Work around OpenSSL SEGV when retrying PKCS#12 passphrase

This seems to have been fixed in OpenSSL 1.0.0-beta2 by
http://cvs.openssl.org/chngview?cn=17957 but still affects 0.9.8n.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add DragonFly BSD too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Document NetBSD support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix NetBSD build.

We need to include <netinet/in.h>, so do that unconditionally. And let
NetBSD use the Solaris code path for fsid handling.

Based on a patch from Pouya D. Tafti.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove gratuitous -ldl from static OpenSSL link command

NetBSD doesn't like it.

Also remove the -lz and add an explicit -lz to LDFLAGS. We use that
directly, so we shouldn't be relying on getting it pulled in indirectly.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Change OpenSSL version number check for const methods to 0.9.9

NetBSD 5.0 ships with an old pre-1.0 snapshot of OpenSSL, which has the
const methods already.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update hardware support list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make some functions static

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update TODO list to reflect current status

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Improve handling of cert passphrase errors

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix purpose workaround to build against OpenSSL 0.9.7

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Move unhex() out of DTLS ifdef, to build with OpenSSL 0.9.7 again

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Include ctype.h for isxdigit()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Forget preconfigured password after one attempt; don't keep retrying.

Without this, we were seeing infinite retries to post the auth form, when
the password was wrong or the required certificate was absent.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use X-CSTP-Banner header to set $CISCO_BANNER

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.23

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --no-http-keepalive option to help work around Cisco incompetence.

We know that certain versions of the ASA software (8.2.2.5 at least) are
buggy and will 'forget' the client's SSL certificate by the time they
receive the second request on a re-used HTTP connection. We have an
unconditional workaround for the case where we _know_ that bug will
trip, in commit 357c85e8 ("Always close HTTP/1.0 connection...").

Cisco's support staff are completely useless and have failed to give any
competent response to the bug report -- so not only does it look like
they won't fix it, but we don't actually know what under _other_
circumstances this same bug might manifest itself.

This patch adds an option to disable _all_ connection re-use. The
intention is that users can try it out if they encounter problems, then
report to the mailing list that it worked so that we can work out how
to trigger it automatically.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix Debian/kFreeBSD build

Debian bug #577004

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update instructions to note that script must be executable

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print notice about lack of DNS and routing if no --script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Change mainloop idle message to look less like 'Did not work'

That can cause confusion if it's misread.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print failing host name when getaddrinfo() fails

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print non-200 HTTP responses even without -v

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix SEGV on 404

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Cope with server certs without SSL_SERVER purpose bit set, with old OpenSSL

We already had a workaround, but it didn't work with OpenSSL < 0.9.8k so
we need to do it differently, by providing our own wrapper around
X509_verify_cert().

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Note DTLS support in 0.9.8m release

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Return error on refusing to run CSD trojan, rather than exiting

This fixes the error handling in the NM auth dialog. Fix the message so that
it doesn't refer to the command-line option, too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add CSD support for NetworkManager auth dialog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle proxy setting in NetworkManager, ignore unnecessary 'authtype'

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.22

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Always close HTTP/1.0 connection, even after Connection: Keep-Alive header.

Some servers seem to fail certificate authentication after the initial
redirect unless you make a new connection. I see no valid reason in the
HTTP spec why we should do this, but it makes things work...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Avoid using vpninfo->ifname before it's set.

Commit 78e461ce2d74d7772578a07785fd96c7b784efae ("Set script environment
earlier...") was broken because we end up trying to set the $TUNDEV
environment variable before vpninfo->ifname has actually been set.

[dwmw2: slightly modified Jørgen's original patch so that we do actually
 set $TUNDEV later, otherwise the script won't work.]

Signed-off-by: Jørgen Wahlberg <jorgen@jaws.no>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Set script environment earlier, so it applies to script_tun too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix build where AI_NUMERICSERV isn't defined (OSX < 1.6)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pass port number to openconnect from NetworkManager.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Accept full urls in nm-auth-dialog

E.g. "<host>:<port>" will now work.

Signed-off-by: Jussi Kukkonen <jku@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of port numbers above 9999

We need to allow 5 digits in the port number, which means 6 characters
including the terminating NUL. The buffer was already big enough, but
the length argument to snprintf() wasn't. Spotted by Charles Bovy (thanks).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle relative redirect and form action

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle allocation failure in HTTP 1.0 loop

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Allocate extra byte for NUL termination after HTTP 1.0 read loop, not in it.

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Free dynamically allocated memory before returning on errors

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use the somewhat misnamed proxy_write() function to write the CSD script

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Dynamically allocate buffer size for downloaded CSD script

Thanks to David for his help in rewriting this patch and to actually
make it work.

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Case-insensitive comparison for server SHA1 fingerprint

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix exit code with --background option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

No strndup() on Solaris. Yay Solaris!

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.21

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix typo in changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of HTTP 1.0 responses with Connection: Keep-Alive

An HTTP 1.0 response can keepalive and have a Connection-Length: header,
and this is seen in some cases with the initial redirect when we connect
to a VPN server (Red Hat bug #553817). Fix and clean up the response
handling code accordingly.

I _really_ wish I didn't have to write my own HTTP code, and that one of
the available libraries was actually able to support SSL connections
with a certificate from a TPM.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Be case-insensitive in HTTP fields (and comparing hostname for redirects)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check return value from asprintf()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check return value from system()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.20

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix HTTP 1.0 body fetch.

Not that we should ever really see one.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of 'HTTP/1.1 100 Continue' response

When we jump back to 'cont' it needs to fetch the next response line,
not just check the existing contents of the buffer (which will be an
empty line).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Really, don't shut down SSL twice

It's the one in redirect handling that needs to check whether the
connection is already closed. The one in process_http_response() can't
possibly happen when the connection is already closed.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Free host URL after parsing

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Mention SOCKS support in feature list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clarify that -P argument takes a URL, admit to SOCKS support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up libproxy.h and if_tun.h detection for cross-compilation

Looking in /usr/include was silly. This is one thing that autoconf would
help with, but at a cost that I'm not really willing to pay.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't include net/if_tun.h twice on Solaris

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove SOCKS from TODO list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use $https_proxy environment variable, if set.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Disable libproxy by default

Most people don't need to go through a proxy, but might have one
configured anyway for https because it's harmless. But it's _not_ actually
harmless for openconnect, because it'll prevent DTLS from working. So if
a user really needs proxy support, let them ask for it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix up DTLS vs. reconnection address confusion

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add SOCKS5 support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix non-libproxy build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix use-after-free of UI elements (RH bug #551665)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add libproxy support, conditionally

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use URL in example command line

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle IPv6 literal [] in connection, accept https:// URL for server

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update copyright years

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add proxy support (based on Pál Dorogi's version)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle IPv6 server correctly when setting $VPNGATEWAY

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix various memory leaks, mostly with libxml

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't shut down SSL twice

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add parse_url() function, which will be useful for proxies too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up redirection, support non-standard port

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.12

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Reconnect CSTP to the previously-used IP address; don't redo DNS lookup

Some people use a fucking stupid schizoDNS setup where they abuse the
real public domain name "company.com" for internal machines, rather than
using a separate and unambiguous domain like "company.internal".

Some people compound this mistake by having some hosts which don't even
_exist_ in the internal domain, or worse which get different IP
addresses depending on which version of the domain you're in.

So if you're already on the VPN and have configured DNS for it, looking
up "vpnserver.company.com" isn't necessarily such a cunning thing to do.
We're _already_ remembering the IP address of the server, so that DTLS
can use it. Just ensure that it's getting cleared correctly on HTTP
redirects, then use it for HTTP reconnections too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix buffer overrun in useragent. Use asprintf

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Try to clean up os-dependent tun handling a bit. Fix OSX IPv6, DragonflyBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.11

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Minor web page updates

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Warn about lack of DTLS compatibility at build time

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Note that the 2009-11-16 version of Solaris tun/tap driver is required for IPv6

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update IPv6 references in documentation

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add IPv6 support for FreeBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pass IPv6 routes separately from Legacy IP routes

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Calculate client cert MD5 for CSD with all cert types, when needed

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up error reporting when cert/key can't be loaded

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update note on OpenSSL versions

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up fsid routines, use asprintf()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>