A bunch of fixes, including Juniper compatibility with Junos Pulse 8.2 servers, and some other new form support in Juniper. We really ought to support handling this with a 'proper' web browser, at least for the GUI clients. The hard-coded hacks to parse known HTML forms are getting nastier with each special case we add.

I've added a certificate torture test suite and fixed a number of the bugs it showed with various esoteric (and not so esoteric) file formats. Distributors, please ensure you run 'make check' in your package build, and chase up any failures caused by the libraries you're building against.

It supports the new DTLS 'real negotiation' support with ocserv, instead of deciding the cipher suites in advance. And does run-time probing for the data MTU.

Some Windows fixes, including support for point-to-point routing.

For those building against OpenSSL, this adds support for the final OpenSSL 1.1 release. And fixes a security issue: OpenSSL-built clients failed to *check* that the DTLS session was actually being resumed, and hypothetically an attacker could have captured the DTLS session by just performing a full handshake. So the client would be exchanging IP packets with the attacker instead of the real VPN network.

I have managed to reproduce that attack using OpenSSL-built OpenConnect against ocserv, where it uses standard DTLS protocols. Since Cisco's pre-1.0 version of DTLS isn't fully supported by OpenSSL for full handshakes (it's only ever used for resumes), I wasn't trivially able to reproduce when talking to a Cisco ASA, but I believe it should be possible.

If you build OpenConnect against OpenSSL then you should upgrade immediately. GnuTLS builds are not affected as they would never succeed in performing a full negotiation in this situation anyway.
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz.asc

Bjørn Ketelaars (2):
      Fix indentation in manpage openconnect
      Small error in openconnect.8

Dan Lenski (1):
      Correctly handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24

Daniel Lenski (3):
      append_opt() and buf_append_urlencoded() should take const char *
      Make buf_append_urlencoded() percent-encode fewer characters.
      Unset got_cancel_cmd after reacting to it, as is already done for got_pause_cmd

David Woodhouse (181):
      Handle Juniper pre-auth message too
      Revert to original OpenSSL workaround now we can access get_issuer()
      Fix OpenSSL 1.1 compiler warning
      Fix warning about unused esp_kmp_hdr in non-ESP build
      Add configure check for OpenSSL RT#4631
      Fix condition for GnuTLS ESP
      Add 1.0.1q to 1.0.1u-dev to broken OpenSSL versions (RT#4631)
      Add bad_dtls_test from OpenSSL PR#1296
      Use DTLS_client_method() and TLS_client_method() for OpenSSL 1.1+
      Fix non-const warning in legacy generate_dtls_session()
      Use X509_V_FLAG_PARTIAL_CHAIN for OpenSSL >= 1.0.2
      Kill PACKET_starts() from bad_dtls_test
      More OpenSSL 1.1 API breakage...
      Build openconnect before we test it
      Print correct filename when key not found
      Add cert format torture test
      Fix GnuTLS handling of OpenSSL encrypted PEM files
      Add support for DER-encoded PKCS#1 and PKCS#8 files with OpenSSL
      Add support for DER-encoded PKCS#1 and PKCS#8 files with GnuTLS
      Add more certificate tests: PKCS8-PBES1, and DER forms of everything
      Update changelog
      More explicit PKCS#12 tests
      Add VERBOSE=1 to gitlab make check
      Fix auth-certificate test
      Try unencrypted PKCS#8 DER specifically.
      Allow DTLS unit test to be disabled
      Use AS_HELP_STRING() consistently
      Move lzstest to tests/
      Output summary from configure script
      Only set DTLS_GNUTLS if it's true
      Fix pretty-printing of $ssl_library. "both" means we're using GnuTLS.
      Do not set HAVE_GNUTLS_SESSION_SET_PREMASTER
      Don't check for SSL_OP_CISCO_ANYCONNECT
      Instead of disabling the DTLS test, make it XFAIL
      Use oc_text_buf for constructing proxy URL
      Use oc_text_buf for constructing group-access node
      Quote SSL_DTLS_PC
      Add OpenSSL-only CI build
      Fix retry on tun fd when it isn't a Linux tun device
      Update translations from GNOME
      Resync translations with sources
      Add translations for 'Enter PKCS#8 pass phrase:'
      Add rôle selection for Juniper auth
      Fix mingw build warning
      Fix typo in rôle table matching
      Fix crash in install_extra_certs() on PKCS#12 file containing no cert
      Add newlines to PKCS#12 error messages
      Update translations from GNOME
      Add some more PKCS#12 test cases, including a mixed one that upsets GnuTLS
      Fix ESP replay integer overflow problems
      Increase ESP packet backlog to 64 packets
      Do not define _POSIX_C_SOURCE
      Include <string.h> from openconnect-internal.h
      Split ESP sequence number handling into a separate file
      Prevent ESP seq# wrap-around
      Add ESP seq# test
      Fix portability of lzstest
      Run tests even without CWRAP
      Fix up translation for ESP debug messages
      Resync translations with sources
      Update translations from GNOME
      Fix translation search/replace errors
      Disable known GnuTLS failures to make gitlab tests pass again
      Fix uninitialised variable usage in parse_roles_form_node()
      Fix FreeBSD9 build warnings
      Attempt to add FreeBSD CI build
      Fix gitlab CI config
      Slight cleanup for verify_packet_seqno
      Add --with-vpnc-script to FreeBSD CI build
      Run all cert tests by default with manual invocation
      Explicitly detect, and reject building with, LibreSSL
      We don't need cwrap for bad_dtls_test any more
      Add support for EC PKCS#1 certs
      Fix crash in init_esp_ciphers with OpenSSL < 1.1
      Add DSA and EC keys to torture tests
      Remove stray key files
      Make MAX definition conditional to make FreeBSD happy
      Fix main.o dependency on version.c
      Fix main.o dependency harder
      More LibreSSL build fixes
      Add missing user-cert.prm
      Use --key-password for OpenSSL PKCS#11 PIN
      Add PKCS#11 tests
      Add softhsm2.conf
      Missing auth-pkcs11
      Enable EC PKCS#11 test
      PKCS#11 test shouldn't be unconditional
      FFS, eventually I'll get the condition right
      Fix softhsm check
      Support pin-value= for PKCS#11 URI with OpenSSL
      Import keys for SoftHSM with softhsm2-util
      Re-import SoftHSM token
      Disable DSA tests for GnuTLS too
      Fix uninitialised cert pointer in load_pkcs11_certificate()
      Only run test-pkcs11 if we have cwrap
      Update changelog
      Add missing distfiles
      Change tar format to allow softhsm objects to fit
      Fix ESP replay problem
      Reorder ESP sequence checks
      Update comment
      Fix compiler warning in verify_packet_seqno()
      Fix format warning in openconnect_win32__strerror()
      Use shared runners
      Don't discard output from ocserv in tests
      Create ocserv config files from configure script
      Put test sockdir in build dir
      Add pubkey-less PKCS#11 tests
      Use --no-mark-private for all objects in token=openconnect-test1
      Add PKCS#11 test with CKA_PRIVATE on certs
      Check for errors from SSL_CTX_use_PrivateKey()
      Fix PKCS#11 error reporting
      Work around OpenSSL crash with EC keys lacking public key
      Fix OpenSSL 1.1 build of EC workaround
      Suggest using --servercert when certificate validation fails
      Kill --no-cert-check
      Call SSL_CTX_check_private_key() to validate cert+key match
      Update translations from GNOME
      Fix 'Got no issuer from PKCS#11' message
      Escape 'PKCS#11 support' in configure summary
      Remove unused variable from bad_dtls_test.c
      Fix configure reporting of Yubikey support
      Allow explicit disabling of DSA tests
      Enable CentOS CI builds
      Fix Windows inet_pton() build warning
      CI cleanups
      Revamp GnuTLS/OpenSSL detection
      Simplify ESP conditionals
      Simplify DTLS conditionals
      Remove bad-random test stuff
      Split crypto library parts out from dtls.c to {gnutls,openssl}-dtls.c
      Reinstate 'make check' warning for OpenSSL builds
      Add serverhash test tool
      Kill DTLS_FREE macro
      Fix build from clean
      Add openconnect_init_ssl() in serverhash.c
      Fix Windows build of serverhash
      Fix serverhash build with local OpenSSL
      Report actual DTLS cipher for OpenSSL
      Allow OpenSSL to use TLSv1.2
      Set SSL_OP_TLSEXT_PADDING to work around F5 firewall bugs
      Update changelog
      Update translations from GNOME
      Single pipeline for creating openconnect.8.inc
      Support --key-password for GnuTLS PKCS#11 PIN
      DTLS MTU detection fixes
      Update test suite
      Change DSA test key to 1024 bits
      Update CONFIG_STATUS_DEPENDENCIES
      Enable DSA-SHA1 in ocserv config
      Fix IPv6 setup on Solaris
      Update changelog
      Fix 'make install' from clean too.
      Add DTLS files back to translation
      Update translations from GNOME
      Explicitly disallow non-resumed sessions for legacy DTLS establishment
      Add session resume check for GnuTLS too
      Attempt to re-open CONIN$ if stdin has been redirected on Windows
      Limit netmask on Windows TAP setup to 255.255.255.254
      Remember the X-CSTP-Base-MTU: value that the server sends back
      Add GNUTLS_NO_EXTENSIONS to DTLS setup
      Better attempt at handling TAP-Windows tun setup
      Add TUNIDX for Windows vpnc-script
      Increase oNCP configuration buffer size
      Update changelog
      Update translations from GNOME
      Fix pcsclite dependency in openconnect.pc
      Fix openssl dependency in openssl.pc
      Remove unused LIBS/CFLAGS manipulation in configure.ac
      Update translations from GNOME
      Update translations from GNOME
      Enable DHE ciphers for Cisco DTLS
      Don't resume OpenSSL DTLS session for PSK-NEGOTIATE
      Allow DTLS version negotiation with PSK-NEGOTIATE and OpenSSL 1.0.2
      Calculate MTU for PSK-NEGOTIATE
      Add TPM documentation
      Changelog entry for SHA256 hashes
      Stop using deprecated LZ4 functions
      Update translations from GNOME
      Resync translations with sources
      Tag version 7.08

Jon DeVree (1):
      Add Content-Length header to mimic official pulse client

Mathias Schuepany (1):
      Patch for servers that do not listen on TCP 443

Nikolay Martynov (1):
      IPv6 packet size field doesn't include header size, take this into account

Nikos Mavrogiannopoulos (8):
      Always calculate the base_mtu value
      Indicate the --mtu option is used by legacy servers only
      Extended MTU discovery to work even when compiled with openssl
      Enable DTLS protocol negotiation
      Introduce SHA2-256 as a peer certificate hash and make it the default
      openconnect_check_peer_cert_hash: allow partial server hash matches
      Introduced buf_append_hex()
      tests: added check for operation under different --servercert parameters

Piotr Kubaj (1):
      Fix build with LibreSSL.

Ralph Schmieder (1):
      Add --passtos option to copy TOS/TCLASS from VPN packets

Thorsten Bonhagen (1):
      gnutls GNUTLS_E_INTERRUPTED same behavior as GNUTLS_E_AGAIN

-- 
dwmw2