Well, that took a while. The 8.10 release was in May 2020, and we've done quite a lot since then. With millions of people working from home and relying on VPNs for remote work, we have received a great deal of feedback, bug reports, feature requests, and new contributions in the last 21 months.
Notable additions are:

• Three new supported VPN protocols (Fortinet, F5 BigIP, and Array Networks)
• Performance improvements on Linux, thanks to vhost-net and epoll
• Important bugfixes for Juniper and Pulse
• Compatibility with newer servers for Pulse, AnyConnect, and GlobalProtect protocols
• IPv6 support for GlobalProtect
• Numerous bugfixes and regular builds of the OpenConnect command-line application for Windows, including support for the Wintun driver
• Extensive improvements to the standard routing and DNS configuration scripts, particularly for IPv6 support and for *BSD and MacOS (https://gitlab.com/openconnect/vpnc-scripts)
• Clearer error and logging messages, and improved documentation (https://www.infradead.org/openconnect)

The newly-supported Fortinet and F5 protocols are based on PPP. Yes, the same Point-to-Point Protocol that you last thought about when you used it for your dial-up Internet connection last millennium. It turns out to underpin a number of proprietary VPN protocols. OpenConnect now includes its own implementation of PPP, completely in userspace and independent of pppd, which should enable us to easily support other PPP-based protocols in the future.

In implementing support for Fortinet, we were particularly grateful for the work of the Openfortivpn project (https://github.com/adrienverge/openfortivpn), whose developers had already figured out many aspects of the Fortinet protocol and had implemented them as a wrapper around pppd.

Behind the scenes, we've greatly improved our test infrastructure and test coverage as well. We're now relying more heavily on GitLab for continuous integration and testing, and for issue reporting and code contributions via merge requests.

You can see the complete changelog at https://www.infradead.org/openconnect/changelog.html

Multi-certificate support for AnyConnect is almost ready; the important parts are merged but we just need to put the final pieces in place with test cases.
The other important thing coming up is SAML support for various protocols. There will likely be a new release soon (a lot less than another 21 months; maybe more like 21 days) with those features merged, but it was about time we pushed *something* out for those users who needed to use the fixes and compatibility improvements we already had in the development tree.

Thanks to Daniel Lenski for writing most of this commit message, as part of coaxing me to actually make the release at least :)

https://www.infradead.org/openconnect/download/openconnect-8.20.tar.gz
https://www.infradead.org/openconnect/download/openconnect-8.20.tar.gz.asc

Andreas Gnau (1):
      http: Allow passing header_cb to do_https_request

André Draszik (1):
      csd-wrapper: make it work again if binaries are compressed

Antonino Orlando (1):
      Add setCookie JNI method to LibOpenConnect.java

Ash Holland (1):
      Juniper: support password and 2FA fields in the same form

Daiki Ueno (3):
      Don't hard-code TSS 2.0 return codes for auth failure
      gnutls_tpm2_esys: Use Esys_Free instead of free
      gnutls_tpm2_esys: Mark globally defined templates as const

Daniel Lenski (382):
      explain why --form-entry shouldn't be used for passwords
      Merge branch 'explain_why_form_entry_should_not_be_used_for_passwords' into 'master'
      fix tncc_emulate.py with Python 3.7
      bugfix string/binary handling
      Merge branch 'fix_tncc_emulate.py_with_Python_3.7' into 'master'
      handle errors on initial TLS connection identically to subsequent reconnection
      don't switch to syslog logger until we're ready to background/daemonize
      Merge branch 'consistent_handling_of_initial_connection_errors' into 'master'
      Protocols should try explicitly request the same IP addresses on reconnect, since they will abort if new addresses are sent by the server.
      gpst.c should also return -EPERM when server changes IP address, not -EINVAL
      factor out check_address_sanity() from gpst.c and cstp.c, and use it in oncp.c and pulse.c as well
      add comment on openconnect__inet_aton(), which is not 100% compatible with "real" inet_aton()
      openconnect_make_cstp_connection should always set ssl_times.last_tx on successful connection
      Merge branch 'check_address_sanity' into 'master'
      enable csd-wrapper.sh/csd-post.sh to run insecurely (no cert validation) for compatibility with ancient cURL
      the -s/--silent option to cURL isn't related to cert validation; remove it from the PINNEDPUBKEY variable
      Merge branch 'enable_insecure_CSD_submission_for_ancient_cURL_versions' into 'master'
      fix CI
      Gitlab has CI images for Ubuntu 18.04, so let's include those too.
      re-add socket_wrapper and softhsm support to CentOS8 CI
      Merge branch 'fix_CI' into 'master'
      Merge branch 'hipreport' into 'master'
      fix duplicate bitfield constant
      Merge branch 'fix_duplicate_bitfield_constant' into 'master'
      Merge branch 'coverity' into 'master'
      Merge branch 'master' into 'master'
      bump emulated GlobalProtect version number
      changelog
      Merge branch 'bump_emulated_GlobalProtect_version_number' into 'master'
      Juniper unknown forms with action remediate.cgi seem to indicate TNCC/Host Checker failure: log error about this
      Merge branch 'Juniper_form_action_remediate.cgi_indicates_TNCC_failure' into 'master'
      style nitpicks, expand clarifying comment, changelog
      Merge branch 'token_input_in_second_password_in_Juniper_frmLogin' into 'master'
      add --allow-insecure-crypto, and corresponding API functions, to explicitly enable 3DES/RC4/SHA1
      modify tests/common.sh so that launch_simple_sr_server() → test → cleanup() can be used repeatedly in a single script
      add obsolete-server-crypto and pfs tests
      Merge branch 'explicitly_allow_3DES-CBC_for_GnuTLS' into 'master'
      GP: Fix the issue of a 0.0.0.0/0 "split"-include route by swapping the "split" route with the default netmask.
      add secure_cookie protocol field to suppress other protocols' cookies from --dump-http-traffic as well
      remove --no-cert-check from options list
      Add `./configure --enable-insecure-debugging` option.
      The resurrection of --no-cert-check was not met with universal acclaim
      bugfix: ensure vpnc-script receives TUNDEV even without -i option
      Merge branch 'add_secure_cookie_protocol_field' into 'master'
      Merge branch 'bugfix_TUNDEV' into 'master'
      finesse the URL-decoding of the GP login args
      Merge branch 'coverity' into 'master'
      Windows tuntap driver: accept modified ComponentId ('root\tap0901' instead of just 'tap0901')
      add delay_tunnel_reason and delay_close
      use delay_tunnel_reason for OC DTLS MTU detection and GPST ESP connection delays
      we should still try to cleanly close the session if tun device creation fails
      factor out print_connection_info()
      use setup_tun callback to defer printing connection status AND backgrounding until tun_is_up
      -b/--background: check for error when fork()ing
      reduce level of delay_tunnel/delay_close logging
      changelog
      less confusing output when authentication fails
      Merge branch 'less_confusing_output_when_authentication_fails' into 'master'
      GP: ask user to report unexpected value of <connected-gw-ip>
      Merge branch 'delay_tunnel_and_close' into 'master'
      Merge branch 'enable_insecure_debugging' into 'master'
      Merge branch 'GP_unexpected_value_of_connected-gw-ip' into 'master'
      Merge branch 'GP_demangle_default_route_as_split_route' into 'master'
      clarify some error messages which apply equally to TLS and DTLS sockets
      Merge branch 'GP_finesse_URL_decoding' into 'master'
      Merge branch 'clarify_some_error_messages_which_apply_equally_to_TLS_and_DTLS_sockets' into 'master'
      fix undefined pointer error from !143
      Merge branch 'bugfix_MR_143' into 'master'
      more logging around Trojan script invocation (CSD/HIP/TNCC)
      Merge branch 'more_logging_around_Trojan_script_invocation' into 'master'
      little bit more GP IPv6 support
      CSD XML tag and nostub are entirely protocol-specific and used in only one place
      GP: explicitly warn when server has a missing ESP configuration
      changelog
      Merge branch 'GP_IPv6_baby_steps' into 'master'
      include quit_reason in exit message
      tncc-emulate.py: add TNCC_USER_AGENT override variable
      Add `openconnect_get_auth_expiration` function to library and JNI
      implement `auth_expiration` for Pulse protocol
      Merge branch 'openconnect_get_auth_expiration' into 'master'
      add SIGUSR1 as trigger to print detailed connection information and stats
      defer the switch to syslog until AFTER the tunnel is fully up, changelog
      Merge branch 'tncc_override_user_agent' into 'master'
      Merge branch 'stats_and_connection_info' into 'master'
      Merge branch 'assign_privkey-bug' into 'master'
      Merge branch 'clobbered-loop-counter-bug' into 'master'
      only set OpenSSL security level to 0 when --allow-insecure-crypto is specified
      add openconnect__win32_setenv function to compat.c
      with --allow-insecure-crypto, additionally attempt to disable insecure systemwide minimum crypto settings
      in tests/obsolete-server-crypto, do not override GNUTLS_SYSTEM_PRIORITY_FILE when invoking OpenConnect
      update changelog with expanded scope
      Merge branch 'openssl-sec-level' into 'master'
      Pulse: one more known failcode (0x0e = client cert required)
      Juniper forms with 'id' but not 'name'
      Merge branch 'one_more_pulse_failcode' into 'master'
      allow specification of multiple certificate fingerprints on command-line via --servercert
      changelog
      Merge branch 'allow_multiple_servercert_arguments' into 'master'
      add pointer to vpnc-script repo to README
      Merge branch 'remove_protocol_specific_values_from_global_state_object' into 'master'
      changelog: more updates since v8.10
      Try to generate static website using GitLab pages
      static website tweaks
      add openconnect_disable_dtls() API function
      ensure that openconnect_disable_{dtls,ipv6} do nothing if vpninfo has ever been connected
      return EPERM, not EINVAL, when GP gateways reject the cookie upon get-config or GET-tunnel
      fix potential read overflow in compat.c replacement for strndup()
      add .gitattributes file to mark binaries
      Merge branch 'potential_read_overflow_in_openconnect__strndup' into 'master'
      Merge branch 'add_DTLS_disable_to_API' into 'master'
      bugfix: condition for incomplete ESP config with GP was inverted
      Merge branch 'fix/field-instead-of-global' into 'master'
      Merge branch 'fix/tncc-exception' into 'master'
      cstp: don't send X-AnyConnect-Platform header
      add changelog entry
      add changelog entry
      Merge branch 'jkuebart:fix/forms-without-action'
      MingW32 builds: generate NSIS installers for Windows
      NSIS installer: add compression, installer file properties, and docs
      include vpnc-script-win.js in installer
      add note about existence of installers in packaging docs
      remove unneeded inc/* and openconnect.8.inc from public/HTML docs
      create make-windows-installer.sh
      remove unneeded inc/* and openconnect.8.inc from public/HTML docs
      Merge branch 'master' into build_NSIS_based_installers_for_32bit_Windows
      fix pfs and obsolete-server-crypto tests on Ubuntu
      set OCCTL_SOCKET in tests/common.sh, if unset
      remove now-unneeded make-windows-installer.sh, re-embed vpnc-script-win.js, embed OpenVPN TAP-Windows installer
      Merge branch 'master' into build_NSIS_based_installers_for_32bit_Windows
      CI: update artifact paths for MinGW* builds
      add link to online documentation, put TAP-Windows in named section, and…
      changelog
      make buf_append_{be16,be32,le16} global
      oncp_control_queue → tcp_control_queue
      auth-juniper.c simplifications (including ignoring submit_button if NULL)
      add 'nullppp' protocol for testing
      add OC_PROTO_HIDDEN and use this to hide nullppp from protocols displayed or shown by openconnect_get_supported_protocols
      add ppp-over-tls tests (with pppd as the reference peer implementation)
      Fix three sanitizer complaints
      more accurate PPP-over-TLS MTU calculation
      improve ppp-over-tls tests
      give nullppp the option of cancelling/terminating itself after negotation
      CI: re-enable PPP tests for CentOS7, Fedora, and Ubuntu
      fix nakbuf leak
      clarify un-HDLC logging a bit
      unset delay_tunnel_reason as soon as PPP reaches network state
      automatically disable pppd tests if socat or pppd are missing
      factor out internal_get_url function
      ppp: add comment about likely meaninglessness of server's LL IPv6 address
      split htmlnode_next and htmlnode_dive
      ppp-over-tls tests: try to keep CentOS 6 CI working, and improve flaky startup of pppd
      factor out internal_split_cookies from auth-juniper.c
      ppp-over-tls test: figured out how to make socat invoke pppd
      allegedly universal MTU calculator: use for GPST and PPP
      ppp-over-tls tests: /etc/ppp script permissions problems
      add openconnect__strchrnul function to compat.c
      ppp-over-tls tests: more comments about how hard it is to use pppd as a test fixture
      fix <select>/<option> parsing bug
      ppp-over-tls tests: give up on CentOS 6
      Juniper: bugfix handling of loginForm.VerificationCode
      ppp-over-tls tests: fix PPP-over-IPv6 tests on Ubuntu
      use check_address_sanity for F5 too
      add test-f5-login.py script
      F5: implement f5_obtain_cookie
      F5: one of the GET requests in login flow appears unnecessary
      F5: fix old options leak on reconnect
      F5: pause-and-reconnect doesn't preserve IP addresses if we PPP-terminate
      add test-fortinet-login.py
      hard-code browser UA into test-fortinet-login.py
      parse real Fortinet config
      Fortinet: set HTTP user-agent to 'Mozilla/5.0 SV1' as openfortivpn does
      Fortinet: ignore 401/403 response to remote/index request
      Fortinet: explain to the user if connecting to an ancient server that doesn't support XML config
      Fortinet: socket switches abruptly from HTTP request to encapsulated PPP, with no HTTP-ish response
      Fortinet does not use HDLC framing
      Fortinet: server rejects asyncmap and header compression options
      Fortinet: note divergences of header values from openfortivpn, and absence of DTLS support
      Fortinet: implement auth_expiration
      Fortinet: remove unused function
      Fortinet: assume default route if no split routes received
      implement fortinet_obtain_cookie
      official Forticlient doesn't 'GET /remote/index', so let's not
      simpler fortinet_obtain_cookie()
      attempt to implement Fortinet challenge-based 2FA (ping #225)
      Fortinet: parse <split-dns> domains and DNS servers from config
      Fortinet's realm parameter comes from the URL-path
      add openconnect__strchrnul function to compat.c
      cleanup and clarify comments about tests that are XFAIL in CI
      add auth-fortinet tests
      add auth-f5 tests
      make F5 and Fortinet tests go through config-pulling (up to the point of tunnel connection), rather than stopping after authentication
      Fortinet: fix crash caused by absence of redirect
      Fortinet: fix token code generation
      turns out F5 can have an authgroup dropdown
      rename (resp_buf, form_buf) → (req_buf, resp_buf) in f5.c and fortinet.c
      test multi-domain logins in F5 tests
      F5: factor out plain_auth_form()
      don't require F5 forms other than first one to have any particular name/ID
      I do believe a changelog addition is in order
      flask-based tests: give up on CentOS7
      bugfix !165 Juniper forms handling
      main.c CLI: replace confusingly-used `FILE *pid_fp` with `int wrote_pid`
      fix openconnect_disable_dtls / --no-dtls
      bugfix internal_get_url
      add fake-juniper-server.py and tests/juniper-auth
      add test path including frmSelectRoles
      make --authgroup fill EITHER the role and/or the realm for Juniper
      Merge branch 'juniper-auth-tests' into 'juniper-auth-tests'
      Use oc_text_buf for internal_get_url()
      Add note-to-self comments about DTLS for F5/Fortinet
      Expand F5 and Fortinet documentation
      Multi-protocol support documentation
      Update README.md (developer-facing docs on GitLab)
      Reference F5 and Fortinet support in manual page
      Set Fortinet DPD interval from server's config
      Remove attempt_period from protocol-specific udp_setup() functions
      Accept IPv6 netmasks like /dead:beef::, in addition to /N
      Update 'Getting Started / Connecting' docs
      NC/Pulse idle timeout
      Parse Pulse error/termination packets and print error codes and strings
      Add changelog entry
      Fix logout and options requests in fake-f5-server.py
      Don't call connection script in ssl_reconnect if tunnel is not up
      Handle F5 split-exclude routes
      Pulse should fallback to Juniper logout
      Fix missing newlines in ssl_nonblock_{read,write}() error message
      Speculatively enable no_terminate_on_pause for Fortinet
      Fix f5-auth-and-config tests not to depend on cookies
      Add start_dtls_anon_handshake() for PPP protocols
      Split fortinet_configure() from fortinet_connect() to prepare for DTLS
      Fortinet: don't keep retrying if cookie is invalid on reconnect
      Add Fortinet DTLS support
      Merge branch 'nc_pulse_idle_timeout' into 'master'
      GlobalProtect IPv6 support
      Make CLI print IPv6 address correctly
      Reduce noisy logging of GlobalProtect IPv6 config tags
      Warn if <quarantine> is set in GlobalProtect XML config
      Add GlobalProtect IPv6 to docs and changelog
      F5, Fortinet: ignore errors in landing page once we've got a cookie
      Fix Fortinet IPv6 config and add tests for it
      Fix sloppy cookie construction for Fortinet
      Split ESP checksum functions into csum_partial and csum_finish
      Log address family of ESP packets sent/received
      GP config: hush warning about unknown <quarantine>no</quarantine>
      Add IPv6/ICMPv6 header and flags to win32-ipicmp.h
      GlobalProtect IPv6 ESP support
      Add fake-gp-server.py and gp-auth-and-config test
      Consolidate check_http_status from gpst.c and ppp.c
      GP auth: don't modify URL path if it ends with .esp
      Add tests of GlobalProtect auth with gateway selection and challenge-based 2FA
      GP: fix bug in blind retry of login credentials after portal-to-gateway redirect
      GP: Pass 'preferred-ipv6' parameter among auth requests, just like 'preferred-ip'
      Replace all use of inet_ntoa() with inet_ntop()
      Keep comments next to live code in fortinet.c
      Improve Fortinet auth
      Bugfix GlobalProtect ESP magic pings over Legacy IP
      Print an error message if dtls_addr is NULL in dtls_setup()
      Clarify 'Certificate Validation Failure' error from Cisco servers
      Fix handling of concatenated PPP data packets
      Rename oncp_rec_size → partial_rec_size
      Fix PPP packets split across TLS records
      Fix Fortinet realm name extraction
      Mark obsolete-server-crypto test as XFAIL in Fedora/GnuTLS/* CI
      Don't save `portal-*cookie` values if they're "empty"
      Receiving a portal-*cookie should allow us to automatically retry the login on the gateway
      Add tests of using portal-userauthcookie to continue through gateway
      Update changelog
      Mark juniper-sso-auth test as using LD_PRELOAD
      Docs should link to Gitlab as the main repository for vpnc-script and vpnc-script-win.js
      Follow disable_ipv6 for Pulse and Fortinet
      PPP: Replace no_terminate_on_pause flag with terminate_on_pause flag
      Cleanup fortinet-auth-config
      Fortinet requires us to check for an HTTP error response only over TLS
      More complete comment about issues with proxies in connection phase
      Assume that a 'portal-*cookie' will allow us to bypass gateway SAML
      Merge branch 'https' into 'master'
      Fix typo and clarify openconnect_get_connect_url comment slightly
      Update documentation for the --authenticate option
      With --user, enter username in all forms, not just the first
      Update changelog
      Merge branch 'automatically_enter_username_into_all_forms' into 'master'
      Encourage use of csd-post.sh, and discourage use of csd-wrapper.sh
      Use sysctl to un-disable IPv6 for all CI runs where PPP tests are enabled
      Mark sync/no-HDLC PPP tests as XFAIL for all CI images
      Verify that TPMv2 startup tools are present in order to enable auth-swtpm tests
      Merge branch 'ci' into 'master'
      Merge branch 'tests_trailing_space' into 'master'
      Use more idiomatic super().__init__() in html.py
      Only remove ERR_GET_FUNC for OpenSSL v3.0 and newer
      Merge branch 'ERR_GET_FUNC_OpenSSL_3.0' into 'master'
      Merge branch 'lgtm' into 'master'
      Merge branch 'ERR_GET_FUNC_OpenSSL_3.0' into 'master'
      Merge branch 'flake8' into 'master'
      Use hostname as Wintun ifname (if ifname not specified)
      Remove TAP-Windows driver from installer, and update docs to reference Wintun's default inclusion
      Distinguish ERROR_ACCESS return value from create_wintun()
      Check vpnc-script exit status on all platforms including Windows
      Don't set Legacy IP address on Windows tunnel interface within OpenConnect itself
      Add check_address_conflicts() to tun-win32.c
      Try to delete-and-reclaim IP addresses from down interfaces
      Update changelog to reflect Wintun and vpnc-script-win.js improvements
      Provide the vpnc-script with our PID (as $VPNPID)
      Merge branch 'set_VPNPID_for_vpnc_script' into 'master'
      Merge branch 'wintun_doc_and_naming_tweaks' into 'master'
      Merge branch 'deepsource' into 'master'
      Fix missing newline in Windows error message
      Annotate vpnc-script-win.js with a header documenting its exact source revision
      Merge branch 'wintun-0.13' into 'master'
      bugfix openconnect__strchrnul function in compat.c
      Dump initial oNCP negotiation request if --dump-http-traffic is specified
      Add links to latest Windows builds to www/packages.html and README.md
      Attempt to determine whether Fortinet server really supports reconnect-after-drop (without reauth)
      Do request "ancient HTML config" in order to distinguish truly-ancient Fortinet servers from some reconnection problems
      Enable Fortinet DPD even if server doesn't say that reconnect-after-drop is allowed
      Merge branch 'refine_Fortinet_reconnect_and_DPD' into 'master'
      Update documentation on state of Fortinet reconnects
      Add flag to allow do_http_request() to return the server response body even on error
      Add support for Fortinet's HTML-type multi-factor authentication
      Test both tokeninfo- and HTML-based MFA challenges for Fortinet
      Merge branch 'Fortinet_HTML_form_based_MFA' into 'master'
      Merge branch 'python3' into 'master'
      Merge branch 'discourage_use_of_csd-wrapper.sh' into 'master'
      Merge branch 'vpn_progress_n' into 'master'
      Avoid code duplication in www/html.py
      Re-add TAP-Windows driver to installer, and update docs to reference its inclusion
      Merge branch 'revert_to_using_TAPWindows_by_default' into 'master'
      Fix missing protocol flag for Juniper NC
      Fix/update comments in fake-*-server.py scripts
      If oNCP negotiation response is a redirect, cookie is invalid
      Juniper/NC ESP rekey fix
      Add changelog entry
      The option '--force-dpd' should be followed even if the server specifies a lesser DPD interval
      Update documentation of --force-dpd to reflect its new behavior
      Merge branch 'repeat' into 'master'
      Bugfix F5 'plain' login form
      Refuse to handle forms without ->auth_id (but do it in the right place, and noisily)
      Merge branch 'fix_F5_plain_auth_form' into 'master'
      Update changelog
      Merge branch 'csd-wrapper-compressed' into 'master'
      Merge branch 'm4' into 'master'
      Merge branch 'force_dpd_even_if_greater_than_server_interval' into 'master'
      openconnect_set_reported_os should reject illegal values
      When running on Windows, the default OS value should be 'win'
      Merge branch 'reject_bogus_OS_names' into 'master'
      Merge branch 'wintun-0.10.2-0.13' into 'master'
      .mailmap update
      dumb_socketpair(): try to use AF_UNIX socketpair on Windows 10 and newer
      dumb_socketpair(): generate named socket path more carefully
      dumb_socketpair(): fallback from AF_UNIX to AF_INET if AF_UNIX fails
      dumb_socketpair(): Try a whole series of plausible temporary/writable directories for AF_UNIX sockets
      Update changelog
      Merge branch 'Windows_10_has_AF_UNIX_socket' into 'master'
      Merge branch 'windows_ctrl_signal_handler' into 'master'
      Fix dumb_socketpair() comments
      Fix changelog links/labels
      Remove unnecessarily repeated IPv6-enablement in .gitlab-ci.yml
      Change library ordering when testing for library availability with autoconf
      Cleanup whitespace in all human-maintained files
      Build docs should mention that ./configure looks for vpnc-script in TWO places
      Update "Contributing" docs
      The GitLab repo is more than an "experiment" at this point
      Add new documentation on how to observe/MITM VPN clients
      Remove the 'verbose' global variable
      Pass verbosity level in vpnc-script environment as LOG_LEVEL
      Update changelog
      Mention other Windows vpnc-script improvement MRs in changelog
      Merge branch 'pass_LOG_LEVEL_to_vpnc_script' into 'master'
      Merge branch 'master' into 'master'
      Merge branch 'doc_updates' into 'master'
      Fix memory leak in pulse.c
      Update changelog
      Merge branch 'pulse-config-on-9.1' into 'master'
      Pulse IPv6 is now known to work on real-world servers
      Remove already-disabled code copied from oncp.c into pulse.c
      Mention that some Pulse VPNs need to spoof official UA/OS to make IPv6 work
      Print Pulse server's IPv6 internal gateway address (in addition to Legacy IP)
      Mention support for DTLSv1.2 in F5 BIG-IP v16 or newer
      Print warning if Fortinet server doesn't indicate support/no-support for reconnect-after-drop
      Clarify Fortinet no-valid-cookie error paths
      Merge branch 'pulse_IPv6_docs' into 'master'
      In dumb_socketpair(), delete Unix-domain socket path once no longer needed
      Merge branch 'tmp-fedora35' into 'master'

David Overton (2):
      Bugfix Legacy IP split include/exclude routes for Pulse
      Pulse: handle 0x2e20f000 main configuration packet

David Woodhouse (221):
      Fix COPR release builds for mingw-openconnect
      Work around SoftHSM lockup in CI
      Remove Fedora updates-testing packages now pushed to stable
      Update packages documentation
      Run Coverity only in openconnect/openconnect repo
      Check for Signed-off-by: in CI
      Merge branch 'add_set_cookie' of gitlab.com:randymoss/openconnect
      Fix Signed-off-by CI check
      Add basic NSIS installer
      Drop web page handling
      Fix pfs test for out-of-tree builds
      Fix up string handling for ciphersuite_config
      Add obsolete-server-crypto to XFAIL tests in Fedora package
      Add makensis to mingw COPR builds
      Fix obsolete-server-crypto in the GnuTLS build not the OpenSSL one.
      Fix up NSIS ProductVersion for RPM version strings
      Actually create installer packages for MinGW builds
      Merge branch 'handle_GP_cookie_rejected_errors' of gitlab.com:openconnect/openconnect
      Fix Win32 build warnings about _putenv_s() redeclaration
      Fix Windows build warning: No %zd for size_t on Windows
      Merge branch 'no_more_X-AnyConnect-Platform_header' of gitlab.com:openconnect/openconnect
      Fix non-Windows compilation. I hate autoconf.
      Update translations from GNOME
      Resync translations with sources
      Cast GetVolumeInformationByHandleW to (void *)
      Fix printf types in stats output
      add support for PPP-based protocols
      First attempt at F5 support
      Add basic attempt at Fortinet support
      Turn off -Wdeclaration-after-statement and allow C99
      Fix handling of downloaded files
      Include wintun dll in installer
      Fix installer deps
      Merge branch 'pre_PPP_cross_protocol_bits' of gitlab.com:openconnect/openconnect
      Merge branch 'ppp_core' of gitlab.com:openconnect/openconnect
      Fix build warnings
      Merge branch 'add_f5_and_fortinet' of gitlab.com:openconnect/openconnect
      Merge branch 'master' of gitlab.com:openconnect/openconnect
      Add basic docs for (or at least admit the existence of) f5/fortinet
      Resync translations with sources
      Import translations from GNOME
      Add Wintun support
      Fix output redirection under Windows
      Fix stray close paren in changelog
      Fix key filename mangling in auth-certificate test
      Fix test paths for out-of-tree builds
      Use out-of-tree builds in CI
      Fix Juniper auth tests for out-of-tree builds
      Merge branch 'juniper-auth-tests' of gitlab.com:openconnect/openconnect
      Fix link to Jailbreak
      Revert "www: updated links to vpnc-script"
      Update main web page
      Add 'proto' integer value to struct vpn_proto
      Fix --disable-ipv6 option
      Fix CI artifact list for out-of-tree builds
      Fix memory leak in F5 config parsing
      Avoid free of argv[] when ciphersuite_config provided
      Handle empty response buf in process_http_response()
      Fix DTLS MTU probe timeouts
      Fix -EAGAIN on writing DTLS socket for PPP mainloop
      Fix leak of ppp structure on reconnect
      Remove Cisco-specific option handling from dtls_setup()
      Consolidate the various add_option() functions
      Fix leak of simulated F5 netmask options
      Add DTLS support to ssl_nonblock_read() / ssl_nonblock_write()
      Factor out openconnect_install_ctx_verify() for OpenSSL
      Fix timeout handling for DTLS handshake retries
      Add DTLS_ESTABLISHED state
      ppp: Clean up negotiated IP/DNS option handling
      Implement ppp_reset()
      Split out core ppp_mainloop() and add basic DTLS support to it
      Fix handling of lost TERMACK
      Add full DTLS support for PPP
      Add F5 DTLS support
      Ignore errors fetching NC landing page if auth was successful
      Rework cstp_options and ip_info handling
      Merge branch 'master' of gitlab.com:openconnect/openconnect
      Add IPv6 support for Fortinet
      Only set ip_info addresses from PPP if they aren't already set
      Abort if PPP transport is closed in PPPS_ESTABLISH
      Abort when install_vpn_options() fails
      Don't fetch legacy Fortinet config
      Attempt to allow Fortinet reconnect over TCP
      Ensure pulse_connect() can never attempt to monitor fd -1
      Fix potential memory leaks in ppp.c
      Fix potential leak of 'domains' in parse_fortinet_xml_config()
      Fix potential NULL dereference in Java example code
      Partial fix for Fortinet auth
      Fix Juniper role select form to have an auth_id too
      Refuse to handle forms without ->auth_id
      Fix EXTRA_DIST to include all $(POTFILES)
      Fix setting of IP addresses in ip_info from PPP
      DTLS: Don't require secure renegotiation from Cisco
      Add OPENSSL_SUPPRESS_DEPRECATED
      openssl: Add SSL_OP_LEGACY_SERVER_CONNECT to allow-insecure-crypto
      Merge branch 'do_not_use_inet_ntoa' of gitlab.com:openconnect/openconnect
      Merge branch 'add_GP_flask_tests' of gitlab.com:openconnect/openconnect
      Fix DTLS state reporting
      Use BIO_dgram for OpenSSL DTLS
      Import json-parser library
      json: Fix undefined behaviour when converting integer to double
      json_parse_ex: Remove redundant assignment to unused 'b'.
      Initial shell of Array Networks SSL VPN support
      Add hackish array auth
      Start to implement config parsing for Array
      Implement DTLS support for Array
      Add documentation for array protocol, remove HIDDEN flag
      Only require json-parser for Fedora packages, not EPEL
      Fix Coverity complaints about array.c
      kill redundant free_certs argument to GnuTLS assign_privkey() function
      GnuTLS: Start to factor out load_certificate() for reuse
      Move cert/sslkey/cert_password into a 'struct cert_info'
