OpenConnect 6.00 release
David Woodhouse
dwmw2 at infradead.org
Tue Jul 8 08:55:51 PDT 2014
This adds support for authentication to SOCKS and HTTP proxies, via
fairly much every method conceived to man.
The XML profile (with the list of available servers in the rotation) is
now downloaded in XML POST mode. Otherwise it was missing from the
NetworkManager GUI.
Various other compatibility improvements and bug fixes.
ftp://ftp.infradead.org/pub/openconnect/openconnect-6.00.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-6.00.tar.gz.asc
David Woodhouse (130):
Fix GnuTLS 2.x build
Fix 'missing initializer' warning on Solaris/GCC build
Add autoconf test for functional groff with UTF-8 xhtml output
Make pot file depend on version.sh, not Makefile
Remove obsolete -DNO_BROKEN_DTLS_CHECK from Android build
Consolidate into a single top-level .gitignore file
Remove unneeded symbols from linker map
Remove openconnect_print_err_cb() from linker map
Remove asprintf() from linker map
Merge branch 'rekey' of git://gitorious.org/openconnect-x/openconnect-x
Import translations from GNOME
Fix Windows tun read handling
Import translations from GNOME
Import translations from GNOME
Import translations from GNOME
Move fetch_config() invocation out to allow it to be used in XML POST mode
Process XML POST response to find profile URL and download it
Import translations from GNOME
Resync translations with sources
Don't fetch XML profile unless ->write_new_config() is set
Make proxy_{read,write,gets}() return the same as the SSL methods
Use callbacks in vpninfo for ssl_{read,write,gets} methods
Use ssl_{read,write,gets} methods for unencrypted ("proxy") access too
Use process_http_response() for proxy handling
Propagate openconnect_open_https() return value
First pass at adding proxy auth support
Initial NTLM auth support
Clean up ntlm_helper_fd on proxy done
Print when attempting NTLM auth
Rename buf_append() in cstp.c to cbuf_append()
Make buf_append() from http.c visible elsewhere
Add printf format attribute to buf_append()
Use generic buf_append() in start_cstp_connection()
Add FIXME in start_cstp_connection()
Move NTLM out into ntlm.c
Do not use winbind if given an NTLM password
Add buf_append_bytes() function
Add buf_append_base64() function
Implement basic (ASCII-only) NTLMv1 support
Add openconnect_md5() function for NTLMv2
Add NTLMv2 support
Remove stray reference to b64_frag()
Attempt to support non-ASCII passwords in NTLM
Support non-ASCII usernames in NTLM
Update changelog
Start adding GSSAPI support
Add openconnect_base64_decode()
Do not retry authentication methods which failed
Add GSSAPI support
Print message when attempting GSSAPI auth
Let GSSAPI fail when empty token comes in
Solaris needs <alloca.h>
Fix GSSAPI build on Solaris
Fix non-GSSAPI build
FreeBSD doesn't have alloca.h
Fix off-by-one in openconnect_base64_decode()
Add shell of Digest auth
Make buf_append_bytes() NUL-terminate the buffer storage
Implement Digest authentication
Document proxy authentication support a little
Drop proxy connection and reconnect when auth fails
Move cleanup_ntlm_auth() out of http.c
Factor our basic_authorization() to look like the others
Use an array of auth states
Abstract out the auth methods and cleanups
Kill empty cleanup_digest_auth()
Add openconnect_set_proxy_auth()
Disable Basic auth by default
Factor out one implementation of buf_ensure_space()
Simplify basic_authorization()
Simplify/optimise buf_append_base64() a little
Check for buffer alloc failures
Leave fewer copies of proxy password around in memory
Move buf_append_ucs2le() before ntlm_nt_hash()
Move UCS2 conversion into ntlm_nt_hash() to keep things simple
Make buf_ensure_space() non-static
Make md4sum() take a struct oc_text_buf to avoid alloca()
Correct (I think) MD4 padding count for NTLM
Preallocate UCS2 password/md4 buffer to avoid leaving a password after realloc
Add MSYS to configure check
Check python version before using it
Fix inet_aton("255.255.255.255") on Windows
Start to fix up SOCKS auth
Add SOCKS password auth support
Make proxy_read() return -ECONNRESET when the connection is closed
Add SOCKS GSSAPI auth
Fix memory leak of orig_host in openconnect_obtain_cookie()
Make --proxy-auth=negotiate,basic work for SOCKS auth
Accept 'GSSAPI' in place of 'Negotiate' in --proxy-auth=
Fix valgrind warnings on NTLM setup_schedule()
Import translations from GNOME
Resync translations with sources
Move DTLS secret initialisation to openconnect_setup_dtls()
Clear got_cancel_cmd when returning from openconnect_obtain_cookie()
Work around GnuTLS not checking IP addresses in certs
Fix untranslated error message
Fix DTLS master secret generation (harder)
Add sanity check for uninitialised dtls_secret
Move clearing of ->got_cancel_cmd to openconnect_reset_ssl()
struct gss_buffer_desc.length is a size_t
Fix OpenBSD build
Attempt to fix up gssapi portability
Capitulate to OpenBSD's whinging. Use snprintf
Fix NetBSD ctype warnings: "array subscript has type 'char'"
Attempt to make sense of GSSAPI mess
Use autoheader. Ick. But the command lines were getting silly
Fix cleanup_gssapi_auth() to stop it segfaulting on Solaris
use cleanup_gssapi_auth() in failure path too
Fix base64 decode in processing GSSAPI input
Use SPNEGO for GSSAPI
Update GSSAPI option flags for SOCKS to match RFC1961.
