platform/upstream/openconnect.git
12 years agoFix upload-pot make target for out-of-tree build
David Woodhouse [Mon, 11 Jun 2012 09:54:00 +0000 (10:54 +0100)]
Fix upload-pot make target for out-of-tree build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix update-translations make target for out-of-tree build
David Woodhouse [Mon, 11 Jun 2012 09:34:19 +0000 (10:34 +0100)]
Fix update-translations make target for out-of-tree build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoOpenSSL: Print name of primary certificate
David Woodhouse [Mon, 11 Jun 2012 09:20:06 +0000 (10:20 +0100)]
OpenSSL: Print name of primary certificate

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Print name of primary certificate
David Woodhouse [Mon, 11 Jun 2012 09:14:59 +0000 (10:14 +0100)]
GnuTLS: Print name of primary certificate

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate docs for GnuTLS and PKCS#11 support
David Woodhouse [Mon, 11 Jun 2012 08:24:43 +0000 (09:24 +0100)]
Update docs for GnuTLS and PKCS#11 support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix non-interactive mode
David Woodhouse [Mon, 11 Jun 2012 00:43:38 +0000 (01:43 +0100)]
Fix non-interactive mode

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoPortability fixes for Solaris, *BSD
David Woodhouse [Mon, 11 Jun 2012 00:38:01 +0000 (01:38 +0100)]
Portability fixes for Solaris, *BSD

OpenBSD needs <sys/types.h> to be included before <netinet/in.h>.
Use IPPROTO_TCP not SOL_TCP for getsockopt() level.
Don't attempt to use FreeBSD's TCP_INFO sockopt.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove obsolete GnuTLS FIXME comment
David Woodhouse [Mon, 11 Jun 2012 00:00:51 +0000 (01:00 +0100)]
Remove obsolete GnuTLS FIXME comment

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Cache token PIN
David Woodhouse [Sun, 10 Jun 2012 23:52:08 +0000 (00:52 +0100)]
GnuTLS: Cache token PIN

Otherwise we get prompted for it about four times in the course of a single
connection, which is going to make users unhappy.

GnuTLS has been fixed not to do it on decent tokens that can have more than
one active session, but on the crap tokens it's still needed.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoSet object-type on PKCS#11 URL for key and cert
David Woodhouse [Sun, 10 Jun 2012 23:09:10 +0000 (00:09 +0100)]
Set object-type on PKCS#11 URL for key and cert

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Fix build with GnuTLS 2.12 and PKCS#11
David Woodhouse [Sun, 10 Jun 2012 20:15:14 +0000 (21:15 +0100)]
GnuTLS: Fix build with GnuTLS 2.12 and PKCS#11

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Fix expiry check and CA chain addition for PKCS#11 certs
David Woodhouse [Sun, 10 Jun 2012 19:52:47 +0000 (20:52 +0100)]
GnuTLS: Fix expiry check and CA chain addition for PKCS#11 certs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUse gnutls_certificate_set_x509_system_trust() where available
David Woodhouse [Sun, 10 Jun 2012 00:01:49 +0000 (01:01 +0100)]
Use gnutls_certificate_set_x509_system_trust() where available

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoCope with SSL key being PKCS#11 but cert from file
David Woodhouse [Sat, 9 Jun 2012 22:26:42 +0000 (23:26 +0100)]
Cope with SSL key being PKCS#11 but cert from file

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix error handling when GnuTLS can't open key file
David Woodhouse [Sat, 9 Jun 2012 22:22:54 +0000 (23:22 +0100)]
Fix error handling when GnuTLS can't open key file

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoDon't unregister p11-kit PIN callback until vpninfo is finished with
David Woodhouse [Sat, 9 Jun 2012 16:06:09 +0000 (17:06 +0100)]
Don't unregister p11-kit PIN callback until vpninfo is finished with

Unregistering in openconnect_close_https() meant that when we reconnect to
the server, we lose the PIN callback. And then when we connect again, if
GnuTLS is asking us for the PIN on every attempt to touch the key, we fail
because there's no PIN handler.

