Admit --useragent option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Admit CSD support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Merge branch 'master' of git://git.infradead.org/~ediap/openconnect-csd2

Support cookies in a CSD way

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>

Use common implementation for get_cert_XYZ_fingerprint() functions

Specialized functions get_gert_md5_fingerprint() and
get_cert_sha1_fingerprint() call get_cert_fingerprint() function.

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>

Pass MD5 fingerprints of client/server certificates to the CSD script

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>

Code refactoring (get_cert_fingerprint -> get_cert_sha1_fingerprint)

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>

Minor fixes of quotation marks in CSD script arguments

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>

Fix most arguments to csd script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

quick hack to handle refresh

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix double free of stuburl

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use redirect handling for form action and csd

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Delete CSD script after authentication, use CSD only once

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

fix csd script running

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove leading '/' from csd_stuburl and csd_waiturl strings

This was necessary, because of connection errors when using:
"xxx.yyy.com//CACHE/sdesktop/install/binaries/sfinst"
FIXME: this should be implemented in a more generic way!

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>

Do not overwrite the csd_token and csd_ticket strings

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>

Double the buffer size to 128KB

The downloaded CSD package has almost 69KB, so 64KB was not enough.

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>

Fix default useragent string

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Select User-Agent field

Cisco device logs User-Agent: string, as explained in
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/release/notes/anyconnect23rn.html#wp908512
This patch let you change OpenConnect default User-Agent: string from
command line.

e.g. --useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133'

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

First attempt at CSD support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Allow parse_xml_response to redirect

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add mailing list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.01

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't clear vpninfo->dtls_cipher on CSTP reconnect

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't free certs while building chain

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix install target

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Mention FreeBSD port

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Give up permanently when no DTLS cipher; don't keep complaining

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't add duplicate certs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use SSL_CTX_use_certificate_chain_file() to load extra certs too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.00

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update web page with tag

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add missing </LI> tags to changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix documentation for --servercert option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up Makefile detection of gtk/gconf, check for openssl includes

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up warning seen on MacOS build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix printf format for st_size

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove GNUism from Makefile by printing new version in version.sh

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up version.sh

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove bashisms from version.sh

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Grab focus on first widget which needs entry in the form

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Abort if certificate load fails, rather than continuing anyway

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Only save form entries if not cancelled.. and if they're non-NULL

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use fingerprint for comparing certificates, not signature

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

update compatibility notes

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

changelog update

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

More OpenSSL-0.9.7 compatibility

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up certificate purpose workaround

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Build against old OpenSSL without DTLS support (OSX, OpenBSD)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Include <arpa/inet.h> for ntohl()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Include appropriate headers for statfs() on FreeBSD and OSX

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Discard all but Legacy IP packets on VPN transmit

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Weird tun prefix is only OpenBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle tun prefixing with AF_INET on BSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Builds on OpenBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix FSID handling on *BSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Link libcrypto

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add another missing <string.h>

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Move ifr declaration inside Linux-only block

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Include <string.h> where needed

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

fix size_t printf format

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

No need for bash

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Include ctype.h for isspace()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

More include file fixes for OpenBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove <sys/socket.h> from files which don't use it

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Revamp certificate/privkey command line handling

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up detection of TPM vs. PEM certificates

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Split out load_tpm_certificate()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle detection of PKCS#12 certificates a bit better

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

changelog update

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use correct get_issuer() function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Ask for PKCS#12 passphrase if we need it

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Only use issuer certificate if X509_STORE_CTX_get1_issuer() succeeded.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Work around OpenSSL bug with certificate chains.

This will probably be RT#1942 -- OpenSSL will look up issuer
certificates by name, but there might be more than one certificate in
the trust chain with the same name, and it doesn't make sure it gets the
right one. The server suffers this bug too, which is why the client has
to submit the full trust chain with its own certificate.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Include only useful certificates from PKCS#12 file

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add PKCS#12 support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add option to generate PEM passphrase from fsid

This is entirely stupid; some corporations have a policy which requires
that we make some token effort to 'prevent' people from moving
certificates from machine to machine -- even if it's trivially
bypassable.

So they accept idiotic nonsense like the 'non-exportable' flag in the
Windows certificate store (despite the existence of tools like Jailbreak
http://www.isecpartners.com/jailbreak.html) and they accept this stupid
trick to use a passphrase which is taken from the file system's fsid --
on the basis that if you copy the certificate file to another machine,
the fsid will be different and you might actually have to sober up and
spend more than 5 seconds thinking about it before you can use the
copied certificate.

Obviously you lose the protection of a _real_ passphrase, but that was
redundant anyway in the case where they use two-stage authentication and
ask for a RADIUS password after your certificate is accepted.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Allow PEM passphrase to be set on command line

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 1.40

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

update changelog for 1.40

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Retry passphrase entry when it's wrong

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Report SSL errors through vpninfo->progress()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix double-free of vpninfo->dtls_cipher

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pass only the signature of the server's cert from NetworkManager.

Since we run openconnect as an unprivileged user, it may not be able to
read the original trust chain and validate the certificate for itself.
But since the auth-dialog has already connected to the server and done
the authentication, it can just give us the known signature for the
certificate the server is using today...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Reconnect after SSL write fails

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 1.30

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

changelog for 1.30 release

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add changelog entry for form saving

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle dependencies on stuff like gconf/gtk better.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Avoid duplicate form entries, especially in wrong order

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remember form entries

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Ensure prompt overrides are honoured for default selection

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use form answers from gconf

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Allow default settings for UI form elements to be set

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix default result for combobox

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import web page into git where it'll be easier to manage.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Fix up TODO list. We seem to have done everything that was in there before.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 1.20

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>