platform/upstream/openconnect.git
12 years agoFix GnuTLS select() during handshake
David Woodhouse [Thu, 31 May 2012 22:13:59 +0000 (23:13 +0100)]
Fix GnuTLS select() during handshake

It was using vpninfo->ssl_fd even though that's not set yet.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove stray debug printf
David Woodhouse [Thu, 31 May 2012 21:49:12 +0000 (22:49 +0100)]
Remove stray debug printf

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix build on systems without O_CLOEXEC
David Woodhouse [Thu, 31 May 2012 21:44:30 +0000 (22:44 +0100)]
Fix build on systems without O_CLOEXEC

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMove openconnect_SSL_printf() to ssl.c
David Woodhouse [Thu, 31 May 2012 21:38:43 +0000 (22:38 +0100)]
Move openconnect_SSL_printf() to ssl.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix vpninfo->peer_cert handling for GnuTLS
David Woodhouse [Thu, 31 May 2012 21:11:14 +0000 (22:11 +0100)]
Fix vpninfo->peer_cert handling for GnuTLS

Stash the peer cert in verify_peer() so we can refer to it later.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove duplicate socket connect code from gnutls.c
David Woodhouse [Thu, 31 May 2012 21:03:08 +0000 (22:03 +0100)]
Remove duplicate socket connect code from gnutls.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openssl.c and gnutls.c to POTFILES
David Woodhouse [Thu, 31 May 2012 20:52:08 +0000 (21:52 +0100)]
Add openssl.c and gnutls.c to POTFILES

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd GnuTLS to changelog
David Woodhouse [Thu, 31 May 2012 20:50:19 +0000 (21:50 +0100)]
Add GnuTLS to changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Import more than one certificate from PEM file
David Woodhouse [Thu, 31 May 2012 20:42:32 +0000 (21:42 +0100)]
GnuTLS: Import more than one certificate from PEM file

If the PEM file has extra "supporting" CAs, then import those and use them
too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Load trusted CAs before loading certificate
David Woodhouse [Thu, 31 May 2012 19:14:36 +0000 (20:14 +0100)]
GnuTLS: Load trusted CAs before loading certificate

We'll need them present when we load the certificate, because that's when
we search through them for supporting certs.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove unused workaround_openssl_certchain_bug() function
David Woodhouse [Thu, 31 May 2012 19:12:51 +0000 (20:12 +0100)]
Remove unused workaround_openssl_certchain_bug() function

For GnuTLS, this is done as we load the certificate.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoGnuTLS: Add supporting certificates from PKCS#12 file
David Woodhouse [Thu, 31 May 2012 18:54:50 +0000 (19:54 +0100)]
GnuTLS: Add supporting certificates from PKCS#12 file

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMake GnuTLS parse_pkcs12() return extra certificates from the PKCS#12 too
David Woodhouse [Thu, 31 May 2012 15:20:14 +0000 (16:20 +0100)]
Make GnuTLS parse_pkcs12() return extra certificates from the PKCS#12 too

Create a separate list, return them for the caller to do with as it sees fit.

This also cleans up the error handling a little. When this was a purely
internal GnuTLS function, it was fine to leave things (like *key) allocated
and return an error. If my intention is to make this exportable, then it
ought to clean up after itself when returning an error.

I think this actually fixes a potential memory leak for the GnuTLS internal
caller of this function, too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoImport pkcs12_parse() function from GnuTLS to fix PKCS#12 handling
David Woodhouse [Thu, 31 May 2012 14:07:31 +0000 (15:07 +0100)]
Import pkcs12_parse() function from GnuTLS to fix PKCS#12 handling

An immediate effect is that this fixes the checking of cert expiry for
PKCS#12 certificates.

But it also means we can include the full supporting chain of
intermediate CAs (which has to be pre-assembled before we ever call
gnutls_certificate_set_x509_key() and can't be appended later), and we
can use the extra certs from the PKCS#12 file too, which parse_pkcs12()
currently doesn't bother to give us.

The plan is to fix parse_pkcs12(), submit the changes back upstream and
make it an exported function there, then stick a version-conditional on
our local copy and look forward to the day when we can rip it out again.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd server certificate validation for GnuTLS
David Woodhouse [Thu, 31 May 2012 12:43:56 +0000 (13:43 +0100)]
Add server certificate validation for GnuTLS

It's broken with trust chains at the moment, at least with GnuTLS
2.12.x, because it looks up issuer certs by *name* and then when it
picks the wrong one the signature unsurprisingly fails. And then it
returns GNUTLS_CERT_INVALID without any specific *reason* for the
failure, which is even more joyful. At least with OpenSSL I can get a
reason string out of it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoClean up GnuTLS PKCS#12 handling a little
David Woodhouse [Thu, 31 May 2012 12:40:32 +0000 (13:40 +0100)]
Clean up GnuTLS PKCS#12 handling a little

Also try other types if gnutls_pkcs12_verify_mac() returns anything other
than GNUTLS_E_MAC_VERIFY_FAILED.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoCheck cert expiry, at least for PEM certs
David Woodhouse [Thu, 31 May 2012 00:39:28 +0000 (01:39 +0100)]
Check cert expiry, at least for PEM certs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd client certificate support for GnuTLS
David Woodhouse [Wed, 30 May 2012 22:47:27 +0000 (23:47 +0100)]
Add client certificate support for GnuTLS

Argh. Why is there not just a function I can call to do this all *for* me?
249 lines of code for this one, which is more than the OpenSSL one I ranted
about at http://www.advogato.org/person/dwmw2/diary/205.html

Oh well, at least the password handling is *slightly* more consistent, if
not entirely so.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoImprove GnuTLS compatibility options
David Woodhouse [Wed, 30 May 2012 16:42:08 +0000 (17:42 +0100)]
Improve GnuTLS compatibility options

TLSv1.0, no safe renegotiation, no padding.

For some reason, large amounts of padding are causing the Intel servers to
kick me off — although gnutls-cli is allowed to use large amounts of padding
with getting disconnected, and I can't see *why* there's a difference.

So there's something else odd going on here, and disabling padding is just
a workaround. I bet I forget about this, and I bet it comes back to bite
me one day. And it'll serve me right for being lazy and not following it
up properly right now. But still, there's plenty more GnuTLS porting work
to be done and I've spent long enough staring at packet traces already
today.

Disable safe renegotiation because we've previously observed that some
servers are behind crappy firewalls that'll block *any* extension.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMake CSTP connection in a single SSL record
David Woodhouse [Wed, 30 May 2012 00:22:16 +0000 (01:22 +0100)]
Make CSTP connection in a single SSL record

By creating a buffer with the request and sending it in a single SSL record,
I roughly halve the amount of time it takes for the round trip from 215ms
to 116ms.

Introduce a buf_append() function to help with processing the buffer, since
I shouldn't just be using sprintf() like other places do. Will fix those
next...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRefuse to build with GnuTLS < 2.12.16
David Woodhouse [Tue, 29 May 2012 23:43:30 +0000 (00:43 +0100)]
Refuse to build with GnuTLS < 2.12.16

We need the fix for gnutls_record_get_direction() or we end up sitting in
select() waiting for a read, when the blockage was actually on a *write*.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd barely functional GnuTLS support
David Woodhouse [Tue, 29 May 2012 22:53:38 +0000 (23:53 +0100)]
Add barely functional GnuTLS support

It has no DTLS, doesn't do any server certificate validation, doesn't
support client certificates and there are odd bugs with it even in the
bits that *are* implemented. But we're getting there...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoIntroduce semi-opaque OPENCONNECT_X509 type in library API
David Woodhouse [Tue, 29 May 2012 15:41:35 +0000 (16:41 +0100)]
Introduce semi-opaque OPENCONNECT_X509 type in library API

We offer functions to do everything that a user might want to do with the
cert, including one that returns it in DER form. The *only* reason this
isn't a completely opaque type is backward-compatibility.

When we change the soname, it'll be opaque. For now, let it actually be
an X509* for OpenSSL or a gnutls_x509_crt_t for GnuTLS.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd SSL library definition to CFLAGS in openconnect.pc
David Woodhouse [Tue, 29 May 2012 15:37:41 +0000 (16:37 +0100)]
Add SSL library definition to CFLAGS in openconnect.pc

If openconnect.h is going to reference this, it needs to be set reliably.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove OpenSSL dependency from http.c
David Woodhouse [Tue, 29 May 2012 15:28:30 +0000 (16:28 +0100)]
Remove OpenSSL dependency from http.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoDisable DTLS for GnuTLS build for now
David Woodhouse [Tue, 29 May 2012 15:03:01 +0000 (16:03 +0100)]
Disable DTLS for GnuTLS build for now

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMove OpenSSL-specific functions from ssl.c to openssl.c
David Woodhouse [Tue, 29 May 2012 15:01:44 +0000 (16:01 +0100)]
Move OpenSSL-specific functions from ssl.c to openssl.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoSplit out connect_https_socket() function from openconnect_open_https()
David Woodhouse [Tue, 29 May 2012 14:43:30 +0000 (15:43 +0100)]
Split out connect_https_socket() function from openconnect_open_https()

This can be used by the GnuTLS version too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_random() function
David Woodhouse [Tue, 29 May 2012 14:29:36 +0000 (15:29 +0100)]
Add openconnect_random() function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_get_cert_DER() function
David Woodhouse [Tue, 29 May 2012 14:17:38 +0000 (15:17 +0100)]
Add openconnect_get_cert_DER() function

This translates a cert into an SSL-library-agnostic form, so that the caller
can then process it using their own choice of tools.

As with the new openconnect_get_cert_details(), this isn't marked as a
public function yet because we anticipate more changes to the API.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoBe more self-sufficient with header inclusions
David Woodhouse [Tue, 29 May 2012 14:11:11 +0000 (15:11 +0100)]
Be more self-sufficient with header inclusions

Don't rely on things that are implicitly included through OpenSSL headers.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMove basic process_auth_form() out to main.c
David Woodhouse [Tue, 29 May 2012 14:01:02 +0000 (15:01 +0100)]
Move basic process_auth_form() out to main.c

There's no need for it to be in the library, and it uses OpenSSL UI.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_sha1() function and use it instead of using OpenSSL directly
David Woodhouse [Tue, 29 May 2012 13:38:38 +0000 (14:38 +0100)]
Add openconnect_sha1() function and use it instead of using OpenSSL directly

This also adds openssl.c that OpenSSL-specific functions will migrate to.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_get_cert_details() function
David Woodhouse [Tue, 29 May 2012 11:55:55 +0000 (12:55 +0100)]
Add openconnect_get_cert_details() function

Another aspect of the certificate handling becomes ssl-library-agnostic.

This is marked OPENCONNECT_PRIVATE for now. It probably *won't* be private,
but there are other changes to come and probably an soname bump, so there's
no point in exporting it for now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMove peer_cert handling to openconnect_open_https()
David Woodhouse [Tue, 29 May 2012 11:33:08 +0000 (12:33 +0100)]
Move peer_cert handling to openconnect_open_https()

There's no real need to do this in openconnect_obtain_cookie(). It doesn't
really matter if we do it for other connections, since any connections we
make *after* obtaining the cookie will be to the same server anyway.

This moves another OpenSSL-specific snippet out of what should be generic
code.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix API major/minor handling for out-of-source-tree build
David Woodhouse [Tue, 29 May 2012 11:31:59 +0000 (12:31 +0100)]
Fix API major/minor handling for out-of-source-tree build

We need to look in ${srcdir}/openconnect.h, not just openconnect.h

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd gnutls support to build system
David Woodhouse [Mon, 28 May 2012 19:02:10 +0000 (20:02 +0100)]
Add gnutls support to build system

Don't get excited; this is *only* in the build system. It won't build at all.
But we have to start somewhere.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUse openconnect_open_https() and openconnect_close_https() better.
David Woodhouse [Mon, 28 May 2012 14:55:19 +0000 (15:55 +0100)]
Use openconnect_open_https() and openconnect_close_https() better.

Use them unconditionally, without checking ->https_ssl first, and use them
in some places instead of open-coding the same thing.

This makes the code slightly more agnostic to the choice of SSL library.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix non-blocking support in fetch_config()
David Woodhouse [Mon, 28 May 2012 14:03:06 +0000 (15:03 +0100)]
Fix non-blocking support in fetch_config()

Rarely likely to matter, but writing the GET request for the config wasn't
coping with -EAGAIN.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMake openconnect_open_https() and openconnect_close_https() more forgiving.
David Woodhouse [Mon, 28 May 2012 13:58:36 +0000 (14:58 +0100)]
Make openconnect_open_https() and openconnect_close_https() more forgiving.

If openconnect_open_https() is called with the connection already open,
return immediate success. Thus, the caller doesn't have to poke at
vpninfo->https_ssl to check it.

And if openconnect_close_https() is called when the connection isn't open,
don't attempt to close/free things that don't exist.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove libopenconnect.map from EXTRA_DIST
Mike Miller [Fri, 18 May 2012 22:58:17 +0000 (18:58 -0400)]
Remove libopenconnect.map from EXTRA_DIST

Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd --with-pkgconfigdir to allow different environments like FreeBSD
David Woodhouse [Fri, 18 May 2012 13:29:38 +0000 (14:29 +0100)]
Add --with-pkgconfigdir to allow different environments like FreeBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoTag version 3.20 v3.20
David Woodhouse [Fri, 18 May 2012 01:30:49 +0000 (02:30 +0100)]
Tag version 3.20

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix invalid progress callback on socket cancellation
David Woodhouse [Fri, 18 May 2012 00:35:31 +0000 (01:35 +0100)]
Fix invalid progress callback on socket cancellation

Oops! This caused the KDE auth-dialog to die because we pass it back
the wrong pointer.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoStash peer certificate before fetching HTTP response
David Woodhouse [Thu, 17 May 2012 15:41:07 +0000 (16:41 +0100)]
Stash peer certificate before fetching HTTP response

If the server closes the connection by giving an HTTP 1.0-style response,
then the SSL connection will be gone by the time the GUI auth dialog calls
openconnect_get_peer_cert(). So remember it in order to give it out later.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoTag version 3.19 v3.19
David Woodhouse [Thu, 17 May 2012 11:01:24 +0000 (12:01 +0100)]
Tag version 3.19

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate changelog
David Woodhouse [Thu, 17 May 2012 11:00:33 +0000 (12:00 +0100)]
Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate translations from Transifex
David Woodhouse [Thu, 17 May 2012 01:57:17 +0000 (02:57 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUse SOCK_CLOEXEC when opening TCP socket
David Woodhouse [Thu, 17 May 2012 01:54:43 +0000 (02:54 +0100)]
Use SOCK_CLOEXEC when opening TCP socket

We were already setting FD_CLOEXEC but we should use SOCK_CLOEXEC where
it's available, so there's no race condition in a threaded environment.

When SOCK_CLOEXEC isn't available, set FD_CLOEXEC as soon as possible
after the socket() call to at least reduce the race window.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix --non-inter option so it still allows username/password from command line
David Woodhouse [Wed, 16 May 2012 15:27:30 +0000 (16:27 +0100)]
Fix --non-inter option so it still allows username/password from command line

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix error message when too many command line arguments
David Woodhouse [Tue, 15 May 2012 14:44:05 +0000 (15:44 +0100)]
Fix error message when too many command line arguments

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate translations from Transifex
David Woodhouse [Tue, 15 May 2012 14:56:45 +0000 (15:56 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoCall BIO_set_nbio() for SSL BIO at startup
David Woodhouse [Mon, 14 May 2012 03:31:29 +0000 (22:31 -0500)]
Call BIO_set_nbio() for SSL BIO at startup

Oops, this was still in CSTP code where we *used* to make the socket
non-blocking, and now it should be like that from the beginning.

It's not entirely clear what difference it makes; all my testing of the
non-blocking code through authentication and CSTP connection was working
fine in non-blocking mode without it, when all I'd done was set O_NONBLOCK
on the socket.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoClean up BIO_set_nbio() calls for DTLS
David Woodhouse [Mon, 14 May 2012 03:29:30 +0000 (22:29 -0500)]
Clean up BIO_set_nbio() calls for DTLS

It's not necessary to do it twice for the same BIO, and it's not necessary
to get that BIO back from the SSL with SSL_get_[rw]bio() when we already
have it in a local variable.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoNamespace cleanup: s/set_http_proxy/openconnect_set_http_proxy/
David Woodhouse [Mon, 14 May 2012 03:22:59 +0000 (22:22 -0500)]
Namespace cleanup: s/set_http_proxy/openconnect_set_http_proxy/

Now the library namespace is entirely prefixed by openconnect_ with no
inappropriate pollution. At least on platforms where the linker version
scripts work.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove internal_parse_url() from the library exports.
David Woodhouse [Sun, 13 May 2012 17:56:22 +0000 (10:56 -0700)]
Remove internal_parse_url() from the library exports.

The only thing that main.c was really doing differently to the public
openconnect_parse_url() function was allowing 'urlpath' to be superseded
by the --usergroup command line argument. Which we can handle simply
by storing that in a separate variable and applying it afterwards.

The other thing it did differently was check that the scheme is https.
But openconnect_parse_url() arguably should have been doing that anyway.

Fix potential memory leak of old strings in openconnect_parse_url()
while we're at it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRefuse to redirect to a non-https URL
David Woodhouse [Sun, 13 May 2012 17:31:33 +0000 (10:31 -0700)]
Refuse to redirect to a non-https URL

Not good:
$ ./openconnect www.cam.ac.uk
Attempting to connect to 131.111.8.46:443
SSL negotiation with www.cam.ac.uk
Connected to HTTPS on www.cam.ac.uk
GET https://www.cam.ac.uk/
Got HTTP response: HTTP/1.1 301 Moved Permanently
GET https://www.cam.ac.uk/http://www.cam.ac.uk:80/
Got HTTP response: HTTP/1.1 301 Moved Permanently
GET https://www.cam.ac.uk/http://www.cam.ac.uk:80/http://www.cam.ac.uk:80/
Got HTTP response: HTTP/1.1 301 Moved Permanently
GET https://www.cam.ac.uk/http://www.cam.ac.uk:80/http://www.cam.ac.uk:80/http://www.cam.ac.uk:80/

OK, I asked it to do a stupid thing, but a polite refusal is much better.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd OPENCONNECT_CHECK_VER() macro for compatibility testing
David Woodhouse [Sun, 13 May 2012 17:24:36 +0000 (10:24 -0700)]
Add OPENCONNECT_CHECK_VER() macro for compatibility testing

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix up the historical version tags in libopenconnect.map
David Woodhouse [Sun, 13 May 2012 17:12:56 +0000 (10:12 -0700)]
Fix up the historical version tags in libopenconnect.map

It's entirely irrelevant since nothing was using them back then, but it
doesn't hurt to have them correct.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMake compat symbols @@OPENCONNECT_PRIVATE
David Woodhouse [Sun, 13 May 2012 17:09:59 +0000 (10:09 -0700)]
Make compat symbols @@OPENCONNECT_PRIVATE

Would be even nicer if I could find a way to let *only* openconnect itself
use them, and not have them visible to general users of the library.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove duplicate library API version number from Makefile.am
David Woodhouse [Sun, 13 May 2012 16:54:11 +0000 (09:54 -0700)]
Remove duplicate library API version number from Makefile.am

Pick it up from openconnect.h automatically. This means that the
configure script will run, and the makefiles will be regenerated,
whenever openconnect.h changes — but openconnect.h shouldn't be changing
in non-cosmetic ways without the version being bumped anyway, and if the
version is bumped then the makefile needs to be rebuilt too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd library.c and compat.c to POTFILES.in for translation
David Woodhouse [Sun, 13 May 2012 16:28:53 +0000 (09:28 -0700)]
Add library.c and compat.c to POTFILES.in for translation

There are no translatable strings in them yet, but I'm never going to
remember to add them if they ever *do* grow strings. So add them now
while I think of it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoDefine _WITH_GETLINE for BSD systems
David Woodhouse [Sun, 13 May 2012 07:59:09 +0000 (00:59 -0700)]
Define _WITH_GETLINE for BSD systems

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoMake symbol versioning work on Solaris too
David Woodhouse [Sun, 13 May 2012 07:13:01 +0000 (00:13 -0700)]
Make symbol versioning work on Solaris too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate changelog
David Woodhouse [Sun, 13 May 2012 04:34:17 +0000 (21:34 -0700)]
Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate copyright years
David Woodhouse [Sun, 13 May 2012 04:27:59 +0000 (21:27 -0700)]
Update copyright years

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix corruption of input string to openconnect_parse_url()
David Woodhouse [Sun, 13 May 2012 03:49:39 +0000 (20:49 -0700)]
Fix corruption of input string to openconnect_parse_url()

Well, kind of. This is the approach which was partially implemented in
commit 382d05dd1929788be151e96d80e7b8289b8f7c08 but missed restoring the
colon before the port number. It's still fairly dodgy that we're scribbling
on the input string at all, even if we do put it back again afterwards.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove inappropriate exit() from library code
David Woodhouse [Sun, 13 May 2012 03:30:27 +0000 (20:30 -0700)]
Remove inappropriate exit() from library code

It makes the auth-dialog very unhappy, if openconnect_obtain_cookie() calls
exit() from its thread when it gets cancelled. Distinctly suboptimal.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd symbol versioning to libopenconnect shared library
David Woodhouse [Sun, 13 May 2012 01:52:51 +0000 (18:52 -0700)]
Add symbol versioning to libopenconnect shared library

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoExport openconnect_version as a pointer rather than an array
David Woodhouse [Sat, 12 May 2012 23:42:40 +0000 (16:42 -0700)]
Export openconnect_version as a pointer rather than an array

Otherwise, the binary seems to *know* the length of the string that it
expected to be in the library, and when bitching of a mismatch it still
truncates the library version to the length that it *expected* the library
version string to be.

Change the name of it to 'openconnect_version_str' at the same time as we
change the datatype, to avoid crashes when linking against an older/newer
library.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_set_cancel_fd() to library
David Woodhouse [Sat, 12 May 2012 23:31:33 +0000 (16:31 -0700)]
Add openconnect_set_cancel_fd() to library

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUse openconnect_SSL_read() for fetching HTTP response
David Woodhouse [Sat, 12 May 2012 21:48:20 +0000 (14:48 -0700)]
Use openconnect_SSL_read() for fetching HTTP response

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd openconnect_SSL_read() functional which handles cancellation
David Woodhouse [Sat, 12 May 2012 21:44:36 +0000 (14:44 -0700)]
Add openconnect_SSL_read() functional which handles cancellation

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoWrite initial auth GET request in non-blocking mode
David Woodhouse [Sat, 12 May 2012 20:18:13 +0000 (13:18 -0700)]
Write initial auth GET request in non-blocking mode

Now we can remain non-blocking all the way to fetching the body.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoHandle cancellation in openconnect_SSL_gets()
David Woodhouse [Sat, 12 May 2012 20:12:13 +0000 (13:12 -0700)]
Handle cancellation in openconnect_SSL_gets()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd cancellable openconnect_SSL_write(), use it from openconnect_SSL_printf()
David Woodhouse [Sat, 12 May 2012 19:34:56 +0000 (12:34 -0700)]
Add cancellable openconnect_SSL_write(), use it from openconnect_SSL_printf()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoReturn non-blocking socket from openconnect_open_https()
David Woodhouse [Sat, 12 May 2012 19:31:29 +0000 (12:31 -0700)]
Return non-blocking socket from openconnect_open_https()

All the callers just set it to blocking mode again immediately, but we're
working on that...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd vpninfo arg to openconnect_SSL_{printf,gets} functions
David Woodhouse [Sat, 12 May 2012 18:58:42 +0000 (11:58 -0700)]
Add vpninfo arg to openconnect_SSL_{printf,gets} functions

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd cancellation handling to SSL_connect() for https connection
David Woodhouse [Sat, 12 May 2012 18:46:15 +0000 (11:46 -0700)]
Add cancellation handling to SSL_connect() for https connection

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd cancellation handling to proxy I/O functions
David Woodhouse [Sat, 12 May 2012 18:12:45 +0000 (11:12 -0700)]
Add cancellation handling to proxy I/O functions

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix handling of error from proxy_write() in process_http_proxy()
David Woodhouse [Sat, 12 May 2012 18:11:39 +0000 (11:11 -0700)]
Fix handling of error from proxy_write() in process_http_proxy()

It returns the error; don't look in errno for it

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd vpninfo arg to proxy I/O functions, use proxy_read() from proxy_gets()
David Woodhouse [Sat, 12 May 2012 17:58:31 +0000 (10:58 -0700)]
Add vpninfo arg to proxy I/O functions, use proxy_read() from proxy_gets()

This allows us to handle cancellation in proxy_read() and proxy_write().

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoHandling cancellation during initial connect()
David Woodhouse [Sat, 12 May 2012 17:41:30 +0000 (10:41 -0700)]
Handling cancellation during initial connect()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd (unused) cancel_fd to vpninfo struct
David Woodhouse [Sat, 12 May 2012 17:22:10 +0000 (10:22 -0700)]
Add (unused) cancel_fd to vpninfo struct

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFlush progress output immediately.
Fabian Jäger [Fri, 11 May 2012 18:19:39 +0000 (11:19 -0700)]
Flush progress output immediately.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoExpand OpenSSL DTLS compatibility to include Ubuntu 10.04 (Lucid Lynx)
David Woodhouse [Thu, 10 May 2012 18:07:26 +0000 (11:07 -0700)]
Expand OpenSSL DTLS compatibility to include Ubuntu 10.04 (Lucid Lynx)

They appear to have backported the Cisco DTLS compatibility, but their
OpenSSL is otherwise so old that our workaround for the absence of
dtls1_stop_timer() doesn't work. The timer handling is entirely different
there. So after an archaeological expedition through OpenSSL CVS history
and RT, cope a little better with such abominations.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix ENGINE_by_id() and dtls1_stop_timer() checks with non-system OpenSSL
David Woodhouse [Thu, 10 May 2012 17:49:39 +0000 (10:49 -0700)]
Fix ENGINE_by_id() and dtls1_stop_timer() checks with non-system OpenSSL

If we use AC_CHECK_LIB(-lssl, ...) then it'll use the system libssl even
when configured with --with-openssl= to use something different. So switch
to using AC_LINK_IFELSE and use $OPENSSL_LIBS (which should be correct)
instead.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd local getline() for Solaris 10 build
David Woodhouse [Thu, 3 May 2012 14:41:49 +0000 (15:41 +0100)]
Add local getline() for Solaris 10 build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAdd --config option for reading options from file
David Woodhouse [Thu, 3 May 2012 13:46:25 +0000 (14:46 +0100)]
Add --config option for reading options from file

Based on a patch by Fabian Jäger.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoPrepare for config file support; don't use getopt_long() and optarg directly
David Woodhouse [Thu, 3 May 2012 11:19:43 +0000 (12:19 +0100)]
Prepare for config file support; don't use getopt_long() and optarg directly

And also use an accessor macro for when we want to *copy* it, since when
it comes from the config file it'll need to be strdup'd.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoTag version 3.18 v3.18
David Woodhouse [Wed, 25 Apr 2012 22:48:15 +0000 (23:48 +0100)]
Tag version 3.18

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate changelog
David Woodhouse [Wed, 25 Apr 2012 22:48:02 +0000 (23:48 +0100)]
Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoFix potential buffer overflow in banner handling
David Woodhouse [Mon, 23 Apr 2012 01:09:33 +0000 (02:09 +0100)]
Fix potential buffer overflow in banner handling

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoAttempt to fix autohate breakage when building without NLS support
David Woodhouse [Mon, 23 Apr 2012 01:08:31 +0000 (02:08 +0100)]
Attempt to fix autohate breakage when building without NLS support

configure: error: conditional "AMDEP" was never defined.
Usually this means the macro was only invoked conditionally.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoTag version 3.17 v3.17
David Woodhouse [Fri, 20 Apr 2012 12:14:01 +0000 (13:14 +0100)]
Tag version 3.17

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate building and vpnc-script pages for mandatory vpnc-script
David Woodhouse [Fri, 20 Apr 2012 12:07:28 +0000 (13:07 +0100)]
Update building and vpnc-script pages for mandatory vpnc-script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate distro status
David Woodhouse [Fri, 20 Apr 2012 11:39:26 +0000 (12:39 +0100)]
Update distro status

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate supported platform list
David Woodhouse [Fri, 20 Apr 2012 11:25:12 +0000 (12:25 +0100)]
Update supported platform list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoRemove unused started.xml page
David Woodhouse [Fri, 20 Apr 2012 11:21:22 +0000 (12:21 +0100)]
Remove unused started.xml page

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
12 years agoUpdate translations from Transifex
David Woodhouse [Fri, 20 Apr 2012 00:00:50 +0000 (01:00 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>