OpenConnect 7.05 release
David Woodhouse
dwmw2 at infradead.org
Tue Mar 10 14:37:17 PDT 2015
The biggest thing here is the Juniper support, which is still
experimental. This is actually the obsolescent Network Connect protocol;
we'll probably end up also implementing Junos Pulse support which
actually provides IPv6 rather than only Legacy IP. But not this week!
This release adds HTTP authentication to VPN servers, as supported by
ocserv 0.10.0.
For users with CPUs that can't do arbitrary unaligned access, there's a
fix for the LZS compression code.
Also added support for SHA256 and SHA512 HOTP/TOTP keys, a workaround
for issues with non-ASCII passwords set by older versions of the YubiOATH
Android app, and various fixes for the OpenSSL build.
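As an added illustration, not code from OpenConnect itself, of what the SHA256/SHA512 HOTP/TOTP support and the "Fix leading zeroes on OATH tokencodes" entry below involve: an RFC 4226/6238 generator with a selectable HMAC hash, checked against the RFC 6238 Appendix B test vectors. The function names and the rfc6238_seed() helper are my own.

```python
import hashlib
import hmac
import struct

# HMAC hash algorithms usable for OATH secrets (RFC 6238 allows all three).
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algo]).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # zfill keeps leading zeroes: the code 07081804 must not be sent as 7081804
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps elapsed since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def rfc6238_seed(algo: str) -> bytes:
    """Constructed test seed from RFC 6238 Appendix B: the ASCII string
    '1234567890' repeated and cut to the digest length of the hash
    (20 bytes for SHA-1, 32 for SHA-256, 64 for SHA-512)."""
    length = {"sha1": 20, "sha256": 32, "sha512": 64}[algo]
    return (b"1234567890" * 7)[:length]


if __name__ == "__main__":
    # Reproduce the T=59 row of the RFC 6238 test table for each hash.
    for algo in HASHES:
        print(algo, totp(rfc6238_seed(algo), 59, digits=8, algo=algo))
```

Note that the RFC test vectors use a different seed length per hash; feeding the 20-byte SHA-1 seed to the SHA-256 or SHA-512 variant yields a valid but non-matching code, which is the kind of mismatch the secret-parsing fixes in this release address.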
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.05.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.05.tar.gz.asc
David Woodhouse (204):
Start separating protocol-specific methods from generic VPN support
Move DTLS methods into struct vpn_proto
Move CSTP methods into struct vpn_proto
Move CSTP authentication and obtain_cookie to auth.c
List Cisco protocol-specific files separately in the Makefile
Rename and move cstp_free_splits
Move nuke_opt_values() and process_auth_form() to library.c
Make many functions in auth.c static
Move unhex to script.c
Add 'replace' argument to http_add_cookie()
Move cstp_read() and cstp_write() to openssl.c/gnutls.c and rename them
Move some helpers out into auth-common.c
Make connect_dtls_socket() and try_dtls_handshake() static
Factor out udp_sockaddr() helper function
Factor out udp_connect() helper function
Make 'route' member of struct oc_split_include a const char *
Add shell of Juniper support
Add oncp_common_headers()
First negotiation packets for oNCP
Get slightly further in oNCP negotiation
Final oNCP negotiation packet
Primitive implementation of oncp_mainloop()
WIP oNCP authentication
Slightly more complete implementation of Juniper authentication
Handle Juniper HTTP server brokenness with initial connect requests
Endianness fixes
Add some debugging for SSL reads
Handle return value from ssl_write()
Fix netmask option handling
Dump outgoing data packet
Fix length on outbound data packet
Get KMP message type from right place
Actually post auth entries
Free XML doc in oNCP auth loop
For oNCP, a redirect turns POST into GET
Fix button name comparison
Always check for auth success, not only when !form
Don't free doc twice in quick succession
Add missing newline
Interpret some ESP TLVs
Add ESP replay protection TLV
Add ESP compression TLV
Fix key lifetime TLV
More config TLVs
Add TNCC support
Do not throw away form entries as soon as we get them
Attempt ESP negotiation
Fix ESP TLVs
Add ESP decryption (unused)
Implement ESP encryption
Implement sequence number checking
Add stub functions for ESP support
Hook up ESP mainloop
Set up poll() on oNCP fd
Add ESP support for OpenSSL
Treat SPI as a uint32_t instead of char[]
Dump ESP parameters
Handle incoming KMP messages with multiple packets
Tell server when ESP is running
Handle ESP rekeying
Fix up ESP renegotiation reply
Print when receiving ESP packets
Accept packets on old ESP setup during changeover
Handle multiple KMP messages in one SSL packet
Handle split includes
Check incoming data packets don't exceed MTU
Improve debugging in oncp_receive_data() a little
Attempt to handle large data messages exceeding a single SSL record size
Add support for using esp-openssl.c with GnuTLS 2.12
Fix build for GnuTLS 2.12 without OpenSSL
Render U+002D HYPHEN-MINUS in manual page where needed
Add endian-specific word load/store functions
Use endian-specific access functions in ntlm.c
Use endian-specific access functions in cstp.c
Use endian-specific access functions in gssapi.c
Use endian-specific access functions in http.c
Use endian-specific access functions in oncp.c
Use endian-specific access functions in ssl.c
Use endian-specific access functions in sspi.c
Use endian-specific access functions in yubikey.c
Use load_le16() and store_le16() for UTF-16 surrogate pairs
Fix Win32 build warnings in esp.c
Fix isspace() warning on *BSD. Again
Don't use anonymous struct for oncp in struct pkt hdr
Do not have separately named struct esp_hdr
Use named struct for CSTP in struct pkt too
Adjust static packets to build with GCC < 4.6
Disable ESP when OpenSSL lacks HMAC_CTX_copy()
Credit Tiebing
Update copyright year
Implement esp_close() and esp_shutdown()
Add LZO decompression support
Fix check for HMAC_CTX_copy()
Improve packet queue handling
Work around gnutls_record_get_direction() bug
Fix crash in create_script_env() if environment variables already exist
Attempt to handle frmDefender and frmNextToken
Move protocol-specific decisions about when to use tokencodes into protocol code
Allow automatic OATH for Juniper
Update Solaris bug ID for time() going backwards
Update changelog to admit to Juniper support
Treat form with OC_FORM_OPT_TOKEN as non-empty
Use generic can_gen_tokencode() for oNCP
Calculate TOTP/HOTP codes for ourselves
Avoid using liboath in buf_append_base32()
Avoid using liboath for decoding base32
Remove liboath dependency
Support SHA256/SHA512 for OATH
Fix OATH token generation for non-SHA1 with GnuTLS
Fix token-secret parsing when HMAC algorithm is specified
Fix leading zeroes on OATH tokencodes
Fix handling of SHA512
Add openconnect_set_loglevel()
Website updates
Add TNCC documentation
Make --authgroup work for Juniper
Implement ESP keepalive and periodic reconnect attempt
Add link to IRC channel
Remove obsolete check against esp_enable_pkt
Implement oNCP reconnect
Update docs for Juniper now the reconnect is done
Split out get_utf8char() from buf_append_utf16le()
Fix OpenSSL build
Add pwlen argument to openconnect_hash_yubikey_password()
Fix memory leak if openconnect_hash_yubikey_password() fails
Work around Yubikey/Android PBKDF2 bug
Update changelog
Handle Juniper session expiry
Attempt to automatically select a session to kill when there's a choice
Print debug message when sending ESP probes
Set work_done when telling server to enable ESP
Check padding bytes in ESP
Dump invalid packet in connection
Shift Juniper auth code out into its own file
Merge branch 'master' of ssh://git.infradead.org/home/dwmw2/public_git/openconnect
Allow larger 301 configuration packet
Expand nonroot.html page and improve TUNSETIFF -EPERM error handling
Change to a less Comic Sans-esque font
Handle split exclude routes for Juniper
Update translations from GNOME
Remove stray debugging message from configure script
Include more needed OpenSSL headers
Regenerate SSL_SESSION each time for DTLS
Shuffle DTLS SSL_SESSION regeneration to live together
Split generate_dtls_session() for OpenSSL
Fix openssl.c build with OpenSSL HEAD
Fix dtls.c build with OpenSSL HEAD
Add broken OpenSSL check for 1.0.2
Fix OpenSSL ESP HMAC calculation
Allow CSTP and DTLS compression to be different
Fix ASN.1 INTEGER encoding to avoid sign-extension issues
Refer to OpenSSL RT#3703 and RT#3711 for OpenSSL 1.0.2 breakage
Add DTLS1.2 and AES-GCM support for OpenSSL 1.0.2+
Fix typo
Add lzo.h to dist
Rename struct proxy_auth_state to struct http_auth_state
Stop cleanup_ntlm_auth() using auth_state
Start making HTTP authentication less proxy-specific
Fix non-GSSAPI build
Fix Windows NTLM build
Fix Windows SSPI build
Add unused http_auth states, add proxy argument to authorization methods
Let cleanup functions distinguish between proxy and http auth
Fix up Digest auth for non-proxy authentication
Fix up Basic auth for non-proxy authentication
Fix up NTLM auth for non-proxy authentication
Fix up GSSAPI auth for non-proxy authentication
Fix up SSPI auth for non-proxy authentication
Don't close stdin on startup
Cleaner fix for NTLM closing stdin on cleanup
Fix some more proxy assumptions in HTTP auth
Move HTTP authentication out into http-auth.c
Finally add (non-proxy) HTTP authentication support
Fix errors in moving auth code to http-auth.c
Update changelog
Add X-Support-HTTP-Auth: header for ocserv
Support fallback from X-Support-HTTP-Auth
Clean up handling of default disable for Basic auth
Fix memory leak with --proxy-auth argument
Add openconnect_set_http_auth() and --http-auth command line option
Add openconnect_set_protocol() API
Update Juniper docs
Fix unaligned data reference in LZS
Don't forget parens around macro arguments
Update changelog
Fix memory handling issues in Juniper parse_select_node()
Fix memory leak in failure case
Fix leak of request_body buf
Fix reqbuf leak in error case
Fix memory leak on error path
Fix potential memory leaks in Digest auth
Don't call send() with negative lengths if encrypt_esp_packet() fails
Avoid apparent possibility of double-free of pending_deflated_pkt
Check gnutls_hmac() return value
Forbid pointless http_add_cookie() with value==NULL and !replace
Stop using 1ULL as the base value to be shifted in LZS GET_BITS()
Add explicit comment for switch() fall through case
Fix memory leak in ntlm_nt_hash() error paths
Fix regression in manual NTLM auth
Add explicit check for user/pass before ntlm_manual_challenge()
Remove unreached goto
Fix leak of xmlfile on error path
Resync translations with sources
Tag version 7.05
Kevin Cernekee (5):
android: Re-enable libxml HTML support
android: Add liblz4 to build
cstp: AC_PKT_DISCONN payload length can be 0
cstp: Add X-AnyConnect-* mobile headers on CONNECT request
auth-juniper: Check asprintf() return values
Mike Miller (1):
Fix undefined reference error when building with GnuTLS
Nikos Mavrogiannopoulos (3):
limit the number of newgroup attempts
Move internal auth state in http_auth_state.
Added an upper limit on the number of redirects
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation