OpenConnect 3.99 release (4.00 beta)

David Woodhouse dwmw2 at infradead.org
Wed Jun 13 19:24:58 EDT 2012


This is a prerelease of v4.00 to get a little more testing.

The main thing it does is add GnuTLS support. It supports PKCS#11 crypto
tokens, and also TPM keys. Thanks to Carolin Latze for the TPM support,
and especially to Nikos Mavrogiannopoulos for a lot of other help in
getting GnuTLS working, including DTLS support.

It still uses OpenSSL by default, unless you pass '--with-gnutls' on the
configure command line. If you aren't using a version of GnuTLS which
supports Cisco-DTLS, it'll still fall back to using OpenSSL for that,
while using GnuTLS for the HTTPS part.

Places where the library used to expose an OpenSSL 'X509' structure now
expose a generic pointer. It *might* be an X509, or it might be a
gnutls_x509_crt_t. There are functions to do various operations on it
(fingerprint, pretty-print as text) that the auth-dialogs were doing,
and a function to export it in DER form if an auth-dialog wants to do
something more advanced. All the callbacks for user interaction are also
cleaned up to use the ->process_auth_form() method, so auth-dialogs no
longer need to capture the OpenSSL UI method calls.

Note that TPM support is only available with GnuTLS 3.x; if you're stuck
on GnuTLS 2.12 then please file a bug with your Linux distribution to
get it updated. GnuTLS 3.0 was released almost a year ago! Other
functionality is subtly substandard when used with GnuTLS 2.12 too.

This release also adds a $CISCO_SPLIT_DNS variable when invoking
vpnc-script, with a comma-separated list of search domains. (Patches to
vpnc-script welcome; NetworkManager is already updated.)

Finally it improves the MTU configuration to improve connectivity with
new servers by allowing different MTU for CSTP and DTLS connections.
It's not clear how Cisco's scheme for this is intended to work, though;
it looks like it'd work a lot better if their server didn't give an
artificially low MSS when accepting the TCP connection.

Oh, and the --cert-type option is gone from the command line. We've been
automatically detecting that for a *long* time, so the option was
unneeded.

ftp://ftp.infradead.org/pub/openconnect/openconnect-3.99.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-3.99.tar.gz.asc

David Woodhouse (137):
      Add --with-pkgconfigdir to allow different environments like FreeBSD
      Make openconnect_open_https() and openconnect_close_https() more forgiving.
      Fix non-blocking support in fetch_config()
      Use openconnect_open_https() and openconnect_close_https() better.
      Add gnutls support to build system
      Fix API major/minor handling for out-of-source-tree build
      Move peer_cert handling to openconnect_open_https()
      Add openconnect_get_cert_details() function
      Add openconnect_sha1() function and use it instead of using OpenSSL directly
      Move basic process_auth_form() out to main.c
      Be more self-sufficient with header inclusions
      Add openconnect_get_cert_DER() function
      Add openconnect_random() function
      Split out connect_https_socket() function from openconnect_open_https()
      Move OpenSSL-specific functions from ssl.c to openssl.c
      Disable DTLS for GnuTLS build for now
      Remove OpenSSL dependency from http.c
      Add SSL library definition to CFLAGS in openconnect.pc
      Introduce semi-opaque OPENCONNECT_X509 type in library API
      Add barely functional GnuTLS support
      Refuse to build with GnuTLS < 2.12.16
      Make CSTP connection in a single SSL record
      Improve GnuTLS compatibility options
      Add client certificate support for GnuTLS
      Check cert expiry, at least for PEM certs
      Clean up GnuTLS PKCS#12 handling a little
      Add server certificate validation for GnuTLS
      Import pkcs12_parse() function from GnuTLS to fix PKCS#12 handling
      Make GnuTLS parse_pkcs12() return extra certificates from the PKCS#12 too
      GnuTLS: Add supporting certificates from PKCS#12 file
      Remove unused workaround_openssl_certchain_bug() function
      GnuTLS: Load trusted CAs before loading certificate
      GnuTLS: Import more than one certificate from PEM file
      Add GnuTLS to changelog
      Add openssl.c and gnutls.c to POTFILES
      Remove duplicate socket connect code from gnutls.c
      Fix vpninfo->peer_cert handling for GnuTLS
      Move openconnect_SSL_printf() to ssl.c
      Fix build on systems without O_CLOEXEC
      Remove stray debug printf
      Fix GnuTLS select() during handshake
      Bump API version, advertise get_cert_DER() and get_cert_details() functions
      Reduce priority of GnuTLS certificate verify failure message to PRG_INFO
      Fix GnuTLS request_passphrase() if no UI callback function
      openconnect_set_xmlsha1() takes a const char *
      Stop using OpenSSL UI for user interaction
      Add completely untested PIN callback for GnuTLS
      GnuTLS: Split logging of additional certs into a separate loop
      GnuTLS: Don't include root CA in the supporting evidence; only intermediates
      OpenSSL: Don't include root CA in the supporting evidence; only intermediates
      Fix FreeBSD compile
      Allow interface name to be specified on *BSD
      Fix FreeBSD tun handling with net.link.tun.devfs_cloning=0
      Update comment about gnutls_x509_privkey_import_pkcs8() password handling
      Move request_passphrase() to ssl.c
      Use request_passphrase() for OpenSSL PKCS#12
      Fix config_arg handling
      Fix config fetch
      Use request_passphrase() for OpenSSL PEM files
      Check for gnutls_pkcs12_simple_parse() in GnuTLS
      Split out OpenSSL_specific start_dtls_handshake() function
      Add DTLS support for GnuTLS
      Allow '--with-gnutls' in configure
      Add UI handling for OpenSSL TPM keys
      GnuTLS now uses gnutls_session_set_premaster()
      Fix GnuTLS PKCS#11 PIN request function
      Use p11-kit for directing PIN request to process_auth_form()
      Remove last traces of special UI and PIN handling from main.c
      Bump library soname to libopenconnect.so.2
      Kill old openconnect_vpninfo_new()
      Fix cbdata argument to process_auth_form()
      Change Requires: to Requires.private: in openconnect.pc
      Fix generation of version.c for out-of-tree builds
      Fix git-tree deps for version.c in out-of-tree build
      Don't hard-code cipher type in GnuTLS DTLS
      Set X-CSTP-Base-MTU: for new servers
      Make 'make dist' work for out-of-tree build
      Add gnutls_pkcs12 to dist
      Add gnutls.c and openssl.c to EXTRA_DIST too
      Add $CISCO_SPLIT_DNS environment variable for vpnc-script
      Update changelog
      Use X-DTLS-MTU response from server as well as X-CSTP-MTU
      Import updated gnutls_pkcs12_simple_parse() from GnuTLS
      Don't unregister p11-kit PIN callback until vpninfo is finished with
      Fix error handling when GnuTLS can't open key file
      Cope with SSL key being PKCS#11 but cert from file
      Use gnutls_certificate_set_x509_system_trust() where available
      GnuTLS: Fix expiry check and CA chain addition for PKCS#11 certs
      GnuTLS: Fix build with GnuTLS 2.12 and PKCS#11
      Set object-type on PKCS#11 URL for key and cert
      GnuTLS: Cache token PIN
      Remove obsolete GnuTLS FIXME comment
      Portability fixes for Solaris, *BSD
      Fix non-interactive mode
      Update docs for GnuTLS and PKCS#11 support
      GnuTLS: Print name of primary certificate
      OpenSSL: Print name of primary certificate
      Fix update-translations make target for out-of-tree build
      Fix upload-pot make target for out-of-tree build
      Update translations from Transifex
      Remove stray openssl includes
      Allow building against GnuTLS (for TCP) and GnuTLS (for DTLS) simultaneously
      Print SSL build options on --version or usage()
      Remove --cert-type option from command line
      Make --disable-ipv6 really do it
      Translate build option output
      Return error from OpenSSL load_certificate() for PKCS#11 URLs
      Add openconnect_has_pkcs11_support()
      Add --authenticate option
      Fix const char * warnings in GnuTLS pin_helper on FreeBSD
      Add openconnect_has_tss_blob_support()
      GnuTLS: Fix password memory leaks
      Fix useragent leak
      Make authentication valgrind-friendly
      OpenSSL: Fix password memory leaks
      OpenSSL: Clean up leaks in TPM ENGINE handling
      OpenSSL: Free BIO leak in reload_pem_cert()
      OpenSSL: Fix leak of cert_x509
      Explicitly check for gnutls_certificate_set_key(), separate it from p11-kit
      Fix DTLS fallback to OpenSSL for old GnuTLS
      Clean up build options printout
      Add TPM support for GnuTLS
      Remove redundancy in code which 'matches' cert to privkey
      Fix GnuTLS PIN cache leak when only *key* is PKCS#11 and not certificate.
      Implement certificate matching for TPM/PKCS#11 privkeys
      Fix error exits in GnuTLS load_certificate() function
      Try null SRK key (20 bytes of zero) first
      Give proper error reporting from tpm_sign_fn() TPM operations
      Handle TPM keys with their own authentication PIN
      Allow GUI to distinguish between PIN/passphrase callbacks
      Fix build with GnuTLS 2.12
      Update translations from Transifex
      Move dtls1_stop_timer() declaration inside the OPENCONNECT_OPENSSL section
      Link libopenconnect to trousers, not openconnect
      $CISCO_SPLIT_DNS is separated by commas in vpnc, not spaces
      Make 'make tag' work out of source tree
      Tag version 3.99

Mike Miller (2):
      Remove libopenconnect.map from EXTRA_DIST
      Show correct path to vpnc-script in the man page


-- 
dwmw2
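As an added example (not code from OpenConnect, vpnc-script or this announcement), the following sketches how a vpnc-script hook would consume the $CISCO_SPLIT_DNS variable described above. The variable name and the comma separator are taken from the announcement; the function names, the filtering rule and the sample value are assumptions constructed here for illustration, and the real script would write the result into resolv.conf rather than print it.

```shell
# Added example, not part of OpenConnect or vpnc-script. It turns the
# comma-separated $CISCO_SPLIT_DNS list exported by openconnect into a
# resolv.conf "search" line. Function names and the filter are assumptions.

# Split the comma-separated list in $1 into a space-separated search list,
# dropping empty fields and any entry that is not a plausible DNS name
# (the server supplies this value, so do not pass it through unchecked).
split_dns_search_list() {
    oldifs=$IFS
    IFS=,
    set -- $1          # split on commas only; spaces stay inside a field
    IFS=$oldifs
    out=""
    for dom in "$@"; do
        case $dom in
            ''|*[!A-Za-z0-9.-]*) continue ;;   # skip empty or suspicious entries
        esac
        out="${out:+$out }$dom"
    done
    printf '%s\n' "$out"
}

# Emit a "search ..." line from $CISCO_SPLIT_DNS, or nothing if it is unset
# or contains no usable domains.
resolv_search_line() {
    [ -n "${CISCO_SPLIT_DNS:-}" ] || return 0
    search=$(split_dns_search_list "$CISCO_SPLIT_DNS")
    [ -n "$search" ] || return 0
    printf 'search %s\n' "$search"
}

# Constructed sample value for stand-alone demonstration; in practice
# openconnect exports this before running vpnc-script.
CISCO_SPLIT_DNS="corp.example.com,lab.example.com,,bad domain.example"
resolv_search_line
```

The split is done with IFS set to a comma only, so a stray space inside a field is not treated as a separator; instead the whole field is rejected by the character filter, which also catches shell metacharacters that a hostile server might try to smuggle into a script that later interpolates the value.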