So add a 'final' flag to openconnect_close_https(). Use this to clean up
library.c::openconnect_close_https() a little, too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoImport updated gnutls_pkcs12_simple_parse() from GnuTLS
David Woodhouse [Sat, 9 Jun 2012 15:50:58 +0000 (16:50 +0100)]
Import updated gnutls_pkcs12_simple_parse() from GnuTLS

Changes corresponding to commit 6c82bf34 in GnuTLS master, imported with
permission from Nikos to use under LGPLv2.1.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUse X-DTLS-MTU response from server as well as X-CSTP-MTU
David Woodhouse [Fri, 8 Jun 2012 22:47:45 +0000 (23:47 +0100)]
Use X-DTLS-MTU response from server as well as X-CSTP-MTU

Currently we take a very naïve approach: we just use the higher of the
two. Normally the DTLS MTU will be larger. Theoretically, perhaps we
ought to actually change the MTU of the interface according to whether
DTLS is currently connected or not? That seems cumbersome, and is almost
impossible if we aren't running as root.

So what *should* we do with packets which are "too big" for the CSTP
MTU, if they arrive while DTLS is down? Drop them? And try to fake an
ICMP "too big" or "fragmentation needed" response? Fragment them? Please
$DEITY no. The sanest thing to do would seem to be just to send them
down the CSTP link even though they'll end up fragmented into more than
one TCP packet.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate changelog
David Woodhouse [Fri, 8 Jun 2012 16:10:29 +0000 (17:10 +0100)]
Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd $CISCO_SPLIT_DNS environment variable for vpnc-script
David Woodhouse [Fri, 8 Jun 2012 15:10:08 +0000 (16:10 +0100)]
Add $CISCO_SPLIT_DNS environment variable for vpnc-script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd gnutls.c and openssl.c to EXTRA_DIST too
David Woodhouse [Fri, 8 Jun 2012 13:58:20 +0000 (14:58 +0100)]
Add gnutls.c and openssl.c to EXTRA_DIST too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd gnutls_pkcs12 to dist
David Woodhouse [Fri, 8 Jun 2012 13:33:35 +0000 (14:33 +0100)]
Add gnutls_pkcs12 to dist

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMake 'make dist' work for out-of-tree build
David Woodhouse [Fri, 8 Jun 2012 13:31:29 +0000 (14:31 +0100)]
Make 'make dist' work for out-of-tree build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoSet X-CSTP-Base-MTU: for new servers
David Woodhouse [Fri, 8 Jun 2012 13:25:15 +0000 (14:25 +0100)]
Set X-CSTP-Base-MTU: for new servers

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoDon't hard-code cipher type in GnuTLS DTLS
David Woodhouse [Fri, 8 Jun 2012 12:54:56 +0000 (13:54 +0100)]
Don't hard-code cipher type in GnuTLS DTLS

Add an array with the two cipher labels (AES128-SHA and DES-CBC3-SHA) that
I've been able to test. The server doesn't seem to accept anything else
that we ask for.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix git-tree deps for version.c in out-of-tree build
David Woodhouse [Fri, 8 Jun 2012 10:27:57 +0000 (11:27 +0100)]
Fix git-tree deps for version.c in out-of-tree build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix generation of version.c for out-of-tree builds
David Woodhouse [Fri, 8 Jun 2012 07:50:30 +0000 (08:50 +0100)]
Fix generation of version.c for out-of-tree builds

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoChange Requires: to Requires.private: in openconnect.pc
David Woodhouse [Fri, 8 Jun 2012 02:24:03 +0000 (03:24 +0100)]
Change Requires: to Requires.private: in openconnect.pc

There's no need for users of the library to directly link with anything else
that we use.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix cbdata argument to process_auth_form()
David Woodhouse [Fri, 8 Jun 2012 02:20:05 +0000 (03:20 +0100)]
Fix cbdata argument to process_auth_form()

I just introduced lots of bugs... oops.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoKill old openconnect_vpninfo_new()
David Woodhouse [Fri, 8 Jun 2012 02:01:39 +0000 (03:01 +0100)]
Kill old openconnect_vpninfo_new()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoBump library soname to libopenconnect.so.2
David Woodhouse [Fri, 8 Jun 2012 01:56:17 +0000 (02:56 +0100)]
Bump library soname to libopenconnect.so.2

With this, the certificates are now an opaque type and callers are not
permitted to access them directly. Take the opportunity to also rename
openconnect_init_openssl() to openconnect_init_ssl().

