Well, that took a while. The 7.08 release was in December 2016, and we've done a fair amount since then. Notable additions are the PAN GlobalProtect support, entirely thanks to Dan Lenski, and TPMv2.0 support, thanks to much assistance from James Bottomley.

This also fixes a potential information leak (CVE-2018-20319) reported by Tom Wilson. It's not something I'm going to lose sleep over: things like passwords might sometimes be in memory of the VPN process, when we have finished using them. But frankly, if the attacker can already read the memory of the VPN process, you have bigger problems. But it is good practice for us to explicitly clear sensitive data after using it, and we've fixed most places to do so. There are going to still be a few cases, especially where passwords are included in XML documents generated with libxml, where we can't explicitly scrub the used memory before freeing.

ftp://ftp.infradead.org/pub/openconnect/openconnect-8.00.tar.gz
ftp://ftp.infradead.org/pub/openconnect/openconnect-8.00.tar.gz.asc

Daniel Lenski (66):
      enumerate supported VPN protocols via openconnect_get_supported_protocols()
      list supported protocols in --version or --help output, using API functions
      add oncp_bye() to logout the Juniper session
      store length of ESP encryption and HMAC keys so that they can be manipulated separately for both Juniper and GP
      factor out common dump_buf_hex() and free_optlist() utility functions
      relax requirements for Juniper hostname packet response
      tweak the dtls_state handling in preparation for supporting GlobalProtect ESP
      add vpn_proto member functions .udp_send_probes and .udp_catch_probe in preparation for supporting GlobalProtect ESP
      add new_keys argument to esp_setup_keys() in preparation for supporting GlobalProtect ESP
      try alternate vpnc-script location (used by Debian-based distros)
      Loop when sending HTTP requests larger than the 16KiB SSL record max
      Save latest ESP sequence number even if replay protection isn't in use
      fix a bug leading to incorrect split-include netmasks
      move sending of ONCP control packets for enabling/disabling ESP into oncp.c
      fix memory leak in Juniper logout function (caught with valgrind)
      detect user[name], pass[word] form fields using only the first 4 characters
      add PAN GlobalProtect protocol support (HTTPS tunnel only)
      Add support for GlobalProtect ESP tunnel
      Add support for checking and submitting HIP reports
      prettify man page and include more information on supported protocols
      simplify ESP disabling for GP, because esp_shutdown() always destroys the keying material
      Allow specification of an "alternative secret" field for GP login form(s), instead of 'passwd'.
      GlobalProtect can apparently deliver the challenge 2FA forms as XML in addition to JavaScript
      reorder command-line options
      add section headers to listing of command-line options
      make the descriptions for the behavior of some command-line flags less AnyConnect-specific
      fix typo in Juniper TOTP form name
      check for oversize ESP packets, with 256 bytes of headroom above calculated MTU
      update csd-wrapper.sh to use -url argument, kill cstub after timeout, and fix small typos
      use curl with --pinnedpubkey to rely on sha256 hash of peer cert passed by openconnect
      Oops, leftover wget flag
      provide CSD_SHA256 via environment variable rather than command-line argument
      Add changelog entries for other significant changes since v7.08
      Tolerate packets that are larger than negotiated MTU after decompression
      Align naming and commenting of mechanism for receiving oversize packets across protocols
      Clarify a few uncommented corners of the ESP support
      Clarify protocol description in connection message
      Fill in a few missing references to GlobalProtect, TNCC, and DTLS support in the docs
      Reduce unnecessary connection-rebuilding for Juniper
      Remove first oNCP negotiation request (only second is necessary)
      include computer name in the GP cookie
      add missing OC_PROTO_CSD flag to GP protocol
      include openconnect_get_protocol method for completeness
      add getProtocol, setProtocol, getSupportedProtocols, and VPNProto to Java bindings
      fix segfault in Java library test application
      describe and set protocol in Java test application
      Use waitpid() in a portable fashion
      fix misuse of write_new_config callback by GP, causing Java crashes
      add protocol-agnostic idle_timeout and openconnect_get_idle_timeout() API function
      allow overriding User-Agent in Java library
      openconnect_base64_decode: fix sign of error return value
      GlobalProtect: always set clientos=Windows in relevant requests, regardless of actual OS
      command-line client should fill in any password field with value supplied via --passwd-on-stdin
      GPST should follow --csd-user, as done by CSTP
      handle multiple search domains for GPST
      catch 'Valid client certificate is required' as EPERM
      simplify gpst_xml_or_error handling and config parsing
      GlobalProtect: query and parse prelogin.esp and use it to build auth forms, including preliminary SAML support
      Don't segfault when search domain list is empty (and thus `domains->pos == 0`)
      Fix issue causing front-ends/GUIs to be insensitive to changes in the Juniper realm dropdown
      Fix GlobalProtect authgroup handling
      GlobalProtect: apparently, the parameter `clientos=Linux` value is not just allowed, but necessary, for some VPNs.
      asprintf() returns -1 on error
      move trojans (csd-post.sh, csd-wrapper.sh, hipreport.sh, tncc-wrapper.py) to trojans/ subdirectory and expand and clarify their documentation
      make csd-post.sh continue with a warning without xmlstarlet (using Poor Man's vary speshul XML parsing)
      set CLOEXEC for GP's HIP pipes as well

David Woodhouse (122):
      Rely on SoftHSM being installed correctly with a p11-kit .module file
      Import translations from GNOME
      Fix build breakage in OpenSSL ESP
      Fix charset handling for --key-password on command line
      Add test case for non-ASCII password on PKCS#12 keys
      Fix make dist
      Add -g to test CFLAGS
      Make dup_config_arg() always duplicate the argument
      Warn if setlocale() fails
      Update translations from GNOME
      Add glibc-langpack-cs to gitlab CI environment
      Allow reading stdin on Windows instead of forcibly opening console
      Require GnuTLS 3.2.10+ for GnuTLS builds
      Kill HAVE_GNUTLS_DTLS_SET_DATA_MTU
      Kill HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER
      Kill HAVE_GNUTLS_CERTIFICATE_SET_X509_SYSTEM_TRUST
      Build ESP and DTLS unconditionally with GnuTLS
      Kill HAVE_GNUTLS_PKCS12_SIMPLE_PARSE
      Kill HAVE_GNUTLS_CERTIFICATE_SET_KEY
      Kill HAVE_GNUTLS_PK_TO_SIGN
      Kill HAVE_GNUTLS_PUBKEY_EXPORT2
      Kill HAVE_GNUTLS_X509_CRT_SET_PIN_FUNCTION
      Kill HAVE_GNUTLS_URL_IS_SUPPORTED
      Use LC_ALL for auth-nonascii test, not LC_CTYPE
      Merge branch 'android-20180211-v2' of https://github.com/cernekee/openconnect
      Install cs_CZ locales on CentOS test builds
      Move Juniper ESP probe handling to oncp.c
      Update translations from GNOME
      Fix translation of ESP warning messages
      Cope with gnutls_pkcs11_obj_get_info() ABI change in 3.6.0
      Gitlab CI updates
      Fix const warnings for PCSC errors
      Merge branch 'feature/cleanup_options_list' into 'master'
      Update translations from GNOME
      Update translations from GNOME
      Merge branch 'include_csd-wrapper.sh' of gitlab.com:dlenski/openconnect
      Provide unique hostname to CSD script
      Clean up csd-wrapper.sh
      Add alternative CSD script to post results directly
      Merge branch 'master' of gitlab.com:dlenski/openconnect
      Don't treat Juniper 'realm' field as authgroup
      Merge branch 'feature/update-dnf-yum-cache' of gitlab.com:horar/openconnect
      Revert "Don't treat Juniper 'realm' field as authgroup"
      Update translations from GNOME
      Update translations from GNOME
      Merge branch 'gp_always_clientos_Windows' into 'master'
      Merge branch 'fix_base64_decode' of gitlab.com:dlenski/openconnect
      Merge branch 'master' of gitlab.com:KyleJ61782/openconnect
      Merge branch 'fill_in_any_password_type_field' into 'master'
      Use OpenSSL TPM2 engine
      Add Changelog for OpenSSL TPM2 support
      Add support for files from the *other* OpenSSL TPM2 engine. FFS.
      Merge branch 'master' of gitlab.com:j.l-w/openconnect into HEAD
      Make yubikey less picky about what it'll generate tokens for
      Shift PC/SC context out of generic vpninfo
      Shift TSS context out of generic vpninfo
      Add shell of TPM2 support
      Update TPM documentation to mention TPMv2
      Merge branch 'multiple_search_domains_GPST' into 'master'
      Merge branch 'fix_authgroup_dropdown_handling' of gitlab.com:dlenski/openconnect
      Post CSD results even when no other auth is needed.
      Parse TPM2 ASN.1 blob
      First pass at proper TPM2 support for GnuTLS using tss2-esys
      Support TPM2 auth
      Add TPM2 ECC support
      Fix TPM2 emptyauth handling
      Tell GnuTLS the TPM2 can't do SHA512
      Update licence and TPM docs
      Add openconnect_has_tss2_blob_support()
      Add openconnect_set_key_password()
      Factor out sign_hash functions for tpm2
      Fix signedness handling for EC signatures
      Move non-TSS-specific code to gnutls_tpm2.c
      Skeleton IBM TSS support
      Allow parsing of permanent handles for TPM2 parents
      Add support for persistent parent keys and other hierarchies
      Update changelog. TPM2 is no longer OpenSSL-only.
      First cut at IBM TSS support, mostly copied from James's tpm2 engine.
      Add tss2-devel to CI
      Factor out PKCS#1 padding
      Switch to standard TSS2 PEM format
      tpm2-esys: Check parent NODA flag and demand password if needed
      Remove static ui_vpninfo hack for ENGINE callbacks
      Remove legacy tpm2tss PEM support
      Reinstate support for TPM2 'TSS2 KEY BLOB' support with GnuTLS
      Clean up persistent/generated handle checks a little
      Consolidate tpm2_get_session_handle()
      Clean up ibmtss error reporting to use vpn_progress()
      Fall back to tpm2tss engine
      Update TPM docs
      Update translations from GNOME
      Resync translations with sources
      Check TPM2 key OIDs
      Move prepare_stoken() call to generic openconnect_obtain_cookie()
      Allow form responses to be provided on command line
      Merge branch 'tmp-fix-sigterm' of gitlab.com:nmav/openconnect
      Clear full buffer in buf_truncate() and buf_free()
      Allow --form-entry on win32 builds too
      Fix re-prompting for empty parent key password with TCG TSS2
      Clear form field entries in free_auth_form()
      Use free_pass() for yubikey PIN
      Use free_pass() for freeing certificate passwords
      Use free_pass() for TCG TSS2
      Use free_pass() in openconnect_vpninfo_free()
      More free_pass() for TPMv1 passwords
      Clear TCG TSS2 auth passwords on free
      Merge branch 'fix_asprintf' into 'master'
      Disable TLSv1.3 when hardware RSA keys can't support PSS
      Encrypt digests being signed with IBM TSS2.
      Merge branch 'oh_what_fun_it_is_to_spoof' of gitlab.com:dlenski/openconnect
      Update translations from GNOME
      Include all keys in dist
      Split out cancellable recv/send/gets functions from proxy code
      Use cancellable_gets() for TNCC communication
      Fix order of dup2 args in spawning TNCC, and add comments
      Clean up TNCC error handling
      Fix memset_s() parameters.
      Merge branch 'CLOEXEC_for_GP_HIP' of gitlab.com:dlenski/openconnect
      Install trojan scripts to $(pkglibexecdir)
      Explicitly reference python2 in shebang for tncc-wrapper.py
      Resync translations with sources
      Tag version 8.00

François Grenier (1):
      juniper: Support 'username' form input type

James Laird-Wah (1):
      Recognise auth forms named "challenge" as token requests

Janne Juntunen (1):
      Add support for Google Authenticator 2fa on Juniper VPN

Joerg Mayer (1):
      Check whether glibtoolize is available in addition to libtoolize

Kevin Cernekee (13):
      Fix crash on DTLS resumption
      android: Allow stronger hashes on fetched tarballs
      android: Drop MIPS build
      android: Drop OpenSSL support
      android: Upgrade liboath
      android: Upgrade from NDK r10d -> r16b and switch to clang
      android: Upgrade crypto libraries
      android: Upgrade other libraries
      android: Build libraries --with-pic
      android: Update mirror list
      java: Bump to Java 8
      android: Re-enable optimization
      android: Enable arm64 and x86_64 builds

Kyle Johnson (1):
      Toggle TAP status to force Windows to re-run NLA.

Ľubomír Carik (1):
      Update yum/dnf cache before package installation

Mike Miller (1):
      tests: avoid using eval with variable assignments

Nick Parrin (1):
      TNCC periodic host checking fix

Nikolay Martynov (3):
      Do not leak memory when tun was not created yet
      Do not try to establish DTLS on reconnect if it wasn't established before
      Do not drop vpn connection if packet arrived is larger than MTU

Nikolay Panin (1):
      include default csd-wrapper.sh

Nikos Mavrogiannopoulos (11):
      Store only the SHA1 and SHA256 of the public key internally
      Added support for RFC7469 key PIN
      Switched the default output for key PIN to be the RFC7469 key PIN
      tests: serverhash: added newline to usage
      added news entry for RFC7469 key PIN support
      .gitlab-ci.yml: added explicit XFAIL_TESTS for known issues
      openconnect.8: reference ocserv(8)
      Use the client hello session identifier to transmit the client identifier
      No longer send the TLS extension for the PSK protocol
      tests: added data transfer test under DTLS
      SIGTERM cleans up the session similarly to SIGINT

Piotr Kubaj (1):
      Fix build with LibreSSL 2.5.1 and higher.

Ralph Schmieder (1):
      chg: add --version-string

Youfu Zhang (1):
      NUL-terminate gai->value for OPT_RESOLVE, fix out-of-bound read

Ľubomír Carik (2):
      Windows application icon
      Solve few fall-through warnings
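The announcement above says the CVE-2018-20319 fix was to explicitly clear passwords and other secrets after use (the free_pass() and buf_truncate()/buf_free() commits in the shortlog), and notes one caveat: a memset() issued right before free() is a dead store that an optimising compiler may delete. The following is an added example of how such a scrub-before-free helper can be written so the clearing survives optimisation; it is not OpenConnect's own code, and the names secure_memzero(), free_secret(), free_secret_n() and the sample passwords are assumptions made for this illustration.

```c
/*
 * Added example (not OpenConnect's own code): scrub a secret before free()
 * so it does not linger in the process heap. The helper names
 * secure_memzero(), free_secret() and free_secret_n() are assumptions.
 */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * A plain memset() immediately before free() is a "dead store" that the
 * optimiser is allowed to remove. Calling memset through a volatile
 * function pointer hides the callee from the optimiser, so the store is
 * kept. C11 memset_s() or explicit_bzero() are platform alternatives.
 */
static void *(*const volatile secure_memset_fn)(void *, int, size_t) = memset;

void secure_memzero(void *p, size_t n)
{
    if (p && n)
        secure_memset_fn(p, 0, n);
}

/* Scrub a NUL-terminated string (password, PIN, cookie) and free it. */
void free_secret(char *s)
{
    if (!s)
        return;
    secure_memzero(s, strlen(s));
    free(s);
}

/*
 * Scrub a buffer of known length and free it. Keying material may contain
 * NUL bytes, so strlen() would stop early; always pass the allocated size.
 */
void free_secret_n(void *p, size_t n)
{
    if (!p)
        return;
    secure_memzero(p, n);
    free(p);
}

/* 1 if every byte of buf[0..n) is zero, else 0. */
int is_zeroed(const unsigned char *buf, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= buf[i];
    return acc == 0;
}

/*
 * Simulated password round-trip: copy a constructed password to the heap,
 * "use" it, then scrub it in place. Returns 1 if the heap copy was fully
 * zeroed while the allocation was still live (reading after free() would
 * be undefined behaviour, so the check happens before free()).
 */
int demo_scrub_password(void)
{
    const char *typed = "hunter2-constructed-sample";   /* constructed input */
    size_t len = strlen(typed);
    char *pw = malloc(len + 1);
    if (!pw)
        return 0;
    memcpy(pw, typed, len + 1);

    /* Stand-in for "use the password" (e.g. build an auth form). */
    unsigned int sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += (unsigned char)pw[i];
    (void)sum;

    secure_memzero(pw, len);
    int ok = is_zeroed((unsigned char *)pw, len);
    free(pw);
    return ok;
}

/*
 * Stack buffers filled by fgets() need the same care: clear the whole
 * buffer, not strlen() bytes, otherwise the tail of an earlier, longer
 * password that was later overwritten by a shorter one survives past the
 * NUL. Returns 1 if the entire buffer is zero after scrubbing.
 */
int demo_scrub_stack_buffer(void)
{
    char buf[64];
    strcpy(buf, "first-longer-password-value");   /* constructed input */
    strcpy(buf, "short");                         /* overwritten; tail remains */
    secure_memzero(buf, sizeof buf);
    return is_zeroed((unsigned char *)buf, sizeof buf);
}
```

The libxml case mentioned in the announcement is exactly where this pattern cannot be applied: once a password has been serialised into an xmlDoc or an xmlBuffer, the copy is owned by the library and freed by xmlFree() without a scrub, so the only mitigations are to keep secrets out of such documents where possible or to minimise how long the document lives.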