The biggest thing here is the Juniper support, which is still experimental. This is actually the obsolescent Network Connect protocol; we'll probably end up also implementing Junos Pulse support, which actually provides IPv6 rather than only Legacy IP. But not this week!

This release adds HTTP authentication to VPN servers, as supported by ocserv 0.10.0. For users with CPUs that can't do arbitrary unaligned access, there's a fix for the LZS compression code. Also added support for SHA256 and SHA512 HOTP/TOTP keys, a workaround for issues with non-ASCII passwords set by older versions of the YubiOATH Android app, and various fixes for the OpenSSL build.

ftp://ftp.infradead.org/pub/openconnect/openconnect-7.05.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.05.tar.gz.asc

David Woodhouse (204):
      Start separating protocol-specific methods from generic VPN support
      Move DTLS methods into struct vpn_proto
      Move CSTP methods into struct vpn_proto
      Move CSTP authentication and obtain_cookie to auth.c
      List Cisco protocol-specific files separately in the Makefile
      Rename and move cstp_free_splits
      Move nuke_opt_values() and process_auth_form() to library.c
      Make many functions in auth.c static
      Move unhex to script.c
      Add 'replace' argument to http_add_cookie()
      Move cstp_read() and cstp_write() to openssl.c/gnutls.c and rename them
      Move some helpers out into auth-common.c
      Make connect_dtls_socket() and try_dtls_handshake() static
      Factor out udp_sockaddr() helper function
      Factor out udp_connect() helper function
      Make 'route' member of struct oc_split_include a const char *
      Add shell of Juniper support
      Add oncp_common_headers()
      First negotiation packets for oNCP
      Get slightly further in oNCP negotiation
      Final oNCP negotiation packet
      Primitive implementation of oncp_mainloop()
      WIP oNCP authentication
      Slightly more complete implementation of Juniper authentication
      Handle Juniper HTTP server brokenness with initial connect requests
      Endianness fixes
      Add some debugging for SSL reads
      Handle return value from ssl_write()
      Fix netmask option handling
      Dump outgoing data packet
      Fix length on outbound data packet
      Get KMP message type from right place
      Actually post auth entries
      Free XML doc in oNCP auth loop
      For oNCP, a redirect turns POST into GET
      Fix button name comparison
      Always check for auth success, not only when !form
      Don't free doc twice in quick succession
      Add missing newline
      Interpret some ESP TLVs
      Add ESP replay protection TLV
      Add ESP compression TLV
      Fix key lifetime TLV
      More config TLVs
      Add TNCC support
      Do not throw away form entries as soon as we get them
      Attempt ESP negotiation
      Fix ESP TLVs
      Add ESP decryption (unused)
      Implement ESP encryption
      Implement sequence number checking
      Add stub functions for ESP support
      Hook up ESP mainloop
      Set up poll() on oNCP fd
      Add ESP support for OpenSSL
      Treat SPI as a uint32_t instead of char[]
      Dump ESP parameters
      Handle incoming KMP messages with multiple packets
      Tell server when ESP is running
      Handle ESP rekeying
      Fix up ESP renegotiation reply
      Print when receiving ESP packets
      Accept packets on old ESP setup during changeover
      Handle multiple KMP messages in one SSL packet
      Handle split includes
      Check incoming data packets don't exceed MTU
      Improve debugging in oncp_receive_data() a little
      Attempt to handle large data messages exceeding a single SSL record size
      Add support for using esp-openssl.c with GnuTLS 2.12
      Fix build for GnuTLS 2.12 without OpenSSL
      Render U+002D HYPHEN-MINUS in manual page where needed
      Add endian-specific word load/store functions
      Use endian-specific access functions in ntlm.c
      Use endian-specific access functions in cstp.c
      Use endian-specific access functions in gssapi.c
      Use endian-specific access functions in http.c
      Use endian-specific access functions in oncp.c
      Use endian-specific access functions in ssl.c
      Use endian-specific access functions in sspi.c
      Use endian-specific access functions in yubikey.c
      Use load_le16() and store_le16() for UTF-16 surrogate pairs
      Fix Win32 build warnings in esp.c
      Fix isspace() warning on *BSD. Again
      Don't use anonymous struct for oncp in struct pkt hdr
      Do not have separately named struct esp_hdr
      Use named struct for CSTP in struct pkt too
      Adjust static packets to build with GCC < 4.6
      Disable ESP when OpenSSL lacks HMAC_CTX_copy()
      Credit Tiebing
      Update copyright year
      Implement esp_close() and esp_shutdown()
      Add LZO decompression support
      Fix check for HMAC_CTX_copy()
      Improve packet queue handling
      Work around gnutls_record_get_direction() bug
      Fix crash in create_script_env() if environment variables already exist
      Attempt to handle frmDefender and frmNextToken
      Move protocol-specific decisions about when to use tokencodes into protocol code
      Allow automatic OATH for Juniper
      Update Solaris bug ID for time() going backwards
      Update changelog to admit to Juniper support
      Treat form with OC_FORM_OPT_TOKEN as non-empty
      Use generic can_gen_tokencode() for oNCP
      Calculate TOTP/HOTP codes for ourselves
      Avoid using liboath in buf_append_base32()
      Avoid using liboath for decoding base32
      Remove liboath dependency
      Support SHA256/SHA512 for OATH
      Fix OATH token generation for non-SHA1 with GnuTLS
      Fix token-secret parsing when HMAC algorithm is specified
      Fix leading zeroes on OATH tokencodes
      Fix handling of SHA512
      Add openconnect_set_loglevel()
      Website updates
      Add TNCC documentation
      Make --authgroup work for Juniper
      Implement ESP keepalive and periodic reconnect attempt
      Add link to IRC channel
      Remove obsolete check against esp_enable_pkt
      Implement oNCP reconnect
      Update docs for Juniper now the reconnect is done
      Split out get_utf8char() from buf_append_utf16le()
      Fix OpenSSL build
      Add pwlen argument to openconnect_hash_yubikey_password()
      Fix memory leak if openconnect_hash_yubikey_password() fails
      Work around Yubikey/Android PBKDF2 bug
      Update changelog
      Handle Juniper session expiry
      Attempt to automatically select a session to kill when there's a choice
      Print debug message when sending ESP probes
      Set work_done when telling server to enable ESP
      Check padding bytes in ESP
      Dump invalid packet in connection
      Shift Juniper auth code out into its own file
      Merge branch 'master' of ssh://git.infradead.org/home/dwmw2/public_git/openconnect
      Allow larger 301 configuration packet
      Expand nonroot.html page and improve TUNSETIFF -EPERM error handling
      Change to a less Comic Sans-esque font
      Handle split exclude routes for Juniper
      Update translations from GNOME
      Remove stray debugging message from configure script
      Include more needed OpenSSL headers
      Regenerate SSL_SESSION each time for DTLS
      Shuffle DTLS SSL_SESSION regeneration to live together
      Split generate_dtls_session() for OpenSSL
      Fix openssl.c build with OpenSSL HEAD
      Fix dtls.c build with OpenSSL HEAD
      Add broken OpenSSL check for 1.0.2
      Fix OpenSSL ESP HMAC calculation
      Allow CSTP and DTLS compression to be different
      Fix ASN.1 INTEGER encoding to avoid sign-extension issues
      Refer to OpenSSL RT#3703 and RT#3711 for OpenSSL 1.0.2 breakage
      Add DTLS1.2 and AES-GCM support for OpenSSL 1.0.2+
      Fix typo
      Add lzo.h to dist
      Rename struct proxy_auth_state to struct http_auth_state
      Stop cleanup_ntlm_auth() using auth_state
      Start making HTTP authentication less proxy-specific
      Fix non-GSSAPI build
      Fix Windows NTLM build
      Fix Windows SSPI build
      Add unused http_auth states, add proxy argument to authorization methods
      Let cleanup functions distinguish between proxy and http auth
      Fix up Digest auth for non-proxy authentication
      Fix up Basic auth for non-proxy authentication
      Fix up NTLM auth for non-proxy authentication
      Fix up GSSAPI auth for non-proxy authentication
      Fix up SSPI auth for non-proxy authentication
      Don't close stdin on startup
      Cleaner fix for NTLM closing stdin on cleanup
      Fix some more proxy assumptions in HTTP auth
      Move HTTP authentication out into http-auth.c
      Finally add (non-proxy) HTTP authentication support
      Fix errors in moving auth code to http-auth.c
      Update changelog
      Add X-Support-HTTP-Auth: header for ocserv
      Support fallback from X-Support-HTTP-Auth
      Clean up handling of default disable for Basic auth
      Fix memory leak with --proxy-auth argument
      Add openconnect_set_http_auth() and --http-auth command line option
      Add openconnect_set_protocol() API
      Update Juniper docs
      Fix unaligned data reference in LZS
      Don't forget parens around macro arguments
      Update changelog
      Fix memory handling issues in Juniper parse_select_node()
      Fix memory leak in failure case
      Fix leak of request_body buf
      Fix reqbuf leak in error case
      Fix memory leak on error path
      Fix potential memory leaks in Digest auth
      Don't call send() with negative lengths if encrypt_esp_packet() fails
      Avoid apparent possibility of double-free of pending_deflated_pkt
      Check gnutls_hmac() return value
      Forbid pointless http_add_cookie() with value==NULL and !replace
      Stop using 1ULL as the base value to be shifted in LZS GET_BITS()
      Add explicit comment for switch() fall through case
      Fix memory leak in ntlm_nt_hash() error paths
      Fix regression in manual NTLM auth
      Add explicit check for user/pass before ntlm_manual_challenge()
      Remove unreached goto
      Fix leak of xmlfile on error path
      Resync translations with sources
      Tag version 7.05

Kevin Cernekee (5):
      android: Re-enable libxml HTML support
      android: Add liblz4 to build
      cstp: AC_PKT_DISCONN payload length can be 0
      cstp: Add X-AnyConnnect-* mobile headers on CONNECT request
      auth-juniper: Check asprintf() return values

Mike Miller (1):
      Fix undefined reference error when building with GnuTLS

Nikos Mavrogiannopoulos (3):
      limit the number of newgroup attempts
      Move internal auth state in http_auth_state.
      Added an upper limit on the number of redirects

-- 
David Woodhouse
Open Source Technology Centre
David.Woodhouse at intel.com
Intel Corporation
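The announcement mentions SHA256/SHA512 HOTP/TOTP keys, and the shortlog records that OpenConnect now calculates the codes itself (with a fix for leading zeroes on tokencodes). The following is an added example, not OpenConnect's code, showing what that calculation involves: RFC 4226 HOTP with the dynamic-truncation step, RFC 6238 TOTP layered on top with the HMAC algorithm selectable, and a base32 secret decoder of the kind a client needs once liboath is gone. The function names, the base32 helper and the choice of Python are assumptions made for the example; the test vectors are the published ones from RFC 4226 and RFC 6238.

```python
import base64
import hashlib
import hmac
import struct

# Digest constructors for the three HMAC algorithms RFC 6238 allows.
DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def decode_base32_secret(secret):
    """Decode a base32 OATH secret as users usually receive it: any case,
    optional spaces, and no '=' padding (which base64.b32decode insists on).
    Helper assumed for this example."""
    s = "".join(secret.split()).upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algo="sha1"):
    """RFC 4226 HOTP over HMAC-<algo>; returns a zero-padded string."""
    if algo not in DIGESTS:
        raise ValueError("unsupported HMAC algorithm: %s" % algo)
    # Counter is an 8-byte big-endian value; the MAC length (20/32/64 bytes)
    # depends on the algorithm, but truncation below is the same for all.
    mac = hmac.new(key, struct.pack(">Q", counter), DIGESTS[algo]).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # Keep the code as a string: "07081804" must not collapse to 7081804,
    # which is exactly the leading-zero bug class the shortlog mentions.
    return "%0*d" % (digits, code % 10 ** digits)


def totp(key, unix_time, step=30, t0=0, digits=6, algo="sha1"):
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(key, (int(unix_time) - t0) // step, digits, algo)


if __name__ == "__main__":
    # RFC 6238 Appendix B seeds (ASCII digits repeated to the digest size).
    seeds = {
        "sha1": b"12345678901234567890",
        "sha256": b"12345678901234567890123456789012",
        "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",
    }
    for algo, key in seeds.items():
        print(algo, totp(key, 59, digits=8, algo=algo))   # 94287082 / 46119246 / 90693936
    print("sha1 at T=1111111109:", totp(seeds["sha1"], 1111111109, digits=8))  # 07081804
    print("hotp counter 0:", hotp(decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq"), 0))  # 755224
```

Note the two details the shortlog's OATH fixes point at: the secret size differs per algorithm (a SHA512 key is 64 bytes, so a parser that assumes a 20-byte SHA1 key will silently truncate it), and the tokencode must be carried as a fixed-width string rather than an integer or the first digit is lost whenever it is zero.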