Tiago Vignatti [Sun, 1 Jul 2012 23:03:23 +0000 (02:03 +0300)]
Fix --no-proxy option
A missing break in the case statement meant that --no-proxy would not disable
the proxy at all; it would actually have the same effect as --libproxy.
This bug has been present since the --no-proxy option was first added in
v2.20 (commit 9c6d3f1b). Although it was falling through to the --script
option then.
Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
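The defect described in this commit, a switch case that lacks its `break`, is shown below in a constructed option parser. This is an added illustration, not OpenConnect's code: the option names `--no-proxy`, `--libproxy` and `--script` are the ones the message names, while the `proxy_mode` enum, the `cfg` struct, the `opt_code` values and the sample argv are assumptions made for the demo. Both the buggy and the fixed switch parse the same command line so the difference in outcome is visible.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not OpenConnect's code: a switch-based option parser
 * in which one case lacks its 'break'. The option names mirror the ones in
 * the commit message; the enum values, struct and argv are constructed.
 */
enum proxy_mode { PROXY_DEFAULT = 0, PROXY_NONE, PROXY_LIBPROXY };

struct cfg {
	enum proxy_mode proxy;
	const char *script;   /* value of --script, if given */
	const char *server;   /* first non-option argument */
};

enum opt_code { OPT_NO_PROXY, OPT_LIBPROXY, OPT_SCRIPT, OPT_POSITIONAL };

static enum opt_code opt_lookup(const char *arg)
{
	if (!strcmp(arg, "--no-proxy")) return OPT_NO_PROXY;
	if (!strcmp(arg, "--libproxy")) return OPT_LIBPROXY;
	if (!strcmp(arg, "--script"))   return OPT_SCRIPT;
	return OPT_POSITIONAL;
}

/* Buggy variant: OPT_NO_PROXY has no 'break', so control continues into
 * OPT_LIBPROXY and the second assignment overwrites the first. */
static void apply_buggy(struct cfg *c, enum opt_code o, const char *val)
{
	switch (o) {
	case OPT_NO_PROXY:
		c->proxy = PROXY_NONE;
		/* missing break here */
	case OPT_LIBPROXY:
		c->proxy = PROXY_LIBPROXY;
		break;
	case OPT_SCRIPT:
		c->script = val;
		break;
	case OPT_POSITIONAL:
		c->server = val;
		break;
	}
}

/* Fixed variant: every case ends in 'break'. */
static void apply_fixed(struct cfg *c, enum opt_code o, const char *val)
{
	switch (o) {
	case OPT_NO_PROXY:
		c->proxy = PROXY_NONE;
		break;
	case OPT_LIBPROXY:
		c->proxy = PROXY_LIBPROXY;
		break;
	case OPT_SCRIPT:
		c->script = val;
		break;
	case OPT_POSITIONAL:
		c->server = val;
		break;
	}
}

typedef void (*apply_fn)(struct cfg *, enum opt_code, const char *);

/* Walk argv once; an option that takes a value consumes the next argument. */
static struct cfg parse_args(int argc, const char **argv, apply_fn apply)
{
	struct cfg c = { PROXY_DEFAULT, NULL, NULL };
	for (int i = 1; i < argc; i++) {
		enum opt_code o = opt_lookup(argv[i]);
		const char *val = argv[i];
		if (o == OPT_SCRIPT && i + 1 < argc)
			val = argv[++i];
		apply(&c, o, val);
	}
	return c;
}

/* Constructed command line: the user asked for no proxy at all. */
static const char *demo_argv[] = { "openconnect", "--no-proxy", "vpn.example.com" };
static const int demo_argc = 3;

enum proxy_mode proxy_mode_buggy(void)
{
	return parse_args(demo_argc, demo_argv, apply_buggy).proxy;
}

enum proxy_mode proxy_mode_fixed(void)
{
	return parse_args(demo_argc, demo_argv, apply_fixed).proxy;
}

int main(void)
{
	printf("buggy parser: --no-proxy gives mode %d (PROXY_LIBPROXY is %d)\n",
	       proxy_mode_buggy(), PROXY_LIBPROXY);
	printf("fixed parser: --no-proxy gives mode %d (PROXY_NONE is %d)\n",
	       proxy_mode_fixed(), PROXY_NONE);
	return 0;
}
```

Building with `gcc -Wextra` (which enables `-Wimplicit-fallthrough` on GCC 7 and later) flags the buggy switch at compile time; where a fall-through is intended, a `/* fall through */` comment immediately before the next `case` label silences the warning and documents the intent.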
David Woodhouse [Sun, 1 Jul 2012 21:23:01 +0000 (22:23 +0100)]
Update changelog
It looks like the problematic server wasn't really objecting to SSLv3; it
was the lack of 3DES cipher. It wouldn't accept AES which was the only
thing that GnuTLS was offering.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 30 Jun 2012 00:41:59 +0000 (01:41 +0100)]
Separate requested from received MTU settings
This fixes a bug where an MTU requested with the --mtu option will actually
be set as the interface MTU even if the server replies with a smaller value.
It also fixes reconnect behaviour, by not treating the MTU response from
the server on the original connection as an override for the reconnect.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 29 Jun 2012 23:55:06 +0000 (00:55 +0100)]
Fix GnuTLS DTLS MTU for GnuTLS 3.0.21 and above
The fix in 4.01 (commit c218e2ac) was relying on buggy behaviour of
GnuTLS. It shouldn't have been sufficient just to pass it the *data* MTU
plus 13 and rely on the fact that GnuTLS will happily send packets
larger than that. In fixing GnuTLS MTU handling and adding the new
gnutls_dtls_set_data_mtu() function in 3.0.21, I have broken my own
code. And it serves me right.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 29 Jun 2012 20:17:47 +0000 (21:17 +0100)]
Advertise TLS1.0 not SSL3.0 in GnuTLS ClientHello
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 29 Jun 2012 11:52:41 +0000 (12:52 +0100)]
Remove hard-coded table of ciphers for PEM decryption
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 28 Jun 2012 23:58:34 +0000 (00:58 +0100)]
Improve cipher coverage of OpenSSL encrypted PEM support for GnuTLS
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 28 Jun 2012 14:52:51 +0000 (15:52 +0100)]
Tag version 4.02
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 28 Jun 2012 13:04:36 +0000 (14:04 +0100)]
Fix build failure on systems without GnuTLS v3
Oops. Including header files which are only available in GnuTLS v3 is
probably not cunning, if we're building with OpenSSL or with GnuTLS v2.
Pointed out by Stuart Henderson (thanks).
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 28 Jun 2012 11:46:40 +0000 (12:46 +0100)]
Tag version 4.01
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 27 Jun 2012 22:20:40 +0000 (23:20 +0100)]
Fix DTLS MTU for GnuTLS
GnuTLS defaults to an MTU of 1200 (less the 13-byte overhead), and will
truncate data packets accordingly. We *really* don't want that...
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 27 Jun 2012 18:58:55 +0000 (19:58 +0100)]
Fix SEGV on cstp_reconnect() without deflate
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 26 Jun 2012 14:41:16 +0000 (15:41 +0100)]
Clean up Transifex import some more
Don't let local msgmerge use fuzzy translations either, don't care about
Translation-Team: changing, and use 'diff' so we actually see the changes
(since more often than not they're false positives, so it eases debugging).
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 25 Jun 2012 20:13:35 +0000 (22:13 +0200)]
Fix build on systems without O_CLOEXEC
Reported by Ryan Steinmetz <zi@freebsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Steven Ihde [Sun, 24 Jun 2012 03:49:32 +0000 (20:49 -0700)]
Add source port option for DTLS
Signed-off-by: Steven Ihde <sihde@hamachi.us>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 23 Jun 2012 16:15:07 +0000 (18:15 +0200)]
Update translations from Transifex
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 23 Jun 2012 15:20:42 +0000 (17:20 +0200)]
Transifex import: Reduce churn, and don't forget to add new translations
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 22 Jun 2012 14:17:40 +0000 (15:17 +0100)]
Import translations from GNOME
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 22 Jun 2012 09:56:37 +0000 (10:56 +0100)]
Rebuild openconnect.8 if necessary before openconnect.8.inc
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 22 Jun 2012 09:03:01 +0000 (10:03 +0100)]
Print correct error when /dev/net/tun open fails
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 21 Jun 2012 16:04:23 +0000 (17:04 +0100)]
Don't require zlib in pkgconfig if it was found without it
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 20 Jun 2012 17:01:21 +0000 (18:01 +0100)]
Tag version 4.00
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 20 Jun 2012 13:59:25 +0000 (14:59 +0100)]
Update translations from Transifex
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 20 Jun 2012 13:47:41 +0000 (14:47 +0100)]
Run msgmerge after importing translations from Transifex
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 20 Jun 2012 12:55:30 +0000 (13:55 +0100)]
Add translations that GNOME NetworkManager-openconnect has, that we don't
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 20 Jun 2012 12:34:19 +0000 (13:34 +0100)]
Fix typo in error message
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 19 Jun 2012 16:42:22 +0000 (17:42 +0100)]
Support old-style OpenSSL encrypted PEM keys
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 19 Jun 2012 16:34:41 +0000 (17:34 +0100)]
Fix memory leaks in text-mode process_form_opts
The caller probably won't free the returned answers if we return error,
so do it locally.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 19 Jun 2012 12:37:38 +0000 (13:37 +0100)]
NUL-terminate blobs from Android keystore
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 18 Jun 2012 19:06:36 +0000 (20:06 +0100)]
Fix PKCS#11 cleanup when no SSL certificate is set
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 17 Jun 2012 22:42:53 +0000 (23:42 +0100)]
Add Android keystore support for --cafile
Based on a patch from Vilmos Nebehaj <v.nebehaj@gmail.com>
Signed-off-by: Vilmos Nebehaj <v.nebehaj@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 17 Jun 2012 22:40:41 +0000 (23:40 +0100)]
Add missing includes and libs to Android.mk
I probably shouldn't need to add libc, but it shouldn't hurt either, and I
*do* need it. Otherwise I think my screwed up local build system is using
the wrong one. One day I'll actually get AOSP or Cyanogen to build properly
and I won't have to suffer with this cobbled-together pile of crap that I'm
using...
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 17 Jun 2012 21:02:16 +0000 (22:02 +0100)]
Switch from Android's keystore_get() to our own keystore_fetch()
This gives proper error handling which Android's lacks.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 17 Jun 2012 20:58:02 +0000 (21:58 +0100)]
Fix double-free of BIO in loading cert from keystore
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 17 Jun 2012 01:37:42 +0000 (02:37 +0100)]
Fix fake Android keystore_get() to return -1 on failure
Harmless in this case, but it doesn't hurt to be consistent with Android.
At least, with what Android does when it's *not* buggy... :)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 17 Jun 2012 01:33:43 +0000 (02:33 +0100)]
Fix Android keystore support for older keystore_get.h
This is an "inline" function, in the header file. So it's about the build
environment you use for building openconnect, not the runtime environment.
It was fixed by the following commit in android/frameworks/base:
commit c741a2fe41ea33fc386a4d5b932cc081aa92a18c
Author: Chia-chi Yeh <chiachi@android.com>
Date: Thu Sep 30 15:17:58 2010 +0800
KeyStore: Fix the return value when send() or recv() has an error.
Change-Id: I20a63c76bd29b1a9f8959a6c4fe5a5b8a9a971b4
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 14:06:31 +0000 (15:06 +0100)]
Add trousers to list of optional build deps
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 13:55:56 +0000 (14:55 +0100)]
Add gnutls.h to noinst_HEADERS
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 13:49:06 +0000 (14:49 +0100)]
Remove POTFILES.in from po/ EXTRA_DIST
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 13:48:04 +0000 (14:48 +0100)]
Automatically keep Android.mk in sync with source lists from Makefile.am
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 13:26:26 +0000 (14:26 +0100)]
OpenSSL: Fix recognition of repeated 'wrong passphrase' errors
Without it, we were getting the wrong error if the passphrase was wrong
a second time, and not correctly staying in the retry loop:
Enter PEM pass phrase:
140379913099200:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:536:
Loading private key failed (wrong passphrase?)
Enter PEM pass phrase:
140379913099200:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
Loading private key failed (see above errors)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
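The two error codes quoted in this commit message, 06065064 and 23077074, are OpenSSL 1.0.x packed error codes: 8 bits of library id, 12 bits of function id and 12 bits of reason code. The added example below (not OpenConnect's code) unpacks them, parses the code out of an `ERR_print_errors`-style line, and classifies both as "wrong passphrase" so a caller can stay in its retry loop. The helper names (`err_lib`, `err_reason`, `is_wrong_passphrase`, `parse_err_line`) and the `DEMO_` constants are assumptions for this demo; the constant values are the OpenSSL 1.0.x numbers for `ERR_LIB_EVP`, `ERR_LIB_PKCS12`, `EVP_R_BAD_DECRYPT` and `PKCS12_R_PKCS12_CIPHERFINAL_ERROR`. The sample lines are the two from the log above re-joined onto single lines.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not OpenConnect's code. OpenSSL 1.0.x packs an error
 * code as lib (8 bits) << 24 | func (12 bits) << 12 | reason (12 bits).
 * Real code should use OpenSSL's ERR_GET_LIB() / ERR_GET_REASON() macros
 * rather than unpacking by hand; the bit layout is reproduced here only so
 * the example runs without linking against OpenSSL.
 */
static unsigned int err_lib(unsigned long e)    { return (e >> 24) & 0xffUL; }
static unsigned int err_func(unsigned long e)   { return (e >> 12) & 0xfffUL; }
static unsigned int err_reason(unsigned long e) { return e & 0xfffUL; }

/* OpenSSL 1.0.x values of the constants relevant to a bad passphrase. */
#define DEMO_ERR_LIB_EVP                       6
#define DEMO_ERR_LIB_PKCS12                    35
#define DEMO_EVP_R_BAD_DECRYPT                 100  /* 0x064 */
#define DEMO_PKCS12_R_PKCS12_CIPHERFINAL_ERROR 116  /* 0x074 */

/* A wrong passphrase surfaces as EVP "bad decrypt" for PEM keys and as a
 * PKCS#12 "cipherfinal error" for PKCS#12 files. Both mean "prompt again";
 * matching only one of them is what made the second attempt fall out of
 * the retry loop in the log above. */
int is_wrong_passphrase(unsigned long e)
{
	unsigned int lib = err_lib(e), reason = err_reason(e);

	if (lib == DEMO_ERR_LIB_EVP && reason == DEMO_EVP_R_BAD_DECRYPT)
		return 1;
	if (lib == DEMO_ERR_LIB_PKCS12 &&
	    reason == DEMO_PKCS12_R_PKCS12_CIPHERFINAL_ERROR)
		return 1;
	return 0;
}

/* Pull the hex error code out of a line shaped like
 *   "<thread id>:error:<code>:<lib name>:<func name>:<reason>:<file>:<line>:"
 * Returns 0 if the line does not have that shape. */
unsigned long parse_err_line(const char *line)
{
	const char *p = strstr(line, ":error:");
	if (!p)
		return 0;
	p += strlen(":error:");

	char *end;
	unsigned long code = strtoul(p, &end, 16);
	if (end == p || *end != ':')
		return 0;
	return code;
}

/* The two lines quoted in the commit message, re-joined onto single lines. */
static const char *demo_lines[] = {
	"140379913099200:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:536:",
	"140379913099200:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:",
};

int main(void)
{
	for (size_t i = 0; i < sizeof(demo_lines) / sizeof(demo_lines[0]); i++) {
		unsigned long e = parse_err_line(demo_lines[i]);
		printf("code %08lx: lib=%u func=%u reason=%u -> %s\n",
		       e, err_lib(e), err_func(e), err_reason(e),
		       is_wrong_passphrase(e) ? "wrong passphrase, prompt again"
		                              : "some other failure, give up");
	}
	return 0;
}
```

The classifier deliberately checks the library id together with the reason code: reason numbers are only unique within a library, so a reason value of 116 from some other library must not be mistaken for the PKCS#12 error. OpenSSL 3.0 dropped the function-code field and `ERR_GET_FUNC()`, which is one more reason to go through the library's macros rather than the raw bit layout in production code.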
David Woodhouse [Fri, 15 Jun 2012 13:03:03 +0000 (14:03 +0100)]
Add Android keystore support
Based on a patch from Vilmos Nebehaj <v.nebehaj@gmail.com>
Signed-off-by: Vilmos Nebehaj <v.nebehaj@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 12:45:13 +0000 (13:45 +0100)]
Fix Android build
Well, almost. My local NDK setup still fails to link because libicuuc.so
needs libgabi++.so, and even with that it has undefined references to
mbstowcs and wcstombs. But that's probably a local issue.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 12:43:36 +0000 (13:43 +0100)]
Fix build for OpenSSL without DTLS
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 09:58:40 +0000 (10:58 +0100)]
Clean up feature/index web pages a little
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 09:29:46 +0000 (10:29 +0100)]
Remove separate POTFILES list and build potfile from real sources lists
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 00:03:30 +0000 (01:03 +0100)]
Add gnutls_tpm.c to POTFILES
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 23:56:31 +0000 (00:56 +0100)]
Don't repack extra_certs[] when matching key; just cope with it being sparse
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 23:39:42 +0000 (00:39 +0100)]
Clean up GnuTLS load_certificate() and improve comments
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 22:59:46 +0000 (23:59 +0100)]
Unify assign_privkey() function for GnuTLS 2 and 3
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 22:51:08 +0000 (23:51 +0100)]
Move setting of vpninfo->my_p11key to somewhere tidier
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 22:38:29 +0000 (23:38 +0100)]
Split assign_privkey_gtls2() to separate function
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 22:07:49 +0000 (23:07 +0100)]
Split assign_privkey_gtls3() to separate function
Another step towards a cleaner load_certificate() for GnuTLS.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 21:48:38 +0000 (22:48 +0100)]
Move TPM code out into gnutls_tpm.c
Slightly reduce the #ifdef hell in gnutls.c
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 21:22:05 +0000 (22:22 +0100)]
Clean up handling of gnutls_pkcs12.c
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 21:10:16 +0000 (22:10 +0100)]
Fix BER encoding of hash in sign_dummy_data()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 16:02:18 +0000 (17:02 +0100)]
Cope with lack of gnutls_certificate_set_key() in GnuTLS 2.12
We *can* use arbitrary privkeys, by using the cert_callback to provide
them on demand.
And even without gnutls_privkey_import_ext() to give us a constructed
privkey that represents the TPM key, we can cope by registering a
sign_callback on the TLS session.
This means that we can support the TPM, and also fix the lack of extra
supporting certs and expiry check when using PKCS#11 certs with GnuTLS 2.12.
It also means my code is an even bigger mess of #ifdefs than it was before.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 15:00:03 +0000 (16:00 +0100)]
Fix memory leak of TPM key password
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 07:45:16 +0000 (08:45 +0100)]
Fix wording of comment about string handling
The library *will* free them later. Honest! If we say "should", someone
might get confused and think we're saying the *caller* needs to do it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 07:34:11 +0000 (08:34 +0100)]
Document SHA1 buffer requirements more clearly
There's an inconsistency here; openconnect_set_xmlsha1() takes a redundant
'len' arg which serves no purpose except to check that the caller knows
how big a SHA1 is. If it's not 41, we bail.
Next time the soname is getting bumped, I'll add a similar redundant
check to openconnect_get_cert_sha1() too. I should have done that when
it was first converted from an internal function to a public-facing one
in commit 20840ab0. But I didn't, and it's not worth bumping the soname
again right now *just* for that.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 01:14:05 +0000 (02:14 +0100)]
Fix Solaris build, again
I really ought to script a check for this.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 23:55:54 +0000 (00:55 +0100)]
Fix GnuTLS 2.12 library still referencing OpenSSL ERR_print_errors_cb()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 22:55:17 +0000 (23:55 +0100)]
Tag version 3.99
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 22:55:03 +0000 (23:55 +0100)]
Make 'make tag' work out of source tree
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 22:32:53 +0000 (23:32 +0100)]
$CISCO_SPLIT_DNS is separated by commas in vpnc, not spaces
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 22:32:02 +0000 (23:32 +0100)]
Link libopenconnect to trousers, not openconnect
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 21:22:39 +0000 (22:22 +0100)]
Move dtls1_stop_timer() declaration inside the OPENCONNECT_OPENSSL section
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 20:43:20 +0000 (21:43 +0100)]
Update translations from Transifex
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 20:41:42 +0000 (21:41 +0100)]
Fix build with GnuTLS 2.12
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 20:39:27 +0000 (21:39 +0100)]
Allow GUI to distinguish between PIN/passphrase callbacks
The UI may cache user input by form->auth_id, opt->name. But those were
always the same (and auth_id was even NULL for OpenSSL UI callbacks from
the TPM engine), so it wasn't very helpful. Fix it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 19:56:55 +0000 (20:56 +0100)]
Handle TPM keys with their own authentication PIN
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 19:29:08 +0000 (20:29 +0100)]
Give proper error reporting from tpm_sign_fn() TPM operations
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 19:24:19 +0000 (20:24 +0100)]
Try null SRK key (20 bytes of zero) first
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 19:21:30 +0000 (20:21 +0100)]
Fix error exits in GnuTLS load_certificate() function
Having separate 'err' for GnuTLS errno, and 'ret' for the return value, has
caused me to sometimes return without setting 'ret'. Make it uninitialised
to start with, and then the compiler should warn if I 'goto out' again
without setting 'ret'.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 15:38:14 +0000 (16:38 +0100)]
Implement certificate matching for TPM/PKCS#11 privkeys
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 15:30:18 +0000 (16:30 +0100)]
Fix GnuTLS PIN cache leak when only *key* is PKCS#11 and not certificate.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 15:03:06 +0000 (16:03 +0100)]
Remove redundancy in code which 'matches' cert to privkey
Yes, it doesn't *actually* do any matching... yet.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 22:27:42 +0000 (23:27 +0100)]
Add TPM support for GnuTLS
Based on GnuTLS TPM code by Carolin Latze <latze@angry-red-pla.net>
and Tobias Soder.
Like the OpenSSL TPM ENGINE, this only supports a key 'blob' rather than
using keys by UUID. That shouldn't be hard to fix if someone wants it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 11:07:34 +0000 (12:07 +0100)]
Clean up build options printout
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 11:05:50 +0000 (12:05 +0100)]
Fix DTLS fallback to OpenSSL for old GnuTLS
Due to a typo, it wasn't using OpenSSL for DTLS unless you specified
--without-openssl on the configure command line.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 21:59:07 +0000 (22:59 +0100)]
Explicitly check for gnutls_certificate_set_key(), separate it from p11-kit
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:34:45 +0000 (10:34 +0100)]
OpenSSL: Fix leak of cert_x509
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:33:48 +0000 (10:33 +0100)]
OpenSSL: Free BIO leak in reload_pem_cert()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:32:23 +0000 (10:32 +0100)]
OpenSSL: Clean up leaks in TPM ENGINE handling
The key, in the ctx, holds a reference on the engine. We should be dropping
our own.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:31:42 +0000 (10:31 +0100)]
OpenSSL: Fix password memory leaks
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:30:42 +0000 (10:30 +0100)]
Make authentication valgrind-friendly
Not strictly needed to free stuff right before we exit, but it makes it
easier to find leaks in the library code.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:28:40 +0000 (10:28 +0100)]
Fix useragent leak
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:28:09 +0000 (10:28 +0100)]
GnuTLS: Fix password memory leaks
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 20:58:02 +0000 (21:58 +0100)]
Add openconnect_has_tss_blob_support()
Turns out this might not be entirely OpenSSL-specific; we should be able
to support it in GnuTLS too.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 18:27:00 +0000 (19:27 +0100)]
Fix const char * warnings in GnuTLS pin_helper on FreeBSD
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 15:18:46 +0000 (16:18 +0100)]
Add --authenticate option
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 13:57:39 +0000 (14:57 +0100)]
Add openconnect_has_pkcs11_support()
Theoretically, the OpenSSL side can (and should) gain PKCS#11 support at
some point. There *is* a PKCS#11 engine, although it seems somewhat unloved.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 13:57:01 +0000 (14:57 +0100)]
Return error from OpenSSL load_certificate() for PKCS#11 URLs
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 13:51:15 +0000 (14:51 +0100)]
Translate build option output
Oops. The whole point in doing it this way with full sentences instead of
crap like ("with%s TPM support", tpm?"":"out") was to ease translation...
and then I forgot to mark the strings translatable :)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:47:24 +0000 (13:47 +0100)]
Make --disable-ipv6 really do it
Previously, it only made us stop *asking* the server for IPv6. If the server
gave us IPv6 addresses anyway on the basis that this is the 21st century and
there's no excuse for pretending otherwise (or, in practice, because my test
server is handing out hard-coded responses without looking at the request),
we were still actually using them.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:42:27 +0000 (13:42 +0100)]
Remove --cert-type option from command line
With the impending v4.00 release and the soname change, this is a good
time to obsolete the --cert-type option. We've been automatically
detecting key types for a *long* time.
Only remove it from the command line for now; the library never exposed
it, but if the GnuTLS cert-loading code ends up being contributed back
to GnuTLS then they might want something similar there. So leave it in
place but unused.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:39:50 +0000 (13:39 +0100)]
Print SSL build options on --version or usage()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:25:58 +0000 (13:25 +0100)]
Allow building against GnuTLS (for TCP) and GnuTLS (for DTLS) simultaneously
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 11:43:36 +0000 (12:43 +0100)]
Remove stray openssl includes
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 09:54:37 +0000 (10:54 +0100)]
Update translations from Transifex
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>