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove last traces of special UI and PIN handling from main.c
David Woodhouse [Fri, 8 Jun 2012 01:34:26 +0000 (02:34 +0100)]
Remove last traces of special UI and PIN handling from main.c

Absolutely everything should now be proxied onto the ->process_auth_form()
function, so there's no need to handle anything directly.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUse p11-kit for directing PIN request to process_auth_form()
David Woodhouse [Fri, 8 Jun 2012 01:29:49 +0000 (02:29 +0100)]
Use p11-kit for directing PIN request to process_auth_form()

Set a 'pin-source' attribute which identifies the vpninfo structure, and
register a handler which converts it to an auth form for the GUI to process.

If the URI we are given already contains a pin_source then theoretically
we don't override it; we assume the caller knew what they were doing. In
practice, p11_kit_get_pin_source() seems to be returning NULL even when
the attribute *is* set, so we always override it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix GnuTLS PKCS#11 PIN request function
David Woodhouse [Thu, 7 Jun 2012 22:49:00 +0000 (23:49 +0100)]
Fix GnuTLS PKCS#11 PIN request function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS now uses gnutls_session_set_premaster()
David Woodhouse [Thu, 7 Jun 2012 17:50:07 +0000 (18:50 +0100)]
GnuTLS now uses gnutls_session_set_premaster()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoShow correct path to vpnc-script in the man page
Mike Miller [Thu, 7 Jun 2012 15:58:30 +0000 (11:58 -0400)]
Show correct path to vpnc-script in the man page

Insert the actual path to vpnc-script that is compiled into the
openconnect executable.

Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd UI handling for OpenSSL TPM keys
David Woodhouse [Thu, 7 Jun 2012 16:39:04 +0000 (17:39 +0100)]
Add UI handling for OpenSSL TPM keys

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAllow '--with-gnutls' in configure
David Woodhouse [Thu, 7 Jun 2012 14:13:52 +0000 (15:13 +0100)]
Allow '--with-gnutls' in configure

No need to require '--with-gnutls=shibboleet' any more; we have some
confidence that the GnuTLS support is actually working so we can let
non-hackers discover it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd DTLS support for GnuTLS
David Woodhouse [Thu, 7 Jun 2012 13:50:10 +0000 (14:50 +0100)]
Add DTLS support for GnuTLS

This requires the patches I just sent to Nikos...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoSplit out OpenSSL_specific start_dtls_handshake() function
David Woodhouse [Thu, 7 Jun 2012 13:41:51 +0000 (14:41 +0100)]
Split out OpenSSL_specific start_dtls_handshake() function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoCheck for gnutls_pkcs12_simple_parse() in GnuTLS
David Woodhouse [Thu, 7 Jun 2012 12:21:07 +0000 (13:21 +0100)]
Check for gnutls_pkcs12_simple_parse() in GnuTLS

Our modifications made it upstream...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUse request_passphrase() for OpenSSL PEM files
David Woodhouse [Tue, 5 Jun 2012 07:42:15 +0000 (08:42 +0100)]
Use request_passphrase() for OpenSSL PEM files

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix config fetch
David Woodhouse [Tue, 5 Jun 2012 07:41:16 +0000 (08:41 +0100)]
Fix config fetch

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix config_arg handling
David Woodhouse [Tue, 5 Jun 2012 00:15:10 +0000 (01:15 +0100)]
Fix config_arg handling

The ->cert_password field must always be allocated, and it turns out I never
did fix the keep_config_arg() macro to do the right thing for options from
a file, despite deliberately introducing it for precisely that purpose.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUse request_passphrase() for OpenSSL PKCS#12
David Woodhouse [Mon, 4 Jun 2012 23:06:32 +0000 (00:06 +0100)]
Use request_passphrase() for OpenSSL PKCS#12

