David Woodhouse [Thu, 25 Apr 2019 11:01:02 +0000 (13:01 +0200)]
Clean up memset_s() detection a bit more.
Defining __STDC_WANT_LIB_EXT1__ to get memset_s() is required by the C11
standard, not a Solaris-ism. It's no use just to check for its presence
in the library with AC_CHECK_FUNC() if it isn't going to compile, so make
sure we check for it with AC_LINK_IFELSE() *and* with the warning flags
that might include -Werror-implicit-function-declarations.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
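An added example (not OpenConnect's code) of what the detection commit is guarding against: memset_s() is only declared when the C11 feature-test macro is defined before the first standard header, and a build must fall back when the library does not ship it at all (glibc does not). The volatile-pointer fallback and the all_zero()/demo() helpers are assumptions of this example, not something the project does.

```c
/* Added example, not part of OpenConnect. The feature-test macro must
 * precede every standard header, as C11 Annex K requires; otherwise
 * memset_s() is not declared even where the library provides it. */
#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>
#include <stddef.h>

/* Zero 'len' bytes at 'p' so that the stores survive optimisation.
 * Returns 0 on success, 1 if memset_s() reports a constraint violation. */
int secure_zero(void *p, size_t len)
{
#if defined(__STDC_LIB_EXT1__)
    /* The library advertises Annex K: memset_s() is declared and links. */
    return memset_s(p, len, 0, len) != 0;
#else
    /* Fallback (e.g. glibc, which has no memset_s()): write through a
     * volatile pointer so dead-store elimination cannot drop the writes. */
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
    return 0;
#endif
}

/* Which path was compiled in: 1 for memset_s(), 0 for the fallback.
 * In a real build this is the decision an AC_LINK_IFELSE() test makes. */
int uses_memset_s(void)
{
#if defined(__STDC_LIB_EXT1__)
    return 1;
#else
    return 0;
#endif
}

/* Check helper: 1 if every byte in [p, p+len) is zero, else 0. */
int all_zero(const void *p, size_t len)
{
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < len; i++)
        if (b[i] != 0)
            return 0;
    return 1;
}

/* Constructed self-check: fill a buffer with a non-zero pattern, wipe it
 * and report whether the wipe succeeded (1) or not (0). */
int demo(void)
{
    unsigned char secret[32];
    memset(secret, 0xAB, sizeof(secret));
    if (secure_zero(secret, sizeof(secret)) != 0)
        return 0;
    return all_zero(secret, sizeof(secret));
}
```

Whether `uses_memset_s()` returns 1 or 0 depends on the platform's libc, which is exactly why a configure-time link test with the project's warning flags is needed rather than a presence check alone.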
David Woodhouse [Tue, 9 Apr 2019 15:45:33 +0000 (18:45 +0300)]
Don't read from non-readable fds
By removing the unneeded reads from file descriptors that we know aren't
readable, ESP TX performance goes from 1700Mb/s to 1760Mb/s on my current
test setup.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Wed, 10 Apr 2019 14:42:43 +0000 (17:42 +0300)]
more careful gpst_esp_catch_probe()
The previous version of gpst_esp_catch_probe would catch/filter *any* ping reply sent over the tunnel
from the "magical" ESP "gateway" address. (Heavy-handed scare quotes intentional.)
This may result in confusing behavior in some testing/debugging scenarios, as described in this thread:
Daniel Lenski [Wed, 3 Apr 2019 14:22:08 +0000 (17:22 +0300)]
bugfix for OTP "challenge" form handling
In the patch entitled 'Recognise auth forms named "challenge" as token
requests' (commit 51f8feb6, released in v8.00) the condition for using an
OTP token in an AnyConnect login form was changed from:
(field is named `secondary_password`)
… to:
(field is named `secondary_password`) AND (form is named `challenge`)
This was almost certainly a mistake, and should have been as follows:
(field is named `secondary_password`) OR (form is named `challenge`)
This patch rewrites the condition to do just that, in a clearer form, and
should fix GitLab issue #24 (https://gitlab.com/openconnect/openconnect/issues/24#note_157035052).
Marc St-Amand [Tue, 5 Feb 2019 13:35:22 +0000 (08:35 -0500)]
auth-juniper.c: ignore non-empty lines from TNCC after DSPREAUTH cookie
This skips over a seemingly harmless DSPREAUTH failure:
Unexpected non-empty line from TNCC after DSPREAUTH cookie: '0'
Failed to read response from TNCC
Failed to obtain WebVPN cookie
After the unexpected '0', TNCC sends an empty line response and the
authentication sequence can proceed normally. In case other TNCC
variants send more chatter, the function ignores and logs up to 10
non-empty lines before giving up.
Signed-off-by: Marc St-Amand <pedalling.philosopher@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
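The line-skipping behaviour this commit describes, written as an added example rather than the project's auth-juniper.c code: after the DSPREAUTH cookie, up to 10 non-empty lines are logged and ignored, the first empty line ends the response, and anything beyond the limit (or end of stream) is a failure. The function names, the 256-byte line buffer and the fmemopen()-based transcript (a constructed sample, not a real TNCC capture) are assumptions of this example.

```c
/* Added example, not OpenConnect's code. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Upper bound on TNCC chatter tolerated after the DSPREAUTH cookie
 * (the limit the commit message describes). */
#define TNCC_MAX_CHATTER 10

/* Consume lines from 'fp' after the DSPREAUTH cookie. Non-empty lines are
 * logged and skipped; the first empty line is the normal end of the response.
 * Returns the number of non-empty lines skipped (>= 0), or -1 if more than
 * TNCC_MAX_CHATTER lines arrived or the stream ended before an empty line. */
int tncc_skip_chatter(FILE *fp)
{
    char line[256];
    int skipped = 0;

    while (fgets(line, sizeof(line), fp)) {
        /* Strip the line terminator, as a gets()-style reader would. */
        line[strcspn(line, "\r\n")] = '\0';
        if (line[0] == '\0')
            return skipped;          /* empty line: authentication can proceed */
        if (++skipped > TNCC_MAX_CHATTER) {
            fprintf(stderr, "Too many non-empty lines from TNCC after DSPREAUTH cookie\n");
            return -1;
        }
        fprintf(stderr, "Unexpected non-empty line from TNCC after DSPREAUTH cookie: '%s'\n",
                line);
    }
    fprintf(stderr, "Failed to read response from TNCC\n");
    return -1;
}

/* Run the reader over an in-memory transcript (constructed, not captured).
 * Returns what tncc_skip_chatter() returns, or -1 if the stream can't be opened. */
int tncc_skip_chatter_str(const char *transcript)
{
    FILE *fp = fmemopen((void *)transcript, strlen(transcript), "r");
    if (!fp)
        return -1;
    int rc = tncc_skip_chatter(fp);
    fclose(fp);
    return rc;
}
```

The transcript `"0\n\n"` reproduces the case from the commit: the stray `'0'` is logged, the following empty line ends the response, and the caller continues instead of failing to obtain the WebVPN cookie.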
David Woodhouse [Tue, 15 Jan 2019 15:16:08 +0000 (17:16 +0200)]
Add 'attempt-reconnect' vpnc-script reason
In https://gitlab.com/openconnect/openconnect/issues/17 we think we need
to give the vpnc-script a chance to reinstate the host route to the VPN
server before we can reconnect.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Mike Miller [Sat, 12 Jan 2019 01:04:09 +0000 (17:04 -0800)]
Define IPV6_TCLASS when it isn't defined on Hurd
Per https://bugs.debian.org/738646, Hurd uses the *BSD definition for
the socket option IPV6_TCLASS, but it is not yet provided in any system
header files.
Daniel Lenski [Sun, 6 Jan 2019 10:07:51 +0000 (02:07 -0800)]
no need to send multiple probe packets as an ESP keepalive
Both Juniper and GlobalProtect ESP send special probe packets to initiate the ESP connection, and as keepalives.
Multiple packets are sent to initiate the connection, because a lack of response will cause a total fallback to TLS.
However, one probe packet (per keepalive interval) is enough for the keepalive packets. GlobalProtect ESP already
did this, but Juniper did not.
This patch is motivated by me having access to the highest-latency Juniper VPN server in the known universe.
David Woodhouse [Wed, 9 Jan 2019 16:27:10 +0000 (16:27 +0000)]
Clean up DTLS cipher selection for OpenSSL >= 1.1.0
Where we have SSL_get1_supported_ciphers(), use it to generate the list we
advertise to the server in the first place. This stops us from advertising
DES support when we're not really going to do it, for example.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 9 Jan 2019 12:02:57 +0000 (12:02 +0000)]
OpenSSL: Loop over DTLS ciphersuites looking for the one we asked for.
As of OpenSSL 1.1.1, the trick of using SSL_CTX_set_cipher_list() and then
expecting only the one ciphersuite to be present in what we get back from
SSL_get_ciphers(), is no longer working. It now always returns the TLSv1.3
ciphers, even though we don't have DTLSv1.3 yet.
Reported as https://github.com/openssl/openssl/issues/8004 but probably
not going to change; the most likely outcome there is that I'm told that
I'm Doing It Wrong™ and a different approach is suggested.
In the meantime, just loop over the results and pick the one that we
actually asked for.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David GEIGER [Sat, 5 Jan 2019 22:27:24 +0000 (22:27 +0000)]
Fix Mageia TSS2_ESYS build
On Mageia Cauldron latest openconnect 8.00 and 8.01 fails to build with
TSS2_ESYS support due to a missing header in gnutls_tpm2_esys.c file, so
adding #include <errno.h> in gnutls_tpm2_esys.c fixes build.
Signed-off-by: David Geiger (Mageia Linux Team Packager) <geiger.david68210@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 4 Jan 2019 23:51:47 +0000 (23:51 +0000)]
Explicitly reference python2 in shebang for tncc-wrapper.py
The RPM build complains:
BUILDSTDERR: *** ERROR: ambiguous python shebang in /usr/libexec/openconnect/tncc-wrapper.py: #!/usr/bin/python. Change it to python3 (or python2) explicitly.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 4 Jan 2019 14:37:14 +0000 (14:37 +0000)]
Clean up TNCC error handling
As suggested by Daniel Lenski, create the oc_text_buf for the request
only once the TNCC wrapper has been spawned, to make the error handling
a bit saner. And remember to close the socketpair if fork() fails, too.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 4 Jan 2019 12:44:33 +0000 (12:44 +0000)]
Use cancellable_gets() for TNCC communication
Just keep things simple. This avoids SOCK_SEQPACKET which doesn't work on
OSX, and stops assuming that TNCC will send the whole response in a single
send() call.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 3 Jan 2019 21:39:08 +0000 (21:39 +0000)]
Encrypt digests being signed with IBM TSS2.
The digest itself will end up on the wire. But the computed hash including
the secrets should probably be obscured. For the TPM that's an input
parameter, which it must decrypt. Hence TPMA_SESSION_DECRYPT.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 21 Dec 2018 15:45:42 +0000 (15:45 +0000)]
Fix re-prompting for empty parent key password with TCG TSS2
It's odd, but persistent keys can be generated with empty password yet
still without the NODA flag.
It's OK to prompt the user for the (empty) password in that case, but
not to do it more than once, after already authenticating successfully
the first time.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>