David Woodhouse [Thu, 14 Jun 2012 21:22:05 +0000 (22:22 +0100)]
Clean up handling of gnutls_pkcs12.c
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 21:10:16 +0000 (22:10 +0100)]
Fix BER encoding of hash in sign_dummy_data()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 16:02:18 +0000 (17:02 +0100)]
Cope with lack of gnutls_certificate_set_key() in GnuTLS 2.12
We *can* use arbitrary privkeys, by using the cert_callback to provide
them on demand.
And even without gnutls_privkey_import_ext() to give us a constructed
privkey that represents the TPM key, we can cope by registering a
sign_callback on the TLS session.
This means that we can support the TPM, and also fix the lack of extra
supporting certs and expiry check when using PKCS#11 certs with GnuTLS 2.12.
It also means my code is an even bigger mess of #ifdefs than it was before.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 15:00:03 +0000 (16:00 +0100)]
Fix memory leak of TPM key password
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 07:45:16 +0000 (08:45 +0100)]
Fix wording of comment about string handling
The library *will* free them later. Honest! If we say "should", someone
might get confused and think we're saying the *caller* needs to do it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 07:34:11 +0000 (08:34 +0100)]
Document SHA1 buffer requirements more clearly
There's an inconsistency here; openconnect_set_xmlsha1() takes a redundant
'len' arg which serves no purpose except to check that the caller knows
how big a SHA1 is. If it's not 41, we bail.
Next time the soname is getting bumped, I'll add a similar redundant
check to openconnect_get_cert_sha1() too. I should have done that when
it was first converted from an internal function to a public-facing one
in commit
20840ab0. But I didn't, and it's not worth bumping the soname
again right now *just* for that.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 01:14:05 +0000 (02:14 +0100)]
Fix Solaris build, again
I really ought to script a check for this.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 23:55:54 +0000 (00:55 +0100)]
Fix GnuTLS 2.12 library still referencing OpenSSL ERR_print_errors_cb()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 22:55:17 +0000 (23:55 +0100)]
Tag version 3.99
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 22:55:03 +0000 (23:55 +0100)]
Make 'make tag' work out of source tree
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 22:32:53 +0000 (23:32 +0100)]
$CISCO_SPLIT_DNS is separated by commas in vpnc, not spaces
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 22:32:02 +0000 (23:32 +0100)]
Link libopenconnect to trousers, not openconnect
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 21:22:39 +0000 (22:22 +0100)]
Move dtls1_stop_timer() declaration inside the OPENCONNECT_OPENSSL section
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 20:43:20 +0000 (21:43 +0100)]
Update translations from Transifex
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 20:41:42 +0000 (21:41 +0100)]
Fix build with GnuTLS 2.12
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 20:39:27 +0000 (21:39 +0100)]
Allow GUI to distinguish between PIN/passphrase callbacks
The UI may cache user input by form->auth_id, opt->name. But those were
always the same (and auth_id was even NULL for OpenSSL UI callbacks from
the TPM engine), so it wasn't very helpful. Fix it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 19:56:55 +0000 (20:56 +0100)]
Handle TPM keys with their own authentication PIN
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 19:29:08 +0000 (20:29 +0100)]
Give proper error reporting from tpm_sign_fn() TPM operations
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 19:24:19 +0000 (20:24 +0100)]
Try null SRK key (20 bytes of zero) first
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 19:21:30 +0000 (20:21 +0100)]
Fix error exits in GnuTLS load_certificate() function
Having separate 'err' for GnuTLS errno, and 'ret' for the return value, has
caused me to sometimes return without setting 'ret'. Make it uninitialised
to start with, and then the compiler should warn if I 'goto out' again
without setting 'ret'.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 15:38:14 +0000 (16:38 +0100)]
Implement certificate matching for TPM/PKCS#11 privkeys
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 15:30:18 +0000 (16:30 +0100)]
Fix GnuTLS PIN cache leak when only *key* is PKCS#11 and not certificate.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 15:03:06 +0000 (16:03 +0100)]
Remove redundancy in code which 'matches' cert to privkey
Yes, it doesn't *actually* do any matching... yet.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 22:27:42 +0000 (23:27 +0100)]
Add TPM support for GnuTLS
Based on GnuTLS TPM code by Carolin Latze <latze@angry-red-pla.net>
and Tobias Soder.
Like the OpenSSL TPM ENGINE, this only supports a key 'blob' rather than
using keys by UUID. That shouldn't be hard to fix if someone wants it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 11:07:34 +0000 (12:07 +0100)]
Clean up build options printout
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 11:05:50 +0000 (12:05 +0100)]
Fix DTLS fallback to OpenSSL for old GnuTLS
Due to a typo, it wasn't using OpenSSL for DTLS unless you specified
--without-openssl on the configure command line.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 21:59:07 +0000 (22:59 +0100)]
Explicitly check for gnutls_certificate_set_key(), separate it from p11-kit
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:34:45 +0000 (10:34 +0100)]
OpenSSL: Fix leak of cert_x509
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:33:48 +0000 (10:33 +0100)]
OpenSSL: Free BIO leak in reload_pem_cert()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:32:23 +0000 (10:32 +0100)]
OpenSSL: Clean up leaks in TPM ENGINE handling
The key, in the ctx, holds a reference on the engine. We should be dropping
our own.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:31:42 +0000 (10:31 +0100)]
OpenSSL: Fix password memory leaks
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:30:42 +0000 (10:30 +0100)]
Make authentication valgrind-friendly
Not strictly needed to free stuff right before we exit, but it makes it
easier to find leaks in the library code.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:28:40 +0000 (10:28 +0100)]
Fix useragent leak
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 12 Jun 2012 09:28:09 +0000 (10:28 +0100)]
GnuTLS: Fix password memory leaks
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 20:58:02 +0000 (21:58 +0100)]
Add openconnect_has_tss_blob_support()
Turns out this might not be entirely OpenSSL-specific; we should be able
to support it in GnuTLS too.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 18:27:00 +0000 (19:27 +0100)]
Fix const char * warnings in GnuTLS pin_helper on FreeBSD
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 15:18:46 +0000 (16:18 +0100)]
Add --authenticate option
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 13:57:39 +0000 (14:57 +0100)]
Add openconnect_has_pkcs11_support()
Theoretically, the OpenSSL side can (and should) gain PKCS#11 support at
some point. There *is* a PKCS#11 engine, although it seems somewhat unloved.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 13:57:01 +0000 (14:57 +0100)]
Return error from OpenSSL load_certificate() for PKCS#11 URLs
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 13:51:15 +0000 (14:51 +0100)]
Translate build option output
Oops. The whole point in doing it this way with full sentences instead of
crap like ("with%s TPM support", tpm?"":"out") was to ease translation...
and then I forgot to mark the strings translatable :)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:47:24 +0000 (13:47 +0100)]
Make --disable-ipv6 really do it
Previously, it only made us stop *asking* the server for IPv6. If the server
gave us IPv6 addresses anyway on the basis that this is the 21st century and
there's no excuse for pretending otherwise (or, in practice, because my test
server is handing out hard-coded responses without looking at the request),
we were still actually using them.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:42:27 +0000 (13:42 +0100)]
Remove --cert-type option from command line
With the impending v4.00 release and the soname change, this is a good
time to obsolete the --cert-type option. We've been automatically
detecting key types for a *long* time.
Only remove it from the command line for now; the library never exposed
it, but if the GnuTLS cert-loading code ends up being contributed back
to GnuTLS then they might want something similar there. So leave it in
place but unused.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:39:50 +0000 (13:39 +0100)]
Print SSL build options on --version or usage()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:25:58 +0000 (13:25 +0100)]
Allow building against GnuTLS (for TCP) and GnuTLS (for DTLS) simultaneously
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 11:43:36 +0000 (12:43 +0100)]
Remove stray openssl includes
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 09:54:37 +0000 (10:54 +0100)]
Update translations from Transifex
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 09:54:00 +0000 (10:54 +0100)]
Fix upload-pot make target for out-of-tree build
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 09:34:19 +0000 (10:34 +0100)]
Fix update-translations make target for out-of-tree build
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 09:20:06 +0000 (10:20 +0100)]
OpenSSL: Print name of primary certificate
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 09:14:59 +0000 (10:14 +0100)]
GnuTLS: Print name of primary certificate
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 08:24:43 +0000 (09:24 +0100)]
Update docs for GnuTLS and PKCS#11 support
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 00:43:38 +0000 (01:43 +0100)]
Fix non-interactive mode
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 00:38:01 +0000 (01:38 +0100)]
Portability fixes for Solaris, *BSD
OpenBSD needs <sys/types.h> to be included before <netinet/in.h>.
Use IPPROTO_TCP not SOL_TCP for getsockopt() level.
Don't attempt to use FreeBSD's TCP_INFO sockopt.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 00:00:51 +0000 (01:00 +0100)]
Remove obsolete GnuTLS FIXME comment
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 10 Jun 2012 23:52:08 +0000 (00:52 +0100)]
GnuTLS: Cache token PIN
Otherwise we get prompted for it about four times in the course of a single
connection, which is going to make users unhappy.
GnuTLS has been fixed not to do it on decent tokens that can have more than
one active session, but on the crap tokens it's still needed.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 10 Jun 2012 23:09:10 +0000 (00:09 +0100)]
Set object-type on PKCS#11 URL for key and cert
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 10 Jun 2012 20:15:14 +0000 (21:15 +0100)]
GnuTLS: Fix build with GnuTLS 2.12 and PKCS#11
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 10 Jun 2012 19:52:47 +0000 (20:52 +0100)]
GnuTLS: Fix expiry check and CA chain addition for PKCS#11 certs
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 10 Jun 2012 00:01:49 +0000 (01:01 +0100)]
Use gnutls_certificate_set_x509_system_trust() where available
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 Jun 2012 22:26:42 +0000 (23:26 +0100)]
Cope with SSL key being PKCS#11 but cert from file
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 Jun 2012 22:22:54 +0000 (23:22 +0100)]
Fix error handling when GnuTLS can't open key file
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 Jun 2012 16:06:09 +0000 (17:06 +0100)]
Don't unregister p11-kit PIN callback until vpninfo is finished with
Unregistering in openconnect_close_https() meant that when we reconnect to
the server, we lose the PIN callback. And then when we connect again, if
GnuTLS is asking us for the PIN on every attempt to touch the key, we fail
because there's no PIN handler.
So add a 'final' flag to openconnect_close_https(). Use this to clean up
library.c::openconnect_close_https() a little, too.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 Jun 2012 15:50:58 +0000 (16:50 +0100)]
Import updated gnutls_pkcs12_simple_parse() from GnuTLS
Changes corresponding to commit
6c82bf34 in GnuTLS master, imported with
permission from Nikos to use under LGPLv2.1.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 22:47:45 +0000 (23:47 +0100)]
Use X-DTLS-MTU response from server as well as X-CSTP-MTU
Currently we take a very naïve approach: we just use the higher of the
two. Normally the DTLS MTU will be larger. Theoretically, perhaps we
ought to actually change the MTU of the interface according to whether
DTLS is currently connected or not? That seems cumbersome, and is almost
impossible if we aren't running as root.
So what *should* we do with packets which are "too big" for the CSTP
MTU, if they arrive while DTLS is down? Drop them? And try to fake an
ICMP "too big" or "fragmentation needed" response? Fragment them? Please
$DEITY no. The sanest thing to do would seem to be just to send them
down the CSTP link even though they'll end up fragmented into more than
one TCP packet.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 16:10:29 +0000 (17:10 +0100)]
Update changelog
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 15:10:08 +0000 (16:10 +0100)]
Add $CISCO_SPLIT_DNS environment variable for vpnc-script
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 13:58:20 +0000 (14:58 +0100)]
Add gnutls.c and openssl.c to EXTRA_DIST too
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 13:33:35 +0000 (14:33 +0100)]
Add gnutls_pkcs12 to dist
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 13:31:29 +0000 (14:31 +0100)]
Make 'make dist' work for out-of-tree build
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 13:25:15 +0000 (14:25 +0100)]
Set X-CSTP-Base-MTU: for new servers
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 12:54:56 +0000 (13:54 +0100)]
Don't hard-code cipher type in GnuTLS DTLS
Add an array with the two cipher labels (AES128-SHA and DES-CBC3-SHA) that
I've been able to test. The server doesn't seem to accept anything else
that we ask for.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 10:27:57 +0000 (11:27 +0100)]
Fix git-tree deps for version.c in out-of-tree build
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 07:50:30 +0000 (08:50 +0100)]
Fix generation of version.c for out-of-tree builds
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 02:24:03 +0000 (03:24 +0100)]
Change Requires: to Requires.private: in openconnect.pc
There's no need for users of the library to directly link with anything else
that we use.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 02:20:05 +0000 (03:20 +0100)]
Fix cbdata argument to process_auth_form()
I just introduced lots of bugs... oops.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 02:01:39 +0000 (03:01 +0100)]
Kill old openconnect_vpninfo_new()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 01:56:17 +0000 (02:56 +0100)]
Bump library soname to libopenconnect.so.2
With this, the certificates are now an opaque type and callers are not
permitted to access them directly. Take the opportunity to also rename
openconnect_init_openssl() to openconnect_init_ssl().
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 01:34:26 +0000 (02:34 +0100)]
Remove last traces of special UI and PIN handling from main.c
Absolutely everything should now be proxied onto the ->process_auth_form()
function, so there's no need to handle anything directly.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 8 Jun 2012 01:29:49 +0000 (02:29 +0100)]
Use p11-kit for directing PIN request to process_auth_form()
Set a 'pin-source' attribute which identifies the vpninfo structure, and
register a handler which converts it to an auth form for the GUI to process.
If the URI we are given already contains a pin_source then theoretically
we don't override it; we assume the caller knew what they were doing. In
practice, p11_kit_get_pin_source() seems to be returning NULL even when
the attribute *is* set, so we always override it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 7 Jun 2012 22:49:00 +0000 (23:49 +0100)]
Fix GnuTLS PKCS#11 PIN request function
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 7 Jun 2012 17:50:07 +0000 (18:50 +0100)]
GnuTLS now uses gnutls_session_set_premaster()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Mike Miller [Thu, 7 Jun 2012 15:58:30 +0000 (11:58 -0400)]
Show correct path to vpnc-script in the man page
Insert the actual path to vpnc-script that is compiled into the
openconnect executable.
Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 7 Jun 2012 16:39:04 +0000 (17:39 +0100)]
Add UI handling for OpenSSL TPM keys
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 7 Jun 2012 14:13:52 +0000 (15:13 +0100)]
Allow '--with-gnutls' in configure
No need to require '--with-gnutls=shibboleet' any more; we have some
confidence that the GnuTLS support is actually working so we can let
non-hackers discover it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 7 Jun 2012 13:50:10 +0000 (14:50 +0100)]
Add DTLS support for GnuTLS
This requires the patches I just sent to Nikos...
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 7 Jun 2012 13:41:51 +0000 (14:41 +0100)]
Split out OpenSSL_specific start_dtls_handshake() function
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 7 Jun 2012 12:21:07 +0000 (13:21 +0100)]
Check for gnutls_pkcs12_simple_parse() in GnuTLS
Our modifications made it upstream...
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 5 Jun 2012 07:42:15 +0000 (08:42 +0100)]
Use request_passphrase() for OpenSSL PEM files
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 5 Jun 2012 07:41:16 +0000 (08:41 +0100)]
Fix config fetch
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 5 Jun 2012 00:15:10 +0000 (01:15 +0100)]
Fix config_arg handling
The ->cert_password field must always be allocated, and it turns out I never
did fix the keep_config_arg() macro to do the right thing for options from
a file, despite deliberately introducing it for precisely that purpose.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 4 Jun 2012 23:06:32 +0000 (00:06 +0100)]
Use request_passphrase() for OpenSSL PKCS#12
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 4 Jun 2012 22:57:26 +0000 (23:57 +0100)]
Move request_passphrase() to ssl.c
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 4 Jun 2012 15:46:23 +0000 (16:46 +0100)]
Update comment about gnutls_x509_privkey_import_pkcs8() password handling
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jun 2012 18:58:26 +0000 (19:58 +0100)]
Fix FreeBSD tun handling with net.link.tun.devfs_cloning=0
Try to use SIOCIFCREATE to create an interface if it doesn't already exists.
Also try opening /dev/tun to get the next available device, before falling
back to the loop over tun0-tun255.
There is still strangeness here; sometimes the interface doesn't get an
IPv6 link-local address, and the IFDISABLED flag remains set.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jun 2012 15:07:09 +0000 (16:07 +0100)]
Allow interface name to be specified on *BSD
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jun 2012 14:28:04 +0000 (15:28 +0100)]
Fix FreeBSD compile
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jun 2012 13:33:54 +0000 (14:33 +0100)]
OpenSSL: Don't include root CA in the supporting evidence; only intermediates
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jun 2012 12:07:20 +0000 (13:07 +0100)]
GnuTLS: Don't include root CA in the supporting evidence; only intermediates
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jun 2012 12:06:28 +0000 (13:06 +0100)]
GnuTLS: Split logging of additional certs into a separate loop
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jun 2012 02:22:35 +0000 (03:22 +0100)]
Add completely untested PIN callback for GnuTLS
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
projects / platform / upstream / openconnect.git / log