]>
www.infradead.org Git - users/dwmw2/openconnect.git/log
David Woodhouse [Wed, 13 May 2020 18:25:40 +0000 (19:25 +0100)]
Merge branch 'f5' of gitlab.com:openconnect/openconnect
David Woodhouse [Wed, 13 May 2020 18:25:09 +0000 (19:25 +0100)]
Use LCP protocol code values for feature bitmask
In preparation for handling ConfRej
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Wed, 13 May 2020 18:07:43 +0000 (11:07 -0700)]
second time's a charm?
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Wed, 13 May 2020 18:07:22 +0000 (19:07 +0100)]
Fewer magic numbers for NCP opts
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 13 May 2020 17:53:27 +0000 (18:53 +0100)]
Make encap_names[] compile again
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 13 May 2020 17:50:26 +0000 (18:50 +0100)]
Merge branch 'master' of git.infradead.org:public_git/openconnect
Daniel Lenski [Wed, 13 May 2020 17:15:46 +0000 (10:15 -0700)]
fix encap_names for Fortinet HDLC
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Wed, 13 May 2020 15:44:54 +0000 (16:44 +0100)]
Use do_https_request()
That's a lot simpler than open-coding it.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 13 May 2020 15:24:44 +0000 (16:24 +0100)]
Fix fortinet_bye() path
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Wed, 13 May 2020 14:28:28 +0000 (07:28 -0700)]
combine comments from heretofore missing ppp.h
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Wed, 13 May 2020 07:05:55 +0000 (00:05 -0700)]
save four bytes in HDLC malloc
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Wed, 13 May 2020 13:58:56 +0000 (14:58 +0100)]
Add basic attempt at Fortinet support
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 13 May 2020 13:32:41 +0000 (14:32 +0100)]
Use ID from struct ncp
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 13 May 2020 10:24:07 +0000 (11:24 +0100)]
Make proto strings static
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 13 May 2020 09:45:44 +0000 (10:45 +0100)]
Add missing ppp.h
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Wed, 13 May 2020 06:38:51 +0000 (23:38 -0700)]
use HDLC_OUT macro
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Wed, 13 May 2020 06:13:17 +0000 (23:13 -0700)]
check for PPP state transitions before/after each packet received
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 12 May 2020 22:26:23 +0000 (15:26 -0700)]
move PPP #defines and structs to ppp.h
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 12 May 2020 22:29:57 +0000 (15:29 -0700)]
unused label
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Tue, 12 May 2020 21:27:24 +0000 (22:27 +0100)]
Handle ConfRej for anything that needs it.
If get a ConfReq with anything we don't want or understand — and that
includes bloody VJ header compression, since I'm not completely batshit
insane — send a ConfRej.
Do this by building up the options to be rejected in an oc_text_buf as
we go, then rejecting that set if it's non-empty once we get to the end.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Tue, 12 May 2020 21:12:25 +0000 (14:12 -0700)]
Fix un-HDLC corner cases
1) The initial 0x7e is optional, the final 0x7e is not (was reversed).
2) Dangling escape can occur even when we haven't run out of buffer. 0x7d 0x7e is an invalid sequence.
While not breaking…
3) 0x7d can be the “target” of an escape (0x7d 0x7d → 0x5d)
4) 0x5d as the “target” of an escape (0x7d 0x5d → 0x7d) doesn't indicate a new escape
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Tue, 12 May 2020 19:41:06 +0000 (20:41 +0100)]
Add FCS support
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Tue, 12 May 2020 20:15:37 +0000 (13:15 -0700)]
nope, F5 HDLC isn't emitting junk… I'm just failing to unescape the FCS
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 12 May 2020 17:37:00 +0000 (10:37 -0700)]
tweak unhdlc_in_place, in preparation for multiple concatenated packets
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 12 May 2020 06:16:34 +0000 (23:16 -0700)]
simplify PPP header checking
There's no point whatsover to checking if the server is doing ACCOMP/PFCOMP
as negotiated:
- Even if negotiated, they're optional.
- Even if *not* negotiated, they're unambiguous.
- Either way, it's much easier just to ignore the negotiated options.
“Be liberal in what you accept, and conservative in what you send.”
Some day I will acquire a time machine, travel back to 1993, and ask the
designers of PPP not to add meaningless boilerplate bytes to their protocol
in such a uniquely strange-yet-approachable way that compels future implementers to
reinvent clever ways of dealing with them hundreds of times.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 12 May 2020 02:39:36 +0000 (19:39 -0700)]
F5 server sends frequent extra junk/padding in HDLC mode… just accept it
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 12 May 2020 01:02:19 +0000 (18:02 -0700)]
working unhdlc_in_place and hdlc_into_new_pkt
TODO: verify incoming FCS and generate outgoing FCS (F5 accepts it set to zero ¯\_(ツ)_/¯)
https://tools.ietf.org/html/rfc1662#appendix-C.2
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 22:56:36 +0000 (15:56 -0700)]
rip out HDLC skeleton as a thought experiment
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 12 May 2020 02:14:30 +0000 (19:14 -0700)]
remove state-machine fall-throughs: unnecessary, error-prone, make the transition display confusing
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Tue, 12 May 2020 01:47:10 +0000 (18:47 -0700)]
get rid of offset-by-1 in lcp_names and encap_names arrays
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 23:54:47 +0000 (16:54 -0700)]
log ancient deprecated IPCP IP-Addresses option
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 22:34:34 +0000 (15:34 -0700)]
use tcp_control_queue for PPP config packets
(Also fixes the dodginess of using high nibble of first byte to distinguish config from data packets)
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 22:34:34 +0000 (15:34 -0700)]
oncp_control_queue → tcp_control_queue
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 22:10:06 +0000 (15:10 -0700)]
cleanup state printing
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 22:04:27 +0000 (15:04 -0700)]
add timers to resend Config-Request after 3 seconds
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 21:52:20 +0000 (14:52 -0700)]
send_config_request → queue_config_request
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 19:34:36 +0000 (12:34 -0700)]
now storing {in,out}_lcp_magic in on-the-wire order (for ease of assembing util packets)
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 19:33:16 +0000 (12:33 -0700)]
fix header shift prediction
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Mon, 11 May 2020 15:12:34 +0000 (16:12 +0100)]
Better attempt to get HDLC outbound right
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 11 May 2020 13:26:38 +0000 (14:26 +0100)]
Use CONFREQ et al definitions instead of numbers
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 11 May 2020 12:39:10 +0000 (13:39 +0100)]
Make oc_ncp state a structure, including the id.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 11 May 2020 12:29:28 +0000 (13:29 +0100)]
Drop hdlc and we_go_first args from openconnect_ppp_new()
We should always go first for *our* outbound ConfReqs, not wait for the
server to go first. And HDLC can be inferred from the encap mode, to
which we can add PPP_ENCAP_F5_HDLC.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Mon, 11 May 2020 18:47:54 +0000 (11:47 -0700)]
we're never gonna want outgoing header compression
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 18:40:59 +0000 (11:40 -0700)]
handle we_go_first
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 18:17:55 +0000 (11:17 -0700)]
use queue for conf-ack packets too
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 17:57:02 +0000 (10:57 -0700)]
two more dumb bugs
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 16:58:33 +0000 (09:58 -0700)]
queue util packets
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 16:58:12 +0000 (09:58 -0700)]
fix two bugs which were cancelling each other
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 08:28:12 +0000 (01:28 -0700)]
consolidate send_util and stash packet header length in packet
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 04:32:50 +0000 (21:32 -0700)]
PPP: use echo-request/discard-request for DPD/keepalive
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 03:39:03 +0000 (20:39 -0700)]
working PPP mainloop
Still TODO:
- Handle we_go_first option where we offer our Configure-Request before receiving one
- Handle HDLC (blech)
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 03:36:33 +0000 (20:36 -0700)]
state naming/handling cleanup
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 03:33:43 +0000 (20:33 -0700)]
plan to handle different types of PPP encapsulation (F5, array, etc.)
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Mon, 11 May 2020 00:37:18 +0000 (17:37 -0700)]
include ppp state in `struct openconnect_info`
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Fri, 8 May 2020 21:35:13 +0000 (14:35 -0700)]
factor out send_config_request
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Fri, 8 May 2020 09:40:47 +0000 (02:40 -0700)]
working PPP config negotation (LCP+IPCP+IP6CP)
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Fri, 8 May 2020 07:11:51 +0000 (00:11 -0700)]
make buf_append_{be16,be32,le16} global
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Wed, 6 May 2020 20:01:28 +0000 (13:01 -0700)]
add test-f5-login.py script
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Thu, 7 May 2020 00:01:51 +0000 (17:01 -0700)]
extract basic IP configuration from XML, including default and split routes
Based on code structure in gpst.c, and hints about interpretation of XML tags from:
- https://github.com/rei/f5vpn-client/blob/HEAD/f5vpn-login.py
- https://github.com/rei/f5vpn-client/blob/HEAD/README.md
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Thu, 7 May 2020 14:17:37 +0000 (15:17 +0100)]
Disable OpenSSL RDRAND in COPR tests to work around SoftHSM deadlock
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 7 May 2020 09:42:57 +0000 (10:42 +0100)]
Fix name of tpm2-tss-engine
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Wed, 6 May 2020 20:21:42 +0000 (13:21 -0700)]
Fix f5_bye
Like oNCP, one GET request takes care of it
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Wed, 6 May 2020 16:12:52 +0000 (09:12 -0700)]
typo
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Wed, 6 May 2020 21:10:42 +0000 (22:10 +0100)]
Start adding PPP
It's going to need a state machine, with timers and non-blocking reads.
But that's not so hard, based on cancellable_recv().
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 6 May 2020 11:26:45 +0000 (12:26 +0100)]
First attempt at F5 support
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 4 May 2020 15:27:46 +0000 (16:27 +0100)]
Fix up COPR specfiles for bash-completion script location
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 4 May 2020 12:50:38 +0000 (13:50 +0100)]
Merge branch 'bash-completion' of gitlab.com:bluca/openconnect
David Woodhouse [Mon, 4 May 2020 10:56:36 +0000 (11:56 +0100)]
Use shorter pathname for COPR RPM build
If the path of SOCKET_WRAPPER_DIR is too long, it doesn't fit in the
sun_path field of the sockaddr_un, and libsocket_wrapper gets very
unhappy, reporting 'Too many unix sockets'. Despite actually only ever
trying *one* path over and over again 1024 times due to truncation.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Luca Boccassi [Sat, 2 May 2020 10:58:05 +0000 (11:58 +0100)]
Install tncc-emulate.py too
Signed-off-by: Luca Boccassi <bluca@debian.org>
Luca Boccassi [Sat, 2 May 2020 10:57:14 +0000 (11:57 +0100)]
Fix typo in autocomplete test log message
Signed-off-by: Luca Boccassi <bluca@debian.org>
Luca Boccassi [Sat, 2 May 2020 10:53:37 +0000 (11:53 +0100)]
Bash completion: install as /usr/share/bash-completion/completions/openconnect
This is the common default installation pattern for quite some time
Signed-off-by: Luca Boccassi <bluca@debian.org>
David Woodhouse [Sat, 2 May 2020 08:25:29 +0000 (09:25 +0100)]
Fix path to openconnect in bash completion
Oops, that wasn't supposed to get committed like that.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 1 May 2020 11:06:17 +0000 (12:06 +0100)]
Fix sigterm test at last
Make the main script wait for the device to be *up* not just exist.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 1 May 2020 10:57:57 +0000 (11:57 +0100)]
More debug for sigterm
It's actually the vpnc-script which is failing:
+ '[' connect = connect ']'
+ ip link set dev oc-6352-tun0 up mtu 1434
Error: Device for nexthop is not up.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 1 May 2020 10:36:21 +0000 (11:36 +0100)]
No, the sigterm test is just unreliable, like it always has been.
A little more debugging. Perhaps just a longer sleep would suffice?
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 1 May 2020 10:22:13 +0000 (11:22 +0100)]
The sigterm test is actually passing on CentOS8/GnuTLS
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 1 May 2020 09:14:57 +0000 (10:14 +0100)]
Revert "Add DLL requires for mingw package"
This reverts commit
7f015dbf2aacf48356bb3e587d56e9ff21beefd7 . With
https://bugzilla.redhat.com/show_bug.cgi?id=
1830233 understood, it isn't
necessary to provide these manually.
David Woodhouse [Thu, 30 Apr 2020 16:41:20 +0000 (17:41 +0100)]
Attempt to fix EPEL8 build
Use --without-gnutls-version-check; as if EPEL8 *does* get the fix for
the zero-client-random bug it will probably come without a version bump.
This also partially reverts commit
68641c0393e which disabled the use of
--with-default-gnutls-priority on *all* EPEL versions, but since I wasn't
building for EPEL8 at that point I don't think it was done for EPEL8
specifically, and can probably be restored.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 30 Apr 2020 15:19:47 +0000 (16:19 +0100)]
Import wine fix for CI
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 30 Apr 2020 08:17:38 +0000 (09:17 +0100)]
Update translations from GNOME
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 30 Apr 2020 08:03:28 +0000 (09:03 +0100)]
Fix up changelog confusion a bit more
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Wed, 29 Apr 2020 21:35:36 +0000 (14:35 -0700)]
fix wrong string in error message
Typo in https://gitlab.com/openconnect/openconnect/-/merge_requests/97
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Daniel Lenski [Wed, 29 Apr 2020 21:34:43 +0000 (14:34 -0700)]
add and fix a few changelog entries
One significant user-facing entries left out of v8.09 changelog:
* modernized Juniper TNCC script
Two were labeled as being in v8.08 when in fact they weren't merged until v8.09:
* GlobalProtect MRs (!90, !93, !95)
* disabling of Nagle's algorithm for TLS sockets
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Wed, 29 Apr 2020 15:58:40 +0000 (16:58 +0100)]
Add DLL requires for mingw package
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 29 Apr 2020 15:49:18 +0000 (16:49 +0100)]
No SoftHSM for EPEL8 for now
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 29 Apr 2020 13:21:06 +0000 (14:21 +0100)]
Tag version 8.09
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 29 Apr 2020 13:15:32 +0000 (14:15 +0100)]
Update translations from GNOME
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Jordy Zomer [Thu, 23 Apr 2020 11:28:12 +0000 (13:28 +0200)]
Use OpenSSL X509_check_host() and X509_check_ip() correctly.
These functions return 1 for a successful match, 0 for a failed match,
-1 for an internal error, or -2 if the certificate is malformed.
OpenConnect has been treating any value other than zero as a success,
meaning that an attacker who could get a trusted CA to issue an invalid
certificate (on which the ASN.1 decoder fails, for example), could use
that to assume *any* identity.
This is CVE-2020-12105.
https://gitlab.com/openconnect/openconnect/-/merge_requests/96
Signed-off-by: Jordy Zomer <jordy@simplyhacker.com>
Daniel Lenski [Thu, 23 Apr 2020 17:30:40 +0000 (10:30 -0700)]
fix IPv4 split-{in,ex}clude routes with misspecified host bits
Some VPN platforms (GlobalProtect, apparently) allow administrators to input
such non-canonical IPv4 routes, and some routing configuration utilities
(apparently *not* iproute2) simply do not accept such non-canonical IPv4
routes.
An example of the confusion this can cause:
https://lists.infradead.org/pipermail/openconnect-devel/2020-April/005665.html
The robustness principle suggests that the best thing to do here is to fix
these routes, but complain about them while we're at it.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
David Woodhouse [Mon, 27 Apr 2020 16:53:25 +0000 (17:53 +0100)]
Build mingw with lz4 and stoken
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 27 Apr 2020 15:12:12 +0000 (16:12 +0100)]
Drop wine-common for now, openconnect.exe in bindir
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Mon, 27 Apr 2020 12:20:16 +0000 (13:20 +0100)]
Add mingw build in copr
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Sat, 25 Apr 2020 08:54:28 +0000 (09:54 +0100)]
Fix dependencies and tests/configs/server-cert.prm to dist
Strictly, *break* the dependencies. We don't want server-cert.pem being
gratuitously rebuilt. It's breaking the CI because the file isn't pristine
when 'make tmp-distdir' runs.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 23 Apr 2020 13:33:02 +0000 (14:33 +0100)]
Add commands for creating server-cert
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 22 Apr 2020 15:57:59 +0000 (16:57 +0100)]
Add CentOS8 CI
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 14 Apr 2020 12:48:09 +0000 (13:48 +0100)]
Log in slots with CKF_USER_PIN_INITIALIZED and not CKF_LOGIN_REQUIRED
Fixes: #123 (for OpenSSL build)
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 22 Apr 2020 15:04:37 +0000 (16:04 +0100)]
Reimport with SoftHSM v2.2
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 22 Apr 2020 14:30:11 +0000 (15:30 +0100)]
Update SoftHSM token import scripting and reimport
The slot numbers get reassigned now.
The RSA key modulus had been imported with a leading zero bytes,
confusing SoftHSM when it tried to perform CKM_RSA_PKCS or
CKM_RSA_PKCS_PSS signatures.
https://github.com/opendnssec/SoftHSMv2/issues/544
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 21 Apr 2020 21:31:39 +0000 (22:31 +0100)]
Merge branch 'use_TCP_NODELAY_when_tunnel_running_over_TCP' of gitlab.com:openconnect/openconnect
Daniel Lenski [Tue, 21 Apr 2020 21:22:34 +0000 (14:22 -0700)]
changelog
Signed-off-by: Daniel Lenski <dlenski@gmail.com>