OpenConnect 9.00 release
David Woodhouse
dwmw2 at infradead.org
Fri Apr 29 09:01:46 PDT 2022

This release finally contains the SAML/SSO support for AnyConnect and
GlobalProtect, and the multiple certificate support for AnyConnect.
These have been outstanding for a long time, and I'd really like to thank Steven Walter and Tom Carroll for their work and especially their patience.
Thanks also to Luca Boccassi and Dimitri Papadopoulos for their notable
contributions, and to Daniel Lenski as usual.

https://www.infradead.org/openconnect/download/openconnect-9.00.tar.gz
https://www.infradead.org/openconnect/download/openconnect-9.00.tar.gz.asc

Ambroise Rosset (1):
Implement a function openconnect_set_useragent

Daniel Lenski (25):
Don't try to set MTU on tunnel interface within (lib)openconnect itself
Re-enabling tests/auth-multicert
Cleanup and simplify fake-cisco-server.py
Cleanup and clarify lengthy comment on multiple certificate authentication
Add openconnect_set_mca_{cert,key_password} to public API
Add setMCACert and setMCAKeyPassword to Java API
Add OC_PROTO_AUTH_MCA flag
Describe --mca-{certificate,key,key-password} options in manual
Remove repeated flexible array member which is confusing Coverity
make .sso_detect_done a protocol-specific VFN, and use in openconnect_webview_load_changed
openconnect_open_webview_vfn should return int, and accept callback data
split OC_FORM_OPT_SSO into _TOKEN and _USER versions, and don't open_webview until after "normal" form processing
start adding GP SSO support
Add changelog entry
Bugfix RSA SecurID token decryption and PIN entry forms
Add changelog entry
Fix GP fake server parameters so that gateway-interface 2FA is actually tested
Handle Fortinet split-exclude routes
Update changelog
Factor out parse_split_routes for Fortinet
Fix initial client request XML structure when announcing multicert capability
GP: add 'internal=no' flag to the login and configuration requests
Update changelog
Merge branch 'GP_internal_no_flag_for_issue_246' into 'master'
Do not ignore 0.0.0.0/0 specified as a "split"-{in,ex}clude route for oNCP

David Woodhouse (76):
OpenSSL implementation of multicert challenge
Support vhost on more than just x86_64
Make buf_append_utf16le() robust against being passed NULL
Fix Windows tun setup crash
epoll: Handle EPOLLERR as 'readable'
esp: Close socket on error
stoken: Fix const warnings
Merge branch 'master' into 'master'
Merge branch 'reconnection_report_PRG_ERROR' into 'master'
Merge branch 'man' into 'master'
Merge branch 'dump_buf_hex_performance' into 'master'
Merge branch 'obs' into 'master'
Merge branch 'sigaction' into 'master'
Merge branch 'gai_strerror' into 'master'
Merge branch 'vpn_progress_wintun_version' into 'master'
Merge branch 'free_const_char' into 'master'
Merge branch 'cast_char' into 'master'
Merge branch 'const_char' into 'master'
Merge branch 'code_climate_deepsource' into 'master'
Merge branch 'no_MTU_setting_in_openconnect_itself' into 'master'
Merge branch 'remove_unnecessary_struct_member_to_quiet_Coverity' into 'master'
AnyConnect: Generate EC keys for X-AnyConnect-STRAP-{DH-,}Pubkey
Add cancellable_accept(), make cancellable_send() take a const buffer
Add OpenSSL crypto support for HPKE
Add GnuTLS crypto support for HPKE
AnyConnect: Add support for external browser SSO
Add openconnect_set_external_browser_callback() and defaults
Fix translated wintun version strings
Update translations from GNOME
Fix translations mangled by sed
Merge branch 'obs' into 'master'
Merge branch 'multicert' of gitlab.com:openconnect/openconnect
fake-cisco-server.py: Disable check for `multiple-cert` support
Merge branch 'errors' into 'master'
Add xdg-utils for xdg-open (default external browser)
Merge branch 'master' of gitlab.com:openconnect/openconnect
Merge branch 'insecure-openssl' into 'master'
Merge branch 'errors' into 'master'
Merge branch 'obs' of gitlab.com:bluca/openconnect
Increase server delay for fake server tests
Reduce the 'bus factor' for translation sync a bit
Import translations from GNOME
Fix hogweed/gmp library linkage for HPKE by actually using $(HPKE_LIBS)
Merge branch 'obs' into 'master'
Attempt to make posix_spawn() work on OSX
Merge branch 'vhost-portable' of gitlab.com:openconnect/openconnect
Import translations from GNOME
Merge branch 'master' of gitlab.com:openconnect/openconnect
Use 'open' to spawn browser on OSX
Merge branch 'align' into 'master'
Merge branch 'field_precision_specifier_expects_int' into 'master'
Merge branch 'DWORD_PRId32_PRIo32' into 'master'
Fix lost translations for PRId64 → PRIu64 change
Import translations from GNOME
Attempt to implement AnyConnect Session Token Re-use Anchor Protocol (STRAP)
Export STRAP private key with AnyConnect cookie
Revert "append_compr_types: removed unnecessary assignment"
Silence static-analyser warning about redundant assignment to 'sep'
Make all STRAP support conditional on HPKE
Always send STRAP pubkey even when we don't change it
Add changelog for STRAP
Revert "GP: Fix the issue of a 0.0.0.0/0 "split"-include route by swapping the "split" route with the default netmask."
Only abort on certificate fail for CERT2_REQUESTED
Allow gmp without pkgconfig
Fix potential leak of cookie_buf on error path
Fix setsockopt(SO_REUSEADDR) warnings
Merge branch 'codespell' of gitlab.com:DimitriPapadopoulos/openconnect
Merge branch 'obs' of gitlab.com:bluca/openconnect
Import translations from GNOME
Merge branch 'scootergrisen-master-patch-59421' of gitlab.com:DimitriPapadopoulos/openconnect
Resync translations with sources
Add missing export-strings.sh
Merge branch 'fortinet_split_excludes' of gitlab.com:openconnect/openconnect
Merge branch 'autoconf' into 'master'
Add changelog entry for SAML/SSO
Tag version 9.00

Dimitri Papadopoulos (42):
Win32: gai_strerror → WSAGetLastError
Consistency in error messages
Fix error reporting in main() and friends
fprintf(stderr, ...) → vpn_progress(stderr, VPN_ERR, ...)
No need to cache errno before _()
Check return value of sigaction()
Fix Linux kernel coding style error and warnings
Do not use `type` as a variable name
Squash two identical `if` branches
Protect next() calls with try/except inside generators
Overridden methods should have identical parameters
Use `()` and `{}` instead of `list()` and `dict()`
Avoid code duplication
Avoid code complexity
Local variable redefined argument
Avoid assert statement outside of tests
Remove unused imports
Condition `len>=0` is true after `if (len < 0)`
Condition `!dtlsver` is true after `else if (dtlsver)`
Decorate with `@staticmethod` if `self` is not used
Fix --reconnect-timeout documentation
Silence compiler warning [-Wformat=]
Consistency in man page
Skip dump_buf_hex() when the log level is low enough
No need to cast `const char *` to `char *`
Declare C string constants using array syntax
Adjust verbosity level of Fortinet-related logging
Silence compiler warnings [-Wdiscarded-qualifiers]
No embedded URLs in translatable strings
Fix Linux kernel coding style error and warnings
Align output of openconnect --help
Fix MinGW compiler warning
The format specifier for DWORD is "%lu"
The format specifier for uint64_t is PRIu64
Fix typo found by codespell
Change "openconnect" to "OpenConnect"
No need to support RHEL 5
AC_PROG_CC_C99 is obsolete starting with autoconf 2.70
Arguments should be enclosed within ‘[’ and ‘]’
Update m4 files
AC_TRY_COMPILE is obsolete starting with autoconf 2.70
Add missing host-cpu-c-abi.m4

Luca Boccassi (20):
Docs: note that GP + SAML is supported by network-manager-openconnect
GP SAML: fix some memory handling
GP SAML: handle redirect case
AC SAML: do not assume the cookie will be on the final page
AC SAML: cookies might be empty
GP SAML: support legacy workflow
Add --enable-docs option
Add packaging files for OBS build
Add OBS workflow configuration file
Store OBS _service file
Merge branch 'fix_388' into 'master'
obs workflow: rebuild on each push/merge to master
obs workflow: add xdg-utils build-dep on openconnect.dsc too
obs: remove libpskc-dev dependency from libopenconnect-dev
OBS: remove ancient requires on vpnc from RPM
www: remove link to PPA, not updated anymore
www: link OBS setup instructions in packages.xml
obs workflow: trigger release repository rebuilds when a tag is pushed
obs: switch version format to 'tag+n_commits_over_tag+gHASH'
obs: add a strict versioned dependency from openconnect to libopenconnect5

Maxim Storchak (1):
Set loglevel as soon as it's known

Mike Gilbert (2):
openssl: allow ALL ciphers when allow-insecure-crypto is enabled
Do not XFAIL obsolete-server-crypto on Fedora/CentOS

Steven Walter (1):
Support AnyConnect single-sign-on-v2

Tom Carroll (13):
Add multicert fields to openconnect_info struct
Add constants and string maps for AnyConnect multicert auth
Converse the multiple certificate authentication (multicert) protocol.
gnutls crypto implementation for signing multicert challenge.
Test server stub to exercise the multiple-certificate authentication.
Abort multiple-certificate authentication if certificate load fails.
Add field to cert_info, prototypes for revised certificate handling API.
Updated multicert string maps to revised certificate API.
GnuTLS implementation of revised certificate API.
Implement multiple certificate authentication with revised certificate handling API.
Ensure that certificate resources are released.
OpenSSL implementation of revised certificate API.
Implement public multiple certificate authentication API.