Hello community, here is the log from the commit of package openconnect for openSUSE:Factory checked in at 2014-12-16 14:47:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openconnect (Old) and /work/SRC/openSUSE:Factory/.openconnect.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openconnect" Changes: -------- --- /work/SRC/openSUSE:Factory/openconnect/openconnect.changes 2014-12-06 13:45:16.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.openconnect.new/openconnect.changes 2014-12-16 14:46:59.000000000 +0100 @@ -1,0 +2,9 @@ +Wed Dec 10 15:16:32 UTC 2014 - rsalev...@suse.com + +- Update to Version 7.01 + * Try harder to find a PKCS#11 key to match a given certificate. + * Handle 'Connection: close' from proxies correctly. + * Warn when MTU is set too low (<1280) to permit IPv6 connectivity. + * Add support for X-CSTP-DynDNS, to trigger DNS lookup on each reconnec + +------------------------------------------------------------------- Old: ---- openconnect-7.00.tar.gz New: ---- openconnect-7.01.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openconnect.spec ++++++ --- /var/tmp/diff_new_pack.SzadLG/_old 2014-12-16 14:47:03.000000000 +0100 +++ /var/tmp/diff_new_pack.SzadLG/_new 2014-12-16 14:47:03.000000000 +0100 @@ -17,7 +17,7 @@ Name: openconnect -Version: 7.00 +Version: 7.01 Release: 0 Summary: Open client for Cisco AnyConnect VPN License: LGPL-2.1+ ++++++ openconnect-7.00.tar.gz -> openconnect-7.01.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/Makefile.am new/openconnect-7.01/Makefile.am --- old/openconnect-7.00/Makefile.am 2014-11-10 13:59:07.000000000 +0100 +++ new/openconnect-7.01/Makefile.am 2014-12-07 19:52:55.000000000 +0100 
@@ -75,8 +75,8 @@ libopenconnect_la_LDFLAGS = $(LT_VER_ARG) @APIMAJOR@:@APIMINOR@ -no-undefined noinst_HEADERS = openconnect-internal.h openconnect.h gnutls.h include_HEADERS = openconnect.h -if HAVE_SYMBOL_VERSIONING -libopenconnect_la_LDFLAGS += -Wl,@VERSION_SCRIPT_ARG@,libopenconnect.map +if HAVE_VSCRIPT +libopenconnect_la_LDFLAGS += @VSCRIPT_LDFLAGS@,libopenconnect.map libopenconnect_la_DEPENDENCIES = libopenconnect.map endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/Makefile.in new/openconnect-7.01/Makefile.in --- old/openconnect-7.00/Makefile.in 2014-11-27 17:13:46.000000000 +0100 +++ new/openconnect-7.01/Makefile.in 2014-12-07 22:17:23.000000000 +0100 
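Review bot: `libopenconnect_la_LDFLAGS += @VSCRIPT_LDFLAGS@,libopenconnect.map` uses the raw configure substitution where the Make variable is the consistent form: the generated Makefile.in in this same diff defines `VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@`, and the macro's own usage example writes `$(VSCRIPT_LDFLAGS),@srcdir@/libfoo.map`, so `libopenconnect_la_LDFLAGS += $(VSCRIPT_LDFLAGS),libopenconnect.map` matches both and lets a packager override the flag at make time. Since the version script is what keeps non-public symbols out of the shared library's export table (assuming libopenconnect.map ends in the usual `local: *`, which is not visible here), a build where HAVE_VSCRIPT is false silently exports every internal symbol. A comment on the `if HAVE_VSCRIPT` block such as `# Without linker version-script support all internal symbols become part of the exported ABI` would make that trade-off visible to packagers reading configure output.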
@@ -93,22 +93,22 @@ @OPENCONNECT_ICONV_TRUE@am__append_9 = $(lib_srcs_iconv) @OPENCONNECT_WIN32_TRUE@am__append_10 = $(lib_srcs_win32) @OPENCONNECT_WIN32_FALSE@am__append_11 = $(lib_srcs_posix) -@HAVE_SYMBOL_VERSIONING_TRUE@am__append_12 = -Wl,@VERSION_SCRIPT_ARG@,libopenconnect.map -@HAVE_SYMBOL_VERSIONING_FALSE@libopenconnect_la_DEPENDENCIES = \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \ -@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) +@HAVE_VSCRIPT_TRUE@am__append_12 = @VSCRIPT_LDFLAGS@,libopenconnect.map +@HAVE_VSCRIPT_FALSE@libopenconnect_la_DEPENDENCIES = \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) \ +@HAVE_VSCRIPT_FALSE@ $(am__DEPENDENCIES_1) @JNI_STANDALONE_TRUE@@OPENCONNECT_JNI_TRUE@am__append_13 = jni.c 
@JNI_STANDALONE_TRUE@@OPENCONNECT_JNI_TRUE@am__append_14 = $(JNI_CFLAGS) -Wno-missing-declarations @JNI_STANDALONE_FALSE@@OPENCONNECT_JNI_TRUE@am__append_15 = libopenconnect-wrapper.la @@ -121,12 +121,13 @@ ChangeLog TODO compile config.guess config.rpath config.sub \ install-sh missing ltmain.sh ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \ - $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ - $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ @@ -486,7 +487,7 @@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ VERSION = @VERSION@ -VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@ +VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@ WFLAGS = @WFLAGS@ ZLIB_CFLAGS = @ZLIB_CFLAGS@ ZLIB_LIBS = @ZLIB_LIBS@ 
@@ -588,7 +589,7 @@ -no-undefined $(am__append_12) noinst_HEADERS = openconnect-internal.h openconnect.h gnutls.h include_HEADERS = openconnect.h -@HAVE_SYMBOL_VERSIONING_TRUE@libopenconnect_la_DEPENDENCIES = libopenconnect.map +@HAVE_VSCRIPT_TRUE@libopenconnect_la_DEPENDENCIES = libopenconnect.map @JNI_STANDALONE_FALSE@@OPENCONNECT_JNI_TRUE@libopenconnect_wrapper_la_SOURCES = jni.c @JNI_STANDALONE_FALSE@@OPENCONNECT_JNI_TRUE@libopenconnect_wrapper_la_CFLAGS = $(AM_CFLAGS) $(JNI_CFLAGS) -Wno-missing-declarations @JNI_STANDALONE_FALSE@@OPENCONNECT_JNI_TRUE@libopenconnect_wrapper_la_LIBADD = libopenconnect.la diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/aclocal.m4 new/openconnect-7.01/aclocal.m4 --- old/openconnect-7.00/aclocal.m4 2014-11-27 17:13:45.000000000 +0100 +++ new/openconnect-7.01/aclocal.m4 2014-12-07 22:17:21.000000000 +0100 @@ -1398,6 +1398,7 @@ AC_SUBST([am__untar]) ]) # _AM_PROG_TAR +m4_include([m4/ax_check_vscript.m4]) m4_include([m4/iconv.m4]) m4_include([m4/lib-ld.m4]) m4_include([m4/lib-link.m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/configure new/openconnect-7.01/configure --- old/openconnect-7.00/configure 2014-11-27 17:13:47.000000000 +0100 +++ new/openconnect-7.01/configure 2014-12-07 22:17:24.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for openconnect 7.00. +# Generated by GNU Autoconf 2.69 for openconnect 7.01. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='openconnect' PACKAGE_TARNAME='openconnect' -PACKAGE_VERSION='7.00' -PACKAGE_STRING='openconnect 7.00' +PACKAGE_VERSION='7.01' +PACKAGE_STRING='openconnect 7.01' PACKAGE_BUGREPORT='' PACKAGE_URL='' 
@@ -679,9 +679,11 @@ ZLIB_CFLAGS LIBXML2_LIBS LIBXML2_CFLAGS -HAVE_SYMBOL_VERSIONING_FALSE -HAVE_SYMBOL_VERSIONING_TRUE -VERSION_SCRIPT_ARG +HAVE_VSCRIPT_COMPLEX_FALSE +HAVE_VSCRIPT_COMPLEX_TRUE +HAVE_VSCRIPT_FALSE +HAVE_VSCRIPT_TRUE +VSCRIPT_LDFLAGS OPENBSD_LIBTOOL_FALSE OPENBSD_LIBTOOL_TRUE OTOOL64 @@ -1445,7 +1447,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures openconnect 7.00 to adapt to many kinds of systems. +\`configure' configures openconnect 7.01 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1515,7 +1517,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of openconnect 7.00:";; + short | recursive ) echo "Configuration of openconnect 7.01:";; esac cat <<\_ACEOF @@ -1690,7 +1692,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -openconnect configure 7.00 +openconnect configure 7.01 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2055,7 +2057,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by openconnect $as_me 7.00, which was +It was created by openconnect $as_me 7.01, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3141,7 +3143,7 @@ # Define the identity of the package. PACKAGE='openconnect' - VERSION='7.00' + VERSION='7.01' cat >>confdefs.h <<_ACEOF 
@@ -14727,59 +14729,266 @@ fi -# Ick. This seems like it's likely to be very fragile, but I can't see a better -# way. I shall console myself with the observation that the failure mode isn't -# particularly horrible — you just don't get symbol versioning if it fails. -# Check whether --enable-symvers was given. + + # Check whether --enable-symvers was given. if test "${enable_symvers+set}" = set; then : enableval=$enable_symvers; want_symvers=$enableval else want_symvers=yes + fi -symvers=no -if test "$enable_shared" = "yes" -a "$want_symvers" != "no" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if library symbol versioning is available" >&5 -$as_echo_n "checking if library symbol versioning is available... " >&6; }; - echo 'FOO { global: foo; local: *; };' > conftest.map - echo 'int foo = 0;' > conftest.$ac_ext - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 - (eval $ac_compile) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - soname=conftest - libobjs=conftest.$ac_objext - if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds ${wl}--version-script ${wl}conftest.map\""; } >&5 - (eval $archive_cmds ${wl}--version-script ${wl}conftest.map) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - VERSION_SCRIPT_ARG=--version-script + if test x$want_symvers = xyes; then : - symvers="yes (with --version-script)" - elif { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds ${wl}-M ${wl}conftest.map\""; } >&5 - (eval $archive_cmds ${wl}-M ${wl}conftest.map) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 - test $ac_status = 0; }; then - VERSION_SCRIPT_ARG=-M - symvers="yes (with -M)" - fi - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${symvers}" >&5 -$as_echo "${symvers}" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking linker version script flag" >&5 +$as_echo_n "checking linker version script flag... " >&6; } +if ${ax_cv_check_vscript_flag+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_cv_check_vscript_flag=unsupported + + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + ax_check_vscript_save_flags="$LDFLAGS" + echo "V1 { global: show; local: *; };" > conftest.map + if test x = xyes; then : + + echo "{" >> conftest.map + +fi + LDFLAGS="$LDFLAGS -Wl,--version-script,conftest.map" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int show, hide; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + ax_cv_check_vscript_flag=--version-script + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS="$ax_check_vscript_save_flags" + rm -f conftest.map + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + if test x$ax_cv_check_vscript_flag = xunsupported; then : + + + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + ax_check_vscript_save_flags="$LDFLAGS" + echo "V1 { global: show; local: *; };" > conftest.map + if test x = xyes; then : + + echo "{" >> conftest.map + +fi + LDFLAGS="$LDFLAGS 
-Wl,-M,conftest.map" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int show, hide; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_vscript_flag=-M +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS="$ax_check_vscript_save_flags" + rm -f conftest.map + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + +fi + + + if test x$ax_cv_check_vscript_flag != xunsupported; then : + + + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + ax_check_vscript_save_flags="$LDFLAGS" + echo "V1 { global: show; local: *; };" > conftest.map + if test xyes = xyes; then : + + echo "{" >> conftest.map + +fi + LDFLAGS="$LDFLAGS -Wl,$ax_cv_check_vscript_flag,conftest.map" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +int show, hide; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_vscript_flag=unsupported fi - if test "${symvers}" != "no"; then - HAVE_SYMBOL_VERSIONING_TRUE= - HAVE_SYMBOL_VERSIONING_FALSE='#' +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS="$ax_check_vscript_save_flags" + rm -f conftest.map + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_vscript_flag" >&5 +$as_echo "$ax_cv_check_vscript_flag" >&6; } + + + if test x$ax_cv_check_vscript_flag != xunsupported; then : + + ax_check_vscript_flag=$ax_cv_check_vscript_flag + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if version scripts can use complex wildcards" >&5 +$as_echo_n "checking if version scripts can use complex wildcards... " >&6; } +if ${ax_cv_check_vscript_complex_wildcards+:} false; then : + $as_echo_n "(cached) " >&6 else - HAVE_SYMBOL_VERSIONING_TRUE='#' - HAVE_SYMBOL_VERSIONING_FALSE= + + ax_cv_check_vscript_complex_wildcards=no + + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + ax_check_vscript_save_flags="$LDFLAGS" + echo "V1 { global: sh*; local: *; };" > conftest.map + if test x = xyes; then : + + echo "{" >> conftest.map + fi + LDFLAGS="$LDFLAGS -Wl,$ax_cv_check_vscript_flag,conftest.map" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +int show, hide; +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + ax_cv_check_vscript_complex_wildcards=yes +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS="$ax_check_vscript_save_flags" + rm -f conftest.map + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_vscript_complex_wildcards" >&5 +$as_echo "$ax_cv_check_vscript_complex_wildcards" >&6; } + ax_check_vscript_complex_wildcards="$ax_cv_check_vscript_complex_wildcards" + +else + + ax_check_vscript_flag= + ax_check_vscript_complex_wildcards=no + +fi + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking linker version script flag" >&5 +$as_echo_n "checking linker version script flag... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 +$as_echo "disabled" >&6; } + + ax_check_vscript_flag= + ax_check_vscript_complex_wildcards=no + +fi + + if test x$ax_check_vscript_flag != x; then : + + VSCRIPT_LDFLAGS="-Wl,$ax_check_vscript_flag" + + +fi + + if test x$ax_check_vscript_flag != x; then + HAVE_VSCRIPT_TRUE= + HAVE_VSCRIPT_FALSE='#' +else + HAVE_VSCRIPT_TRUE='#' + HAVE_VSCRIPT_FALSE= +fi + + if test x$ax_check_vscript_complex_wildcards = xyes; then + HAVE_VSCRIPT_COMPLEX_TRUE= + HAVE_VSCRIPT_COMPLEX_FALSE='#' +else + HAVE_VSCRIPT_COMPLEX_TRUE='#' + HAVE_VSCRIPT_COMPLEX_FALSE= +fi + + 
@@ -16684,8 +16893,12 @@ as_fn_error $? "conditional \"OPENBSD_LIBTOOL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${HAVE_SYMBOL_VERSIONING_TRUE}" && test -z "${HAVE_SYMBOL_VERSIONING_FALSE}"; then - as_fn_error $? "conditional \"HAVE_SYMBOL_VERSIONING\" was never defined. +if test -z "${HAVE_VSCRIPT_TRUE}" && test -z "${HAVE_VSCRIPT_FALSE}"; then + as_fn_error $? "conditional \"HAVE_VSCRIPT\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_VSCRIPT_COMPLEX_TRUE}" && test -z "${HAVE_VSCRIPT_COMPLEX_FALSE}"; then + as_fn_error $? "conditional \"HAVE_VSCRIPT_COMPLEX\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${OPENCONNECT_STOKEN_TRUE}" && test -z "${OPENCONNECT_STOKEN_FALSE}"; then @@ -17113,7 +17326,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by openconnect $as_me 7.00, which was +This file was extended by openconnect $as_me 7.01, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -17179,7 +17392,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -openconnect config.status 7.00 +openconnect config.status 7.01 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/configure.ac new/openconnect-7.01/configure.ac --- old/openconnect-7.00/configure.ac 2014-11-27 17:13:43.000000000 +0100 +++ new/openconnect-7.01/configure.ac 2014-12-07 22:17:20.000000000 +0100 @@ -1,4 +1,4 @@ -AC_INIT(openconnect, 7.00) +AC_INIT(openconnect, 7.01) AC_CONFIG_HEADERS([config.h]) PKG_PROG_PKG_CONFIG 
@@ -520,35 +520,7 @@ fi AM_CONDITIONAL(OPENBSD_LIBTOOL, [ test "$use_openbsd_libtool" = "true" ]) -# Ick. This seems like it's likely to be very fragile, but I can't see a better -# way. I shall console myself with the observation that the failure mode isn't -# particularly horrible — you just don't get symbol versioning if it fails. - -AC_ARG_ENABLE([symvers], - AS_HELP_STRING([--disable-symvers], - [disable library symbol versioning [default=auto]]), - [want_symvers=$enableval], - [want_symvers=yes]) - -symvers=no -if test "$enable_shared" = "yes" -a "$want_symvers" != "no" ; then - AC_MSG_CHECKING([if library symbol versioning is available]); - echo 'FOO { global: foo; local: *; };' > conftest.map - echo 'int foo = 0;' > conftest.$ac_ext - if AC_TRY_EVAL(ac_compile); then - soname=conftest - libobjs=conftest.$ac_objext - if AC_TRY_EVAL(archive_cmds ${wl}--version-script ${wl}conftest.map); then - AC_SUBST(VERSION_SCRIPT_ARG, [--version-script]) - symvers="yes (with --version-script)" - elif AC_TRY_EVAL(archive_cmds ${wl}-M ${wl}conftest.map); then - AC_SUBST(VERSION_SCRIPT_ARG, [-M]) - symvers="yes (with -M)" - fi - fi - AC_MSG_RESULT(${symvers}) -fi -AM_CONDITIONAL(HAVE_SYMBOL_VERSIONING, [test "${symvers}" != "no"]) +AX_CHECK_VSCRIPT PKG_CHECK_MODULES(LIBXML2, libxml-2.0) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/cstp.c new/openconnect-7.01/cstp.c --- old/openconnect-7.00/cstp.c 2014-11-18 22:49:55.000000000 +0100 +++ new/openconnect-7.01/cstp.c 2014-12-05 12:57:01.000000000 +0100 @@ -378,6 +378,9 @@ int cstpmtu = atol(colon); if (cstpmtu > mtu) mtu = cstpmtu; + } else if (!strcmp(buf + 7, "DynDNS")) { + if (!strcmp(colon, "true")) + vpninfo->is_dyndns = 1; } else if (!strcmp(buf + 7, "Address-IP6")) { vpninfo->ip_info.netmask6 = new_option->value; } else if (!strcmp(buf + 7, "Address")) { 
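Review bot: The removed check ran only when `$enable_shared` was `yes`, but `AX_CHECK_VSCRIPT` is now invoked unconditionally, so `HAVE_VSCRIPT` can be true and `VSCRIPT_LDFLAGS` non-empty on a `--disable-shared` build; this is presumably harmless for a static-only libtool link, but it is a behaviour change worth recording, e.g. `dnl Probed for static builds too; libtool ignores the version-script flag there`. The old test also wrapped the linker option with libtool's `${wl}` while the macro hard-codes `-Wl,` (see `LDFLAGS="$LDFLAGS -Wl,$1,conftest.map"` in the new m4 file), so on a toolchain with a different driver syntax the probe reports "unsupported" and symbol versioning — and with it any `local: *` hiding of internal symbols — is dropped without any failure. An `AC_MSG_WARN` when `$ax_check_vscript_flag` ends up empty on a shared build would make that loss visible instead of silent.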
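Review bot: `vpninfo->is_dyndns` is only ever set to 1 in the new `DynDNS` branch and nothing in this diff clears it, so unless it is reset before the header loop (not visible in this hunk) a server that sent `X-CSTP-DynDNS: true` once keeps the flag on every later reconnect even if the header is then absent or `false`. Because the value comes from a server-supplied header, giving it a definite meaning in both directions, `vpninfo->is_dyndns = !strcmp(colon, "true");`, plus a `vpninfo->is_dyndns = 0;` before the headers are parsed, would keep the client's behaviour tied to what the server last said. The enclosing function starts and ends outside the hunk.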
@@ -450,6 +453,12 @@ _("No IP address received. Aborting\n")); return -EINVAL; } + if (mtu < 1280 && + (vpninfo->ip_info.addr6 || vpninfo->ip_info.netmask6)) { + vpn_progress(vpninfo, PRG_ERR, + _("IPv6 configuration received but MTU %d is too small.\n"), + mtu); + } if (old_addr) { if (strcmp(old_addr, vpninfo->ip_info.addr)) { vpn_progress(vpninfo, PRG_ERR, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/gnutls.c new/openconnect-7.01/gnutls.c --- old/openconnect-7.00/gnutls.c 2014-11-27 15:51:00.000000000 +0100 +++ new/openconnect-7.01/gnutls.c 2014-12-04 22:28:19.000000000 +0100 @@ -980,7 +980,8 @@ if (!p11_kit_uri_get_pin_source(uri)) p11_kit_uri_set_pin_source(uri, pin_source); #endif - if (!p11_kit_uri_get_attribute(uri, CKA_CLASS)) { + if (vpninfo->sslkey == vpninfo->cert || + !p11_kit_uri_get_attribute(uri, CKA_CLASS)) { class = CKO_PRIVATE_KEY; p11_kit_uri_set_attribute(uri, &attr); } @@ -1126,8 +1127,8 @@ #endif /* HAVE_GNUTLS_SYSTEM_KEYS */ #if defined(HAVE_P11KIT) if (key_is_p11) { - vpn_progress(vpninfo, PRG_DEBUG, - _("Using PKCS#11 key %s\n"), key_url); + vpn_progress(vpninfo, PRG_TRACE, + _("Trying PKCS#11 key URL %s\n"), key_url); err = gnutls_pkcs11_privkey_init(&p11key); if (err) { @@ -1153,7 +1154,7 @@ gnutls_pkcs11_obj_t crt; P11KitUri *uri; CK_TOKEN_INFO *token; - char buf[33]; + char buf[65]; size_t s; if (gnutls_pkcs11_obj_init(&crt)) 
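Review bot: The new MTU check logs at `PRG_ERR` and then carries on, and the changelog describes it as a warning, so the message should say what actually happens (IPv6 was configured but is unlikely to work), and the bare `1280` — the IPv6 minimum link MTU — deserves a named constant: `#define IPV6_MIN_MTU 1280` near the top of the file and `if (mtu < IPV6_MIN_MTU &&` here. The check runs after `cstpmtu` may have raised `mtu` in the earlier hunk, so it reflects the negotiated value, which is the right place for it; a one-line comment saying so, `/* mtu already reflects X-CSTP-MTU */`, would save the next reader from checking. The enclosing function starts and ends outside the hunk.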
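Review bot: `vpninfo->sslkey == vpninfo->cert` in the @@ -980 hunk is a pointer comparison between two strings, so it can only be meant to detect that no separate key was given and `sslkey` was aliased to `cert` somewhere outside this hunk; that invariant should be stated where it is relied on, e.g. `/* sslkey aliases cert when no separate key was given: the cert URI then names the key too, so force CKO_PRIVATE_KEY */`. If the aliasing is ever replaced by a copy the test silently stops matching and the CKA_CLASS forcing is lost, so a dedicated flag or a `strcmp` fallback would be more robust. The enclosing function starts and ends outside the hunk.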
@@ -1213,8 +1214,41 @@ free(key_url); key_url = NULL; - if (!p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &key_url)) + if (p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &key_url)) + goto key_err_uri; + + vpn_progress(vpninfo, PRG_TRACE, + _("Trying PKCS#11 key URL %s\n"), key_url); + err = gnutls_pkcs11_privkey_import_url(p11key, key_url, 0); + + /* If it still doesn't work then try dropping CKA_LABEL and adding the + CKA_ID of the cert. */ + if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE && + (p11_kit_uri_get_attribute(uri, CKA_LABEL) || + !p11_kit_uri_get_attribute(uri, CKA_ID))) { + CK_ATTRIBUTE attr; + + s = sizeof(buf); + if (gnutls_pkcs11_obj_get_info(crt, GNUTLS_PKCS11_OBJ_ID, + buf, &s)) + goto key_err_uri; + + attr.type = CKA_ID; + attr.pValue = buf; + attr.ulValueLen = s; + + p11_kit_uri_set_attribute(uri, &attr); + p11_kit_uri_clear_attribute(uri, CKA_LABEL); + + free(key_url); + key_url = NULL; + if (p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, &key_url)) + goto key_err_uri; + + vpn_progress(vpninfo, PRG_TRACE, + _("Trying PKCS#11 key URL %s\n"), key_url); err = gnutls_pkcs11_privkey_import_url(p11key, key_url, 0); + } key_err_uri: p11_kit_uri_free(uri); key_err_obj: @@ -1230,6 +1264,8 @@ ret = -EIO; goto out; } + vpn_progress(vpninfo, PRG_DEBUG, + _("Using PKCS#11 key %s\n"), key_url); err = gnutls_privkey_init(&pkey); if (err) { @@ -1971,7 +2007,7 @@ # define _DEFAULT_PRIO "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \ "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION" # if GNUTLS_VERSION_MAJOR >= 3 -# define DEFAULT_PRIO _DEFAULT_PRIO":-CURVE-ALL" +# define DEFAULT_PRIO _DEFAULT_PRIO":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA" #else # define DEFAULT_PRIO _DEFAULT_PRIO # endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/http.c new/openconnect-7.01/http.c --- old/openconnect-7.00/http.c 2014-11-06 11:17:45.000000000 +0100 +++ new/openconnect-7.01/http.c 2014-12-02 16:37:06.000000000 +0100 
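Review bot: Both new `goto key_err_uri` paths — a failed `p11_kit_uri_format` and a failed `gnutls_pkcs11_obj_get_info` — jump out without logging and leave `err` holding the earlier `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE`, so whatever diagnostic follows the label (outside the hunk) will presumably blame the first import attempt rather than the real cause; a `vpn_progress(vpninfo, PRG_ERR, ...)` at each jump, or assigning `err` from the failing call, keeps the reported error truthful. The CKA_ID fallback is also bounded by `sizeof(buf)` (65 bytes after the @@ -1153 hunk), so a token whose CKA_ID is longer takes the same silent path; that limit should be noted on `buf` or the ID fetched into a sized allocation. The enclosing function starts and ends outside the hunk.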
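Review bot: Adding `:-ECDHE-RSA:-ECDHE-ECDSA` to `DEFAULT_PRIO` in the @@ -1971 hunk removes the ECDHE key exchanges — the forward-secret suites most modern servers prefer — from the default priority for every GnuTLS 3 build, with no comment on why. Since `-CURVE-ALL` on the same line already disables the curves those suites need, this presumably just makes the existing exclusion explicit for server interoperability, but that reasoning should be recorded so the restriction is revisited when the server-side constraint disappears, e.g. `/* ECDHE suites excluded for server interoperability (consistent with -CURVE-ALL); any DHE suites NORMAL enables still provide forward secrecy */`. Whether a user-supplied priority string bypasses this default is not visible here and is worth stating in the same comment.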
@@ -2062,7 +2062,8 @@ { int i; - if (!strcasecmp(hdr, "Proxy-Connection")) { + if (!strcasecmp(hdr, "Proxy-Connection") || + !strcasecmp(hdr, "Connection")) { if (!strcasecmp(val, "close")) vpninfo->proxy_close_during_auth = 1; return 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/libopenconnect.map.in new/openconnect-7.01/libopenconnect.map.in --- old/openconnect-7.00/libopenconnect.map.in 2014-11-27 17:10:49.000000000 +0100 +++ new/openconnect-7.01/libopenconnect.map.in 2014-12-07 21:24:43.000000000 +0100 @@ -43,7 +43,6 @@ openconnect_set_proxy_auth; openconnect_set_reported_os; openconnect_set_reqmtu; - openconnect_set_server_cert_sha1; openconnect_set_stats_handler; openconnect_set_stoken_mode; openconnect_set_system_trust; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/library.c new/openconnect-7.01/library.c --- old/openconnect-7.00/library.c 2014-11-27 17:10:49.000000000 +0100 +++ new/openconnect-7.01/library.c 2014-12-07 22:16:32.000000000 +0100 @@ -702,6 +702,11 @@ const char *openconnect_get_dtls_cipher(struct openconnect_info *vpninfo) { #if defined(DTLS_GNUTLS) + if (vpninfo->dtls_state != DTLS_CONNECTED) { + gnutls_free(vpninfo->gnutls_dtls_cipher); + vpninfo->gnutls_dtls_cipher = NULL; + return NULL; + } /* in DTLS rehandshakes don't switch the ciphersuite as only * one is enabled. */ if (vpninfo->gnutls_dtls_cipher == NULL) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/m4/ax_check_vscript.m4 new/openconnect-7.01/m4/ax_check_vscript.m4 --- old/openconnect-7.00/m4/ax_check_vscript.m4 1970-01-01 01:00:00.000000000 +0100 +++ new/openconnect-7.01/m4/ax_check_vscript.m4 2014-12-07 19:52:55.000000000 +0100 
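Review bot: `strcasecmp(val, "close")` accepts only a bare `close`, but `Connection` is a comma-separated token list (RFC 7230 §6.1), so a proxy answering `Connection: close, TE` or `Connection: Keep-Alive, close` leaves `proxy_close_during_auth` unset and the next request goes out on a socket the proxy is about to shut; a small token loop splitting `val` on `,` and trimming whitespace before the compare would cover both headers now that `Connection` is handled here. The header is also swallowed for every value via `return 0`, which is fine for a proxy reply but deserves a comment so nobody later expects it to reach generic header handling, e.g. `/* Connection/Proxy-Connection are consumed here; only "close" matters during auth */`. The enclosing function starts and ends outside the hunk.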
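Review bot: `openconnect_get_dtls_cipher` now frees `vpninfo->gnutls_dtls_cipher` whenever `dtls_state != DTLS_CONNECTED` and returns NULL, so a string handed to a caller by an earlier call becomes dangling as soon as the state changes and the getter is called again; that lifetime (valid only until the next call or until DTLS drops) and the new NULL return need to be spelled out in the public header's documentation for this function, which is not visible here. A comment above the new block, `/* Drops the cached name: any pointer returned earlier is invalid from here on; callers must copy */`, would flag it for maintainers of the library and its bindings. The function body continues past the hunk.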
@@ -0,0 +1,142 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_check_vscript.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CHECK_VSCRIPT +# +# DESCRIPTION +# +# Check whether the linker supports version scripts. Version scripts are +# used when building shared libraries to bind symbols to version nodes +# (helping to detect incompatibilities) or to limit the visibility of +# non-public symbols. +# +# Output: +# +# If version scripts are supported, VSCRIPT_LDFLAGS will contain the +# appropriate flag to pass to the linker. On GNU systems this would +# typically be "-Wl,--version-script", and on Solaris it would +# typically be "-Wl,-M". +# +# Two Automake conditionals are also set: +# +# HAVE_VSCRIPT is true if the linker supports version scripts with +# entries that use simple wildcards, like "local: *". +# +# HAVE_VSCRIPT_COMPLEX is true if the linker supports version scripts with +# pattern matching wildcards, like "global: Java_*". +# +# On systems that do not support symbol versioning, such as Mac OS X, both +# conditionals will be false. They will also be false if the user passes +# "--disable-symvers" on the configure command line. +# +# Example: +# +# configure.ac: +# +# AX_CHECK_VSCRIPT +# +# Makefile.am: +# +# if HAVE_VSCRIPT +# libfoo_la_LDFLAGS += $(VSCRIPT_LDFLAGS),@srcdir@/libfoo.map +# endif +# +# if HAVE_VSCRIPT_COMPLEX +# libbar_la_LDFLAGS += $(VSCRIPT_LDFLAGS),@srcdir@/libbar.map +# endif +# +# LICENSE +# +# Copyright (c) 2014 Kevin Cernekee <cerne...@gmail.com> +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. 
+ +#serial 1 + +# _AX_CHECK_VSCRIPT(flag, global-sym, action-if-link-succeeds, [junk-file=no]) +AC_DEFUN([_AX_CHECK_VSCRIPT], [ + AC_LANG_PUSH([C]) + ax_check_vscript_save_flags="$LDFLAGS" + echo "V1 { global: $2; local: *; };" > conftest.map + AS_IF([test x$4 = xyes], [ + echo "{" >> conftest.map + ]) + LDFLAGS="$LDFLAGS -Wl,$1,conftest.map" + AC_LINK_IFELSE([AC_LANG_PROGRAM([[int show, hide;]], [])], [$3]) + LDFLAGS="$ax_check_vscript_save_flags" + rm -f conftest.map + AC_LANG_POP([C]) +]) dnl _AX_CHECK_VSCRIPT + +AC_DEFUN([AX_CHECK_VSCRIPT], [ + + AC_ARG_ENABLE([symvers], + AS_HELP_STRING([--disable-symvers], + [disable library symbol versioning [default=auto]]), + [want_symvers=$enableval], + [want_symvers=yes] + ) + + AS_IF([test x$want_symvers = xyes], [ + + dnl First test --version-script and -M with a simple wildcard. + + AC_CACHE_CHECK([linker version script flag], ax_cv_check_vscript_flag, [ + ax_cv_check_vscript_flag=unsupported + _AX_CHECK_VSCRIPT([--version-script], [show], [ + ax_cv_check_vscript_flag=--version-script + ]) + AS_IF([test x$ax_cv_check_vscript_flag = xunsupported], [ + _AX_CHECK_VSCRIPT([-M], [show], [ax_cv_check_vscript_flag=-M]) + ]) + + dnl The linker may interpret -M (no argument) as "produce a load map." + dnl If "-M conftest.map" doesn't fail when conftest.map contains + dnl obvious syntax errors, assume this is the case. + + AS_IF([test x$ax_cv_check_vscript_flag != xunsupported], [ + _AX_CHECK_VSCRIPT([$ax_cv_check_vscript_flag], [show], + [ax_cv_check_vscript_flag=unsupported], [yes]) + ]) + ]) + + dnl If the simple wildcard worked, retest with a complex wildcard. 
+ + AS_IF([test x$ax_cv_check_vscript_flag != xunsupported], [ + ax_check_vscript_flag=$ax_cv_check_vscript_flag + AC_CACHE_CHECK([if version scripts can use complex wildcards], + ax_cv_check_vscript_complex_wildcards, [ + ax_cv_check_vscript_complex_wildcards=no + _AX_CHECK_VSCRIPT([$ax_cv_check_vscript_flag], [sh*], [ + ax_cv_check_vscript_complex_wildcards=yes]) + ]) + ax_check_vscript_complex_wildcards="$ax_cv_check_vscript_complex_wildcards" + ], [ + ax_check_vscript_flag= + ax_check_vscript_complex_wildcards=no + ]) + ], [ + AC_MSG_CHECKING([linker version script flag]) + AC_MSG_RESULT([disabled]) + + ax_check_vscript_flag= + ax_check_vscript_complex_wildcards=no + ]) + + AS_IF([test x$ax_check_vscript_flag != x], [ + VSCRIPT_LDFLAGS="-Wl,$ax_check_vscript_flag" + AC_SUBST([VSCRIPT_LDFLAGS]) + ]) + + AM_CONDITIONAL([HAVE_VSCRIPT], + [test x$ax_check_vscript_flag != x]) + AM_CONDITIONAL([HAVE_VSCRIPT_COMPLEX], + [test x$ax_check_vscript_complex_wildcards = xyes]) + +]) dnl AX_CHECK_VSCRIPT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/main.c new/openconnect-7.01/main.c --- old/openconnect-7.00/main.c 2014-11-27 17:10:49.000000000 +0100 +++ new/openconnect-7.01/main.c 2014-12-07 19:58:46.000000000 +0100 @@ -258,7 +258,8 @@ }; #ifdef _WIN32 -static int vfprintf_utf8(FILE *f, const char *fmt, va_list args) +static int __attribute__ ((format(printf, 2, 0))) + vfprintf_utf8(FILE *f, const char *fmt, va_list args) { HANDLE h = GetStdHandle(f == stdout ? STD_OUTPUT_HANDLE : STD_ERROR_HANDLE); wchar_t wbuf[1024]; @@ -273,7 +274,8 @@ return chars; } -static int fprintf_utf8(FILE *f, const char *fmt, ...) +static int __attribute__ ((format(printf, 2, 3))) + fprintf_utf8(FILE *f, const char *fmt, ...) { va_list args; int ret; 
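Review bot: `__attribute__ ((format(printf, 2, 0)))` and `(printf, 2, 3)` are written directly on the four `vfprintf_utf8`/`fprintf_utf8` declarations (this hunk and the @@ -408 and @@ -463 hunks on the next line) with no compiler guard; that is fine for GCC and clang but a hard error elsewhere, so if the project already has a portable attribute macro it should be used here, and if not a one-line comment stating the compiler assumption would help. The payoff is real: the `%lx` → `%s` correction in the @@ -365 hunk is exactly the format/argument mismatch such an attribute turns into a compile-time warning, but only for calls that go through `fprintf_utf8`, so whether a `#define fprintf fprintf_utf8` exists outside this hunk decides whether that call site is now covered and is worth confirming.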
@@ -365,7 +367,7 @@ nr_read = WideCharToMultiByte(CP_UTF8, 0, wbuf, -1, NULL, 0, NULL, NULL); if (!nr_read) { char *errstr = openconnect__win32_strerror(GetLastError()); - fprintf(stderr, _("Error converting console input: %lx\n"), + fprintf(stderr, _("Error converting console input: %s\n"), errstr); free(errstr); goto out; @@ -408,7 +410,8 @@ return 1; } -static int vfprintf_utf8(FILE *f, const char *fmt, va_list args) +static int __attribute__ ((format(printf, 2, 0))) + vfprintf_utf8(FILE *f, const char *fmt, va_list args) { char *utf8_str; iconv_t ic; @@ -463,7 +466,8 @@ return ret; } -static int fprintf_utf8(FILE *f, const char *fmt, ...) +static int __attribute__ ((format(printf, 2, 3))) + fprintf_utf8(FILE *f, const char *fmt, ...) { va_list args; int ret; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/openconnect-internal.h new/openconnect-7.01/openconnect-internal.h --- old/openconnect-7.00/openconnect-internal.h 2014-11-20 23:40:22.000000000 +0100 +++ new/openconnect-7.01/openconnect-internal.h 2014-12-05 12:57:38.000000000 +0100 @@ -427,6 +427,7 @@ int dtls_local_port; int deflate; + int is_dyndns; /* Attempt to redo DNS lookup on each CSTP reconnect */ char *useragent; const char *quit_reason; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/po/Makefile.in new/openconnect-7.01/po/Makefile.in --- old/openconnect-7.00/po/Makefile.in 2014-11-27 17:13:46.000000000 +0100 +++ new/openconnect-7.01/po/Makefile.in 2014-12-07 22:17:23.000000000 +0100 
@@ -81,12 +81,13 @@ subdir = po DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ChangeLog ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \ - $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ - $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d @@ -237,7 +238,7 @@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ VERSION = @VERSION@ -VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@ +VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@ WFLAGS = @WFLAGS@ ZLIB_CFLAGS = @ZLIB_CFLAGS@ ZLIB_LIBS = @ZLIB_LIBS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/ssl.c new/openconnect-7.01/ssl.c --- old/openconnect-7.00/ssl.c 2014-11-04 16:08:45.000000000 +0100 +++ new/openconnect-7.01/ssl.c 2014-12-07 19:57:10.000000000 +0100 
@@ -106,6 +106,23 @@ return 1; } +static int match_sockaddr(struct sockaddr *a, struct sockaddr *b) +{ + if (a->sa_family == AF_INET) { + struct sockaddr_in *a4 = (void *)a; + struct sockaddr_in *b4 = (void *)b; + + return (a4->sin_addr.s_addr == b4->sin_addr.s_addr) && + (a4->sin_port == b4->sin_port); + } else if (a->sa_family == AF_INET6) { + struct sockaddr_in6 *a6 = (void *)a; + struct sockaddr_in6 *b6 = (void *)b; + return !memcmp(&a6->sin6_addr, &b6->sin6_addr, sizeof(a6->sin6_addr)) && + a6->sin6_port == b6->sin6_port; + } else + return 0; +} + int connect_https_socket(struct openconnect_info *vpninfo) { int ssl_sock = -1; @@ -114,7 +131,11 @@ if (!vpninfo->port) vpninfo->port = 443; - if (vpninfo->peer_addr) { + /* If we're talking to a server which told us it has dynamic DNS, don't + just re-use its previous IP address. If we're talking to a proxy, we + can use *its* previous IP address. We expect it'll re-do the DNS + lookup for the server anyway. */ + if (vpninfo->peer_addr && (!vpninfo->is_dyndns || vpninfo->proxy)) { reconnect: #ifdef SOCK_CLOEXEC ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, IPPROTO_IP); @@ -230,6 +251,13 @@ if (hints.ai_flags & AI_NUMERICHOST) free(hostname); ssl_sock = -EINVAL; + /* If we were just retrying for dynamic DNS, reconnct using + the previously-known IP address */ + if (vpninfo->peer_addr) { + vpn_progress(vpninfo, PRG_ERR, + _("Reconnecting to DynDNS server using previously cached IP address\n")); + goto reconnect; + } goto out; } if (hints.ai_flags & AI_NUMERICHOST) @@ -257,6 +285,8 @@ if (cancellable_connect(vpninfo, ssl_sock, rp->ai_addr, rp->ai_addrlen) >= 0) { /* Store the peer address we actually used, so that DTLS can use it again later */ + free(vpninfo->peer_addr); + vpninfo->peer_addrlen = 0; vpninfo->peer_addr = malloc(rp->ai_addrlen); if (!vpninfo->peer_addr) { vpn_progress(vpninfo, PRG_ERR, 
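Review bot: match_sockaddr inspects only `a->sa_family` and then reads `b` as the same struct, so an AF_INET `a` paired with an AF_INET6 `b` compares unrelated bytes; the function should begin with `if (a->sa_family != b->sa_family) return 0;` rather than rely on the caller's `peer_addrlen == rp->ai_addrlen` pre-check in the hunk at 288. The AF_INET6 branch also ignores `sin6_scope_id`, so two link-local peers on different interfaces would be treated as the same address; whether that can arise here depends on how peer addresses are obtained, which the hunk does not show. A short header comment, `/* Address+port equality for the cached peer; families must match, scope id is ignored */`, would make that contract explicit.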
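Review bot: The new `goto reconnect` after a resolver failure jumps back into the cached-address path whose failure handling lies outside this hunk; unless that path frees `vpninfo->peer_addr` before falling through to the resolver, a resolver failure and a cached-address failure could alternate without bound, and the same applies to the second `goto reconnect` in the hunk at 296 (L24). Please confirm that the cached-address failure path clears `peer_addr`, or guard both jumps with a one-shot flag. The comment also carries a typo, `reconnct`; it should read `/* If we were just retrying for dynamic DNS, reconnect using the previously-known IP address */`.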
@@ -288,6 +318,17 @@ } closesocket(ssl_sock); ssl_sock = -1; + + /* If we're in DynDNS mode but this *was* the cached IP address, + * don't bother falling back to it if it didn't work. */ + if (vpninfo->peer_addr && vpninfo->peer_addrlen == rp->ai_addrlen && + match_sockaddr(vpninfo->peer_addr, rp->ai_addr)) { + vpn_progress(vpninfo, PRG_TRACE, + _("Forgetting non-functional previous peer address\n")); + free(vpninfo->peer_addr); + vpninfo->peer_addr = 0; + vpninfo->peer_addrlen = 0; + } } freeaddrinfo(result); @@ -296,6 +337,11 @@ _("Failed to connect to host %s\n"), vpninfo->proxy?:vpninfo->hostname); ssl_sock = -EINVAL; + if (vpninfo->peer_addr) { + vpn_progress(vpninfo, PRG_ERR, + _("Reconnecting to DynDNS server using previously cached IP address\n")); + goto reconnect; + } goto out; } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/version.c new/openconnect-7.01/version.c --- old/openconnect-7.00/version.c 2014-11-27 17:13:52.000000000 +0100 +++ new/openconnect-7.01/version.c 2014-12-07 22:17:28.000000000 +0100 @@ -1 +1 @@ -const char *openconnect_version_str = "v7.00"; +const char *openconnect_version_str = "v7.01"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/version.sh new/openconnect-7.01/version.sh --- old/openconnect-7.00/version.sh 2014-11-27 17:13:43.000000000 +0100 +++ new/openconnect-7.01/version.sh 2014-12-07 22:17:20.000000000 +0100 @@ -1,6 +1,6 @@ #!/bin/sh -v="v7.00" +v="v7.01" if [ -d ${GIT_DIR:-.git} ] && tag=`git describe --tags`; then v="$tag" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/www/Makefile.am new/openconnect-7.01/www/Makefile.am --- old/openconnect-7.00/www/Makefile.am 2014-11-04 16:08:45.000000000 +0100 +++ new/openconnect-7.01/www/Makefile.am 2014-12-05 14:35:30.000000000 +0100 
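Review bot: `vpninfo->peer_addr = 0;` assigns an integer literal to a pointer; the surrounding code treats the field as a heap pointer (`free`, `malloc`), so `vpninfo->peer_addr = NULL;` is the consistent form. Forgetting the cached address only when the failing `rp` compares equal is the right scope, but since match_sockaddr is defined in the hunk at 106 without a family check, the length comparison on the line before it is what currently prevents a cross-family comparison; a comment such as `/* length check keeps match_sockaddr from comparing across address families */` would record that dependency. The enclosing address loop begins outside this hunk.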
@@ -3,7 +3,7 @@ SUBDIRS = styles inc images CONV = "$(srcdir)/html.py" -FTR_PAGES = csd.html charset.html token.html features.html gui.html nonroot.html +FTR_PAGES = csd.html charset.html token.html pkcs11.html features.html gui.html nonroot.html START_PAGES = building.html connecting.html manual.html vpnc-script.html INDEX_PAGES = changelog.html download.html index.html packages.html platforms.html TOPLEVEL_PAGES = contribute.html mail.html technical.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/www/Makefile.in new/openconnect-7.01/www/Makefile.in --- old/openconnect-7.00/www/Makefile.in 2014-11-27 17:13:46.000000000 +0100 +++ new/openconnect-7.01/www/Makefile.in 2014-12-07 22:17:23.000000000 +0100 @@ -83,12 +83,13 @@ subdir = www DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \ - $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ - $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d 
@@ -327,7 +328,7 @@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ VERSION = @VERSION@ -VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@ +VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@ WFLAGS = @WFLAGS@ ZLIB_CFLAGS = @ZLIB_CFLAGS@ ZLIB_LIBS = @ZLIB_LIBS@ @@ -388,7 +389,7 @@ top_srcdir = @top_srcdir@ SUBDIRS = styles inc images CONV = "$(srcdir)/html.py" -FTR_PAGES = csd.html charset.html token.html features.html gui.html nonroot.html +FTR_PAGES = csd.html charset.html token.html pkcs11.html features.html gui.html nonroot.html START_PAGES = building.html connecting.html manual.html vpnc-script.html INDEX_PAGES = changelog.html download.html index.html packages.html platforms.html TOPLEVEL_PAGES = contribute.html mail.html technical.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/www/changelog.xml new/openconnect-7.01/www/changelog.xml --- old/openconnect-7.00/www/changelog.xml 2014-11-27 17:13:43.000000000 +0100 +++ new/openconnect-7.01/www/changelog.xml 2014-12-07 22:17:20.000000000 +0100 
@@ -18,6 +18,15 @@ <li><i>No changelog entries yet</i></li> </ul><br/> </li> + <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.01.tar.gz">OpenConnect v7.01</a></b> + <i>(<a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.01.tar.gz.asc">PGP signature</a>)</i> — 2014-12-07 + <ul> + <li>Try harder to find a PKCS#11 key to match a given certificate.</li> + <li>Handle '<tt>Connection: close</tt>' from proxies correctly.</li> + <li>Warn when MTU is set too low <i>(<1280)</i> to permit IPv6 connectivity.</li> + <li>Add support for <tt>X-CSTP-DynDNS</tt>, to trigger DNS lookup on each reconnect.</li> + </ul><br/> + </li> <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz">OpenConnect v7.00</a></b> <i>(<a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz.asc">PGP signature</a>)</i> — 2014-11-27 <ul> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/www/download.xml new/openconnect-7.01/www/download.xml --- old/openconnect-7.00/www/download.xml 2014-11-27 17:13:43.000000000 +0100 +++ new/openconnect-7.01/www/download.xml 2014-12-07 22:17:20.000000000 +0100 
@@ -17,29 +17,14 @@ <p> <!-- latest-release-start --> -The latest release is <a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz">OpenConnect v7.00</a> -<i>(<a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz.asc">PGP signature</a>)</i>, -released on 2014-11-27 with the following changelog:</p> +The latest release is <a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.01.tar.gz">OpenConnect v7.01</a> +<i>(<a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.01.tar.gz.asc">PGP signature</a>)</i>, +released on 2014-12-07 with the following changelog:</p> <ul> - <li>Add support for GnuTLS 3.4 <tt>system:</tt> keys including Windows certificate store.</li> - <li>Add support for HOTP/TOTP keys from Yubikey NEO devices.</li> - <li>Add <tt>---no-system-trust</tt> option to disable default certificate authorities.</li> - <li>Improve <tt>libiconv</tt> and <tt>libintl</tt> detection.</li> - <li>Stop calling <tt>setenv()</tt> from library functions.</li> - <li>Support <tt>utun</tt> driver on OS X.</li> - <li>Change library API so string ownership is never transferred.</li> - <li>Support new NDIS6 TAP-Windows driver shipped with OpenVPN 2.3.4.</li> - <li>Support using PSKC <i>(<a href="http://tools.ietf.org/html/rfc6030">RFC6030</a>)</i> token files for HOTP/TOTP tokens.</li> - <li>Support for updating HOTP token storage when token is used.</li> - <li>Support for reading OTP token data from a file.</li> - <li>Add full <a href="charset.html">character set handling</a> for legacy non-UTF8 systems <i>(including Windows)</i>.</li> - <li>Fix legacy <i>(i.e. 
not XML POST)</i> submission of non-ASCII form entries <i>(even in UTF-8 locales)</i>.</li> - <li>Add support for 32-bit Windows XP.</li> - <li>Avoid retrying without XML POST, when we failed to even reach the server.</li> - <li>Fix off-by-one in parameter substitution in error messages.</li> - <li>Improve reporting when GSSAPI auth requested but not compiled in.</li> - <li>Fix parsing of split include routes on Windows.</li> - <li>Fix crash on invocation with <tt>--token-mode</tt> but no <tt>--token-secret</tt>.</li> + <li>Try harder to find a PKCS#11 key to match a given certificate.</li> + <li>Handle '<tt>Connection: close</tt>' from proxies correctly.</li> + <li>Warn when MTU is set too low <i>(<1280)</i> to permit IPv6 connectivity.</li> + <li>Add support for <tt>X-CSTP-DynDNS</tt>, to trigger DNS lookup on each reconnect.</li> </ul> <!-- latest-release-end --> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/www/images/Makefile.in new/openconnect-7.01/www/images/Makefile.in --- old/openconnect-7.00/www/images/Makefile.in 2014-11-27 17:13:46.000000000 +0100 +++ new/openconnect-7.01/www/images/Makefile.in 2014-12-07 22:17:23.000000000 +0100 
@@ -82,12 +82,13 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(dist_images_DATA) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \ - $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ - $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d @@ -266,7 +267,7 @@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ VERSION = @VERSION@ -VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@ +VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@ WFLAGS = @WFLAGS@ ZLIB_CFLAGS = @ZLIB_CFLAGS@ ZLIB_LIBS = @ZLIB_LIBS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/www/inc/Makefile.in new/openconnect-7.01/www/inc/Makefile.in --- old/openconnect-7.00/www/inc/Makefile.in 2014-11-27 17:13:46.000000000 +0100 +++ new/openconnect-7.01/www/inc/Makefile.in 2014-12-07 22:17:23.000000000 +0100 
@@ -82,12 +82,13 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(dist_tmpldata_DATA) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \ - $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ - $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d @@ -266,7 +267,7 @@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ VERSION = @VERSION@ -VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@ +VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@ WFLAGS = @WFLAGS@ ZLIB_CFLAGS = @ZLIB_CFLAGS@ ZLIB_LIBS = @ZLIB_LIBS@ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/www/menu2-features.xml new/openconnect-7.01/www/menu2-features.xml --- old/openconnect-7.00/www/menu2-features.xml 2014-11-13 23:59:31.000000000 +0100 +++ new/openconnect-7.01/www/menu2-features.xml 2014-12-05 14:36:41.000000000 +0100 
@@ -6,5 +6,6 @@ <MENU topic="GUI" link="gui.html" mode="VAR_SEL_FEATURE_GUI" /> <MENU topic="Character sets" link="charset.html" mode="VAR_SEL_FEATURE_CHARSET" /> <MENU topic="One Time Passwords" link="token.html" mode="VAR_SEL_FEATURE_TOKEN" /> + <MENU topic="Smart Cards / PKCS#11" link="pkcs11.html" mode="VAR_SEL_FEATURE_PKCS11" /> <ENDMENU /> </PAGE> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/www/pkcs11.xml new/openconnect-7.01/www/pkcs11.xml --- old/openconnect-7.00/www/pkcs11.xml 1970-01-01 01:00:00.000000000 +0100 +++ new/openconnect-7.01/www/pkcs11.xml 2014-12-05 21:19:02.000000000 +0100 
@@ -0,0 +1,207 @@ +<PAGE> + <INCLUDE file="inc/header.tmpl" /> + + <VAR match="VAR_SEL_FEATURES" replace="selected" /> + <VAR match="VAR_SEL_FEATURE_PKCS11" replace="selected" /> + <PARSE file="menu1.xml" /> + <PARSE file="menu2-features.xml" /> + + <INCLUDE file="inc/content.tmpl" /> + +<h1>Smart Card / PKCS#11 support</h1> + +<p>OpenConnect supports the use of X.509 certificates and keys from +smart cards <i>(as well as software storage such as GNOME Keyring and +SoftHSM)</i> by means of the PKCS#11 standard. Objects from PKCS#11 tokens +are specified by a <a href="http://p11-glue.freedesktop.org/pkcs11-uris.html">PKCS#11 URI</a>.</p> + +<p>In order to use a certificate or key with OpenConnect, you must +provide a PKCS#11 URI which identifies it sufficiently. That can be as simple +as the following example: +<ul><li> <tt>openconnect -c <i>pkcs11:id=%01</i> vpn.example.com</tt></li></ul> + +However, if you're now looking blankly at a USB crypto device and +wondering what PKCS#11 URI to use, the following documentation should +hopefully assist you in working it out.</p> + +<h2>Identifying the token</h2> +<p>In order to use a PKCS#11 token with OpenConnect, first it must be installed +appropriately in the system's +<a href="http://p11-glue.freedesktop.org/doc/p11-kit/config.html">p11-kit configuration</a>. 
+You shouldn't need to worry about this; it should automatically be the case for +properly packaged software on any modern operating system.</p> + +<p>Typically, the smart card support is likely to be +provided by <a href="https://github.com/OpenSC/OpenSC/wiki">OpenSC</a> and a +distribution's packaging of OpenSC should automatically have registered +the OpenSC module with p11-kit by creating a file such as +<tt>/usr/share/p11-kit/modules/opensc.module</tt>.</p> + +<p>In order to query the available PKCS#11 modules, and the certificates +stored therein, the best tool to use is the +<a href="http://www.gnutls.org/manual/html_node/p11tool-Invocation.html">p11tool</a> +distributed with GnuTLS. In Fedora it's in the <tt>gnutls-utils</tt> package.</p> + +<p>First identify the PKCS#11 modules which are available by using the <tt>--list-tokens</tt> option:</p> +<ul><li><tt>p11tool --list-tokens</tt></li></ul> +This should produce output including something like the following: +<table border="1"><tr><td><pre> +Token 7: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29 + Label: PIV_II (PIV Card Holder pin) + Type: Hardware token + Manufacturer: piv_II + Model: PKCS#15 emulated + Serial: 108421384210c3f5 +</pre></td></tr></table> + +<p>This example shows the relatively common <a href="https://www.opensc-project.org/opensc/wiki/UnitedStatesPIV">PIV</a> +SmartCard, in this case in a <a href="https://developers.yubico.com/yubico-piv-tool/YubiKey-NEO-PIV-Introduction.html">Yubikey NEO</a> device.</p> + +<h2>Locating the certificate</h2> + +<p>Having established that the token is present and registered correctly with p11-kit, the next +step is to identify the URI of the certificate you wish to use. You will note that +the above output of <tt>p11tool --list-tokens</tt> gave a PKCS#11 URI for each token. 
+With that, we can now query the objects available <em>within</em> a specific token, using the <tt>--list-all-certs</tt> +option. We can cut and paste the PKCS#11 URI for the token, but be careful to put it within +quotes because it contains semicolons:</p> +<ul><li><tt>p11tool --list-all-certs 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29'</tt></li></ul> + +<p>Note that the PKCS#11 URI specifies a list of attributes which must +match. Some of these match criteria may be redundant — in this case + we've asked it to list the certificates in a token +which has a model of <i>"PKCS#15 emulated"</i> <b>and</b> a +manufacturer of <i>"piv_II"</i> <b>and</b> serial number +<i>108421384210c3f5</i> <b>and</b> token label <i>"PIV_II (PIV Card +Holder pin)"</i>. Since any <em>one</em> of those criteria would probably +be sufficient to uniquely identify this token from the other configured tokens +in our system, a simpler command line would also work. 
For example:</p> +<ul><li><tt>p11tool --list-all-certs pkcs11:manufacturer=piv_II</tt></li></ul> + +The output of either such command should look something like this: +<table border="1"><tr><td><pre>Object 0: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert + Type: X.509 Certificate + Label: Certificate for PIV Authentication + ID: 01 + +Object 1: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=Certificate%20for%20Digital%20Signature;object-type=cert + Type: X.509 Certificate + Label: Certificate for Digital Signature + ID: 02 + +Object 2: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=Certificate%20for%20Key%20Management;object-type=cert + Type: X.509 Certificate + Label: Certificate for Key Management + ID: 03 + +Object 3: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=Certificate%20for%20Card%20Authentication;object-type=cert + Type: X.509 Certificate + Label: Certificate for Card Authentication + ID: 04 +</pre></td></tr></table> + + + +<p>This device has four certificates installed; the URL for each one +is given in the output. <i>(Choosing <em>between</em> the certificates on +a given device, if there is more than one, is left as an exercise for +the user. You may need to try each one.)</i></p> + +<p>Some devices may not even permit you to list the certificates +without logging in. 
In that case add <tt>--login</tt> to the +<tt>p11tool</tt> command line above, and provide the PIN when +requested</p> + +<p>For OpenConnect 7.01 we should be able to use the URI seen here in +its entirety, and the software will be cunning enough to +find the corresponding key: + +<ul><li><tt>openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert' vpn.example.com</tt></li></ul> + +Older versions, however, may require a little help...</p> + +<h2>Helping OpenConnect find the key</h2> + +<p>If no explicit <tt>-k</tt> argument is given to specify the key, +OpenConnect will use the contents of the <tt>-c</tt> argument as the +basis for finding <em>both</em> certificate and key.</p> + +<p>It will sensibly add <tt>object-type=cert</tt> or <tt>object-type=private</tt> +for itself, according to which object it is trying to locate each time. But in +version 7.00 and earlier, it would <em>not</em> do that if the URI you provide +already contained any <tt>object-type=</tt> element. So the first thing you need to do with +older versions of OpenConnect is trim that part of the URI. So the above example might now be: +<ul><li><tt>openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication' vpn.example.com</tt></li></ul> +</p> + +<p>Additionally, it can sometimes be the case that although the ID +(<tt>id=</tt>) for a certificate should match the ID of its matching +key, the label (<tt>object=</tt>) might <em>not</em> match. Newer versions +of OpenConnect (7.01+), on failing to find a key, will <em>strip</em> the label +from the search URI and add the ID of the certificate that was found (even if +no ID was part of the original search terms provided with the <tt>-c</tt> option). 
But older versions don't.</p> + +<p>So it can be useful also to remove the <tt>object=</tt> part of the URI and leave only the <tt>id=</tt> attribute to specify the individual object, so that you're giving search criteria which are true for both the certificate <em>and</em> the key: +<ul><li><tt>openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01' vpn.example.com</tt></li></ul> +</p> + +<p>And while we're at it, that's <em>still</em> a massively redundant way of specifying which token +to look in, so we can cut that down as we did before just to make it less unwieldy: +<ul><li><tt>openconnect -c 'pkcs11:manufacturer=piv_II;id=%01' vpn.example.com</tt></li></ul> + +<h2>Searching for the key manually</h2> + +<p>If the heuristics for finding the key don't work, you can always +provide an explicit PKCS#11 URI for the key with the <tt>-k</tt> +option. You can look for them by using the <tt>--list-privkeys</tt> option to <tt>p11tool</tt>. 
You will almost certainly want to use the <tt>--login</tt> option too:</p> +<ul><li><tt>p11tool --list-privkeys --login pkcs11:manufacturer=piv_II</tt></li></ul> +<table border="1"><tr><td><pre>Token 'PIV_II (PIV Card Holder pin)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29' requires user PIN +Enter PIN: +Object 0: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private + Type: Private key + Label: PIV AUTH key + Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE; + ID: 01 + +Object 1: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private + Type: Private key + Label: SIGN key + Flags: CKA_PRIVATE; CKA_SENSITIVE; + ID: 02 + +Object 2: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=KEY%20MAN%20key;object-type=private + Type: Private key + Label: KEY MAN key + Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE; + ID: 03 + +Object 3: + URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=CARD%20AUTH%20key;object-type=private + Type: Private key + Label: CARD AUTH key + Flags: CKA_SENSITIVE; + ID: 04 +</pre></td></tr></table> +<p> +Here's the full longhand specification of both certificate <em>and</em> key: +<ul><li><tt>openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert' -k 
'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private' vpn.example.com</tt></li></ul> + + +OpenConnect doesn't care; you can use certificate and key from entirely +<em>different</em> hardware tokens if you want to. Or one from a file. Or a key +from a TPM and a certificate from a PKCS#11 hardware token. Or all kinds of bizarre combinations. But if it's a <em>sensible</em> combination on a sanely configured PKCS#11 token, and OpenConnect can't infer the key location from the certificate, then please <a href="mail.html">send us an email</a> and we'll try to fix it.</p> +</p> + + + + +<INCLUDE file="inc/footer.tmpl" /> +</PAGE> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openconnect-7.00/www/styles/Makefile.in new/openconnect-7.01/www/styles/Makefile.in --- old/openconnect-7.00/www/styles/Makefile.in 2014-11-27 17:13:46.000000000 +0100 +++ new/openconnect-7.01/www/styles/Makefile.in 2014-12-07 22:17:23.000000000 +0100 
@@ -82,12 +82,13 @@ DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(dist_stylesdata_DATA) ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \ - $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ - $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d @@ -266,7 +267,7 @@ TSS_CFLAGS = @TSS_CFLAGS@ TSS_LIBS = @TSS_LIBS@ VERSION = @VERSION@ -VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@ +VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@ WFLAGS = @WFLAGS@ ZLIB_CFLAGS = @ZLIB_CFLAGS@ ZLIB_LIBS = @ZLIB_LIBS@ -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org