This is a prerelease of v4.00 to get a little more testing. The main thing it does is add GnuTLS support. It supports PKCS#11 crypto tokens, and also TPM keys. Thanks to Carolin Latze for the TPM support, and especially to Nikos Mavrogiannopoulos for a lot of other help in getting GnuTLS working, including DTLS support. It still uses OpenSSL by default, unless you pass '--with-gnutls' on the configure command line. If you aren't using a version of GnuTLS which supports Cisco-DTLS, it'll still fall back to using OpenSSL for that, while using GnuTLS for the HTTPS part.

Places where the library used to expose an OpenSSL 'X509' structure now expose a generic pointer. It *might* be an X509, or it might be a gnutls_x509_crt_t. There are functions to do various operations on it (fingerprint, pretty-print as text) that the auth-dialogs were doing, and a function to export it in DER form if an auth-dialog wants to do something more advanced. All the callbacks for user interaction are also cleaned up to use the ->process_auth_form() method, so auth-dialogs no longer need to capture the OpenSSL UI method calls.

Note that TPM support is only available with GnuTLS 3.x; if you're stuck on GnuTLS 2.12 then please file a bug with your Linux distribution to get it updated. GnuTLS 3.0 was released almost a year ago! Other functionality is subtly substandard when used with GnuTLS 2.12 too.

This release also adds a $CISCO_SPLIT_DNS variable when invoking vpnc-script, with a comma-separated list of search domains. (Patches to vpnc-script welcome; NetworkManager is already updated.)

Finally it improves the MTU configuration to improve connectivity with new servers by allowing different MTU for CSTP and DTLS connections. Although it's not clear how Cisco's scheme for this is intended to work; it looks like it'd work a lot better if their server didn't give an artificially low MSS when accepting the TCP connection.

Oh, and the --cert-type option is gone from the command line.
We've been automatically detecting that for a *long* time, so the option was unneeded.

ftp://ftp.infradead.org/pub/openconnect/openconnect-3.99.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-3.99.tar.gz.asc

David Woodhouse (137):
      Add --with-pkgconfigdir to allow different environments like FreeBSD
      Make openconnect_open_https() and openconnect_close_https() more forgiving.
      Fix non-blocking support in fetch_config()
      Use openconnect_open_https() and openconnect_close_https() better.
      Add gnutls support to build system
      Fix API major/minor handling for out-of-source-tree build
      Move peer_cert handling to openconnect_open_https()
      Add openconnect_get_cert_details() function
      Add openconnect_sha1() function and use it instead of using OpenSSL directly
      Move basic process_auth_form() out to main.c
      Be more self-sufficient with header inclusions
      Add openconnect_get_cert_DER() function
      Add openconnect_random() function
      Split out connect_https_socket() function from openconnect_open_https()
      Move OpenSSL-specific functions from ssl.c to openssl.c
      Disable DTLS for GnuTLS build for now
      Remove OpenSSL dependency from http.c
      Add SSL library definition to CFLAGS in openconnect.pc
      Introduce semi-opaque OPENCONNECT_X509 type in library API
      Add barely functional GnuTLS support
      Refuse to build with GnuTLS < 2.12.16
      Make CSTP connection in a single SSL record
      Improve GnuTLS compatibility options
      Add client certificate support for GnuTLS
      Check cert expiry, at least for PEM certs
      Clean up GnuTLS PKCS#12 handling a little
      Add server certificate validation for GnuTLS
      Import pkcs12_parse() function from GnuTLS to fix PKCS#12 handling
      Make GnuTLS parse_pkcs12() return extra certificates from the PKCS#12 too
      GnuTLS: Add supporting certificates from PKCS#12 file
      Remove unused workaround_openssl_certchain_bug() function
      GnuTLS: Load trusted CAs before loading certificate
      GnuTLS: Import more than one certificate from PEM file
      Add GnuTLS to changelog
      Add openssl.c and gnutls.c to POTFILES
      Remove duplicate socket connect code from gnutls.c
      Fix vpninfo->peer_cert handling for GnuTLS
      Move openconnect_SSL_printf() to ssl.c
      Fix build on systems without O_CLOEXEC
      Remove stray debug printf
      Fix GnuTLS select() during handshake
      Bump API version, advertise get_cert_DER() and get_cert_details() functions
      Reduce priority of GnuTLS certificate verify failure message to PRG_INFO
      Fix GnuTLS request_passphrase() if no UI callback function
      openconnect_set_xmlsha1() takes a const char *
      Stop using OpenSSL UI for user interaction
      Add completely untested PIN callback for GnuTLS
      GnuTLS: Split logging of additional certs into a separate loop
      GnuTLS: Don't include root CA in the supporting evidence; only intermediates
      OpenSSL: Don't include root CA in the supporting evidence; only intermediates
      Fix FreeBSD compile
      Allow interface name to be specified on *BSD
      Fix FreeBSD tun handling with net.link.tun.devfs_cloning=0
      Update comment about gnutls_x509_privkey_import_pkcs8() password handling
      Move request_passphrase() to ssl.c
      Use request_passphrase() for OpenSSL PKCS#12
      Fix config_arg handling
      Fix config fetch
      Use request_passphrase() for OpenSSL PEM files
      Check for gnutls_pkcs12_simple_parse() in GnuTLS
      Split out OpenSSL_specific start_dtls_handshake() function
      Add DTLS support for GnuTLS
      Allow '--with-gnutls' in configure
      Add UI handling for OpenSSL TPM keys
      GnuTLS now uses gnutls_session_set_premaster()
      Fix GnuTLS PKCS#11 PIN request function
      Use p11-kit for directing PIN request to process_auth_form()
      Remove last traces of special UI and PIN handling from main.c
      Bump library soname to libopenconnect.so.2
      Kill old openconnect_vpninfo_new()
      Fix cbdata argument to process_auth_form()
      Change Requires: to Requires.private: in openconnect.pc
      Fix generation of version.c for out-of-tree builds
      Fix git-tree deps for version.c in out-of-tree build
      Don't hard-code cipher type in GnuTLS DTLS
      Set X-CSTP-Base-MTU: for new servers
      Make 'make dist' work for out-of-tree build
      Add gnutls_pkcs12 to dist
      Add gnutls.c and openssl.c to EXTRA_DIST too
      Add $CISCO_SPLIT_DNS environment variable for vpnc-script
      Update changelog
      Use X-DTLS-MTU response from server as well as X-CSTP-MTU
      Import updated gnutls_pkcs12_simple_parse() from GnuTLS
      Don't unregister p11-kit PIN callback until vpninfo is finished with
      Fix error handling when GnuTLS can't open key file
      Cope with SSL key being PKCS#11 but cert from file
      Use gnutls_certificate_set_x509_system_trust() where available
      GnuTLS: Fix expiry check and CA chain addition for PKCS#11 certs
      GnuTLS: Fix build with GnuTLS 2.12 and PKCS#11
      Set object-type on PKCS#11 URL for key and cert
      GnuTLS: Cache token PIN
      Remove obsolete GnuTLS FIXME comment
      Portability fixes for Solaris, *BSD
      Fix non-interactive mode
      Update docs for GnuTLS and PKCS#11 support
      GnuTLS: Print name of primary certificate
      OpenSSL: Print name of primary certificate
      Fix update-translations make target for out-of-tree build
      Fix upload-pot make target for out-of-tree build
      Update translations from Transifex
      Remove stray openssl includes
      Allow building against GnuTLS (for TCP) and GnuTLS (for DTLS) simultaneously
      Print SSL build options on --version or usage()
      Remove --cert-type option from command line
      Make --disable-ipv6 really do it
      Translate build option output
      Return error from OpenSSL load_certificate() for PKCS#11 URLs
      Add openconnect_has_pkcs11_support()
      Add --authenticate option
      Fix const char * warnings in GnuTLS pin_helper on FreeBSD
      Add openconnect_has_tss_blob_support()
      GnuTLS: Fix password memory leaks
      Fix useragent leak
      Make authentication valgrind-friendly
      OpenSSL: Fix password memory leaks
      OpenSSL: Clean up leaks in TPM ENGINE handling
      OpenSSL: Free BIO leak in reload_pem_cert()
      OpenSSL: Fix leak of cert_x509
      Explicitly check for gnutls_certificate_set_key(), separate it from p11-kit
      Fix DTLS fallback to OpenSSL for old GnuTLS
      Clean up build options printout
      Add TPM support for GnuTLS
      Remove redundancy in code which 'matches' cert to privkey
      Fix GnuTLS PIN cache leak when only *key* is PKCS#11 and not certificate.
      Implement certificate matching for TPM/PKCS#11 privkeys
      Fix error exits in GnuTLS load_certificate() function
      Try null SRK key (20 bytes of zero) first
      Give proper error reporting from tpm_sign_fn() TPM operations
      Handle TPM keys with their own authentication PIN
      Allow GUI to distinguish between PIN/passphrase callbacks
      Fix build with GnuTLS 2.12
      Update translations from Transifex
      Move dtls1_stop_timer() declaration inside the OPENCONNECT_OPENSSL section
      Link libopenconnect to trousers, not openconnect
      $CISCO_SPLIT_DNS is separated by commas in vpnc, not spaces
      Make 'make tag' work out of source tree
      Tag version 3.99

Mike Miller (2):
      Remove libopenconnect.map from EXTRA_DIST
      Show correct path to vpnc-script in the man page

-- 
dwmw2
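The $CISCO_SPLIT_DNS handling mentioned in the announcement, as an added example that is not part of openconnect or vpnc-script: a POSIX sh fragment a vpnc-script could use to turn the comma-separated list into a resolv.conf "search" line. Because the value is supplied by the VPN server, each entry is checked against DNS name syntax before it can reach system configuration; the function names and the sample value are constructed for this example.

```shell
#!/bin/sh
# Added example (not openconnect or vpnc-script code): build a resolv.conf
# "search" line from the comma-separated $CISCO_SPLIT_DNS value that
# openconnect 3.99 exports to vpnc-script. The list comes from the VPN
# server, so every entry is validated before it can reach system config.

# Return 0 if $1 looks like a syntactically valid DNS search domain.
valid_domain() {
    case "$1" in
        ''|*..*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ] || return 1
    _ifs=$IFS; IFS=.
    for _label in $1; do
        # labels are 1..63 characters and may not start or end with '-'
        if [ "${#_label}" -gt 63 ]; then IFS=$_ifs; return 1; fi
        case "$_label" in -*|*-) IFS=$_ifs; return 1 ;; esac
    done
    IFS=$_ifs
    return 0
}

# Print "search d1 d2 ..." for the comma-separated list in $1, skipping
# empty, duplicate and malformed entries. Returns 1 if nothing valid is left.
split_dns_search_line() {
    # disable globbing so a '*' in server-supplied data cannot expand to filenames
    set -f
    _ifs=$IFS; IFS=,
    set -- $1
    IFS=$_ifs
    set +f
    _out=
    for _d in "$@"; do
        valid_domain "$_d" || continue
        case " $_out " in *" $_d "*) continue ;; esac
        _out="${_out:+$_out }$_d"
    done
    [ -n "$_out" ] || return 1
    printf 'search %s\n' "$_out"
}

# Constructed sample value; a real vpnc-script would pass "$CISCO_SPLIT_DNS".
split_dns_search_line "corp.example.com,lab.example.com,,corp.example.com"
```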