A missing break in the case statement meant that --no-proxy would not disable
the proxy at all; it would actually have the same effect as --libproxy.
This bug has been present since the --no-proxy option was first added in
v2.20 (commit 9c6d3f1b). Although it was falling through to the --script
option then.
Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 1 Jul 2012 21:23:01 +0000 (22:23 +0100)]
Update changelog
It looks like the problematic server wasn't really objecting to SSLv3; it
was the lack of 3DES cipher. It wouldn't accept AES which was the only
thing that GnuTLS was offering.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 30 Jun 2012 00:41:59 +0000 (01:41 +0100)]
Separate requested from received MTU settings
This fixes a bug where an MTU requested with the --mtu option will actually
be set as the interface MTU even if the server replies with a smaller value.
It also fixes reconnect behaviour, by not treating the MTU response from
the server on the original connection into an override for the reconnect.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 29 Jun 2012 23:55:06 +0000 (00:55 +0100)]
Fix GnuTLS DTLS MTU for GnuTLS 3.0.21 and above
The fix in 4.01 (commit c218e2ac) was relying on buggy behaviour of
GnuTLS. It shouldn't have been sufficient just to pass it the *data* MTU
plus 13 and rely on the fact that GnuTLS will happily send packets
larger than that. In fixing GnuTLS MTU handling and adding the new
gnutls_dtls_set_data_mtu() function in 3.0.21, I have broken my own
code. And it serves me right.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 26 Jun 2012 14:41:16 +0000 (15:41 +0100)]
Clean up Transifex import some more
Don't let local msgmerge use fuzzy translations either, don't care about
Translation-Team: changing, and use 'diff' so we actually see the changes
(since more often than not they're false positives, so it eases debugging).
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 17 Jun 2012 22:40:41 +0000 (23:40 +0100)]
Add missing includes and libs to Android.mk
I probably shouldn't need to add libc, but it shouldn't hurt either, and I
*do* need it. Otherwise I think my screwed up local build system is using
the wrong one. One day I'll actually get AOSP or Cyanogen to build properly
and I won't have to suffer with this cobbled-together pile of crap that I'm
using...
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 15 Jun 2012 12:45:13 +0000 (13:45 +0100)]
Fix Android build
Well, almost. My local NDK setup still fails to link because libicuuc.so
needs libgabi++.so, and even with that it has undefined references to
mbstowcs and wcstombs. But that's probably a local issue.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 16:02:18 +0000 (17:02 +0100)]
Cope with lack of gnutls_certificate_set_key() in GnuTLS 2.12
We *can* use arbitrary privkeys, by using the cert_callback to provide
them on demand.
And even without gnutls_privkey_import_ext() to give us a constructed
privkey that represents the TPM key, we can cope by registering a
sign_callback on the TLS session.
This means that we can support the TPM, and also fix the lack of extra
supporting certs and expiry check when using PKCS#11 certs with GnuTLS 2.12.
It also means my code is an even bigger mess of #ifdefs than it was before.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 14 Jun 2012 07:34:11 +0000 (08:34 +0100)]
Document SHA1 buffer requirements more clearly
There's an inconsistency here; openconnect_set_xmlsha1() takes a redundant
'len' arg which serves no purpose except to check that the caller knows
how big a SHA1 is. If it's not 41, we bail.
Next time the soname is getting bumped, I'll add a similar redundant
check to openconnect_get_cert_sha1() too. I should have done that when
it was first converted from an internal function to a public-facing one
in commit 20840ab0. But I didn't, and it's not worth bumping the soname
again right now *just* for that.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 20:39:27 +0000 (21:39 +0100)]
Allow GUI to distinguish between PIN/passphrase callbacks
The UI may cache user input by form->auth_id, opt->name. But those were
always the same (and auth_id was even NULL for OpenSSL UI callbacks from
the TPM engine), so it wasn't very helpful. Fix it.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 13 Jun 2012 19:21:30 +0000 (20:21 +0100)]
Fix error exits in GnuTLS load_certificate() function
Having separate 'err' for GnuTLS errno, and 'ret' for the return value, has
caused me to sometimes return without setting 'ret'. Make it uninitialised
to start with, and then the compiler should warn if I 'goto out' again
without setting 'ret'.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 13:51:15 +0000 (14:51 +0100)]
Translate build option output
Oops. The whole point in doing it this way with full sentences instead of
crap like ("with%s TPM support", tpm?"":"out") was to ease translation...
and then I forgot to mark the strings translatable :)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:47:24 +0000 (13:47 +0100)]
Make --disable-ipv6 really do it
Previously, it only made us stop *asking* the server for IPv6. If the server
gave us IPv6 addresses anyway on the basis that this is the 21st century and
there's no excuse for pretending otherwise (or, in practice, because my test
server is handing out hard-coded responses without looking at the request),
we were still actually using them.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 11 Jun 2012 12:42:27 +0000 (13:42 +0100)]
Remove --cert-type option from command line
With the impending v4.00 release and the soname change, this is a good
time to obsolete the --cert-type option. We've been automatically
detecting key types for a *long* time.
Only remove it from the command line for now; the library never exposed
it, but if the GnuTLS cert-loading code ends up being contributed back
to GnuTLS then they might want something similar there. So leave it in
place but unused.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
projects / users / dwmw2 / openconnect.git / log