This is the beta release for 6.0, with lots of shiny changes. I'm not entirely convinced that the x.99 "releases" actually get that much worthwhile testing, but they certainly don't hurt. Mostly this is a call for Kevin and Nikos to bug me about anything they still have outstanding that they really want in the 6.00 release...

This release adds support for Windows (32-bit and 64-bit builds with MinGW), and basic support for RFC4226 HOTP tokens (although there's no way to *store* the HOTP token counter). It also adds split tunnelling support for IPv6, which always would have worked, in fact, but we need to explicitly *tell* the server that we support it in order to receive an appropriate configuration. It moves the VPN mainloop functionality into libopenconnect so that it can be invoked through the library instead of having to spawn a separate openconnect process, and adds Java bindings for libopenconnect. There are also various crypto-related improvements, such as the ability to enforce Perfect Forward Secrecy and new cipher suites in DTLS with lower overhead.

Antonio Borneo (2):
      fix bug in run_csd_script()
      Fix --os=win

David Woodhouse (97):
      Merge OpenConnect v5.03 bugfix
      Do not use mmap() for reading XML config file
      Fix cert expiry warning for Windows, which lacks gmtime_r()
      Unify $host_os case statement in configure.ac
      Add compatibility for systems lacking setenv() and unsetenv()
      Start to clean up includes for MinGW build.
      Add -no-undefined to libtool invocation
      Add compatibility inet_aton() function for MinGW build
      Use closesocket() and fix errno handling for MinGW
      Set GnuTLS push/pull/errno functions on MinGW build
      Open files in binary mode on MingGW
      Fix setsockopt() warning on MinGW build
      Use send() and recv() for proxy communication (for MinGW's benefit)
      Disable CSD for MingGW build, make http.c build
      Provide pipe() for MinGW build
      Add openconnect_passphrase_from_fsid() implementation for MinGW
      Add set_sock_nonblock() and set_fd_cloexec() compat functions
      Make tun.c build for MinGW
      Disable --script-tun option on MinGW
      Disable --syslog option on MinGW
      Fix read_stdin() for MingGW
      Disable --setuid, --csd-user and --csd-wrapper options on MinGW
      Disable hostname discovery on MinGW
      Disable signal handling on MinGW
      Disable --background and --pid-file options on MinGW
      Hide GnuTLS MinGW push/pull functions when building with OpenSSL
      Add openconnect__win32_sock_init() function to initialise sockets
      Reorder header files to include <winsock2.h> before <windows.h>
      Update changelog to reflect MinGW status
      Add GnuTLS recv_timeout function for MinGW
      Remove FSF address from copyright boilerplate
      Update copyright year
      Add basic support for opening Windows TAP driver
      Import dumb_socketpair() and enable command fd for MinGW
      Fix Windows error translation to make GnuTLS happy
      Fix Windows set_sock_nonblock()
      Fix setenv() with value==NULL on Windows
      Remove Windows-specific pull/push/errno functions for GnuTLS
      Move DTLS reconnect handling into dtls.c
      Introduce dtls_state variable to make reconnect handling cleaner
      Kill new_dtls_* variables
      Fix up comment on GnuTLS dtls_ssl field
      Abstract select() and FD_SET handling
      Add event handling for Windows
      Finally add tun handling for Windows
      Make web pages work in out-of-tree builds
      Remove obsolete VAR_CVSID variable
      Remove references to Symbian
      Use intptr_t for intermediate cast to gnutls_transport_ptr_t
      Fix overflow warning in dumb_socketpair() on Win64
      Fix Windows openconnect_passphrase_from_fsid()
      Avoid building against GnuTLS v3.2.0-v3.2.9 on Windows
      Print a message when ignoring a TAP device due to --interface option
      Fix error printing when registry open fails
      Print error when no TAP interfaces found
      Move vpnc-script handling after platform detection in configure.ac
      Clean up default vpnc-script handling for Windows
      Update vpnc-script documentation for Windows
      Update build documentation
      Move set_script_env() to script.c
      Move script_config_tun() to script.c
      Factor out os_read_tun() from tun_mainloop()
      Factor out os_write_tun() from tun_mainloop()
      Move tun_mainloop() to mainloop.c
      Split out os_shutdown_tun() for Windows vs. sane platforms
      Move Windows openconnect_setup_tun_fd() to tun-win32.c
      Split out os_setup_tun() for Windows vs. sane platforms
      Move set_tun_mtu() into os_setup_tun()
      Move openconnect_setup_tun_device() to library.c
      Remove tun.c from Windows build
      Move Windows interface name matching into search_taps() function
      Clean up search_taps() function
      Make openconnect_setup_tun_fd() work on Windows
      Add openconnect_setup_tun_script() stub for Windows
      Fix OpenBSD build
      Fix crash with -C option
      Update changelog
      Import translations from GNOME
      Clean up GnuTLS openconnect_SSL_{read,write,gets} functions
      Do not abort when GnuTLS reports unclean shutdown
      Include <errno.h> in xml.c to fix non-libstoken build
      Remove Java_* wildcard from libopenconnect.map
      android: Add android/ directory to release tarballs
      Merge branch 'rekey' of git://gitorious.org/openconnect-x/openconnect-x
      Prefer python2 if available
      Add RFC4226 HOTP token support
      Don't lose translations when merging from Transifex
      Add update-po target
      Sort new files imported from Transifex so 'update-po' won't touch them
      Only include non-empty files in LINGUAS
      Resync translations with sources
      Update translations from Transifex
      Update platforms.html information about Windows builds
      Import translations from GNOME
      Fix 'cast from pointer to integer of different size' warning in Win64 build
      Resync translations with sources
      Tag version 5.99

Jeremy Visser (2):
      Support IPv6 split tunnelling
      Assign Address-IP6 field to netmask instead of address

Kevin Cernekee (83):
      library: Use named constants for process_auth_form() return value
      main: Rename process_auth_form() to avoid conflict with library
      Create a common process_auth_form() wrapper function
      auth: Remove outdated comment for parse_auth_choice()
      auth: Introduce free_opt() helper function
      library: Change oc_form_opt_select->choices to a pointer array
      auth: Provide information on which auth choice is currently selected
      process_auth_form: Add code to support NEWGROUP return status from UI
      main: Extend read_stdin() to accept hidden (password) input
      main: Split process_auth_form_cb() into smaller functions
      main: Make the authgroup picker CLI more user-friendly
      auth: Parse second-auth-related properties from the auth form
      auth: Hide unused form fields based on the selected authgroup
      Revert "auth: Temporarily disable XML POST if an authgroup dropdown exists"
      auth: Add OC_FORM_OPT_NUMERIC hint and apply it to token PIN entry
      library: Bump API version to 3.0 and document changes
      main: Update CLI to handle hidden fields and NEWGROUP
      main: Avoid infinite "303 See Other" loops on certificate-only authgroups
      main: Don't free password if it isn't used in the first auth form
      library: Clean up partially completed auth forms on error
      Unconditionally redirect CSD stdout to stderr
      ssl: Set FD_CLOEXEC on all sockets
      gnutls: Remove unused local variable
      Introduce new helper functions for cancel_fd checking
      library: Rename cancel_fd to cmd_fd
      library: Add new openconnect_setup_cmd_pipe() call
      Add new helper functions to support cmd_fd feature
      Temporarily build ssl.c + deps into the main executable
      Move signal handling out of mainloop
      cstp: Propagate error status up to the mainloop
      mainloop: Convert vpn_mainloop() into a library function
      dtls: Add dtls_close() helper function and call it on library cleanup
      mainloop: Add OC_CMD_PAUSE operation
      main: Introduce xstrdup() function
      tun: Export setup_tun() functionality
      Move vpninfo default settings into library
      library: Check for failed allocations in openconnect_vpninfo_new()
      dtls: Export setup_dtls() function
      cstp: Export make_cstp_connection()
      library: Move the mainloop guts into libopenconnect
      library: Update openconnect.pc.in
      cstp: Close socket after failed connection attempt
      tun, cstp: Don't exit() on failure
      library: Free zlib state
      cstp: Clean up split include/exclude/DNS lists when freeing vpninfo
      library: Add get/set functions for servercert, ifname, reqmtu
      library: Move IP information into a public struct
      library: Make vpn_option a public struct
      library: Export VPN configuration info to callers
      library: Tweak openconnect.h comment formatting for consistency
      library: Add protect_socket callback
      library: Add support for mobile headers
      library: Add openconnect_set_xmlpost() to support different CSD modes
      library: Add new callback for obtaining TX/RX statistics
      ssl: Don't let cmd_fd activity break timeouts
      library: Update changelog and bump minor version
      main: Add openconnect_vpninfo_free() on a couple of exit paths
      buildsys: Allow overriding -W flags
      acinclude: Add AX_JNI_INCLUDE_DIR macro
      JNI: Initial commit of C wrapper functions
      JNI: Initial commit of Java library + example program
      android: Enable JNI in build
      android: Add libstoken to build
      android: Add liboath to build
      android: Add "sources" target
      main: Add --timestamp option
      library: Fix incorrect platform ID for Mac
      Update documentation/help with the correct "--os" names
      www: Update changelog
      Fix a few minor memory leaks
      Add liboath version check
      http: Don't retry on user cancellation
      cstp_reconnect: Don't sleep if the user terminated the connection
      android: Explicitly disable symbol versioning
      android: Use make-standalone-toolchain.sh from NDK
      android: Install stripped binaries under $(TRIPLET)/out
      cstp: Make sure outbound packets are sent over CSTP if DTLS is down
      dtls: Set rekey_method correctly if the header is missing
      Sanity-check CSTP and DTLS rekey times
      mainloop: Use consistent logic for rekey timeout check
      dtls: Fix link error on !HAVE_DTLS builds
      Avoid deprecated AC_OUTPUT syntax
      mainloop: Simplify the keepalive functions

Nikos Mavrogiannopoulos (18):
      mention DTLS ciphersuite name
      Added support for GCM ciphersuites (require DTLS 1.2).
      Enable a padding when sending password, to avoid leakage of password length.
      Added --pfs option to force perfect forward secrecy
      When selecting TLS protocol options for GnuTLS set the same defaults as in openssl.
      Added openconnect_set_pfs() and its JNI counterpart
      link to Kevin's android port.
      Updated changelog for previous changes.
      Distinguish between the different rekey methods.
      Increased DTLS timeout value to 12 seconds.
      Do an SSL rehandshake when the server sends "X-CSTP-Rekey-Method: ssl".
      Do rehandshake on the DTLS channel as well.
      When CSTP rehandshake or reconnection succeeds, reconnect DTLS.
      Removed the new-tunnel reconnection option from DTLS.
      Revert "dtls: Set rekey_method correctly if the header is missing"
      Notify on rekey time when we are not in REKEY_NONE state.
      If DTLS rehandshake fails, then reconnect.
      Advertise the hostname we connect using SNI.

ftp://ftp.infradead.org/pub/openconnect/openconnect-5.99.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-5.99.tar.gz.asc

-- 
David Woodhouse
Open Source Technology Centre
David.Woodhouse at intel.com
Intel Corporation