OpenConnect 6.00 release

David Woodhouse dwmw2 at
Tue Jul 8 08:55:51 PDT 2014

This adds support for authentication to SOCKS and HTTP proxies, via
fairly much every method conceived to man.

The XML profile (with the list of available servers in the rotation) is
now downloaded in XML POST mode. Otherwise it was missing from the
NetworkManager GUI.

Various other compatibility improvements and bug fixes.

David Woodhouse (130):
      Fix GnuTLS 2.x build
      Fix 'missing initializer' warning on Solaris/GCC build
      Add autoconf test for functional groff with UTF-8 xhtml output
      Make pot file depend on, not Makefile
      Remove obsolete -DNO_BROKEN_DTLS_CHECK from Android build
      Consolidate into a single top-level .gitignore file
      Remove unneeded symbols from linker map
      Remove openconnect_print_err_cb() from linker map
      Remove asprintf() from linker map
      Merge branch 'rekey' of git://
      Import translations from GNOME
      Fix Windows tun read handling
      Import translations from GNOME
      Import translations from GNOME
      Import translations from GNOME
      Move fetch_config() invocation out to allow it to be used in XML POST mode
      Process XML POST response to find profile URL and download it
      Import translations from GNOME
      Resync translations with sources
      Don't fetch XML profile unless ->write_new_config() is set
      Make proxy_{read,write,gets}() return the same as the SSL methods
      Use callbacks in vpninfo for ssl_{read,write,gets} methods
      Use ssl_{read,write,gets} methods for unencrypted ("proxy") access too
      Use process_http_response() for proxy handling
      Propagate openconnect_open_https() return value
      First pass at adding proxy auth support
      Initial NTLM auth support
      Clean up ntlm_helper_fd on proxy done
      Print when attempting NTLM auth
      Rename buf_append() in cstp.c to cbuf_append()
      Make buf_append() from http.c visible elsewhere
      Add printf format attribute to buf_append()
      Use generic buf_append() in start_cstp_connection()
      Add FIXME in start_cstp_connection()
      Move NTLM out into ntlm.c
      Do not use winbind if given an NTLM password
      Add buf_append_bytes() function
      Add buf_append_base64() function
      Implement basic (ASCII-only) NTLMv1 support
      Add openconnect_md5() function for NTLMv2
      Add NTLMv2 support
      Remove stray reference to b64_frag()
      Attempt to support non-ASCII passwords in NTLM
      Support non-ASCII usernames in NTLM
      Update changelog
      Start adding GSSAPI support
      Add openconnect_base64_decode()
      Do not retry authentication methods which failed
      Add GSSAPI support
      Print message when attempting GSSAPI auth
      Let GSSAPI fail when empty token comes in
      Solaris needs <alloca.h>
      Fix GSSAPI build on Solaris
      Fix non-GSSAPI build
      FreeBSD doesn't have alloca.h
      Fix off-by-one in openconnect_base64_decode()
      Add shell of Digest auth
      Make buf_append_bytes() NUL-terminate the buffer storage
      Implement Digest authentication
      Document proxy authentication support a little
      Drop proxy connection and reconnect when auth fails
      Move cleanup_ntlm_auth() out of http.c
      Factor our basic_authorization() to look like the others
      Use an array of auth states
      Abstract out the auth methods and cleanups
      Kill empty cleanup_digest_auth()
      Add openconnect_set_proxy_auth()
      Disable Basic auth by default
      Factor out one implementation of buf_ensure_space()
      Simplify basic_authorization()
      Simplify/optimise buf_append_base64() a little
      Check for buffer alloc failures
      Leave fewer copies of proxy password around in memory
      Move buf_append_ucs2le() before ntlm_nt_hash()
      Move UCS2 conversion into ntlm_nt_hash() to keep things simple
      Make buf_ensure_space() non-static
      Make md4sum() take a struct oc_text_buf to avoid alloca()
      Correct (I think) MD4 padding count for NTLM
      Preallocate UCS2 password/md4 buffer to avoid leaving a password after realloc
      Add MSYS to configure check
      Check python version before using it
      Fix inet_aton("") on Windows
      Start to fix up SOCKS auth
      Add SOCKS password auth support
      Make proxy_read() return -ECONNRESET when the connection is closed
      Add SOCKS GSSAPI auth
      Fix memory leak of orig_host in openconnect_obtain_cookie()
      Make --proxy-auth=negotiate,basic work for SOCKS auth
      Accept 'GSSAPI' in place of 'Negotiate' in --proxy-auth=
      Fix valgrind warnings on NTLM setup_schedule()
      Import translations from GNOME
      Resync translations with sources
      Move DTLS secret initialisation to openconnect_setup_dtls()
      Clear got_cancel_cmd when returning from openconnect_obtain_cookie()
      Work around GnuTLS not checking IP addresses in certs
      Fix untranslated error message
      Fix DTLS master secret generation (harder)
      Add sanity check for uninitialised dtls_secret
      Move clearing of ->got_cancel_cmd to openconnect_reset_ssl()
      struct gss_buffer_desc.length is a size_t
      Fix OpenBSD build
      Attempt to fix up gssapi portability
      Capitulate to OpenBSD's whinging. Use snprintf
      Fix NetBSD ctype warnings: "array subscript has type 'char'"
      Attempt to make sense of GSSAPI mess
      Use autoheader. Ick. But the command lines were getting silly
      Fix cleanup_gssapi_auth() to stop it segfaulting on Solaris
      use cleanup_gssapi_auth() in failure path too
      Fix base64 decode in processing GSSAPI input
      Use SPNEGO for GSSAPI
      Update GSSAPI option flags for SOCKS to match RFC1961.
      Add strndup() compat function for OSX
      Use strndup() for processing IPv6 literals now that we have it
      GnuTLS 3.3.6 (partly) fixed the certificate check against IP literals
      Initial SSPI support for NTLM under Windows
      Add SSPI support for Kerberos/SPNEGO under Windows too
      Add SOCKS SSPI auth under Windows
      Import translations from GNOME
      Clean up argument types for openconnect_base64_decode()
      Improve GSSAPI error reporting a little
      NTLM password handling should be UTF16 not UCS2
      Fix gss_init_sec_context() error message
      Update translations from GNOME
      Shuffle main.c around to reduce #ifdef noise
      Resync translations with sources
      Print trailing newline after password input on Windows too
      Remove obsolete ssl_ui.c and references to it
      Resync translations with sources
      Fix up POTFILES list
      Tag version 6.00

