Unconditionally bypass system crypto policy

This makes me extremely sad, but they rolled it out with *no* way to
selectively allow the user to say "connect anyway", as we've always had
for "invalid" certificates, etc.

It's just unworkable and incomplete as currently implemented in the
distributions, so we have no choice except to bypass it and wait for
it to be fixed.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

diff --git a/configure.ac b/configure.ac
index bd9dde5092062515fae0c4c2928b5c828b65d7b6..91b1a5e61dcd797f2a3ddbc7b405e49ea9ff9bcb 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -26,6 +26,7 @@ symver_getline=
 symver_asprintf=
 symver_vasprintf=
 symver_win32_strerror=
+symver_win32_setenv=
 
 # Autoconf is stupid and if the first time it needs to find the C compiler
 # is conditional (as it is here for some of the MinGW checks), it forgets
@@ -60,6 +61,7 @@ case $host_os in
     # For asprintf()
     AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE])
     symver_win32_strerror="openconnect__win32_strerror;"
+    symver_win32_setenv="openconnect__win32_setenv;"
     # Win32 does have the SCard API
     system_pcsc_libs="-lwinscard"
     system_pcsc_cflags=
@@ -207,6 +209,7 @@ AC_SUBST(SYMVER_GETLINE, $symver_getline)
 AC_SUBST(SYMVER_ASPRINTF, $symver_asprintf)
 AC_SUBST(SYMVER_VASPRINTF, $symver_vasprintf)
 AC_SUBST(SYMVER_WIN32_STRERROR, $symver_win32_strerror)
+AC_SUBST(SYMVER_WIN32_SETENV, $symver_win32_setenv)
 
 AS_COMPILER_FLAGS(WFLAGS,
         "-Wall

diff --git a/libopenconnect.map.in b/libopenconnect.map.in
index 2e87f68e00866848dfa065d876b9dfdd242ce7ee..9e47bdf47fdb6ea63a9db7672e77271c54fa1e37 100644 (file)
--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -118,7 +118,7 @@ OPENCONNECT_5_7 {
 } OPENCONNECT_5_6;
 
 OPENCONNECT_PRIVATE {
- global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@
+ global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@ @SYMVER_WIN32_SETENV@
        openconnect_get_tls_library_version;
        openconnect_fopen_utf8;
        openconnect_open_utf8;

diff --git a/main.c b/main.c
index 36c683ce2b899f5f3a55de232b43cb8da8ab0e13..6ad456e3b7f4f49580b9beac368560b3dafbd449 100644 (file)
--- a/main.c
+++ b/main.c
@@ -1617,6 +1617,29 @@ int main(int argc, char **argv)
                  "         may allow you to establish insecure connections.\n"));
 #endif
 
+       /* Some systems have a crypto policy which completely prevents DTLSv1.0
+        * from being used, which is entirely pointless and will just drive
+        * users back to the crappy proprietary clients. Or drive OpenConnect
+        * to implement its own DTLS instead of using the system crypto libs.
+        * We're happy to conform by default to the system policy which is
+        * carefully curated to keep up to date with developments in crypto
+        * attacks —  but we also *need* to be able to override it and connect
+        * anyway, when the user asks us to. Just as we *can* continue even
+        * when the server has an invalid certificate, based on user input.
+        * It was a massive oversight that GnuTLS implemented the system
+        * policy *without* that basic override facility, so until/unless
+        * it actually gets implemented properly we have to just disable it.
+        * We can't do this from openconnect_init_ssl() since that would be
+        * calling setenv() from a library in someone else's process. And
+        * thankfully we don't really need to since the auth-dialogs don't
+        * care; this is mostly for the DTLS connection.
+        */
+#ifdef OPENCONNECT_GNUTLS
+       setenv("GNUTLS_SYSTEM_PRIORITY_FILE", DEVNULL, 0);
+#else
+       setenv("OPENSSL_CONF", DEVNULL, 0);
+#endif
+
        openconnect_init_ssl();
 
        vpninfo = openconnect_vpninfo_new((char *)"Open AnyConnect VPN Agent",

diff --git a/openconnect-internal.h b/openconnect-internal.h
index 86c79145db84c2abc8e752c0670777cc94bd8a38..97f0ba2411cbaaba1dc11176e08cadc2e6279b54 100644 (file)
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -49,6 +49,15 @@
 
 #include "openconnect.h"
 
+/* Equivalent of "/dev/null" on Windows.
+ * See https://stackoverflow.com/a/44163934
+ */
+#ifdef _WIN32
+#define DEVNULL "NUL:"
+#else
+#define DEVNULL "/dev/null"
+#endif
+
 #if defined(OPENCONNECT_OPENSSL)
 #include <openssl/ssl.h>
 #include <openssl/err.h>