OpenConnect 7.05 release

David Woodhouse dwmw2 at
Tue Mar 10 14:37:17 PDT 2015

The biggest thing here is the Juniper support, which is still
experimental. This is actually the obsolescent Network Connect protocol;
we'll probably end up also implementing Junos Pulse support which
actually provides IPv6 rather than only Legacy IP. But not this week!

This release adds HTTP authentication to VPN servers, as supported by
ocserv 0.10.0.

For users with CPUs that can't do arbitrary unaligned access, there's a
fix for the LZS compression code.

Also added support for SHA256 and SHA512 HOTP/TOTP keys, a workaround
for issues with non-ASCII passwords set by older versions of the YubiOATH
Android app, and various fixes for the OpenSSL build.
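The SHA256/SHA512 OATH support (and the "Fix leading zeroes on OATH tokencodes" commit in the log below) comes down to RFC 4226 HOTP with the HMAC hash generalised as in RFC 6238 and the truncated value zero-padded to the code width. This is an added illustration in Python, not OpenConnect's own code; the secrets in the test are the RFC 6238 test-vector keys, and the time values are constructed to hit one code with a leading zero.

```python
import hashlib
import hmac
import struct

# Hash constructors for the algorithm names RFC 6238 allows (OpenConnect
# historically did SHA1 only; SHA256/SHA512 arrive in this release).
HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP over an 8-byte big-endian counter, hash chosen by `algo`."""
    digest = hmac.new(secret, struct.pack(">Q", counter), HASHES[algo]).digest()
    # Dynamic truncation: low nibble of the last byte selects a 4-byte window,
    # whose top bit is masked off so the value is a non-negative 31-bit integer.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # Zero-pad: a truncated value below 10**(digits-1) must keep its leading
    # zeroes, otherwise the server rejects an otherwise correct tokencode.
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since epoch."""
    return hotp(secret, int(now) // step, digits, algo)
```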

David Woodhouse (204):
      Start separating protocol-specific methods from generic VPN support
      Move DTLS methods into struct vpn_proto
      Move CSTP methods into struct vpn_proto
      Move CSTP authentication and obtain_cookie to auth.c
      List Cisco protocol-specific files separately in the Makefile
      Rename and move cstp_free_splits
      Move nuke_opt_values() and process_auth_form() to library.c
      Make many functions in auth.c static
      Move unhex to script.c
      Add 'replace' argument to http_add_cookie()
      Move cstp_read() and cstp_write() to openssl.c/gnutls.c and rename them
      Move some helpers out into auth-common.c
      Make connect_dtls_socket() and try_dtls_handshake() static
      Factor out udp_sockaddr() helper function
      Factor out udp_connect() helper function
      Make 'route' member of struct oc_split_include a const char *
      Add shell of Juniper support
      Add oncp_common_headers()
      First negotiation packets for oNCP
      Get slightly further in oNCP negotiation
      Final oNCP negotiation packet
      Primitive implementation of oncp_mainloop()
      WIP oNCP authentication
      Slightly more complete implementation of Juniper authentication
      Handle Juniper HTTP server brokenness with initial connect requests
      Endianness fixes
      Add some debugging for SSL reads
      Handle return value from ssl_write()
      Fix netmask option handling
      Dump outgoing data packet
      Fix length on outbound data packet
      Get KMP message type from right place
      Actually post auth entries
      Free XML doc in oNCP auth loop
      For oNCP, a redirect turns POST into GET
      Fix button name comparison
      Always check for auth success, not only when !form
      Don't free doc twice in quick succession
      Add missing newline
      Interpret some ESP TLVs
      Add ESP replay protection TLV
      Add ESP compression TLV
      Fix key lifetime TLV
      More config TLVs
      Add TNCC support
      Do not throw away form entries as soon as we get them
      Attempt ESP negotiation
      Fix ESP TLVs
      Add ESP decryption (unused)
      Implement ESP encryption
      Implement sequence number checking
      Add stub functions for ESP support
      Hook up ESP mainloop
      Set up poll() on oNCP fd
      Add ESP support for OpenSSL
      Treat SPI as a uint32_t instead of char[]
      Dump ESP parameters
      Handle incoming KMP messages with multiple packets
      Tell server when ESP is running
      Handle ESP rekeying
      Fix up ESP renegotiation reply
      Print when receiving ESP packets
      Accept packets on old ESP setup during changeover
      Handle multiple KMP messages in one SSL packet
      Handle split includes
      Check incoming data packets don't exceed MTU
      Improve debugging in oncp_receive_data() a little
      Attempt to handle large data messages exceeding a single SSL record size
      Add support for using esp-openssl.c with GnuTLS 2.12
      Fix build for GnuTLS 2.12 without OpenSSL
      Render U+002D HYPHEN-MINUS in manual page where needed
      Add endian-specific word load/store functions
      Use endian-specific access functions in ntlm.c
      Use endian-specific access functions in cstp.c
      Use endian-specific access functions in gssapi.c
      Use endian-specific access functions in http.c
      Use endian-specific access functions in oncp.c
      Use endian-specific access functions in ssl.c
      Use endian-specific access functions in sspi.c
      Use endian-specific access functions in yubikey.c
      Use load_le16() and store_le16() for UTF-16 surrogate pairs
      Fix Win32 build warnings in esp.c
      Fix isspace() warning on *BSD. Again
      Don't use anonymous struct for oncp in struct pkt hdr
      Do not have separately named struct esp_hdr
      Use named struct for CSTP in struct pkt too
      Adjust static packets to build with GCC < 4.6
      Disable ESP when OpenSSL lacks HMAC_CTX_copy()
      Credit Tiebing
      Update copyright year
      Implement esp_close() and esp_shutdown()
      Add LZO decompression support
      Fix check for HMAC_CTX_copy()
      Improve packet queue handling
      Work around gnutls_record_get_direction() bug
      Fix crash in create_script_env() if environment variables already exist
      Attempt to handle frmDefender and frmNextToken
      Move protocol-specific decisions about when to use tokencodes into protocol code
      Allow automatic OATH for Juniper
      Update Solaris bug ID for time() going backwards
      Update changelog to admit to Juniper support
      Treat form with OC_FORM_OPT_TOKEN as non-empty
      Use generic can_gen_tokencode() for oNCP
      Calculate TOTP/HOTP codes for ourselves
      Avoid using liboath in buf_append_base32()
      Avoid using liboath for decoding base32
      Remove liboath dependency
      Support SHA256/SHA512 for OATH
      Fix OATH token generation for non-SHA1 with GnuTLS
      Fix token-secret parsing when HMAC algorithm is specified
      Fix leading zeroes on OATH tokencodes
      Fix handling of SHA512
      Add openconnect_set_loglevel()
      Website updates
      Add TNCC documentation
      Make --authgroup work for Juniper
      Implement ESP keepalive and periodic reconnect attempt
      Add link to IRC channel
      Remove obsolete check against esp_enable_pkt
      Implement oNCP reconnect
      Update docs for Juniper now the reconnect is done
      Split out get_utf8char() from buf_append_utf16le()
      Fix OpenSSL build
      Add pwlen argument to openconnect_hash_yubikey_password()
      Fix memory leak if openconnect_hash_yubikey_password() fails
      Work around Yubikey/Android PBKDF2 bug
      Update changelog
      Handle Juniper session expiry
      Attempt to automatically select a session to kill when there's a choice
      Print debug message when sending ESP probes
      Set work_done when telling server to enable ESP
      Check padding bytes in ESP
      Dump invalid packet in connection
      Shift Juniper auth code out into its own file
      Merge branch 'master' of ssh://
      Allow larger 301 configuration packet
      Expand nonroot.html page and improve TUNSETIFF -EPERM error handling
      Change to a less Comic Sans-esque font
      Handle split exclude routes for Juniper
      Update translations from GNOME
      Remove stray debugging message from configure script
      Include more needed OpenSSL headers
      Regenerate SSL_SESSION each time for DTLS
      Shuffle DTLS SSL_SESSION regeneration to live together
      Split generate_dtls_session() for OpenSSL
      Fix openssl.c build with OpenSSL HEAD
      Fix dtls.c build with OpenSSL HEAD
      Add broken OpenSSL check for 1.0.2
      Fix OpenSSL ESP HMAC calculation
      Allow CSTP and DTLS compression to be different
      Fix ASN.1 INTEGER encoding to avoid sign-extension issues
      Refer to OpenSSL RT#3703 and RT#3711 for OpenSSL 1.0.2 breakage
      Add DTLS1.2 and AES-GCM support for OpenSSL 1.0.2+
      Fix typo
      Add lzo.h to dist
      Rename struct proxy_auth_state to struct http_auth_state
      Stop cleanup_ntlm_auth() using auth_state
      Start making HTTP authentication less proxy-specific
      Fix non-GSSAPI build
      Fix Windows NTLM build
      Fix Windows SSPI build
      Add unused http_auth states, add proxy argument to authorization methods
      Let cleanup functions distinguish between proxy and http auth
      Fix up Digest auth for non-proxy authentication
      Fix up Basic auth for non-proxy authentication
      Fix up NTLM auth for non-proxy authentication
      Fix up GSSAPI auth for non-proxy authentication
      Fix up SSPI auth for non-proxy authentication
      Don't close stdin on startup
      Cleaner fix for NTLM closing stdin on cleanup
      Fix some more proxy assumptions in HTTP auth
      Move HTTP authentication out into http-auth.c
      Finally add (non-proxy) HTTP authentication support
      Fix errors in moving auth code to http-auth.c
      Update changelog
      Add X-Support-HTTP-Auth: header for ocserv
      Support fallback from X-Support-HTTP-Auth
      Clean up handling of default disable for Basic auth
      Fix memory leak with --proxy-auth argument
      Add openconnect_set_http_auth() and --http-auth command line option
      Add openconnect_set_protocol() API
      Update Juniper docs
      Fix unaligned data reference in LZS
      Don't forget parens around macro arguments
      Update changelog
      Fix memory handling issues in Juniper parse_select_node()
      Fix memory leak in failure case
      Fix leak of request_body buf
      Fix reqbuf leak in error case
      Fix memory leak on error path
      Fix potential memory leaks in Digest auth
      Don't call send() with negative lengths if encrypt_esp_packet() fails
      Avoid apparent possibility of double-free of pending_deflated_pkt
      Check gnutls_hmac() return value
      Forbid pointless http_add_cookie() with value==NULL and !replace
      Stop using 1ULL as the base value to be shifted in LZS GET_BITS()
      Add explicit comment for switch() fall through case
      Fix memory leak in ntlm_nt_hash() error paths
      Fix regression in manual NTLM auth
      Add explicit check for user/pass before ntlm_manual_challenge()
      Remove unreached goto
      Fix leak of xmlfile on error path
      Resync translations with sources
      Tag version 7.05

Kevin Cernekee (5):
      android: Re-enable libxml HTML support
      android: Add liblz4 to build
      cstp: AC_PKT_DISCONN payload length can be 0
      cstp: Add X-AnyConnnect-* mobile headers on CONNECT request
      auth-juniper: Check asprintf() return values

Mike Miller (1):
      Fix undefined reference error when building with GnuTLS

Nikos Mavrogiannopoulos (3):
      limit the number of newgroup attempts
      Move internal auth state in http_auth_state.
      Added an upper limit on the number of redirects

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation
