Remove vpn_name from struct openconnect_info. It's only used by the auth-dialog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Rename openconnect_parse_url() to internal_parse_url()

We only need to expose a simpler version of this

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Split private parts of openconnect.h out into openconnect-internal.h

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make install commands work on Solaris

Apparently "install -m0755" doesn't work, but "install -m 0755" does.
Pointed out by Kazuyoshi Aizawa.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add csd_wrapper gconf setting

Signed-off-by: Keith Moyer <openconnect-devel@keithmoyer.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Put xml.o before main.o in build.

Just observed a strange failure when someone tried to override CFLAGS when
invoking make. It build main.o happily, but then fell over trying to build
xml.o. Then they tried again, overriding OPT_FLAGS instead. But main.o
wasn't rebuilt, and had been built without -DOPENCONNECT_LIBPROXY, hence
had a different 'struct openconnect_info' to the rest of the program, leading
to weird faults.

Ideally we ought to remember the flags used for each build and compare; the
kernel and chromium makefiles have the required magic for that which could
be easily stolen. But for now the easy fix is just to build xml.o first.
That way, if someone overrides CFLAGS they'll get an immediate failure and
no stray objects with wrong struct layout.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Partly revert excessive renaming (s/passphrase_from_fsid/openconnect_\1/)

Commit 1c41ab12942fc05e9a9fa833bb9864727bb34f46 also renamed the internal
variable do_passphrase_from_fsid in main.c. Revert that part.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't elide webvpn cookie if it's empty

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix leak of form_buf on redirect/repost/etc

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up auth form handling

Instead of scanning the login form and only displaying specific prompts,
display and record responses for all <input type="text">, and
<input type="password"> elements in the login form. It is still limited to
a single <select> element. The support for combining a securid code and pin
has also been removed.

Signed-off-by: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --csd-wrapper

Add option to run the CSD trojan via a user supplied script.

Signed-off-by: Paul Brook <paul@codesourcery.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix help output for --servercert option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up fingerprint routines

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Namespace cleanup: s/parse_url/openconnect_parse_url/

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Namespace cleanup: s/passphrase_from_fsid/openconnect_passphrase_from_fsid/

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Namespace cleanup: s/set_http_proxy/openconnect_set_http_proxy/

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Report and abort when cafile fails to open.

Slightly saner error handling would have prevented a wild goose chase
this morning.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.26

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't crash on relative redirect when original urlpath was NULL
Red Hat bug #629979

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Android has /dev/tun, not /dev/net/tun

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update --script-tun description, remove non-existent --tun-fd from manpage.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix host selection in NM auth-dialog

It wasn't actually clearing vpninfo->peer_addr, so we were always just
reconnecting to the first host, even when the user changed the selection.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use SSLv3 not TLSv1

There are servers (or firewalls) which apparently reject all connections with
any hello extensions. Seen with a Cisco VPN 3000.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check certificate expiry and complain

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update status of Debian OpenSSL DTLS support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Never use protocol family prefixes with a TUN script.

Signed-off-by: Eric Barkie <ebarkie@us.ibm.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close existing connection and discard compressed packet in cstp_reconnect()

Both callers need to do this, so move it into the function.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Implement DTLS and CSTP rekeying.

Don't know if there's a way to pass a new DTLS master secret and get
back a new session-id over an existing CSTP connection; reconnecting the
CSTP works though. And is the way to rekey CSTP too, since SSL
renegotiation got deprecated (we never got round to doing it that way
either, anyway).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up option handling to use sane values for long-only options

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --force-dpd option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Elide webvpn cookie from debugging output.

Hopefully this should help to stop users from posting them to the
mailing list.

The check in Exim to add a warning header if it detects a cookie, and the
Mailman rule to trap messages with that header for moderation, should also
help.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update ConnMan references

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Link to knetworkmanager bug for OpenConnect support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.25

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Compare cert IP address with that of the server... not the proxy

We mustn't use vpninfo->peer_addr when validating the server's
certificate, because that could be the address of the proxy if we're
using one. Use the result of running inet_pton() on the hostname instead.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print UTF8 form of URI in messages, not raw form

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make parse_url preserve its input string

It still screws with it as it parses it, but at least it puts it back now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't match URIs with a path component

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove stray debugging printf

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove stray break which stopped processing altnames after the first GEN_DNS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use ASN1_STRING_to_UTF8 for altnames

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of GEN_URI altnames.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leak on non-200 HTTP result

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of GEN_IPADD altnames.

In particular, the length of the altname wasn't the same as the length
of the corresponding sockaddr.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Accept GEN_IPADD certificate altneme for raw IPv6 address without [] too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle wildcards in hostname matching

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Attempt to handle GEN_IPADD in X509 altnames. Or at least not crash.

In particular, stop assuming that every altname is an ASN1_STRING and
using strlen() on what would be its data. If the untested support for
GEN_IPADD actually works, that's an added bonus.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --no-cert-check option, update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add basic cert hostname matching

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add text-mode function for validating failed certs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pass failure reason to validate_peer_cert()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Always verify server certificate, even with no cafile

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up PKCS12_parse() bug workaround

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix potential memory leak in load_pkcs12_certificate()

If there were certificates in the PKCS#12 file which didn't get used, they
would never be freed. Increase the refcount on the certs we _do_ use, and
then free the entire stack properly using sk_X509_pop_free().

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leak in verify_peer()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Packages now in pkgsrc-wip

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog, improve requirements documentation

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update README.DTLS to reflect current OpenSSL versions

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix libproxy support with pkgsrc

While preparing the new package I noticed that OpenConnect
was being built without libproxy support, due to the fact that
pkgsrc's libproxy installs proxy.h under ${PREFIX}/include and not
under ${PREFIX}/include/libproxy.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Pouya D. Tafti <p@san-serriffe.org>

Make Solaris build more user-friendly w.r.t. installing TAP driver.

Tell the user what to do if the TAP driver is missing, and don't rely on them
removing Make.config so that the Makefile goes looking for it again.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.24

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update to more permanent URL for pkgsrc package

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pointer to pkgsrc package

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Document Ubuntu status

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Create libopenconnect.a for GUI authentication dialogs to use.

Now that things have stabilised, it ought to be feasible for us to put
the NetworkManager auth-dialog in the network-manager-openconnect
package where it belongs. Knetworkmanager support for openconnect will need
to use it too.

A static library is the first step; ideally we'll be able to do a sane
dynamic library with a reasonable stable ABI and no namespace pollution.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Work around OpenSSL SEGV when retrying PKCS#12 passphrase

This seems to have been fixed in OpenSSL 1.0.0-beta2 by
http://cvs.openssl.org/chngview?cn=17957 but still affects 0.9.8n.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add DragonFly BSD too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Document NetBSD support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix NetBSD build.

We need to include <netinet/in.h>, so do that unconditionally. And let
NetBSD use the Solaris code path for fsid handling.

Based on a patch from Pouya D. Tafti.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove gratuitous -ldl from static OpenSSL link command

NetBSD doesn't like it.

Also remove the -lz and add an explicit -lz to LDFLAGS. We use that
directly, so we shouldn't be relying on getting it pulled in indirectly.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Change OpenSSL version number check for const methods to 0.9.9

NetBSD 5.0 ships with an old pre-1.0 snapshot of OpenSSL, which has the
const methods already.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update hardware support list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make some functions static

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update TODO list to reflect current status

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Improve handling of cert passphrase errors

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix purpose workaround to build against OpenSSL 0.9.7

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Move unhex() out of DTLS ifdef, to build with OpenSSL 0.9.7 again

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Include ctype.h for isxdigit()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Forget preconfigured password after one attempt; don't keep retrying.

Without this, we were seeing infinite retries to post the auth form, when
the password was wrong or the required certificate was absent.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use X-CSTP-Banner header to set $CISCO_BANNER

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.23

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --no-http-keepalive option to help work around Cisco incompetence.

We know that certain versions of the ASA software (8.2.2.5 at least) are
buggy and will 'forget' the client's SSL certificate by the time they
receive the second request on a re-used HTTP connection. We have an
unconditional workaround for the case where we _know_ that bug will
trip, in commit 357c85e8 ("Always close HTTP/1.0 connection...").

Cisco's support staff are completely useless and have failed to give any
competent response to the bug report -- so not only does it look like
they won't fix it, but we don't actually know what under _other_
circumstances this same bug might manifest itself.

This patch adds an option to disable _all_ connection re-use. The
intention is that users can try it out if they encounter problems, then
report to the mailing list that it worked so that we can work out how
to trigger it automatically.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix Debian/kFreeBSD build

Debian bug #577004

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update instructions to note that script must be executable

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print notice about lack of DNS and routing if no --script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Change mainloop idle message to look less like 'Did not work'

That can cause confusion if it's misread.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print failing host name when getaddrinfo() fails

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print non-200 HTTP responses even without -v

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix SEGV on 404

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Cope with server certs without SSL_SERVER purpose bit set, with old OpenSSL

We already had a workaround, but it didn't work with OpenSSL < 0.9.8k so
we need to do it differently, by providing our own wrapper around
X509_verify_cert().

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Note DTLS support in 0.9.8m release

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Return error on refusing to run CSD trojan, rather than exiting

This fixes the error handling in the NM auth dialog. Fix the message so that
it doesn't refer to the command-line option, too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add CSD support for NetworkManager auth dialog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle proxy setting in NetworkManager, ignore unnecessary 'authtype'

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.22

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>