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMove request_passphrase() to ssl.c
David Woodhouse [Mon, 4 Jun 2012 22:57:26 +0000 (23:57 +0100)]
Move request_passphrase() to ssl.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate comment about gnutls_x509_privkey_import_pkcs8() password handling
David Woodhouse [Mon, 4 Jun 2012 15:46:23 +0000 (16:46 +0100)]
Update comment about gnutls_x509_privkey_import_pkcs8() password handling

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix FreeBSD tun handling with net.link.tun.devfs_cloning=0
David Woodhouse [Fri, 1 Jun 2012 18:58:26 +0000 (19:58 +0100)]
Fix FreeBSD tun handling with net.link.tun.devfs_cloning=0

Try to use SIOCIFCREATE to create an interface if it doesn't already exists.
Also try opening /dev/tun to get the next available device, before falling
back to the loop over tun0-tun255.

There is still strangeness here; sometimes the interface doesn't get an
IPv6 link-local address, and the IFDISABLED flag remains set.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAllow interface name to be specified on *BSD
David Woodhouse [Fri, 1 Jun 2012 15:07:09 +0000 (16:07 +0100)]
Allow interface name to be specified on *BSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix FreeBSD compile
David Woodhouse [Fri, 1 Jun 2012 14:28:04 +0000 (15:28 +0100)]
Fix FreeBSD compile

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoOpenSSL: Don't include root CA in the supporting evidence; only intermediates
David Woodhouse [Fri, 1 Jun 2012 13:33:54 +0000 (14:33 +0100)]
OpenSSL: Don't include root CA in the supporting evidence; only intermediates

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Don't include root CA in the supporting evidence; only intermediates
David Woodhouse [Fri, 1 Jun 2012 12:07:20 +0000 (13:07 +0100)]
GnuTLS: Don't include root CA in the supporting evidence; only intermediates

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Split logging of additional certs into a separate loop
David Woodhouse [Fri, 1 Jun 2012 12:06:28 +0000 (13:06 +0100)]
GnuTLS: Split logging of additional certs into a separate loop

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd completely untested PIN callback for GnuTLS
David Woodhouse [Fri, 1 Jun 2012 02:22:35 +0000 (03:22 +0100)]
Add completely untested PIN callback for GnuTLS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoStop using OpenSSL UI for user interaction
David Woodhouse [Fri, 1 Jun 2012 02:09:18 +0000 (03:09 +0100)]
Stop using OpenSSL UI for user interaction

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoopenconnect_set_xmlsha1() takes a const char *
David Woodhouse [Thu, 31 May 2012 23:10:47 +0000 (00:10 +0100)]
openconnect_set_xmlsha1() takes a const char *

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix GnuTLS request_passphrase() if no UI callback function
David Woodhouse [Thu, 31 May 2012 22:48:08 +0000 (23:48 +0100)]
Fix GnuTLS request_passphrase() if no UI callback function

If it's NULL, don't call it. Also change 'gnutls' to 'ssl' in the auth_id,
since we may end up using this on the OpenSSL side too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoReduce priority of GnuTLS certificate verify failure message to PRG_INFO
David Woodhouse [Thu, 31 May 2012 22:37:26 +0000 (23:37 +0100)]
Reduce priority of GnuTLS certificate verify failure message to PRG_INFO

We don't want to see it in the auth-dialog UI; it's handled explicitly.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoBump API version, advertise get_cert_DER() and get_cert_details() functions
David Woodhouse [Thu, 31 May 2012 22:14:53 +0000 (23:14 +0100)]
Bump API version, advertise get_cert_DER() and get_cert_details() functions

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix GnuTLS select() during handshake
David Woodhouse [Thu, 31 May 2012 22:13:59 +0000 (23:13 +0100)]
Fix GnuTLS select() during handshake

It was using vpninfo->ssl_fd even though that's not set yet.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove stray debug printf
David Woodhouse [Thu, 31 May 2012 21:49:12 +0000 (22:49 +0100)]
Remove stray debug printf

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix build on systems without O_CLOEXEC
David Woodhouse [Thu, 31 May 2012 21:44:30 +0000 (22:44 +0100)]
Fix build on systems without O_CLOEXEC

