Hello community,

here is the log from the commit of package openconnect for openSUSE:Factory 
checked in at 2014-12-16 14:47:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openconnect (Old)
 and      /work/SRC/openSUSE:Factory/.openconnect.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openconnect"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openconnect/openconnect.changes  2014-12-06 
13:45:16.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openconnect.new/openconnect.changes     
2014-12-16 14:46:59.000000000 +0100
@@ -1,0 +2,9 @@
+Wed Dec 10 15:16:32 UTC 2014 - rsalev...@suse.com
+
+- Update to Version 7.01
+  * Try harder to find a PKCS#11 key to match a given certificate.
+  * Handle 'Connection: close' from proxies correctly.
+  * Warn when MTU is set too low (<1280) to permit IPv6 connectivity.
+  * Add support for X-CSTP-DynDNS, to trigger DNS lookup on each reconnec
+
+-------------------------------------------------------------------

Old:
----
  openconnect-7.00.tar.gz

New:
----
  openconnect-7.01.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openconnect.spec ++++++
--- /var/tmp/diff_new_pack.SzadLG/_old  2014-12-16 14:47:03.000000000 +0100
+++ /var/tmp/diff_new_pack.SzadLG/_new  2014-12-16 14:47:03.000000000 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           openconnect
-Version:        7.00
+Version:        7.01
 Release:        0
 Summary:        Open client for Cisco AnyConnect VPN
 License:        LGPL-2.1+

++++++ openconnect-7.00.tar.gz -> openconnect-7.01.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/Makefile.am 
new/openconnect-7.01/Makefile.am
--- old/openconnect-7.00/Makefile.am    2014-11-10 13:59:07.000000000 +0100
+++ new/openconnect-7.01/Makefile.am    2014-12-07 19:52:55.000000000 +0100
@@ -75,8 +75,8 @@
 libopenconnect_la_LDFLAGS = $(LT_VER_ARG) @APIMAJOR@:@APIMINOR@ -no-undefined
 noinst_HEADERS = openconnect-internal.h openconnect.h gnutls.h
 include_HEADERS = openconnect.h
-if HAVE_SYMBOL_VERSIONING
-libopenconnect_la_LDFLAGS += -Wl,@VERSION_SCRIPT_ARG@,libopenconnect.map
+if HAVE_VSCRIPT
+libopenconnect_la_LDFLAGS += @VSCRIPT_LDFLAGS@,libopenconnect.map
 libopenconnect_la_DEPENDENCIES = libopenconnect.map
 endif
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/Makefile.in 
new/openconnect-7.01/Makefile.in
--- old/openconnect-7.00/Makefile.in    2014-11-27 17:13:46.000000000 +0100
+++ new/openconnect-7.01/Makefile.in    2014-12-07 22:17:23.000000000 +0100
@@ -93,22 +93,22 @@
 @OPENCONNECT_ICONV_TRUE@am__append_9 = $(lib_srcs_iconv)
 @OPENCONNECT_WIN32_TRUE@am__append_10 = $(lib_srcs_win32)
 @OPENCONNECT_WIN32_FALSE@am__append_11 = $(lib_srcs_posix)
-@HAVE_SYMBOL_VERSIONING_TRUE@am__append_12 = 
-Wl,@VERSION_SCRIPT_ARG@,libopenconnect.map
-@HAVE_SYMBOL_VERSIONING_FALSE@libopenconnect_la_DEPENDENCIES =  \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1) \
-@HAVE_SYMBOL_VERSIONING_FALSE@ $(am__DEPENDENCIES_1)
+@HAVE_VSCRIPT_TRUE@am__append_12 = @VSCRIPT_LDFLAGS@,libopenconnect.map
+@HAVE_VSCRIPT_FALSE@libopenconnect_la_DEPENDENCIES =  \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1) \
+@HAVE_VSCRIPT_FALSE@   $(am__DEPENDENCIES_1)
 @JNI_STANDALONE_TRUE@@OPENCONNECT_JNI_TRUE@am__append_13 = jni.c
 @JNI_STANDALONE_TRUE@@OPENCONNECT_JNI_TRUE@am__append_14 = $(JNI_CFLAGS) 
-Wno-missing-declarations
 @JNI_STANDALONE_FALSE@@OPENCONNECT_JNI_TRUE@am__append_15 = 
libopenconnect-wrapper.la
@@ -121,12 +121,13 @@
        ChangeLog TODO compile config.guess config.rpath config.sub \
        install-sh missing ltmain.sh
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \
-       $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
-       $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
-       $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
-       $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
-       $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \
+       $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
+       $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
+       $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+       $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+       $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \
+       $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
        $(ACLOCAL_M4)
 am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
@@ -486,7 +487,7 @@
 TSS_CFLAGS = @TSS_CFLAGS@
 TSS_LIBS = @TSS_LIBS@
 VERSION = @VERSION@
-VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@
+VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@
 WFLAGS = @WFLAGS@
 ZLIB_CFLAGS = @ZLIB_CFLAGS@
 ZLIB_LIBS = @ZLIB_LIBS@
@@ -588,7 +589,7 @@
        -no-undefined $(am__append_12)
 noinst_HEADERS = openconnect-internal.h openconnect.h gnutls.h
 include_HEADERS = openconnect.h
-@HAVE_SYMBOL_VERSIONING_TRUE@libopenconnect_la_DEPENDENCIES = 
libopenconnect.map
+@HAVE_VSCRIPT_TRUE@libopenconnect_la_DEPENDENCIES = libopenconnect.map
 @JNI_STANDALONE_FALSE@@OPENCONNECT_JNI_TRUE@libopenconnect_wrapper_la_SOURCES 
= jni.c
 @JNI_STANDALONE_FALSE@@OPENCONNECT_JNI_TRUE@libopenconnect_wrapper_la_CFLAGS = 
$(AM_CFLAGS) $(JNI_CFLAGS) -Wno-missing-declarations
 @JNI_STANDALONE_FALSE@@OPENCONNECT_JNI_TRUE@libopenconnect_wrapper_la_LIBADD = 
libopenconnect.la
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/aclocal.m4 
new/openconnect-7.01/aclocal.m4
--- old/openconnect-7.00/aclocal.m4     2014-11-27 17:13:45.000000000 +0100
+++ new/openconnect-7.01/aclocal.m4     2014-12-07 22:17:21.000000000 +0100
@@ -1398,6 +1398,7 @@
 AC_SUBST([am__untar])
 ]) # _AM_PROG_TAR
 
+m4_include([m4/ax_check_vscript.m4])
 m4_include([m4/iconv.m4])
 m4_include([m4/lib-ld.m4])
 m4_include([m4/lib-link.m4])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/configure 
new/openconnect-7.01/configure
--- old/openconnect-7.00/configure      2014-11-27 17:13:47.000000000 +0100
+++ new/openconnect-7.01/configure      2014-12-07 22:17:24.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for openconnect 7.00.
+# Generated by GNU Autoconf 2.69 for openconnect 7.01.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='openconnect'
 PACKAGE_TARNAME='openconnect'
-PACKAGE_VERSION='7.00'
-PACKAGE_STRING='openconnect 7.00'
+PACKAGE_VERSION='7.01'
+PACKAGE_STRING='openconnect 7.01'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -679,9 +679,11 @@
 ZLIB_CFLAGS
 LIBXML2_LIBS
 LIBXML2_CFLAGS
-HAVE_SYMBOL_VERSIONING_FALSE
-HAVE_SYMBOL_VERSIONING_TRUE
-VERSION_SCRIPT_ARG
+HAVE_VSCRIPT_COMPLEX_FALSE
+HAVE_VSCRIPT_COMPLEX_TRUE
+HAVE_VSCRIPT_FALSE
+HAVE_VSCRIPT_TRUE
+VSCRIPT_LDFLAGS
 OPENBSD_LIBTOOL_FALSE
 OPENBSD_LIBTOOL_TRUE
 OTOOL64
@@ -1445,7 +1447,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures openconnect 7.00 to adapt to many kinds of systems.
+\`configure' configures openconnect 7.01 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1515,7 +1517,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of openconnect 7.00:";;
+     short | recursive ) echo "Configuration of openconnect 7.01:";;
    esac
   cat <<\_ACEOF
 
@@ -1690,7 +1692,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-openconnect configure 7.00
+openconnect configure 7.01
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2055,7 +2057,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by openconnect $as_me 7.00, which was
+It was created by openconnect $as_me 7.01, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3141,7 +3143,7 @@
 
 # Define the identity of the package.
  PACKAGE='openconnect'
- VERSION='7.00'
+ VERSION='7.01'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -14727,59 +14729,266 @@
 fi
 
 
-# Ick. This seems like it's likely to be very fragile, but I can't see a better
-# way. I shall console myself with the observation that the failure mode isn't
-# particularly horrible — you just don't get symbol versioning if it fails.
 
-# Check whether --enable-symvers was given.
+
+  # Check whether --enable-symvers was given.
 if test "${enable_symvers+set}" = set; then :
   enableval=$enable_symvers; want_symvers=$enableval
 else
   want_symvers=yes
+
 fi
 
 
-symvers=no
-if test "$enable_shared" = "yes" -a "$want_symvers" != "no" ; then
-   { $as_echo "$as_me:${as_lineno-$LINENO}: checking if library symbol 
versioning is available" >&5
-$as_echo_n "checking if library symbol versioning is available... " >&6; };
-   echo 'FOO { global: foo; local: *; };' > conftest.map
-   echo 'int foo = 0;' > conftest.$ac_ext
-   if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5
-  (eval $ac_compile) 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-      soname=conftest
-      libobjs=conftest.$ac_objext
-      if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 
${wl}--version-script ${wl}conftest.map\""; } >&5
-  (eval $archive_cmds ${wl}--version-script ${wl}conftest.map) 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-         VERSION_SCRIPT_ARG=--version-script
+  if test x$want_symvers = xyes; then :
 
-         symvers="yes (with --version-script)"
-      elif { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 
${wl}-M ${wl}conftest.map\""; } >&5
-  (eval $archive_cmds ${wl}-M ${wl}conftest.map) 2>&5
-  ac_status=$?
-  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
-  test $ac_status = 0; }; then
-         VERSION_SCRIPT_ARG=-M
 
-         symvers="yes (with -M)"
-      fi
-   fi
-   { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${symvers}" >&5
-$as_echo "${symvers}" >&6; }
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking linker version script 
flag" >&5
+$as_echo_n "checking linker version script flag... " >&6; }
+if ${ax_cv_check_vscript_flag+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+
+      ax_cv_check_vscript_flag=unsupported
+
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext 
$LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+  ax_check_vscript_save_flags="$LDFLAGS"
+  echo "V1 { global: show; local: *; };" > conftest.map
+  if test x = xyes; then :
+
+    echo "{" >> conftest.map
+
+fi
+  LDFLAGS="$LDFLAGS -Wl,--version-script,conftest.map"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int show, hide;
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+        ax_cv_check_vscript_flag=--version-script
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  LDFLAGS="$ax_check_vscript_save_flags"
+  rm -f conftest.map
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext 
$LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+      if test x$ax_cv_check_vscript_flag = xunsupported; then :
+
+
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext 
$LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+  ax_check_vscript_save_flags="$LDFLAGS"
+  echo "V1 { global: show; local: *; };" > conftest.map
+  if test x = xyes; then :
+
+    echo "{" >> conftest.map
+
+fi
+  LDFLAGS="$LDFLAGS -Wl,-M,conftest.map"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int show, hide;
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ax_cv_check_vscript_flag=-M
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  LDFLAGS="$ax_check_vscript_save_flags"
+  rm -f conftest.map
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext 
$LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+fi
+
+
+      if test x$ax_cv_check_vscript_flag != xunsupported; then :
+
+
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext 
$LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+  ax_check_vscript_save_flags="$LDFLAGS"
+  echo "V1 { global: show; local: *; };" > conftest.map
+  if test xyes = xyes; then :
+
+    echo "{" >> conftest.map
+
+fi
+  LDFLAGS="$LDFLAGS -Wl,$ax_cv_check_vscript_flag,conftest.map"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int show, hide;
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ax_cv_check_vscript_flag=unsupported
 fi
- if test "${symvers}" != "no"; then
-  HAVE_SYMBOL_VERSIONING_TRUE=
-  HAVE_SYMBOL_VERSIONING_FALSE='#'
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  LDFLAGS="$ax_check_vscript_save_flags"
+  rm -f conftest.map
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext 
$LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_vscript_flag" >&5
+$as_echo "$ax_cv_check_vscript_flag" >&6; }
+
+
+    if test x$ax_cv_check_vscript_flag != xunsupported; then :
+
+      ax_check_vscript_flag=$ax_cv_check_vscript_flag
+      { $as_echo "$as_me:${as_lineno-$LINENO}: checking if version scripts can 
use complex wildcards" >&5
+$as_echo_n "checking if version scripts can use complex wildcards... " >&6; }
+if ${ax_cv_check_vscript_complex_wildcards+:} false; then :
+  $as_echo_n "(cached) " >&6
 else
-  HAVE_SYMBOL_VERSIONING_TRUE='#'
-  HAVE_SYMBOL_VERSIONING_FALSE=
+
+        ax_cv_check_vscript_complex_wildcards=no
+
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext 
$LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+  ax_check_vscript_save_flags="$LDFLAGS"
+  echo "V1 { global: sh*; local: *; };" > conftest.map
+  if test x = xyes; then :
+
+    echo "{" >> conftest.map
+
 fi
+  LDFLAGS="$LDFLAGS -Wl,$ax_cv_check_vscript_flag,conftest.map"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+int show, hide;
+int
+main ()
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+        ax_cv_check_vscript_complex_wildcards=yes
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+  LDFLAGS="$ax_check_vscript_save_flags"
+  rm -f conftest.map
+  ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext 
$LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: 
$ax_cv_check_vscript_complex_wildcards" >&5
+$as_echo "$ax_cv_check_vscript_complex_wildcards" >&6; }
+      
ax_check_vscript_complex_wildcards="$ax_cv_check_vscript_complex_wildcards"
+
+else
+
+      ax_check_vscript_flag=
+      ax_check_vscript_complex_wildcards=no
+
+fi
+
+else
+
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking linker version script 
flag" >&5
+$as_echo_n "checking linker version script flag... " >&6; }
+    { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+
+    ax_check_vscript_flag=
+    ax_check_vscript_complex_wildcards=no
+
+fi
+
+  if test x$ax_check_vscript_flag != x; then :
+
+    VSCRIPT_LDFLAGS="-Wl,$ax_check_vscript_flag"
+
+
+fi
+
+   if test x$ax_check_vscript_flag != x; then
+  HAVE_VSCRIPT_TRUE=
+  HAVE_VSCRIPT_FALSE='#'
+else
+  HAVE_VSCRIPT_TRUE='#'
+  HAVE_VSCRIPT_FALSE=
+fi
+
+   if test x$ax_check_vscript_complex_wildcards = xyes; then
+  HAVE_VSCRIPT_COMPLEX_TRUE=
+  HAVE_VSCRIPT_COMPLEX_FALSE='#'
+else
+  HAVE_VSCRIPT_COMPLEX_TRUE='#'
+  HAVE_VSCRIPT_COMPLEX_FALSE=
+fi
+
+
 
 
 
@@ -16684,8 +16893,12 @@
   as_fn_error $? "conditional \"OPENBSD_LIBTOOL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${HAVE_SYMBOL_VERSIONING_TRUE}" && test -z 
"${HAVE_SYMBOL_VERSIONING_FALSE}"; then
-  as_fn_error $? "conditional \"HAVE_SYMBOL_VERSIONING\" was never defined.
+if test -z "${HAVE_VSCRIPT_TRUE}" && test -z "${HAVE_VSCRIPT_FALSE}"; then
+  as_fn_error $? "conditional \"HAVE_VSCRIPT\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${HAVE_VSCRIPT_COMPLEX_TRUE}" && test -z 
"${HAVE_VSCRIPT_COMPLEX_FALSE}"; then
+  as_fn_error $? "conditional \"HAVE_VSCRIPT_COMPLEX\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
 if test -z "${OPENCONNECT_STOKEN_TRUE}" && test -z 
"${OPENCONNECT_STOKEN_FALSE}"; then
@@ -17113,7 +17326,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by openconnect $as_me 7.00, which was
+This file was extended by openconnect $as_me 7.01, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -17179,7 +17392,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-openconnect config.status 7.00
+openconnect config.status 7.01
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/configure.ac 
new/openconnect-7.01/configure.ac
--- old/openconnect-7.00/configure.ac   2014-11-27 17:13:43.000000000 +0100
+++ new/openconnect-7.01/configure.ac   2014-12-07 22:17:20.000000000 +0100
@@ -1,4 +1,4 @@
-AC_INIT(openconnect, 7.00)
+AC_INIT(openconnect, 7.01)
 AC_CONFIG_HEADERS([config.h])
 
 PKG_PROG_PKG_CONFIG
@@ -520,35 +520,7 @@
 fi
 AM_CONDITIONAL(OPENBSD_LIBTOOL, [ test "$use_openbsd_libtool" = "true" ])
 
-# Ick. This seems like it's likely to be very fragile, but I can't see a better
-# way. I shall console myself with the observation that the failure mode isn't
-# particularly horrible — you just don't get symbol versioning if it fails.
-
-AC_ARG_ENABLE([symvers],
-       AS_HELP_STRING([--disable-symvers],
-                      [disable library symbol versioning [default=auto]]),
-       [want_symvers=$enableval],
-       [want_symvers=yes])
-
-symvers=no
-if test "$enable_shared" = "yes" -a "$want_symvers" != "no" ; then
-   AC_MSG_CHECKING([if library symbol versioning is available]);
-   echo 'FOO { global: foo; local: *; };' > conftest.map
-   echo 'int foo = 0;' > conftest.$ac_ext
-   if AC_TRY_EVAL(ac_compile); then
-      soname=conftest
-      libobjs=conftest.$ac_objext
-      if AC_TRY_EVAL(archive_cmds ${wl}--version-script ${wl}conftest.map); 
then
-         AC_SUBST(VERSION_SCRIPT_ARG, [--version-script])
-         symvers="yes (with --version-script)"
-      elif AC_TRY_EVAL(archive_cmds ${wl}-M ${wl}conftest.map); then
-         AC_SUBST(VERSION_SCRIPT_ARG, [-M])
-         symvers="yes (with -M)"
-      fi
-   fi
-   AC_MSG_RESULT(${symvers})
-fi
-AM_CONDITIONAL(HAVE_SYMBOL_VERSIONING, [test "${symvers}" != "no"])
+AX_CHECK_VSCRIPT
 
 PKG_CHECK_MODULES(LIBXML2, libxml-2.0)
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/cstp.c new/openconnect-7.01/cstp.c
--- old/openconnect-7.00/cstp.c 2014-11-18 22:49:55.000000000 +0100
+++ new/openconnect-7.01/cstp.c 2014-12-05 12:57:01.000000000 +0100
@@ -378,6 +378,9 @@
                        int cstpmtu = atol(colon);
                        if (cstpmtu > mtu)
                                mtu = cstpmtu;
+               } else if (!strcmp(buf + 7, "DynDNS")) {
+                       if (!strcmp(colon, "true"))
+                               vpninfo->is_dyndns = 1;
                } else if (!strcmp(buf + 7, "Address-IP6")) {
                        vpninfo->ip_info.netmask6 = new_option->value;
                } else if (!strcmp(buf + 7, "Address")) {
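Review bot: The new `DynDNS` branch can only set `vpninfo->is_dyndns`, never clear it, so a value other than the exact, case-sensitive string `true` leaves whatever an earlier connection stored. Unless the flag is reset elsewhere before the headers are parsed again, assign it directly: `vpninfo->is_dyndns = !strcmp(colon, "true");`. The value is supplied by the server and, per the changelog, causes a fresh DNS lookup on every reconnect. A one-line comment should say so and note that the newly resolved address is still subject to the usual certificate checks; that last part is inferred and needs confirming against the reconnect path. The enclosing function starts and ends outside this hunk.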
@@ -450,6 +453,12 @@
                             _("No IP address received. Aborting\n"));
                return -EINVAL;
        }
+       if (mtu < 1280 &&
+           (vpninfo->ip_info.addr6 || vpninfo->ip_info.netmask6)) {
+               vpn_progress(vpninfo, PRG_ERR,
+                            _("IPv6 configuration received but MTU %d is too 
small.\n"),
+                            mtu);
+       }
        if (old_addr) {
                if (strcmp(old_addr, vpninfo->ip_info.addr)) {
                        vpn_progress(vpninfo, PRG_ERR,
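Review bot: The `1280` in the added check is a bare constant, and the code does not say what happens after the message is printed. A comment above the `if`, such as `/* 1280 is the minimum link MTU that IPv6 requires */`, would explain the number. The branch only logs at `PRG_ERR` and leaves `vpninfo->ip_info.addr6` and `netmask6` set, so whether IPv6 is still configured on a tunnel that cannot carry it depends on code outside this hunk. If continuing is intended, the comment should say that this is a warning and not a failure.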
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/gnutls.c 
new/openconnect-7.01/gnutls.c
--- old/openconnect-7.00/gnutls.c       2014-11-27 15:51:00.000000000 +0100
+++ new/openconnect-7.01/gnutls.c       2014-12-04 22:28:19.000000000 +0100
@@ -980,7 +980,8 @@
                        if (!p11_kit_uri_get_pin_source(uri))
                                p11_kit_uri_set_pin_source(uri, pin_source);
 #endif
-                       if (!p11_kit_uri_get_attribute(uri, CKA_CLASS)) {
+                       if (vpninfo->sslkey == vpninfo->cert ||
+                           !p11_kit_uri_get_attribute(uri, CKA_CLASS)) {
                                class = CKO_PRIVATE_KEY;
                                p11_kit_uri_set_attribute(uri, &attr);
                        }
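Review bot: The added `vpninfo->sslkey == vpninfo->cert` test is a pointer comparison whose meaning is not stated. Presumably the two fields alias when no separate key URL was given, in which case `CKA_CLASS` is now overwritten even when the URI already carried a class. A comment such as `/* key URL was taken from the cert URL: force the private-key class */` would make the intent reviewable. The result of `p11_kit_uri_set_attribute(uri, &attr)` on the context line is also unchecked. The surrounding block begins and ends outside this hunk.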
@@ -1126,8 +1127,8 @@
 #endif /* HAVE_GNUTLS_SYSTEM_KEYS */
 #if defined(HAVE_P11KIT)
        if (key_is_p11) {
-               vpn_progress(vpninfo, PRG_DEBUG,
-                            _("Using PKCS#11 key %s\n"), key_url);
+               vpn_progress(vpninfo, PRG_TRACE,
+                            _("Trying PKCS#11 key URL %s\n"), key_url);
 
                err = gnutls_pkcs11_privkey_init(&p11key);
                if (err) {
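Review bot: `key_url` is written to the log verbatim here, and again by the two `Trying PKCS#11 key URL` messages in the -1213 hunk and the re-added `Using PKCS#11 key` message in the -1230 hunk of this file. A PKCS#11 URI can carry PIN material in its query part: `pin-source`, which the -980 hunk shows being set on a URI, and `pin-value` where the library supports it. Trace or debug output that users attach to bug reports may therefore disclose it. Consider logging a copy of the URI formatted without the PIN attributes, or state next to these calls that the URL is expected to contain no PIN. The function body extends beyond this hunk, so how `key_url` was built cannot be confirmed from here.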
@@ -1153,7 +1154,7 @@
                        gnutls_pkcs11_obj_t crt;
                        P11KitUri *uri;
                        CK_TOKEN_INFO *token;
-                       char buf[33];
+                       char buf[65];
                        size_t s;
 
                        if (gnutls_pkcs11_obj_init(&crt))
@@ -1213,8 +1214,41 @@
 
                        free(key_url);
                        key_url = NULL;
-                       if (!p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, 
&key_url))
+                       if (p11_kit_uri_format(uri, P11_KIT_URI_FOR_ANY, 
&key_url))
+                               goto key_err_uri;
+
+                       vpn_progress(vpninfo, PRG_TRACE,
+                                    _("Trying PKCS#11 key URL %s\n"), key_url);
+                       err = gnutls_pkcs11_privkey_import_url(p11key, key_url, 
0);
+
+                       /* If it still doesn't work then try dropping CKA_LABEL 
and adding the
+                          CKA_ID of the cert. */
+                       if (err == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE &&
+                           (p11_kit_uri_get_attribute(uri, CKA_LABEL) ||
+                            !p11_kit_uri_get_attribute(uri, CKA_ID))) {
+                               CK_ATTRIBUTE attr;
+
+                               s = sizeof(buf);
+                               if (gnutls_pkcs11_obj_get_info(crt, 
GNUTLS_PKCS11_OBJ_ID,
+                                                              buf, &s))
+                                       goto key_err_uri;
+
+                               attr.type = CKA_ID;
+                               attr.pValue = buf;
+                               attr.ulValueLen = s;
+
+                               p11_kit_uri_set_attribute(uri, &attr);
+                               p11_kit_uri_clear_attribute(uri, CKA_LABEL);
+
+                               free(key_url);
+                               key_url = NULL;
+                               if (p11_kit_uri_format(uri, 
P11_KIT_URI_FOR_ANY, &key_url))
+                                       goto key_err_uri;
+
+                               vpn_progress(vpninfo, PRG_TRACE,
+                                            _("Trying PKCS#11 key URL %s\n"), 
key_url);
                                err = gnutls_pkcs11_privkey_import_url(p11key, 
key_url, 0);
+                       }
                key_err_uri:
                        p11_kit_uri_free(uri);
                key_err_obj:
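Review bot: In the CKA_ID fallback the results of `p11_kit_uri_set_attribute(uri, &attr)` and `p11_kit_uri_clear_attribute(uri, CKA_LABEL)` are ignored. If setting the ID fails while the label is still cleared, the reformatted URL matches on fewer attributes than intended, and the second import could select a different private key on the token. Check the first call before dropping the label, for example `if (p11_kit_uri_set_attribute(uri, &attr) != P11_KIT_URI_OK) goto key_err_uri;`. The block this code belongs to starts and ends outside the hunk, so the handling after `key_err_uri` is not visible here.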
@@ -1230,6 +1264,8 @@
                        ret = -EIO;
                        goto out;
                }
+               vpn_progress(vpninfo, PRG_DEBUG,
+                            _("Using PKCS#11 key %s\n"), key_url);
 
                err = gnutls_privkey_init(&pkey);
                if (err) {
@@ -1971,7 +2007,7 @@
 # define _DEFAULT_PRIO "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
        "%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
 # if GNUTLS_VERSION_MAJOR >= 3
-#  define DEFAULT_PRIO _DEFAULT_PRIO":-CURVE-ALL"
+#  define DEFAULT_PRIO _DEFAULT_PRIO":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA"
 #else
 #  define DEFAULT_PRIO _DEFAULT_PRIO
 # endif
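Review bot: The new `:-ECDHE-RSA:-ECDHE-ECDSA` suffix removes both ECDHE key exchanges from the default priority string without a comment saying why. With `-CURVE-ALL` already present, this presumably only stops offering suites that could not complete. The visible effect is that forward secrecy now depends on finite-field DHE being negotiated, on top of a string that already pins TLS 1.0 and sets `%DISABLE_SAFE_RENEGOTIATION`. Add a comment above the define naming the server behaviour this works around, so the restriction can be revisited when it no longer applies.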
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/http.c new/openconnect-7.01/http.c
--- old/openconnect-7.00/http.c 2014-11-06 11:17:45.000000000 +0100
+++ new/openconnect-7.01/http.c 2014-12-02 16:37:06.000000000 +0100
@@ -2062,7 +2062,8 @@
 {
        int i;
 
-       if (!strcasecmp(hdr, "Proxy-Connection")) {
+       if (!strcasecmp(hdr, "Proxy-Connection") ||
+           !strcasecmp(hdr, "Connection")) {
                if (!strcasecmp(val, "close"))
                        vpninfo->proxy_close_during_auth = 1;
                return 0;
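Review bot: `Connection` carries a comma-separated list of tokens in HTTP/1.1, so the exact match `strcasecmp(val, "close")` on the context line misses values such as `keep-alive, close` now that the generic header is routed through this branch. In that case `vpninfo->proxy_close_during_auth` stays 0 and the client may keep using a proxy connection that is about to be closed. Splitting `val` on commas, trimming whitespace and comparing each token would cover both headers. The function signature is outside this hunk, so the origin of `val` is assumed to be the raw header value.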
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/libopenconnect.map.in 
new/openconnect-7.01/libopenconnect.map.in
--- old/openconnect-7.00/libopenconnect.map.in  2014-11-27 17:10:49.000000000 
+0100
+++ new/openconnect-7.01/libopenconnect.map.in  2014-12-07 21:24:43.000000000 
+0100
@@ -43,7 +43,6 @@
        openconnect_set_proxy_auth;
        openconnect_set_reported_os;
        openconnect_set_reqmtu;
-       openconnect_set_server_cert_sha1;
        openconnect_set_stats_handler;
        openconnect_set_stoken_mode;
        openconnect_set_system_trust;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/library.c 
new/openconnect-7.01/library.c
--- old/openconnect-7.00/library.c      2014-11-27 17:10:49.000000000 +0100
+++ new/openconnect-7.01/library.c      2014-12-07 22:16:32.000000000 +0100
@@ -702,6 +702,11 @@
 const char *openconnect_get_dtls_cipher(struct openconnect_info *vpninfo)
 {
 #if defined(DTLS_GNUTLS)
+       if (vpninfo->dtls_state != DTLS_CONNECTED) {
+               gnutls_free(vpninfo->gnutls_dtls_cipher);
+               vpninfo->gnutls_dtls_cipher = NULL;
+               return NULL;
+       }
        /* in DTLS rehandshakes don't switch the ciphersuite as only
         * one is enabled. */
        if (vpninfo->gnutls_dtls_cipher == NULL)
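Review bot: This getter now frees `vpninfo->gnutls_dtls_cipher` whenever DTLS is not connected, so a `const char *` that a caller kept from an earlier call is left dangling by the next call. That assumes the function returns the cached pointer, which the rest of the body, outside this hunk, would confirm. Document the lifetime at the declaration, for example `/* returned string is owned by the library and valid only until the next call */`. Also, `dtls_state` is read and the cache is freed with no locking visible here. If a UI thread calls this while the main loop changes the DTLS state, that needs either a lock or a note that the call is only valid from the main-loop thread.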
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/m4/ax_check_vscript.m4 
new/openconnect-7.01/m4/ax_check_vscript.m4
--- old/openconnect-7.00/m4/ax_check_vscript.m4 1970-01-01 01:00:00.000000000 
+0100
+++ new/openconnect-7.01/m4/ax_check_vscript.m4 2014-12-07 19:52:55.000000000 
+0100
@@ -0,0 +1,142 @@
+# ===========================================================================
+#   http://www.gnu.org/software/autoconf-archive/ax_check_vscript.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_VSCRIPT
+#
+# DESCRIPTION
+#
+#   Check whether the linker supports version scripts.  Version scripts are
+#   used when building shared libraries to bind symbols to version nodes
+#   (helping to detect incompatibilities) or to limit the visibility of
+#   non-public symbols.
+#
+#   Output:
+#
+#   If version scripts are supported, VSCRIPT_LDFLAGS will contain the
+#   appropriate flag to pass to the linker.  On GNU systems this would
+#   typically be "-Wl,--version-script", and on Solaris it would
+#   typically be "-Wl,-M".
+#
+#   Two Automake conditionals are also set:
+#
+#    HAVE_VSCRIPT is true if the linker supports version scripts with
+#    entries that use simple wildcards, like "local: *".
+#
+#    HAVE_VSCRIPT_COMPLEX is true if the linker supports version scripts with
+#    pattern matching wildcards, like "global: Java_*".
+#
+#   On systems that do not support symbol versioning, such as Mac OS X, both
+#   conditionals will be false.  They will also be false if the user passes
+#   "--disable-symvers" on the configure command line.
+#
+#   Example:
+#
+#    configure.ac:
+#
+#     AX_CHECK_VSCRIPT
+#
+#    Makefile.am:
+#
+#     if HAVE_VSCRIPT
+#     libfoo_la_LDFLAGS += $(VSCRIPT_LDFLAGS),@srcdir@/libfoo.map
+#     endif
+#
+#     if HAVE_VSCRIPT_COMPLEX
+#     libbar_la_LDFLAGS += $(VSCRIPT_LDFLAGS),@srcdir@/libbar.map
+#     endif
+#
+# LICENSE
+#
+#   Copyright (c) 2014 Kevin Cernekee <cerne...@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 1
+
+# _AX_CHECK_VSCRIPT(flag, global-sym, action-if-link-succeeds, [junk-file=no])
+AC_DEFUN([_AX_CHECK_VSCRIPT], [
+  AC_LANG_PUSH([C])
+  ax_check_vscript_save_flags="$LDFLAGS"
+  echo "V1 { global: $2; local: *; };" > conftest.map
+  AS_IF([test x$4 = xyes], [
+    echo "{" >> conftest.map
+  ])
+  LDFLAGS="$LDFLAGS -Wl,$1,conftest.map"
+  AC_LINK_IFELSE([AC_LANG_PROGRAM([[int show, hide;]], [])], [$3])
+  LDFLAGS="$ax_check_vscript_save_flags"
+  rm -f conftest.map
+  AC_LANG_POP([C])
+]) dnl _AX_CHECK_VSCRIPT
+
+AC_DEFUN([AX_CHECK_VSCRIPT], [
+
+  AC_ARG_ENABLE([symvers],
+    AS_HELP_STRING([--disable-symvers],
+                   [disable library symbol versioning [default=auto]]),
+    [want_symvers=$enableval],
+    [want_symvers=yes]
+  )
+
+  AS_IF([test x$want_symvers = xyes], [
+
+    dnl First test --version-script and -M with a simple wildcard.
+
+    AC_CACHE_CHECK([linker version script flag], ax_cv_check_vscript_flag, [
+      ax_cv_check_vscript_flag=unsupported
+      _AX_CHECK_VSCRIPT([--version-script], [show], [
+        ax_cv_check_vscript_flag=--version-script
+      ])
+      AS_IF([test x$ax_cv_check_vscript_flag = xunsupported], [
+        _AX_CHECK_VSCRIPT([-M], [show], [ax_cv_check_vscript_flag=-M])
+      ])
+
+      dnl The linker may interpret -M (no argument) as "produce a load map."
+      dnl If "-M conftest.map" doesn't fail when conftest.map contains
+      dnl obvious syntax errors, assume this is the case.
+
+      AS_IF([test x$ax_cv_check_vscript_flag != xunsupported], [
+        _AX_CHECK_VSCRIPT([$ax_cv_check_vscript_flag], [show],
+                         [ax_cv_check_vscript_flag=unsupported], [yes])
+      ])
+    ])
+
+    dnl If the simple wildcard worked, retest with a complex wildcard.
+
+    AS_IF([test x$ax_cv_check_vscript_flag != xunsupported], [
+      ax_check_vscript_flag=$ax_cv_check_vscript_flag
+      AC_CACHE_CHECK([if version scripts can use complex wildcards],
+                     ax_cv_check_vscript_complex_wildcards, [
+        ax_cv_check_vscript_complex_wildcards=no
+        _AX_CHECK_VSCRIPT([$ax_cv_check_vscript_flag], [sh*], [
+        ax_cv_check_vscript_complex_wildcards=yes])
+      ])
+      
ax_check_vscript_complex_wildcards="$ax_cv_check_vscript_complex_wildcards"
+    ], [
+      ax_check_vscript_flag=
+      ax_check_vscript_complex_wildcards=no
+    ])
+  ], [
+    AC_MSG_CHECKING([linker version script flag])
+    AC_MSG_RESULT([disabled])
+
+    ax_check_vscript_flag=
+    ax_check_vscript_complex_wildcards=no
+  ])
+
+  AS_IF([test x$ax_check_vscript_flag != x], [
+    VSCRIPT_LDFLAGS="-Wl,$ax_check_vscript_flag"
+    AC_SUBST([VSCRIPT_LDFLAGS])
+  ])
+
+  AM_CONDITIONAL([HAVE_VSCRIPT],
+    [test x$ax_check_vscript_flag != x])
+  AM_CONDITIONAL([HAVE_VSCRIPT_COMPLEX],
+    [test x$ax_check_vscript_complex_wildcards = xyes])
+
+]) dnl AX_CHECK_VSCRIPT
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/main.c new/openconnect-7.01/main.c
--- old/openconnect-7.00/main.c 2014-11-27 17:10:49.000000000 +0100
+++ new/openconnect-7.01/main.c 2014-12-07 19:58:46.000000000 +0100
@@ -258,7 +258,8 @@
 };
 
 #ifdef _WIN32
-static int vfprintf_utf8(FILE *f, const char *fmt, va_list args)
+static int __attribute__ ((format(printf, 2, 0)))
+    vfprintf_utf8(FILE *f, const char *fmt, va_list args)
 {
        HANDLE h = GetStdHandle(f == stdout ? STD_OUTPUT_HANDLE : 
STD_ERROR_HANDLE);
        wchar_t wbuf[1024];
@@ -273,7 +274,8 @@
        return chars;
 }
 
-static int fprintf_utf8(FILE *f, const char *fmt, ...)
+static int __attribute__ ((format(printf, 2, 3)))
+    fprintf_utf8(FILE *f, const char *fmt, ...)
 {
        va_list args;
        int ret;
@@ -365,7 +367,7 @@
        nr_read = WideCharToMultiByte(CP_UTF8, 0, wbuf, -1, NULL, 0, NULL, 
NULL);
        if (!nr_read) {
                char *errstr = openconnect__win32_strerror(GetLastError());
-               fprintf(stderr, _("Error converting console input: %lx\n"),
+               fprintf(stderr, _("Error converting console input: %s\n"),
                        errstr);
                free(errstr);
                goto out;
@@ -408,7 +410,8 @@
        return 1;
 }
 
-static int vfprintf_utf8(FILE *f, const char *fmt, va_list args)
+static int __attribute__ ((format(printf, 2, 0)))
+    vfprintf_utf8(FILE *f, const char *fmt, va_list args)
 {
        char *utf8_str;
        iconv_t ic;
@@ -463,7 +466,8 @@
        return ret;
 }
 
-static int fprintf_utf8(FILE *f, const char *fmt, ...)
+static int __attribute__ ((format(printf, 2, 3)))
+    fprintf_utf8(FILE *f, const char *fmt, ...)
 {
        va_list args;
        int ret;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/openconnect-internal.h 
new/openconnect-7.01/openconnect-internal.h
--- old/openconnect-7.00/openconnect-internal.h 2014-11-20 23:40:22.000000000 
+0100
+++ new/openconnect-7.01/openconnect-internal.h 2014-12-05 12:57:38.000000000 
+0100
@@ -427,6 +427,7 @@
        int dtls_local_port;
 
        int deflate;
+       int is_dyndns; /* Attempt to redo DNS lookup on each CSTP reconnect */
        char *useragent;
 
        const char *quit_reason;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/po/Makefile.in 
new/openconnect-7.01/po/Makefile.in
--- old/openconnect-7.00/po/Makefile.in 2014-11-27 17:13:46.000000000 +0100
+++ new/openconnect-7.01/po/Makefile.in 2014-12-07 22:17:23.000000000 +0100
@@ -81,12 +81,13 @@
 subdir = po
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am ChangeLog
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \
-       $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
-       $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
-       $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
-       $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
-       $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \
+       $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
+       $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
+       $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+       $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+       $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \
+       $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
        $(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -237,7 +238,7 @@
 TSS_CFLAGS = @TSS_CFLAGS@
 TSS_LIBS = @TSS_LIBS@
 VERSION = @VERSION@
-VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@
+VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@
 WFLAGS = @WFLAGS@
 ZLIB_CFLAGS = @ZLIB_CFLAGS@
 ZLIB_LIBS = @ZLIB_LIBS@
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/ssl.c new/openconnect-7.01/ssl.c
--- old/openconnect-7.00/ssl.c  2014-11-04 16:08:45.000000000 +0100
+++ new/openconnect-7.01/ssl.c  2014-12-07 19:57:10.000000000 +0100
@@ -106,6 +106,23 @@
        return 1;
 }
 
+static int match_sockaddr(struct sockaddr *a, struct sockaddr *b)
+{
+       if (a->sa_family == AF_INET) {
+               struct sockaddr_in *a4 = (void *)a;
+               struct sockaddr_in *b4 = (void *)b;
+
+               return (a4->sin_addr.s_addr == b4->sin_addr.s_addr) &&
+                       (a4->sin_port == b4->sin_port);
+       } else if (a->sa_family == AF_INET6) {
+               struct sockaddr_in6 *a6 = (void *)a;
+               struct sockaddr_in6 *b6 = (void *)b;
+               return !memcmp(&a6->sin6_addr, &b6->sin6_addr, 
sizeof(a6->sin6_addr)) &&
+                      a6->sin6_port == b6->sin6_port;
+       } else
+               return 0;
+}
+
 int connect_https_socket(struct openconnect_info *vpninfo)
 {
        int ssl_sock = -1;
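Review bot: `match_sockaddr()` dispatches on `a->sa_family` only and then casts `b` to the same structure type, so a `b` of a different address family would be read through the wrong layout. The one caller visible in this diff compares `peer_addrlen` with `rp->ai_addrlen` first, which makes a mismatch unlikely but leaves the helper unsafe on its own; adding `if (a->sa_family != b->sa_family) return 0;` at the top closes that. The IPv6 branch also ignores `sin6_scope_id`, so two link-local addresses on different interfaces compare equal; if scoped addresses can reach this code, add `a6->sin6_scope_id == b6->sin6_scope_id` to the comparison.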
@@ -114,7 +131,11 @@
        if (!vpninfo->port)
                vpninfo->port = 443;
 
-       if (vpninfo->peer_addr) {
+       /* If we're talking to a server which told us it has dynamic DNS, don't
+          just re-use its previous IP address. If we're talking to a proxy, we
+          can use *its* previous IP address. We expect it'll re-do the DNS
+          lookup for the server anyway. */
+       if (vpninfo->peer_addr && (!vpninfo->is_dyndns || vpninfo->proxy)) {
        reconnect:
 #ifdef SOCK_CLOEXEC
                ssl_sock = socket(vpninfo->peer_addr->sa_family, SOCK_STREAM | 
SOCK_CLOEXEC, IPPROTO_IP);
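Review bot: With `is_dyndns` set and no proxy, the cached `peer_addr` is skipped and each reconnect goes to whatever address a fresh DNS lookup returns, so the authenticity of the reconnect endpoint rests on the TLS certificate check alone. The flag is described in the changelog as driven by the server's `X-CSTP-DynDNS` header, and the certificate handling of the reconnect path is not in this hunk. It is worth confirming that a reconnect re-validates the certificate or the previously accepted fingerprint, and saying so in the comment, e.g. `/* The re-resolved address is untrusted until the TLS handshake re-validates the server certificate. */`. The `reconnect:` label inside this `if` is also the target of the `goto reconnect` fallbacks added in the later hunks, which enter the block without evaluating the condition; a one-line comment at the label would mark that as intentional. `connect_https_socket()` continues outside the hunk.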
@@ -230,6 +251,13 @@
                        if (hints.ai_flags & AI_NUMERICHOST)
                                free(hostname);
                        ssl_sock = -EINVAL;
+                       /* If we were just retrying for dynamic DNS, reconnct 
using
+                          the previously-known IP address */
+                       if (vpninfo->peer_addr) {
+                               vpn_progress(vpninfo, PRG_ERR,
+                                            _("Reconnecting to DynDNS server 
using previously cached IP address\n"));
+                               goto reconnect;
+                       }
                        goto out;
                }
                if (hints.ai_flags & AI_NUMERICHOST)
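Review bot: The fallback added here jumps back to `reconnect:` whenever `peer_addr` is still set, and the same five lines are added again in the `@@ -296,6 +337,11 @@` hunk. Nothing visible in either hunk bounds how often that path can be taken, so confirm that a failed connect to the cached address ends in `goto out` rather than returning to the lookup. The duplicated block would be easier to keep in sync as one small static helper or a single shared label. The comment has a typo, `reconnct` for `reconnect`, and since this is a recoverable retry the message may fit `PRG_INFO` better than `PRG_ERR`.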
@@ -257,6 +285,8 @@
                        if (cancellable_connect(vpninfo, ssl_sock, rp->ai_addr, 
rp->ai_addrlen) >= 0) {
                                /* Store the peer address we actually used, so 
that DTLS can
                                   use it again later */
+                               free(vpninfo->peer_addr);
+                               vpninfo->peer_addrlen = 0;
                                vpninfo->peer_addr = malloc(rp->ai_addrlen);
                                if (!vpninfo->peer_addr) {
                                        vpn_progress(vpninfo, PRG_ERR,
@@ -288,6 +318,17 @@
                        }
                        closesocket(ssl_sock);
                        ssl_sock = -1;
+
+                       /* If we're in DynDNS mode but this *was* the cached IP 
address,
+                        * don't bother falling back to it if it didn't work. */
+                       if (vpninfo->peer_addr && vpninfo->peer_addrlen == 
rp->ai_addrlen &&
+                           match_sockaddr(vpninfo->peer_addr, rp->ai_addr)) {
+                               vpn_progress(vpninfo, PRG_TRACE,
+                                            _("Forgetting non-functional 
previous peer address\n"));
+                               free(vpninfo->peer_addr);
+                               vpninfo->peer_addr = 0;
+                               vpninfo->peer_addrlen = 0;
+                       }
                }
                freeaddrinfo(result);
 
@@ -296,6 +337,11 @@
                                     _("Failed to connect to host %s\n"),
                                     vpninfo->proxy?:vpninfo->hostname);
                        ssl_sock = -EINVAL;
+                       if (vpninfo->peer_addr) {
+                               vpn_progress(vpninfo, PRG_ERR,
+                                            _("Reconnecting to DynDNS server 
using previously cached IP address\n"));
+                               goto reconnect;
+                       }
                        goto out;
                }
        }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/version.c 
new/openconnect-7.01/version.c
--- old/openconnect-7.00/version.c      2014-11-27 17:13:52.000000000 +0100
+++ new/openconnect-7.01/version.c      2014-12-07 22:17:28.000000000 +0100
@@ -1 +1 @@
-const char *openconnect_version_str = "v7.00";
+const char *openconnect_version_str = "v7.01";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/version.sh 
new/openconnect-7.01/version.sh
--- old/openconnect-7.00/version.sh     2014-11-27 17:13:43.000000000 +0100
+++ new/openconnect-7.01/version.sh     2014-12-07 22:17:20.000000000 +0100
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-v="v7.00"
+v="v7.01"
 
 if [ -d ${GIT_DIR:-.git} ] && tag=`git describe --tags`; then
        v="$tag"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/www/Makefile.am 
new/openconnect-7.01/www/Makefile.am
--- old/openconnect-7.00/www/Makefile.am        2014-11-04 16:08:45.000000000 
+0100
+++ new/openconnect-7.01/www/Makefile.am        2014-12-05 14:35:30.000000000 
+0100
@@ -3,7 +3,7 @@
 SUBDIRS = styles inc images
 CONV   = "$(srcdir)/html.py"
 
-FTR_PAGES = csd.html charset.html token.html features.html gui.html 
nonroot.html
+FTR_PAGES = csd.html charset.html token.html pkcs11.html features.html 
gui.html nonroot.html
 START_PAGES = building.html connecting.html manual.html vpnc-script.html 
 INDEX_PAGES = changelog.html download.html index.html packages.html 
platforms.html
 TOPLEVEL_PAGES = contribute.html mail.html technical.html
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/www/Makefile.in 
new/openconnect-7.01/www/Makefile.in
--- old/openconnect-7.00/www/Makefile.in        2014-11-27 17:13:46.000000000 
+0100
+++ new/openconnect-7.01/www/Makefile.in        2014-12-07 22:17:23.000000000 
+0100
@@ -83,12 +83,13 @@
 subdir = www
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \
-       $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
-       $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
-       $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
-       $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
-       $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \
+       $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
+       $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
+       $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+       $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+       $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \
+       $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
        $(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -327,7 +328,7 @@
 TSS_CFLAGS = @TSS_CFLAGS@
 TSS_LIBS = @TSS_LIBS@
 VERSION = @VERSION@
-VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@
+VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@
 WFLAGS = @WFLAGS@
 ZLIB_CFLAGS = @ZLIB_CFLAGS@
 ZLIB_LIBS = @ZLIB_LIBS@
@@ -388,7 +389,7 @@
 top_srcdir = @top_srcdir@
 SUBDIRS = styles inc images
 CONV = "$(srcdir)/html.py"
-FTR_PAGES = csd.html charset.html token.html features.html gui.html 
nonroot.html
+FTR_PAGES = csd.html charset.html token.html pkcs11.html features.html 
gui.html nonroot.html
 START_PAGES = building.html connecting.html manual.html vpnc-script.html 
 INDEX_PAGES = changelog.html download.html index.html packages.html 
platforms.html
 TOPLEVEL_PAGES = contribute.html mail.html technical.html
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/www/changelog.xml 
new/openconnect-7.01/www/changelog.xml
--- old/openconnect-7.00/www/changelog.xml      2014-11-27 17:13:43.000000000 
+0100
+++ new/openconnect-7.01/www/changelog.xml      2014-12-07 22:17:20.000000000 
+0100
@@ -18,6 +18,15 @@
        <li><i>No changelog entries yet</i></li>
      </ul><br/>
   </li>
+  <li><b><a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.01.tar.gz";>OpenConnect
 v7.01</a></b>
+     <i>(<a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.01.tar.gz.asc";>PGP 
signature</a>)</i> &#8212; 2014-12-07
+     <ul>
+       <li>Try harder to find a PKCS#11 key to match a given certificate.</li>
+       <li>Handle '<tt>Connection: close</tt>' from proxies correctly.</li>
+       <li>Warn when MTU is set too low <i>(&lt;1280)</i> to permit IPv6 
connectivity.</li>
+       <li>Add support for <tt>X-CSTP-DynDNS</tt>, to trigger DNS lookup on 
each reconnect.</li>
+     </ul><br/>
+  </li>
   <li><b><a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz";>OpenConnect
 v7.00</a></b>
      <i>(<a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz.asc";>PGP 
signature</a>)</i> &#8212; 2014-11-27
      <ul>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/www/download.xml 
new/openconnect-7.01/www/download.xml
--- old/openconnect-7.00/www/download.xml       2014-11-27 17:13:43.000000000 
+0100
+++ new/openconnect-7.01/www/download.xml       2014-12-07 22:17:20.000000000 
+0100
@@ -17,29 +17,14 @@
 
 <p>
 <!-- latest-release-start -->
-The latest release is <a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz";>OpenConnect
 v7.00</a>
-<i>(<a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz.asc";>PGP 
signature</a>)</i>,
-released on 2014-11-27 with the following changelog:</p>
+The latest release is <a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.01.tar.gz";>OpenConnect
 v7.01</a>
+<i>(<a 
href="ftp://ftp.infradead.org/pub/openconnect/openconnect-7.01.tar.gz.asc";>PGP 
signature</a>)</i>,
+released on 2014-12-07 with the following changelog:</p>
      <ul>
-       <li>Add support for GnuTLS 3.4 <tt>system:</tt> keys including Windows 
certificate store.</li>
-       <li>Add support for HOTP/TOTP keys from Yubikey NEO devices.</li>
-       <li>Add <tt>---no-system-trust</tt> option to disable default 
certificate authorities.</li>
-       <li>Improve <tt>libiconv</tt> and <tt>libintl</tt> detection.</li>
-       <li>Stop calling <tt>setenv()</tt> from library functions.</li>
-       <li>Support <tt>utun</tt> driver on OS X.</li>
-       <li>Change library API so string ownership is never transferred.</li>
-       <li>Support new NDIS6 TAP-Windows driver shipped with OpenVPN 
2.3.4.</li>
-       <li>Support using PSKC <i>(<a 
href="http://tools.ietf.org/html/rfc6030";>RFC6030</a>)</i> token files for 
HOTP/TOTP tokens.</li>
-       <li>Support for updating HOTP token storage when token is used.</li>
-       <li>Support for reading OTP token data from a file.</li>
-       <li>Add full <a href="charset.html">character set handling</a> for 
legacy non-UTF8 systems <i>(including Windows)</i>.</li>
-       <li>Fix legacy <i>(i.e. not XML POST)</i> submission of non-ASCII form 
entries <i>(even in UTF-8 locales)</i>.</li>
-       <li>Add support for 32-bit Windows XP.</li>
-       <li>Avoid retrying without XML POST, when we failed to even reach the 
server.</li>
-       <li>Fix off-by-one in parameter substitution in error messages.</li>
-       <li>Improve reporting when GSSAPI auth requested but not compiled 
in.</li>
-       <li>Fix parsing of split include routes on Windows.</li>
-       <li>Fix crash on invocation with <tt>--token-mode</tt> but no 
<tt>--token-secret</tt>.</li>
+       <li>Try harder to find a PKCS#11 key to match a given certificate.</li>
+       <li>Handle '<tt>Connection: close</tt>' from proxies correctly.</li>
+       <li>Warn when MTU is set too low <i>(&lt;1280)</i> to permit IPv6 
connectivity.</li>
+       <li>Add support for <tt>X-CSTP-DynDNS</tt>, to trigger DNS lookup on 
each reconnect.</li>
      </ul>
 <!-- latest-release-end -->
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/www/images/Makefile.in 
new/openconnect-7.01/www/images/Makefile.in
--- old/openconnect-7.00/www/images/Makefile.in 2014-11-27 17:13:46.000000000 
+0100
+++ new/openconnect-7.01/www/images/Makefile.in 2014-12-07 22:17:23.000000000 
+0100
@@ -82,12 +82,13 @@
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
        $(dist_images_DATA)
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \
-       $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
-       $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
-       $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
-       $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
-       $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \
+       $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
+       $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
+       $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+       $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+       $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \
+       $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
        $(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -266,7 +267,7 @@
 TSS_CFLAGS = @TSS_CFLAGS@
 TSS_LIBS = @TSS_LIBS@
 VERSION = @VERSION@
-VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@
+VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@
 WFLAGS = @WFLAGS@
 ZLIB_CFLAGS = @ZLIB_CFLAGS@
 ZLIB_LIBS = @ZLIB_LIBS@
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/www/inc/Makefile.in 
new/openconnect-7.01/www/inc/Makefile.in
--- old/openconnect-7.00/www/inc/Makefile.in    2014-11-27 17:13:46.000000000 
+0100
+++ new/openconnect-7.01/www/inc/Makefile.in    2014-12-07 22:17:23.000000000 
+0100
@@ -82,12 +82,13 @@
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
        $(dist_tmpldata_DATA)
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \
-       $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
-       $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
-       $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
-       $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
-       $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \
+       $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
+       $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
+       $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+       $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+       $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \
+       $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
        $(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -266,7 +267,7 @@
 TSS_CFLAGS = @TSS_CFLAGS@
 TSS_LIBS = @TSS_LIBS@
 VERSION = @VERSION@
-VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@
+VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@
 WFLAGS = @WFLAGS@
 ZLIB_CFLAGS = @ZLIB_CFLAGS@
 ZLIB_LIBS = @ZLIB_LIBS@
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/www/menu2-features.xml 
new/openconnect-7.01/www/menu2-features.xml
--- old/openconnect-7.00/www/menu2-features.xml 2014-11-13 23:59:31.000000000 
+0100
+++ new/openconnect-7.01/www/menu2-features.xml 2014-12-05 14:36:41.000000000 
+0100
@@ -6,5 +6,6 @@
        <MENU topic="GUI" link="gui.html" mode="VAR_SEL_FEATURE_GUI" />
        <MENU topic="Character sets" link="charset.html" 
mode="VAR_SEL_FEATURE_CHARSET" />
        <MENU topic="One Time Passwords" link="token.html" 
mode="VAR_SEL_FEATURE_TOKEN" />
+       <MENU topic="Smart Cards / PKCS#11" link="pkcs11.html" 
mode="VAR_SEL_FEATURE_PKCS11" />
        <ENDMENU />
 </PAGE>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/www/pkcs11.xml 
new/openconnect-7.01/www/pkcs11.xml
--- old/openconnect-7.00/www/pkcs11.xml 1970-01-01 01:00:00.000000000 +0100
+++ new/openconnect-7.01/www/pkcs11.xml 2014-12-05 21:19:02.000000000 +0100
@@ -0,0 +1,207 @@
+<PAGE>
+       <INCLUDE file="inc/header.tmpl" />
+
+       <VAR match="VAR_SEL_FEATURES" replace="selected" />
+       <VAR match="VAR_SEL_FEATURE_PKCS11" replace="selected" />
+       <PARSE file="menu1.xml" />
+       <PARSE file="menu2-features.xml" />
+
+       <INCLUDE file="inc/content.tmpl" />
+
+<h1>Smart Card / PKCS#11 support</h1>
+
+<p>OpenConnect supports the use of X.509 certificates and keys from
+smart cards <i>(as well as software storage such as GNOME Keyring and
+SoftHSM)</i> by means of the PKCS#11 standard. Objects from PKCS#11 tokens
+are specified by a <a 
href="http://p11-glue.freedesktop.org/pkcs11-uris.html";>PKCS#11 URI</a>.</p>
+
+<p>In order to use a certificate or key with OpenConnect, you must
+provide a PKCS#11 URI which identifies it sufficiently. That can be as simple
+as the following example:
+<ul><li> <tt>openconnect -c <i>pkcs11:id=%01</i> vpn.example.com</tt></li></ul>
+
+However, if you're now looking blankly at a USB crypto device and
+wondering what PKCS#11 URI to use, the following documentation should
+hopefully assist you in working it out.</p>
+
+<h2>Identifying the token</h2>
+<p>In order to use a PKCS#11 token with OpenConnect, first it must be installed
+appropriately in the system's
+<a href="http://p11-glue.freedesktop.org/doc/p11-kit/config.html";>p11-kit 
configuration</a>.
+You shouldn't need to worry about this; it should automatically be the case for
+properly packaged software on any modern operating system.</p>
+
+<p>Typically, the smart card support is likely to be
+provided by <a href="https://github.com/OpenSC/OpenSC/wiki";>OpenSC</a> and a
+distribution's packaging of OpenSC should automatically have registered
+the OpenSC module with p11-kit by creating a file such as
+<tt>/usr/share/p11-kit/modules/opensc.module</tt>.</p>
+
+<p>In order to query the available PKCS#11 modules, and the certificates
+stored therein, the best tool to use is the
+<a 
href="http://www.gnutls.org/manual/html_node/p11tool-Invocation.html";>p11tool</a>
+distributed with GnuTLS. In Fedora it's in the <tt>gnutls-utils</tt> 
package.</p>
+
+<p>First identify the PKCS#11 modules which are available by using the 
<tt>--list-tokens</tt> option:</p>
+<ul><li><tt>p11tool --list-tokens</tt></li></ul>
+This should produce output including something like the following:
+<table border="1"><tr><td><pre>
+Token 7:
+       URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29
 
+       Label: PIV_II (PIV Card Holder pin)
+       Type: Hardware token
+       Manufacturer: piv_II
+       Model: PKCS#15 emulated
+       Serial: 108421384210c3f5
+</pre></td></tr></table>
+
+<p>This example shows the relatively common <a 
href="https://www.opensc-project.org/opensc/wiki/UnitedStatesPIV";>PIV</a>
+SmartCard, in this case in a <a 
href="https://developers.yubico.com/yubico-piv-tool/YubiKey-NEO-PIV-Introduction.html";>Yubikey
 NEO</a> device.</p>
+
+<h2>Locating the certificate</h2>
+
+<p>Having established that the token is present and registered correctly with 
p11-kit, the next
+step is to identify the URI of the certificate you wish to use. You will note 
that
+the above output of <tt>p11tool --list-tokens</tt> gave a PKCS#11 URI for each 
token.
+With that, we can now query the objects available <em>within</em> a specific 
token, using the <tt>--list-all-certs</tt>
+option. We can cut and paste the PKCS#11 URI for the token, but be careful to 
put it within
+quotes because it contains semicolons:</p>
+<ul><li><tt>p11tool --list-all-certs 
'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29'</tt></li></ul>
+
+<p>Note that the PKCS#11 URI specifies a list of attributes which must
+match. Some of these match criteria may be redundant — in this case
+ we've asked it to list the certificates in a token
+which has a model of <i>"PKCS#15 emulated"</i> <b>and</b> a
+manufacturer of <i>"piv_II"</i> <b>and</b> serial number
+<i>108421384210c3f5</i> <b>and</b> token label <i>"PIV_II (PIV Card
+Holder pin)"</i>. Since any <em>one</em> of those criteria would probably
+be sufficient to uniquely identify this token from the other configured tokens
+in our system, a simpler command line would also work. For example:</p>
+<ul><li><tt>p11tool --list-all-certs pkcs11:manufacturer=piv_II</tt></li></ul>
+
+The output of either such command should look something like this:
+<table border="1"><tr><td><pre>Object 0:
+       URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert
+       Type: X.509 Certificate
+       Label: Certificate for PIV Authentication
+       ID: 01
+
+Object 1:
+       URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=Certificate%20for%20Digital%20Signature;object-type=cert
+       Type: X.509 Certificate
+       Label: Certificate for Digital Signature
+       ID: 02
+
+Object 2:
+       URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=Certificate%20for%20Key%20Management;object-type=cert
+       Type: X.509 Certificate
+       Label: Certificate for Key Management
+       ID: 03
+
+Object 3:
+       URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=Certificate%20for%20Card%20Authentication;object-type=cert
+       Type: X.509 Certificate
+       Label: Certificate for Card Authentication
+       ID: 04
+</pre></td></tr></table>
+
+
+
+<p>This device has four certificates installed; the URL for each one
+is given in the output. <i>(Choosing <em>between</em> the certificates on
+a given device, if there is more than one, is left as an exercise for
+the user. You may need to try each one.)</i></p>
+
+<p>Some devices may not even permit you to list the certificates
+without logging in. In that case add <tt>--login</tt> to the
+<tt>p11tool</tt> command line above, and provide the PIN when
+requested</p>
+
+<p>For OpenConnect 7.01 we should be able to use the URI seen here in
+its entirety, and the software will be cunning enough to
+find the corresponding key:
+
+<ul><li><tt>openconnect -c 
'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert'
 vpn.example.com</tt></li></ul>
+
+Older versions, however, may require a little help...</p>
+
+<h2>Helping OpenConnect find the key</h2>
+
+<p>If no explicit <tt>-k</tt> argument is given to specify the key,
+OpenConnect will use the contents of the <tt>-c</tt> argument as the
+basis for finding <em>both</em> certificate and key.</p>
+
+<p>It will sensibly add <tt>object-type=cert</tt> or 
<tt>object-type=private</tt>
+for itself, according to which object it is trying to locate each time. But in
+version 7.00 and earlier, it would <em>not</em> do that if the URI you provide
+already contained any <tt>object-type=</tt> element. So the first thing you 
need to do with
+older versions of OpenConnect is trim that part of the URI. So the above 
example might now be:
+<ul><li><tt>openconnect -c 
'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication'
 vpn.example.com</tt></li></ul>
+</p>
+
+<p>Additionally, it can sometimes be the case that although the ID
+(<tt>id=</tt>) for a certificate should match the ID of its matching
+key, the label (<tt>object=</tt>) might <em>not</em> match. Newer versions
+of OpenConnect (7.01+), on failing to find a key, will <em>strip</em> the label
+from the search URI and add the ID of the certificate that was found (even if
+no ID was part of the original search terms provided with the <tt>-c</tt> 
option). But older versions don't.</p>
+
+<p>So it can be useful also to remove the <tt>object=</tt> part of the URI and 
leave only the <tt>id=</tt> attribute to specify the individual object, so that 
you're giving search criteria which are true for both the certificate 
<em>and</em> the key:
+<ul><li><tt>openconnect -c 
'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01'
 vpn.example.com</tt></li></ul>
+</p>
+
+<p>And while we're at it, that's <em>still</em> a massively redundant way of 
specifying which token
+to look in, so we can cut that down as we did before just to make it less 
unwieldy:
+<ul><li><tt>openconnect -c 'pkcs11:manufacturer=piv_II;id=%01' 
vpn.example.com</tt></li></ul>
+
+<h2>Searching for the key manually</h2>
+
+<p>If the heuristics for finding the key don't work, you can always
+provide an explicit PKCS#11 URI for the key with the <tt>-k</tt>
+option. You can look for them by using the <tt>--list-privkeys</tt> option to 
<tt>p11tool</tt>. You will almost certainly want to use the <tt>--login</tt> 
option too:</p>
+<ul><li><tt>p11tool --list-privkeys --login 
pkcs11:manufacturer=piv_II</tt></li></ul>
+<table border="1"><tr><td><pre>Token 'PIV_II (PIV Card Holder pin)' with URL 
'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29'
 requires user PIN
+Enter PIN: 
+Object 0:
+       URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private
+       Type: Private key
+       Label: PIV AUTH key
+       Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE; 
+       ID: 01
+
+Object 1:
+       URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private
+       Type: Private key
+       Label: SIGN key
+       Flags: CKA_PRIVATE; CKA_SENSITIVE; 
+       ID: 02
+
+Object 2:
+       URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%03;object=KEY%20MAN%20key;object-type=private
+       Type: Private key
+       Label: KEY MAN key
+       Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE; 
+       ID: 03
+
+Object 3:
+       URL: 
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%04;object=CARD%20AUTH%20key;object-type=private
+       Type: Private key
+       Label: CARD AUTH key
+       Flags: CKA_SENSITIVE; 
+       ID: 04
+</pre></td></tr></table>
+<p>
+Here's the full longhand specification of both certificate <em>and</em> key:
+<ul><li><tt>openconnect -c 
'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert'
 -k 
'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private'
 vpn.example.com</tt></li></ul>
+
+
+OpenConnect doesn't care; you can use certificate and key from entirely
+<em>different</em> hardware tokens if you want to. Or one from a file. Or a key
+from a TPM and a certificate from a PKCS#11 hardware token. Or all kinds of 
bizarre combinations. But if it's a <em>sensible</em> combination on a sanely 
configured PKCS#11 token, and OpenConnect can't infer the key location from the 
certificate, then please <a href="mail.html">send us an email</a> and we'll try 
to fix it.</p>
+</p>
+
+
+
+
+<INCLUDE file="inc/footer.tmpl" />
+</PAGE>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/openconnect-7.00/www/styles/Makefile.in 
new/openconnect-7.01/www/styles/Makefile.in
--- old/openconnect-7.00/www/styles/Makefile.in 2014-11-27 17:13:46.000000000 
+0100
+++ new/openconnect-7.01/www/styles/Makefile.in 2014-12-07 22:17:23.000000000 
+0100
@@ -82,12 +82,13 @@
 DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
        $(dist_stylesdata_DATA)
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/iconv.m4 \
-       $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
-       $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
-       $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
-       $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
-       $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.ac
+am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_vscript.m4 \
+       $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \
+       $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
+       $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+       $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+       $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/acinclude.m4 \
+       $(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
        $(ACLOCAL_M4)
 mkinstalldirs = $(install_sh) -d
@@ -266,7 +267,7 @@
 TSS_CFLAGS = @TSS_CFLAGS@
 TSS_LIBS = @TSS_LIBS@
 VERSION = @VERSION@
-VERSION_SCRIPT_ARG = @VERSION_SCRIPT_ARG@
+VSCRIPT_LDFLAGS = @VSCRIPT_LDFLAGS@
 WFLAGS = @WFLAGS@
 ZLIB_CFLAGS = @ZLIB_CFLAGS@
 ZLIB_LIBS = @ZLIB_LIBS@
