we never got round to doing it that way
either, anyway).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up option handling to use sane values for long-only options

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --force-dpd option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Elide webvpn cookie from debugging output.

Hopefully this should help to stop users from posting them to the
mailing list.

The check in Exim to add a warning header if it detects a cookie, and the
Mailman rule to trap messages with that header for moderation, should also
help.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update ConnMan references

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Link to knetworkmanager bug for OpenConnect support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.25

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Compare cert IP address with that of the server... not the proxy

We mustn't use vpninfo->peer_addr when validating the server's
certificate, because that could be the address of the proxy if we're
using one. Use the result of running inet_pton() on the hostname instead.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print UTF8 form of URI in messages, not raw form

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make parse_url preserve its input string

It still screws with it as it parses it, but at least it puts it back now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't match URIs with a path component

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove stray debugging printf

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove stray break which stopped processing altnames after the first GEN_DNS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use ASN1_STRING_to_UTF8 for altnames

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of GEN_URI altnames.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leak on non-200 HTTP result

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of GEN_IPADD altnames.

In particular, the length of the altname wasn't the same as the length
of the corresponding sockaddr.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Accept GEN_IPADD certificate altneme for raw IPv6 address without [] too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle wildcards in hostname matching

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>