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMove openconnect_SSL_printf() to ssl.c
David Woodhouse [Thu, 31 May 2012 21:38:43 +0000 (22:38 +0100)]
Move openconnect_SSL_printf() to ssl.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix vpninfo->peer_cert handling for GnuTLS
David Woodhouse [Thu, 31 May 2012 21:11:14 +0000 (22:11 +0100)]
Fix vpninfo->peer_cert handling for GnuTLS

Stash the peer cert in verify_peer() so we can refer to it later.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove duplicate socket connect code from gnutls.c
David Woodhouse [Thu, 31 May 2012 21:03:08 +0000 (22:03 +0100)]
Remove duplicate socket connect code from gnutls.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openssl.c and gnutls.c to POTFILES
David Woodhouse [Thu, 31 May 2012 20:52:08 +0000 (21:52 +0100)]
Add openssl.c and gnutls.c to POTFILES

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd GnuTLS to changelog
David Woodhouse [Thu, 31 May 2012 20:50:19 +0000 (21:50 +0100)]
Add GnuTLS to changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Import more than one certificate from PEM file
David Woodhouse [Thu, 31 May 2012 20:42:32 +0000 (21:42 +0100)]
GnuTLS: Import more than one certificate from PEM file

If the PEM file has extra "supporting" CAs, then import those and use them
too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Load trusted CAs before loading certificate
David Woodhouse [Thu, 31 May 2012 19:14:36 +0000 (20:14 +0100)]
GnuTLS: Load trusted CAs before loading certificate

We'll need them present when we load the certificate, because that's when
we search through them for supporting certs.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove unused workaround_openssl_certchain_bug() function
David Woodhouse [Thu, 31 May 2012 19:12:51 +0000 (20:12 +0100)]
Remove unused workaround_openssl_certchain_bug() function

For GnuTLS, this is done as we load the certificate.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Add supporting certificates from PKCS#12 file
David Woodhouse [Thu, 31 May 2012 18:54:50 +0000 (19:54 +0100)]
GnuTLS: Add supporting certificates from PKCS#12 file

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMake GnuTLS parse_pkcs12() return extra certificates from the PKCS#12 too
David Woodhouse [Thu, 31 May 2012 15:20:14 +0000 (16:20 +0100)]
Make GnuTLS parse_pkcs12() return extra certificates from the PKCS#12 too

Create a separate list, return them for the caller to do with as it sees fit.

This also cleans up the error handling a little. When this was a purely
internal GnuTLS function, it was fine to leave things (like *key) allocated
and return an error. If my intention is to make this exportable, then it
ought to clean up after itself when returning an error.

I think this actually fixes a potential memory leak for the GnuTLS internal
caller of this function, too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoImport pkcs12_parse() function from GnuTLS to fix PKCS#12 handling
David Woodhouse [Thu, 31 May 2012 14:07:31 +0000 (15:07 +0100)]
Import pkcs12_parse() function from GnuTLS to fix PKCS#12 handling

An immediate effect is that this fixes the checking of cert expiry for
PKCS#12 certificates.

But it also means we can include the full supporting chain of
intermediate CAs (which has to be pre-assembled before we ever call
gnutls_certificate_set_x509_key() and can't be appended later), and we
can use the extra certs from the PKCS#12 file too, which parse_pkcs12()
currently doesn't bother to give us.

The plan is to fix parse_pkcs12(), submit the changes back upstream and
make it an exported function there, then stick a version-conditional on
our local copy and look forward to the day when we can rip it out again.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd server certificate validation for GnuTLS
David Woodhouse [Thu, 31 May 2012 12:43:56 +0000 (13:43 +0100)]
Add server certificate validation for GnuTLS

It's broken with trust chains at the moment, at least with GnuTLS
2.12.x, because it looks up issuer certs by *name* and then when it
picks the wrong one the signature unsurprisingly fails. And then it
returns GNUTLS_CERT_INVALID without any specific *reason* for the
failure, which is even more joyful. At least with OpenSSL I can get a
reason string out of it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoClean up GnuTLS PKCS#12 handling a little
David Woodhouse [Thu, 31 May 2012 12:40:32 +0000 (13:40 +0100)]
Clean up GnuTLS PKCS#12 handling a little

Also try other types if gnutls_pkcs12_verify_mac() returns anything other
than GNUTLS_E_MAC_VERIFY_FAILED.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoCheck cert expiry, at least for PEM certs
David Woodhouse [Thu, 31 May 2012 00:39:28 +0000 (01:39 +0100)]
Check cert expiry, at least for PEM certs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd client certificate support for GnuTLS
David Woodhouse [Wed, 30 May 2012 22:47:27 +0000 (23:47 +0100)]
Add client certificate support for GnuTLS

Argh. Why is there not just a function I can call to do this all *for* me?
249 lines of code for this one, which is more than the OpenSSL one I ranted
about at http://www.advogato.org/person/dwmw2/diary/205.html

Oh well, at least the password handling is *slightly* more consistent, if
not entirely so.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoImprove GnuTLS compatibility options
David Woodhouse [Wed, 30 May 2012 16:42:08 +0000 (17:42 +0100)]
Improve GnuTLS compatibility options

TLSv1.0, no safe renegotiation, no padding.

For some reason, large amounts of padding are causing the Intel servers to
kick me off — although gnutls-cli is allowed to use large amounts of padding
with getting disconnected, and I can't see *why* there's a difference.

So there's something else odd going on here, and disabling padding is just
a workaround. I bet I forget about this, and I bet it comes back to bite
me one day. And it'll serve me right for being lazy and not following it
up properly right now. But still, there's plenty more GnuTLS porting work
to be done and I've spent long enough staring at packet traces already
today.

Disable safe renegotiation because we've previously observed that some
servers are behind crappy firewalls that'll block *any* extension.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMake CSTP connection in a single SSL record
David Woodhouse [Wed, 30 May 2012 00:22:16 +0000 (01:22 +0100)]
Make CSTP connection in a single SSL record

By creating a buffer with the request and sending it in a single SSL record,
I roughly halve the amount of time it takes for the round trip from 215ms
to 116ms.

Introduce a buf_append() function to help with processing the buffer, since
I shouldn't just be using sprintf() like other places do. Will fix those
next...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRefuse to build with GnuTLS < 2.12.16
David Woodhouse [Tue, 29 May 2012 23:43:30 +0000 (00:43 +0100)]
Refuse to build with GnuTLS < 2.12.16

We need the fix for gnutls_record_get_direction() or we end up sitting in
select() waiting for a read, when the blockage was actually on a *write*.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd barely functional GnuTLS support
David Woodhouse [Tue, 29 May 2012 22:53:38 +0000 (23:53 +0100)]
Add barely functional GnuTLS support

It has no DTLS, doesn't do any server certificate validation, doesn't
support client certificates and there are odd bugs with it even in the
bits that *are* implemented. But we're getting there...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoIntroduce semi-opaque OPENCONNECT_X509 type in library API
David Woodhouse [Tue, 29 May 2012 15:41:35 +0000 (16:41 +0100)]
Introduce semi-opaque OPENCONNECT_X509 type in library API

We offer functions to do everything that a user might want to do with the
cert, including one that returns it in DER form. The *only* reason this
isn't a completely opaque type is backward-compatibility.

When we change the soname, it'll be opaque. For now, let it actually be
an X509* for OpenSSL or a gnutls_x509_crt_t for GnuTLS.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd SSL library definition to CFLAGS in openconnect.pc
David Woodhouse [Tue, 29 May 2012 15:37:41 +0000 (16:37 +0100)]
Add SSL library definition to CFLAGS in openconnect.pc

If openconnect.h is going to reference this, it needs to be set reliably.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove OpenSSL dependency from http.c
David Woodhouse [Tue, 29 May 2012 15:28:30 +0000 (16:28 +0100)]
Remove OpenSSL dependency from http.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoDisable DTLS for GnuTLS build for now
David Woodhouse [Tue, 29 May 2012 15:03:01 +0000 (16:03 +0100)]
Disable DTLS for GnuTLS build for now

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMove OpenSSL-specific functions from ssl.c to openssl.c
David Woodhouse [Tue, 29 May 2012 15:01:44 +0000 (16:01 +0100)]
Move OpenSSL-specific functions from ssl.c to openssl.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoSplit out connect_https_socket() function from openconnect_open_https()
David Woodhouse [Tue, 29 May 2012 14:43:30 +0000 (15:43 +0100)]
Split out connect_https_socket() function from openconnect_open_https()

This can be used by the GnuTLS version too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_random() function
David Woodhouse [Tue, 29 May 2012 14:29:36 +0000 (15:29 +0100)]
Add openconnect_random() function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_get_cert_DER() function
David Woodhouse [Tue, 29 May 2012 14:17:38 +0000 (15:17 +0100)]
Add openconnect_get_cert_DER() function

This translates a cert into an SSL-library-agnostic form, so that the caller
can then process it using their own choice of tools.

As with the new openconnect_get_cert_details(), this isn't marked as a
public function yet because we anticipate more changes to the API.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoBe more self-sufficient with header inclusions
David Woodhouse [Tue, 29 May 2012 14:11:11 +0000 (15:11 +0100)]
Be more self-sufficient with header inclusions

Don't rely on things that are implicitly included through OpenSSL headers.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMove basic process_auth_form() out to main.c
David Woodhouse [Tue, 29 May 2012 14:01:02 +0000 (15:01 +0100)]
Move basic process_auth_form() out to main.c

There's no need for it to be in the library, and it uses OpenSSL UI.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_sha1() function and use it instead of using OpenSSL directly
David Woodhouse [Tue, 29 May 2012 13:38:38 +0000 (14:38 +0100)]
Add openconnect_sha1() function and use it instead of using OpenSSL directly

This also adds openssl.c that OpenSSL-specific functions will migrate to.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_get_cert_details() function
David Woodhouse [Tue, 29 May 2012 11:55:55 +0000 (12:55 +0100)]
Add openconnect_get_cert_details() function

Another aspect of the certificate handling becomes ssl-library-agnostic.

This is marked OPENCONNECT_PRIVATE for now. It probably *won't* be private,
but there are other changes to come and probably an soname bump, so there's
no point in exporting it for now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMove peer_cert handling to openconnect_open_https()
David Woodhouse [Tue, 29 May 2012 11:33:08 +0000 (12:33 +0100)]
Move peer_cert handling to openconnect_open_https()

There's no real need to do this in openconnect_obtain_cookie(). It doesn't
really matter if we do it for other connections, since any connections we
make *after* obtaining the cookie will be to the same server anyway.

This moves another OpenSSL-specific snippet out of what should be generic
code.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix API major/minor handling for out-of-source-tree build
David Woodhouse [Tue, 29 May 2012 11:31:59 +0000 (12:31 +0100)]
Fix API major/minor handling for out-of-source-tree build

We need to look in ${srcdir}/openconnect.h, not just openconnect.h

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd gnutls support to build system
David Woodhouse [Mon, 28 May 2012 19:02:10 +0000 (20:02 +0100)]
Add gnutls support to build system

Don't get excited; this is *only* in the build system. It won't build at all.
But we have to start somewhere.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUse openconnect_open_https() and openconnect_close_https() better.
David Woodhouse [Mon, 28 May 2012 14:55:19 +0000 (15:55 +0100)]
Use openconnect_open_https() and openconnect_close_https() better.

Use them unconditionally, without checking ->https_ssl first, and use them
in some places instead of open-coding the same thing.

This makes the code slightly more agnostic to the choice of SSL library.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix non-blocking support in fetch_config()
David Woodhouse [Mon, 28 May 2012 14:03:06 +0000 (15:03 +0100)]
Fix non-blocking support in fetch_config()

Rarely likely to matter, but writing the GET request for the config wasn't
coping with -EAGAIN.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMake openconnect_open_https() and openconnect_close_https() more forgiving.
David Woodhouse [Mon, 28 May 2012 13:58:36 +0000 (14:58 +0100)]
Make openconnect_open_https() and openconnect_close_https() more forgiving.

If openconnect_open_https() is called with the connection already open,
return immediate success. Thus, the caller doesn't have to poke at
vpninfo->https_ssl to check it.

And if openconnect_close_https() is called when the connection isn't open,
don't attempt to close/free things that don't exist.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove libopenconnect.map from EXTRA_DIST
Mike Miller [Fri, 18 May 2012 22:58:17 +0000 (18:58 -0400)]
Remove libopenconnect.map from EXTRA_DIST

Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>