platform/upstream/openconnect.git
Kevin Cernekee [Wed, 24 Oct 2012 04:10:44 +0000 (21:10 -0700)]
library: Add call to change reported OS name

Newer gateways require the client to announce its platform name (win,
mac, linux, linux-64) in the HTTP headers and in the <config-auth>
section of each request.  The gateway can be configured to apply different
security policies to different OSes, or even completely block access to
OSes that are not on the "approved" list.

Therefore, it is useful to be able to adjust the OS name that is reported
to the gateway.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Fri, 26 Oct 2012 04:53:10 +0000 (21:53 -0700)]
auth: Parse the new server response format

Newer AnyConnect installations use a different XML document tree
to pass information to the client.  This patch allows OpenConnect
to parse the new format, and attempts to document both the old
format and the new format in the comments.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 27 Oct 2012 22:44:23 +0000 (15:44 -0700)]
auth: Split auth form prompt logic from parsing logic

Provide separate calls for parse_xml_response() and handle_auth_form(),
so that the ordering of events in openconnect_obtain_cookie() can be
modified.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 27 Oct 2012 22:26:11 +0000 (15:26 -0700)]
auth: Don't forget to free OC_FORM_OPT_STOKEN entries

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Fri, 26 Oct 2012 04:42:09 +0000 (21:42 -0700)]
auth: Introduce new XML helper functions for parse_auth_node()

Try to clean up some of the c&p casting and long lines.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Fri, 26 Oct 2012 04:29:03 +0000 (21:29 -0700)]
auth: Move <auth> node parsing into a separate function

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Fri, 26 Oct 2012 04:16:57 +0000 (21:16 -0700)]
auth: Remove obsolete trace message from parse_form()

parse_form() used to add hidden form fields to the query string on
the spot, but since it doesn't anymore, it should not display the
"Fixed options" trace message.

After making this change, we can remove the request / request_body
arguments.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 27 Oct 2012 19:38:18 +0000 (12:38 -0700)]
http: Create add_common_headers() to simplify HTTP request code

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 27 Oct 2012 19:25:50 +0000 (12:25 -0700)]
http: Fix overflow on HTTP request buffers

A malicious VPN gateway can send a very long hostname/path (for redirects)
or cookie list (in general), which OpenConnect will attempt to sprintf()
into a fixed length buffer.  Each HTTP server response line can add
roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request,
but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is
allocated on the stack.

The result of passing a long "Location:" header looks like:

    Attempting to connect to server 127.0.0.1:443
    SSL negotiation with localhost
    Server certificate verify failed: self signed certificate in certificate chain
    Connected to HTTPS on localhost
    GET https://localhost/
    Got HTTP response: HTTP/1.0 301 Moved
    Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
    SSL negotiation with localhost
    Server certificate verify failed: self signed certificate in certificate chain
    Connected to HTTPS on localhost
    *** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
    ======= Backtrace: =========
    /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
    /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
    /lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
    /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
    /lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
    /lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
    /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
    /scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
    /scr/openconnect2/.libs/lt-openconnect[0x40413f]
    /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
    /scr/openconnect2/.libs/lt-openconnect[0x404579]

The proposed fix is to use dynamically allocated buffers with overflow
checking.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
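An added example (not OpenConnect's own code) of the approach this commit message proposes: a growable request buffer whose every append is size-checked against MAX_BUF_LEN, so a server-controlled redirect path or cookie list that is too long makes the request fail cleanly instead of overrunning a fixed stack buffer. The names text_buf, buf_append and build_get_request, and the minimal header set, are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hard cap on one outgoing request: the same figure the commit message
 * cites for the old fixed-size stack buffer, here used as a limit. */
#define MAX_BUF_LEN 131072

/* Growable, NUL-terminated text buffer. Once an append would push the
 * request past MAX_BUF_LEN (or realloc fails), 'error' latches; later
 * appends become no-ops and the caller checks once after building. */
struct text_buf {
	char *data;
	size_t pos;      /* bytes used, excluding the NUL */
	size_t buf_len;  /* bytes allocated */
	int error;
};

static void buf_init(struct text_buf *b) { memset(b, 0, sizeof(*b)); }
static void buf_free(struct text_buf *b) { free(b->data); buf_init(b); }

/* Make room for 'need' more bytes plus the NUL. Returns 0 on success,
 * -1 if the result would exceed MAX_BUF_LEN or memory runs out. */
static int buf_ensure(struct text_buf *b, size_t need)
{
	size_t want = b->pos + need + 1;
	size_t new_len;
	char *p;

	if (need > MAX_BUF_LEN || want > MAX_BUF_LEN) {
		b->error = 1;
		return -1;
	}
	if (want <= b->buf_len)
		return 0;
	new_len = b->buf_len ? b->buf_len : 1024;
	while (new_len < want)
		new_len *= 2;
	if (new_len > MAX_BUF_LEN)
		new_len = MAX_BUF_LEN;
	p = realloc(b->data, new_len);
	if (!p) {
		b->error = 1;
		return -1;
	}
	b->data = p;
	b->buf_len = new_len;
	return 0;
}

/* printf-style append: measure first, then write with a bounded size. */
static void buf_append(struct text_buf *b, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (b->error)
		return;
	va_start(ap, fmt);
	n = vsnprintf(NULL, 0, fmt, ap);
	va_end(ap);
	if (n < 0 || buf_ensure(b, (size_t)n) < 0) {
		b->error = 1;
		return;
	}
	va_start(ap, fmt);
	vsnprintf(b->data + b->pos, b->buf_len - b->pos, fmt, ap);
	va_end(ap);
	b->pos += (size_t)n;
}

/* Assemble the next request from values the previous server response
 * controls (redirect host and path, accumulated cookie list). Returns 0,
 * or -1 if the request would exceed MAX_BUF_LEN. The caller buf_free()s
 * 'out' either way. The header set is a constructed minimal one. */
static int build_get_request(const char *host, const char *path,
			     const char *cookies, struct text_buf *out)
{
	buf_append(out, "GET %s HTTP/1.1\r\n", path);
	buf_append(out, "Host: %s\r\n", host);
	if (cookies)
		buf_append(out, "Cookie: %s\r\n", cookies);
	buf_append(out, "\r\n");
	return out->error ? -1 : 0;
}
```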
Kevin Cernekee [Sat, 27 Oct 2012 17:55:27 +0000 (10:55 -0700)]
http: Split HTTP redirect and cookie clear logic into helper functions

This makes openconnect_obtain_cookie() shorter, and easier to follow.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 27 Oct 2012 19:05:33 +0000 (12:05 -0700)]
openssl: Fix missing newline on "Failed to write" error string

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
David Woodhouse [Mon, 22 Oct 2012 16:00:05 +0000 (17:00 +0100)]
Fix missing verb in Solaris error message

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 22 Oct 2012 15:49:25 +0000 (16:49 +0100)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 18 Oct 2012 00:45:28 +0000 (17:45 -0700)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 17 Oct 2012 14:40:59 +0000 (07:40 -0700)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Jiří Klimeš [Wed, 17 Oct 2012 13:09:59 +0000 (15:09 +0200)]
Fix typo "Keystore ocked" -> "Keystore locked"

Found by Chris Leonard <cjlhomeaddress@gmail.com>,
https://bugzilla.gnome.org/show_bug.cgi?id=684648

Signed-off-by: Jiří Klimeš <jklimes@redhat.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 15 Oct 2012 22:52:50 +0000 (15:52 -0700)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 15 Oct 2012 04:33:53 +0000 (21:33 -0700)]
Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 15 Oct 2012 04:31:18 +0000 (21:31 -0700)]
Hide nuke_opt_values() if stoken support not built

auth.c:498:13: warning: 'nuke_opt_values' defined but not used [-Wunused-function]

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Kevin Cernekee [Mon, 8 Oct 2012 01:03:44 +0000 (18:03 -0700)]
stoken: Update documentation, manpage with libstoken information

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 20:06:18 +0000 (13:06 -0700)]
stoken: Fill in "password" fields with a generated tokencode

If the gateway prompts for a password and soft token information is
available, generate a tokencode and mark the form field as OPT_STOKEN
so the user is not prompted for a password.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 19:31:18 +0000 (12:31 -0700)]
stoken: Implement new auth form to gather soft token information

If the user has asked to use a soft token, libopenconnect will prompt
for devid/pass/pin (as necessary) to unlock the soft token, prior to
the initial server connection.  If the user aborts, soft token mode will
be disabled and the user will need to enter his tokencode by hand.
Manual entry could be useful for e.g. activating a new token.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 18:23:35 +0000 (11:23 -0700)]
stoken: Add --stoken option to CLI, and invoke library to set up soft token

--stoken allows specifying a token string on the command line, or telling
the library to read it from ~/.stokenrc .

--version will indicate whether openconnect was built with software token
support.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 17:46:18 +0000 (10:46 -0700)]
stoken: Add software token functions to library API; bump to v2.1

openconnect_has_stoken_support(): returns 1 if the library was linked
with libstoken.

openconnect_set_stoken_mode(): enables/disables tokencode generation,
and tells the library how to locate the seed.  Unless this function is
called, the library will not try to use a soft token.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Mon, 8 Oct 2012 01:03:42 +0000 (18:03 -0700)]
stoken: Link with libstoken if available

libstoken [1] implements a "software token" that generates one-time
passwords from RSA SecurID 128-bit (AES) token seeds.

[1] http://stoken.sf.net/

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Mon, 8 Oct 2012 01:03:41 +0000 (18:03 -0700)]
Allow optional arguments in the config file

getopt_long() treats an argument as optional if has_arg == 2.  Extend
this feature to the config file parser as well.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Mon, 8 Oct 2012 01:03:38 +0000 (18:03 -0700)]
Move strcasestr() implementation to compat.c

Note: this change is untested.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 19:39:40 +0000 (12:39 -0700)]
Fix missing newline in the "No form handler" error message

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Mon, 8 Oct 2012 01:03:37 +0000 (18:03 -0700)]
Link to OpenConnect SOCKS proxy (ocproxy) from documentation

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Mon, 8 Oct 2012 01:03:36 +0000 (18:03 -0700)]
Update Debian package status

Debian stable (squeeze) includes openconnect,
network-manager-openconnect, and OpenSSL 0.9.8o:

http://packages.debian.org/squeeze/openconnect

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Mon, 8 Oct 2012 01:03:35 +0000 (18:03 -0700)]
Fix a couple of minor typos

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sun, 30 Sep 2012 03:02:35 +0000 (20:02 -0700)]
Delete references to long-removed SecurID code

Commit d707fc524 (Clean up auth form handling) removed securid.c and
the tokencode+PIN prompts, but the docs and headers still refer to these
features.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 21:01:10 +0000 (22:01 +0100)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 20:56:21 +0000 (21:56 +0100)]
Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 20:55:42 +0000 (21:55 +0100)]
Fix leaks on failure paths in OpenSSL openconnect_open_https()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:42:10 +0000 (20:42 +0100)]
Fix use-after-free of numeric IPv6 hostname on error path

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:27:25 +0000 (20:27 +0100)]
Fix fd/memory leak on error return from openconnect_open_https()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:26:04 +0000 (20:26 +0100)]
Close dtls_fd on error returns from connect_dtls_socket()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:24:52 +0000 (20:24 +0100)]
Close config_fd before returning from write_new_config()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:23:31 +0000 (20:23 +0100)]
Close ssl_sock before returning error in connect_https_socket()

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:21:37 +0000 (20:21 +0100)]
Free CSTP option structure before error return if malloc fails

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:20:32 +0000 (20:20 +0100)]
Close XML file handle before error return if fstat() fails

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:12:57 +0000 (20:12 +0100)]
Fix error reporting when failed to write CSD script file

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:09:17 +0000 (20:09 +0100)]
Fix potential NULL dereference in error path in gnutls_pkcs11_simple_parse()

Spotted by Coverity. Also fixed in GnuTLS already in commit 6aca5dd7.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 26 Sep 2012 19:04:28 +0000 (20:04 +0100)]
Fix token serial number matching when trying to find hidden PKCS#11 key

Spotted by Coverity.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 24 Sep 2012 10:34:20 +0000 (11:34 +0100)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 23 Sep 2012 13:48:05 +0000 (14:48 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 22 Sep 2012 11:20:03 +0000 (12:20 +0100)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 23 Sep 2012 15:42:41 +0000 (17:42 +0200)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 23 Sep 2012 15:41:09 +0000 (17:41 +0200)]
Be explicit when we're connecting to a proxy not directly to a VPN server

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 10 Sep 2012 15:59:10 +0000 (16:59 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 3 Sep 2012 23:11:51 +0000 (00:11 +0100)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 31 Aug 2012 12:29:57 +0000 (13:29 +0100)]
Tag version 4.07

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 31 Aug 2012 12:25:06 +0000 (13:25 +0100)]
Update changelog

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Stuart Henderson [Thu, 30 Aug 2012 13:15:05 +0000 (14:15 +0100)]
Add missing : to getopt string for -p which takes a parameter.

Print an error rather than trying to strdup(NULL) if the parameter
is not specified.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 20 Aug 2012 10:37:52 +0000 (11:37 +0100)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 20 Aug 2012 10:14:23 +0000 (11:14 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 3 Aug 2012 22:26:52 +0000 (23:26 +0100)]
Handle CSTP rekey when stalled

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 3 Aug 2012 09:11:54 +0000 (10:11 +0100)]
Fix CSTP write stall handling

We were handling the -EAGAIN case as a hard error and tearing down the
connection. Instead, we should just wait for the socket to become writeable.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 2 Aug 2012 21:08:12 +0000 (22:08 +0100)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 23 Jul 2012 13:14:06 +0000 (14:14 +0100)]
Tag version 4.06

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Mike Miller [Thu, 19 Jul 2012 05:10:42 +0000 (01:10 -0400)]
Check for system CA certificate file for GnuTLS

Look in certain well-known system paths for the default file to give to
gnutls_certificate_set_x509_trust_file() if required.  Auto-detection is
inspired by the GnuTLS configure script.

Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 16 Jul 2012 20:20:45 +0000 (21:20 +0100)]
Fix strict-aliasing warning with DTLS local port handling

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 16 Jul 2012 19:19:44 +0000 (20:19 +0100)]
Improve error reporting for vpnc-script

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 15 Jul 2012 19:25:44 +0000 (20:25 +0100)]
Handle PKCS#11 tokens which don't list keys before login

If the user passed only one URL for both key+cert, and the cert was found,
then at least *try* looking for the key in the same token before giving up.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 12 Jul 2012 13:57:01 +0000 (14:57 +0100)]
Tag version 4.05

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 12 Jul 2012 12:12:50 +0000 (13:12 +0100)]
Use correct XML tag for CSD script on Mac

Other operating systems still get the Linux version, and will need a
wrapper or something to make it cope.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 12 Jul 2012 12:05:33 +0000 (13:05 +0100)]
Remove CSD script when done with it

We still don't remove it if the user hits Ctrl-C when we're logging in.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 12 Jul 2012 11:56:54 +0000 (12:56 +0100)]
Only setuid() for CSD if a user was specified.

Otherwise it'll be setuid(0) which will (mostly) be a no-op for root, or
fail for non-root users.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 12 Jul 2012 11:53:33 +0000 (12:53 +0100)]
Remove -vpnclient arg from CSD invocation

It never made any sense, and doesn't seem to be necessary.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 11 Jul 2012 21:42:29 +0000 (22:42 +0100)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 11 Jul 2012 21:40:17 +0000 (22:40 +0100)]
Remove obsolete --key-type option from usage help text

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 11 Jul 2012 17:13:34 +0000 (18:13 +0100)]
Fix endless loop when multiple PKCS#11 tokens need PINs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 11 Jul 2012 16:58:32 +0000 (17:58 +0100)]
Use P11_KIT_URI_FOR_ANY to preserve all attributes in PKCS#11 URIs

Otherwise we were losing the attributes which specified a token... which is
a pain when the token doesn't list private keys until you're logged in. In
that case you do *have* to specify the token otherwise the object will never
be found.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 10 Jul 2012 14:30:26 +0000 (15:30 +0100)]
Don't forget key password on reconnect / change hosts in GUI.

As part of the password handling cleanup, we were clearing the stored
->cert_password after using it. This means we have to retain the https_ctx
or https_cred structure for the whole lifetime of the vpninfo, even across
reconnects. Fix openconnect_reset_ssl() accordingly.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Stuart Henderson [Sun, 8 Jul 2012 15:23:05 +0000 (17:23 +0200)]
mainloop.c - malloc without a prototype

I noticed a little problem building OpenConnect against gnutls 3;
mainloop.c uses malloc() in queue_new_packet(), somewhere in the chain
of openssl headers stdlib.h gets pulled in so it works ok there, but
this isn't the case with a gnutls build.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 8 Jul 2012 19:42:07 +0000 (20:42 +0100)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 8 Jul 2012 19:38:34 +0000 (20:38 +0100)]
Fix 'make update-translations' not to remove file headers

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 5 Jul 2012 10:14:27 +0000 (11:14 +0100)]
Tag version 4.04

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 5 Jul 2012 10:03:37 +0000 (11:03 +0100)]
Strip out full header when comparing po files

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 5 Jul 2012 08:50:09 +0000 (09:50 +0100)]
Fix spelling error in --pid-file help text

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 5 Jul 2012 08:40:36 +0000 (09:40 +0100)]
Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 2 Jul 2012 23:41:38 +0000 (00:41 +0100)]
Fix GnuTLS password handling for PKCS#8 files

When we have no preconfigured password for a PKCS#8 file, we were getting
the wrong error and were aborting instead of asking for a password.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 2 Jul 2012 10:25:55 +0000 (11:25 +0100)]
Tag version 4.03

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Tiago Vignatti [Sun, 1 Jul 2012 23:03:23 +0000 (02:03 +0300)]
Fix --no-proxy option

A missing break in the case statement meant that --no-proxy would not disable
the proxy at all; it would actually have the same effect as --libproxy.

This bug has been present since the --no-proxy option was first added in
v2.20 (commit 9c6d3f1b). Although it was falling through to the --script
option then.

Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 1 Jul 2012 21:23:01 +0000 (22:23 +0100)]
Update changelog

It looks like the problematic server wasn't really objecting to SSLv3; it
was the lack of 3DES cipher. It wouldn't accept AES which was the only
thing that GnuTLS was offering.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 30 Jun 2012 00:41:59 +0000 (01:41 +0100)]
Separate requested from received MTU settings

This fixes a bug where an MTU requested with the --mtu option will actually
be set as the interface MTU even if the server replies with a smaller value.

It also fixes reconnect behaviour, by not treating the MTU response from
the server on the original connection as an override for the reconnect.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 29 Jun 2012 23:55:06 +0000 (00:55 +0100)]
Fix GnuTLS DTLS MTU for GnuTLS 3.0.21 and above

The fix in 4.01 (commit c218e2ac) was relying on buggy behaviour of
GnuTLS. It shouldn't have been sufficient just to pass it the *data* MTU
plus 13 and rely on the fact that GnuTLS will happily send packets
larger than that. In fixing GnuTLS MTU handling and adding the new
gnutls_dtls_set_data_mtu() function in 3.0.21, I have broken my own
code. And it serves me right.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 29 Jun 2012 20:17:47 +0000 (21:17 +0100)]
Advertise TLS1.0 not SSL3.0 in GnuTLS ClientHello

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 29 Jun 2012 11:52:41 +0000 (12:52 +0100)]
Remove hard-coded table of ciphers for PEM decryption

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 28 Jun 2012 23:58:34 +0000 (00:58 +0100)]
Improve cipher coverage of OpenSSL encrypted PEM support for GnuTLS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 28 Jun 2012 14:52:51 +0000 (15:52 +0100)]
Tag version 4.02

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 28 Jun 2012 13:04:36 +0000 (14:04 +0100)]
Fix build failure on systems without GnuTLS v3

Oops. Including header files which are only available in GnuTLS v3 is
probably not cunning, if we're building with OpenSSL or with GnuTLS v2.

Pointed out by Stuart Henderson (thanks).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 28 Jun 2012 11:46:40 +0000 (12:46 +0100)]
Tag version 4.01

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 27 Jun 2012 22:20:40 +0000 (23:20 +0100)]
Fix DTLS MTU for GnuTLS

GnuTLS defaults to an MTU of 1200 (less the 13-byte overhead), and will
truncate data packets accordingly. We *really* don't want that...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 27 Jun 2012 18:58:55 +0000 (19:58 +0100)]
Fix SEGV on cstp_reconnect() without deflate

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 26 Jun 2012 14:41:16 +0000 (15:41 +0100)]
Clean up Transifex import some more

Don't let local msgmerge use fuzzy translations either, don't care about
Translation-Team: changing, and use 'diff' so we actually see the changes
(since more often than not they're false positives, so it eases debugging).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 25 Jun 2012 20:13:35 +0000 (22:13 +0200)]
Fix build on systems without O_CLOEXEC

Reported by Ryan Steinmetz <zi@freebsd.org>

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Steven Ihde [Sun, 24 Jun 2012 03:49:32 +0000 (20:49 -0700)]
Add source port option for DTLS

Signed-off-by: Steven Ihde <sihde@hamachi.us>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 23 Jun 2012 16:15:07 +0000 (18:15 +0200)]
Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>