OpenConnect 8.20 release
David Woodhouse
dwmw2 at infradead.org
Sun Feb 20 12:02:12 PST 2022
Well, that took a while. The 8.10 release was in May 2020, and we've
done quite a lot since then. With millions of people working from home
and relying on VPNs for remote work, we have received a great deal of
feedback, bug reports, feature requests, and new contributions in the
last 21 months.
Notable additions are:
• Three new supported VPN protocols (Fortinet, F5 BigIP, and Array
Networks)
• Performance improvements on Linux, thanks to vhost-net and epoll
• Important bugfixes for Juniper and Pulse
• Compatibility with newer servers for Pulse, AnyConnect, and
GlobalProtect protocols
• IPv6 support for GlobalProtect
• Numerous bugfixes and regular builds of the OpenConnect command-line
application for Windows, including support for the Wintun driver
• Extensive improvements to the standard routing and DNS configuration
scripts, particularly for IPv6 support and for *BSD and MacOS
(https://gitlab.com/openconnect/vpnc-scripts)
• Clearer error and logging messages, and improved documentation
(https://www.infradead.org/openconnect)
The newly-supported Fortinet and F5 protocols are based on PPP. Yes,
the same Point-to-Point Protocol that you last thought about when you
used it for your dial-up Internet connection last millennium. It turns
out to underpin a number of proprietary VPN protocols. OpenConnect now
includes its own implementation of PPP, completely in userspace and
independent of pppd, which should enable us to easily support other
PPP-based protocols in the future.
In implementing support for Fortinet, we were particularly grateful for
the work of the Openfortivpn project (
https://github.com/adrienverge/openfortivpn), whose developers had
already figured out many aspects of the Fortinet protocol and had
implemented them as a wrapper around pppd.
Behind the scenes, we've greatly improved our test infrastructure and
test coverage as well. We're now relying more heavily on GitLab for
continuous integration and testing, and for issue reporting and code
contributions via merge requests.
You can see the complete changelog at
https://www.infradead.org/openconnect/changelog.html
Multi-certificate support for AnyConnect is almost ready; the important
parts are merged but we just need to put the final pieces in place with
test cases. The other important thing coming up is SAML support for
various protocols. There will likely be a new release soon (a lot less
than another 21 months; maybe more like 21 days) with those features
merged, but it was about time we pushed *something* out for those users
who needed to use the fixes and compatibility improvements we already
had in the development tree.
Thanks to Daniel Lenski for writing most of this commit message, as
part of coaxing me to actually make the release at least :)
https://www.infradead.org/openconnect/download/openconnect-8.20.tar.gz
https://www.infradead.org/openconnect/download/openconnect-8.20.tar.gz.asc
Andreas Gnau (1):
http: Allow passing header_cb to do_https_request
André Draszik (1):
csd-wrapper: make it work again if binaries are compressed
Antonino Orlando (1):
Add setCookie JNI method to LibOpenConnect.java
Ash Holland (1):
Juniper: support password and 2FA fields in the same form
Daiki Ueno (3):
Don't hard-code TSS 2.0 return codes for auth failure
gnutls_tpm2_esys: Use Esys_Free instead of free
gnutls_tpm2_esys: Mark globally defined templates as const
Daniel Lenski (382):
explain why --form-entry shouldn't be used for passwords
Merge branch 'explain_why_form_entry_should_not_be_used_for_passwords' into 'master'
fix tncc_emulate.py with Python 3.7
bugfix string/binary handling
Merge branch 'fix_tncc_emulate.py_with_Python_3.7' into 'master'
handle errors on initial TLS connection identically to subsequent reconnection
don't switch to syslog logger until we're ready to background/daemonize
Merge branch 'consistent_handling_of_initial_connection_errors' into 'master'
Protocols should try to explicitly request the same IP addresses on reconnect, since they will abort if new addresses are sent by the server.
gpst.c should also return -EPERM when server changes IP address, not -EINVAL
factor out check_address_sanity() from gpst.c and cstp.c, and use it in oncp.c and pulse.c as well
add comment on openconnect__inet_aton(), which is not 100% compatible with "real" inet_aton()
openconnect_make_cstp_connection should always set ssl_times.last_tx on successful connection
Merge branch 'check_address_sanity' into 'master'
enable csd-wrapper.sh/csd-post.sh to run insecurely (no cert validation) for compatibility with ancient cURL
the -s/--silent option to cURL isn't related to cert validation; remove it from the PINNEDPUBKEY variable
Merge branch 'enable_insecure_CSD_submission_for_ancient_cURL_versions' into 'master'
fix CI
Gitlab has CI images for Ubuntu 18.04, so let's include those too.
re-add socket_wrapper and softhsm support to CentOS8 CI
Merge branch 'fix_CI' into 'master'
Merge branch 'hipreport' into 'master'
fix duplicate bitfield constant
Merge branch 'fix_duplicate_bitfield_constant' into 'master'
Merge branch 'coverity' into 'master'
Merge branch 'master' into 'master'
bump emulated GlobalProtect version number
changelog
Merge branch 'bump_emulated_GlobalProtect_version_number' into 'master'
Juniper unknown forms with action remediate.cgi seem to indicate TNCC/Host Checker failure: log error about this
Merge branch 'Juniper_form_action_remediate.cgi_indicates_TNCC_failure' into 'master'
style nitpicks, expand clarifying comment, changelog
Merge branch 'token_input_in_second_password_in_Juniper_frmLogin' into 'master'
add --allow-insecure-crypto, and corresponding API functions, to explicitly enable 3DES/RC4/SHA1
modify tests/common.sh so that launch_simple_sr_server() → test → cleanup() can be used repeatedly in a single script
add obsolete-server-crypto and pfs tests
Merge branch 'explicitly_allow_3DES-CBC_for_GnuTLS' into 'master'
GP: Fix the issue of a 0.0.0.0/0 "split"-include route by swapping the "split" route with the default netmask.
add secure_cookie protocol field to suppress other protocols' cookies from --dump-http-traffic as well
remove --no-cert-check from options list
Add `./configure --enable-insecure-debugging` option.
The resurrection of --no-cert-check was not met with universal acclaim
bugfix: ensure vpnc-script receives TUNDEV even without -i option
Merge branch 'add_secure_cookie_protocol_field' into 'master'
Merge branch 'bugfix_TUNDEV' into 'master'
finesse the URL-decoding of the GP login args
Merge branch 'coverity' into 'master'
Windows tuntap driver: accept modified ComponentId ('root\tap0901' instead of just 'tap0901')
add delay_tunnel_reason and delay_close
use delay_tunnel_reason for OC DTLS MTU detection and GPST ESP connection delays
we should still try to cleanly close the session if tun device creation fails
factor out print_connection_info()
use setup_tun callback to defer printing connection status AND backgrounding until tun_is_up
-b/--background: check for error when fork()ing
reduce level of delay_tunnel/delay_close logging
changelog
less confusing output when authentication fails
Merge branch 'less_confusing_output_when_authentication_fails' into 'master'
GP: ask user to report unexpected value of <connected-gw-ip>
Merge branch 'delay_tunnel_and_close' into 'master'
Merge branch 'enable_insecure_debugging' into 'master'
Merge branch 'GP_unexpected_value_of_connected-gw-ip' into 'master'
Merge branch 'GP_demangle_default_route_as_split_route' into 'master'
clarify some error messages which apply equally to TLS and DTLS sockets
Merge branch 'GP_finesse_URL_decoding' into 'master'
Merge branch 'clarify_some_error_messages_which_apply_equally_to_TLS_and_DTLS_sockets' into 'master'
fix undefined pointer error from !143
Merge branch 'bugfix_MR_143' into 'master'
more logging around Trojan script invocation (CSD/HIP/TNCC)
Merge branch 'more_logging_around_Trojan_script_invocation' into 'master'
little bit more GP IPv6 support
CSD XML tag and nostub are entirely protocol-specific and used in only one place
GP: explicitly warn when server has a missing ESP configuration
changelog
Merge branch 'GP_IPv6_baby_steps' into 'master'
include quit_reason in exit message
tncc-emulate.py: add TNCC_USER_AGENT override variable
Add `openconnect_get_auth_expiration` function to library and JNI
implement `auth_expiration` for Pulse protocol
Merge branch 'openconnect_get_auth_expiration' into 'master'
add SIGUSR1 as trigger to print detailed connection information and stats
defer the switch to syslog until AFTER the tunnel is fully up,
changelog
Merge branch 'tncc_override_user_agent' into 'master'
Merge branch 'stats_and_connection_info' into 'master'
Merge branch 'assign_privkey-bug' into 'master'
Merge branch 'clobbered-loop-counter-bug' into 'master'
only set OpenSSL security level to 0 when --allow-insecure-crypto is specified
add openconnect__win32_setenv function to compat.c
with --allow-insecure-crypto, additionally attempt to disable insecure systemwide minimum crypto settings
in tests/obsolete-server-crypto, do not override GNUTLS_SYSTEM_PRIORITY_FILE when invoking OpenConnect
update changelog with expanded scope
Merge branch 'openssl-sec-level' into 'master'
Pulse: one more known failcode (0x0e = client cert required)
Juniper forms with 'id' but not 'name'
Merge branch 'one_more_pulse_failcode' into 'master'
allow specification of multiple certificate fingerprints on command-line via --servercert
changelog
Merge branch 'allow_multiple_servercert_arguments' into 'master'
add pointer to vpnc-script repo to README
Merge branch 'remove_protocol_specific_values_from_global_state_object' into 'master'
changelog: more updates since v8.10
Try to generate static website using GitLab pages
static website tweaks
add openconnect_disable_dtls() API function
ensure that openconnect_disable_{dtls,ipv6} do nothing if vpninfo has ever been connected
return EPERM, not EINVAL, when GP gateways reject the cookie upon get-config or GET-tunnel
fix potential read overflow in compat.c replacement for strndup()
add .gitattributes file to mark binaries
Merge branch 'potential_read_overflow_in_openconnect__strndup' into 'master'
Merge branch 'add_DTLS_disable_to_API' into 'master'
bugfix: condition for incomplete ESP config with GP was inverted
Merge branch 'fix/field-instead-of-global' into 'master'
Merge branch 'fix/tncc-exception' into 'master'
cstp: don't send X-AnyConnect-Platform header
add changelog entry
add changelog entry
Merge branch 'jkuebart:fix/forms-without-action'
MingW32 builds: generate NSIS installers for Windows
NSIS installer: add compression, installer file properties, and docs
include vpnc-script-win.js in installer
add note about existence of installers in packaging docs
remove unneeded inc/* and openconnect.8.inc from public/HTML docs
create make-windows-installer.sh
remove unneeded inc/* and openconnect.8.inc from public/HTML docs
Merge branch 'master' into build_NSIS_based_installers_for_32bit_Windows
fix pfs and obsolete-server-crypto tests on Ubuntu
set OCCTL_SOCKET in tests/common.sh, if unset
remove now-unneeded make-windows-installer.sh, re-embed vpnc-script-win.js, embed OpenVPN TAP-Windows installer
Merge branch 'master' into build_NSIS_based_installers_for_32bit_Windows
CI: update artifact paths for MinGW* builds
add link to online documentation, put TAP-Windows in named section, and… changelog
make buf_append_{be16,be32,le16} global
oncp_control_queue → tcp_control_queue
auth-juniper.c simplifications (including ignoring submit_button if NULL)
add 'nullppp' protocol for testing
add OC_PROTO_HIDDEN and use this to hide nullppp from protocols displayed or shown by openconnect_get_supported_protocols
add ppp-over-tls tests (with pppd as the reference peer implementation)
Fix three sanitizer complaints
more accurate PPP-over-TLS MTU calculation
improve ppp-over-tls tests
give nullppp the option of cancelling/terminating itself after negotiation
CI: re-enable PPP tests for CentOS7, Fedora, and Ubuntu
fix nakbuf leak
clarify un-HDLC logging a bit
unset delay_tunnel_reason as soon as PPP reaches network state
automatically disable pppd tests if socat or pppd are missing
factor out internal_get_url function
ppp: add comment about likely meaninglessness of server's LL IPv6 address
split htmlnode_next and htmlnode_dive
ppp-over-tls tests: try to keep CentOS 6 CI working, and improve flaky startup of pppd
factor out internal_split_cookies from auth-juniper.c
ppp-over-tls test: figured out how to make socat invoke pppd
allegedly universal MTU calculator: use for GPST and PPP
ppp-over-tls tests: /etc/ppp script permissions problems
add openconnect__strchrnul function to compat.c
ppp-over-tls tests: more comments about how hard it is to use pppd as a test fixture
fix <select>/<option> parsing bug
ppp-over-tls tests: give up on CentOS 6
Juniper: bugfix handling of loginForm.VerificationCode
ppp-over-tls tests: fix PPP-over-IPv6 tests on Ubuntu
use check_address_sanity for F5 too
add test-f5-login.py script
F5: implement f5_obtain_cookie
F5: one of the GET requests in login flow appears unnecessary
F5: fix old options leak on reconnect
F5: pause-and-reconnect doesn't preserve IP addresses if we PPP-terminate
add test-fortinet-login.py
hard-code browser UA into test-fortinet-login.py
parse real Fortinet config
Fortinet: set HTTP user-agent to 'Mozilla/5.0 SV1' as openfortivpn does
Fortinet: ignore 401/403 response to remote/index request
Fortinet: explain to the user if connecting to an ancient server that doesn't support XML config
Fortinet: socket switches abruptly from HTTP request to encapsulated PPP, with no HTTP-ish response
Fortinet does not use HDLC framing
Fortinet: server rejects asyncmap and header compression options
Fortinet: note divergences of header values from openfortivpn, and absence of DTLS support
Fortinet: implement auth_expiration
Fortinet: remove unused function
Fortinet: assume default route if no split routes received
implement fortinet_obtain_cookie
official Forticlient doesn't 'GET /remote/index', so let's not
simpler fortinet_obtain_cookie()
attempt to implement Fortinet challenge-based 2FA (ping #225)
Fortinet: parse <split-dns> domains and DNS servers from config
Fortinet's realm parameter comes from the URL-path
add openconnect__strchrnul function to compat.c
cleanup and clarify comments about tests that are XFAIL in CI
add auth-fortinet tests
add auth-f5 tests
make F5 and Fortinet tests go through config-pulling (up to the point of tunnel connection), rather than stopping after authentication
Fortinet: fix crash caused by absence of redirect
Fortinet: fix token code generation
turns out F5 can have an authgroup dropdown
rename (resp_buf, form_buf) → (req_buf, resp_buf) in f5.c and fortinet.c
test multi-domain logins in F5 tests
F5: factor out plain_auth_form()
don't require F5 forms other than first one to have any particular name/ID
I do believe a changelog addition is in order
flask-based tests: give up on CentOS7
bugfix !165 Juniper forms handling
main.c CLI: replace confusingly-used `FILE *pid_fp` with `int wrote_pid`
fix openconnect_disable_dtls / --no-dtls
bugfix internal_get_url
add fake-juniper-server.py and tests/juniper-auth
add test path including frmSelectRoles
make --authgroup fill EITHER the role and/or the realm for Juniper
Merge branch 'juniper-auth-tests' into 'juniper-auth-tests'
Use oc_text_buf for internal_get_url()
Add note-to-self comments about DTLS for F5/Fortinet
Expand F5 and Fortinet documentation
Multi-protocol support documentation
Update README.md (developer-facing docs on GitLab)
Reference F5 and Fortinet support in manual page
Set Fortinet DPD interval from server's config
Remove attempt_period from protocol-specific udp_setup() functions
Accept IPv6 netmasks like /dead:beef::, in addition to /N
Update 'Getting Started / Connecting' docs
NC/Pulse idle timeout
Parse Pulse error/termination packets and print error codes and strings
Add changelog entry
Fix logout and options requests in fake-f5-server.py
Don't call connection script in ssl_reconnect if tunnel is not up
Handle F5 split-exclude routes
Pulse should fallback to Juniper logout
Fix missing newlines in ssl_nonblock_{read,write}() error message
Speculatively enable no_terminate_on_pause for Fortinet
Fix f5-auth-and-config tests not to depend on cookies
Add start_dtls_anon_handshake() for PPP protocols
Split fortinet_configure() from fortinet_connect() to prepare for DTLS
Fortinet: don't keep retrying if cookie is invalid on reconnect
Add Fortinet DTLS support
Merge branch 'nc_pulse_idle_timeout' into 'master'
GlobalProtect IPv6 support
Make CLI print IPv6 address correctly
Reduce noisy logging of GlobalProtect IPv6 config tags
Warn if <quarantine> is set in GlobalProtect XML config
Add GlobalProtect IPv6 to docs and changelog
F5, Fortinet: ignore errors in landing page once we've got a cookie
Fix Fortinet IPv6 config and add tests for it
Fix sloppy cookie construction for Fortinet
Split ESP checksum functions into csum_partial and csum_finish
Log address family of ESP packets sent/received
GP config: hush warning about unknown <quarantine>no</quarantine>
Add IPv6/ICMPv6 header and flags to win32-ipicmp.h
GlobalProtect IPv6 ESP support
Add fake-gp-server.py and gp-auth-and-config test
Consolidate check_http_status from gpst.c and ppp.c
GP auth: don't modify URL path if it ends with .esp
Add tests of GlobalProtect auth with gateway selection and challenge-based 2FA
GP: fix bug in blind retry of login credentials after portal-to-gateway redirect
GP: Pass 'preferred-ipv6' parameter among auth requests, just like 'preferred-ip'
Replace all use of inet_ntoa() with inet_ntop()
Keep comments next to live code in fortinet.c
Improve Fortinet auth
Bugfix GlobalProtect ESP magic pings over Legacy IP
Print an error message if dtls_addr is NULL in dtls_setup()
Clarify 'Certificate Validation Failure' error from Cisco servers
Fix handling of concatenated PPP data packets
Rename oncp_rec_size → partial_rec_size
Fix PPP packets split across TLS records
Fix Fortinet realm name extraction
Mark obsolete-server-crypto test as XFAIL in Fedora/GnuTLS/* CI
Don't save `portal-*cookie` values if they're "empty"
Receiving a portal-*cookie should allow us to automatically retry the login on the gateway
Add tests of using portal-userauthcookie to continue through gateway
Update changelog
Mark juniper-sso-auth test as using LD_PRELOAD
Docs should link to Gitlab as the main repository for vpnc-script and vpnc-script-win.js
Follow disable_ipv6 for Pulse and Fortinet
PPP: Replace no_terminate_on_pause flag with terminate_on_pause flag
Cleanup fortinet-auth-config
Fortinet requires us to check for an HTTP error response only over TLS
More complete comment about issues with proxies in connection phase
Assume that a 'portal-*cookie' will allow us to bypass gateway SAML
Merge branch 'https' into 'master'
Fix typo and clarify openconnect_get_connect_url comment slightly
Update documentation for the --authenticate option
With --user, enter username in all forms, not just the first
Update changelog
Merge branch 'automatically_enter_username_into_all_forms' into 'master'
Encourage use of csd-post.sh, and discourage use of csd-wrapper.sh
Use sysctl to un-disable IPv6 for all CI runs where PPP tests are enabled
Mark sync/no-HDLC PPP tests as XFAIL for all CI images
Verify that TPMv2 startup tools are present in order to enable auth-swtpm tests
Merge branch 'ci' into 'master'
Merge branch 'tests_trailing_space' into 'master'
Use more idiomatic super().__init__() in html.py
Only remove ERR_GET_FUNC for OpenSSL v3.0 and newer
Merge branch 'ERR_GET_FUNC_OpenSSL_3.0' into 'master'
Merge branch 'lgtm' into 'master'
Merge branch 'ERR_GET_FUNC_OpenSSL_3.0' into 'master'
Merge branch 'flake8' into 'master'
Use hostname as Wintun ifname (if ifname not specified)
Remove TAP-Windows driver from installer, and update docs to reference Wintun's default inclusion
Distinguish ERROR_ACCESS return value from create_wintun()
Check vpnc-script exit status on all platforms including Windows
Don't set Legacy IP address on Windows tunnel interface within OpenConnect itself
Add check_address_conflicts() to tun-win32.c
Try to delete-and-reclaim IP addresses from down interfaces
Update changelog to reflect Wintun and vpnc-script-win.js improvements
Provide the vpnc-script with our PID (as $VPNPID)
Merge branch 'set_VPNPID_for_vpnc_script' into 'master'
Merge branch 'wintun_doc_and_naming_tweaks' into 'master'
Merge branch 'deepsource' into 'master'
Fix missing newline in Windows error message
Annotate vpnc-script-win.js with a header documenting its exact source revision
Merge branch 'wintun-0.13' into 'master'
bugfix openconnect__strchrnul function in compat.c
Dump initial oNCP negotiation request if --dump-http-traffic is specified
Add links to latest Windows builds to www/packages.html and README.md
Attempt to determine whether Fortinet server really supports reconnect-after-drop (without reauth)
Do request "ancient HTML config" in order to distinguish truly-ancient Fortinet servers from some reconnection problems
Enable Fortinet DPD even if server doesn't say that reconnect-after-drop is allowed
Merge branch 'refine_Fortinet_reconnect_and_DPD' into 'master'
Update documentation on state of Fortinet reconnects
Add flag to allow do_http_request() to return the server response body even on error
Add support for Fortinet's HTML-type multi-factor authentication
Test both tokeninfo- and HTML-based MFA challenges for Fortinet
Merge branch 'Fortinet_HTML_form_based_MFA' into 'master'
Merge branch 'python3' into 'master'
Merge branch 'discourage_use_of_csd-wrapper.sh' into 'master'
Merge branch 'vpn_progress_n' into 'master'
Avoid code duplication in www/html.py
Re-add TAP-Windows driver to installer, and update docs to reference its inclusion
Merge branch 'revert_to_using_TAPWindows_by_default' into 'master'
Fix missing protocol flag for Juniper NC
Fix/update comments in fake-*-server.py scripts
If oNCP negotiation response is a redirect, cookie is invalid
Juniper/NC ESP rekey fix
Add changelog entry
The option '--force-dpd' should be followed even if the server specifies a lesser DPD interval
Update documentation of --force-dpd to reflect its new behavior
Merge branch 'repeat' into 'master'
Bugfix F5 'plain' login form
Refuse to handle forms without ->auth_id (but do it in the right place, and noisily)
Merge branch 'fix_F5_plain_auth_form' into 'master'
Update changelog
Merge branch 'csd-wrapper-compressed' into 'master'
Merge branch 'm4' into 'master'
Merge branch 'force_dpd_even_if_greater_than_server_interval' into 'master'
openconnect_set_reported_os should reject illegal values
When running on Windows, the default OS value should be 'win'
Merge branch 'reject_bogus_OS_names' into 'master'
Merge branch 'wintun-0.10.2-0.13' into 'master'
.mailmap update
dumb_socketpair(): try to use AF_UNIX socketpair on Windows 10 and newer
dumb_socketpair(): generate named socket path more carefully
dumb_socketpair(): fallback from AF_UNIX to AF_INET if AF_UNIX fails
dumb_socketpair(): Try a whole series of plausible temporary/writable directories for AF_UNIX sockets
Update changelog
Merge branch 'Windows_10_has_AF_UNIX_socket' into 'master'
Merge branch 'windows_ctrl_signal_handler' into 'master'
Fix dumb_socketpair() comments
Fix changelog links/labels
Remove unnecessarily repeated IPv6-enablement in .gitlab-ci.yml
Change library ordering when testing for library availability with autoconf
Cleanup whitespace in all human-maintained files
Build docs should mention that ./configure looks for vpnc-script in TWO places
Update "Contributing" docs
The GitLab repo is more than an "experiment" at this point
Add new documentation on how to observe/MITM VPN clients
Remove the 'verbose' global variable
Pass verbosity level in vpnc-script environment as LOG_LEVEL
Update changelog
Mention other Windows vpnc-script improvement MRs in changelog
Merge branch 'pass_LOG_LEVEL_to_vpnc_script' into 'master'
Merge branch 'master' into 'master'
Merge branch 'doc_updates' into 'master'
Fix memory leak in pulse.c
Update changelog
Merge branch 'pulse-config-on-9.1' into 'master'
Pulse IPv6 is now known to work on real-world servers
Remove already-disabled code copied from oncp.c into pulse.c
Mention that some Pulse VPNs need to spoof official UA/OS to make IPv6 work
Print Pulse server's IPv6 internal gateway address (in addition to Legacy IP)
Mention support for DTLSv1.2 in F5 BIG-IP v16 or newer
Print warning if Fortinet server doesn't indicate support/no-support for reconnect-after-drop
Clarify Fortinet no-valid-cookie error paths
Merge branch 'pulse_IPv6_docs' into 'master'
In dumb_socketpair(), delete Unix-domain socket path once no longer needed
Merge branch 'tmp-fedora35' into 'master'
David Overton (2):
Bugfix Legacy IP split include/exclude routes for Pulse
Pulse: handle 0x2e20f000 main configuration packet
David Woodhouse (221):
Fix COPR release builds for mingw-openconnect
Work around SoftHSM lockup in CI
Remove Fedora updates-testing packages now pushed to stable
Update packages documentation
Run Coverity only in openconnect/openconnect repo
Check for Signed-off-by: in CI
Merge branch 'add_set_cookie' of gitlab.com:randymoss/openconnect
Fix Signed-off-by CI check
Add basic NSIS installer
Drop web page handling
Fix pfs test for out-of-tree builds
Fix up string handling for ciphersuite_config
Add obsolete-server-crypto to XFAIL tests in Fedora package
Add makensis to mingw COPR builds
Fix obsolete-server-crypto in the GnuTLS build not the OpenSSL one.
Fix up NSIS ProductVersion for RPM version strings
Actually create installer packages for MinGW builds
Merge branch 'handle_GP_cookie_rejected_errors' of gitlab.com:openconnect/openconnect
Fix Win32 build warnings about _putenv_s() redeclaration
Fix Windows build warning: No %zd for size_t on Windows
Merge branch 'no_more_X-AnyConnect-Platform_header' of gitlab.com:openconnect/openconnect
Fix non-Windows compilation. I hate autoconf.
Update translations from GNOME
Resync translations with sources
Cast GetVolumeInformationByHandleW to (void *)
Fix printf types in stats output
add support for PPP-based protocols
First attempt at F5 support
Add basic attempt at Fortinet support
Turn off -Wdeclaration-after-statement and allow C99
Fix handling of downloaded files
Include wintun dll in installer
Fix installer deps
Merge branch 'pre_PPP_cross_protocol_bits' of gitlab.com:openconnect/openconnect
Merge branch 'ppp_core' of gitlab.com:openconnect/openconnect
Fix build warnings
Merge branch 'add_f5_and_fortinet' of gitlab.com:openconnect/openconnect
Merge branch 'master' of gitlab.com:openconnect/openconnect
Add basic docs for (or at least admit the existence of) f5/fortinet
Resync translations with sources
Import translations from GNOME
Add Wintun support
Fix output redirection under Windows
Fix stray close paren in changelog
Fix key filename mangling in auth-certificate test
Fix test paths for out-of-tree builds
Use out-of-tree builds in CI
Fix Juniper auth tests for out-of-tree builds
Merge branch 'juniper-auth-tests' of gitlab.com:openconnect/openconnect
Fix link to Jailbreak
Revert "www: updated links to vpnc-script"
Update main web page
Add 'proto' integer value to struct vpn_proto
Fix --disable-ipv6 option
Fix CI artifact list for out-of-tree builds
Fix memory leak in F5 config parsing
Avoid free of argv[] when ciphersuite_config provided
Handle empty response buf in process_http_response()
Fix DTLS MTU probe timeouts
Fix -EAGAIN on writing DTLS socket for PPP mainloop
Fix leak of ppp structure on reconnect
Remove Cisco-specific option handling from dtls_setup()
Consolidate the various add_option() functions
Fix leak of simulated F5 netmask options
Add DTLS support to ssl_nonblock_read() / ssl_nonblock_write()
Factor out openconnect_install_ctx_verify() for OpenSSL
Fix timeout handling for DTLS handshake retries
Add DTLS_ESTABLISHED state
ppp: Clean up negotiated IP/DNS option handling
Implement ppp_reset()
Split out core ppp_mainloop() and add basic DTLS support to it
Fix handling of lost TERMACK
Add full DTLS support for PPP
Add F5 DTLS support
Ignore errors fetching NC landing page if auth was successful
Rework cstp_options and ip_info handling
Merge branch 'master' of gitlab.com:openconnect/openconnect
Add IPv6 support for Fortinet
Only set ip_info addresses from PPP if they aren't already set
Abort if PPP transport is closed in PPPS_ESTABLISH
Abort when install_vpn_options() fails
Don't fetch legacy Fortinet config
Attempt to allow Fortinet reconnect over TCP
Ensure pulse_connect() can never attempt to monitor fd -1
Fix potential memory leaks in ppp.c
Fix potential leak of 'domains' in parse_fortinet_xml_config()
Fix potential NULL dereference in Java example code
Partial fix for Fortinet auth
Fix Juniper role select form to have an auth_id too
Refuse to handle forms without ->auth_id
Fix EXTRA_DIST to include all $(POTFILES)
Fix setting of IP addresses in ip_info from PPP
DTLS: Don't require secure renegotiation from Cisco
Add OPENSSL_SUPPRESS_DEPRECATED
openssl: Add SSL_OP_LEGACY_SERVER_CONNECT to allow-insecure-crypto
Merge branch 'do_not_use_inet_ntoa' of gitlab.com:openconnect/openconnect
Merge branch 'add_GP_flask_tests' of gitlab.com:openconnect/openconnect
Fix DTLS state reporting
Use BIO_dgram for OpenSSL DTLS
Import json-parser library
json: Fix undefined behaviour when converting integer to double
json_parse_ex: Remove redundant assignment to unused 'b'.
Initial shell of Array Networks SSL VPN support
Add hackish array auth
Start to implement config parsing for Array
Implement DTLS support for Array
Add documentation for array protocol, remove HIDDEN flag
Only require json-parser for Fedora packages, not EPEL
Fix Coverity complaints about array.c
kill redundant free_certs argument to GnuTLS assign_privkey() function
GnuTLS: Start to factor out load_certificate() for reuse
Move cert/sslkey/cert_password into a 'struct cert_info'
GnuTLS: Pass certinfo into load_certificate() and subordinate functions
OpenSSL: Pass certinfo through load_certificate() functions
GnuTLS: Extend certinfo to callbacks
GnuTLS: Split out free_gtls_cert_info()
GnuTLS: Really only install certs from load_primary_certificate()
GnuTLS: Move TPMv1 context to certinfo
GnuTLS: Move TPMv2 context to certinfo
OpenSSL: Factor out load_certificate() from load_primary_certificate()
OpenSSL: Fix user-visible strings and dialog auth_id for multicert
GnuTLS: Fix user-visible strings and dialog auth_id for multicert
tss2-esys: Don't try password for TPM2 keys with emptyauth set
Tell TPMv2 the hash type based on size
Support TLSv1.3 sign functions on SECP curves with TPMv2
Allow TSS2 library to be chosen by --with-gnutls-tss2
Add IBM TSS CI build on Fedora
Implement RSA-PSS padding for TPMv2
Resync translations with sources
Update translations from GNOME
Allow TPM_INTERFACE_TYPE=socsim to force swtpm even for Intel TSS
Add tests for TPMv2 with both swtpm and hardware
Add swtpm-tools to COPR build too, to enable auth-swtpm test
Disable swtpm testing for ancient Fedora/EPEL
Add NIST P384 curve to swtpm tests
Actually add P384 files so they aren't generated locally
Update TPMv2 documentation a little, add changelog for TLSv1.3 and swtpm
Update translations from GNOME
Update translations from GNOME
Add openconnect_get_connect_url(), use it in --authenticate output
GnuTLS: Refactor test sign/verify loop over available digests
Add line length argument to buf_append_base64()
Move oc_text_buf functions out to textbuf.c for easier unit testing
Limit oc_text_buf to 16MiB, start adding test cases
Fix fallback/big-endian store_le16() and store_le32()
Fix buftest to build on Windows
Update translations from GNOME
Don't leak memory in buftest
Validate line_len argument to buf_append_base64() too
Fix first line length in buf_append_base64()
Add more buf_append_base64() tests... and fix it.
Fix store_le16/store_le32 harder
Fix MinGW CI build to use their own docker images, now we have them.
Increase SO_SNDBUF on UDP socket
Add Android CI builds
Bump Android dependencies
Fix out-of-tree builds with ASAN
Merge branch 'clarify_Certificate_Validation_Failure_error' of gitlab.com:openconnect/openconnect
Fix static-analyzer CI builds
Merge branch 'obsolete_http_configuration' of gitlab.com:DimitriPapadopoulos/openconnect
Merge branch 'chmod-x_tun-win32.c' of gitlab.com:DimitriPapadopoulos/openconnect
Revert "with --allow-insecure-crypto, additionally attempt to disable insecure systemwide minimum crypto settings"
Disable ASAN tests for now
Unconditionally bypass system crypto policy
Add changelog for system policy disable
Remove reference to --allow-obsolete-crypto bypassing policies
Use https://www.infradead.org/openconnect/download/ URLs
Switch to https for all URLs
Update translations from GNOME
Support non-AEAD ciphersuites in DTLSv1.2 with GnuTLS
Offer OpenConnect-specific DTLSv1.2 AEAD suites with OpenSSL again
Add +SIGN-ALL to GnuTLS DTLS ciphersuite configs
We can admit that the FTP site exists too.
Merge branch 'server' into 'master'
Merge branch 'recognise' into 'master'
Update translations from GNOME
Fix Yubikey/Android PBKDF2 bug URLs
Merge branch 'assert' into 'master'
Merge branch 'm4' into 'master'
Merge branch 'include' of gitlab.com:DimitriPapadopoulos/openconnect
Merge branch 'yubi' of gitlab.com:DimitriPapadopoulos/openconnect
Merge branch 'lzo' of gitlab.com:DimitriPapadopoulos/openconnect
Stop polling cmd_fd while busy
Add alloc_pkt() and free_pkt() helpers
Reuse packets
Merge branch 'vpnc-script_s' into 'master'
Merge branch 'update_authenticate_docs_for_RESOLVE_and_CONNECT_URL' into 'master'
Merge branch 'small_PPP_fixes' into 'master'
Merge branch 'obey_IPv6_in_Pulse_and_Fortinet' into 'master'
Merge branch 'suspect_code_indent' into 'master'
Merge branch 'vpnc-script_links_on_GitLab' into 'master'
Merge branch 'rondom-do-https-request-header-cb' into 'master'
Merge branch 'GP_portal_to_gateway_auth_with_cookies' into 'master'
Use epoll() instead of select()
Merge branch 'epoll' of gitlab.com:openconnect/openconnect
Merge branch 'include' into 'master'
Merge branch 'linux_kernel_coding_style' into 'master'
Fix epoll support for connection pause/restart
Add SIGUSR2 to dtls-psk test
Clear epoll_fd after forking to background self
Stop accepting DTLS packets when the queue is full
Initial vhost-net support
Use vhost for dtls-psk and sigterm tests
vhost: Avoid TX queue when writing directly is faster
vhost: Add USED_EVENT and AVAIL_EVENT macros
Fix double close of vhost_fd on error
Check eventfd read/write returns
Tweak vhost ring handling to stop Coverity thinking we leak packets
Reads from the vhost_call_fd do return -EINTR when we loop multiple times
Fix RSA-PSS padding with SHA384 for TPMv2 keys
Do not truncate RSA-PSS salt length for small keys
Make all cert rules order-only
Merge branch 'codespell' into 'master'
Update translations from GNOME
Update translations from GNOME
Merge branch 'wip/dueno/tss2-rc' of gitlab.com:dueno/openconnect
Update translations from GNOME
Resync translations with sources
Avoid printing spurious ENOENT error from EPOLL_CTL_DEL
Fix EXTRA_DIST for ocserv config files
Tag version 8.20
Dimitri Papadopoulos (107):
Better document obsolete code and why we keep it
chmod -x
ise → ize
New option to define server name in config file
Remove assert
http:// -> https://
Update m4 files
Get rid of trailing spaces
Remove duplicate includes
Further fix Yubikey/Android PBKDF2 bug URL
Latest version of lzo.c
Merge branch 'trailing_spaces' into 'master'
Fix URL of repository of vpnc-script
Fix suspect code indent
Fix bad function definition
Fix open brace '{' following function definition
Fix Linux kernel coding style errors and warnings
Reorganize #include
Fix Linux kernel coding style warning
Merge branch 'STATIC_CONST_CHAR_ARRAY' into 'master'
Fix Linux kernel coding style error
Merge branch 'POINTER_LOCATION' into 'master'
Fix Linux kernel coding style warning
Merge branch 'ARRAY_SIZE' into 'master'
Fix Linux kernel coding style warning
Merge branch 'SPACE_BEFORE_TAB' into 'master'
Fix Linux kernel coding style warning
Merge branch 'REPEATED_WORD' into 'master'
Fix Linux kernel coding style error
Merge branch 'INLINE_LOCATION' into 'master'
Fix Linux kernel coding style error
Merge branch 'OPEN_BRACE' into 'master'
Fix Linux kernel coding style warning
Merge branch 'SUSPECT_CODE_INDENT' into 'master'
Fix Linux kernel coding style warning
Merge branch 'EMBEDDED_FUNCTION_NAME' into 'master'
Fix Linux kernel coding style error
Merge branch 'MULTISTATEMENT_MACRO_USE_DO_WHILE' into 'master'
Fix Linux kernel coding style error
Merge branch 'COMPLEX_MACRO' into 'master'
Fix Linux kernel coding style warning
Merge branch 'RETURN_VOID' into 'master'
Fix Linux kernel coding style error
Merge branch 'SWITCH_CASE_INDENT_LEVEL' into 'master'
Fix Linux kernel coding style warning
Merge branch 'DEFAULT_NO_BREAK' into 'master'
Fix Linux kernel coding style warning
Merge branch 'SPLIT_STRING' into 'master'
Fix Linux kernel coding style warning
Merge branch 'SINGLE_STATEMENT_DO_WHILE_MACRO' into 'master'
Fix typo from 275d838
Fix Linux kernel coding style warning
Merge branch 'LINE_CONTINUATIONS' into 'master'
Merge branch 'ooops' into 'master'
Fix Linux kernel coding style warning
Fix Linux kernel coding style error
Shut static analyser up
Merge branch 'INITIALISED_STATIC' into 'master'
Merge branch 'DeviceIoControl_TAP_IOCTL_GET_VERSION' into 'master'
Mark auth-swtpm test as XFAIL on Fedora/OpenSSL and Fedora/OpenSSL/clang
Typos caught by codespell
Build with OpenSSL 3.0 beta 2 Release Candidate
Remove spurious trailing space
LGTM warning: Unnecessary pass
LGTM recommendation: Unused import
LGTM recommendation: Unused import
LGTM error: Missing call to `__init__` during object initialization
LGTM recommendation: Unused local variable
Build with OpenSSL 3.0 beta 2 Release Candidate
Typos caught by codespell
Merge branch 'codespell' into 'master'
Flake8 errors and warnings
Document --force-trojan as available on _WIN32
LGTM recommendations: Except block handles 'BaseException'
Nuke tabs in Python
Wintun 0.10.2 (2021-02-16) → 0.13 (2021-08-02)
Fix DeepSource alert
Fix DeepSource alert
Fix DeepSource alert
Fix DeepSource alert
This is a Python 3 script
Fix DeepSource alert
Fix DeepSource alert
Fix DeepSource alert
Fix DeepSource alert
Fix DeepSource alert
Add missing '\n' to vpn_progress() messages
Remove extra '\n' from a vpn_perror() message
Resync translations with sources
These are Python 3 scripts
Remove repeated words from documentation
AC_CONFIG_MACRO_DIRS
AC_LANG_C → AC_LANG([C])
AC_PROG_LIBTOOL → LT_INIT
Fix Windows installer so that it uninstalls cleanly
Fix grammar/typos in comments and diagnostic messages
AC_ERROR → AC_MSG_ERROR
Load wintun.dll from the application directory only
Follow Wintun example to the letter (versions 0.10.2 or 0.13)
Windows: fix instability with Wintun as tunnel device driver
Latest version of vendored dumb_socketpair()
Option --version prints default script location
Add jq as a build dependency to fix COPR builds
Print detailed error information when opening cmd pipe/socketpair fails
Use ARRAY_SIZE(array) macro instead of hard-coded sizeof(array)/N
Fix typos not found by codespell
html.py must run with either Python 2 or 3 to support COPR builds
Elias Norberg (1):
Always set security level to 0 for openssl versions >= 1.1.0
Ivan Afonichev (1):
Absolute redirect with '://' in URL param should be valid
Joachim Kuebart (10):
fix: use field instead of global variable
fix: support forms without "action"
fix: keep going when forms have only hidden fields
feat: support Microsoft SSO
nit: silence deprecation warning
fix: don't raise when TNCC_CERTS is unset
add juniper-sso-auth test: add unit test for Azure MFA SSO
fix: fix Juniper Azure SSO login
fix: generalise check for user name field
fix: add missing licence to fake-tncc.py.
Joerg Mayer (1):
Add HAVE_EPOLL check to fix macOS build failure
Justin Kendrick (1):
Add missing files to tarball for win32 build
Kevin Yue (1):
Pass the `portal-*cookie` values received in the portal config to the gateway login
Luca Boccassi (1):
libopenconnect: add public interface stubs for SAML support
Lukáš Karas (3):
set up default port 443 in openconnect_vpninfo_new
remove port setup in ssl connect
check that port is in valid range
Nikos Mavrogiannopoulos (46):
Fixed failing tests
.mailmap: set gmail as primary email of Nikos
.gitlab-ci.yml: fix on fedora32
gnutls: try multiple hashes when checking for pub/priv key match
.gitlab-ci.yml: updated to fedora33
Merge branch 'tmp-fix-tests' into 'master'
.gitlab-ci.yml: run coverity weekly with a scheduled run
.gitlab-ci.yml: use prebuilt images from project's registry
www: updated links to vpnc-script
windows builds: run the right openconnect executable
Merge branch 'tmp-link-vpnc-script-gitlab' into 'master'
Merge branch 'tmp-use-presaved-images' into 'master'
Merge branch 'vpninfo-port' into 'master'
.gitlab-ci.yml: use centos8 build for coverity
Merge branch 'Windows_tuntap_fix_196' into 'master'
Free memory obtained from openconnect_get_peer_cert_DER
.gitlab-ci.yml: added address and undefined sanitizer runs
main: avoid unnecessary memory copy (and leak)
Merge branch 'tmp-add-ubsan-asan' into 'master'
.gitlab-ci.yml: added clang's static analyzer
parse_hex: avoid zero length allocation
run_hip_script: made error handling consistent
process_http_response: avoid memory leak
cleanup_gssapi_auth: avoid null pointer dereference
start_cstp_connection: avoid unused assignment
do_https_request: removed unused assignment
parse_prelogin_xml: removed unnecessary initialization
dtls_detect_mtu: removed unnecessary initialization
buf_tlv: corrected TLV decoding
append_compr_types: removed unnecessary assignment
decrypt_stoken: avoid code without side effects
oncp_connect: bail on error
process_http_response: removed default error code
oncp_connect: avoid code without side-effects
openconnect_set_token_mode: propagate error code
gnutls: removed unused assignments, and use gnutls_calloc()
ntlm_manual_challenge: initialize hash to zero
internal_parse_url: fix memory leak
Merge branch 'tmp-add-scan-build' into 'master'
dtls-psk: use ping -6 to ping an ipv6 address
.gitlab-ci.yml: CentOS7/OpenSSL: mark failing test as XFAIL
Merge branch 'tmp-fix-centos7-failure' into 'master'
.gitlab-ci.yml: build on fedora35
.gitlab-ci.yml: remove unnecessary installations
.gitlab-ci.yml: removed legacy references to rdrand
Merge branch 'spelling' into 'master'
Randy Moss (1):
Add `openconnect_set_cookie` function to library and jni Signed-off-by: Randy Moss <kasaxet794 at homedepinst.com>
Roberto Leinardi (1):
Added platform name to the HIP report script
Sabin Rapan (1):
Fix selection of TPM2 key gen tools
Steven Luo (1):
Make correct TUNDEV value available to vpnc-script during pre-init
Tim De Baets (3):
Install a custom signal handler on Windows using SetConsoleCtrlHandler()
Issue OC_CMD_DETACH instead of OC_CMD_CANCEL on Ctrl+Break
Update changelog
Tom Carroll (9):
Free pcerts array for all assign_privkey paths.
Use separate counters for inner and outer loop.
Remove field free_certs from gtls_cert_info.
Convert x509_privkey to abstract privkey in load_certificates.
Remove NULL checks before deinit GnuTLS objects.
gnutls.c:943:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare]
Check gnutls_pubkey_init return code.
Correct calculation of base64 encode buffer length.
Use C99 initializer instead of memset.
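Several entries in the log above touch the same corner of the library: "Add line length argument to buf_append_base64()", "Validate line_len argument to buf_append_base64() too", "Fix first line length in buf_append_base64()" and Tom Carroll's "Correct calculation of base64 encode buffer length." The recurring hazard is that a wrapped base64 encoder sizes its output buffer from one formula and writes according to another, which is how an off-by-one becomes a heap overflow. The following is an added, stand-alone C example rather than OpenConnect's buf_append_base64(): it computes the exact wrapped output size before writing a byte, rejects a line length that is not a multiple of four, and checks at the end that the number of bytes written matches the number it reserved. The function names, the multiple-of-four rule, the sentinel value and the newline-after-every-line convention are assumptions made for the illustration, as is the sample input.

```c
/* Added example, not OpenConnect code: base64 with line wrapping where
 * the output size is computed once and then verified after encoding.
 * Names, the multiple-of-4 line_len rule and the trailing-newline
 * convention are assumptions for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returned by b64_wrapped_len() for an unusable line_len or an input
 * so large that the size arithmetic would overflow. */
#define B64_LEN_INVALID ((size_t)-1)

static const char b64_alphabet[] =
	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes needed (excluding NUL) to encode `len` input bytes, wrapped with
 * a '\n' after every `line_len` output characters and after the final
 * partial line. line_len == 0 means no wrapping at all. */
size_t b64_wrapped_len(size_t len, size_t line_len)
{
	size_t out;

	if (len > SIZE_MAX / 4)
		return B64_LEN_INVALID;	/* 4 * ceil(len / 3) would overflow */
	out = 4 * ((len + 2) / 3);	/* padded 4-char groups */
	if (line_len == 0)
		return out;
	if (line_len % 4)
		return B64_LEN_INVALID;	/* a line must hold whole groups */
	return out + (out + line_len - 1) / line_len;	/* + one '\n' per line */
}

/* Encode into a freshly malloc'd NUL-terminated string; NULL on invalid
 * line_len, allocation failure, or a size mismatch (internal bug). */
char *b64_encode_wrapped(const uint8_t *in, size_t len, size_t line_len)
{
	size_t need = b64_wrapped_len(len, line_len);
	size_t i, col = 0;
	char *out, *p;

	if (need == B64_LEN_INVALID)
		return NULL;
	out = malloc(need + 1);		/* +1 for the terminating NUL */
	if (!out)
		return NULL;
	p = out;
	for (i = 0; i < len; i += 3) {
		uint32_t v = (uint32_t)in[i] << 16;

		if (i + 1 < len)
			v |= (uint32_t)in[i + 1] << 8;
		if (i + 2 < len)
			v |= in[i + 2];
		*p++ = b64_alphabet[(v >> 18) & 63];
		*p++ = b64_alphabet[(v >> 12) & 63];
		*p++ = (i + 1 < len) ? b64_alphabet[(v >> 6) & 63] : '=';
		*p++ = (i + 2 < len) ? b64_alphabet[v & 63] : '=';
		col += 4;
		if (line_len && col == line_len) {
			*p++ = '\n';
			col = 0;
		}
	}
	if (line_len && col)
		*p++ = '\n';		/* terminate the last, partial line */
	*p = '\0';
	/* The size reserved up front must equal the size actually written */
	if ((size_t)(p - out) != need) {
		free(out);
		return NULL;
	}
	return out;
}

/* Encode `input` and compare with `expected` (NULL = expect rejection);
 * also confirms the written length matches b64_wrapped_len(). */
int b64_check(const char *input, size_t line_len, const char *expected)
{
	size_t len = strlen(input);
	char *s = b64_encode_wrapped((const uint8_t *)input, len, line_len);
	int ok;

	if (!s)
		return expected == NULL;
	ok = expected && strcmp(s, expected) == 0 &&
	     strlen(s) == b64_wrapped_len(len, line_len);
	free(s);
	return ok;
}

int main(void)
{
	/* Constructed sample input: 7 bytes, so the last group is padded */
	char *s = b64_encode_wrapped((const uint8_t *)"ManManM", 7, 8);

	if (!s)
		return 1;
	fputs(s, stdout);		/* TWFuTWFu\nTQ==\n */
	free(s);
	/* line_len 6 is not a multiple of 4 and must be rejected */
	return b64_check("ManManM", 6, NULL) ? 0 : 1;
}
```

The point of b64_check() is the second condition: every encoded string is compared not only against the expected text but against the length the sizing function promised, which is the invariant a fuzzer or unit test should pin down for any encoder that separates "how much to allocate" from "how much to write".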