Tag version 2.22

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Always close HTTP/1.0 connection, even after Connection: Keep-Alive header.

Some servers seem to fail certificate authentication after the initial
redirect unless you make a new connection. I see no valid reason in the
HTTP spec why we should do this, but it makes things work...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Avoid using vpninfo->ifname before it's set.

Commit 78e461ce2d74d7772578a07785fd96c7b784efae ("Set script environment
earlier...") was broken because we end up trying to set the $TUNDEV
environment variable before vpninfo->ifname has actually been set.

[dwmw2: slightly modified Jørgen's original patch so that we do actually
 set $TUNDEV later, otherwise the script won't work.]

Signed-off-by: Jørgen Wahlberg <jorgen@jaws.no>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Set script environment earlier, so it applies to script_tun too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix build where AI_NUMERICSERV isn't defined (OSX < 1.6)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pass port number to openconnect from NetworkManager.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Accept full urls in nm-auth-dialog

E.g. "<host>:<port>" will now work.

Signed-off-by: Jussi Kukkonen <jku@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of port numbers above 9999

We need to allow 5 digits in the port number, which means 6 characters
including the terminating NUL. The buffer was already big enough, but
the length argument to snprintf() wasn't. Spotted by Charles Bovy (thanks).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle relative redirect and form action

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle allocation failure in HTTP 1.0 loop

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Allocate extra byte for NUL termination after HTTP 1.0 read loop, not in it.

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Free dynamically allocated memory before returning on errors

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use the somewhat misnamed proxy_write() function to write the CSD script

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Dynamically allocate buffer size for downloaded CSD script

Thanks to David for his help in rewriting this patch and to actually
make it work.

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Case-insensitive comparison for server SHA1 fingerprint

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix exit code with --background option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

No strndup() on Solaris. Yay Solaris!

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.21

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix typo in changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of HTTP 1.0 responses with Connection: Keep-Alive

An HTTP 1.0 response can keepalive and have a Connection-Length: header,
and this is seen in some cases with the initial redirect when we connect
to a VPN server (Red Hat bug #553817). Fix and clean up the response
handling code accordingly.

I _really_ wish I didn't have to write my own HTTP code, and that one of
the available libraries was actually able to support SSL connections
with a certificate from a TPM.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Be case-insensitive in HTTP fields (and comparing hostname for redirects)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check return value from asprintf()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check return value from system()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.20

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix HTTP 1.0 body fetch.

Not that we should ever really see one.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of 'HTTP/1.1 100 Continue' response

When we jump back to 'cont' it needs to fetch the next response line,
not just check the existing contents of the buffer (which will be an
empty line).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Really, don't shut down SSL twice

It's the one in redirect handling that needs to check whether the
connection is already closed. The one in process_http_response() can't
possibly happen when the connection is already closed.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Free host URL after parsing

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Mention SOCKS support in feature list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clarify that -P argument takes a URL, admit to SOCKS support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up libproxy.h and if_tun.h detection for cross-compilation

Looking in /usr/include was silly. This is one thing that autoconf would
help with, but at a cost that I'm not really willing to pay.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't include net/if_tun.h twice on Solaris

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove SOCKS from TODO list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use $https_proxy environment variable, if set.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Disable libproxy by default

Most people don't need to go through a proxy, but might have one
configured anyway for https because it's harmless. But it's _not_ actually
harmless for openconnect, because it'll prevent DTLS from working. So if
a user really needs proxy support, let them ask for it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix up DTLS vs. reconnection address confusion

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add SOCKS5 support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix non-libproxy build

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix use-after-free of UI elements (RH bug #551665)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add libproxy support, conditionally

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use URL in example command line

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle IPv6 literal [] in connection, accept https:// URL for server

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update copyright years

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add proxy support (based on Pál Dorogi's version)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle IPv6 server correctly when setting $VPNGATEWAY

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix various memory leaks, mostly with libxml

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't shut down SSL twice

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add parse_url() function, which will be useful for proxies too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up redirection, support non-standard port

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.12

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Reconnect CSTP to the previously-used IP address; don't redo DNS lookup

Some people use a fucking stupid schizoDNS setup where they abuse the
real public domain name "company.com" for internal machines, rather than
using a separate and unambiguous domain like "company.internal".

Some people compound this mistake by having some hosts which don't even
_exist_ in the internal domain, or worse which get different IP
addresses depending on which version of the domain you're in.

So if you're already on the VPN and have configured DNS for it, looking
up "vpnserver.company.com" isn't necessarily such a cunning thing to do.
We're _already_ remembering the IP address of the server, so that DTLS
can use it. Just ensure that it's getting cleared correctly on HTTP
redirects, then use it for HTTP reconnections too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix buffer overrun in useragent. Use asprintf

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Try to clean up os-dependent tun handling a bit. Fix OSX IPv6, DragonflyBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.11

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Minor web page updates

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Warn about lack of DTLS compatibility at build time

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Note that the 2009-11-16 version of Solaris tun/tap driver is required for IPv6

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update IPv6 references in documentation

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add IPv6 support for FreeBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pass IPv6 routes separately from Legacy IP routes

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Calculate client cert MD5 for CSD with all cert types, when needed

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up error reporting when cert/key can't be loaded

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update note on OpenSSL versions

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up fsid routines, use asprintf()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check for alloc failure in cookie addition

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Consolidate http cookie addition

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Warn when running Linux CSD trojan on non-Linux system

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.10

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Web page update

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Change csd user option name

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Point to vpnc-scripts repo for Solaris

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Netmask is optional

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Set $INTERNAL_IP4_NETMASKLEN and $INTERNAL_IP4_NETADDR correctly.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add OpenSolaris support to doc

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add tun/tap support for Solaris

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Move tunnel shutdown into tun.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix includes for Solaris

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use AI_NUMERICSERV; don't rely on https being in /etc/services. Yay Solaris!

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use statvfs() on Solaris

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Provide local implementation of strcasestr for Solaris

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clarify the fact that DTLS support isn't required

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Documentation updates

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Enable IPv6

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Attempt to handle IPv6

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Kill packet type field; IPv6 and Legacy IP are carried identically

... so there's no need to remember what type of packet it is.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Change verbosity with SIGUSR[12]

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Move TCP closure detection to cstp.c, make it reconnect when it happens

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle SIGTERM and disconnect cleanly

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add .PHONY target to Makefile

Signed-off-by: Erik Mouw <mouw@nl.linux.org>

Added target realclean that also removes backup files

Signed-off-by: Erik Mouw <mouw@nl.linux.org>

Check return value of write(2) and print an error if it fails.

Signed-off-by: Erik Mouw <mouw@nl.linux.org>

Git should ignore backup files and Emacs temp files

Signed-off-by: Erik Mouw <mouw@nl.linux.org>

Save errno because fprintf() could overwrite it

Signed-off-by: Erik Mouw <mouw@nl.linux.org>

open(2) returns a negative value in case of an error

The previous test was !config_fd which fails exactly when most needed
(i.e.: when open(2) actually returns an error). The correct test is to
check for negative return values.

Signed-off-by: Erik Mouw <mouw@nl.linux.org>

Fix compiler warnings

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>