      GnuTLS: Pass certinfo into load_certificate() and subordinate functions
      OpenSSL: Pass certinfo through load_certificate() functions
      GnuTLS: Extend certinfo to callbacks
      GnuTLS: Split out free_gtls_cert_info()
      GnuTLS: Really only install certs from load_primary_certificate()
      GnuTLS: Move TPMv1 context to certinfo
      GnuTLS: Move TPMv2 context to certinfo
      OpenSSL: Factor out load_certificate() from load_primary_certificate()
      OpenSSL: Fix user-visible strings and dialog auth_id for multicert
      GnuTLS: Fix user-visible strings and dialog auth_id for multicert
      tss2-esys: Don't try password for TPM2 keys with emptyauth set
      Tell TPMv2 the hash type based on size
      Support TLSv1.3 sign functions on SECP curves with TPMv2
      Allow TSS2 library to be chosen by --with-gnutls-tss2
      Add IBM TSS CI build on Fedora
      Implement RSA-PSS padding for TPMv2
      Resync translations with sources
      Update translations from GNOME
      Allow TPM_INTERFACE_TYPE=socsim to force swtpm even for Intel TSS
      Add tests for TPMv2 with both swtpm and hardware
      Add swtpm-tools to COPR build too, to enable auth-swtpm test
      Disable swtpm testing for ancient Fedora/EPEL
      Add NIST P384 curve to swtpm tests
      Actually add P384 files so they aren't generated locally
      Update TPMv2 documentation a little, add changelog for TLSv1.3 and swtpm
      Update translations from GNOME
      Update translations from GNOME
      Add openconnect_get_connect_url(), use it in --authenticate output
      GnuTLS: Refactor test sign/verify loop over available digests
      Add line length argument to buf_append_base64()
      Move oc_text_buf functions out to textbuf.c for easier unit testing
      Limit oc_text_buf to 16MiB, start adding test cases
      Fix fallback/big-endian store_le16() and store_le32()
      Fix buftest to build on Windows
      Update translations from GNOME
      Don't leak memory in buftest
      Validate line_len argument to buf_append_base64() too
      Fix first line length in buf_append_base64()
      Add more buf_append_base64() tests... and fix it.
      Fix store_le16/store_le32 harder
      Fix MinGW CI build to use their own docker images, now we have them.
      Increase SO_SNDBUF on UDP socket
      Add Android CI builds
      Bump Android dependencies
      Fix out-of-tree builds with ASAN
      Merge branch 'clarify_Certificate_Validation_Failure_error' of gitlab.com:openconnect/openconnect
      Fix static-analyzer CI builds
      Merge branch 'obsolete_http_configuration' of gitlab.com:DimitriPapadopoulos/openconnect
      Merge branch 'chmod-x_tun-win32.c' of gitlab.com:DimitriPapadopoulos/openconnect
      Revert "with --allow-insecure-crypto, additionally attempt to disable insecure systemwide minimum crypto settings"
      Disable ASAN tests for now
      Unconditionally bypass system crypto policy
      Add changelog for system policy disable
      Remove reference to --allow-obsolete-crypto bypassing policies
      Use https://www.infradead.org/openconnect/download/ URLs
      Switch to https for all URLs
      Update translations from GNOME
      Support non-AEAD ciphersuites in DTLSv1.2 with GnuTLS
      Offer OpenConnect-specific DTLSv1.2 AEAD suites with OpenSSL again
      Add +SIGN-ALL to GnuTLS DTLS ciphersuite configs
      We can admit that the FTP site exists too.
      Merge branch 'server' into 'master'
      Merge branch 'recognise' into 'master'
      Update translations from GNOME
      Fix Yubikey/Android PBKDF2 bug URLs
      Merge branch 'assert' into 'master'
      Merge branch 'm4' into 'master'
      Merge branch 'include' of gitlab.com:DimitriPapadopoulos/openconnect
      Merge branch 'yubi' of gitlab.com:DimitriPapadopoulos/openconnect
      Merge branch 'lzo' of gitlab.com:DimitriPapadopoulos/openconnect
      Stop polling cmd_fd while busy
      Add alloc_pkt() and free_pkt() helpers
      Reuse packets
      Merge branch 'vpnc-script_s' into 'master'
      Merge branch 'update_authenticate_docs_for_RESOLVE_and_CONNECT_URL' into 'master'
      Merge branch 'small_PPP_fixes' into 'master'
      Merge branch 'obey_IPv6_in_Pulse_and_Fortinet' into 'master'
      Merge branch 'suspect_code_indent' into 'master'
      Merge branch 'vpnc-script_links_on_GitLab' into 'master'
      Merge branch 'rondom-do-https-request-header-cb' into 'master'
      Merge branch 'GP_portal_to_gateway_auth_with_cookies' into 'master'
      Use epoll() instead of select()
      Merge branch 'epoll' of gitlab.com:openconnect/openconnect
      Merge branch 'include' into 'master'
      Merge branch 'linux_kernel_coding_style' into 'master'
      Fix epoll support for connection pause/restart
      Add SIGUSR2 to dtls-psk test
      Clear epoll_fd after forking to background self
      Stop accepting DTLS packets when the queue is full
      Initial vhost-net support
      Use vhost for dtls-psk and sigterm tests
      vhost: Avoid TX queue when writing directly is faster
      vhost: Add USED_EVENT and AVAIL_EVENT macros
      Fix double close of vhost_fd on error
      Check eventfd read/write returns
      Tweak vhost ring handling to stop Coverity thinking we leak packets
      Reads from the vhost_call_fd do return -EINTR when we loop multiple times
      Fix RSA-PSS padding with SHA384 for TPMv2 keys
      Do not truncate RSA-PSS salt length for small keys
      Make all cert rules order-only
      Merge branch 'codespell' into 'master'
      Update translations from GNOME
      Update translations from GNOME
      Merge branch 'wip/dueno/tss2-rc' of gitlab.com:dueno/openconnect
      Update translations from GNOME
      Resync translations with sources
      Avoid printing spurious ENOENT error from EPOLL_CTL_DEL
      Fix EXTRA_DIST for ocserv config files
      Tag version 8.20

Dimitri Papadopoulos (107):
      Better document obsolete code and why we keep it
      chmod -x
      ise → ize
      New option to define server name in config file
      Remove assert
      http:// -> https://
      Update m4 files
      Get rid of trailing spaces
      Remove duplicate includes
      Further fix Yubikey/Android PBKDF2 bug URL
      Latest version of lzo.c
      Merge branch 'trailing_spaces' into 'master'
      Fix URL of repository of vpnc-script
      Fix suspect code indent
      Fix bad function definition
      Fix open brace '{' following function definition
      Fix Linux kernel coding style errors and warnings
      Reorganize #include
      Fix Linux kernel coding style warning
      Merge branch 'STATIC_CONST_CHAR_ARRAY' into 'master'
      Fix Linux kernel coding style error
      Merge branch 'POINTER_LOCATION' into 'master'
      Fix Linux kernel coding style warning
      Merge branch 'ARRAY_SIZE' into 'master'
      Fix Linux kernel coding style warning
      Merge branch 'SPACE_BEFORE_TAB' into 'master'
      Fix Linux kernel coding style warning
      Merge branch 'REPEATED_WORD' into 'master'
      Fix Linux kernel coding style error
      Merge branch 'INLINE_LOCATION' into 'master'
      Fix Linux kernel coding style error
      Merge branch 'OPEN_BRACE' into 'master'
      Fix Linux kernel coding style warning
      Merge branch 'SUSPECT_CODE_INDENT' into 'master'
      Fix Linux kernel coding style warning
      Merge branch 'EMBEDDED_FUNCTION_NAME' into 'master'
      Fix Linux kernel coding style error
      Merge branch 'MULTISTATEMENT_MACRO_USE_DO_WHILE' into 'master'
      Fix Linux kernel coding style error
      Merge branch 'COMPLEX_MACRO' into 'master'
      Fix Linux kernel coding style warning
      Merge branch 'RETURN_VOID' into 'master'
      Fix Linux kernel coding style error
      Merge branch 'SWITCH_CASE_INDENT_LEVEL' into 'master'
      Fix Linux kernel coding style warning
      Merge branch 'DEFAULT_NO_BREAK' into 'master'
      Fix Linux kernel coding style warning
      Merge branch 'SPLIT_STRING' into
'master' Fix Linux kernel coding style warning Merge branch 'SINGLE_STATEMENT_DO_WHILE_MACRO' into 'master' Fix typo from 275d838 Fix Linux kernel coding style warning Merge branch 'LINE_CONTINUATIONS' into 'master' Merge branch 'ooops' into 'master' Fix Linux kernel coding style warning Fix Linux kernel coding style error Shut static analyser up Merge branch 'INITIALISED_STATIC' into 'master' Merge branch 'DeviceIoControl_TAP_IOCTL_GET_VERSION' into 'master' Mark auth-swtpm test as XFAIL on Fedora/OpenSSL and Fedora/OpenSSL/clang Typos caught by codespell Build with OpenSSL 3.0 beta 2 Release Candidate Remove spurious trailing space LGTM warning: Unnecessary pass LGTM recommendation: Unused import LGTM recommendation: Unused import LGTM error: Missing call to `__init__` during object initialization LGTM recommendation: Unused local variable Build with OpenSSL 3.0 beta 2 Release Candidate Typos caught by codespell Merge branch 'codespell' into 'master' Flake8 errors and warnings Document --force-trojan as available on _WIN32 LGTM recommendations: Except block handles 'BaseException' Nuke tabs in Python Wintun 0.10.2 (2021-02-16) → 0.13 (2021-08-02) Fix DeepSource alert Fix DeepSource alert Fix DeepSource alert Fix DeepSource alert This is a Python 3 script Fix DeepSource alert Fix DeepSource alert Fix DeepSource alert Fix DeepSource alert Fix DeepSource alert Add missing '\n' to vpn_progress() messages Remove extra '\n' from a vpn_perror() message Resync translations with sources These are Python 3 scripts Remove repeated words from documentation AC_CONFIG_MACRO_DIRS AC_LANG_C → AC_LANG([C]) AC_PROG_LIBTOOL → LT_INIT Fix Windows installer so that it uninstalls cleanly Fix grammar/typos in comments and diagnostic messages AC_ERROR → AC_MSG_ERROR Load wintun.dll from the application directory only Follow Wintun example to the letter (versions 0.10.2 or 0.13) Windows: fix instability with Wintun as tunnel device driver Latest version of vendored dumb_socketpair() 
Option --version prints default script location Add jq as a build dependency to fix COPR builds Print detailed error information when opening cmd pipe/socketpair fails Use ARRAY_SIZE(array) macro instead of hard-coded sizeof(array)/N Fix typos not found by codespell html.py must run with either Python 2 or 3 to support COPR builds Elias Norberg (1): Always set security level to 0 for openssl versions >= 1.1.0 Ivan Afonichev (1): Absolute redirect with '://' in URL param should be valid Joachim Kuebart (10): fix: use field instead of global variable fix: support forms without "action" fix: keep going when forms have only hidden fields feat: support Microsoft SSO nit: silence deprecation warning fix: don't raise when TNCC_CERTS is unset add juniper-sso-auth test: add unit test for Azure MFA SSO fix: fix Juniper Azure SSO login fix: generalise check for user name field fix: add missing licence to fake-tncc.py. Joerg Mayer (1): Add HAVE_EPOLL check to fix macOS build failure Justin Kendrick (1): Add missing files to tarball for win32 build Kevin Yue (1): Pass the `portal-*cookie` values received in the portal config to the gateway login Luca Boccassi (1): libopenconnect: add public interface stubs for SAML support Lukáš Karas (3): setup default port 443 in openconnect_vpninfo_new remove port setup in ssl connect check that port is in valid range Nikos Mavrogiannopoulos (46): Fixed failing tests .mailmap: set gmail as primary email of Nikos .gitlab-ci.yml: fix on fedora32 gnutls: try multiple hashes when checking for pub/priv key match .gitlab-ci.yml: updated to fedora33 Merge branch 'tmp-fix-tests' into 'master' .gitlab-ci.yml: run coverity weekly with a scheduled run .gitlab-ci.yml: use prebuilt images from project's registry www: updated links to vpnc-script windows builds: run the right openconnect executable Merge branch 'tmp-link-vpnc-script-gitlab' into 'master' Merge branch 'tmp-use-presaved-images' into 'master' Merge branch 'vpninfo-port' into 'master' 
.gitlab-ci.yml: use centos8 build for coverity Merge branch 'Windows_tuntap_fix_196' into 'master' Free memory obtained from openconnect_get_peer_cert_DER .gitlab-ci.yml: added address and undefined sanitizer runs main: avoid unnecessary memory copy (and leak) Merge branch 'tmp-add-ubsan-asan' into 'master' .gitlab-ci.yml: added clang's static analyzer parse_hex: avoid zero length allocation run_hip_script: made error handling consistent process_http_response: avoid memory leak cleanup_gssapi_auth: avoid null pointer dereference start_cstp_connection: avoid unused assignment do_https_request: removed unused assignment parse_prelogin_xml: removed unnecessary initialization dtls_detect_mtu: removed unnecessary initialization buf_tlv: corrected TLV decoding append_compr_types: removed unnecessary assignment decrypt_stoken: avoid code without side effects oncp_connect: bail on error process_http_response: removed default error code oncp_connect: avoid code without side-effects openconnect_set_token_mode: propagate error code gnutls: removed unused assignments, and use gnutls_calloc() ntlm_manual_challenge: initialize hash to zero internal_parse_url: fix memory leak Merge branch 'tmp-add-scan-build' into 'master' dtls-psk: use ping -6 to ping an ipv6 address .gitlab-ci.yml: CentosOS7/OpenSSL: mark failing test as XFAIL Merge branch 'tmp-fix-centos7-failure' into 'master' .gitlab-ci.yml: build on fedora35 .gitlab-ci.yml: remove unnecessary installations .gitlab-ci.yml: removed legacy references to rdrand Merge branch 'spelling' into 'master' Randy Moss (1): Add `openconnect_set_cookie` function to library and jni Signed-off-by: Randy Moss <kasaxet...@homedepinst.com> Roberto Leinardi (1): Added platform name to the HIP report script Sabin Rapan (1): Fix selection of TPM2 key gen tools Steven Luo (1): Make correct TUNDEV value available to vpnc-script during pre-init Tim De Baets (3): Install a custom signal handler on Windows using SetConsoleCtrlHandler() Issue 
OC_CMD_DETACH instead of OC_CMD_CANCEL on Ctrl+Break Update changelog Tom Carroll (9): Free pcerts array for all assign_privkey paths. Use separate counters for inner and outer loop. Remove field free_certs from gtls_cert_info. Convert x509_privkey to abstract privkey in load_certificates. Remove NULL checks before deinit GnuTLS objects. gnutls.c:943:21: warning: comparison of integer expressions of different signedness: ‘int’ and ‘unsigned int’ [-Wsign-compare] Check gnutls_pubkey_init return code. Correct calculation of base64 encode buffer length. Use C99 initializer instead of memset.
_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel