Tag version 2.26

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't crash on relative redirect when original urlpath was NULL
Red Hat bug #629979

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Android has /dev/tun, not /dev/net/tun

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update --script-tun description, remove non-existent --tun-fd from manpage.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix host selection in NM auth-dialog

It wasn't actually clearing vpninfo->peer_addr, so we were always just
reconnecting to the first host, even when the user changed the selection.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use SSLv3 not TLSv1

There are servers (or firewalls) which apparently reject all connections with
any hello extensions. Seen with a Cisco VPN 3000.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check certificate expiry and complain

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update status of Debian OpenSSL DTLS support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Never use protocol family prefixes with a TUN script.

Signed-off-by: Eric Barkie <ebarkie@us.ibm.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close existing connection and discard compressed packet in cstp_reconnect()

Both callers need to do this, so move it into the function.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Implement DTLS and CSTP rekeying.

Don't know if there's a way to pass a new DTLS master secret and get
back a new session-id over an existing CSTP connection; reconnecting the
CSTP works though. And is the way to rekey CSTP too, since SSL
renegotiation got deprecated (we never got round to doing it that way
either, anyway).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up option handling to use sane values for long-only options

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --force-dpd option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Elide webvpn cookie from debugging output.

Hopefully this should help to stop users from posting them to the
mailing list.

The check in Exim to add a warning header if it detects a cookie, and the
Mailman rule to trap messages with that header for moderation, should also
help.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update ConnMan references

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Link to knetworkmanager bug for OpenConnect support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.25

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Compare cert IP address with that of the server... not the proxy

We mustn't use vpninfo->peer_addr when validating the server's
certificate, because that could be the address of the proxy if we're
using one. Use the result of running inet_pton() on the hostname instead.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print UTF8 form of URI in messages, not raw form

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make parse_url preserve its input string

It still screws with it as it parses it, but at least it puts it back now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't match URIs with a path component

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove stray debugging printf

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove stray break which stopped processing altnames after the first GEN_DNS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use ASN1_STRING_to_UTF8 for altnames

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of GEN_URI altnames.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leak on non-200 HTTP result

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of GEN_IPADD altnames.

In particular, the length of the altname wasn't the same as the length
of the corresponding sockaddr.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Accept GEN_IPADD certificate altneme for raw IPv6 address without [] too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle wildcards in hostname matching

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Attempt to handle GEN_IPADD in X509 altnames. Or at least not crash.

In particular, stop assuming that every altname is an ASN1_STRING and
using strlen() on what would be its data. If the untested support for
GEN_IPADD actually works, that's an added bonus.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --no-cert-check option, update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add basic cert hostname matching

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add text-mode function for validating failed certs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pass failure reason to validate_peer_cert()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Always verify server certificate, even with no cafile

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up PKCS12_parse() bug workaround

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix potential memory leak in load_pkcs12_certificate()

If there were certificates in the PKCS#12 file which didn't get used, they
would never be freed. Increase the refcount on the certs we _do_ use, and
then free the entire stack properly using sk_X509_pop_free().

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leak in verify_peer()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Packages now in pkgsrc-wip

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog, improve requirements documentation

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update README.DTLS to reflect current OpenSSL versions

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix libproxy support with pkgsrc

While preparing the new package I noticed that OpenConnect
was being built without libproxy support, due to the fact that
pkgsrc's libproxy installs proxy.h under ${PREFIX}/include and not
under ${PREFIX}/include/libproxy.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Pouya D. Tafti <p@san-serriffe.org>

Make Solaris build more user-friendly w.r.t. installing TAP driver.

Tell the user what to do if the TAP driver is missing, and don't rely on them
removing Make.config so that the Makefile goes looking for it again.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.24

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update to more permanent URL for pkgsrc package

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pointer to pkgsrc package

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Document Ubuntu status

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Create libopenconnect.a for GUI authentication dialogs to use.

Now that things have stabilised, it ought to be feasible for us to put
the NetworkManager auth-dialog in the network-manager-openconnect
package where it belongs. Knetworkmanager support for openconnect will need
to use it too.

A static library is the first step; ideally we'll be able to do a sane
dynamic library with a reasonable stable ABI and no namespace pollution.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Work around OpenSSL SEGV when retrying PKCS#12 passphrase

This seems to have been fixed in OpenSSL 1.0.0-beta2 by
http://cvs.openssl.org/chngview?cn=17957 but still affects 0.9.8n.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add DragonFly BSD too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Document NetBSD support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix NetBSD build.

We need to include <netinet/in.h>, so do that unconditionally. And let
NetBSD use the Solaris code path for fsid handling.

Based on a patch from Pouya D. Tafti.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove gratuitous -ldl from static OpenSSL link command

NetBSD doesn't like it.

Also remove the -lz and add an explicit -lz to LDFLAGS. We use that
directly, so we shouldn't be relying on getting it pulled in indirectly.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Change OpenSSL version number check for const methods to 0.9.9

NetBSD 5.0 ships with an old pre-1.0 snapshot of OpenSSL, which has the
const methods already.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update hardware support list

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make some functions static

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update TODO list to reflect current status

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Improve handling of cert passphrase errors

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix purpose workaround to build against OpenSSL 0.9.7

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Move unhex() out of DTLS ifdef, to build with OpenSSL 0.9.7 again

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Include ctype.h for isxdigit()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Forget preconfigured password after one attempt; don't keep retrying.

Without this, we were seeing infinite retries to post the auth form, when
the password was wrong or the required certificate was absent.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use X-CSTP-Banner header to set $CISCO_BANNER

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.23

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --no-http-keepalive option to help work around Cisco incompetence.

We know that certain versions of the ASA software (8.2.2.5 at least) are
buggy and will 'forget' the client's SSL certificate by the time they
receive the second request on a re-used HTTP connection. We have an
unconditional workaround for the case where we _know_ that bug will
trip, in commit 357c85e8 ("Always close HTTP/1.0 connection...").

Cisco's support staff are completely useless and have failed to give any
competent response to the bug report -- so not only does it look like
they won't fix it, but we don't actually know what under _other_
circumstances this same bug might manifest itself.

This patch adds an option to disable _all_ connection re-use. The
intention is that users can try it out if they encounter problems, then
report to the mailing list that it worked so that we can work out how
to trigger it automatically.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix Debian/kFreeBSD build

Debian bug #577004

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update instructions to note that script must be executable

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print notice about lack of DNS and routing if no --script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Change mainloop idle message to look less like 'Did not work'

That can cause confusion if it's misread.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print failing host name when getaddrinfo() fails

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print non-200 HTTP responses even without -v

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix SEGV on 404

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Cope with server certs without SSL_SERVER purpose bit set, with old OpenSSL

We already had a workaround, but it didn't work with OpenSSL < 0.9.8k so
we need to do it differently, by providing our own wrapper around
X509_verify_cert().

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Note DTLS support in 0.9.8m release

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Return error on refusing to run CSD trojan, rather than exiting

This fixes the error handling in the NM auth dialog. Fix the message so that
it doesn't refer to the command-line option, too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add CSD support for NetworkManager auth dialog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle proxy setting in NetworkManager, ignore unnecessary 'authtype'

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.22

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Always close HTTP/1.0 connection, even after Connection: Keep-Alive header.

Some servers seem to fail certificate authentication after the initial
redirect unless you make a new connection. I see no valid reason in the
HTTP spec why we should do this, but it makes things work...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Avoid using vpninfo->ifname before it's set.

Commit 78e461ce2d74d7772578a07785fd96c7b784efae ("Set script environment
earlier...") was broken because we end up trying to set the $TUNDEV
environment variable before vpninfo->ifname has actually been set.

[dwmw2: slightly modified Jørgen's original patch so that we do actually
 set $TUNDEV later, otherwise the script won't work.]

Signed-off-by: Jørgen Wahlberg <jorgen@jaws.no>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Set script environment earlier, so it applies to script_tun too

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix build where AI_NUMERICSERV isn't defined (OSX < 1.6)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pass port number to openconnect from NetworkManager.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Accept full urls in nm-auth-dialog

E.g. "<host>:<port>" will now work.

Signed-off-by: Jussi Kukkonen <jku@linux.intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of port numbers above 9999

We need to allow 5 digits in the port number, which means 6 characters
including the terminating NUL. The buffer was already big enough, but
the length argument to snprintf() wasn't. Spotted by Charles Bovy (thanks).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle relative redirect and form action

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle allocation failure in HTTP 1.0 loop

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Allocate extra byte for NUL termination after HTTP 1.0 read loop, not in it.

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Free dynamically allocated memory before returning on errors

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use the somewhat misnamed proxy_write() function to write the CSD script

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Dynamically allocate buffer size for downloaded CSD script

Thanks to David for his help in rewriting this patch and to actually
make it work.

Signed-off-by: Adam Piątyszek <ediap@users.sourceforge.net>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Case-insensitive comparison for server SHA1 fingerprint

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix exit code with --background option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

No strndup() on Solaris. Yay Solaris!

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>