David Woodhouse [Mon, 1 Jun 2009 15:41:42 +0000 (16:41 +0100)]
Remove <sys/socket.h> from files which don't use it
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 1 Jun 2009 14:37:41 +0000 (15:37 +0100)]
Revamp certificate/privkey command line handling
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 1 Jun 2009 13:58:53 +0000 (14:58 +0100)]
Clean up detection of TPM vs. PEM certificates
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 1 Jun 2009 13:08:37 +0000 (14:08 +0100)]
Split out load_tpm_certificate()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 1 Jun 2009 13:07:18 +0000 (14:07 +0100)]
Handle detection of PKCS#12 certificates a bit better
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
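As an added example for the two detection commits above (TPM vs. PEM, and PKCS#12): this is not OpenConnect's code, only an illustration of how a loader can sniff the on-disk format before deciding what to do with the file. It assumes PEM starts with a "-----BEGIN " armour line, that the TPM engine's wrapped keys are PEM with the label "TSS KEY BLOB", and that PKCS#12 is bare DER whose outer SEQUENCE opens with the PFX version INTEGER 3. The sample headers are constructed, not real files.

```c
/* Added example, not OpenConnect's code: sniff a certificate/key file's
 * on-disk format before choosing a loader. Assumptions: PEM starts with a
 * "-----BEGIN " armour line, the TPM engine's wrapped keys are PEM with the
 * label "TSS KEY BLOB", and PKCS#12 is bare DER whose outer SEQUENCE opens
 * with the PFX version INTEGER 3. DER certificates (first inner element is
 * a SEQUENCE) and PKCS#1/PKCS#8 keys (version INTEGER 0) therefore do not
 * get misdetected as PKCS#12. */
#include <stdio.h>
#include <string.h>

enum cert_kind { CERT_UNKNOWN = 0, CERT_PEM, CERT_TPM, CERT_PKCS12 };

/* Decode a DER length field at buf[0..n). Returns bytes consumed, 0 on error. */
static size_t der_length(const unsigned char *buf, size_t n, size_t *value)
{
	size_t i, nbytes, v = 0;

	if (n < 1)
		return 0;
	if (buf[0] < 0x80) {
		*value = buf[0];
		return 1;
	}
	nbytes = buf[0] & 0x7f;
	if (nbytes == 0 || nbytes > sizeof(size_t) || n < 1 + nbytes)
		return 0;
	for (i = 0; i < nbytes; i++)
		v = (v << 8) | buf[1 + i];
	*value = v;
	return 1 + nbytes;
}

/* PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe ContentInfo, ... } */
static int looks_like_pkcs12(const unsigned char *buf, size_t n)
{
	size_t len, used;

	if (n < 2 || buf[0] != 0x30)
		return 0;
	used = der_length(buf + 1, n - 1, &len);
	if (!used || len < 3 || n - 1 - used < 3)
		return 0;
	buf += 1 + used;
	return buf[0] == 0x02 && buf[1] == 0x01 && buf[2] == 0x03;
}

enum cert_kind detect_cert_kind(const unsigned char *buf, size_t n)
{
	static const char pem[] = "-----BEGIN ";
	static const char tpm[] = "-----BEGIN TSS KEY BLOB-----";

	/* The TPM label also matches the generic PEM prefix, so test it first. */
	if (n >= strlen(tpm) && !memcmp(buf, tpm, strlen(tpm)))
		return CERT_TPM;
	if (n >= strlen(pem) && !memcmp(buf, pem, strlen(pem)))
		return CERT_PEM;
	if (looks_like_pkcs12(buf, n))
		return CERT_PKCS12;
	return CERT_UNKNOWN;
}

/* Constructed sample headers (only the first bytes of each file type). */
const unsigned char sample_tpm[] = "-----BEGIN TSS KEY BLOB-----\nMIIB...";
const unsigned char sample_pem[] = "-----BEGIN CERTIFICATE-----\nMIIC...";
const unsigned char sample_p12[] = { 0x30, 0x82, 0x0a, 0x1f, 0x02, 0x01, 0x03, 0x30, 0x82 };
const unsigned char sample_x509[] = { 0x30, 0x82, 0x03, 0x5c, 0x30, 0x82, 0x02, 0x44 };
const unsigned char sample_pkcs8[] = { 0x30, 0x82, 0x04, 0xbe, 0x02, 0x01, 0x00, 0x30, 0x0d };

int main(void)
{
	static const char *names[] = { "unknown", "PEM", "TPM key blob", "PKCS#12" };

	printf("tpm:   %s\n", names[detect_cert_kind(sample_tpm, sizeof(sample_tpm) - 1)]);
	printf("pem:   %s\n", names[detect_cert_kind(sample_pem, sizeof(sample_pem) - 1)]);
	printf("p12:   %s\n", names[detect_cert_kind(sample_p12, sizeof(sample_p12))]);
	printf("x509:  %s\n", names[detect_cert_kind(sample_x509, sizeof(sample_x509))]);
	printf("pkcs8: %s\n", names[detect_cert_kind(sample_pkcs8, sizeof(sample_pkcs8))]);
	return 0;
}
```

A truncated buffer (fewer bytes than the DER length field needs) is reported as unknown rather than guessed at, so the caller reads a bounded prefix and only then picks a loader.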
David Woodhouse [Mon, 1 Jun 2009 00:14:50 +0000 (01:14 +0100)]
changelog update
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 1 Jun 2009 00:14:02 +0000 (01:14 +0100)]
Use correct get_issuer() function
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 31 May 2009 21:18:43 +0000 (22:18 +0100)]
Ask for PKCS#12 passphrase if we need it
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 31 May 2009 20:39:09 +0000 (21:39 +0100)]
Only use issuer certificate if X509_STORE_CTX_get1_issuer() succeeded.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 31 May 2009 19:00:16 +0000 (20:00 +0100)]
Work around OpenSSL bug with certificate chains.
This will probably be RT#1942 -- OpenSSL will look up issuer
certificates by name, but there might be more than one certificate in
the trust chain with the same name, and it doesn't make sure it gets the
right one. The server suffers this bug too, which is why the client has
to submit the full trust chain with its own certificate.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
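As an added example for the chain-lookup problem described in the commit message above: this is not OpenConnect's or OpenSSL's code, but a constructed model of a trust store in which a root CA has been re-keyed under the same name. Name-only issuer lookup picks whichever entry comes first; matching the child's Authority Key Identifier against each candidate's Subject Key Identifier picks the right one. All names and key identifiers are made up, and a real implementation would still verify the signature with the chosen issuer's key before trusting the pairing.

```c
/* Added example, not OpenConnect's or OpenSSL's code: why looking up an
 * issuer by name alone picks the wrong certificate when a CA has been
 * re-keyed under the same name, and how pairing the child's Authority Key
 * Identifier with the candidate's Subject Key Identifier avoids it. The
 * certificate records are constructed; a real implementation would also
 * verify the signature with the chosen issuer's key. */
#include <stdio.h>
#include <string.h>

struct cert {
	const char *subject;	/* subject DN */
	const char *issuer;	/* issuer DN */
	const char *skid;	/* Subject Key Identifier (hex, made up) */
	const char *akid;	/* Authority Key Identifier (hex), NULL if absent */
};

/* Constructed trust store: the root was re-keyed, so two entries share one
 * subject name. The intermediate (index 2) was signed by the NEW root key. */
const struct cert store[] = {
	{ "CN=Example Root CA", "CN=Example Root CA", "aa11", NULL },	/* 0: old key */
	{ "CN=Example Root CA", "CN=Example Root CA", "bb22", NULL },	/* 1: new key */
	{ "CN=Example Issuing CA", "CN=Example Root CA", "cc33", "bb22" },	/* 2 */
};
#define STORE_COUNT ((int)(sizeof(store) / sizeof(store[0])))

/* Constructed end-entity certificates. */
const struct cert leaf = { "CN=alice", "CN=Example Issuing CA", "dd44", "cc33" };
const struct cert orphan = { "CN=bob", "CN=Unknown CA", "ee55", "ff66" };
const struct cert stale = { "CN=carol", "CN=Example Root CA", "0099", "0000" };

static int is_self_signed(const struct cert *c)
{
	return !strcmp(c->subject, c->issuer) &&
	       (!c->akid || !strcmp(c->akid, c->skid));
}

/* Name-only lookup, the behaviour the commit message describes: the first
 * store entry whose subject equals the child's issuer name wins. */
int find_issuer_by_name(const struct cert *child)
{
	int i;

	for (i = 0; i < STORE_COUNT; i++)
		if (!strcmp(store[i].subject, child->issuer))
			return i;
	return -1;
}

/* Key-aware lookup: same name, and if the child names its authority's key,
 * the candidate must actually hold that key. */
int find_issuer_by_key(const struct cert *child)
{
	int i;

	for (i = 0; i < STORE_COUNT; i++) {
		if (strcmp(store[i].subject, child->issuer))
			continue;
		if (child->akid && strcmp(store[i].skid, child->akid))
			continue;
		return i;
	}
	return -1;
}

/* Walk from c up to a self-signed certificate using lookup(). Store indices
 * of the issuers found go to out[]; returns their count, or -1 if the chain
 * cannot be completed within max steps. */
int build_chain(const struct cert *c, int (*lookup)(const struct cert *),
		int *out, int max)
{
	int n = 0;

	while (!is_self_signed(c)) {
		int i;

		if (n == max || (i = lookup(c)) < 0)
			return -1;
		out[n++] = i;
		c = &store[i];
	}
	return n;
}

/* Index of the root the walk ends at, or -1 if no complete chain was found. */
int chain_root(const struct cert *c, int (*lookup)(const struct cert *))
{
	int chain[8], n = build_chain(c, lookup, chain, 8);

	return n > 0 ? chain[n - 1] : -1;
}

int main(void)
{
	printf("by name: root index %d (skid %s)\n", chain_root(&leaf, find_issuer_by_name),
	       store[chain_root(&leaf, find_issuer_by_name)].skid);
	printf("by key:  root index %d (skid %s)\n", chain_root(&leaf, find_issuer_by_key),
	       store[chain_root(&leaf, find_issuer_by_key)].skid);
	return 0;
}
```

With the name-only walk the chain ends at the old root (index 0), whose key never signed the intermediate, so signature verification would fail and the connection would be rejected even though the correct root is in the store. That is the failure the commit works around by sending the full chain.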
David Woodhouse [Sun, 31 May 2009 18:38:27 +0000 (19:38 +0100)]
Include only useful certificates from PKCS#12 file
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 31 May 2009 14:33:56 +0000 (15:33 +0100)]
Add PKCS#12 support
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 28 May 2009 19:24:53 +0000 (20:24 +0100)]
Add option to generate PEM passphrase from fsid
This is entirely stupid; some corporations have a policy which requires
that we make some token effort to 'prevent' people from moving
certificates from machine to machine -- even if it's trivially
bypassable.
So they accept idiotic nonsense like the 'non-exportable' flag in the
Windows certificate store (despite the existence of tools like Jailbreak
http://www.isecpartners.com/jailbreak.html) and they accept this stupid
trick to use a passphrase which is taken from the file system's fsid --
on the basis that if you copy the certificate file to another machine,
the fsid will be different and you might actually have to sober up and
spend more than 5 seconds thinking about it before you can use the
copied certificate.
Obviously you lose the protection of a _real_ passphrase, but that was
redundant anyway in the case where they use two-stage authentication and
ask for a RADIUS password after your certificate is accepted.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
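As an added example of the fsid trick described above: this is not OpenConnect's code, only an illustration of deriving a passphrase from the identifier of the filesystem that holds the certificate. It assumes POSIX statvfs() (whose f_fsid is an unsigned long) and a 16-digit lower-case hex rendering; the real option's exact system call and formatting may differ.

```c
/* Added example, not OpenConnect's code: derive a "passphrase" from the fsid
 * of the filesystem holding the certificate. Assumptions: POSIX statvfs()
 * with an unsigned long f_fsid, rendered as 16 lower-case hex digits. */
#include <stdio.h>
#include <string.h>
#include <sys/statvfs.h>

/* Write the fsid-derived passphrase for path into out (NUL-terminated).
 * Returns 0 on success, -1 if the path cannot be stat'ed or out is too small. */
int passphrase_from_fsid(const char *path, char *out, size_t outlen)
{
	struct statvfs st;

	if (statvfs(path, &st) != 0)
		return -1;
	if (snprintf(out, outlen, "%016lx", (unsigned long)st.f_fsid) >= (int)outlen)
		return -1;
	return 0;
}

/* Length of the derived passphrase for path, or -1 on error. */
int fsid_passphrase_length(const char *path)
{
	char buf[32];

	return passphrase_from_fsid(path, buf, sizeof buf) ? -1 : (int)strlen(buf);
}

/* 1 if two paths yield the same passphrase, 0 if not, -1 on error. The value
 * depends only on the filesystem, never on the certificate file itself, and
 * statvfs() needs no privilege: anyone on the original machine can recompute
 * it and supply it to a copied certificate as an ordinary passphrase. */
int same_passphrase(const char *a, const char *b)
{
	char pa[32], pb[32];

	if (passphrase_from_fsid(a, pa, sizeof pa) ||
	    passphrase_from_fsid(b, pb, sizeof pb))
		return -1;
	return strcmp(pa, pb) == 0;
}

int main(int argc, char **argv)
{
	const char *path = argc > 1 ? argv[1] : "/";
	char pass[32];

	if (passphrase_from_fsid(path, pass, sizeof pass)) {
		perror(path);
		return 1;
	}
	printf("%s: %s\n", path, pass);
	return 0;
}
```

Run it against the certificate's directory on the original host and on the host it was copied to: the two strings differ, which is the whole "protection", and either one is obtainable by any local user.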
David Woodhouse [Thu, 28 May 2009 16:09:41 +0000 (17:09 +0100)]
Allow PEM passphrase to be set on command line
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 27 May 2009 12:54:51 +0000 (13:54 +0100)]
Tag version 1.40
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 27 May 2009 12:54:30 +0000 (13:54 +0100)]
update changelog for 1.40
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 27 May 2009 10:38:55 +0000 (11:38 +0100)]
Retry passphrase entry when it's wrong
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 27 May 2009 10:19:50 +0000 (11:19 +0100)]
Report SSL errors through vpninfo->progress()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 27 May 2009 08:41:28 +0000 (09:41 +0100)]
Fix double-free of vpninfo->dtls_cipher
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 26 May 2009 18:00:21 +0000 (19:00 +0100)]
Pass only the signature of the server's cert from NetworkManager.
Since we run openconnect as an unprivileged user, it may not be able to
read the original trust chain and validate the certificate for itself.
But since the auth-dialog has already connected to the server and done
the authentication, it can just give us the known signature for the
certificate the server is using today...
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 26 May 2009 17:59:58 +0000 (18:59 +0100)]
Reconnect after SSL write fails
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 May 2009 12:46:22 +0000 (13:46 +0100)]
Tag version 1.30
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 May 2009 12:46:12 +0000 (13:46 +0100)]
changelog for 1.30 release
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 10 May 2009 23:05:16 +0000 (00:05 +0100)]
Add changelog entry for form saving
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 10 May 2009 09:28:33 +0000 (10:28 +0100)]
Handle dependencies on stuff like gconf/gtk better.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 May 2009 16:45:37 +0000 (17:45 +0100)]
Avoid duplicate form entries, especially in wrong order
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 May 2009 16:16:12 +0000 (17:16 +0100)]
Remember form entries
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 May 2009 15:43:24 +0000 (16:43 +0100)]
Ensure prompt overrides are honoured for default selection
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 May 2009 15:23:48 +0000 (16:23 +0100)]
Use form answers from gconf
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 May 2009 15:14:40 +0000 (16:14 +0100)]
Allow default settings for UI form elements to be set
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 May 2009 15:13:49 +0000 (16:13 +0100)]
Fix default result for combobox
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 May 2009 14:31:09 +0000 (15:31 +0100)]
Import web page into git where it'll be easier to manage.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Sat, 9 May 2009 14:06:08 +0000 (15:06 +0100)]
Fix up TODO list. We seem to have done everything that was in there before.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 May 2009 18:56:06 +0000 (19:56 +0100)]
Tag version 1.20
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 May 2009 18:32:34 +0000 (19:32 +0100)]
Handle parameters in messages
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 May 2009 18:02:51 +0000 (19:02 +0100)]
shift message handling into separate function
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 May 2009 17:55:20 +0000 (18:55 +0100)]
Don't set form->{banner,error,message} if it's empty
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 May 2009 17:46:51 +0000 (18:46 +0100)]
Abort when no login form opts
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 May 2009 17:46:36 +0000 (18:46 +0100)]
Ask user about authentication group
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 7 May 2009 19:48:00 +0000 (20:48 +0100)]
Allow auth group selection to be set on command line
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 7 May 2009 19:32:12 +0000 (20:32 +0100)]
apply configured username/password more selectively
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 May 2009 11:21:24 +0000 (12:21 +0100)]
Fix various bugs in split_{in,ex}clude list handling
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 29 Apr 2009 13:29:42 +0000 (14:29 +0100)]
Expose all CSTP options to script
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 29 Apr 2009 13:04:26 +0000 (14:04 +0100)]
Support proxy autoconfiguration
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 29 Apr 2009 12:54:51 +0000 (13:54 +0100)]
Add processing of Split-Exclude headers from server
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Thomas Wood [Fri, 24 Apr 2009 19:22:33 +0000 (20:22 +0100)]
Add a command line option to continue in background after startup
[dwmw2: Don't add background flag to struct openconnect_info]
Signed-off-by: Thomas Wood <thomas.wood@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 28 Apr 2009 15:18:47 +0000 (16:18 +0100)]
clean up printing of server disconnect message
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 24 Apr 2009 22:27:35 +0000 (23:27 +0100)]
Don't SEGV on empty selection
David Woodhouse [Fri, 24 Apr 2009 15:34:52 +0000 (16:34 +0100)]
Allow user to set DTLS ciphers
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 24 Apr 2009 15:27:17 +0000 (16:27 +0100)]
Handle failure to agree DTLS cipher more gracefully
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 16:32:15 +0000 (17:32 +0100)]
handle login button visibility
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 16:05:09 +0000 (17:05 +0100)]
silence warning about do_override_label func
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 15:56:43 +0000 (16:56 +0100)]
handle label overrides
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 15:22:28 +0000 (16:22 +0100)]
print banner/error/message only if they aren't empty
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 15:21:48 +0000 (16:21 +0100)]
handle select opts in NM UI
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 15:03:49 +0000 (16:03 +0100)]
Start at processing form directly instead of through OpenSSL UI
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 13:20:02 +0000 (14:20 +0100)]
create ssl_box_add_info()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 13:16:42 +0000 (14:16 +0100)]
Don't print banner/error/message when empty
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 13:04:45 +0000 (14:04 +0100)]
Allow automatic vertical resize
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 12:52:26 +0000 (13:52 +0100)]
Allow process_auth_form() to be overridden in vpninfo
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 12:49:37 +0000 (13:49 +0100)]
drop request body args from process_form
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 12:48:10 +0000 (13:48 +0100)]
Add README.DTLS
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 12:27:16 +0000 (13:27 +0100)]
remove 'verbose' variable
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 12:25:58 +0000 (13:25 +0100)]
Clean up openconnect_obtain_cookie() return value
Bring it into line with other things. Zero for success, 1 for
cancellation, and -errno for errors.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 12:17:50 +0000 (13:17 +0100)]
Clean up parse_xml_response() and process_form() return values.
This was a mess; now it's simple. Return values are:
0 when a form has been filled in and needs submitting
1 for user cancellation
2 when the xml indicated that login was already successful
-errno for other errors
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 11:38:49 +0000 (12:38 +0100)]
move form definitions to openconnect.h
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 11:34:24 +0000 (12:34 +0100)]
Move append_form_opts() up to avoid having to declare it first
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 11:17:05 +0000 (12:17 +0100)]
rename form structures, basic documentation on string handling
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 11:12:26 +0000 (12:12 +0100)]
All input types process after user-interaction now
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 10:12:14 +0000 (11:12 +0100)]
Handle choice in append_form_opts() too
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 22 Apr 2009 10:06:39 +0000 (11:06 +0100)]
Move towards building form submission req _after_ processing input
... starting with just the hidden opts...
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 21 Apr 2009 00:29:07 +0000 (01:29 +0100)]
Fix banner/error messages, don't complain about submit/reset inputs
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 21 Apr 2009 00:21:59 +0000 (01:21 +0100)]
Split XML parsing from form handling
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 20 Apr 2009 14:18:54 +0000 (15:18 +0100)]
Move all authentication form handling to auth.c
...in preparation for fixing/rewriting it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 18 Apr 2009 19:51:18 +0000 (20:51 +0100)]
version.c depends on Makefile too
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 18 Apr 2009 19:47:26 +0000 (20:47 +0100)]
Include version.c in tarballs
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 18 Apr 2009 19:20:20 +0000 (20:20 +0100)]
Add '-unknown' tag when git unavailable
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 18 Apr 2009 19:19:57 +0000 (20:19 +0100)]
Fix dependencies for version.c
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 18 Apr 2009 13:26:50 +0000 (14:26 +0100)]
DTLS: Use cipher specified by server, not the one from the TCP connection
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 18 Apr 2009 13:26:08 +0000 (14:26 +0100)]
Detect TCP connection closure; OpenSSL doesn't.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 18 Apr 2009 13:25:35 +0000 (14:25 +0100)]
Use TLSv1, not SSLv23 for TCP connection
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 18 Apr 2009 13:14:54 +0000 (14:14 +0100)]
Allow auth-type choice without authtype, since some people seem to need it
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 9 Apr 2009 16:07:44 +0000 (09:07 -0700)]
Fix description of --tpm-key option in man page too
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Nick Andrew [Thu, 9 Apr 2009 15:23:27 +0000 (01:23 +1000)]
Whitespace cleanups
Remove trailing blanks; put whitespace around operators as
appropriate.
Signed-off-by: Nick Andrew <nick@nick-andrew.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Nick Andrew [Thu, 9 Apr 2009 15:23:26 +0000 (01:23 +1000)]
Correct filename in the script comments
Script was renamed, so show the current name.
Signed-off-by: Nick Andrew <nick@nick-andrew.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Nick Andrew [Thu, 9 Apr 2009 15:23:25 +0000 (01:23 +1000)]
URL no longer exists; here's an alternate
Signed-off-by: Nick Andrew <nick@nick-andrew.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Nick Andrew [Thu, 9 Apr 2009 15:23:24 +0000 (01:23 +1000)]
Improve readability of progress message
"remaining timeout 8s" reads better than "remain timeout 8s".
Signed-off-by: Nick Andrew <nick@nick-andrew.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Nick Andrew [Thu, 9 Apr 2009 15:23:23 +0000 (01:23 +1000)]
Fix a compile warning on fprintf argument
st.st_size is an off_t which should be printed using %ld.
Also add my (C) to openconnect.h
Signed-off-by: Nick Andrew <nick@nick-andrew.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Nick Andrew [Thu, 9 Apr 2009 15:23:22 +0000 (01:23 +1000)]
Fix no-password progress report message
Clarify that the option is '--no-passwd' not 'nopasswd' (which is
the internal name for it).
Signed-off-by: Nick Andrew <nick@nick-andrew.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Nick Andrew [Thu, 9 Apr 2009 15:23:21 +0000 (01:23 +1000)]
Fix description of --tpm-key option
The option name is --tpm-key, not --tpm.
Signed-off-by: Nick Andrew <nick@nick-andrew.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 1 Apr 2009 14:32:32 +0000 (15:32 +0100)]
Tag version 1.10
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 1 Apr 2009 12:14:30 +0000 (13:14 +0100)]
no need to conditionally free urlpath
David Woodhouse [Wed, 1 Apr 2009 12:12:23 +0000 (13:12 +0100)]
Sanify urlpath settings... no longer include leading /
David Woodhouse [Tue, 31 Mar 2009 23:12:54 +0000 (00:12 +0100)]
show autoconnect option
David Woodhouse [Tue, 31 Mar 2009 22:16:24 +0000 (23:16 +0100)]
cope with UserGroup option in XML files, and gateway option.
David Woodhouse [Tue, 31 Mar 2009 21:46:35 +0000 (22:46 +0100)]
Grok UserGroup option in XML file
David Woodhouse [Tue, 31 Mar 2009 21:42:33 +0000 (22:42 +0100)]
remove superfluous debug output
David Woodhouse [Tue, 31 Mar 2009 20:16:04 +0000 (21:16 +0100)]
Add UserGroup option
David Woodhouse [Tue, 31 Mar 2009 20:15:44 +0000 (21:15 +0100)]
Don't free cookies when a redirect sends you back to the same host
David Woodhouse [Tue, 31 Mar 2009 19:57:45 +0000 (20:57 +0100)]
Fix HTTP redirect handling for non-root URLs