resetting manifest requested domain to floor

remove dependency on gtk/gconf

initial import

Add packaging

Tag version 4.99

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't append port number to hostname when canonicalising

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Impose minimum MTU of 1280 bytes.

Some people have seen extremely low pMTU values from the kernel. Not sure
why, but let's impose a lower limit for now.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Canonicalise hostname during authentication if necessary

Some people have round-robin servers, all addressed by the same hostname
but with different SSL certificates. Where we do the authentication (and
user-interactive approval of certificates) from a GUI via libopenconnect,
or with 'openconnect --authenticate', we end up being given the SHA1 on
the server's certificate and the non-interactive connection is going to
expect to see exactly that certificate. So if there is more than one
result in the original DNS lookup, *change* vpninfo->hostname to hold
the IP address that we actually connected to.

This means that the Host: header in what we send will be the numeric IP
address instead of the hostname, but that doesn't seem to hurt. It could
potentially, theoretically, break virtual hosts but I don't think that
kind of setup could ever existing in practice.

This also works only in the case where we're *not* connecting via a proxy.
We currently let the proxy do the DNS lookups *for* us, and we'd have to
do them locally and then ask the proxy for a connection by IP address
even for the *first* connection.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Reinstate compatibility with test server hack

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

tun: Kill the tunnel script's process group

When invoked with --script-tun, openconnect starts the tunnel script
via "/bin/sh -c 'SCRIPT'", then sends SIGHUP to the shell's PID when
shutting down.  However, non-interactive shells are not guaranteed to
send SIGHUP to any running jobs¹; indeed, the observed behavior on
Linux is that only the shell process receives SIGHUP, and the tunnel
script continues running after openconnect exits.

A quick fix is to set the child's pgid == pid, then send SIGHUP to the
entire process group when we want to shut down.

¹ http://www.gnu.org/software/bash/manual/html_node/Signals.html

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

tun: Don't call tunnel script on reconnect events

If --script-tun is used, the vpnc_script is not invoked for pre-init,
connect, or disconnect events.  However, it is invoked on reconnect, and
this may confuse the tunnel script.

Add an extra check to script_config_tun() to make the reconnect behavior
consistent with the behavior of other events.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use -version-info arg to libtool on OpenBSD, not -version-number

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use native libtool on OpenBSD

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Include version.c from build dir in preference to source dir

This should fix out-of-source-tree builds from a tarball, which
otherwise would use the autogenerated $(objdir)/version.c for building
the library, but the pre-packaged $(srcdir)/version.c for the
executable. This is because the latter was included directly from main.c
by #include "version.c". By changing to #include <main.c> instead, we get
to use the new auto-generated one instead if anything's been changed.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle libintl needing libiconv (for OpenBSD 5.2)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Avoid incorrect compiler warning about optlen being used uninitialised

GCC 3.4.3 on Solaris 11.1 complains:
main.c:348: warning: 'optlen' might be used uninitialized in this function

It's wrong, and it's obviously wrong. But shut it up anyway.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use libsocket and libnsl as necessary on Solaris

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix library versioning

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix missing newlines on more messages

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Merge branch 'xmlpost-v2' of git://github.com/cernekee/openconnect

www: Update changelog

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

www: Use a more "stable" URL for the libstoken homepage

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Document new --os option

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Fix CSD/stoken interaction

When using CSD, the auth form could be parsed more than once per
connection.  Change the accounting so that stoken_tries only gets
incremented if a tokencode is actually generated.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Fix a couple of valgrind warnings

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

http: Rewrite openconnect_obtain_cookie() loop

First try XML POST, then fall back to the old method if that breaks.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

csd: Export some useful environment variables

CSD_HOSTNAME is a known-valid hostname on which (hopefully) our script
won't have to perform too much input validation to know it's safe.

CSD_TOKEN is passed in as the "sdesktop" cookie from host scan.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

csd: Don't return from run_csd_script() in the forked process

If something in the CSD child process fails, we want it to exit.  We
do not want it to return to openconnect_obtain_cookie() and cause two
instances of the latter function to run in parallel.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

http: Record the last redirection type

The AnyConnect client uses the redirection type (new host, or just a
new URL on the same host) to figure out whether to use XML POST or
the old urlencoded scheme.  Preserve this information for future use.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

http: Add new X-* HTTP headers

Newer AnyConnect clients (e.g. v3.1) specify X-Aggregate-Auth and
X-AnyConnect-Platform.  These are required by some gateways.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

http: Split GET/POST logic into a helper function

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

auth: Add new XML POST capability

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Allow setting reported OS from the command line

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

library: Add call to change reported OS name

Newer gateways require the client to announce its platform name (win,
mac, linux, linux-64) in the HTTP headers and in the <config-auth>
section of each request.  The gateway can be configured to apply different
security policies to different OSes, or even completely block access to
OSes that are not on the "approved" list.

Therefore, it is useful to be able to adjust the OS name that is reported
to the gateway.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

auth: Parse the new server response format

Newer AnyConnect installations use a different XML document tree
to pass information to the client.  This patch allows OpenConnect
to parse the new format, and attempts to document both the old
format and the new format in the comments.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

auth: Split auth form prompt logic from parsing logic

Provide separate calls for parse_xml_response() and handle_auth_form(),
so that the ordering of events in openconnect_obtain_cookie() can be
modified.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

auth: Don't forget to free OC_FORM_OPT_STOKEN entries

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

auth: Introduce new XML helper functions for parse_auth_node()

Try to clean up some of the c&p casting and long lines.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

auth: Move <auth> node parsing into a separate function

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

auth: Remove obsolete trace message from parse_form()

parse_form() used to add hidden form fields to the query string on
the spot, but since it doesn't anymore, it should not display the
"Fixed options" trace message.

After making this change, we can remove the request / request_body
arguments.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

http: Create add_common_headers() to simplify HTTP request code

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

http: Fix overflow on HTTP request buffers

A malicious VPN gateway can send a very long hostname/path (for redirects)
or cookie list (in general), which OpenConnect will attempt to sprintf()
into a fixed length buffer.  Each HTTP server response line can add
roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request,
but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is
allocated on the stack.

The result of passing a long "Location:" header looks like:

    Attempting to connect to server 127.0.0.1:443
    SSL negotiation with localhost
    Server certificate verify failed: self signed certificate in certificate chain
    Connected to HTTPS on localhost
    GET https://localhost/
    Got HTTP response: HTTP/1.0 301 Moved
    Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
    SSL negotiation with localhost
    Server certificate verify failed: self signed certificate in certificate chain
    Connected to HTTPS on localhost
    *** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
    ======= Backtrace: =========
    /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
    /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
    /lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
    /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
    /lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
    /lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
    /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
    /scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
    /scr/openconnect2/.libs/lt-openconnect[0x40413f]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
    /scr/openconnect2/.libs/lt-openconnect[0x404579]

The proposed fix is to use dynamically allocated buffers with overflow
checking.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

http: Split HTTP redirect and cookie clear logic into helper functions

This makes openconnect_obtain_cookie() shorter, and easier to follow.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

openssl: Fix missing newline on "Failed to write" error string

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix missing verb in Solaris error message

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix typo "Keystore ocked" -> "Keystore locked"

Found by Chris Leonard <cjlhomeaddress@gmail.com>,
https://bugzilla.gnome.org/show_bug.cgi?id=684648

Signed-off-by: Jiří Klimeš <jklimes@redhat.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Hide nuke_opt_values() if stoken support not built

auth.c:498:13: warning: 'nuke_opt_values' defined but not used [-Wunused-function]

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

stoken: Update documentation, manpage with libstoken information

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Fill in "password" fields with a generated tokencode

If the gateway prompts for a password and soft token information is
available, generate a tokencode and mark the form field as OPT_STOKEN
so the user is not prompted for a password.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Implement new auth form to gather soft token information

If the user has asked to use a soft token, libopenconnect will prompt
for devid/pass/pin (as necessary) to unlock the soft token, prior to
the initial server connection.  If the user aborts, soft token mode will
be disabled and the user will need to enter his tokencode by hand.
Manual entry could be useful for e.g. activating a new token.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Add --stoken option to CLI, and invoke library to set up soft token

--stoken allows specifying a token string on the command line, or telling
the library to read it from ~/.stokenrc .

--version will indicate whether openconnect was built with software token
support.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Add software token functions to library API; bump to v2.1

openconnect_has_stoken_support(): returns 1 if the library was linked
with libstoken.

openconnect_set_stoken_mode(): enables/disables tokencode generation,
and tells the library how to locate the seed.  Unless this function is
called, the library will not try to use a soft token.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

stoken: Link with libstoken if available

libstoken [1] implements a "software token" that generates one-time
passwords from RSA SecurID 128-bit (AES) token seeds.

[1] http://stoken.sf.net/

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Allow optional arguments in the config file

getopt_long() treats an argument as optional if has_arg == 2.  Extend
this feature to the config file parser as well.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Move strcasestr() implementation to compat.c

Note: this change is untested.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Fix missing newline in the "No form handler" error message

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Link to OpenConnect SOCKS proxy (ocproxy) from documentation

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Update Debian package status

Debian stable (squeeze) includes openconnect,
network-manager-openconnect, and OpenSSL 0.9.8o:

http://packages.debian.org/squeeze/openconnect

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Fix a couple of minor typos

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

Delete references to long-removed SecurID code

Commit d707fc524 (Clean up auth form handling) removed securid.c and
the tokencode+PIN prompts, but the docs and headers still refer to these
features.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix leaks on failure paths in OpenSSL openconnect_open_https()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix use-after-free of numeric IPv6 hostname on error path

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix fd/memory leak on error return from openconnect_open_https()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close dtls_fd on error returns from connect_dtls_socket()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close config_fd before returning from write_new_config()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close ssl_sock before returning error in connect_https_socket()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Free CSTP option structure before error return if malloc fails

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Close XML file handle before error return if fstat() fails

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix error reporting when failed to write CSD script file

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix potential NULL dereference in error path in gnutls_pkcs11_simple_parse()

Spotted by Coverity. Also fixed in GnuTLS already in commit 6aca5dd7.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix token serial number matching when trying to find hidden PKCS#11 key

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Be explicit when we're connecting to a proxy not directly to a VPN server

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.07

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add missing : to getopt string for -p which takes a parameter.

Print an error rather than trying to strdup(NULL) if the parameter
is not specified.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>