Tag version 3.10

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Note the existence of KDE support for NetworkManager + openconnect

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Silence output from tag checks

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove debugging from uncommitted-check rule

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add 'make tmp-dist' for testing tarballs, to work around the tag check

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check for repeated tags in 'make tag'

And remove the ifdef VERSION, since $(VERSION) is always defined now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix dist-hook to enforce being at $(VERSION)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Switch to using autohate :(

I really didn't want to do this, but much as I hate libtool it is the
easiest way to portably build shared libraries, and we really do need
to build libopenconnect as a shared library. And having used libtool
we might as well concede entirely and use autoconf/automake.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add openconnect_vpninfo_new_with_cbdata() function to ease C++ integration

C++ callers really want the 'self' object pointer to be the first argument
of the callbacks. Give them the chance to get that, instead of the vpninfo
pointer.

Preserve the old openconnect_vpninfo_new() call, even with the same
prototype for the callback functions, for compatibility with the existing
GNOME auth-dialog.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Explicitly require pkg-config. It's not installed by default on OS X

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add 'reconnect' invocation of vpnc-script, to re-ensure routing/DNS setup

If we reconnect because of an actual local network disconnect/reconnect, then
something (DHCP, etc.) may have screwed up the routing and DNS according to
the local configuration. Give the script a chance to remedy that.

With iproute (i.e. modern Linux) it ought to work just to make vpnc-script
do the same as it does on 'connect'. For other systems it's somewhat harder.

For now vpnc-script will ignore it, anyway.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use 'openssl' pkgconfig not 'libssl'. Debian doesn't include -lcrypto in libssl

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --non-inter option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update web page to document NetworkManager auth-dialog move

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clarify that --script [...] will be evaluated by the shell.

Signed-off-by: Thomas Schwinge <thomas@codesourcery.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 3.02

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix manpage formatting

Adding back a period at the start of this file fixes the broken
formatting.

Signed-off-by: Ray Kohler <ataraxia937@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clear cached peer_addr where necessary.

If the user declined to manually accept a certificate in the NetworkManager
auth-dialog, and the SSL_connect() failed, we were still keeping the cached
peer_addr around. So even after the user chose *another* host to connect to,
we weren't actually doing another DNS lookup; we were just continuing to
connect to the old address.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use pkgconfig for libssl.

Taken from the Gentoo portage. Either they hadn't bothered to send me
the patch, or I had dropped it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Bump library API for openconnect_vpninfo_free() addition

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Free cert after comparing it with sslkey.

There wasn't a use-after-free here, but it *looked* like it. Swap them anyway.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add openconnect_vpninfo_free(); start to sanify string lifetime rules.

- openconnect_set_http_proxy() now takes ownership of the proxy string
- fix openconnect_clear_cookie() to clear string properly, and only if set

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Install target fixes

 don't create /usr/libexec
 do create /usr/share/man/man8 and install manpage there

Signed-off-by: Ray Kohler <ataraxia937@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 3.01

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add libxml to pkg-config requirements. Doh!

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 3.00

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove auth-dialog. It lives in NetworkManager-openconnect now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add install-lib make target

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove 'reprompt' variable which does nothing

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add a dummy use of 'thread' after creating it, to shut compiler up

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make a bunch of functions static to avoid compiler warnings

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix shadowed declarations of global config_path

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix shadowed declarations of global gcl

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix shadowed declarations of global ui_data

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add API version to header, fix include guard

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add openconnect_get_version() function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix namespace prefix on get_cert_sha1 function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Hide openconnect_close_https() and openconnect_create_useragent()

These are no longer exposed

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add accessor functions for library use, convert nm-auth-dialog to use them

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove vpn_name from struct openconnect_info. It's only used by the auth-dialog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Rename openconnect_parse_url() to internal_parse_url()

We only need to expose a simpler version of this

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Split private parts of openconnect.h out into openconnect-internal.h

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make install commands work on Solaris

Apparently "install -m0755" doesn't work, but "install -m 0755" does.
Pointed out by Kazuyoshi Aizawa.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add csd_wrapper gconf setting

Signed-off-by: Keith Moyer <openconnect-devel@keithmoyer.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Put xml.o before main.o in build.

Just observed a strange failure when someone tried to override CFLAGS when
invoking make. It build main.o happily, but then fell over trying to build
xml.o. Then they tried again, overriding OPT_FLAGS instead. But main.o
wasn't rebuilt, and had been built without -DOPENCONNECT_LIBPROXY, hence
had a different 'struct openconnect_info' to the rest of the program, leading
to weird faults.

Ideally we ought to remember the flags used for each build and compare; the
kernel and chromium makefiles have the required magic for that which could
be easily stolen. But for now the easy fix is just to build xml.o first.
That way, if someone overrides CFLAGS they'll get an immediate failure and
no stray objects with wrong struct layout.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Partly revert excessive renaming (s/passphrase_from_fsid/openconnect_\1/)

Commit 1c41ab12942fc05e9a9fa833bb9864727bb34f46 also renamed the internal
variable do_passphrase_from_fsid in main.c. Revert that part.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't elide webvpn cookie if it's empty

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix leak of form_buf on redirect/repost/etc

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up auth form handling

Instead of scanning the login form and only displaying specific prompts,
display and record responses for all <input type="text">, and
<input type="password"> elements in the login form. It is still limited to
a single <select> element. The support for combining a securid code and pin
has also been removed.

Signed-off-by: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --csd-wrapper

Add option to run the CSD trojan via a user supplied script.

Signed-off-by: Paul Brook <paul@codesourcery.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix help output for --servercert option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up fingerprint routines

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Namespace cleanup: s/parse_url/openconnect_parse_url/

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Namespace cleanup: s/passphrase_from_fsid/openconnect_passphrase_from_fsid/

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Namespace cleanup: s/set_http_proxy/openconnect_set_http_proxy/

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Report and abort when cafile fails to open.

Slightly saner error handling would have prevented a wild goose chase
this morning.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.26

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't crash on relative redirect when original urlpath was NULL
Red Hat bug #629979

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Android has /dev/tun, not /dev/net/tun

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update --script-tun description, remove non-existent --tun-fd from manpage.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix host selection in NM auth-dialog

It wasn't actually clearing vpninfo->peer_addr, so we were always just
reconnecting to the first host, even when the user changed the selection.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use SSLv3 not TLSv1

There are servers (or firewalls) which apparently reject all connections with
any hello extensions. Seen with a Cisco VPN 3000.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Check certificate expiry and complain

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update status of Debian OpenSSL DTLS support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Never use protocol family prefixes with a TUN script.

Signed-off-by: Eric Barkie <ebarkie@us.ibm.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close existing connection and discard compressed packet in cstp_reconnect()

Both callers need to do this, so move it into the function.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Implement DTLS and CSTP rekeying.

Don't know if there's a way to pass a new DTLS master secret and get
back a new session-id over an existing CSTP connection; reconnecting the
CSTP works though. And is the way to rekey CSTP too, since SSL
renegotiation got deprecated (we never got round to doing it that way
either, anyway).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up option handling to use sane values for long-only options

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --force-dpd option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Elide webvpn cookie from debugging output.

Hopefully this should help to stop users from posting them to the
mailing list.

The check in Exim to add a warning header if it detects a cookie, and the
Mailman rule to trap messages with that header for moderation, should also
help.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update ConnMan references

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Link to knetworkmanager bug for OpenConnect support

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 2.25

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Compare cert IP address with that of the server... not the proxy

We mustn't use vpninfo->peer_addr when validating the server's
certificate, because that could be the address of the proxy if we're
using one. Use the result of running inet_pton() on the hostname instead.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print UTF8 form of URI in messages, not raw form

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make parse_url preserve its input string

It still screws with it as it parses it, but at least it puts it back now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't match URIs with a path component

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove stray debugging printf

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove stray break which stopped processing altnames after the first GEN_DNS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use ASN1_STRING_to_UTF8 for altnames

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of GEN_URI altnames.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leak on non-200 HTTP result

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix handling of GEN_IPADD altnames.

In particular, the length of the altname wasn't the same as the length
of the corresponding sockaddr.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Accept GEN_IPADD certificate altneme for raw IPv6 address without [] too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle wildcards in hostname matching

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Attempt to handle GEN_IPADD in X509 altnames. Or at least not crash.

In particular, stop assuming that every altname is an ASN1_STRING and
using strlen() on what would be its data. If the untested support for
GEN_IPADD actually works, that's an added bonus.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add --no-cert-check option, update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add basic cert hostname matching

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add text-mode function for validating failed certs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Pass failure reason to validate_peer_cert()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Always verify server certificate, even with no cafile

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up PKCS12_parse() bug workaround

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix potential memory leak in load_pkcs12_certificate()

If there were certificates in the PKCS#12 file which didn't get used, they
would never be freed. Increase the refcount on the certs we _do_ use, and
then free the entire stack properly using sk_X509_pop_free().

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leak in verify_peer()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Packages now in pkgsrc-wip

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>