This adds support for authentication to SOCKS and HTTP proxies, via fairly much every method conceived to man.

The XML profile (with the list of available servers in the rotation) is now downloaded in XML POST mode. Otherwise it was missing from the NetworkManager GUI.

Various other compatibility improvements and bug fixes.

ftp://ftp.infradead.org/pub/openconnect/openconnect-6.00.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-6.00.tar.gz.asc

David Woodhouse (130):
      Fix GnuTLS 2.x build
      Fix 'missing initializer' warning on Solaris/GCC build
      Add autoconf test for functional groff with UTF-8 xhtml output
      Make pot file depend on version.sh, not Makefile
      Remove obsolete -DNO_BROKEN_DTLS_CHECK from Android build
      Consolidate into a single top-level .gitignore file
      Remove unneeded symbols from linker map
      Remove openconnect_print_err_cb() from linker map
      Remove asprintf() from linker map
      Merge branch 'rekey' of git://gitorious.org/openconnect-x/openconnect-x
      Import translations from GNOME
      Fix Windows tun read handling
      Import translations from GNOME
      Import translations from GNOME
      Import translations from GNOME
      Move fetch_config() invocation out to allow it to be used in XML POST mode
      Process XML POST response to find profile URL and download it
      Import translations from GNOME
      Resync translations with sources
      Don't fetch XML profile unless ->write_new_config() is set
      Make proxy_{read,write,gets}() return the same as the SSL methods
      Use callbacks in vpninfo for ssl_{read,write,gets} methods
      Use ssl_{read,write,gets} methods for unencrypted ("proxy") access too
      Use process_http_response() for proxy handling
      Propagate openconnect_open_https() return value
      First pass at adding proxy auth support
      Initial NTLM auth support
      Clean up ntlm_helper_fd on proxy done
      Print when attempting NTLM auth
      Rename buf_append() in cstp.c to cbuf_append()
      Make buf_append() from http.c visible elsewhere
      Add printf format attribute to buf_append()
      Use generic buf_append() in start_cstp_connection()
      Add FIXME in start_cstp_connection()
      Move NTLM out into ntlm.c
      Do not use winbind if given an NTLM password
      Add buf_append_bytes() function
      Add buf_append_base64() function
      Implement basic (ASCII-only) NTLMv1 support
      Add openconnect_md5() function for NTLMv2
      Add NTLMv2 support
      Remove stray reference to b64_frag()
      Attempt to support non-ASCII passwords in NTLM
      Support non-ASCII usernames in NTLM
      Update changelog
      Start adding GSSAPI support
      Add openconnect_base64_decode()
      Do not retry authentication methods which failed
      Add GSSAPI support
      Print message when attempting GSSAPI auth
      Let GSSAPI fail when empty token comes in
      Solaris needs <alloca.h>
      Fix GSSAPI build on Solaris
      Fix non-GSSAPI build
      FreeBSD doesn't have alloca.h
      Fix off-by-one in openconnect_base64_decode()
      Add shell of Digest auth
      Make buf_append_bytes() NUL-terminate the buffer storage
      Implement Digest authentication
      Document proxy authentication support a little
      Drop proxy connection and reconnect when auth fails
      Move cleanup_ntlm_auth() out of http.c
      Factor out basic_authorization() to look like the others
      Use an array of auth states
      Abstract out the auth methods and cleanups
      Kill empty cleanup_digest_auth()
      Add openconnect_set_proxy_auth()
      Disable Basic auth by default
      Factor out one implementation of buf_ensure_space()
      Simplify basic_authorization()
      Simplify/optimise buf_append_base64() a little
      Check for buffer alloc failures
      Leave fewer copies of proxy password around in memory
      Move buf_append_ucs2le() before ntlm_nt_hash()
      Move UCS2 conversion into ntlm_nt_hash() to keep things simple
      Make buf_ensure_space() non-static
      Make md4sum() take a struct oc_text_buf to avoid alloca()
      Correct (I think) MD4 padding count for NTLM
      Preallocate UCS2 password/md4 buffer to avoid leaving a password after realloc
      Add MSYS to configure check
      Check python version before using it
      Fix inet_aton("255.255.255.255") on Windows
      Start to fix up SOCKS auth
      Add SOCKS password auth support
      Make proxy_read() return -ECONNRESET when the connection is closed
      Add SOCKS GSSAPI auth
      Fix memory leak of orig_host in openconnect_obtain_cookie()
      Make --proxy-auth=negotiate,basic work for SOCKS auth
      Accept 'GSSAPI' in place of 'Negotiate' in --proxy-auth=
      Fix valgrind warnings on NTLM setup_schedule()
      Import translations from GNOME
      Resync translations with sources
      Move DTLS secret initialisation to openconnect_setup_dtls()
      Clear got_cancel_cmd when returning from openconnect_obtain_cookie()
      Work around GnuTLS not checking IP addresses in certs
      Fix untranslated error message
      Fix DTLS master secret generation (harder)
      Add sanity check for uninitialised dtls_secret
      Move clearing of ->got_cancel_cmd to openconnect_reset_ssl()
      struct gss_buffer_desc.length is a size_t
      Fix OpenBSD build
      Attempt to fix up gssapi portability
      Capitulate to OpenBSD's whinging. Use snprintf
      Fix NetBSD ctype warnings: "array subscript has type 'char'"
      Attempt to make sense of GSSAPI mess
      Use autoheader. Ick. But the command lines were getting silly
      Fix cleanup_gssapi_auth() to stop it segfaulting on Solaris
      Use cleanup_gssapi_auth() in failure path too
      Fix base64 decode in processing GSSAPI input
      Use SPNEGO for GSSAPI
      Update GSSAPI option flags for SOCKS to match RFC1961.
      Add strndup() compat function for OSX
      Use strndup() for processing IPv6 literals now that we have it
      GnuTLS 3.3.6 (partly) fixed the certificate check against IP literals
      Initial SSPI support for NTLM under Windows
      Add SSPI support for Kerberos/SPNEGO under Windows too
      Add SOCKS SSPI auth under Windows
      Import translations from GNOME
      Clean up argument types for openconnect_base64_decode()
      Improve GSSAPI error reporting a little
      NTLM password handling should be UTF16 not UCS2
      Fix gss_init_sec_context() error message
      Update translations from GNOME
      Shuffle main.c around to reduce #ifdef noise
      Resync translations with sources
      Print trailing newline after password input on Windows too
      Remove obsolete ssl_ui.c and references to it
      Resync translations with sources
      Fix up POTFILES list
      Tag version 6.00

Jason Wessel (1):
      Add hidden password support for windows platform

Jay Soffian (2):
      version.sh: respect GIT_DIR
      Allow libtoolize to be specified via environment variable

Kevin Cernekee (48):
      www: Don't ignore groff errors
      www: Fix missing space on platforms page
      dtls: Align new-tunnel rekey behavior with Cisco clients
      cstp: Make cstp_reconnect() static again
      android: Build ARM with -march=armv7-a
      android: Upgrade nettle from v2.6 to v2.7
      android: Update GnuTLS to 3.2.12
      java: Add java/ directory to release tarballs
      Require autoconf 2.62+ to build from git
      Use AC_PATH_PROGS_FEATURE_CHECK to test groff usability
      android: Update libstoken to 0.5
      gnutls: Fix double free() prompting for passphrase
      http: fetch_config() argument names are swapped
      xml: Make sure the config file descriptor gets closed on all error paths
      http: Don't leak the auth form when handling <client-cert-request>
      http: Don't leak form_path on error
      tun: Don't leak tun_fd on ioctl errors
      gnutls: Fix inverted return value check in GnuTLS 2.12 compatibility code
      cstp: Fix misplaced parentheses
      jni: Fix a couple of leaked strings
      dtls: Add missing dtls_reconnect() stub for !HAVE_DTLS case
      dtls: Free OpenSSL contexts when the library instance is freed
      cstp: Don't call dtls_reconnect() when DTLS is disabled
      gnutls: Handle empty (but not NULL) passwords on PKCS#12 certs
      openssl: Skip password prompt on unencrypted PKCS#12 files
      openssl: Support unencrypted PKCS#8 private keys
      http: Handle gateways that skip TLS cert requests on initial connect
      gnutls: Fix minor memory leak when trying blank passwords
      jni: Change cancelLock so it can be used from native code
      jni: Allow other threads to call setLogLevel()
      android: Introduce new "mirror fetcher" shell script
      android: Introduce $(FOO_TAR) variables for each dependency
      android: Add "make mirror-test" target
      android: Update openssl to 1.0.1g
      android: Update to GnuTLS 3.2.13
      jni: Sync jni.c and LibOpenConnect.java
      jni: Change setPFS() to use a boolean argument
      man: Add hints on using --pfs option
      Export openconnect_set_pfs() and bump API version to 3.3
      main: Use openconnect_set_pfs() instead of touching vpninfo->pfs
      Add "new library function checklist"
      www: Update changelog
      android: Update to GnuTLS 3.2.15
      library: Add openconnect_set_dpd()
      Add OC_CMD_DETACH for "reconnectable abort"
      main: Refactor signal handling
      Change most PRG_TRACE prints to PRG_DEBUG
      http: Check asprintf() return value

Mike Miller (1):
      Remove W3C icons from web pages

Nikos Mavrogiannopoulos (1):
      Reset rekey time on the first DTLS handshake.

Thomas Uhle (1):
      gnutls: fix spelling of GNUTLS_E_PREMATURE_TERMINATION

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation