OpenConnect 7.00 release
David Woodhouse
dwmw2 at infradead.org
Thu Nov 27 08:37:51 PST 2014
Lots of fun stuff here, especially on Windows. We now support keys from
the Windows certificate store, and the new NDIS6 TAP-Windows driver. And it
should run on systems as far back as Windows XP.
In order to simplify string ownership rules and reduce the likelihood of
bugs, and to cope with restrictions that Windows 'DLL Hell' imposes, the
API has been completely changed so that strings do not change ownership
when they are passed into the library. API functions take 'const char *'
and will take a *copy* of the string if appropriate. The soname of the
library is bumped accordingly.
This release adds full Unicode handling for both Windows and legacy
non-UTF-8 POSIX platforms. All strings passed into, or out of, the
libopenconnect library should now be UTF-8 and it is the responsibility
of the application if running in a legacy environment to do any
conversions that are necessary.
The utun driver on OS X is now supported, so it's no longer necessary to
install a third-party unsigned kernel module.
OATH HOTP/TOTP keys stored in a Yubikey NEO using the ykneo-oath applet
are also now supported. Tested on OSX, Windows and Linux. Software HOTP
token support is now capable of using a token from a PSKC file and
updating the token counter therein, thus making it actually *useful*.
Thread-safety issues caused by using setenv()/putenv() within the
library have now been fixed.
A --no-system-trust option has been added, to prevent OpenConnect from
trusting any certificate authorities apart from those explicitly passed
to it with the --cafile option. Corresponding library APIs also exist.
Thanks to Nikos Mavrogiannopoulos and Kevin Cernekee in particular for
their significant contributions to this release. Their Android and
Windows clients are a major factor in continued improvements.
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz.asc
Chad Catlett (1):
Check to avoid calling iconv_close(-1) in openconnect_vpninfo_free
David Woodhouse (204):
Fix crash on invocation with --token-mode but no --token-secret
Slightly optimise Proxy-Authenticate: header parsing
Improve reporting when GSSAPI auth requested but not compiled in
Fix off-by-one in xmlnode_msg() handling of error messages
Solaris 10 *still* doesn't have 'grep -q'
Revamp GSSAPI detection
Avoid retrying without XML POST when we didn't even manage to connect
Fix openconnect_base64_decode() to return the buffer
Cosmetic fix in cleanup_ntlm_auth()
Honour Proxy-Connection: close during authentication
Import translations from GNOME
Fix potential memory leak on GSSAPI failure
Improve GSSAPI error reporting
Don't force a reconnect if GSSAPI fails without trying
Use RegQueryValueEx() instead of RegGetValue() to support 32-bit Windows XP
Import translations from GNOME
Resync translations with sources
Sort openconnect.pot by file to avoid spurious changes
Fix signedness in url-encoding for legacy auth postings
Clean up return paths in openconnect_obtain_cookie()
Use oc_text_buf for auth postings
Return body from process_http_response() in oc_text_buf
Dynamically find GetVolumeInformationByHandleW(); old Windows lacks it
Add inet_pton() compatibility for Windows
Make buf_append_urlencoded() more conservative about non-ASCII chars.
Move buf_append_utf16le() to http.c and make it non-static
Use "Unicode" versions of SSPI functions
Add buf_append_from_utf16le() which appends UTF-8 to the buffer
Handle non-ASCII tun device names under Windows
Print name of Windows tun device not devname
Use read_stdin() instead of fgets() in certificate validation
Export asprintf() and vasprintf() compatibility functions
Refactor read_stdin() a little to prepare for charset conversion
Attempt to convert output to locale charset from UTF-8
Convert to UTF-8 when reading from stdin
Separate read_stdin() implementations for Windows vs. POSIX
Handle UTF-8 input on Windows
Handle UTF-8 output on Windows too
Fixes for buf_append_utf16le()
Use _wputenv() for Windows environment
Fix tun device matching with --interface on Windows
Move Windows UTF-8 stdio functions up to live with POSIX ones
Introduce dup_config_arg() macro
Add conversion to UTF-8 of command-line arguments
Add missing 'Proxy CONNECT request failed: %d' translation back
Use setlocale() unconditionally, complain if non-UTF8 locale and no iconv
Take a copy of the string that nl_langinfo() returns
Fix some arguments missing dup_config_arg()
Add openconnect_utf8_to_legacy() helper function for charset conversion
Add open_utf8() and fopen_utf8() functions for opening files
Use open_utf8() in GnuTLS load_datum()
Convert vpninfo->ifname to legacy charset for $TUNDEV and configuration
Convert $CISCO_BANNER environment variable to legacy charset
Convert vpnc_script to legacy charset (or UTF-16 for Windows)
Factor out OpenSSL install_extra_certs() from load_pkcs12_certificate()
Extend reload_pem_cert() to become load_cert_chain_file()
Avoid SSL_CTX_use_RSAPrivateKey_file() because it doesn't handle UTF-8.
Convert cafile to legacy charset for OpenSSL
Convert last remaining OpenSSL code to open_utf8()
Add web page about charset handling
Update changelog
Handle UTF-8 sslkey in BSD openconnect_passphrase_from_fsid
Handle UTF-8 sslkey in Linux openconnect_passphrase_from_fsid
Handle UTF-8 sslkey in Windows openconnect_passphrase_from_fsid
Fix asprintf() handling in openconnect_passphrase_from_fsid()
Remove static out_pkt
Fix buf_append_utf16le() error handling harder
Make buf_append_utf16le() suitable for validation-only
Check inputs for invalid UTF-8
Fix csd_wrapper handling for non-UTF8 locales
Wrap ifreq_set_ifname() in #ifndef __sun__ to shut the compiler up there
Remove stray perror() in convert_str()
Update GUI page
Fix NetBSD compile warnings with isspace()
Fix UTF-8 handling of config file name
Use O_BINARY for xmlconfig file
Silence iconv() compiler warnings on systems which expect (const char **)
Update translations from GNOME
Fix SOCKS GSSAPI auth to send final token client->server if needed
Fix SOCKS SSPI auth to send final token client->server if needed
Fix SSPI SOCKS auth crash on double-cleanup
Fix endless loop when automatic NTLM auth fails
Fix ntlm_auth handling to accept AF in auth reply
Minor SSPI fixes
Update translations from GNOME
Convert all args using GetCommandLineW() on Windows
Be consistent about spelling of cancel{l,}ed
Update changelog
For HOTP tokens increment vpninfo->token_time in do_gen_hotp_code()
Allow whitespace at end of HOTP and TOTP tokens
Allow HOTP/TOTP secrets to be specified in hex form
Remember what form we got the HOTP secret in
Add openconnect_set_token_callbacks() API
Support writing back to token files from openconnect(8) itself
Actually lock and unlock/write back HOTP tokens when counter updates
Update changelog
Add token lock/unlock callbacks to Java bindings
Add PSKC support
Shift TOTP/HOTP functions in auth.c under a single #ifdef HAVE_LIBOATH
Shift TOTP/HOTP functions in library.c under a single #ifdef HAVE_LIBOATH
Move HOTP/TOTP code to oath.c
Move stoken code to stoken.c
Add software token documentation
Disable soft token on failure
Reread token file in lock_token()
Resync translations with sources
Use BIO_CLOSE when importing PEM private key with OpenSSL
Stop using obsolete vpninfo->cert_type in GnuTLS code
Stop using obsolete vpninfo->cert_type in OpenSSL code
Remove cert_type field from struct openconnect_info
Clean up OpenSSL key loading
Merge branch 'hotp-java-v1' of git://github.com/cernekee/openconnect
Fix DeviceIoControl() calls to make NDIS6 TAP-Windows driver happy
Use inet_pton() to provide inet_aton() functionality
Import translations from GNOME
Stop internal_parse_url() mangling its input
Stop openconnect_set_proxy_auth() mangling its input.
Remove _BSD_SOURCE for Linux builds
Bump library soname and add 'const' to lots of char * arguments
Fix up Java code for string handling changes
Rename 'value' field of struct oc_form_opt to discourage direct access
Update changelog
Fix build with OpenSSL
Add openconnect_free_cert_info()
Fix cancel_fd handling under non-Windows
Fix JNI code to use openconnect_free_cert_info()
Add getCSTPCipher() and getDTLSCipher() methods to Java bindings
Cache cstp_cipher string for GnuTLS only
Add openconnect_set_system_trust() to library API
Import translations from GNOME
Resync translations with sources
Print error message strings on Windows
Trivial translation update for Windows error output
Resync translations with sources
Strip trailing \r\n from Windows error messages
Fix incompatible-pointer-types-discards-qualifiers warning on GhostBSD/clang
Fix some clang format-nonliteral warnings
Include stdlib.h in GSSAPI test to fix detection on GhostBSD
Fix FreeBSD with devfs_cloning off. Harder.
Add utun support for OS X
Allow 'utun0' device name on OSX
Make openconnect_init_ssl() return success/failure code
Add vpn_perror() macro and use it instead of perror()
Make GNUTLS_E_PUSH_ERROR reporting for DTLS slightly more helpful
Handle ERROR_OPERATION_ABORTED on Windows TAP device
Switch to using AM_ICONV
Import AM_ICONV implementation
Fix mingw32 build where libtool was failing to check for egrep
Use ICONV_CONST now that we have it
Detect libintl in $prefix too, like we do libiconv
Fix Solaris build
Avoid writing directly to stderr on OpenSSL UI error
Avoid writing directly to stderr on Solaris tun error
Start to clean up #ifdef mess in tun.c
Clean up Linux and BSD/OSX functionality in tun.c
Fix thread-unsafe setenv() usage
Allow console output from vpnc-script on Windows
Stop calling setenv() from JNI code
Update changelog
Do not call vpn_progress() after forking
Kill OPENCONNECT_X509, let certain functions only operate on peer_cert
Provide openconnect_check_peer_cert_hash() function
Add --no-system-trust command line option
Switch to using SHA1 of server public key
Update changelog
Fix error handling for --servercert mismatch
Do not allow Darwin to autoallocate utun devices
Fix lifetime of cstp_cipher and peer_cert_hash strings
Avoid leaking vpninfo->platname
Fix up some more memory leaks
Make set_peer_cert_hash() static
Fix libintl linkage in pkg-config
Fix GnuTLS openconnect_local_cert_md5() to give text output not binary
Handle gnutls_certificate_get_ours() only returning the cert if it's used
Update Java bindings for peer certificate handling changes
Fix double-free in gnutls_pkcs12_simple_parse()
Build for Java 1.5 to avoid compatibility issues
Add initial support for TOTP/HOTP keys in Yubikey NEO
Free PC/SC contexts in openconnect_vpninfo_free()
SCard API cleanups
Make Yubikey support build on Windows
Improve error message when yubikey applet select fails
Make Yubikey support build on OS X
Document YubiOATH support
Add openconnect_yubikey_challenge()
Factor out select_yubioath_applet() function and make it do authentication
Implement password request for Yubikey
Avoid keeping the real Yubikey PIN around
Add comment about Yubikey password charset brain-damage
Rename --token-mode=yubikey to --token-mode=yubioath
Use SCardListReadersW()/SCardConnectW() in Windows
Fix GnuTLS 2.12 build
Use native GnuTLS PIN callback instead of p11-kit where possible
Remove vpninfo->servercert
Sort linker script
Admit Yubioath support in header comments
Print YubiOATH support status in test Java app
Fix Windows documentation for --script argument
Documentation updates
Add support for GnuTLS system keys
Update changelog
Add openconnect_has_system_key_support()
Resync translations with sources
Tag version 7.00
Joe Hu (1):
Fix incorrect return value of inet_aton() shim
Kevin Cernekee (18):
http: Fix memory leak in do_https_request()
http: Call buf_truncate() before appending XML POST data
http: Don't leak orig_host or orig_path
http: Fix CSD https requests
xml: Make a generic function to read a file into a string
xml: Trim whitespace from xmlconfig entries
xml: Call openconnect_parse_url() on <HostAddress> entries
main: Restore tty state if password prompt is aborted
main: Allow reading --token-secret from a file
auth: Rearrange stoken support code
auth: Refactor stoken form handling
Rename and export open_utf8(), fopen_utf8()
ssl: Allow openconnect_open_utf8() to be used with O_CREAT
ssl: Support more read/write modes in openconnect_fopen_utf8()
Use openconnect_[f]open_utf8() for xmlconfig, pidfile, config_file
java: Add constant for OC_TOKEN_MODE_HOTP
jni: Fix onTokenLock() invocation from native code
www: Add notes on SecurID PIN usage
Nikos Mavrogiannopoulos (16):
Added a default timeout value in CSTP handshake using gnutls
use windows types and return codes for socket errors
use recv() and closesocket() on the cmd_fd on windows
use CreateProcess instead of system to run scripts.
define _GNU_SOURCE to get asprintf's definition in mingw32
mention openconnect-gui
do not take ownership of any of the provided strings
define openconnect_set_option_value() to set the value in oc_form_opt
clear all cookies when doing a reset SSL
remove the disable safe renegotiation flag from DTLS
corrected gnutls version number check
Added API to read the ciphersuites used for CSTP and DTLS
Make the cipher strings consistent based on which library is in use
Added openconnect_set_system_trust()
Add setSystemTrust() to Java bindings
force DTLS reconnect if the session ID we get from TLS changes
Paul Donohue (1):
Fix invalid/double free if PKCS#11 token does not include CA certs
Stuart Henderson (1):
GNUism in www/Makefile
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
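The announcement above notes that software HOTP tokens only became useful once the counter in the token file is written back after each code. The following is an added example, not OpenConnect's own code: a plain RFC 4226 HOTP implementation, a file-backed soft token that re-reads, generates and persists the next counter on every use (the shape of OpenConnect's lock/unlock token callbacks from the shortlog), and a server-side check with the look-ahead window from RFC 4226 section 7.4. The JSON on-disk format, the SoftToken and verify_hotp names, and the demo() driver are assumptions made for this example; OpenConnect itself reads PSKC, and the test secret is the one from the RFC 4226 appendix.

```python
import hashlib
import hmac
import json
import os
import struct
import tempfile


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, last_counter: int, code: str, window: int = 10):
    """Server-side check with the look-ahead window from RFC 4226 s7.4.
    Returns the counter value to store (one past the matching counter), or
    None. Constant-time comparison so a code cannot be probed digit by digit."""
    for c in range(last_counter, last_counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


class SoftToken:
    """A file-backed HOTP token (hypothetical format for this example: JSON
    holding the secret in hex and the *next* counter value to use)."""

    def __init__(self, path: str):
        self.path = path

    @staticmethod
    def create(path: str, secret: bytes, counter: int = 0) -> "SoftToken":
        tok = SoftToken(path)
        tok._write(secret, counter)
        return tok

    def _read(self):
        with open(self.path) as f:
            d = json.load(f)
        return bytes.fromhex(d["secret_hex"]), int(d["counter"])

    def _write(self, secret: bytes, counter: int) -> None:
        # Write a temp file in the same directory and rename over the token
        # file, so the stored counter is never half-written if we die here.
        dirname = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=dirname)
        with os.fdopen(fd, "w") as f:
            json.dump({"secret_hex": secret.hex(), "counter": counter}, f)
        os.replace(tmp, self.path)

    def next_code(self) -> str:
        # Re-read every time (another process may have advanced the counter),
        # generate, and persist counter+1 *before* handing the code out. If
        # the write-back were skipped, the same code would be regenerated on
        # the next login and the server would reject it as a replay.
        secret, counter = self._read()
        code = hotp(secret, counter)
        self._write(secret, counter + 1)
        return code


def demo():
    """Drive the token and a simulated server through a few logins, using
    the RFC 4226 test secret '12345678901234567890' (constructed input)."""
    secret = b"12345678901234567890"
    with tempfile.TemporaryDirectory() as d:
        tok = SoftToken.create(os.path.join(d, "hotp.json"), secret)
        codes = [tok.next_code() for _ in range(3)]
        _, stored = tok._read()
        # The server last saw counter 0: the third code (counter 2) is
        # accepted through the look-ahead window, after which the first
        # code (counter 0) is behind the window and rejected as a replay.
        srv = verify_hotp(secret, 0, codes[2])
        replay = verify_hotp(secret, srv, codes[0])
    return codes, stored, srv, replay


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking on any soft-token implementation are visible in demo(): the client's stored counter moves past every code it has handed out, and the server never accepts a counter at or below the one it already stored, which is exactly what goes wrong if the token file is read but never updated.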