patch: Sync with upstream

The latest NaCl patch set has been merged upstream, so pin libopenconnect to
the post-merge commit and drop the local patches (0002-0009) that it now
duplicates; only the temporary NaCl build-files patch (0001) remains.

Change-Id: I0aaafe53a7c88a7dc76549143eed8de569a0c41d
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
diff --git a/Makefile b/Makefile
index 839ef08..866467d 100644
--- a/Makefile
+++ b/Makefile
@@ -11,6 +11,8 @@
 WEBPORTS ?= $(TOPDIR)/webports/src/bin/webports
 GCLIENT ?= $(TOPDIR)/depot_tools/gclient
 
+LIBOPENCONNECT_COMMIT := 489cb6c1023dac9d003f82cd70a7285108e5f110
+
 # Project Build flags
 WARNINGS := -Wall -Wextra -Wno-unused-parameter
 CXXFLAGS := -O2 -std=gnu++0x -pthread $(WARNINGS)
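Review bot: The new `LIBOPENCONNECT_COMMIT` pin carries no note of what it corresponds to, so the next person bumping it has to go back to git history to learn why this exact hash is required (presumably the upstream merge of the NaCl patch set the commit message refers to). A short comment above the variable would make that auditable and would record that the pin is deliberately a full 40-hex SHA-1 rather than a branch or tag name, since the checkout below relies on it for integrity: `# Upstream libopenconnect commit containing the merged NaCl patch set; keep this a full commit hash (content-addressed), never a branch or tag, because the clone transport is unauthenticated.` Bumping it should be paired with re-checking that the remaining patch/*.patch still apply with `git am -3`.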
@@ -93,7 +95,7 @@
 	rm -rf openconnect
 	git clone git://git.infradead.org/users/dwmw2/openconnect.git
 	cd openconnect && \
-		git checkout 11ad105e8000af52e1d4b73b539b8d21c2ae141a && \
+		git checkout $(LIBOPENCONNECT_COMMIT) && \
 		git am -3 $(TOPDIR)/patch/*.patch
 	touch $@
 
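Review bot: The checkout now pins a full SHA-1, which is the only thing verifying the tree here, because the surrounding clone uses the unauthenticated `git://` transport (the context line above the change) and the recipe performs no signature or hash check of its own. That is acceptable as long as the variable stays a full commit hash, since a Git object is content-addressed and a tampered history cannot produce the requested commit, but it would silently become a weak point if someone relaxed it to a branch or tag; worth stating in a comment next to the checkout, e.g. `# Full commit hash: this is what authenticates the unauthenticated git:// clone above`. If the host also serves the repository over https, switching the clone URL would remove the dependence on the pin alone. The `git am -3 $(TOPDIR)/patch/*.patch` glob still has a file to match after this change (0001 remains), but if patch/ is ever emptied the glob is passed literally and `git am` fails, so a guard or an explicit file list may be preferable.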
diff --git a/patch/0001-HACK-Add-temporary-NaCl-build-files.patch b/patch/0001-HACK-Add-temporary-NaCl-build-files.patch
index 42c59d6..424904e 100644
--- a/patch/0001-HACK-Add-temporary-NaCl-build-files.patch
+++ b/patch/0001-HACK-Add-temporary-NaCl-build-files.patch
@@ -1,4 +1,4 @@
-From b9853949e4d104af89ea9530a5b4525c80015859 Mon Sep 17 00:00:00 2001
+From c2f5cb9d2c48208f7042cfa7b1d0947d37ddbd2c Mon Sep 17 00:00:00 2001
 From: Kevin Cernekee <cernekee@gmail.com>
 Date: Fri, 22 Apr 2016 18:53:13 -0700
 Subject: [PATCH 1/8] HACK: Add temporary NaCl build files
@@ -13,7 +13,7 @@
 
 diff --git a/build.sh b/build.sh
 new file mode 100644
-index 0000000..c2394ed
+index 0000000..01a1166
 --- /dev/null
 +++ b/build.sh
 @@ -0,0 +1,36 @@
diff --git a/patch/0002-dtls-Fix-memcmp-arguments-in-MTU-detection-code.patch b/patch/0002-dtls-Fix-memcmp-arguments-in-MTU-detection-code.patch
deleted file mode 100644
index 90ebb5b..0000000
--- a/patch/0002-dtls-Fix-memcmp-arguments-in-MTU-detection-code.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From a99cb8f503f3f31f6bf31dc7762d41ebb4f933f6 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@gmail.com>
-Date: Thu, 14 Apr 2016 22:14:26 -0700
-Subject: [PATCH 2/8] dtls: Fix memcmp() arguments in MTU detection code
-
-Fix the length argument and return value checks.  Caught by clang
-warnings.
-
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- dtls.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/dtls.c b/dtls.c
-index a1a5a72..3b9cbbe 100644
---- a/dtls.c
-+++ b/dtls.c
-@@ -1170,7 +1170,7 @@ static int detect_mtu_ipv4(struct openconnect_info *vpninfo, unsigned char *buf)
- 				goto fail;
- 		} while(ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);
- 
--		if (ret > 0 && (buf[0] != AC_PKT_DPD_RESP || memcmp(&buf[1], id, sizeof(buf) != 0))) {
-+		if (ret > 0 && (buf[0] != AC_PKT_DPD_RESP || memcmp(&buf[1], id, sizeof(id)) != 0)) {
- 			vpn_progress(vpninfo, PRG_DEBUG,
- 			     _("Received unexpected packet (%.2x) in MTU detection; skipping.\n"), (unsigned)buf[0]);
- 			goto reread; /* resend */
-@@ -1255,7 +1255,7 @@ static int detect_mtu_ipv6(struct openconnect_info *vpninfo, unsigned char *buf)
- 			continue;
- 
- 		/* something unexpected was received, let's ignore it */
--		if (ret > 0 && (buf[0] != AC_PKT_DPD_RESP || memcmp(&buf[1], id, sizeof(buf) != 0))) {
-+		if (ret > 0 && (buf[0] != AC_PKT_DPD_RESP || memcmp(&buf[1], id, sizeof(id)) != 0)) {
- 			vpn_progress(vpninfo, PRG_DEBUG,
- 			     _("Received unexpected packet (%.2x) in MTU detection; skipping.\n"), (unsigned)buf[0]);
- 			goto reread;
--- 
-1.9.1
-
diff --git a/patch/0003-NaCl-Disable-IPV6_PATHMTU-getsockopt-call.patch b/patch/0003-NaCl-Disable-IPV6_PATHMTU-getsockopt-call.patch
deleted file mode 100644
index 5497b85..0000000
--- a/patch/0003-NaCl-Disable-IPV6_PATHMTU-getsockopt-call.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 9bb382493bb3cd39b06233d4c1d087be396a884a Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@gmail.com>
-Date: Thu, 14 Apr 2016 22:26:07 -0700
-Subject: [PATCH 3/8] NaCl: Disable IPV6_PATHMTU getsockopt() call
-
-Unfortunately this feature is not yet supported under NaCl, and it
-results in a compile error.
-
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- dtls.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dtls.c b/dtls.c
-index 3b9cbbe..a875255 100644
---- a/dtls.c
-+++ b/dtls.c
-@@ -1265,7 +1265,7 @@ static int detect_mtu_ipv6(struct openconnect_info *vpninfo, unsigned char *buf)
- 		break;
- 	} while(max_resends-- > 0);
- 
--#ifndef _WIN32
-+#if !defined(_WIN32) && !defined(__native_client__)
- 	/* If we received back our DPD packet, do nothing; otherwise,
- 	 * attempt to get MTU from the ICMP6 packet we received */
- 	if (ret <= 0) {
--- 
-1.9.1
-
diff --git a/patch/0004-Allow-OC_CMD_PAUSE-to-abort-connection-attempts.patch b/patch/0004-Allow-OC_CMD_PAUSE-to-abort-connection-attempts.patch
deleted file mode 100644
index d3ace3c..0000000
--- a/patch/0004-Allow-OC_CMD_PAUSE-to-abort-connection-attempts.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From cdf86434c0485f0755c0cb949c729353a032ffd2 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@gmail.com>
-Date: Sun, 10 Apr 2016 19:19:24 -0700
-Subject: [PATCH 4/8] Allow OC_CMD_PAUSE to abort connection attempts
-
-Currently OC_CMD_PAUSE does not abort connection attempts in all cases.
-One example of this can be seen in openssl.c:openconnect_open_https(),
-which can get stuck forever if the socket hangs.
-
-Change the helper function so that either OC_CMD_PAUSE or OC_CMD_CANCEL
-exits the mainloop; the main difference is whether it is handled as a
-temporary or permanent disconnection.
-
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- ssl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl.c b/ssl.c
-index 55a1ecd..c82a22e 100644
---- a/ssl.c
-+++ b/ssl.c
-@@ -806,7 +806,7 @@ void check_cmd_fd(struct openconnect_info *vpninfo, fd_set *fds)
- int is_cancel_pending(struct openconnect_info *vpninfo, fd_set *fds)
- {
- 	check_cmd_fd(vpninfo, fds);
--	return vpninfo->got_cancel_cmd;
-+	return vpninfo->got_cancel_cmd || vpninfo->got_pause_cmd;
- }
- 
- void poll_cmd_fd(struct openconnect_info *vpninfo, int timeout)
--- 
-1.9.1
-
diff --git a/patch/0005-library-Add-reconnected-callback.patch b/patch/0005-library-Add-reconnected-callback.patch
deleted file mode 100644
index 4724f8e..0000000
--- a/patch/0005-library-Add-reconnected-callback.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-From cd3c0ba439af2c22744629ea5e69a6b33a7047a7 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@gmail.com>
-Date: Sun, 10 Apr 2016 21:11:10 -0700
-Subject: [PATCH 5/8] library: Add reconnected() callback
-
-Currently, library callers can pause the connection and then re-enter the
-mainloop later on, reusing the same cookie they obtained during the
-initial login.  But they do not have an easy way to tell when the VPN
-has successfully reconnected and is able to pass traffic.  This could be
-useful for informing the host OS (and/or UI) that the VPN has
-transitioned back from Reconnecting->Connected.
-
-A callback is only needed on reconnection, not initial connection, because
-for the latter case CSTP is started through the
-openconnect_make_cstp_connection() API call before entering the mainloop.
-
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- .../src/org/infradead/libopenconnect/LibOpenConnect.java |  1 +
- jni.c                                                    | 16 ++++++++++++++++
- libopenconnect.map.in                                    |  1 +
- library.c                                                |  6 ++++++
- openconnect-internal.h                                   |  1 +
- openconnect.h                                            |  6 ++++++
- ssl.c                                                    |  4 ++++
- 7 files changed, 35 insertions(+)
-
-diff --git a/java/src/org/infradead/libopenconnect/LibOpenConnect.java b/java/src/org/infradead/libopenconnect/LibOpenConnect.java
-index bf545b5..8dc7452 100644
---- a/java/src/org/infradead/libopenconnect/LibOpenConnect.java
-+++ b/java/src/org/infradead/libopenconnect/LibOpenConnect.java
-@@ -63,6 +63,7 @@ public abstract class LibOpenConnect {
- 	public int onTokenLock() { return 0; }
- 	public int onTokenUnlock(String newToken) { return 0; }
- 	public void onSetupTun() { }
-+	public void onReconnected() { }
- 
- 	/* create/destroy library instances */
- 
-diff --git a/jni.c b/jni.c
-index bb843a4..b5aa92d 100644
---- a/jni.c
-+++ b/jni.c
-@@ -309,6 +309,21 @@ static void setup_tun_cb(void *privdata)
- 	(*ctx->jenv)->PopLocalFrame(ctx->jenv, NULL);
- }
- 
-+static void reconnected_cb(void *privdata)
-+{
-+	struct libctx *ctx = privdata;
-+	jmethodID mid;
-+
-+	if ((*ctx->jenv)->PushLocalFrame(ctx->jenv, 256) < 0)
-+		return;
-+
-+	mid = get_obj_mid(ctx, ctx->jobj, "onReconnected", "()V");
-+	if (mid)
-+		(*ctx->jenv)->CallVoidMethod(ctx->jenv, ctx->jobj, mid);
-+
-+	(*ctx->jenv)->PopLocalFrame(ctx->jenv, NULL);
-+}
-+
- static jobject new_auth_form(struct libctx *ctx, struct oc_auth_form *form)
- {
- 	jmethodID mid;
-@@ -625,6 +640,7 @@ JNIEXPORT jlong JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_init(
- 	openconnect_set_protect_socket_handler(ctx->vpninfo, protect_socket_cb);
- 	openconnect_set_stats_handler(ctx->vpninfo, stats_cb);
- 	openconnect_set_setup_tun_handler(ctx->vpninfo, setup_tun_cb);
-+	openconnect_set_reconnected_handler(ctx->vpninfo, reconnected_cb);
- 
- 	ctx->cmd_fd = openconnect_setup_cmd_pipe(ctx->vpninfo);
- 	if (ctx->cmd_fd < 0)
-diff --git a/libopenconnect.map.in b/libopenconnect.map.in
-index 7c99c86..ea63e2e 100644
---- a/libopenconnect.map.in
-+++ b/libopenconnect.map.in
-@@ -42,6 +42,7 @@ OPENCONNECT_5.0 {
- 	openconnect_set_protect_socket_handler;
- 	openconnect_set_proxy_auth;
- 	openconnect_set_reported_os;
-+	openconnect_set_reconnected_handler;
- 	openconnect_set_reqmtu;
- 	openconnect_set_setup_tun_handler;
- 	openconnect_set_stats_handler;
-diff --git a/library.c b/library.c
-index 5c4028b..97be310 100644
---- a/library.c
-+++ b/library.c
-@@ -786,6 +786,12 @@ void openconnect_set_setup_tun_handler(struct openconnect_info *vpninfo,
- 	vpninfo->setup_tun = setup_tun;
- }
- 
-+void openconnect_set_reconnected_handler(struct openconnect_info *vpninfo,
-+				         openconnect_reconnected_vfn reconnected)
-+{
-+	vpninfo->reconnected = reconnected;
-+}
-+
- void openconnect_set_stats_handler(struct openconnect_info *vpninfo,
- 				   openconnect_stats_vfn stats_handler)
- {
-diff --git a/openconnect-internal.h b/openconnect-internal.h
-index fa729d2..b339ef6 100644
---- a/openconnect-internal.h
-+++ b/openconnect-internal.h
-@@ -611,6 +611,7 @@ struct openconnect_info {
- 	openconnect_protect_socket_vfn protect_socket;
- 	openconnect_getaddrinfo_vfn getaddrinfo_override;
- 	openconnect_setup_tun_vfn setup_tun;
-+	openconnect_reconnected_vfn reconnected;
- 
- 	int (*ssl_read)(struct openconnect_info *vpninfo, char *buf, size_t len);
- 	int (*ssl_gets)(struct openconnect_info *vpninfo, char *buf, size_t len);
-diff --git a/openconnect.h b/openconnect.h
-index 23a8fb3..22f7c5e 100644
---- a/openconnect.h
-+++ b/openconnect.h
-@@ -44,6 +44,7 @@ extern "C" {
-  *  - Add openconnect_disable_ipv6().
-  *  - Add ip_info->gateway_addr.
-  *  - Add openconnect_set_setup_tun_handler().
-+ *  - Add openconnect_set_reconnected_handler().
-  *
-  * API version 5.2 (v7.05; 2015-03-10):
-  *  - Add openconnect_set_http_auth(), openconnect_set_protocol().
-@@ -615,6 +616,11 @@ typedef void (*openconnect_setup_tun_vfn) (void *privdata);
- void openconnect_set_setup_tun_handler(struct openconnect_info *vpninfo,
- 				       openconnect_setup_tun_vfn setup_tun);
- 
-+/* Callback for indicating that a TCP reconnection succeeded. */
-+typedef void (*openconnect_reconnected_vfn) (void *privdata);
-+void openconnect_set_reconnected_handler(struct openconnect_info *vpninfo,
-+				         openconnect_reconnected_vfn reconnected_fn);
-+
- #ifdef __cplusplus
- }
- #endif
-diff --git a/ssl.c b/ssl.c
-index c82a22e..118fb2d 100644
---- a/ssl.c
-+++ b/ssl.c
-@@ -1024,6 +1024,10 @@ int ssl_reconnect(struct openconnect_info *vpninfo)
- 		if (interval > RECONNECT_INTERVAL_MAX)
- 			interval = RECONNECT_INTERVAL_MAX;
- 	}
-+
- 	script_config_tun(vpninfo, "reconnect");
-+	if (vpninfo->reconnected)
-+		vpninfo->reconnected(vpninfo->cbdata);
-+
- 	return 0;
- }
--- 
-1.9.1
-
diff --git a/patch/0006-library-Add-openconnect_get_dnsname.patch b/patch/0006-library-Add-openconnect_get_dnsname.patch
deleted file mode 100644
index 38236aa..0000000
--- a/patch/0006-library-Add-openconnect_get_dnsname.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From 5c61996cb5bdf23ebc4280cabb2d65dbab7597ec Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@gmail.com>
-Date: Sun, 10 Apr 2016 22:01:37 -0700
-Subject: [PATCH 6/8] library: Add openconnect_get_dnsname()
-
-openconnect_get_hostname() usually returns an IP, because it is used
-for two-stage connections.  Add a new API call that returns a hostname
-so certificate validation can be handled externally.
-
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- java/src/org/infradead/libopenconnect/LibOpenConnect.java |  1 +
- jni.c                                                     |  8 ++++++++
- libopenconnect.map.in                                     |  1 +
- library.c                                                 |  5 +++++
- openconnect.h                                             | 14 ++++++++++++++
- 5 files changed, 29 insertions(+)
-
-diff --git a/java/src/org/infradead/libopenconnect/LibOpenConnect.java b/java/src/org/infradead/libopenconnect/LibOpenConnect.java
-index 8dc7452..3f70b2b 100644
---- a/java/src/org/infradead/libopenconnect/LibOpenConnect.java
-+++ b/java/src/org/infradead/libopenconnect/LibOpenConnect.java
-@@ -139,6 +139,7 @@ public abstract class LibOpenConnect {
- 	/* connection info */
- 
- 	public synchronized native String getHostname();
-+	public synchronized native String getDNSName();
- 	public synchronized native String getUrlpath();
- 	public synchronized native int getPort();
- 	public synchronized native String getCookie();
-diff --git a/jni.c b/jni.c
-index b5aa92d..bfcdaa5 100644
---- a/jni.c
-+++ b/jni.c
-@@ -1084,6 +1084,14 @@ JNIEXPORT jstring JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getHo
- 	RETURN_STRING_END
- }
- 
-+JNIEXPORT jstring JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getDNSName(
-+	JNIEnv *jenv, jobject jobj)
-+{
-+	RETURN_STRING_START
-+	buf = openconnect_get_dnsname(ctx->vpninfo);
-+	RETURN_STRING_END
-+}
-+
- JNIEXPORT jstring JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getUrlpath(
- 	JNIEnv *jenv, jobject jobj)
- {
-diff --git a/libopenconnect.map.in b/libopenconnect.map.in
-index ea63e2e..deaf058 100644
---- a/libopenconnect.map.in
-+++ b/libopenconnect.map.in
-@@ -5,6 +5,7 @@ OPENCONNECT_5.0 {
- 	openconnect_free_cert_info;
- 	openconnect_get_cookie;
- 	openconnect_get_cstp_cipher;
-+	openconnect_get_dnsname;
- 	openconnect_get_dtls_cipher;
- 	openconnect_get_hostname;
- 	openconnect_get_ifname;
-diff --git a/library.c b/library.c
-index 97be310..8524c15 100644
---- a/library.c
-+++ b/library.c
-@@ -376,6 +376,11 @@ const char *openconnect_get_hostname(struct openconnect_info *vpninfo)
- 	return vpninfo->unique_hostname?:vpninfo->hostname;
- }
- 
-+const char *openconnect_get_dnsname(struct openconnect_info *vpninfo)
-+{
-+	return vpninfo->hostname;
-+}
-+
- int openconnect_set_hostname(struct openconnect_info *vpninfo,
- 			     const char *hostname)
- {
-diff --git a/openconnect.h b/openconnect.h
-index 22f7c5e..d34aae0 100644
---- a/openconnect.h
-+++ b/openconnect.h
-@@ -45,6 +45,7 @@ extern "C" {
-  *  - Add ip_info->gateway_addr.
-  *  - Add openconnect_set_setup_tun_handler().
-  *  - Add openconnect_set_reconnected_handler().
-+ *  - Add openconnect_get_dnsname().
-  *
-  * API version 5.2 (v7.05; 2015-03-10):
-  *  - Add openconnect_set_http_auth(), openconnect_set_protocol().
-@@ -391,7 +392,20 @@ const char *openconnect_get_dtls_cipher(struct openconnect_info *);
- const char *openconnect_get_cstp_compression(struct openconnect_info *);
- const char *openconnect_get_dtls_compression(struct openconnect_info *);
- 
-+/* Returns the IP address of the exact host to which the connection
-+ * was made. In --cookieonly mode or in any other scenario involving
-+ * a "two stage" connection, it is important to reconnect by IP because
-+ * the server side may be using DNS trickery for load balancing.
-+ *
-+ * If the IP address is unavailable due to the use of a proxy, this will
-+ * fall back to returning the DNS name. */
- const char *openconnect_get_hostname(struct openconnect_info *);
-+
-+/* Returns the hostname parsed out of the server name URL. This is
-+ * intended to be used by the validate_peer_cert callback to check that
-+ * the certificate matches the server name. */
-+const char *openconnect_get_dnsname(struct openconnect_info *);
-+
- int openconnect_set_hostname(struct openconnect_info *, const char *);
- char *openconnect_get_urlpath(struct openconnect_info *);
- int openconnect_set_urlpath(struct openconnect_info *, const char *);
--- 
-1.9.1
-
diff --git a/patch/0007-library-Add-openconnect_get_peer_cert_chain.patch b/patch/0007-library-Add-openconnect_get_peer_cert_chain.patch
deleted file mode 100644
index e3a4188..0000000
--- a/patch/0007-library-Add-openconnect_get_peer_cert_chain.patch
+++ /dev/null
@@ -1,316 +0,0 @@
-From 28bea7d86e2f5f83ff02a2d92c349c8d3af6bb1c Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@gmail.com>
-Date: Sun, 10 Apr 2016 23:13:08 -0700
-Subject: [PATCH 7/8] library: Add openconnect_get_peer_cert_chain()
-
-Allow external validation of the entire certificate chain, not just the
-peer_cert.  Tested using a letsencrypt cert on Chrome OS.
-
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- gnutls.c                                           | 39 ++++++++++++++-
- java/src/com/example/LibTest.java                  |  2 +
- .../infradead/libopenconnect/LibOpenConnect.java   |  1 +
- jni.c                                              | 49 +++++++++++++++++++
- libopenconnect.map.in                              |  2 +
- openconnect-internal.h                             |  2 +
- openconnect.h                                      | 18 +++++++
- openssl.c                                          | 55 ++++++++++++++++++++--
- 8 files changed, 163 insertions(+), 5 deletions(-)
-
-diff --git a/gnutls.c b/gnutls.c
-index 2a93dac..338f7a7 100644
---- a/gnutls.c
-+++ b/gnutls.c
-@@ -1948,6 +1948,38 @@ void openconnect_free_cert_info(struct openconnect_info *vpninfo,
- 	gnutls_free(buf);
- }
- 
-+int openconnect_get_peer_cert_chain(struct openconnect_info *vpninfo,
-+				    struct oc_cert **chainp)
-+{
-+	struct oc_cert *chain, *p;
-+	const gnutls_datum_t *cert_list = vpninfo->cert_list_handle;
-+	int i, cert_list_size = vpninfo->cert_list_size;
-+
-+	if (!cert_list)
-+		return -EINVAL;
-+
-+	if (cert_list_size <= 0)
-+		return -EIO;
-+
-+	p = chain = calloc(cert_list_size, sizeof(struct oc_cert));
-+	if (!chain)
-+		return -ENOMEM;
-+
-+	for (i = 0; i < cert_list_size; i++, p++) {
-+		p->der_data = (unsigned char *)cert_list[i].data;
-+		p->der_len = cert_list[i].size;
-+	}
-+
-+	*chainp = chain;
-+	return cert_list_size;
-+}
-+
-+void openconnect_free_peer_cert_chain(struct openconnect_info *vpninfo,
-+				      struct oc_cert *chain)
-+{
-+	free(chain);
-+}
-+
- static int verify_peer(gnutls_session_t session)
- {
- 	struct openconnect_info *vpninfo = gnutls_session_get_ptr(session);
-@@ -2079,10 +2111,13 @@ static int verify_peer(gnutls_session_t session)
- 		vpn_progress(vpninfo, PRG_INFO,
- 			     _("Server certificate verify failed: %s\n"),
- 			     reason);
--		if (vpninfo->validate_peer_cert)
-+		if (vpninfo->validate_peer_cert) {
-+			vpninfo->cert_list_handle = (void *)cert_list;
-+			vpninfo->cert_list_size = cert_list_size;
- 			err = vpninfo->validate_peer_cert(vpninfo->cbdata,
- 							  reason) ? GNUTLS_E_CERTIFICATE_ERROR : 0;
--		else
-+			vpninfo->cert_list_handle = NULL;
-+		} else
- 			err = GNUTLS_E_CERTIFICATE_ERROR;
- 	}
- 
-diff --git a/java/src/com/example/LibTest.java b/java/src/com/example/LibTest.java
-index da073b7..78e77b5 100644
---- a/java/src/com/example/LibTest.java
-+++ b/java/src/com/example/LibTest.java
-@@ -49,6 +49,8 @@ public final class LibTest {
- 
- 			byte der[] = getPeerCertDER();
- 			System.out.println("DER is " + der.length + " bytes long");
-+			byte chain[][] = getPeerCertChain();
-+			System.out.println("Chain has " + chain.length + " certs");
- 
- 			System.out.print("\nAccept this certificate? [n] ");
- 			String s = getline();
-diff --git a/java/src/org/infradead/libopenconnect/LibOpenConnect.java b/java/src/org/infradead/libopenconnect/LibOpenConnect.java
-index 3f70b2b..ce4ffcc 100644
---- a/java/src/org/infradead/libopenconnect/LibOpenConnect.java
-+++ b/java/src/org/infradead/libopenconnect/LibOpenConnect.java
-@@ -156,6 +156,7 @@ public abstract class LibOpenConnect {
- 	public synchronized native String getPeerCertHash();
- 	public synchronized native String getPeerCertDetails();
- 	public synchronized native byte[] getPeerCertDER();
-+	public synchronized native byte[][] getPeerCertChain();
- 
- 	/* library info */
- 
-diff --git a/jni.c b/jni.c
-index bfcdaa5..d72ac2e 100644
---- a/jni.c
-+++ b/jni.c
-@@ -785,6 +785,55 @@ JNIEXPORT jbyteArray JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_ge
- 	return jresult;
- }
- 
-+/* special handling: callee-allocated, caller-freed binary buffer */
-+JNIEXPORT jbyteArray JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getPeerCertChain(
-+	JNIEnv *jenv, jobject jobj)
-+{
-+	struct libctx *ctx = getctx(jenv, jobj);
-+	struct oc_cert *chain = NULL, *p;
-+	int cert_list_size, i;
-+	jobjectArray jresult = NULL;
-+	jclass jcls;
-+
-+	if (!ctx)
-+		goto err;
-+	cert_list_size = openconnect_get_peer_cert_chain(ctx->vpninfo, &chain);
-+	if (cert_list_size <= 0)
-+		goto err;
-+
-+	jcls = (*ctx->jenv)->FindClass(ctx->jenv, "[B");
-+	if (!jcls)
-+		goto err;
-+
-+	jresult = (*ctx->jenv)->NewObjectArray(ctx->jenv, cert_list_size, jcls, NULL);
-+	if (!jresult)
-+		goto err;
-+
-+	if ((*ctx->jenv)->PushLocalFrame(ctx->jenv, 256) < 0)
-+		goto err;
-+
-+	for (i = 0, p = chain; i < cert_list_size; i++, p++) {
-+		jbyteArray cert = (*ctx->jenv)->NewByteArray(ctx->jenv, p->der_len);
-+		if (!cert)
-+			goto err2;
-+		(*ctx->jenv)->SetByteArrayRegion(ctx->jenv, cert, 0, p->der_len, (jbyte *)p->der_data);
-+		(*ctx->jenv)->SetObjectArrayElement(ctx->jenv, jresult, i, cert);
-+	}
-+
-+	(*ctx->jenv)->PopLocalFrame(ctx->jenv, NULL);
-+	openconnect_free_peer_cert_chain(ctx->vpninfo, chain);
-+	return jresult;
-+
-+err2:
-+	(*ctx->jenv)->PopLocalFrame(ctx->jenv, NULL);
-+err:
-+	if (jresult)
-+		(*ctx->jenv)->DeleteLocalRef(ctx->jenv, jresult);
-+	if (chain)
-+		openconnect_free_peer_cert_chain(ctx->vpninfo, chain);
-+	return NULL;
-+}
-+
- /* special handling: two string arguments */
- JNIEXPORT void JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_setClientCert(
- 	JNIEnv *jenv, jobject jobj, jstring jcert, jstring jsslkey)
-diff --git a/libopenconnect.map.in b/libopenconnect.map.in
-index deaf058..f832dda 100644
---- a/libopenconnect.map.in
-+++ b/libopenconnect.map.in
-@@ -3,6 +3,7 @@ OPENCONNECT_5.0 {
- 	openconnect_check_peer_cert_hash;
- 	openconnect_clear_cookie;
- 	openconnect_free_cert_info;
-+	openconnect_free_peer_cert_chain;
- 	openconnect_get_cookie;
- 	openconnect_get_cstp_cipher;
- 	openconnect_get_dnsname;
-@@ -11,6 +12,7 @@ OPENCONNECT_5.0 {
- 	openconnect_get_ifname;
- 	openconnect_get_ip_info;
- 	openconnect_get_peer_cert_DER;
-+	openconnect_get_peer_cert_chain;
- 	openconnect_get_peer_cert_details;
- 	openconnect_get_peer_cert_hash;
- 	openconnect_get_port;
-diff --git a/openconnect-internal.h b/openconnect-internal.h
-index b339ef6..4ded761 100644
---- a/openconnect-internal.h
-+++ b/openconnect-internal.h
-@@ -443,6 +443,8 @@ struct openconnect_info {
- 
- 	void *peer_cert;
- 	char *peer_cert_hash;
-+	void *cert_list_handle;
-+	int cert_list_size;
- 
- 	char *cookie; /* Pointer to within cookies list */
- 	struct oc_vpn_option *cookies;
-diff --git a/openconnect.h b/openconnect.h
-index d34aae0..904a92a 100644
---- a/openconnect.h
-+++ b/openconnect.h
-@@ -46,6 +46,8 @@ extern "C" {
-  *  - Add openconnect_set_setup_tun_handler().
-  *  - Add openconnect_set_reconnected_handler().
-  *  - Add openconnect_get_dnsname().
-+ *  - Add openconnect_get_peer_cert_chain() and
-+ *        openconnect_free_peer_cert_chain().
-  *
-  * API version 5.2 (v7.05; 2015-03-10):
-  *  - Add openconnect_set_http_auth(), openconnect_set_protocol().
-@@ -273,6 +275,12 @@ struct oc_stats {
- 	uint64_t rx_bytes;
- };
- 
-+struct oc_cert {
-+	int der_len;
-+	unsigned char *der_data;
-+	void *reserved;
-+};
-+
- /****************************************************************************/
- 
- #define PRG_ERR		0
-@@ -367,6 +375,16 @@ int openconnect_get_peer_cert_DER(struct openconnect_info *vpninfo,
- 				  unsigned char **buf);
- void openconnect_free_cert_info(struct openconnect_info *vpninfo,
- 				void *buf);
-+
-+/* Creates a list of all certs in the peer's chain, returning the
-+   number of certs in the chain (or <0 on error). Only valid inside the
-+   validate_peer_cert callback. The caller should free the chain,
-+   but should not modify the contents. */
-+int openconnect_get_peer_cert_chain(struct openconnect_info *vpninfo,
-+				    struct oc_cert **chain);
-+void openconnect_free_peer_cert_chain(struct openconnect_info *vpninfo,
-+				      struct oc_cert *chain);
-+
- /* Contains a comma-separated list of authentication methods to enabled.
-    Currently supported: Negotiate,NTLM,Digest,Basic */
- int openconnect_set_http_auth(struct openconnect_info *vpninfo,
-diff --git a/openssl.c b/openssl.c
-index 007809b..8a5ef56 100644
---- a/openssl.c
-+++ b/openssl.c
-@@ -1325,6 +1325,48 @@ static void workaround_openssl_certchain_bug(struct openconnect_info *vpninfo,
- 	X509_STORE_CTX_cleanup(&ctx);
- }
- 
-+int openconnect_get_peer_cert_chain(struct openconnect_info *vpninfo,
-+				    struct oc_cert **chainp)
-+{
-+	struct oc_cert *chain, *p;
-+	X509_STORE_CTX *ctx = vpninfo->cert_list_handle;
-+	int i, cert_list_size;
-+
-+	if (!ctx)
-+		return -EINVAL;
-+
-+	cert_list_size = sk_X509_num(ctx->untrusted);
-+	if (!cert_list_size)
-+		return -EIO;
-+
-+	p = chain = calloc(cert_list_size, sizeof(struct oc_cert));
-+	if (!chain)
-+		return -ENOMEM;
-+
-+	for (i = 0; i < cert_list_size; i++, p++) {
-+		X509 *cert = sk_X509_value(ctx->untrusted, i);
-+
-+		p->der_len = i2d_X509(cert, &p->der_data);
-+		if (p->der_len < 0) {
-+			openconnect_free_peer_cert_chain(vpninfo, chain);
-+			return -ENOMEM;
-+		}
-+	}
-+
-+	*chainp = chain;
-+	return cert_list_size;
-+}
-+
-+void openconnect_free_peer_cert_chain(struct openconnect_info *vpninfo,
-+				      struct oc_cert *chain)
-+{
-+	int i;
-+
-+	for (i = 0; i < vpninfo->cert_list_size; i++)
-+		OPENSSL_free(chain[i].der_data);
-+	free(chain);
-+}
-+
- static int ssl_app_verify_callback(X509_STORE_CTX *ctx, void *arg)
- {
- 	struct openconnect_info *vpninfo = arg;
-@@ -1375,9 +1417,16 @@ static int ssl_app_verify_callback(X509_STORE_CTX *ctx, void *arg)
- 		     _("Server certificate verify failed: %s\n"),
- 		     err_string);
- 
--	if (vpninfo->validate_peer_cert &&
--	    !vpninfo->validate_peer_cert(vpninfo->cbdata, err_string))
--		return 1;
-+	if (vpninfo->validate_peer_cert) {
-+		int ret;
-+
-+		vpninfo->cert_list_handle = ctx;
-+		ret = vpninfo->validate_peer_cert(vpninfo->cbdata, err_string);
-+		vpninfo->cert_list_handle = NULL;
-+
-+		if (!ret)
-+			return 1;
-+	}
- 
- 	return 0;
- }
--- 
-1.9.1
-
diff --git a/patch/0008-Fix-missing-llz4-in-static-builds.patch b/patch/0008-Fix-missing-llz4-in-static-builds.patch
deleted file mode 100644
index 99c48c9..0000000
--- a/patch/0008-Fix-missing-llz4-in-static-builds.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From eb84443cc949a77daabc9333fc903fad87ca01cd Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@gmail.com>
-Date: Mon, 18 Apr 2016 22:04:22 -0700
-Subject: [PATCH 8/8] Fix missing -llz4 in static builds
-
-List liblz4 under Requires.private in the pkg-config file.
-
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- configure.ac      | 7 +++----
- openconnect.pc.in | 2 +-
- 2 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index 7da44dc..0851f9f 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -577,11 +577,10 @@ AC_ARG_WITH(lz4,
-   test_for_lz4=$withval,
-   test_for_lz4=yes)
- 
--enable_lz4=no
--if test "$test_for_lz4" = yes;then
-+if test "$test_for_lz4" = yes; then
- PKG_CHECK_MODULES([LIBLZ4], [liblz4], [
--enable_lz4=yes
--AC_DEFINE([HAVE_LZ4], [], [LZ4 was found])
-+	AC_SUBST(LIBLZ4_PC, liblz4)
-+	AC_DEFINE([HAVE_LZ4], [], [LZ4 was found])
- ],
- [
- 	AC_MSG_WARN([[
-diff --git a/openconnect.pc.in b/openconnect.pc.in
-index 53449df..8e295c4 100644
---- a/openconnect.pc.in
-+++ b/openconnect.pc.in
-@@ -7,7 +7,7 @@ includedir=@includedir@
- Name: openconnect
- Description: OpenConnect VPN client
- Version: @VERSION@
--Requires.private: @LIBPROXY_PC@ @ZLIB_PC@ @SSL_DTLS_PC@ @P11KIT_PC@ @LIBSTOKEN_PC@ @LIBPSKC_PC@ @LIBPCSCLITE_PC@ libxml-2.0
-+Requires.private: @LIBPROXY_PC@ @ZLIB_PC@ @LIBLZ4_PC@ @SSL_DTLS_PC@ @P11KIT_PC@ @LIBSTOKEN_PC@ @LIBPSKC_PC@ @LIBPCSCLITE_PC@ libxml-2.0
- Libs: -L${libdir} -lopenconnect
- Libs.private: @INTL_LIBS@
- Cflags: -I${includedir}
--- 
-1.9.1
-
diff --git a/patch/0009-Load-app-keys-by-URL.patch b/patch/0009-Load-app-keys-by-URL.patch
deleted file mode 100644
index 05fb2e8..0000000
--- a/patch/0009-Load-app-keys-by-URL.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 20fbdaabb9a4f1a126dd2f217f51c585ba33bb53 Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@gmail.com>
-Date: Sun, 24 Apr 2016 21:00:25 -0700
-Subject: [PATCH] Load "app:" keys by URL
-
-Chrome OS supports the notion of hardware-bound system keys, but it
-doesn't provide APIs that can be called directly by GnuTLS or p11kit.
-Instead, the application's NaCl module needs to pass certificate
-queries and signing requests back to JavaScript code that invokes the
-chrome.platformKeys APIs.  This is implemented by registering a handler
-for URLs starting with the (somewhat arbitrarily chosen) "app:" prefix.
-
-Allow openconnect to recognize these URLs and handle them through the
-same code paths as "system:" URLs.
-
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- gnutls.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/gnutls.c b/gnutls.c
-index 338f7a7..544fb51 100644
---- a/gnutls.c
-+++ b/gnutls.c
-@@ -1001,8 +1001,10 @@ static int load_certificate(struct openconnect_info *vpninfo)
- 
- 	key_is_p11 = !strncmp(vpninfo->sslkey, "pkcs11:", 7);
- 	cert_is_p11 = !strncmp(vpninfo->cert, "pkcs11:", 7);
--	key_is_sys = !strncmp(vpninfo->sslkey, "system:", 7);
--	cert_is_sys = !strncmp(vpninfo->cert, "system:", 7);
-+	key_is_sys = !strncmp(vpninfo->sslkey, "system:", 7) ||
-+		     !strncmp(vpninfo->sslkey, "app:", 4);
-+	cert_is_sys = !strncmp(vpninfo->cert, "system:", 7) ||
-+		      !strncmp(vpninfo->cert, "app:", 4);
- 
- #ifndef HAVE_GNUTLS_SYSTEM_KEYS
- 	if (key_is_sys || cert_is_sys) {
--- 
-1.9.1
-