Add strndup() compat function for OSX
Use strndup() for processing IPv6 literals now that we have it
GnuTLS 3.3.6 (partly) fixed the certificate check against IP literals
Initial SSPI support for NTLM under Windows
Add SSPI support for Kerberos/SPNEGO under Windows too
Add SOCKS SSPI auth under Windows
Import translations from GNOME
Clean up argument types for openconnect_base64_decode()
Improve GSSAPI error reporting a little
NTLM password handling should be UTF16 not UCS2
Fix gss_init_sec_context() error message
Update translations from GNOME
Shuffle main.c around to reduce #ifdef noise
Resync translations with sources
Print trailing newline after password input on Windows too
Remove obsolete ssl_ui.c and references to it
Resync translations with sources
Fix up POTFILES list
Tag version 6.00
Jason Wessel (1):
Add hidden password support for windows platform
Jay Soffian (2):
version.sh: respect GIT_DIR
Allow libtoolize to be specified via environment variable
Kevin Cernekee (48):
www: Don't ignore groff errors
www: Fix missing space on platforms page
dtls: Align new-tunnel rekey behavior with Cisco clients
cstp: Make cstp_reconnect() static again
android: Build ARM with -march=armv7-a
android: Upgrade nettle from v2.6 to v2.7
android: Update GnuTLS to 3.2.12
java: Add java/ directory to release tarballs
Require autoconf 2.62+ to build from git
Use AC_PATH_PROGS_FEATURE_CHECK to test groff usability
android: Update libstoken to 0.5
gnutls: Fix double free() prompting for passphrase
http: fetch_config() argument names are swapped
xml: Make sure the config file descriptor gets closed on all error paths
http: Don't leak the auth form when handling <client-cert-request>
http: Don't leak form_path on error
tun: Don't leak tun_fd on ioctl errors
gnutls: Fix inverted return value check in GnuTLS 2.12 compatibility code
cstp: Fix misplaced parentheses
jni: Fix a couple of leaked strings
dtls: Add missing dtls_reconnect() stub for !HAVE_DTLS case
dtls: Free OpenSSL contexts when the library instance is freed
cstp: Don't call dtls_reconnect() when DTLS is disabled
gnutls: Handle empty (but not NULL) passwords on PKCS#12 certs
openssl: Skip password prompt on unencrypted PKCS#12 files
openssl: Support unencrypted PKCS#8 private keys
http: Handle gateways that skip TLS cert requests on initial connect
gnutls: Fix minor memory leak when trying blank passwords
jni: Change cancelLock so it can be used from native code
jni: Allow other threads to call setLogLevel()
android: Introduce new "mirror fetcher" shell script
android: Introduce $(FOO_TAR) variables for each dependency
android: Add "make mirror-test" target
android: Update openssl to 1.0.1g
android: Update to GnuTLS 3.2.13
jni: Sync jni.c and LibOpenConnect.java
jni: Change setPFS() to use a boolean argument
man: Add hints on using --pfs option
Export openconnect_set_pfs() and bump API version to 3.3
main: Use openconnect_set_pfs() instead of touching vpninfo->pfs
Add "new library function checklist"
www: Update changelog
android: Update to GnuTLS 3.2.15
library: Add openconnect_set_dpd()
Add OC_CMD_DETACH for "reconnectable abort"
main: Refactor signal handling
Change most PRG_TRACE prints to PRG_DEBUG
http: Check asprintf() return value
Mike Miller (1):
Remove W3C icons from web pages
Nikos Mavrogiannopoulos (1):
Reset rekey time on the first DTLS handshake.
Thomas Uhle (1):
gnutls: fix spelling of GNUTLS_E_PREMATURE_TERMINATION
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation