Remove obsolete --key-type option from usage help text

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix endless loop when multiple PKCS#11 tokens need PINs

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Use P11_KIT_URI_FOR_ANY to preserve all attributes in PKCS#11 URIs

Otherwise we were losing the attributes which specified a token... which is
a pain when the token doesn't list private keys until you're logged in. In
that case you do *have* to specify the token otherwise the object will never
be found.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't forget key password on reconnect / change hosts in GUI.

As part of the password handling cleanup, we were clearing the stored
->cert_password after using it. This means we have to retain the https_ctx
or https_cred structure for the whole lifetime of the vpninfo, even across
reconnects. Fix openconnect_reset_ssl() accordingly.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

mainloop.c - malloc without a prototype

I noticed a little problem building OpenConnect against gnutls 3;
mainloop.c uses malloc() in queue_new_packet(), somewhere in the chain
of openssl headers stdlib.h gets pulled in so it works ok there, but
this isn't the case with a gnutls build.

Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix 'make update-translations' not to remove file headers

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.04

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Strip out full header when comparing po files

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix spelling error in --pid-file help text

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix GnuTLS password handling for PKCS#8 files

When we have no preconfigured password for a PKCS#8 file, we were getting
the wrong error and were aborting instead of asking for a password.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.03

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix --no-proxy option

A missing break in the case statement meant that --no-proxy would not disable
the proxy at all; it would actually have the same effect as --libproxy.

This bug has been present since the --no-proxy option was first added in
v2.20 (commit 9c6d3f1b). Although it was falling through to the --script
option then.

Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update changelog

It looks like the problematic server wasn't really objecting to SSLv3; it
was the lack of 3DES cipher. It wouldn't accept AES which was the only
thing that GnuTLS was offering.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Separate requested from received MTU settings

This fixes a bug where an MTU requested with the --mtu option will actually
be set as the interface MTU even if the server replies with a smaller value.

It also fixes reconnect behaviour, by not treating the MTU response from
the server on the original connection into an override for the reconnect.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix GnuTLS DTLS MTU for GnuTLS 3.0.21 and above

The fix in 4.01 (commit c218e2ac) was relying on buggy behaviour of
GnuTLS. It shouldn't have been sufficient just to pass it the *data* MTU
plus 13 and rely on the fact that GnuTLS will happily send packets
larger than that. In fixing GnuTLS MTU handling and adding the new
gnutls_dtls_set_data_mtu() function in 3.0.21, I have broken my own
code. And it serves me right.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Advertise TLS1.0 not SSL3.0 in GnuTLS ClientHello

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove hard-coded table of ciphers for PEM decryption

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Improve cipher coverage of OpenSSL encrypted PEM support for GnuTLS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.02

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix build failure on systems without GnuTLS v3

Oops. Including header files which are only available in GnuTLS v3 is
probably not cunning, if we're building with OpenSSL or with GnuTLS v2.

Pointed out by Stuart Henderson (thanks).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.01

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix DTLS MTU for GnuTLS

GnuTLS defaults to an MTU of 1200 (less the 13-byte overhead), and will
truncate data packets accordingly. We *really* don't want that...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix SEGV on cstp_reconnect() without deflate

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up Transifex import some more

Don't let local msgmerge use fuzzy translations either, don't care about
Translation-Team: changing, and use 'diff' so we actually see the changes
(since more often than not they're false positives, so it eases debugging).

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix build on systems without O_CLOEXEC

Reported by Ryan Steinmetz <zi@freebsd.org>

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add source port option for DTLS

Signed-off-by: Steven Ihde <sihde@hamachi.us>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Transifex import: Reduce churn, and don't forget to add new translations

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Import translations from GNOME

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Rebuild openconnect.8 if necessary before openconnect.8.inc

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Print correct error when /dev/net/tun open fails

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't require zlib in pkgconfig if it was found without it

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 4.00

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Run msgmerge after importing translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add translations that GNOME NetworkManager-openconnect has, that we don't

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix typo in error message

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Support old-style OpenSSL encrypted PEM keys

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leaks in text-mode process_form_opts

The caller probably won't free the returned answers if we return error,
so do it locally.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

NUL-terminate blobs from Andoird keystore

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix PKCS#11 cleanup when no SSL certificate is set

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add Android keystore support for --cafile

Based on a patch from Vilmos Nebehaj <v.nebehaj@gmail.com>

Signed-off-by: Vilmos Nebehaj <v.nebehaj@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add missing includes and libs to Android.mk

I probably shouldn't need to add libc, but it shouldn't hurt either, and I
*do* need it. Otherwise I think my screwed up local build system is using
the wrong one. One day I'll actually get AOSP or Cyanogen to build properly
and I won't have to suffer with this cobbled-together pile of crap that I'm
using...

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Switch from Android's keystore_get() to our own keystore_fetch()

This gives proper error handling which Android's lacks.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix double-free of BIO in loading cert from keystore

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix fake Android keystore_get() to return -1 on failure

Harmless in this case, but it doesn't hurt to be consistent with Android.
At least, with what Android does when it's *not* buggy... :)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix Android keystore support for older keystore_get.h

This is an "inline" function, in the header file. So it's about the build
environment you use for building openconnect, not the runtime environment.

It was fixed by the following commit in android/frameworks/base:

commit c741a2fe41ea33fc386a4d5b932cc081aa92a18c
Author: Chia-chi Yeh <chiachi@android.com>
Date:   Thu Sep 30 15:17:58 2010 +0800

    KeyStore: Fix the return value when send() or recv() has an error.

    Change-Id: I20a63c76bd29b1a9f8959a6c4fe5a5b8a9a971b4

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add trousers to list of optional build deps

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add gnutls.h to noinst_HEADERS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove POTFILES.in from po/ EXTRA_DIST

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Automatically keep Android.mk in sync with source lists from Makefile.am

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

OpenSSL: Fix recognition of repeated 'wrong passphrase' errors

Without it, we were getting the wrong error if the passphrase was wrong
a second time, and not correctly staying in the retry loop:

Enter PEM pass phrase:
140379913099200:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:536:
Loading private key failed (wrong passphrase?)
Enter PEM pass phrase:
140379913099200:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:97:
Loading private key failed (see above errors)

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add Android keystore support

Based on a patch from Vilmos Nebehaj <v.nebehaj@gmail.com>

Signed-off-by: Vilmos Nebehaj <v.nebehaj@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix Android build

Well, almost. My local NDK setup still fails to link because libicuuc.so
needs libgabi++.so, and even with that it has undefined references to
mbstowcs and wcstombs. But that's probably a local issue.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix build for OpenSSL without DTLS

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up feature/index web pages a little

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove separate POTFILES list and build potfile from real sources lists

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add gnutls_tpm.c to POTFILES

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Don't repack extra_certs[] when matching key; just cope with it being sparse

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up GnuTLS load_certificate() and improve comments

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Unify assign_privkey() function for GnuTLS 2 and 3

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Move setting of vpninfo->my_p11key to somewhere tidier

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Split assign_privkey_gtls2() to separate function

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Split assign_privkey_gtls3() to separate function

Another step towards a cleaner load_certificate() for GnuTLS.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Move TPM code out into gnutls_tpm.c

Slightly reduce the #ifdef hell in gnutls.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up handling of gnutls_pkcs12.c

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix BER encoding of hash in sign_dummy_data()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Cope with lack of gnutls_certificate_set_key() in GnuTLS 2.12

We *can* use arbitrary privkeys, by using the cert_callback to provide
them on demand.

And even without gnutls_privkey_import_ext() to give us a constructed
privkey that represents the TPM key, we can cope by registering a
sign_callback on the TLS session.

This means that we can support the TPM, and also fix the lack of extra
supporting certs and expiry check when using PKCS#11 certs with GnuTLS 2.12.

It also means my code is an even bigger mess of #ifdefs than it was before.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix memory leak of TPM key password

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix wording of comment about string handling

The library *will* free them later. Honest! If we say "should", someone
might get confused and think we're saying the *caller* needs to do it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Document SHA1 buffer requirements more clearly

There's an inconsistency here; openconnect_set_xmlsha1() takes a redundant
'len' arg which serves no purpose except to check that the caller knows
how big a SHA1 is. If it's not 41, we bail.

Next time the soname is getting bumped, I'll add a similar redundant
check to openconnect_get_cert_sha1() too. I should have done that when
it was first converted from an internal function to a public-facing one
in commit 20840ab0. But I didn't, and it's not worth bumping the soname
again right now *just* for that.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix Solaris build, again

I really ought to script a check for this.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix GnuTLS 2.12 library still referencing OpenSSL ERR_print_errors_cb()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Tag version 3.99

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make 'make tag' work out of source tree

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

$CISCO_SPLIT_DNS is separated by commas in vpnc, not spaces

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Link libopenconnect to trousers, not openconnect

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Move dtls1_stop_timer() declaration inside the OPENCONNECT_OPENSSL section

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Update translations from Transifex

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix build with GnuTLS 2.12

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Allow GUI to distinguish between PIN/passphrase callbacks

The UI may cache user input by form->auth_id, opt->name. But those were
always the same (and auth_id was even NULL for OpenSSL UI callbacks from
the TPM engine), so it wasn't very helpful. Fix it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Handle TPM keys with their own authentication PIN

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Give proper error reporting from tpm_sign_fn() TPM operations

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Try null SRK key (20 bytes of zero) first

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix error exits in GnuTLS load_certificate() function

Having separate 'err' for GnuTLS errno, and 'ret' for the return value, has
caused me to sometimes return without setting 'ret'. Make it uninitialised
to start with, and then the compiler should warn if I 'goto out' again
without setting 'ret'.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Implement certificate matching for TPM/PKCS#11 privkeys

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix GnuTLS PIN cache leak when only *key* is PKCS#11 and not certificate.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Remove redundancy in code which 'matches' cert to privkey

Yes, it doesn't *actually* do any matching... yet.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Add TPM support for GnuTLS

Based on GnuTLS TPM code by Carolin Latze <latze@angry-red-pla.net>
and Tobias Soder.

Like the OpenSSL TPM ENGINE, this only supports a key 'blob' rather than
using keys by UUID. That shouldn't be hard to fix if someone wants it.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Clean up build options printout

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix DTLS fallback to OpenSSL for old GnuTLS

Due to a typo, it wasn't using OpenSSL for DTLS unless you specified
--without-openssl on the configure command line.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Explicitly check for gnutls_certificate_set_key(), separate it from p11-kit

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

OpenSSL: Fix leak of cert_x509

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

OpenSSL: Free BIO leak in reload_pem_cert()

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

OpenSSL: Clean up leaks in TPM ENGINE handling

The key, in the ctx, holds a reference on the engine. We should be dropping
our own.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

OpenSSL: Fix password memory leaks

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Make authentication valgrind-friendly

Not strictly needed to free stuff right before we exit, but it makes it
easier to find leaks in the library code.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

Fix useragent leak

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>