Subject: CVS commit: pkgsrc/net/openconnect
From: Amitai Schleier
Date: 2022-10-18 03:18:10
Message id: 20221018011810.8941BFA90@cvs.NetBSD.org

Log Message:
Update to 9.01. From the changelog:

9.01:
- Fix library minor version (missing bump to 5.8).

9.00:
- Add support for AnyConnect "Session Token Re-use Anchor Protocol"
  (STRAP) (#410).
- Add support for AnyConnect "external browser" SSO mode (!354).
- On Windows, fix crash on tunnel setup. (#370, 6a2ffbb)
- Bugfix RSA SecurID token decryption and PIN entry forms, broken in
  v8.20. (#388, !344)
- Support Cisco's multiple-certificate authentication (!194).
- Append internal=no to GlobalProtect authentication/configuration
  forms, for compatibility with servers which apparently require this to
  function properly. (#246, !337)
- Revert GlobalProtect default route handling change from v8.20. (!367)
- Support split-exclude routes for Fortinet. (#394, !345)
- Add openconnect_set_useragent() function.
- Add webview callback and SAML/SSO support for AnyConnect,
  GlobalProtect. (!126).

8.20:
- When the queue length (-Q option) is 16 or more, try using vhost-net
  to accelerate tun device access.
- Use epoll() where available.
- Support non-AEAD ciphersuites in DTLSv1.2 with AnyConnect. (#249)
- Make tncc-emulate.py work with Python 3.7+. (#152, !120)
- Emulated a newer version of GlobalProtect official clients, 5.1.5-8;
  was 4.0.2-19 (!131)
- Support Juniper login forms containing both password and 2FA
  token (!121)
- Explicitly disable 3DES and RC4, unless enabled with
  --allow-insecure-crypto (!114)
- Add obsolete-server-crypto test (!114)
- Allow protocols to delay tunnel setup and shutdown (!117)
- Support for GlobalProtect IPv6 (!155 and !188; previous work in
  d6db0ec)
- SIGUSR1 causes OpenConnect to log detailed connection information and
  statistics (!154)
- Allow --servercert to be specified multiple times in order to accept
  server certificates matching more than one possible fingerprint
  (!162, #25)
- Add insecure debugging build mode for developers (!112)
- Demangle default routes sent as split routes by GlobalProtect (!118)
- Improve GlobalProtect login argument decoding (!143)
- Add detection of authentication expiration date, intended to allow
  front-ends to cache and reuse authentication cookies/sessions (!156)
- Small bug fixes and clarification of many logging messages.
- Support more Juniper login forms, including some SSO forms (!171)
- Automatically build Windows installers for OpenConnect command-line
  interface (!176)
- Restore compatibility with newer Cisco servers, by no longer sending
  them the X-AnyConnect-Platform header (#101, !175)
- Add support for PPP-based protocols, currently over TLS only (!165).
- Add support for two PPP-based protocols, F5 with --protocol=f5 and
  Fortinet with --protocol=fortinet (!169).
- Add experimental support for Wintun Layer 3 TUN driver under Windows
  (#231, !178).
- Clean up and improve Windows routing/DNS configuration script
  (vpnc-scripts!26, vpnc-scripts!41, vpnc-scripts!44).
- On Windows, reclaim needed IP addresses from down network interfaces
  so that configuration script can succeed (!178).
- Fix output redirection under Windows (#229)
- More gracefully handle idle timeouts and other fatal errors for
  Juniper and Pulse (!187)
- Ignore failures to fetch the Juniper/oNCP landing page if the
  authentication was successful (3e779436).
- Add support for Array Networks SSL VPN (#102)
- Support TLSv1.3 with TPMv2 EC and RSA keys, add test cases for swtpm
  and hardware TPM. (ed80bfac...ee1cd782)
- Add openconnect_get_connect_url() to simplify passing correct server
  information to the connecting openconnect process.
  (NetworkManager-openconnect #46, #53)
- Disable brittle "system policy" enforcement where it cannot be
  gracefully overridden at user request. (RH#1960763).
- Pass "portal cookie" fields from GlobalProtect portal to gateway to
  avoid repetition of password- or SAML-based login (!199)
- With --user, enter username supplied via command-line into all
  authentication forms, not just the first. (#267, !220).
- Fix a subtle bug which has prevented ESP rekey and ESP-to-TLS fallback
  from working reliably with the Juniper/oNCP protocol since v8.04.
  (#322, !293).
- Fix a bug in csd-wrapper.sh which has prevented it from correctly
  downloading compressed Trojan binaries since at least v8.00. (!305)
- Make Windows socketpair emulation more robust in the face of Windows's
  ability to break its localhost routes. (#228, #361, !320)
- Perform proper disconnect and routes cleanup on Windows when receiving
  Ctrl+C or Ctrl+Break. (#362, !323)
- Improve logging in routing/DNS configuration scripts. (!328,
  vpnc-scripts!45)
- Support modified configuration packet from Pulse 9.1R14 servers
  (#379, !331)

Files:
RevisionActionfile
1.23modifypkgsrc/net/openconnect/Makefile
1.14modifypkgsrc/net/openconnect/distinfo
1.1removepkgsrc/net/openconnect/patches/patch-configure