Add `./configure --enable-insecure-debugging` option.
authorDaniel Lenski <dlenski@gmail.com>
Fri, 15 May 2020 16:16:51 +0000 (09:16 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Wed, 11 Nov 2020 21:23:56 +0000 (13:23 -0800)
This re-enables --no-cert-check (removed in v7.08 as insecure), and makes SIGINT / Control-C detach from the session instead of logging it out.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
configure.ac
main.c

index 4b31d5070632b35e66ad52d53cb4f633bacc4250..7a2250dda542efacbebd1dd71b0e8f7080cceb8b 100644 (file)
@@ -989,6 +989,16 @@ if test "$jni_standalone" = "yes" ; then
 fi
 AC_SUBST(SYMVER_JAVA, $symver_java)
 
+AC_ARG_ENABLE([insecure-debugging],
+       AS_HELP_STRING([--enable-insecure-debugging],
+                      [Enable --no-cert-check option, and don't logout on SIGINT]),
+       [insecure_debugging=yes],[insecure_debugging=no])
+
+if test "$insecure_debugging" = "yes"; then
+    oldcflags="$CFLAGS"
+    CFLAGS="$CFLAGS -DINSECURE_DEBUGGING"
+fi
+
 AC_CHECK_HEADER([if_tun.h],
     [AC_DEFINE([IF_TUN_HDR], ["if_tun.h"], [if_tun.h include path])],
     [AC_CHECK_HEADER([linux/if_tun.h],
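Review bot: The action-if-given on the AC_ARG_ENABLE sets `insecure_debugging=yes` regardless of the value the user passed, so `--disable-insecure-debugging` or `--enable-insecure-debugging=no` would produce the insecure build; use `[insecure_debugging=$enableval]` and keep the existing `= "yes"` test on the next line. `oldcflags` is saved but, at least within this hunk, never restored, so it is dead state; if the intent is just to define the macro, `AC_DEFINE([INSECURE_DEBUGGING], [1], [Insecure debugging build])` into config.h would record it alongside the other configure results instead of hiding it in CFLAGS.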
@@ -1121,6 +1131,7 @@ SUMMARY([Java bindings], [$with_java])
 SUMMARY([Build docs], [$build_www])
 SUMMARY([Unit tests], [$have_cwrap])
 SUMMARY([Net namespace tests], [$have_netns])
+SUMMARY([Insecure debugging], [$insecure_debugging])
 
 if test "$ssl_library" = "OpenSSL"; then
     AC_MSG_WARN([[
diff --git a/main.c b/main.c
index 60b2fac57906fafd7bbf0f19528800ceaefcb3d0..3f365eb8260242d1b5e963e8925516aeafe76853 100644 (file)
--- a/main.c
+++ b/main.c
@@ -82,6 +82,9 @@ static int verbose = PRG_INFO;
 static int timestamp;
 int background;
 static int do_passphrase_from_fsid;
+#ifdef INSECURE_DEBUGGING
+static int nocertcheck;
+#endif
 static int non_inter;
 static int cookieonly;
 static int allow_stdin_read;
@@ -741,12 +744,18 @@ static void handle_signal(int sig)
 
        switch (sig) {
        case SIGTERM:
-       case SIGINT:
                cmd = OC_CMD_CANCEL;
                break;
        case SIGHUP:
                cmd = OC_CMD_DETACH;
                break;
+       case SIGINT:
+#ifdef INSECURE_DEBUGGING
+               cmd = OC_CMD_DETACH;
+#else
+               cmd = OC_CMD_CANCEL;
+#endif
+               break;
        case SIGUSR2:
        default:
                cmd = OC_CMD_PAUSE;
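Review bot: The new SIGINT case in handle_signal (whose body starts before this hunk) silently turns Ctrl-C into a detach under INSECURE_DEBUGGING, and nothing in the code says why, so a reader comparing the two builds will read it as a bug. Add a why-comment on the `#ifdef`, e.g. `/* INSECURE_DEBUGGING: Ctrl-C detaches (like SIGHUP) so the session survives for re-attaching; normal builds log out. */`. Alternatively fold it into the SIGHUP label with `#ifdef INSECURE_DEBUGGING` / `case SIGINT:` / `#endif` above `cmd = OC_CMD_DETACH;`, so there is a single detach path and the SIGINT label only needs to exist in the CANCEL group for normal builds.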
@@ -1438,6 +1447,12 @@ int main(int argc, char **argv)
                        openconnect_binary_version, openconnect_version_str);
        }
 
+#ifdef INSECURE_DEBUGGING
+       fprintf(stderr,
+               _("WARNING: This build is intended only for debugging purposes and\n"
+                 "         may allow you to establish insecure connections.\n"));
+#endif
+
        openconnect_init_ssl();
 
        vpninfo = openconnect_vpninfo_new((char *)"Open AnyConnect VPN Agent",
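Review bot: The startup banner warns only about insecure connections, but this build also changes Ctrl-C from logging out to detaching, which a user of a debug build will hit far more often than --no-cert-check; say so in the same message, e.g. replace the second line with `"         may allow you to establish insecure connections; Ctrl-C detaches\n"` `"         instead of logging out.\n"`. Using fprintf here rather than vpn_progress is presumably because vpninfo is created only on the following lines; a comment to that effect would stop someone "fixing" it later.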
@@ -1686,10 +1701,14 @@ int main(int argc, char **argv)
                        vpninfo->no_http_keepalive = 1;
                        break;
                case OPT_NO_CERT_CHECK:
+#ifdef INSECURE_DEBUGGING
+                       nocertcheck = 1;
+#else
                        fprintf(stderr,
                                _("The --no-cert-check option was insecure and has been removed.\n"
                                  "Fix your server's certificate or use --servercert to trust it.\n"));
                        exit(1);
+#endif
                        break;
                case 's':
                        vpnc_script = dup_config_arg();
@@ -2014,11 +2033,23 @@ int main(int argc, char **argv)
                ret = 1;
                break;
        case -EINTR:
-               vpn_progress(vpninfo, PRG_INFO, _("User cancelled (SIGINT/SIGTERM); exiting.\n"));
+               vpn_progress(vpninfo, PRG_INFO, _("User cancelled (SIGTERM%s); exiting.\n"),
+#ifdef INSECURE_DEBUGGING
+                            ""
+#else
+                            "/SIGINT"
+#endif
+                            );
                ret = 0;
                break;
        case -ECONNABORTED:
-               vpn_progress(vpninfo, PRG_INFO, _("User detached from session (SIGHUP); exiting.\n"));
+               vpn_progress(vpninfo, PRG_INFO, _("User detached from session (SIGHUP%s); exiting.\n"),
+#ifdef INSECURE_DEBUGGING
+                            "/SIGINT"
+#else
+                            ""
+#endif
+                            );
                ret = 0;
                break;
        default:
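Review bot: Splicing `"/SIGINT"` or `""` into `_("User cancelled (SIGTERM%s); exiting.\n")` via a preprocessor-selected format argument makes the translatable string a fragment ("SIGTERM%s") that translators cannot render naturally, and the same applies to the SIGHUP message below it. Prefer two complete `_()` strings selected by the `#ifdef`, which also drops the `%s` plumbing; the enclosing switch and main() start outside this hunk.
```c
	case -EINTR:
#ifdef INSECURE_DEBUGGING
		vpn_progress(vpninfo, PRG_INFO, _("User cancelled (SIGTERM); exiting.\n"));
#else
		vpn_progress(vpninfo, PRG_INFO, _("User cancelled (SIGINT/SIGTERM); exiting.\n"));
#endif
		ret = 0;
		break;
	case -ECONNABORTED:
#ifdef INSECURE_DEBUGGING
		vpn_progress(vpninfo, PRG_INFO, _("User detached from session (SIGHUP/SIGINT); exiting.\n"));
#else
		vpn_progress(vpninfo, PRG_INFO, _("User detached from session (SIGHUP); exiting.\n"));
#endif
		/* … unchanged: ret = 0; break; … */
```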
@@ -2114,6 +2145,14 @@ static int validate_peer_cert(void *_vpninfo, const char *reason)
                return -EINVAL;
        }
 
+#ifdef INSECURE_DEBUGGING
+       if (nocertcheck) {
+               vpn_progress(vpninfo, PRG_ERR,
+                            _("Ignoring because you built with --enable-insecure-debugging and invoked with --no-cert-check"));
+               return 0;
+       }
+#endif
+
        fingerprint = openconnect_get_peer_cert_hash(vpninfo);
 
        for (this = accepted_certs; this; this = this->next) {
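Review bot: The PRG_ERR message on the --no-cert-check bypass lacks the trailing `\n` that every other vpn_progress string in this diff carries, and it discards `reason`, so the operator is told the check was skipped but not what failed. Change it to `_("Ignoring because you built with --enable-insecure-debugging and invoked with --no-cert-check: %s\n"), reason`. If the fingerprint is wanted in the log too, move the bypass below the `openconnect_get_peer_cert_hash()` call and add it as a second `%s`; validate_peer_cert begins and ends outside this hunk, so check that nothing before the bypass depends on the hash being computed first.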