OpenConnect 7.00 release

David Woodhouse dwmw2 at
Thu Nov 27 08:37:51 PST 2014

Lots of fun stuff here, especially on Windows. We now support keys from
the Windows certificate store and the new NDIS6 TAP-Windows driver, and
the client should now run on systems as far back as Windows XP.

In order to simplify string ownership rules and reduce the likelihood of
bugs, and to cope with restrictions that Windows 'DLL Hell' imposes, the
API has been completely changed so that strings do not change ownership
when they are passed into the library. API functions take 'const char *'
and will take a *copy* of the string if appropriate. The soname of the
library is bumped accordingly.
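To make the ownership rule concrete, here is an added example (not libopenconnect code; `struct ctx` stands in for the library's context structure, and every field and function name is an assumption). A setter takes `const char *`, stores a private heap copy, and only ever frees memory the same module allocated, so the caller keeps ownership of whatever buffer it passed in and no allocation crosses a DLL boundary:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical context, standing in for struct openconnect_info. */
struct ctx {
    char *hostname;  /* heap copy owned by this module */
    char *cafile;    /* heap copy owned by this module, may be NULL */
};

/* Plain malloc+memcpy copy so the example needs nothing beyond C99. */
static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;
    char *d = malloc(len);
    if (d)
        memcpy(d, s, len);
    return d;
}

/* Store a copy of `value` in `*slot`. The caller keeps ownership of
 * `value`; the old copy in the slot is freed with this module's own
 * allocator. Returns 0 on success, -1 if out of memory. */
static int ctx_set_string(char **slot, const char *value)
{
    char *dup = NULL;
    if (value) {
        dup = dup_string(value);
        if (!dup)
            return -1;
    }
    free(*slot);
    *slot = dup;
    return 0;
}

int ctx_set_hostname(struct ctx *c, const char *hostname)
{
    return ctx_set_string(&c->hostname, hostname);
}

int ctx_set_cafile(struct ctx *c, const char *cafile)
{
    return ctx_set_string(&c->cafile, cafile);
}

/* Release everything the context owns; safe with NULL fields. */
void ctx_free(struct ctx *c)
{
    free(c->hostname);
    free(c->cafile);
    c->hostname = c->cafile = NULL;
}

/* Exercise the rule: pass a stack buffer, then reuse it. Returns 1 if the
 * stored value is unaffected (the library copied it), NULL is accepted,
 * and a second set replaces the first copy; 0 otherwise. */
int ownership_demo(void)
{
    struct ctx c = { NULL, NULL };
    char buf[32];
    int ok = 1;

    strcpy(buf, "vpn.example.com");        /* constructed sample value */
    if (ctx_set_hostname(&c, buf) != 0)
        return 0;
    memset(buf, 'X', sizeof(buf) - 1);     /* caller reuses its own buffer */
    buf[sizeof(buf) - 1] = '\0';

    ok &= (strcmp(c.hostname, "vpn.example.com") == 0);
    ok &= (ctx_set_cafile(&c, NULL) == 0 && c.cafile == NULL);
    ok &= (ctx_set_hostname(&c, "vpn2.example.com") == 0);
    ok &= (strcmp(c.hostname, "vpn2.example.com") == 0);

    ctx_free(&c);
    ok &= (c.hostname == NULL && c.cafile == NULL);
    return ok;
}

int main(void)
{
    printf("ownership rule holds: %s\n", ownership_demo() ? "yes" : "no");
    return 0;
}
```

Because the library never frees a pointer it did not allocate, a caller linked against a different C runtime (the Windows 'DLL Hell' case) cannot trigger a cross-heap free, and a caller that frees its own buffer after the call cannot cause a use-after-free inside the library.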

This release adds full Unicode handling for both Windows and legacy
non-UTF-8 POSIX platforms. All strings passed into, or out of, the
libopenconnect library should now be UTF-8, and it is the responsibility
of an application running in a legacy environment to do any conversions
that are necessary.
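Once every string at the library boundary is defined to be UTF-8, the boundary is also where malformed input should be rejected. The following is an added example, not the validation code libopenconnect itself uses: a strict UTF-8 well-formedness check in the RFC 3629 sense that rejects overlong encodings, UTF-16 surrogates, code points above U+10FFFF, stray continuation bytes and truncated sequences, and reports the offset of the first bad byte. Function names and the sample strings in `main` are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Return -1 if `s` (NUL-terminated) is well-formed UTF-8, otherwise the
 * byte offset of the first offending byte. Lead-byte ranges and the
 * tailored second-byte ranges follow RFC 3629 / Unicode Table 3-7. */
long utf8_first_bad(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t i = 0;

    while (p[i]) {
        unsigned char b = p[i];
        size_t need;                          /* continuation bytes expected */
        unsigned char lo = 0x80, hi = 0xBF;   /* bounds for the second byte */

        if (b < 0x80) { i++; continue; }                    /* ASCII */
        else if (b >= 0xC2 && b <= 0xDF) need = 1;
        else if (b == 0xE0) { need = 2; lo = 0xA0; }        /* no overlong U+0000..U+07FF */
        else if (b >= 0xE1 && b <= 0xEC) need = 2;
        else if (b == 0xED) { need = 2; hi = 0x9F; }        /* no surrogates U+D800..U+DFFF */
        else if (b >= 0xEE && b <= 0xEF) need = 2;
        else if (b == 0xF0) { need = 3; lo = 0x90; }        /* no overlong U+0000..U+FFFF */
        else if (b >= 0xF1 && b <= 0xF3) need = 3;
        else if (b == 0xF4) { need = 3; hi = 0x8F; }        /* nothing above U+10FFFF */
        else goto fail;   /* 0x80..0xC1: stray continuation or overlong lead; 0xF5..0xFF: never valid */

        /* The second byte has a tailored range; later ones are plain 0x80..0xBF.
         * A NUL inside a sequence fails the range test, so we never read past it. */
        if (p[i + 1] < lo || p[i + 1] > hi) { i++; goto fail; }
        for (size_t k = 2; k <= need; k++) {
            if (p[i + k] < 0x80 || p[i + k] > 0xBF) { i += k; goto fail; }
        }
        i += need + 1;
    }
    return -1;
fail:
    return (long)i;
}

/* Convenience wrapper: 1 if well-formed, 0 otherwise. */
int utf8_valid(const char *s)
{
    return utf8_first_bad(s) < 0;
}

int main(void)
{
    /* Constructed samples; hex escapes are split so a following letter is
     * not swallowed into the escape. */
    const char *samples[] = {
        "vpn.example.com",            /* ASCII */
        "caf\xC3\xA9",                /* U+00E9, well-formed */
        "\xF0\x9F\x98\x80",           /* U+1F600, well-formed 4-byte */
        "\xC0\xAF",                   /* overlong '/' */
        "\xED\xA0\x80",               /* surrogate U+D800 */
        "\xE2\x82",                   /* truncated */
        "\x80" "abc",                 /* stray continuation byte */
        "\xF4\x90\x80\x80",           /* above U+10FFFF */
    };
    for (size_t n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
        long bad = utf8_first_bad(samples[n]);
        if (bad < 0)
            printf("sample %zu: valid\n", n);
        else
            printf("sample %zu: invalid at byte %ld\n", n, bad);
    }
    return 0;
}
```

Rejecting overlongs and surrogates matters for more than correctness: an overlong encoding of '/' or '.' is a classic way to slip path separators past a check that runs before decoding, and a surrogate or out-of-range code point can make a later UTF-16 conversion (the Windows path here) produce a string that does not round-trip. Validating once at the boundary, and reporting where the input went wrong, keeps every layer behind it working on the same well-formed text.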

The utun driver on OS X is now supported, so it's no longer necessary to
install a third-party unsigned kernel module.

OATH HOTP/TOTP keys stored in a Yubikey NEO using the ykneo-oath applet
are also now supported. Tested on OS X, Windows and Linux. Software HOTP
token support is now capable of using a token from a PSKC file and
updating the token counter therein, thus making it actually *useful*.

Thread-safety issues caused by using setenv()/putenv() within the
library have now been fixed.

A --no-system-trust option has been added, to prevent OpenConnect from
trusting any certificate authorities apart from those explicitly passed
to it with the --cafile option. Corresponding library APIs also exist.

Thanks to Nikos Mavrogiannopoulos and Kevin Cernekee in particular for
their significant contributions to this release. Their Android and
Windows clients are a major factor in continued improvements.

Chad Catlett (1):
      Check to avoid calling iconv_close(-1) in openconnect_vpninfo_free

David Woodhouse (204):
      Fix crash on invocation with --token-mode but no --token-secret
      Slightly optimise Proxy-Authenticate: header parsing
      Improve reporting when GSSAPI auth requested but not compiled in
      Fix off-by-one in xmlnode_msg() handling of error messages
      Solaris 10 *still* doesn't have 'grep -q'
      Revamp GSSAPI detection
      Avoid retrying without XML POST when we didn't even manage to connect
      Fix openconnect_base64_decode() to return the buffer
      Cosmetic fix in cleanup_ntlm_auth()
      Honour Proxy-Connection: close during authentication
      Import translations from GNOME
      Fix potential memory leak on GSSAPI failure
      Improve GSSAPI error reporting
      Don't force a reconnect if GSSAPI fails without trying
      Use RegQueryValueEx() instead of RegGetValue() to support 32-bit Windows XP
      Import translations from GNOME
      Resync translations with sources
      Sort openconnect.pot by file to avoid spurious changes
      Fix signedness in url-encoding for legacy auth postings
      Clean up return paths in openconnect_obtain_cookie()
      Use oc_text_buf for auth postings
      Return body from process_http_response() in oc_text_buf
      Dynamically find GetVolumeInformationByHandleW(); old Windows lacks it
      Add inet_pton() compatibility for Windows
      Make buf_append_urlencoded() more conservative about non-ASCII chars.
      Move buf_append_utf16le() to http.c and make it non-static
      Use "Unicode" versions of SSPI functions
      Add buf_append_from_utf16le() which appends UTF-8 to the buffer
      Handle non-ASCII tun device names under Windows
      Print name of Windows tun device not devname
      Use read_stdin() instead of fgets() in certificate validation
      Export asprintf() and vasprintf() compatibility functions
      Refactor read_stdin() a little to prepare for charset conversion
      Attempt to convert output to locale charset from UTF-8
      Convert to UTF-8 when reading from stdin
      Separate read_stdin() implementations for Windows vs. POSIX
      Handle UTF-8 input on Windows
      Handle UTF-8 output on Windows too
      Fixes for buf_append_utf16le()
      Use _wputenv() for Windows environment
      Fix tun device matching with --interface on Windows
      Move Windows UTF-8 stdio functions up to live with POSIX ones
      Introduce dup_config_arg() macro
      Add conversion to UTF-8 of command-line arguments
      Add missing 'Proxy CONNECT request failed: %d' translation back
      Use setlocale() unconditionally, complain if non-UTF8 locale and no iconv
      Take a copy of the string that nl_langinfo() returns
      Fix some arguments missing dup_config_arg()
      Add openconnect_utf8_to_legacy() helper function for charset conversion
      Add open_utf8() and fopen_utf8() functions for opening files
      Use open_utf8() in GnuTLS load_datum()
      Convert vpninfo->ifname to legacy charset for $TUNDEV and configuration
      Convert $CISCO_BANNER environment variable to legacy charset
      Convert vpnc_script to legacy charset (or UTF-16 for Windows)
      Factor out OpenSSL install_extra_certs() from load_pkcs12_certificate()
      Extend reload_pem_cert() to become load_cert_chain_file()
      Avoid SSL_CTX_use_RSAPrivateKey_file() because it doesn't handle UTF-8.
      Convert cafile to legacy charset for OpenSSL
      Convert last remaining OpenSSL code to open_utf8()
      Add web page about charset handling
      Update changelog
      Handle UTF-8 sslkey in BSD openconnect_passphrase_from_fsid
      Handle UTF-8 sslkey in Linux openconnect_passphrase_from_fsid
      Handle UTF-8 sslkey in Windows openconnect_passphrase_from_fsid
      Fix asprintf() handling in openconnect_passphrase_from_fsid()
      Remove static out_pkt
      Fix buf_append_utf16le() error handling harder
      Make buf_append_utf16le() suitable for validation-only
      Check inputs for invalid UTF-8
      Fix csd_wrapper handling for non-UTF8 locales
      Wrap ifreq_set_ifname() in #ifndef __sun__ to shut the compiler up there
      Remove stray perror() in convert_str()
      Update GUI page
      Fix NetBSD compile warnings with isspace()
      Fix UTF-8 handling of config file name
      Use O_BINARY for xmlconfig file
      Silence iconv() compiler warnings on systems which expect (const char **)
      Update translations from GNOME
      Fix SOCKS GSSAPI auth to send final token client->server if needed
      Fix SOCKS SSPI auth to send final token client->server if needed
      Fix SSPI SOCKS auth crash on double-cleanup
      Fix endless loop when automatic NTLM auth fails
      Fix ntlm_auth handling to accept AF in auth reply
      Minor SSPI fixes
      Update translations from GNOME
      Convert all args using GetCommandLineW() on Windows
      Be consistent about spelling of cancel{l,}ed
      Update changelog
      For HOTP tokens increment vpninfo->token_time in do_gen_hotp_code()
      Allow whitespace at end of HOTP and TOTP tokens
      Allow HOTP/TOTP secrets to be specified in hex form
      Remember what form we got the HOTP secret in
      Add openconnect_set_token_callbacks() API
      Support writing back to token files from openconnect(8) itself
      Actually lock and unlock/write back HOTP tokens when counter updates
      Update changelog
      Add token lock/unlock callbacks to Java bindings
      Add PSKC support
      Shift TOTP/HOTP functions in auth.c under a single #ifdef HAVE_LIBOATH
      Shift TOTP/HOTP functions in library.c under a single #ifdef HAVE_LIBOATH
      Move HOTP/TOTP code to oath.c
      Move stoken code to stoken.c
      Add software token documentation
      Disable soft token on failure
      Reread token file in lock_token()
      Resync translations with sources
      Use BIO_CLOSE when importing PEM private key with OpenSSL
      Stop using obsolete vpninfo->cert_type in GnuTLS code
      Stop using obsolete vpninfo->cert_type in OpenSSL code
      Remove cert_type field from struct openconnect_info
      Clean up OpenSSL key loading
      Merge branch 'hotp-java-v1' of git://
      Fix DeviceIoControl() calls to make NDIS6 TAP-Windows driver happy
      Use inet_pton() to provide inet_aton() functionality
      Import translations from GNOME
      Stop internal_parse_url() mangling its input
      Stop openconnect_set_proxy_auth() mangling its input.
      Remove _BSD_SOURCE for Linux builds
      Bump library soname and add 'const' to lots of char * arguments
      Fix up Java code for string handling changes
      Rename 'value' field of struct oc_form_opt to discourage direct access
      Update changelog
      Fix build with OpenSSL
      Add openconnect_free_cert_info()
      Fix cancel_fd handling under non-Windows
      Fix JNI code to use openconnect_free_cert_info()
      Add getCSTPCipher() and getDTLSCipher() methods to Java bindings
      Cache cstp_cipher string for GnuTLS only
      Add openconnect_set_system_trust() to library API
      Import translations from GNOME
      Resync translations with sources
      Print error message strings on Windows
      Trivial translation update for Windows error output
      Resync translations with sources
      Strip trailing \r\n from Windows error messages
      Fix incompatible-pointer-types-discards-qualifiers warning on GhostBSD/clang
      Fix some clang format-nonliteral warnings
      Include stdlib.h in GSSAPI test to fix detection on GhostBSD
      Fix FreeBSD with devfs_cloning off. Harder.
      Add utun support for OS X
      Allow 'utun0' device name on OSX
      Make openconnect_init_ssl() return success/failure code
      Add vpn_perror() macro and use it instead of perror()
      Make GNUTLS_E_PUSH_ERROR reporting for DTLS slightly more helpful
      Handle ERROR_OPERATION_ABORTED on Windows TAP device
      Switch to using AM_ICONV
      Import AM_ICONV implementation
      Fix mingw32 build where libtool was failing to check for egrep
      Use ICONV_CONST now that we have it
      Detect libintl in $prefix too, like we do libiconv
      Fix Solaris build
      Avoid writing directly to stderr on OpenSSL UI error
      Avoid writing directly to stderr on Solaris tun error
      Start to clean up #ifdef mess in tun.c
      Clean up Linux and BSD/OSX functionality in tun.c
      Fix thread-unsafe setenv() usage
      Allow console output from vpnc-script on Windows
      Stop calling setenv() from JNI code
      Update changelog
      Do not call vpn_progress() after forking
      Kill OPENCONNECT_X509, let certain functions only operate on peer_cert
      Provide openconnect_check_peer_cert_hash() function
      Add --no-system-trust command line option
      Switch to using SHA1 of server public key
      Update changelog
      Fix error handling for --servercert mismatch
      Do not allow Darwin to autoallocate utun devices
      Fix lifetime of cstp_cipher and peer_cert_hash strings
      Avoid leaking vpninfo->platname
      Fix up some more memory leaks
      Make set_peer_cert_hash() static
      Fix libintl linkage in pkg-config
      Fix GnuTLS openconnect_local_cert_md5() to give text output not binary
      Handle gnutls_certificate_get_ours() only returning the cert if it's used
      Update Java bindings for peer certificate handling changes
      Fix double-free in gnutls_pkcs12_simple_parse()
      Build for Java 1.5 to avoid compatibility issues
      Add initial support for TOTP/HOTP keys in Yubikey NEO
      Free PC/SC contexts in openconnect_vpninfo_free()
      SCard API cleanups
      Make Yubikey support build on Windows
      Improve error message when yubikey applet select fails
      Make Yubikey support build on OS X
      Document YubiOATH support
      Add openconnect_yubikey_challenge()
      Factor out select_yubioath_applet() function and make it do authentication
      Implement password request for Yubikey
      Avoid keeping the real Yubikey PIN around
      Add comment about Yubikey password charset brain-damage
      Rename --token-mode=yubikey to --token-mode=yubioath
      Use SCardListReadersW()/SCardConnectW() in Windows
      Fix GnuTLS 2.12 build
      Use native GnuTLS PIN callback instead of p11-kit where possible
      Remove vpninfo->servercert
      Sort linker script
      Admit Yubioath support in header comments
      Print YubiOATH support status in test Java app
      Fix Windows documentation for --script argument
      Documentation updates
      Add support for GnuTLS system keys
      Update changelog
      Add openconnect_has_system_key_support()
      Resync translations with sources
      Tag version 7.00

Joe Hu (1):
      Fix incorrect return value of inet_aton() shim

Kevin Cernekee (18):
      http: Fix memory leak in do_https_request()
      http: Call buf_truncate() before appending XML POST data
      http: Don't leak orig_host or orig_path
      http: Fix CSD https requests
      xml: Make a generic function to read a file into a string
      xml: Trim whitespace from xmlconfig entries
      xml: Call openconnect_parse_url() on <HostAddress> entries
      main: Restore tty state if password prompt is aborted
      main: Allow reading --token-secret from a file
      auth: Rearrange stoken support code
      auth: Refactor stoken form handling
      Rename and export open_utf8(), fopen_utf8()
      ssl: Allow openconnect_open_utf8() to be used with O_CREAT
      ssl: Support more read/write modes in openconnect_fopen_utf8()
      Use openconnect_[f]open_utf8() for xmlconfig, pidfile, config_file
      java: Add constant for OC_TOKEN_MODE_HOTP
      jni: Fix onTokenLock() invocation from native code
      www: Add notes on SecurID PIN usage

Nikos Mavrogiannopoulos (16):
      Added a default timeout value in CSTP handshake using gnutls
      use windows types and return codes for socket errors
      use recv() and closesocket() on the cmd_fd on windows
      use CreateProcess instead of system to run scripts.
      define _GNU_SOURCE to get asprintf's definition in mingw32
      mention openconnect-gui
      do not take ownership of any of the provided strings
      define openconnect_set_option_value() to set the value in oc_form_opt
      clear all cookies when doing a reset SSL
      remove the disable safe renegotiation flag from DTLS
      corrected gnutls version number check
      Added API to read the ciphersuites used for CSTP and DTLS
      Make the cipher strings consistent based on which library is in use
      Added openconnect_set_system_trust()
      Add setSystemTrust() to Java bindings
      force DTLS reconnect if the session ID we get from TLS changes

Paul Donohue (1):
      Fix invalid/double free if PKCS#11 token does not include CA certs

Stuart Henderson (1):
      GNUism in www/Makefile

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation
