Revision Log - vpnc
http://src.mouf.net/vpnc/log
/trunk/tunip.c @ 550 http://src.mouf.net/vpnc/revision?rev=550
Joerg Mayer 2014-05-26T20:09:51
/trunk/vpnc-script @ 549 http://src.mouf.net/vpnc/revision?rev=549
David Woodhouse
Set MTU on Windows

Joerg Mayer 2014-05-26T20:00:45
/branches/vpnc-nortel/config.c @ 548 http://src.mouf.net/vpnc/revision?rev=548
Instead of printing the prompt before getpass(),
build prompt string in a buffer and pass it.
In this way, password helper gets the prompt.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2014-02-18T05:10:04
/branches/vpnc-nortel/config.c /branches/vpnc-nortel/config.h @ 547 http://src.mouf.net/vpnc/revision?rev=547
Allows integrating a UI: similar to ssh-askpass, a program prompts the user
for the password and echoes the result to stdout.

Settings:
---
Password Helper /home/alonbl/vpnc/vpnc-getpass
Xauth interactive
---

vpn-getpass script for KDE:
---
prompt="$1"
exec kdialog --title "vpnc" --password "$prompt";
---

vpn-getpass script for KDE with SecurID:
---
prompt="$1"
pass="$(kdialog --title "vpnc" --password "$prompt")" || exit 1
otp="$(RSA_SecurID_getpasswd)" || exit 1
echo "${pass}${otp}"
exit 0
---

Based on original patch from Alon Bar-Lev
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2013-December/004039.html
rebased on current HEAD.

Author: Alon Bar-Lev <alon.barlev@gmail.com>
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2014-02-18T05:10:00
/trunk/config.c @ 546 http://src.mouf.net/vpnc/revision?rev=546
Instead of printing the prompt before getpass(),
build prompt string in a buffer and pass it.
In this way, password helper gets the prompt.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2014-02-18T05:09:56
/trunk/config.c /trunk/config.h @ 545 http://src.mouf.net/vpnc/revision?rev=545
Allows integrating a UI: similar to ssh-askpass, a program prompts the user
for the password and echoes the result to stdout.

Settings:
---
Password Helper /home/alonbl/vpnc/vpnc-getpass
Xauth interactive
---

vpn-getpass script for KDE:
---
prompt="$1"
exec kdialog --title "vpnc" --password "$prompt";
---

vpn-getpass script for KDE with SecurID:
---
prompt="$1"
pass="$(kdialog --title "vpnc" --password "$prompt")" || exit 1
otp="$(RSA_SecurID_getpasswd)" || exit 1
echo "${pass}${otp}"
exit 0
---

Based on original patch from Alon Bar-Lev
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2013-December/004039.html
rebased on current HEAD.

Author: Alon Bar-Lev <alon.barlev@gmail.com>
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2014-02-18T05:09:52
/branches/vpnc-nortel/config.c /branches/vpnc-nortel/config.h /branches/vpnc-nortel/sysdep.h @ 544 http://src.mouf.net/vpnc/revision?rev=544
Function getpass(3) is reported as obsolete.
Replace it with new vpnc_getpass().
Differences with original implementation:
- output prompt on stdout, instead of /dev/tty;
- input from stdin, instead of /dev/tty;
- password length limited by vpnc_getline() to 200 chars.

Functions tcgetattr()/tcsetattr() return error if stdin
is not a terminal but, e.g., a pipe or a file. I simply
ignore the error, since there is no need to disable ECHO on them.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2014-02-18T05:09:48
/branches/vpnc-nortel/config.c /branches/vpnc-nortel/sysdep.c /branches/vpnc-nortel/sysdep.h @ 543 http://src.mouf.net/vpnc/revision?rev=543
based on original patch from Dan Williams <dcbw@redhat.com>
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2013-December/004043.html

vpnc's config file processing logic uses EOF to determine when to stop
processing the config input, but if stdin is actually a pipe from a
controlling process, EOF only happens if the pipe is closed. Which
means the controlling process can't respond to any interactive requests
for information. So we need to add some other mechanism to indicate
that config processing is done that does not rely on closing stdin to
indicate this.

Also, getline() only returns on EOF (which has the problems described
above) or when it encounters sufficient newline characters;
unfortunately this precludes using getline() to handle single bytes.
Switch to fgetc() and build up the line ourselves so that we can
recognize a custom CEOT character (0x04/Ctl-D) which also terminates
reading configuration without requiring the pipe to be closed.

Modification wrt Dan's proposal:
- use same prototype as getline();
- remove trailing newline. Avoids code duplication;
- allocate buffer only if required (as getline());
- pass error through errno since feof() is not valid on CEOT;
- remove getline() from sysdep.[ch].

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2014-02-18T05:09:45
/trunk/config.c /trunk/config.h /trunk/sysdep.h @ 542 http://src.mouf.net/vpnc/revision?rev=542
Function getpass(3) is reported as obsolete.
Replace it with new vpnc_getpass().
Differences with original implementation:
- output prompt on stdout, instead of /dev/tty;
- input from stdin, instead of /dev/tty;
- password length limited by vpnc_getline() to 200 chars.

Functions tcgetattr()/tcsetattr() return error if stdin
is not a terminal but, e.g., a pipe or a file. I simply
ignore the error, since there is no need to disable ECHO on them.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2014-02-18T05:09:39
/trunk/config.c /trunk/sysdep.c /trunk/sysdep.h @ 541 http://src.mouf.net/vpnc/revision?rev=541
based on original patch from Dan Williams <dcbw@redhat.com>
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2013-December/004043.html

vpnc's config file processing logic uses EOF to determine when to stop
processing the config input, but if stdin is actually a pipe from a
controlling process, EOF only happens if the pipe is closed. Which
means the controlling process can't respond to any interactive requests
for information. So we need to add some other mechanism to indicate
that config processing is done that does not rely on closing stdin to
indicate this.

Also, getline() only returns on EOF (which has the problems described
above) or when it encounters sufficient newline characters;
unfortunately this precludes using getline() to handle single bytes.
Switch to fgetc() and build up the line ourselves so that we can
recognize a custom CEOT character (0x04/Ctl-D) which also terminates
reading configuration without requiring the pipe to be closed.

Modification wrt Dan's proposal:
- use same prototype as getline();
- remove trailing newline. Avoids code duplication;
- allocate buffer only if required (as getline());
- pass error through errno since feof() is not valid on CEOT;
- remove getline() from sysdep.[ch].

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2014-02-18T05:09:33
/branches/vpnc-nortel/tunip.c /trunk/tunip.c @ 540 http://src.mouf.net/vpnc/revision?rev=540
Bug introduced in commit r528, "Always run vpnc-script at exit".

When vpnc goes into the background, the foreground task has to exit
without calling the handler registered with atexit(), otherwise
vpnc-script would modify routing tables.

Bug found by Alon Bar-Lev <alon.barlev@gmail.com>

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2014-01-14T14:54:13
/branches/vpnc-nortel /branches/vpnc-nortel/test /branches/vpnc-nortel/test/README.txt @ 539 http://src.mouf.net/vpnc/revision?rev=539
One certificate in the test folder is already expired; others
will follow.
The original private keys to rebuild the certificates are
not available, so no way to re-sign the same certificates.

Document why and how the test is performed.
Put in a Makefile the whole set of commands to rebuild
the certificates and encrypt the binary test.
Replace all the certificates and the encrypted binary
with new versions.

New certificates will expire in 2033.

OpenSSL is required only to re-build the certificates.
No need for OpenSSL to compile VPNC or to run the test.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2013-12-04T13:41:04
/branches/vpnc-nortel /branches/vpnc-nortel/test-crypto.c /branches/vpnc-nortel/test/dec_data.bin @ 538 http://src.mouf.net/vpnc/revision?rev=538
The test program embeds encrypted binary data, but the
encryption key is not made available from the original
developer.
Move the binary data out of the code, so later we can
replace it with data encrypted under our control.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2013-12-04T13:40:55
/branches/vpnc-nortel /trunk @ 537 http://src.mouf.net/vpnc/revision?rev=537
Remove temporarily cert0.pem from the certificate chain.
"make test" is now working.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2013-12-04T13:40:45
/branches/vpnc-nortel/config.c /trunk/config.c @ 536 http://src.mouf.net/vpnc/revision?rev=536
When called from e.g. NetworkManager, vpnc's stderr log messages
are redirected to logfiles where they are sometimes hard to spot,
e.g. they appear to be coming from NetworkManager itself.

Fix this by prepending "vpnc: " to them.

Patch already present in openSUSE package

Author: Stefan Seyfried <seife+obs@b1-sytems.com>
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2013-12-01T12:23:38
/branches/vpnc-nortel/config.c /branches/vpnc-nortel/vpnc-disconnect /trunk/config.c @ 535 http://src.mouf.net/vpnc/revision?rev=535
Patch present in openSUSE package.

/var/run can be cleared on every boot (tmpfs) and thus folder
/var/run/vpnc would not exist.
Just use /var/run/vpnc.pid instead of /var/run/vpnc/pid, vpnc
needs to run as root anyway, so this should be fine.

vpnc-script is still using /var/run/vpnc for other stuff (resolv.conf
backup etc) but creates the directory on demand, so no harm is done
there.
This patch fixes the case of vpnc being run without executing the default
vpnc-script.

Author: Stefan Seyfried <seife+obs@b1-systems.com>
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2013-12-01T12:23:32
/branches/vpnc-nortel/makeman.pl /trunk/makeman.pl @ 534 http://src.mouf.net/vpnc/revision?rev=534
makeman.pl internal script adds local build time. Change
it to the source man template filetime instead, so we avoid
republishing this package every month.

Patch already present in openSUSE package.

Author: Cristian Rodriguez <cristian.rodriguez@opensuse.org>
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2013-12-01T12:23:25
/branches/vpnc-nortel/vpnc.c /trunk/vpnc.c @ 533 http://src.mouf.net/vpnc/revision?rev=533
In AnyConnect the server seems to offer an X-CSTP-Split-DNS: header,
which can appear multiple times, with search domains for the client to
use. I'm exporting these in $CISCO_SPLIT_DNS, space-separated.
(A. Borneo: in recent openconnect it is now comma-separated)

I see that there's an ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_DNS, but we
don't seem to *do* anything with it. Like the IPv6 attributes which we
also ignore, just make vpnc clear the environment variable.

We really ought to make vpnc *support* these, given that we know how to
recognise them. But that's left as an exercise for someone who actually
has access to a server.

A. Borneo:
This patch completes Evan Broder's one.

Author: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2013-12-01T10:20:19
/branches/vpnc-nortel/vpnc-script /branches/vpnc-nortel/vpnc.c /trunk/vpnc-script @ 532 http://src.mouf.net/vpnc/revision?rev=532
Cisco servers can optionally include a list of domain names that are
configured using split DNS.

Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/vpnc/+bug/954747

Author: Evan Broder <evan@ebroder.net>
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2013-12-01T10:20:15
/branches/vpnc-nortel /trunk @ 531 http://src.mouf.net/vpnc/revision?rev=531
Patch from Justin Lecher <jlec@gentoo.org>
"vpnc-0.5.3_p514-as-needed.patch"
Already applied in Gentoo at build time.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Antonio Borneo 2013-12-01T09:44:31