OpenConnect 5.99 release
David Woodhouse
dwmw2 at infradead.org
Wed Mar 5 06:29:59 EST 2014
This is the beta release for 6.0, with lots of shiny changes.
I'm not entirely convinced that the x.99 "releases" actually get that
much worthwhile testing, but they certainly don't hurt. Mostly this is a
call for Kevin and Nikos to bug me about anything they still have
outstanding that they really want in the 6.00 release...
This release adds support for Windows (32-bit and 64-bit builds with
MinGW), and basic support for RFC4226 HOTP tokens (although there's no
way to *store* the HOTP token counter).
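To illustrate why the unstored counter matters, here is an added example (not OpenConnect code): RFC 4226 HOTP generation plus a hypothetical server-side verifier with a look-ahead window, showing that a client whose counter restarts at 0 regenerates codes the server has already consumed.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last MAC byte, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[19] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HotpVerifier:
    """Hypothetical server model: remembers the next counter it will accept
    and tolerates a small look-ahead window for skipped client presses."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # this and every earlier counter are now burned
                return True
        return False


def simulate_restart_without_persistence(secret: bytes, logins_before_restart: int = 3) -> dict:
    """Client that never saves its counter: works until it restarts, then every
    code it produces has already been consumed until it catches up again."""
    server = HotpVerifier(secret)
    first_run = [server.verify(hotp(secret, c)) for c in range(logins_before_restart)]
    # After restart the client is back at counter 0, below the server's window.
    after_restart = server.verify(hotp(secret, 0))
    # Only a code at or beyond the server's expected counter is accepted again.
    caught_up = server.verify(hotp(secret, logins_before_restart))
    return {"first_run": first_run, "after_restart": after_restart, "caught_up": caught_up}
```

The `hotp()` function reproduces the RFC 4226 Appendix D test vectors for the ASCII secret `12345678901234567890`.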
It also adds split tunnelling support for IPv6 — which always would have
worked, in fact, but we need to explicitly *tell* the server that we
support it in order to receive an appropriate configuration.
It moves the VPN mainloop functionality into libopenconnect so that it
can be invoked through the library instead of having to spawn a separate
openconnect process — and adds Java bindings for libopenconnect.
There are also various crypto-related improvements, such as the ability
to enforce Perfect Forward Secrecy and new cipher suites in DTLS with
lower overhead.
Antonio Borneo (2):
      fix bug in run_csd_script()
      Fix --os=win
David Woodhouse (97):
      Merge OpenConnect v5.03 bugfix
      Do not use mmap() for reading XML config file
      Fix cert expiry warning for Windows, which lacks gmtime_r()
      Unify $host_os case statement in configure.ac
      Add compatibility for systems lacking setenv() and unsetenv()
      Start to clean up includes for MinGW build.
      Add -no-undefined to libtool invocation
      Add compatibility inet_aton() function for MinGW build
      Use closesocket() and fix errno handling for MinGW
      Set GnuTLS push/pull/errno functions on MinGW build
      Open files in binary mode on MingGW
      Fix setsockopt() warning on MinGW build
      Use send() and recv() for proxy communication (for MinGW's benefit)
      Disable CSD for MingGW build, make http.c build
      Provide pipe() for MinGW build
      Add openconnect_passphrase_from_fsid() implementation for MinGW
      Add set_sock_nonblock() and set_fd_cloexec() compat functions
      Make tun.c build for MinGW
      Disable --script-tun option on MinGW
      Disable --syslog option on MinGW
      Fix read_stdin() for MingGW
      Disable --setuid, --csd-user and --csd-wrapper options on MinGW
      Disable hostname discovery on MinGW
      Disable signal handling on MinGW
      Disable --background and --pid-file options on MinGW
      Hide GnuTLS MinGW push/pull functions when building with OpenSSL
      Add openconnect__win32_sock_init() function to initialise sockets
      Reorder header files to include <winsock2.h> before <windows.h>
      Update changelog to reflect MinGW status
      Add GnuTLS recv_timeout function for MinGW
      Remove FSF address from copyright boilerplate
      Update copyright year
      Add basic support for opening Windows TAP driver
      Import dumb_socketpair() and enable command fd for MinGW
      Fix Windows error translation to make GnuTLS happy
      Fix Windows set_sock_nonblock()
      Fix setenv() with value==NULL on Windows
      Remove Windows-specific pull/push/errno functions for GnuTLS
      Move DTLS reconnect handling into dtls.c
      Introduce dtls_state variable to make reconnect handling cleaner
      Kill new_dtls_* variables
      Fix up comment on GnuTLS dtls_ssl field
      Abstract select() and FD_SET handling
      Add event handling for Windows
      Finally add tun handling for Windows
      Make web pages work in out-of-tree builds
      Remove obsolete VAR_CVSID variable
      Remove references to Symbian
      Use intptr_t for intermediate cast to gnutls_transport_ptr_t
      Fix overflow warning in dumb_socketpair() on Win64
      Fix Windows openconnect_passphrase_from_fsid()
      Avoid building against GnuTLS v3.2.0-v3.2.9 on Windows
      Print a message when ignoring a TAP device due to --interface option
      Fix error printing when registry open fails
      Print error when no TAP interfaces found
      Move vpnc-script handling after platform detection in configure.ac
      Clean up default vpnc-script handling for Windows
      Update vpnc-script documentation for Windows
      Update build documentation
      Move set_script_env() to script.c
      Move script_config_tun() to script.c
      Factor out os_read_tun() from tun_mainloop()
      Factor out os_write_tun() from tun_mainloop()
      Move tun_mainloop() to mainloop.c
      Split out os_shutdown_tun() for Windows vs. sane platforms
      Move Windows openconnect_setup_tun_fd() to tun-win32.c
      Split out os_setup_tun() for Windows vs. sane platforms
      Move set_tun_mtu() into os_setup_tun()
      Move openconnect_setup_tun_device() to library.c
      Remove tun.c from Windows build
      Move Windows interface name matching into search_taps() function
      Clean up search_taps() function
      Make openconnect_setup_tun_fd() work on Windows
      Add openconnect_setup_tun_script() stub for Windows
      Fix OpenBSD build
      Fix crash with -C option
      Update changelog
      Import translations from GNOME
      Clean up GnuTLS openconnect_SSL_{read,write,gets} functions
      Do not abort when GnuTLS reports unclean shutdown
      Include <errno.h> in xml.c to fix non-libstoken build
      Remove Java_* wildcard from libopenconnect.map
      android: Add android/ directory to release tarballs
      Merge branch 'rekey' of git://gitorious.org/openconnect-x/openconnect-x
      Prefer python2 if available
      Add RFC4226 HOTP token support
      Don't lose translations when merging from Transifex
      Add update-po target
      Sort new files imported from Transifex so 'update-po' won't touch them
      Only include non-empty files in LINGUAS
      Resync translations with sources
      Update translations from Transifex
      Update platforms.html information about Windows builds
      Import translations from GNOME
      Fix 'cast from pointer to integer of different size' warning in Win64 build
      Resync translations with sources
      Tag version 5.99
Jeremy Visser (2):
      Support IPv6 split tunnelling
      Assign Address-IP6 field to netmask instead of address
Kevin Cernekee (83):
      library: Use named constants for process_auth_form() return value
      main: Rename process_auth_form() to avoid conflict with library
      Create a common process_auth_form() wrapper function
      auth: Remove outdated comment for parse_auth_choice()
      auth: Introduce free_opt() helper function
      library: Change oc_form_opt_select->choices to a pointer array
      auth: Provide information on which auth choice is currently selected
      process_auth_form: Add code to support NEWGROUP return status from UI
      main: Extend read_stdin() to accept hidden (password) input
      main: Split process_auth_form_cb() into smaller functions
      main: Make the authgroup picker CLI more user-friendly
      auth: Parse second-auth-related properties from the auth form
      auth: Hide unused form fields based on the selected authgroup
      Revert "auth: Temporarily disable XML POST if an authgroup dropdown exists"
      auth: Add OC_FORM_OPT_NUMERIC hint and apply it to token PIN entry
      library: Bump API version to 3.0 and document changes
      main: Update CLI to handle hidden fields and NEWGROUP
      main: Avoid infinite "303 See Other" loops on certificate-only authgroups
      main: Don't free password if it isn't used in the first auth form
      library: Clean up partially completed auth forms on error
      Unconditionally redirect CSD stdout to stderr
      ssl: Set FD_CLOEXEC on all sockets
      gnutls: Remove unused local variable
      Introduce new helper functions for cancel_fd checking
      library: Rename cancel_fd to cmd_fd
      library: Add new openconnect_setup_cmd_pipe() call
      Add new helper functions to support cmd_fd feature
      Temporarily build ssl.c + deps into the main executable
      Move signal handling out of mainloop
      cstp: Propagate error status up to the mainloop
      mainloop: Convert vpn_mainloop() into a library function
      dtls: Add dtls_close() helper function and call it on library cleanup
      mainloop: Add OC_CMD_PAUSE operation
      main: Introduce xstrdup() function
      tun: Export setup_tun() functionality
      Move vpninfo default settings into library
      library: Check for failed allocations in openconnect_vpninfo_new()
      dtls: Export setup_dtls() function
      cstp: Export make_cstp_connection()
      library: Move the mainloop guts into libopenconnect
      library: Update openconnect.pc.in
      cstp: Close socket after failed connection attempt
      tun, cstp: Don't exit() on failure
      library: Free zlib state
      cstp: Clean up split include/exclude/DNS lists when freeing vpninfo
      library: Add get/set functions for servercert, ifname, reqmtu
      library: Move IP information into a public struct
      library: Make vpn_option a public struct
      library: Export VPN configuration info to callers
      library: Tweak openconnect.h comment formatting for consistency
      library: Add protect_socket callback
      library: Add support for mobile headers
      library: Add openconnect_set_xmlpost() to support different CSD modes
      library: Add new callback for obtaining TX/RX statistics
      ssl: Don't let cmd_fd activity break timeouts
      library: Update changelog and bump minor version
      main: Add openconnect_vpninfo_free() on a couple of exit paths
      buildsys: Allow overriding -W flags
      acinclude: Add AX_JNI_INCLUDE_DIR macro
      JNI: Initial commit of C wrapper functions
      JNI: Initial commit of Java library + example program
      android: Enable JNI in build
      android: Add libstoken to build
      android: Add liboath to build
      android: Add "sources" target
      main: Add --timestamp option
      library: Fix incorrect platform ID for Mac
      Update documentation/help with the correct "--os" names
      www: Update changelog
      Fix a few minor memory leaks
      Add liboath version check
      http: Don't retry on user cancellation
      cstp_reconnect: Don't sleep if the user terminated the connection
      android: Explicitly disable symbol versioning
      android: Use make-standalone-toolchain.sh from NDK
      android: Install stripped binaries under $(TRIPLET)/out
      cstp: Make sure outbound packets are sent over CSTP if DTLS is down
      dtls: Set rekey_method correctly if the header is missing
      Sanity-check CSTP and DTLS rekey times
      mainloop: Use consistent logic for rekey timeout check
      dtls: Fix link error on !HAVE_DTLS builds
      Avoid deprecated AC_OUTPUT syntax
      mainloop: Simplify the keepalive functions
Nikos Mavrogiannopoulos (18):
      mention DTLS ciphersuite name
      Added support for GCM ciphersuites (require DTLS 1.2).
      Enable a padding when sending password, to avoid leakage of password length.
      Added --pfs option to force perfect forward secrecy
      When selecting TLS protocol options for GnuTLS set the same defaults as in openssl.
      Added openconnect_set_pfs() and its JNI counterpart
      link to Kevin's android port.
      Updated changelog for previous changes.
      Distinguish between the different rekey methods.
      Increased DTLS timeout value to 12 seconds.
      Do an SSL rehandshake when the server sends "X-CSTP-Rekey-Method: ssl".
      Do rehandshake on the DTLS channel as well.
      When CSTP rehandshake or reconnection succeeds, reconnect DTLS.
      Removed the new-tunnel reconnection option from DTLS.
      Revert "dtls: Set rekey_method correctly if the header is missing"
      Notify on rekey time when we are not in REKEY_NONE state.
      If DTLS rehandshake fails, then reconnect.
      Advertise the hostname we connect using SNI.
ftp://ftp.infradead.org/pub/openconnect/openconnect-5.99.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-5.99.tar.gz.asc
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation