Lots of fun stuff here, especially on Windows. We now support keys from the Windows certificate store, and the new NDIS6 TAP-Windows driver. And should run on systems as far back as Windows XP.

In order to simplify string ownership rules and reduce the likelihood of bugs, and to cope with restrictions that Windows 'DLL Hell' imposes, the API has been completely changed so that strings do not change ownership when they are passed into the library. API functions take 'const char *' and will take a *copy* of the string if appropriate. The soname of the library is bumped accordingly.

This release adds full Unicode handling for both Windows and legacy non-UTF-8 POSIX platforms. All strings passed into, or out of, the libopenconnect library should now be UTF-8, and it is the responsibility of the application, if running in a legacy environment, to do any conversions that are necessary.

The utun driver on OS X is now supported, so it's no longer necessary to install a third-party unsigned kernel module.

OATH HOTP/TOTP keys stored in a Yubikey NEO using the ykneo-oath applet are also now supported. Tested on OSX, Windows and Linux.

Software HOTP token support is now capable of using a token from a PSKC file and updating the token counter therein, thus making it actually *useful*.

Thread-safety issues caused by using setenv()/putenv() within the library have now been fixed.

A --no-system-trust option has been added, to prevent OpenConnect from trusting any certificate authorities apart from those explicitly passed to it with the --cafile option. Corresponding library APIs also exist.

Thanks to Nikos Mavrogiannopoulos and Kevin Cernekee in particular for their significant contributions to this release. Their Android and Windows clients are a major factor in continued improvements.
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.00.tar.gz.asc

Chad Catlett (1):
      Check to avoid calling iconv_close(-1) in openconnect_vpninfo_free

David Woodhouse (204):
      Fix crash on invocation with --token-mode but no --token-secret
      Slightly optimise Proxy-Authenticate: header parsing
      Improve reporting when GSSAPI auth requested but not compiled in
      Fix off-by-one in xmlnode_msg() handling of error messages
      Solaris 10 *still* doesn't have 'grep -q'
      Revamp GSSAPI detection
      Avoid retrying without XML POST when we didn't even manage to connect
      Fix openconnect_base64_decode() to return the buffer
      Cosmetic fix in cleanup_ntlm_auth()
      Honour Proxy-Connection: close during authentication
      Import translations from GNOME
      Fix potential memory leak on GSSAPI failure
      Improve GSSAPI error reporting
      Don't force a reconnect if GSSAPI fails without trying
      Use RegQueryValueEx() instead of RegGetValue() to support 32-bit Windows XP
      Import translations from GNOME
      Resync translations with sources
      Sort openconnect.pot by file to avoid spurious changes
      Fix signedness in url-encoding for legacy auth postings
      Clean up return paths in openconnect_obtain_cookie()
      Use oc_text_buf for auth postings
      Return body from process_http_response() in oc_text_buf
      Dynamically find GetVolumeInformationByHandleW(); old Windows lacks it
      Add inet_pton() compatibility for Windows
      Make buf_append_urlencoded() more conservative about non-ASCII chars.
      Move buf_append_utf16le() to http.c and make it non-static
      Use "Unicode" versions of SSPI functions
      Add buf_append_from_utf16le() which appends UTF-8 to the buffer
      Handle non-ASCII tun device names under Windows
      Print name of Windows tun device not devname
      Use read_stdin() instead of fgets() in certificate validation
      Export asprintf() and vasprintf() compatibility functions
      Refactor read_stdin() a little to prepare for charset conversion
      Attempt to convert output to locale charset from UTF-8
      Convert to UTF-8 when reading from stdin
      Separate read_stdin() implementations for Windows vs. POSIX
      Handle UTF-8 input on Windows
      Handle UTF-8 output on Windows too
      Fixes for buf_append_utf16le()
      Use _wputenv() for Windows environment
      Fix tun device matching with --interface on Windows
      Move Windows UTF-8 stdio functions up to live with POSIX ones
      Introduce dup_config_arg() macro
      Add conversion to UTF-8 of command-line arguments
      Add missing 'Proxy CONNECT request failed: %d' translation back
      Use setlocale() unconditionally, complain if non-UTF8 locale and no iconv
      Take a copy of the string that nl_langinfo() returns
      Fix some arguments missing dup_config_arg()
      Add openconnect_utf8_to_legacy() helper function for charset conversion
      Add open_utf8() and fopen_utf8() functions for opening files
      Use open_utf8() in GnuTLS load_datum()
      Convert vpninfo->ifname to legacy charset for $TUNDEV and configuration
      Convert $CISCO_BANNER environment variable to legacy charset
      Convert vpnc_script to legacy charset (or UTF-16 for Windows)
      Factor out OpenSSL install_extra_certs() from load_pkcs12_certificate()
      Extend reload_pem_cert() to become load_cert_chain_file()
      Avoid SSL_CTX_use_RSAPrivateKey_file() because it doesn't handle UTF-8.
      Convert cafile to legacy charset for OpenSSL
      Convert last remaining OpenSSL code to open_utf8()
      Add web page about charset handling
      Update changelog
      Handle UTF-8 sslkey in BSD openconnect_passphrase_from_fsid
      Handle UTF-8 sslkey in Linux openconnect_passphrase_from_fsid
      Handle UTF-8 sslkey in Windows openconnect_passphrase_from_fsid
      Fix asprintf() handling in openconnect_passphrase_from_fsid()
      Remove static out_pkt
      Fix buf_append_utf16le() error handling harder
      Make buf_append_utf16le() suitable for validation-only
      Check inputs for invalid UTF-8
      Fix csd_wrapper handling for non-UTF8 locales
      Wrap ifreq_set_ifname() in #ifndef __sun__ to shut the compiler up there
      Remove stray perror() in convert_str()
      Update GUI page
      Fix NetBSD compile warnings with isspace()
      Fix UTF-8 handling of config file name
      Use O_BINARY for xmlconfig file
      Silence iconv() compiler warnings on systems which expect (const char **)
      Update translations from GNOME
      Fix SOCKS GSSAPI auth to send final token client->server if needed
      Fix SOCKS SSPI auth to send final token client->server if needed
      Fix SSPI SOCKS auth crash on double-cleanup
      Fix endless loop when automatic NTLM auth fails
      Fix ntlm_auth handling to accept AF in auth reply
      Minor SSPI fixes
      Update translations from GNOME
      Convert all args using GetCommandLineW() on Windows
      Be consistent about spelling of cancel{l,}ed
      Update changelog
      For HOTP tokens increment vpninfo->token_time in do_gen_hotp_code()
      Allow whitespace at end of HOTP and TOTP tokens
      Allow HOTP/TOTP secrets to be specified in hex form
      Remember what form we got the HOTP secret in
      Add openconnect_set_token_callbacks() API
      Support writing back to token files from openconnect(8) itself
      Actually lock and unlock/write back HOTP tokens when counter updates
      Update changelog
      Add token lock/unlock callbacks to Java bindings
      Add PSKC support
      Shift TOTP/HOTP functions in auth.c under a single #ifdef HAVE_LIBOATH
      Shift TOTP/HOTP functions in library.c under a single #ifdef HAVE_LIBOATH
      Move HOTP/TOTP code to oath.c
      Move stoken code to stoken.c
      Add software token documentation
      Disable soft token on failure
      Reread token file in lock_token()
      Resync translations with sources
      Use BIO_CLOSE when importing PEM private key with OpenSSL
      Stop using obsolete vpninfo->cert_type in GnuTLS code
      Stop using obsolete vpninfo->cert_type in OpenSSL code
      Remove cert_type field from struct openconnect_info
      Clean up OpenSSL key loading
      Merge branch 'hotp-java-v1' of git://github.com/cernekee/openconnect
      Fix DeviceIoControl() calls to make NDIS6 TAP-Windows driver happy
      Use inet_pton() to provide inet_aton() functionality
      Import translations from GNOME
      Stop internal_parse_url() mangling its input
      Stop openconnect_set_proxy_auth() mangling its input.
      Remove _BSD_SOURCE for Linux builds
      Bump library soname and add 'const' to lots of char * arguments
      Fix up Java code for string handling changes
      Rename 'value' field of struct oc_form_opt to discourage direct access
      Update changelog
      Fix build with OpenSSL
      Add openconnect_free_cert_info()
      Fix cancel_fd handling under non-Windows
      Fix JNI code to use openconnect_free_cert_info()
      Add getCSTPCipher() and getDTLSCipher() methods to Java bindings
      Cache cstp_cipher string for GnuTLS only
      Add openconnect_set_system_trust() to library API
      Import translations from GNOME
      Resync translations with sources
      Print error message strings on Windows
      Trivial translation update for Windows error output
      Resync translations with sources
      Strip trailing \r\n from Windows error messages
      Fix incompatible-pointer-types-discards-qualifiers warning on GhostBSD/clang
      Fix some clang format-nonliteral warnings
      Include stdlib.h in GSSAPI test to fix detection on GhostBSD
      Fix FreeBSD with devfs_cloning off. Harder.
      Add utun support for OS X
      Allow 'utun0' device name on OSX
      Make openconnect_init_ssl() return success/failure code
      Add vpn_perror() macro and use it instead of perror()
      Make GNUTLS_E_PUSH_ERROR reporting for DTLS slightly more helpful
      Handle ERROR_OPERATION_ABORTED on Windows TAP device
      Switch to using AM_ICONV
      Import AM_ICONV implementation
      Fix mingw32 build where libtool was failing to check for egrep
      Use ICONV_CONST now that we have it
      Detect libintl in $prefix too, like we do libiconv
      Fix Solaris build
      Avoid writing directly to stderr on OpenSSL UI error
      Avoid writing directly to stderr on Solaris tun error
      Start to clean up #ifdef mess in tun.c
      Clean up Linux and BSD/OSX functionality in tun.c
      Fix thread-unsafe setenv() usage
      Allow console output from vpnc-script on Windows
      Stop calling setenv() from JNI code
      Update changelog
      Do not call vpn_progress() after forking
      Kill OPENCONNECT_X509, let certain functions only operate on peer_cert
      Provide openconnect_check_peer_cert_hash() function
      Add --no-system-trust command line option
      Switch to using SHA1 of server public key
      Update changelog
      Fix error handling for --servercert mismatch
      Do not allow Darwin to autoallocate utun devices
      Fix lifetime of cstp_cipher and peer_cert_hash strings
      Avoid leaking vpninfo->platname
      Fix up some more memory leaks
      Make set_peer_cert_hash() static
      Fix libintl linkage in pkg-config
      Fix GnuTLS openconnect_local_cert_md5() to give text output not binary
      Handle gnutls_certificate_get_ours() only returning the cert if it's used
      Update Java bindings for peer certificate handling changes
      Fix double-free in gnutls_pkcs12_simple_parse()
      Build for Java 1.5 to avoid compatibility issues
      Add initial support for TOTP/HOTP keys in Yubikey NEO
      Free PC/SC contexts in openconnect_vpninfo_free()
      SCard API cleanups
      Make Yubikey support build on Windows
      Improve error message when yubikey applet select fails
      Make Yubikey support build on OS X
      Document YubiOATH support
      Add openconnect_yubikey_challenge()
      Factor out select_yubioath_applet() function and make it do authentication
      Implement password request for Yubikey
      Avoid keeping the real Yubikey PIN around
      Add comment about Yubikey password charset brain-damage
      Rename --token-mode=yubikey to --token-mode=yubioath
      Use SCardListReadersW()/SCardConnectW() in Windows
      Fix GnuTLS 2.12 build
      Use native GnuTLS PIN callback instead of p11-kit where possible
      Remove vpninfo->servercert
      Sort linker script
      Admit Yubioath support in header comments
      Print YubiOATH support status in test Java app
      Fix Windows documentation for --script argument
      Documentation updates
      Add support for GnuTLS system keys
      Update changelog
      Add openconnect_has_system_key_support()
      Resync translations with sources
      Tag version 7.00

Joe Hu (1):
      Fix incorrect return value of inet_aton() shim

Kevin Cernekee (18):
      http: Fix memory leak in do_https_request()
      http: Call buf_truncate() before appending XML POST data
      http: Don't leak orig_host or orig_path
      http: Fix CSD https requests
      xml: Make a generic function to read a file into a string
      xml: Trim whitespace from xmlconfig entries
      xml: Call openconnect_parse_url() on <HostAddress> entries
      main: Restore tty state if password prompt is aborted
      main: Allow reading --token-secret from a file
      auth: Rearrange stoken support code
      auth: Refactor stoken form handling
      Rename and export open_utf8(), fopen_utf8()
      ssl: Allow openconnect_open_utf8() to be used with O_CREAT
      ssl: Support more read/write modes in openconnect_fopen_utf8()
      Use openconnect_[f]open_utf8() for xmlconfig, pidfile, config_file
      java: Add constant for OC_TOKEN_MODE_HOTP
      jni: Fix onTokenLock() invocation from native code
      www: Add notes on SecurID PIN usage

Nikos Mavrogiannopoulos (16):
      Added a default timeout value in CSTP handshake using gnutls
      use windows types and return codes for socket errors
      use recv() and closesocket() on the cmd_fd on windows
      use CreateProcess instead of system to run scripts.
      define _GNU_SOURCE to get asprintf's definition in mingw32
      mention openconnect-gui
      do not take ownership of any of the provided strings
      define openconnect_set_option_value() to set the value in oc_form_opt
      clear all cookies when doing a reset SSL
      remove the disable safe renegotiation flag from DTLS
      corrected gnutls version number check
      Added API to read the ciphersuites used for CSTP and DTLS
      Make the cipher strings consistent based on which library is in use
      Added openconnect_set_system_trust()
      Add setSystemTrust() to Java bindings
      force DTLS reconnect if the session ID we get from TLS changes

Paul Donohue (1):
      Fix invalid/double free if PKCS#11 token does not include CA certs

Stuart Henderson (1):
      GNUism in www/Makefile

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation
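As an added illustration of the string-ownership change described at the top of this announcement (the setters now take 'const char *' and keep their own copy), here is example code written for this page; it is not OpenConnect's own code. The handle type `struct ctx`, the setters `set_hostname_take_ownership()` / `set_hostname_copy()` and the validator `utf8_valid()` are hypothetical names standing in for the real library API. It goes one step beyond the announcement by also rejecting malformed UTF-8 on input, in the spirit of the "Check inputs for invalid UTF-8" change in the log, since the new contract is that every string crossing the API boundary is UTF-8.

```c
/* Added example, not OpenConnect's own code: the string-ownership change the
 * 7.00 announcement describes, on a hypothetical library handle. An
 * ownership-taking setter leaves caller and library sharing one buffer; a
 * const char * setter that validates and copies leaves each side owning only
 * what it allocated, which is what avoids cross-CRT frees on Windows. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

struct ctx {            /* hypothetical stand-in for the real vpninfo handle */
    char *hostname;
};

/* 1 if s is well-formed UTF-8 (RFC 3629: no overlong forms, no UTF-16
 * surrogates, nothing above U+10FFFF), else 0. */
int utf8_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    while (*p) {
        unsigned char c = *p;
        int len; unsigned int cp, min;
        if (c < 0x80) { p++; continue; }
        if ((c & 0xE0) == 0xC0)      { len = 2; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
        else return 0;                   /* stray continuation byte or 0xF8+ */
        for (int i = 1; i < len; i++) {
            if ((p[i] & 0xC0) != 0x80)   /* also catches a premature NUL */
                return 0;
            cp = (cp << 6) | (p[i] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return 0;
        p += len;
    }
    return 1;
}

/* Library-side copy taken from the library's own allocator. */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Old convention: takes ownership of s; the caller must not touch s again. */
void set_hostname_take_ownership(struct ctx *c, char *s)
{
    free(c->hostname);
    c->hostname = s;
}

/* New convention: const char * in, private copy kept. 0 on success, -EINVAL
 * for malformed UTF-8, -ENOMEM if the copy fails; old value kept on failure. */
int set_hostname_copy(struct ctx *c, const char *s)
{
    if (!utf8_valid(s)) return -EINVAL;
    char *dup = copy_string(s);
    if (!dup) return -ENOMEM;
    free(c->hostname);
    c->hostname = dup;
    return 0;
}

void ctx_free(struct ctx *c)
{
    free(c->hostname);
    c->hostname = NULL;
}

/* 1 if the copying API keeps the library's value intact after the caller
 * mutates and frees its own buffer. */
int copy_api_isolates_caller_buffer(void)
{
    struct ctx c = { NULL };
    char *buf = copy_string("vpn.example.com");  /* constructed caller buffer */
    if (!buf || set_hostname_copy(&c, buf) != 0) {
        free(buf);
        return 0;
    }
    buf[0] = 'X';   /* caller mutates its buffer ... */
    free(buf);      /* ... and frees it; both are legal under this API */
    int ok = strcmp(c.hostname, "vpn.example.com") == 0;
    ctx_free(&c);
    return ok;
}

/* 1 if the ownership-taking API shows the aliasing hazard: a later caller
 * write changes what the library sees. (The companion hazard, caller free()
 * then library free(), is a double free and is deliberately not executed.) */
int take_ownership_api_aliases_caller_buffer(void)
{
    struct ctx c = { NULL };
    char *buf = copy_string("vpn.example.com");
    if (!buf) return 0;
    set_hostname_take_ownership(&c, buf);
    buf[0] = 'X';
    int aliased = strcmp(c.hostname, "Xpn.example.com") == 0;
    ctx_free(&c);   /* frees buf on the library's behalf; caller must not */
    return aliased;
}
```

The two demo functions are the whole point: with the copying setter the caller can do whatever it likes with its buffer afterwards, while with the ownership-taking setter the same innocuous write changes library state, and a free() on the caller's side would become a double free. On Windows the copying convention has the extra benefit the announcement alludes to: the library only ever frees memory it allocated through its own C runtime.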