platform/upstream/openconnect.git
12 years ago  Update translations from Transifex
David Woodhouse [Wed, 20 Jun 2012 13:59:25 +0000 (14:59 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Run msgmerge after importing translations from Transifex
David Woodhouse [Wed, 20 Jun 2012 13:47:41 +0000 (14:47 +0100)]
Run msgmerge after importing translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add translations that GNOME NetworkManager-openconnect has, that we don't
David Woodhouse [Wed, 20 Jun 2012 12:55:30 +0000 (13:55 +0100)]
Add translations that GNOME NetworkManager-openconnect has, that we don't

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix typo in error message
David Woodhouse [Wed, 20 Jun 2012 12:34:19 +0000 (13:34 +0100)]
Fix typo in error message

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Support old-style OpenSSL encrypted PEM keys
David Woodhouse [Tue, 19 Jun 2012 16:42:22 +0000 (17:42 +0100)]
Support old-style OpenSSL encrypted PEM keys

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix memory leaks in text-mode process_form_opts
David Woodhouse [Tue, 19 Jun 2012 16:34:41 +0000 (17:34 +0100)]
Fix memory leaks in text-mode process_form_opts

The caller probably won't free the returned answers if we return error,
so do it locally.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  NUL-terminate blobs from Android keystore
David Woodhouse [Tue, 19 Jun 2012 12:37:38 +0000 (13:37 +0100)]
NUL-terminate blobs from Android keystore

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix PKCS#11 cleanup when no SSL certificate is set
David Woodhouse [Mon, 18 Jun 2012 19:06:36 +0000 (20:06 +0100)]
Fix PKCS#11 cleanup when no SSL certificate is set

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add Android keystore support for --cafile
David Woodhouse [Sun, 17 Jun 2012 22:42:53 +0000 (23:42 +0100)]
Add Android keystore support for --cafile

Based on a patch from Vilmos Nebehaj <v.nebehaj@gmail.com>

Signed-off-by: Vilmos Nebehaj <v.nebehaj@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add missing includes and libs to Android.mk
David Woodhouse [Sun, 17 Jun 2012 22:40:41 +0000 (23:40 +0100)]
Add missing includes and libs to Android.mk

I probably shouldn't need to add libc, but it shouldn't hurt either, and I
*do* need it. Otherwise I think my screwed up local build system is using
the wrong one. One day I'll actually get AOSP or Cyanogen to build properly
and I won't have to suffer with this cobbled-together pile of crap that I'm
using...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Switch from Android's keystore_get() to our own keystore_fetch()
David Woodhouse [Sun, 17 Jun 2012 21:02:16 +0000 (22:02 +0100)]
Switch from Android's keystore_get() to our own keystore_fetch()

This gives proper error handling which Android's lacks.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix double-free of BIO in loading cert from keystore
David Woodhouse [Sun, 17 Jun 2012 20:58:02 +0000 (21:58 +0100)]
Fix double-free of BIO in loading cert from keystore

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix fake Android keystore_get() to return -1 on failure
David Woodhouse [Sun, 17 Jun 2012 01:37:42 +0000 (02:37 +0100)]
Fix fake Android keystore_get() to return -1 on failure

Harmless in this case, but it doesn't hurt to be consistent with Android.
At least, with what Android does when it's *not* buggy... :)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix Android keystore support for older keystore_get.h
David Woodhouse [Sun, 17 Jun 2012 01:33:43 +0000 (02:33 +0100)]
Fix Android keystore support for older keystore_get.h

This is an "inline" function, in the header file. So it's about the build
environment you use for building openconnect, not the runtime environment.

It was fixed by the following commit in android/frameworks/base:

commit c741a2fe41ea33fc386a4d5b932cc081aa92a18c
Author: Chia-chi Yeh <chiachi@android.com>
Date:   Thu Sep 30 15:17:58 2010 +0800

    KeyStore: Fix the return value when send() or recv() has an error.

    Change-Id: I20a63c76bd29b1a9f8959a6c4fe5a5b8a9a971b4

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add trousers to list of optional build deps
David Woodhouse [Fri, 15 Jun 2012 14:06:31 +0000 (15:06 +0100)]
Add trousers to list of optional build deps

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add gnutls.h to noinst_HEADERS
David Woodhouse [Fri, 15 Jun 2012 13:55:56 +0000 (14:55 +0100)]
Add gnutls.h to noinst_HEADERS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Remove POTFILES.in from po/ EXTRA_DIST
David Woodhouse [Fri, 15 Jun 2012 13:49:06 +0000 (14:49 +0100)]
Remove POTFILES.in from po/ EXTRA_DIST

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Automatically keep Android.mk in sync with source lists from Makefile.am
David Woodhouse [Fri, 15 Jun 2012 13:48:04 +0000 (14:48 +0100)]
Automatically keep Android.mk in sync with source lists from Makefile.am

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  OpenSSL: Fix recognition of repeated 'wrong passphrase' errors
David Woodhouse [Fri, 15 Jun 2012 13:26:26 +0000 (14:26 +0100)]
OpenSSL: Fix recognition of repeated 'wrong passphrase' errors

Without it, we were getting the wrong error if the passphrase was wrong
a second time, and not correctly staying in the retry loop:

Enter PEM pass phrase:
140379913099200:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:536:
Loading private key failed (wrong passphrase?)
Enter PEM pass phrase:
140379913099200:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
Loading private key failed (see above errors)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add Android keystore support
David Woodhouse [Fri, 15 Jun 2012 13:03:03 +0000 (14:03 +0100)]
Add Android keystore support

Based on a patch from Vilmos Nebehaj <v.nebehaj@gmail.com>

Signed-off-by: Vilmos Nebehaj <v.nebehaj@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix Android build
David Woodhouse [Fri, 15 Jun 2012 12:45:13 +0000 (13:45 +0100)]
Fix Android build

Well, almost. My local NDK setup still fails to link because libicuuc.so
needs libgabi++.so, and even with that it has undefined references to
mbstowcs and wcstombs. But that's probably a local issue.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix build for OpenSSL without DTLS
David Woodhouse [Fri, 15 Jun 2012 12:43:36 +0000 (13:43 +0100)]
Fix build for OpenSSL without DTLS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Clean up feature/index web pages a little
David Woodhouse [Fri, 15 Jun 2012 09:58:40 +0000 (10:58 +0100)]
Clean up feature/index web pages a little

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Remove separate POTFILES list and build potfile from real sources lists
David Woodhouse [Fri, 15 Jun 2012 09:29:46 +0000 (10:29 +0100)]
Remove separate POTFILES list and build potfile from real sources lists

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add gnutls_tpm.c to POTFILES
David Woodhouse [Fri, 15 Jun 2012 00:03:30 +0000 (01:03 +0100)]
Add gnutls_tpm.c to POTFILES

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Don't repack extra_certs[] when matching key; just cope with it being sparse
David Woodhouse [Thu, 14 Jun 2012 23:56:31 +0000 (00:56 +0100)]
Don't repack extra_certs[] when matching key; just cope with it being sparse

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Clean up GnuTLS load_certificate() and improve comments
David Woodhouse [Thu, 14 Jun 2012 23:39:42 +0000 (00:39 +0100)]
Clean up GnuTLS load_certificate() and improve comments

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Unify assign_privkey() function for GnuTLS 2 and 3
David Woodhouse [Thu, 14 Jun 2012 22:59:46 +0000 (23:59 +0100)]
Unify assign_privkey() function for GnuTLS 2 and 3

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Move setting of vpninfo->my_p11key to somewhere tidier
David Woodhouse [Thu, 14 Jun 2012 22:51:08 +0000 (23:51 +0100)]
Move setting of vpninfo->my_p11key to somewhere tidier

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Split assign_privkey_gtls2() to separate function
David Woodhouse [Thu, 14 Jun 2012 22:38:29 +0000 (23:38 +0100)]
Split assign_privkey_gtls2() to separate function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Split assign_privkey_gtls3() to separate function
David Woodhouse [Thu, 14 Jun 2012 22:07:49 +0000 (23:07 +0100)]
Split assign_privkey_gtls3() to separate function

Another step towards a cleaner load_certificate() for GnuTLS.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Move TPM code out into gnutls_tpm.c
David Woodhouse [Thu, 14 Jun 2012 21:48:38 +0000 (22:48 +0100)]
Move TPM code out into gnutls_tpm.c

Slightly reduce the #ifdef hell in gnutls.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Clean up handling of gnutls_pkcs12.c
David Woodhouse [Thu, 14 Jun 2012 21:22:05 +0000 (22:22 +0100)]
Clean up handling of gnutls_pkcs12.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix BER encoding of hash in sign_dummy_data()
David Woodhouse [Thu, 14 Jun 2012 21:10:16 +0000 (22:10 +0100)]
Fix BER encoding of hash in sign_dummy_data()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Cope with lack of gnutls_certificate_set_key() in GnuTLS 2.12
David Woodhouse [Thu, 14 Jun 2012 16:02:18 +0000 (17:02 +0100)]
Cope with lack of gnutls_certificate_set_key() in GnuTLS 2.12

We *can* use arbitrary privkeys, by using the cert_callback to provide
them on demand.

And even without gnutls_privkey_import_ext() to give us a constructed
privkey that represents the TPM key, we can cope by registering a
sign_callback on the TLS session.

This means that we can support the TPM, and also fix the lack of extra
supporting certs and expiry check when using PKCS#11 certs with GnuTLS 2.12.

It also means my code is an even bigger mess of #ifdefs than it was before.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix memory leak of TPM key password
David Woodhouse [Thu, 14 Jun 2012 15:00:03 +0000 (16:00 +0100)]
Fix memory leak of TPM key password

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix wording of comment about string handling
David Woodhouse [Thu, 14 Jun 2012 07:45:16 +0000 (08:45 +0100)]
Fix wording of comment about string handling

The library *will* free them later. Honest! If we say "should", someone
might get confused and think we're saying the *caller* needs to do it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Document SHA1 buffer requirements more clearly
David Woodhouse [Thu, 14 Jun 2012 07:34:11 +0000 (08:34 +0100)]
Document SHA1 buffer requirements more clearly

There's an inconsistency here; openconnect_set_xmlsha1() takes a redundant
'len' arg which serves no purpose except to check that the caller knows
how big a SHA1 is. If it's not 41, we bail.

Next time the soname is getting bumped, I'll add a similar redundant
check to openconnect_get_cert_sha1() too. I should have done that when
it was first converted from an internal function to a public-facing one
in commit 20840ab0. But I didn't, and it's not worth bumping the soname
again right now *just* for that.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix Solaris build, again
David Woodhouse [Thu, 14 Jun 2012 01:14:05 +0000 (02:14 +0100)]
Fix Solaris build, again

I really ought to script a check for this.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix GnuTLS 2.12 library still referencing OpenSSL ERR_print_errors_cb()
David Woodhouse [Wed, 13 Jun 2012 23:55:54 +0000 (00:55 +0100)]
Fix GnuTLS 2.12 library still referencing OpenSSL ERR_print_errors_cb()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Tag version 3.99 (tag: v3.99)
David Woodhouse [Wed, 13 Jun 2012 22:55:17 +0000 (23:55 +0100)]
Tag version 3.99

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Make 'make tag' work out of source tree
David Woodhouse [Wed, 13 Jun 2012 22:55:03 +0000 (23:55 +0100)]
Make 'make tag' work out of source tree

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  $CISCO_SPLIT_DNS is separated by commas in vpnc, not spaces
David Woodhouse [Wed, 13 Jun 2012 22:32:53 +0000 (23:32 +0100)]
$CISCO_SPLIT_DNS is separated by commas in vpnc, not spaces

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Link libopenconnect to trousers, not openconnect
David Woodhouse [Wed, 13 Jun 2012 22:32:02 +0000 (23:32 +0100)]
Link libopenconnect to trousers, not openconnect

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Move dtls1_stop_timer() declaration inside the OPENCONNECT_OPENSSL section
David Woodhouse [Wed, 13 Jun 2012 21:22:39 +0000 (22:22 +0100)]
Move dtls1_stop_timer() declaration inside the OPENCONNECT_OPENSSL section

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Update translations from Transifex
David Woodhouse [Wed, 13 Jun 2012 20:43:20 +0000 (21:43 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix build with GnuTLS 2.12
David Woodhouse [Wed, 13 Jun 2012 20:41:42 +0000 (21:41 +0100)]
Fix build with GnuTLS 2.12

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Allow GUI to distinguish between PIN/passphrase callbacks
David Woodhouse [Wed, 13 Jun 2012 20:39:27 +0000 (21:39 +0100)]
Allow GUI to distinguish between PIN/passphrase callbacks

The UI may cache user input by form->auth_id, opt->name. But those were
always the same (and auth_id was even NULL for OpenSSL UI callbacks from
the TPM engine), so it wasn't very helpful. Fix it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Handle TPM keys with their own authentication PIN
David Woodhouse [Wed, 13 Jun 2012 19:56:55 +0000 (20:56 +0100)]
Handle TPM keys with their own authentication PIN

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Give proper error reporting from tpm_sign_fn() TPM operations
David Woodhouse [Wed, 13 Jun 2012 19:29:08 +0000 (20:29 +0100)]
Give proper error reporting from tpm_sign_fn() TPM operations

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Try null SRK key (20 bytes of zero) first
David Woodhouse [Wed, 13 Jun 2012 19:24:19 +0000 (20:24 +0100)]
Try null SRK key (20 bytes of zero) first

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix error exits in GnuTLS load_certificate() function
David Woodhouse [Wed, 13 Jun 2012 19:21:30 +0000 (20:21 +0100)]
Fix error exits in GnuTLS load_certificate() function

Having separate 'err' for GnuTLS errno, and 'ret' for the return value, has
caused me to sometimes return without setting 'ret'. Make it uninitialised
to start with, and then the compiler should warn if I 'goto out' again
without setting 'ret'.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Implement certificate matching for TPM/PKCS#11 privkeys
David Woodhouse [Wed, 13 Jun 2012 15:38:14 +0000 (16:38 +0100)]
Implement certificate matching for TPM/PKCS#11 privkeys

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix GnuTLS PIN cache leak when only *key* is PKCS#11 and not certificate.
David Woodhouse [Wed, 13 Jun 2012 15:30:18 +0000 (16:30 +0100)]
Fix GnuTLS PIN cache leak when only *key* is PKCS#11 and not certificate.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Remove redundancy in code which 'matches' cert to privkey
David Woodhouse [Wed, 13 Jun 2012 15:03:06 +0000 (16:03 +0100)]
Remove redundancy in code which 'matches' cert to privkey

Yes, it doesn't *actually* do any matching... yet.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add TPM support for GnuTLS
David Woodhouse [Tue, 12 Jun 2012 22:27:42 +0000 (23:27 +0100)]
Add TPM support for GnuTLS

Based on GnuTLS TPM code by Carolin Latze <latze@angry-red-pla.net>
and Tobias Soder.

Like the OpenSSL TPM ENGINE, this only supports a key 'blob' rather than
using keys by UUID. That shouldn't be hard to fix if someone wants it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Clean up build options printout
David Woodhouse [Wed, 13 Jun 2012 11:07:34 +0000 (12:07 +0100)]
Clean up build options printout

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix DTLS fallback to OpenSSL for old GnuTLS
David Woodhouse [Wed, 13 Jun 2012 11:05:50 +0000 (12:05 +0100)]
Fix DTLS fallback to OpenSSL for old GnuTLS

Due to a typo, it wasn't using OpenSSL for DTLS unless you specified
--without-openssl on the configure command line.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Explicitly check for gnutls_certificate_set_key(), separate it from p11-kit
David Woodhouse [Tue, 12 Jun 2012 21:59:07 +0000 (22:59 +0100)]
Explicitly check for gnutls_certificate_set_key(), separate it from p11-kit

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  OpenSSL: Fix leak of cert_x509
David Woodhouse [Tue, 12 Jun 2012 09:34:45 +0000 (10:34 +0100)]
OpenSSL: Fix leak of cert_x509

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  OpenSSL: Free BIO leak in reload_pem_cert()
David Woodhouse [Tue, 12 Jun 2012 09:33:48 +0000 (10:33 +0100)]
OpenSSL: Free BIO leak in reload_pem_cert()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  OpenSSL: Clean up leaks in TPM ENGINE handling
David Woodhouse [Tue, 12 Jun 2012 09:32:23 +0000 (10:32 +0100)]
OpenSSL: Clean up leaks in TPM ENGINE handling

The key, in the ctx, holds a reference on the engine. We should be dropping
our own.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  OpenSSL: Fix password memory leaks
David Woodhouse [Tue, 12 Jun 2012 09:31:42 +0000 (10:31 +0100)]
OpenSSL: Fix password memory leaks

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Make authentication valgrind-friendly
David Woodhouse [Tue, 12 Jun 2012 09:30:42 +0000 (10:30 +0100)]
Make authentication valgrind-friendly

Not strictly needed to free stuff right before we exit, but it makes it
easier to find leaks in the library code.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix useragent leak
David Woodhouse [Tue, 12 Jun 2012 09:28:40 +0000 (10:28 +0100)]
Fix useragent leak

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  GnuTLS: Fix password memory leaks
David Woodhouse [Tue, 12 Jun 2012 09:28:09 +0000 (10:28 +0100)]
GnuTLS: Fix password memory leaks

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add openconnect_has_tss_blob_support()
David Woodhouse [Mon, 11 Jun 2012 20:58:02 +0000 (21:58 +0100)]
Add openconnect_has_tss_blob_support()

Turns out this might not be entirely OpenSSL-specific; we should be able
to support it in GnuTLS too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix const char * warnings in GnuTLS pin_helper on FreeBSD
David Woodhouse [Mon, 11 Jun 2012 18:27:00 +0000 (19:27 +0100)]
Fix const char * warnings in GnuTLS pin_helper on FreeBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add --authenticate option
David Woodhouse [Mon, 11 Jun 2012 15:18:46 +0000 (16:18 +0100)]
Add --authenticate option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add openconnect_has_pkcs11_support()
David Woodhouse [Mon, 11 Jun 2012 13:57:39 +0000 (14:57 +0100)]
Add openconnect_has_pkcs11_support()

Theoretically, the OpenSSL side can (and should) gain PKCS#11 support at
some point. There *is* a PKCS#11 engine, although it seems somewhat unloved.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Return error from OpenSSL load_certificate() for PKCS#11 URLs
David Woodhouse [Mon, 11 Jun 2012 13:57:01 +0000 (14:57 +0100)]
Return error from OpenSSL load_certificate() for PKCS#11 URLs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Translate build option output
David Woodhouse [Mon, 11 Jun 2012 13:51:15 +0000 (14:51 +0100)]
Translate build option output

Oops. The whole point in doing it this way with full sentences instead of
crap like ("with%s TPM support", tpm?"":"out") was to ease translation...
and then I forgot to mark the strings translatable :)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Make --disable-ipv6 really do it
David Woodhouse [Mon, 11 Jun 2012 12:47:24 +0000 (13:47 +0100)]
Make --disable-ipv6 really do it

Previously, it only made us stop *asking* the server for IPv6. If the server
gave us IPv6 addresses anyway on the basis that this is the 21st century and
there's no excuse for pretending otherwise (or, in practice, because my test
server is handing out hard-coded responses without looking at the request),
we were still actually using them.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Remove --cert-type option from command line
David Woodhouse [Mon, 11 Jun 2012 12:42:27 +0000 (13:42 +0100)]
Remove --cert-type option from command line

With the impending v4.00 release and the soname change, this is a good
time to obsolete the --cert-type option. We've been automatically
detecting key types for a *long* time.

Only remove it from the command line for now; the library never exposed
it, but if the GnuTLS cert-loading code ends up being contributed back
to GnuTLS then they might want something similar there. So leave it in
place but unused.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Print SSL build options on --version or usage()
David Woodhouse [Mon, 11 Jun 2012 12:39:50 +0000 (13:39 +0100)]
Print SSL build options on --version or usage()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Allow building against GnuTLS (for TCP) and GnuTLS (for DTLS) simultaneously
David Woodhouse [Mon, 11 Jun 2012 12:25:58 +0000 (13:25 +0100)]
Allow building against GnuTLS (for TCP) and GnuTLS (for DTLS) simultaneously

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Remove stray openssl includes
David Woodhouse [Mon, 11 Jun 2012 11:43:36 +0000 (12:43 +0100)]
Remove stray openssl includes

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Update translations from Transifex
David Woodhouse [Mon, 11 Jun 2012 09:54:37 +0000 (10:54 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix upload-pot make target for out-of-tree build
David Woodhouse [Mon, 11 Jun 2012 09:54:00 +0000 (10:54 +0100)]
Fix upload-pot make target for out-of-tree build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix update-translations make target for out-of-tree build
David Woodhouse [Mon, 11 Jun 2012 09:34:19 +0000 (10:34 +0100)]
Fix update-translations make target for out-of-tree build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  OpenSSL: Print name of primary certificate
David Woodhouse [Mon, 11 Jun 2012 09:20:06 +0000 (10:20 +0100)]
OpenSSL: Print name of primary certificate

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  GnuTLS: Print name of primary certificate
David Woodhouse [Mon, 11 Jun 2012 09:14:59 +0000 (10:14 +0100)]
GnuTLS: Print name of primary certificate

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Update docs for GnuTLS and PKCS#11 support
David Woodhouse [Mon, 11 Jun 2012 08:24:43 +0000 (09:24 +0100)]
Update docs for GnuTLS and PKCS#11 support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix non-interactive mode
David Woodhouse [Mon, 11 Jun 2012 00:43:38 +0000 (01:43 +0100)]
Fix non-interactive mode

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Portability fixes for Solaris, *BSD
David Woodhouse [Mon, 11 Jun 2012 00:38:01 +0000 (01:38 +0100)]
Portability fixes for Solaris, *BSD

OpenBSD needs <sys/types.h> to be included before <netinet/in.h>.
Use IPPROTO_TCP not SOL_TCP for getsockopt() level.
Don't attempt to use FreeBSD's TCP_INFO sockopt.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Remove obsolete GnuTLS FIXME comment
David Woodhouse [Mon, 11 Jun 2012 00:00:51 +0000 (01:00 +0100)]
Remove obsolete GnuTLS FIXME comment

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  GnuTLS: Cache token PIN
David Woodhouse [Sun, 10 Jun 2012 23:52:08 +0000 (00:52 +0100)]
GnuTLS: Cache token PIN

Otherwise we get prompted for it about four times in the course of a single
connection, which is going to make users unhappy.

GnuTLS has been fixed not to do it on decent tokens that can have more than
one active session, but on the crap tokens it's still needed.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Set object-type on PKCS#11 URL for key and cert
David Woodhouse [Sun, 10 Jun 2012 23:09:10 +0000 (00:09 +0100)]
Set object-type on PKCS#11 URL for key and cert

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  GnuTLS: Fix build with GnuTLS 2.12 and PKCS#11
David Woodhouse [Sun, 10 Jun 2012 20:15:14 +0000 (21:15 +0100)]
GnuTLS: Fix build with GnuTLS 2.12 and PKCS#11

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  GnuTLS: Fix expiry check and CA chain addition for PKCS#11 certs
David Woodhouse [Sun, 10 Jun 2012 19:52:47 +0000 (20:52 +0100)]
GnuTLS: Fix expiry check and CA chain addition for PKCS#11 certs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Use gnutls_certificate_set_x509_system_trust() where available
David Woodhouse [Sun, 10 Jun 2012 00:01:49 +0000 (01:01 +0100)]
Use gnutls_certificate_set_x509_system_trust() where available

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Cope with SSL key being PKCS#11 but cert from file
David Woodhouse [Sat, 9 Jun 2012 22:26:42 +0000 (23:26 +0100)]
Cope with SSL key being PKCS#11 but cert from file

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Fix error handling when GnuTLS can't open key file
David Woodhouse [Sat, 9 Jun 2012 22:22:54 +0000 (23:22 +0100)]
Fix error handling when GnuTLS can't open key file

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Don't unregister p11-kit PIN callback until vpninfo is finished with
David Woodhouse [Sat, 9 Jun 2012 16:06:09 +0000 (17:06 +0100)]
Don't unregister p11-kit PIN callback until vpninfo is finished with

Unregistering in openconnect_close_https() meant that when we reconnect to
the server, we lose the PIN callback. And then when we connect again, if
GnuTLS is asking us for the PIN on every attempt to touch the key, we fail
because there's no PIN handler.

So add a 'final' flag to openconnect_close_https(). Use this to clean up
library.c::openconnect_close_https() a little, too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Import updated gnutls_pkcs12_simple_parse() from GnuTLS
David Woodhouse [Sat, 9 Jun 2012 15:50:58 +0000 (16:50 +0100)]
Import updated gnutls_pkcs12_simple_parse() from GnuTLS

Changes corresponding to commit 6c82bf34 in GnuTLS master, imported with
permission from Nikos to use under LGPLv2.1.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Use X-DTLS-MTU response from server as well as X-CSTP-MTU
David Woodhouse [Fri, 8 Jun 2012 22:47:45 +0000 (23:47 +0100)]
Use X-DTLS-MTU response from server as well as X-CSTP-MTU

Currently we take a very naïve approach: we just use the higher of the
two. Normally the DTLS MTU will be larger. Theoretically, perhaps we
ought to actually change the MTU of the interface according to whether
DTLS is currently connected or not? That seems cumbersome, and is almost
impossible if we aren't running as root.

So what *should* we do with packets which are "too big" for the CSTP
MTU, if they arrive while DTLS is down? Drop them? And try to fake an
ICMP "too big" or "fragmentation needed" response? Fragment them? Please
$DEITY no. The sanest thing to do would seem to be just to send them
down the CSTP link even though they'll end up fragmented into more than
one TCP packet.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Update changelog
David Woodhouse [Fri, 8 Jun 2012 16:10:29 +0000 (17:10 +0100)]
Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add $CISCO_SPLIT_DNS environment variable for vpnc-script
David Woodhouse [Fri, 8 Jun 2012 15:10:08 +0000 (16:10 +0100)]
Add $CISCO_SPLIT_DNS environment variable for vpnc-script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add gnutls.c and openssl.c to EXTRA_DIST too
David Woodhouse [Fri, 8 Jun 2012 13:58:20 +0000 (14:58 +0100)]
Add gnutls.c and openssl.c to EXTRA_DIST too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years ago  Add gnutls_pkcs12 to dist
David Woodhouse [Fri, 8 Jun 2012 13:33:35 +0000 (14:33 +0100)]
Add gnutls_pkcs12 to dist

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>