Jason Wessel (1):
      Add hidden password support for windows platform

Jay Soffian (2):
      respect GIT_DIR
      Allow libtoolize to be specified via environment variable

Kevin Cernekee (48):
      www: Don't ignore groff errors
      www: Fix missing space on platforms page
      dtls: Align new-tunnel rekey behavior with Cisco clients
      cstp: Make cstp_reconnect() static again
      android: Build ARM with -march=armv7-a
      android: Upgrade nettle from v2.6 to v2.7
      android: Update GnuTLS to 3.2.12
      java: Add java/ directory to release tarballs
      Require autoconf 2.62+ to build from git
      Use AC_PATH_PROGS_FEATURE_CHECK to test groff usability
      android: Update libstoken to 0.5
      gnutls: Fix double free() prompting for passphrase
      http: fetch_config() argument names are swapped
      xml: Make sure the config file descriptor gets closed on all error paths
      http: Don't leak the auth form when handling <client-cert-request>
      http: Don't leak form_path on error
      tun: Don't leak tun_fd on ioctl errors
      gnutls: Fix inverted return value check in GnuTLS 2.12 compatibility code
      cstp: Fix misplaced parentheses
      jni: Fix a couple of leaked strings
      dtls: Add missing dtls_reconnect() stub for !HAVE_DTLS case
      dtls: Free OpenSSL contexts when the library instance is freed
      cstp: Don't call dtls_reconnect() when DTLS is disabled
      gnutls: Handle empty (but not NULL) passwords on PKCS#12 certs
      openssl: Skip password prompt on unencrypted PKCS#12 files
      openssl: Support unencrypted PKCS#8 private keys
      http: Handle gateways that skip TLS cert requests on initial connect
      gnutls: Fix minor memory leak when trying blank passwords
      jni: Change cancelLock so it can be used from native code
      jni: Allow other threads to call setLogLevel()
      android: Introduce new "mirror fetcher" shell script
      android: Introduce $(FOO_TAR) variables for each dependency
      android: Add "make mirror-test" target
      android: Update openssl to 1.0.1g
      android: Update to GnuTLS 3.2.13
      jni: Sync jni.c and
      jni: Change setPFS() to use a boolean argument
      man: Add hints on using --pfs option
      Export openconnect_set_pfs() and bump API version to 3.3
      main: Use openconnect_set_pfs() instead of touching vpninfo->pfs
      Add "new library function checklist"
      www: Update changelog
      android: Update to GnuTLS 3.2.15
      library: Add openconnect_set_dpd()
      Add OC_CMD_DETACH for "reconnectable abort"
      main: Refactor signal handling
      Change most PRG_TRACE prints to PRG_DEBUG
      http: Check asprintf() return value

Mike Miller (1):
      Remove W3C icons from web pages

Nikos Mavrogiannopoulos (1):
      Reset rekey time on the first DTLS handshake.

Thomas Uhle (1):
      gnutls: fix spelling of GNUTLS_E_PREMATURE_TERMINATION

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation