Up to [cvs.NetBSD.org] / pkgsrc / net / openconnect
Update to 9.12. From the changelog:
  - Fix FreeBSD build and tests.
  - Explicitly reject overly long tun device names.
  - Work around ambiguity between <json.h> from json-parser vs json-c (!476).
  - Fix symbol versioning for openconnect_set_sni().
  - Increase maximum input size from stdin (#579).
  - Ignore 0.0.0.0 as NBNS address (!446, vpnc-scripts#58).
  - Fix Mac OS build of os-tcp-mtu tool (#612).
Update to 9.11. From the changelog:
  - Rebuild test suite certificate chains (which had expired: #609)
  - Fix stray (null) in URL path after Pulse authentication.
  - Fix config XML parsing mistake that left GlobalProtect ESP non-working in v9.10 (!475).
  - Fix case sensitivity in GPST header matching (!474).
  - Add external browser support for Windows (#553).
Update to 9.10. From the changelog:
  - Fix external browser authentication with KDE plasma-nm < 5.26.
  - Always redirect stdout to stderr when spawning external browser.
  - Increase default queue length to 32 packets (#582).
  - Make the Wintun Layer 3 TUN driver the default on Windows (!427).
  - Add support for and bundle Wintun 0.14.1 (!294).
  - Fix receiving multiple packets in one TLS frame, and single packets split across multiple TLS frames, for Array (#435).
  - Fix ESP failures under Windows (#427).
  - Add list-system-keys tool to assist Windows/MacOS users in setup.
  - Handle idiosyncratic variation in search domain separators for all protocols (#433, #443, !388).
  - Support region selection field for Pulse authentication (!399).
  - Support modified configuration packet from Pulse 9.1R16 servers (#472, !401)
  - Allow hidden form fields to be populated or converted to text fields on the command line (#493, #489, !409)
  - Support yet another strange way of encoding challenge-based 2FA for GlobalProtect (#495, !411)
  - Add --sni option (and corresponding C and Java API functions) to allow domain-fronting connections in censored/filtered network environments (!297, !451).
  - Parrot a GlobalProtect server's software version, if present, as the client version (!333)
  - Fix NULL pointer dereference that has left Android builds broken since v8.20 (!389).
  - Fix Fortinet authentication bug where repeated SVPNCOOKIE causes segfaults (#514, !418).
  - Support F5 VPNs which encode authentication forms only in JSON, not in HTML (#512, !431).
  - Persist Windows installers for tagged builds (#463, !391).
  - Support simultaneous IPv6 and Legacy IP ("dual-stack") for Fortinet (#568, !456).
  - Support "FTM-push" token mode for Fortinet VPNs (#555, !450).
  - Send IPv6-compatible version string in Pulse IF/T session establishment, and avoid its ESP/IP version layering idiocy on newer servers (#506, !414)
  - Add --no-external-auth option to not advertise external-browser authentication, as a workaround for servers which behave differently when it is advertised (#470, !398)
  - Emulate MacOS-specific contents in the HIP report for GlobalProtect (!471).
  - Many small improvements in server response parsing, and better logging messages and documentation.
Define environ before it's used, to fix build on at least NetBSD. Take MAINTAINER.
Update to 9.01. From the changelog:
  9.01:
  - Fix library minor version (missing bump to 5.8).
  9.00:
  - Add support for AnyConnect "Session Token Re-use Anchor Protocol" (STRAP) (#410).
  - Add support for AnyConnect "external browser" SSO mode (!354).
  - On Windows, fix crash on tunnel setup. (#370, 6a2ffbb)
  - Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20. (#388, !344)
  - Support Cisco's multiple-certificate authentication (!194).
  - Append internal=no to GlobalProtect authentication/configuration forms, for compatibility with servers which apparently require this to function properly. (#246, !337)
  - Revert GlobalProtect default route handling change from v8.20. (!367)
  - Support split-exclude routes for Fortinet. (#394, !345)
  - Add openconnect_set_useragent() function.
  - Add webview callback and SAML/SSO support for AnyConnect, GlobalProtect. (!126).
  8.20:
  - When the queue length (-Q option) is 16 or more, try using vhost-net to accelerate tun device access.
  - Use epoll() where available.
  - Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect. (#249)
  - Make tncc-emulate.py work with Python 3.7+. (#152, !120)
  - Emulated a newer version of GlobalProtect official clients, 5.1.5-8; was 4.0.2-19 (!131)
  - Support Juniper login forms containing both password and 2FA token (!121)
  - Explicitly disable 3DES and RC4, unless enabled with --allow-insecure-crypto (!114)
  - Add obsolete-server-crypto test (!114)
  - Allow protocols to delay tunnel setup and shutdown (!117)
  - Support for GlobalProtect IPv6 (!155 and !188; previous work in d6db0ec)
  - SIGUSR1 causes OpenConnect to log detailed connection information and statistics (!154)
  - Allow --servercert to be specified multiple times in order to accept server certificates matching more than one possible fingerprint (!162, #25)
  - Add insecure debugging build mode for developers (!112)
  - Demangle default routes sent as split routes by GlobalProtect (!118)
  - Improve GlobalProtect login argument decoding (!143)
  - Add detection of authentication expiration date, intended to allow front-ends to cache and reuse authentication cookies/sessions (!156)
  - Small bug fixes and clarification of many logging messages.
  - Support more Juniper login forms, including some SSO forms (!171)
  - Automatically build Windows installers for OpenConnect command-line interface (!176)
  - Restore compatibility with newer Cisco servers, by no longer sending them the X-AnyConnect-Platform header (#101, !175)
  - Add support for PPP-based protocols, currently over TLS only (!165).
  - Add support for two PPP-based protocols, F5 with --protocol=f5 and Fortinet with --protocol=fortinet (!169).
  - Add experimental support for Wintun Layer 3 TUN driver under Windows (#231, !178).
  - Clean up and improve Windows routing/DNS configuration script (vpnc-scripts!26, vpnc-scripts!41, vpnc-scripts!44).
  - On Windows, reclaim needed IP addresses from down network interfaces so that configuration script can succeed (!178).
  - Fix output redirection under Windows (#229)
  - More gracefully handle idle timeouts and other fatal errors for Juniper and Pulse (!187)
  - Ignore failures to fetch the Juniper/oNCP landing page if the authentication was successful (3e779436).
  - Add support for Array Networks SSL VPN (#102)
  - Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm and hardware TPM. (ed80bfac...ee1cd782)
  - Add openconnect_get_connect_url() to simplify passing correct server information to the connecting openconnect process. (NetworkManager-openconnect #46, #53)
  - Disable brittle "system policy" enforcement where it cannot be gracefully overridden at user request. (RH#1960763).
  - Pass "portal cookie" fields from GlobalProtect portal to gateway to avoid repetition of password- or SAML-based login (!199)
  - With --user, enter username supplied via command-line into all authentication forms, not just the first. (#267, !220).
  - Fix a subtle bug which has prevented ESP rekey and ESP-to-TLS fallback from working reliably with the Juniper/oNCP protocol since v8.04. (#322, !293).
  - Fix a bug in csd-wrapper.sh which has prevented it from correctly downloading compressed Trojan binaries since at least v8.00. (!305)
  - Make Windows socketpair emulation more robust in the face of Windows's ability to break its localhost routes. (#228, #361, !320)
  - Perform proper disconnect and routes cleanup on Windows when receiving Ctrl+C or Ctrl+Break. (#362, !323)
  - Improve logging in routing/DNS configuration scripts. (!328, vpnc-scripts!45)
  - Support modified configuration packet from Pulse 9.1R14 servers (#379, !331)
net: Replace RMD160 checksums with BLAKE2s checksums
  All checksums have been double-checked against existing RMD160 and SHA512 hashes
  Not committed (merge conflicts...):
    net/radsecproxy/distinfo
  The following distfiles could not be fetched (fetched conditionally?):
    ./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz
    ./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch
    ./net/djbdns/distinfo djbdns-1.05-test28.diff.xz
    ./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch
    ./net/djbdns/distinfo djbdns-1.05-multiip.diff
    ./net/djbdns/distinfo djbdns-cachestats.patch
net: Remove SHA1 hashes for distfiles
net/openconnect: Upgrade to 8.10
  Fixes build for Darwin
  Based on wip/openconnect with help from Louis Guillaume
Update to 8.05. From the changelog:
  - Fix GlobalProtect ESP stall (#55).
  - Fix HTTP chunked encoding buffer overflow (CVE-2019-16239).
Update to 8.04. From the changelog:
  - Rework DTLS MTU detection. (#10)
  - Add Pulse Connect Secure support.
  - OpenSSL build fixes (#51).
  - Add HMAC-SHA256-128 (RFC4868) support for ESP.
  - Support IPv6 in ESP.
  - Translate user-visible strings from openconnect_get_supported_protocols().
  - Fix proxy username/password handling to allow special characters and escaping.
Update to 8.03. From the changelog:
  - Fix detection of utun support on OS X (#18).
  - Fix Cisco DTLSv1.2 support for AES256-GCM-SHA384.
  - Fix Solaris 11.4 build by properly detecting memset_s().
  - Fix recognition of OTP password fields (#24).
Update to 8.02. From the changelog:
  - Fix GNU/Hurd build.
  - Discover vpnc-script in default packaged location on FreeBSD/OpenBSD.
  - Support split-exclude routes for GlobalProtect.
  - Fix GnuTLS builds without libtasn1.
  - Fix DTLS support with OpenSSL 1.1.1+.
  - Add Cisco-compatible DTLSv1.2 support.
  - Invoke script with reason=attempt-reconnect before doing so.
Update to 8.01. From the changelog:
  - Fix memset_s() arguments.
  - Fix OpenBSD build.
  - Clear form submissions (which may include passwords) before freeing (CVE-2018-20319).
  - Allow form responses to be provided on command line.
  - Add support for SSL keys stored in TPM2.
  - Fix ESP rekey when replay protection is disabled.
  - Drop support for GnuTLS older than 3.2.10.
  - Fix --passwd-on-stdin for Windows to not forcibly open console.
  - Fix portability of shell scripts in test suite.
  - Add Google Authenticator TOTP support for Juniper.
  - Add RFC7469 key PIN support for cert hashes.
  - Add protocol method to securely log out the Juniper session.
  - Relax requirements for Juniper hostname packet response to support old gateways.
  - Add API functions to query the supported protocols.
  - Verify ESP sequence numbers and warn even if replay protection is disabled.
  - Add support for PAN GlobalProtect VPN protocol (--protocol=gp).
  - Reorganize listing of command-line options, and include information on supported protocols.
  - SIGTERM cleans up the session similarly to SIGINT.
Update openconnect to version 7.08
  Changelog:
    Add SHA256 support for server cert hashes.
    Enable DHE ciphers for Cisco DTLS.
    Increase initial oNCP configuration buffer size.
    Reopen CONIN$ when stdin is redirected on Windows.
    Improve support for point-to-point routing on Windows.
    Check for non-resumed DTLS sessions which may indicate a MiTM attack.
    Add TUNIDX environment variable on Windows.
    Fix compatibility with Pulse Secure 8.2R5.
    Fix IPv6 support in Solaris.
    Support DTLS automatic negotiation.
    Support --key-password for GnuTLS PKCS#11 PIN.
    Support automatic DTLS MTU detection with OpenSSL.
    Drop support for combined GnuTLS/OpenSSL build.
    Update OpenSSL to allow TLSv1.2, improve compatibility options.
    Remove --no-cert-check option. It was being (mis)used.
    Fix OpenSSL support for PKCS#11 EC keys without public key.
    Support for final OpenSSL 1.1 release.
    Fix polling/retry on "tun" socket when buffers full.
    Fix AnyConnect server-side MTU setting.
    Fix ESP replay detection.
    Allow build with LibreSSL (for fetishists only; do not use this as DTLS is broken).
    Add certificate torture test suite.
    Support PKCS#11 PIN via pin-value= and --key-password for OpenSSL.
    Fix integer overflow issues with ESP packet replay detection.
    Add --pass-tos option as in OpenVPN.
    Support rôle selection form in Juniper VPN.
    Support DER-format certificates, add certificate format torture tests.
    For OpenSSL >= 1.0.2, fix certificate validation when only an intermediate CA is specified with the --cafile option.
    Support Juniper "Pre Sign-in Message".
Updated openconnect to 7.07. From Kai-Uwe Eckhardt in PR 51576.
  OpenConnect v7.07 (PGP signature) — 2016-07-11
    More fixes for OpenSSL 1.1 build.
    Support Juniper "Post Sign-in Message".
    Add --protocol option.
    Fix ChaCha20-Poly1305 cipher suite to reflect final standard.
    Add ability to disable IPv6 support via library API.
    Set groups appropriately when using setuid().
    Automatic DTLS MTU detection.
    Support SSL client certificate authentication with Juniper servers.
    Revamp SSL certificate validation for OpenSSL and stop supporting OpenSSL older than 0.9.8.
    Fix handling of multiple DNS search domains with Network Connect.
    Fix handling of large configuration packets for Network Connect.
    Enable SNI when built with OpenSSL (1.0.1g or later).
    Add --resolve and --local-hostname options to command line.
Add SHA512 digests for distfiles for net category
  Problems found with existing digests:
    Package haproxy distfile haproxy-1.5.14.tar.gz
      159f5beb8fdc6b8059ae51b53dc935d91c0fb51f [recorded]
      da39a3ee5e6b4b0d3255bfef95601890afd80709 [calculated]
  Problems found locating distfiles:
    Package bsddip: missing distfile bsddip-1.02.tar.Z
    Package citrix_ica: missing distfile citrix_ica-10.6.115659/en.linuxx86.tar.gz
    Package djbdns: missing distfile djbdns-1.05-test25.diff.bz2
    Package djbdns: missing distfile djbdns-cachestats.patch
    Package djbdns: missing distfile 0002-dnscache-cache-soa-records.patch
    Package gated: missing distfile gated-3-5-11.tar.gz
    Package owncloudclient: missing distfile owncloudclient-2.0.2.tar.xz
    Package poink: missing distfile poink-1.6.tar.gz
    Package ra-rtsp-proxy: missing distfile rtspd-src-1.0.0.0.tar.gz
    Package ucspi-ssl: missing distfile ucspi-ssl-0.70-ucspitls-0.1.patch
    Package waste: missing distfile waste-source.tar.gz
  Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden).
  All existing SHA1 digests retained for now as an audit trail.
Update to 7.06, based on PR 50336 by Kai-Uwe Eckhardt:
  OpenConnect v7.06 (PGP signature) — 2015-03-17
    Fix openconnect.pc breakage after liboath removal.
    Refactor Juniper Network Connect receive loop.
    Fix some memory leaks.
    Add Bosnian translation.
  OpenConnect v7.05 (PGP signature) — 2015-03-10
    Fix alignment issue which broke LZS compression on ARM etc.
    Support HTTP authentication to servers, not just proxies.
    Work around Yubikey issue with non-ASCII passphrase set on pre-KitKat Android.
    Add SHA256/SHA512 support for OATH.
    Remove liboath dependency.
    Support DTLS v1.2 and AES-GCM with OpenSSL 1.0.2.
    Add OpenSSL 1.0.2 to known-broken releases (RT#3703, RT#3711).
    Fix build with OpenSSL HEAD (OpenSSL 1.1.x).
    Preliminary support for Juniper SSL VPN.
Import openconnect-7.04 as net/openconnect, packaged for wip by pdtafti, hfath, asau, kristerw, jakllsch, and keckhardt. OpenConnect is a client for Cisco's AnyConnect SSL VPN released under LGPL v2.1.