David Woodhouse [Sun, 10 Jan 2010 10:12:17 +0000 (10:12 +0000)]
Fix typo in changelog
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 Jan 2010 19:25:47 +0000 (19:25 +0000)]
Update changelog
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 Jan 2010 13:13:15 +0000 (13:13 +0000)]
Fix handling of HTTP 1.0 responses with Connection: Keep-Alive
An HTTP 1.0 response can keepalive and have a Connection-Length: header,
and this is seen in some cases with the initial redirect when we connect
to a VPN server (Red Hat bug #553817). Fix and clean up the response
handling code accordingly.
I _really_ wish I didn't have to write my own HTTP code, and that one of
the available libraries was actually able to support SSL connections
with a certificate from a TPM.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 9 Jan 2010 13:09:48 +0000 (13:09 +0000)]
Be case-insensitive in HTTP fields (and comparing hostname for redirects)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 5 Jan 2010 12:53:35 +0000 (12:53 +0000)]
Check return value from asprintf()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 5 Jan 2010 12:52:38 +0000 (12:52 +0000)]
Check return value from system()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 4 Jan 2010 16:06:59 +0000 (16:06 +0000)]
Tag version 2.20
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 3 Jan 2010 18:28:35 +0000 (18:28 +0000)]
Fix HTTP 1.0 body fetch.
Not that we should ever really see one.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 3 Jan 2010 18:22:40 +0000 (18:22 +0000)]
Fix handling of 'HTTP/1.1 100 Continue' response
When we jump back to 'cont' it needs to fetch the next response line,
not just check the existing contents of the buffer (which will be an
empty line).
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 3 Jan 2010 18:18:53 +0000 (18:18 +0000)]
Really, don't shut down SSL twice
It's the one in redirect handling that needs to check whether the
connection is already closed. The one in process_http_response() can't
possibly happen when the connection is already closed.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 3 Jan 2010 16:34:47 +0000 (16:34 +0000)]
Free host URL after parsing
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 3 Jan 2010 08:37:42 +0000 (08:37 +0000)]
Mention SOCKS support in feature list
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 3 Jan 2010 08:37:26 +0000 (08:37 +0000)]
Clarify that -P argument takes a URL, admit to SOCKS support
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 19:55:44 +0000 (19:55 +0000)]
Clean up libproxy.h and if_tun.h detection for cross-compilation
Looking in /usr/include was silly. This is one thing that autoconf would
help with, but at a cost that I'm not really willing to pay.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 19:43:27 +0000 (19:43 +0000)]
Don't include net/if_tun.h twice on Solaris
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 17:32:02 +0000 (17:32 +0000)]
Remove SOCKS from TODO list
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 14:28:39 +0000 (14:28 +0000)]
Use $https_proxy environment variable, if set.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 14:26:52 +0000 (14:26 +0000)]
Disable libproxy by default
Most people don't need to go through a proxy, but might have one
configured anyway for https because it's harmless. But it's _not_ actually
harmless for openconnect, because it'll prevent DTLS from working. So if
a user really needs proxy support, let them ask for it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 13:33:00 +0000 (13:33 +0000)]
Update changelog
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 14:01:24 +0000 (14:01 +0000)]
Fix up DTLS vs. reconnection address confusion
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 13:17:48 +0000 (13:17 +0000)]
Add SOCKS5 support
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 13:19:02 +0000 (13:19 +0000)]
Fix non-libproxy build
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 11:03:47 +0000 (11:03 +0000)]
Fix use-after-free of UI elements (RH bug #551665)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 00:43:34 +0000 (00:43 +0000)]
Add libproxy support, conditionally
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 2 Jan 2010 00:18:21 +0000 (00:18 +0000)]
Use URL in example command line
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jan 2010 22:54:25 +0000 (22:54 +0000)]
Handle IPv6 literal [] in connection, accept https:// URL for server
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jan 2010 22:12:15 +0000 (22:12 +0000)]
Update copyright years
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jan 2010 22:09:25 +0000 (22:09 +0000)]
Add proxy support (based on Pál Dorogi's version)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jan 2010 17:51:18 +0000 (17:51 +0000)]
Handle IPv6 server correctly when setting $VPNGATEWAY
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jan 2010 10:45:21 +0000 (10:45 +0000)]
Fix various memory leaks, mostly with libxml
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 1 Jan 2010 10:44:41 +0000 (10:44 +0000)]
Don't shut down SSL twice
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 25 Dec 2009 00:40:29 +0000 (00:40 +0000)]
Add parse_url() function, which will be useful for proxies too
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 23 Dec 2009 22:33:10 +0000 (22:33 +0000)]
Clean up redirection, support non-standard port
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 7 Dec 2009 16:40:34 +0000 (16:40 +0000)]
Tag version 2.12
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 7 Dec 2009 16:40:21 +0000 (16:40 +0000)]
Update changelog
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 7 Dec 2009 16:32:40 +0000 (16:32 +0000)]
Reconnect CSTP to the previously-used IP address; don't redo DNS lookup
Some people use a fucking stupid schizoDNS setup where they abuse the
real public domain name "company.com" for internal machines, rather than
using a separate and unambiguous domain like "company.internal".
Some people compound this mistake by having some hosts which don't even
_exist_ in the internal domain, or worse which get different IP
addresses depending on which version of the domain you're in.
So if you're already on the VPN and have configured DNS for it, looking
up "vpnserver.company.com" isn't necessarily such a cunning thing to do.
We're _already_ remembering the IP address of the server, so that DTLS
can use it. Just ensure that it's getting cleared correctly on HTTP
redirects, then use it for HTTP reconnections too.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 7 Dec 2009 16:14:00 +0000 (16:14 +0000)]
Fix buffer overrun in useragent. Use asprintf
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 18 Nov 2009 17:09:30 +0000 (17:09 +0000)]
Try to clean up os-dependent tun handling a bit. Fix OSX IPv6, DragonflyBSD
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 17 Nov 2009 15:01:13 +0000 (15:01 +0000)]
Tag version 2.11
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 17 Nov 2009 12:18:05 +0000 (12:18 +0000)]
Minor web page updates
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 17 Nov 2009 11:34:40 +0000 (11:34 +0000)]
Warn about lack of DTLS compatibility at build time
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 16 Nov 2009 13:20:43 +0000 (13:20 +0000)]
Note that the 2009-11-16 version of Solaris tun/tap driver is required for IPv6
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 13 Nov 2009 16:54:39 +0000 (16:54 +0000)]
Update IPv6 references in documentation
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 13 Nov 2009 16:23:05 +0000 (16:23 +0000)]
Add IPv6 support for FreeBSD
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 11 Nov 2009 00:32:19 +0000 (00:32 +0000)]
Pass IPv6 routes separately from Legacy IP routes
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 9 Nov 2009 12:03:09 +0000 (12:03 +0000)]
Calculate client cert MD5 for CSD with all cert types, when needed
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 9 Nov 2009 10:55:21 +0000 (10:55 +0000)]
Clean up error reporting when cert/key can't be loaded
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 9 Nov 2009 01:46:11 +0000 (01:46 +0000)]
Update note on OpenSSL versions
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 6 Nov 2009 11:26:59 +0000 (11:26 +0000)]
Clean up fsid routines, use asprintf()
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 6 Nov 2009 11:16:22 +0000 (11:16 +0000)]
Check for alloc failure in cookie addition
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 6 Nov 2009 11:16:08 +0000 (11:16 +0000)]
Consolidate http cookie addition
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 5 Nov 2009 12:26:10 +0000 (12:26 +0000)]
Warn when running Linux CSD trojan on non-Linux system
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 4 Nov 2009 09:38:05 +0000 (09:38 +0000)]
Tag version 2.10
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 4 Nov 2009 08:55:26 +0000 (08:55 +0000)]
Web page update
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 4 Nov 2009 07:56:13 +0000 (07:56 +0000)]
Change csd user option name
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 19:25:59 +0000 (19:25 +0000)]
Point to vpnc-scripts repo for Solaris
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 18:51:48 +0000 (18:51 +0000)]
Netmask is optional
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 18:51:15 +0000 (18:51 +0000)]
Set $INTERNAL_IP4_NETMASKLEN and $INTERNAL_IP4_NETADDR correctly.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 16:10:15 +0000 (16:10 +0000)]
Add OpenSolaris support to doc
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 16:07:22 +0000 (16:07 +0000)]
Add tun/tap support for Solaris
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 15:43:25 +0000 (15:43 +0000)]
Move tunnel shutdown into tun.c
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 15:40:05 +0000 (15:40 +0000)]
Fix includes for Solaris
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 15:39:32 +0000 (15:39 +0000)]
Use AI_NUMERICSERV; don't rely on https being in /etc/services. Yay Solaris!
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 15:38:45 +0000 (15:38 +0000)]
Use statvfs() on Solaris
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 3 Nov 2009 15:38:02 +0000 (15:38 +0000)]
Provide local implementation of strcasestr for Solaris
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 2 Nov 2009 12:18:24 +0000 (12:18 +0000)]
Clarify the fact that DTLS support isn't required
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 2 Nov 2009 10:39:46 +0000 (10:39 +0000)]
Documentation updates
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 2 Nov 2009 10:36:20 +0000 (10:36 +0000)]
Enable IPv6
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 2 Nov 2009 10:28:48 +0000 (10:28 +0000)]
Attempt to handle IPv6
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 2 Nov 2009 09:54:51 +0000 (09:54 +0000)]
Kill packet type field; IPv6 and Legacy IP are carried identically
... so there's no need to remember what type of packet it is.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 19 Oct 2009 05:40:31 +0000 (14:40 +0900)]
Change verbosity with SIGUSR[12]
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 19 Oct 2009 02:56:44 +0000 (11:56 +0900)]
Move TCP closure detection to cstp.c, make it reconnect when it happens
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 8 Oct 2009 16:44:21 +0000 (17:44 +0100)]
Handle SIGTERM and disconnect cleanly
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Erik Mouw [Mon, 5 Oct 2009 19:53:05 +0000 (21:53 +0200)]
Add .PHONY target to Makefile
Signed-off-by: Erik Mouw <mouw@nl.linux.org>
Erik Mouw [Mon, 21 Sep 2009 11:40:04 +0000 (13:40 +0200)]
Added target realclean that also removes backup files
Signed-off-by: Erik Mouw <mouw@nl.linux.org>
Erik Mouw [Mon, 21 Sep 2009 10:55:50 +0000 (12:55 +0200)]
Check return value of write(2) and print an error if it fails.
Signed-off-by: Erik Mouw <mouw@nl.linux.org>
Erik Mouw [Mon, 21 Sep 2009 10:47:32 +0000 (12:47 +0200)]
Git should ignore backup files and Emacs temp files
Signed-off-by: Erik Mouw <mouw@nl.linux.org>
Erik Mouw [Mon, 21 Sep 2009 10:45:56 +0000 (12:45 +0200)]
Save errno because fprintf() could overwrite it
Signed-off-by: Erik Mouw <mouw@nl.linux.org>
Erik Mouw [Mon, 21 Sep 2009 10:40:49 +0000 (12:40 +0200)]
open(2) returns a negative value in case of an error
The previous test was !config_fd which fails exactly when most needed
(i.e.: when open(2) actually returns an error). The correct test is to
check for negative return values.
Signed-off-by: Erik Mouw <mouw@nl.linux.org>
David Woodhouse [Sat, 3 Oct 2009 09:54:34 +0000 (10:54 +0100)]
Fix compiler warnings
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 3 Oct 2009 09:54:19 +0000 (10:54 +0100)]
Fix compiler warnings with OpenSSL 1.0.0
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 3 Oct 2009 09:06:49 +0000 (10:06 +0100)]
Update changelog for HEAD, update distro status
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 3 Oct 2009 08:59:25 +0000 (09:59 +0100)]
Fix bye packet length
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 3 Oct 2009 08:50:24 +0000 (09:50 +0100)]
Recognise private keys generated with OpenSSL 1.0.0 (Fedora 12)
These say '-----BEGIN ENCRYPTED PRIVATE KEY-----'.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Adam Piątyszek [Mon, 21 Sep 2009 21:43:41 +0000 (23:43 +0200)]
Require "--setuid-csd=USER" option for servers with CSD functionality.
Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Adam Piątyszek [Thu, 17 Sep 2009 20:08:42 +0000 (22:08 +0200)]
Merge remote branch 'upstream/master'
David Woodhouse [Thu, 17 Sep 2009 12:48:45 +0000 (13:48 +0100)]
Fix disconnect packet
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Adam Piątyszek [Fri, 21 Aug 2009 20:29:38 +0000 (22:29 +0200)]
Provide a list of authors and contributors
Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Adam Piątyszek [Fri, 21 Aug 2009 20:27:59 +0000 (22:27 +0200)]
Drop root privileges during execution of CSD script
A new option "--setuid-csd=USER" is provided, which means that
a separate user can be used for CSD script execution.
Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
David Woodhouse [Thu, 20 Aug 2009 11:10:33 +0000 (12:10 +0100)]
Don't try to do SSL negotiation on a socket which failed to connect
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Antonio Borneo [Fri, 7 Aug 2009 08:43:44 +0000 (10:43 +0200)]
Drop root privileges before running CSD code
This functionallity requires a valid user provided on the command
line with "-U".
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo [Fri, 7 Aug 2009 08:42:31 +0000 (10:42 +0200)]
Fix compile time warning
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Adam Piątyszek [Tue, 4 Aug 2009 20:05:04 +0000 (22:05 +0200)]
Fix Makefile so "make clean" removes nm-openconnect-auth-dialog
Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Adam Piątyszek [Tue, 4 Aug 2009 20:04:00 +0000 (22:04 +0200)]
Update .gitignore (anyconnect -> openconnect)
Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
David Woodhouse [Tue, 4 Aug 2009 19:18:03 +0000 (20:18 +0100)]
Admit --useragent option
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 4 Aug 2009 19:17:26 +0000 (20:17 +0100)]
Admit CSD support
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 4 Aug 2009 19:14:06 +0000 (20:14 +0100)]
Merge branch 'master' of git://git.infradead.org/~ediap/openconnect-csd2
Antonio Borneo [Sun, 2 Aug 2009 18:26:43 +0000 (20:26 +0200)]
Support cookies in a CSD way
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Adam Piątyszek [Sun, 2 Aug 2009 18:24:58 +0000 (20:24 +0200)]
Use common implementation for get_cert_XYZ_fingerprint() functions
Specialized functions get_gert_md5_fingerprint() and
get_cert_sha1_fingerprint() call get_cert_fingerprint() function.
Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Adam Piątyszek [Sun, 2 Aug 2009 17:20:32 +0000 (19:20 +0200)]
Pass MD5 fingerprints of client/server certificates to the CSD script
Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>