Implement a function openconnect_set_useragent to allow external
programs that use libopenconnect to start a VPN (like NetworkManager)
to tune the User-Agent of the connection like the option --useragent does.
If they only tune the user agent name by the variable passed
through the openconnect_vpninfo_new function, the version number of
openconnect is automatically added after the chosen string.
AC_TRY_COMPILE is obsolete starting with autoconf 2.70
AC_COMPILE_IFELSE has been around since autoconf 2.50 at least,
according to "18.6.5 AC_ACT_IFELSE vs. AC_TRY_ACT":
https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/html_node/AC_005fACT_005fIFELSE-vs-AC_005fTRY_005fACT.html#AC_005fFOO_005fIFELSE-vs-AC_005fTRY_005fFOO
Since Autoconf 2.50, internal code uses
AC_PREPROC_IFELSE, AC_COMPILE_IFELSE, AC_LINK_IFELSE, and AC_RUN_IFELSE
on one hand and
AC_LANG_SOURCE, and AC_LANG_PROGRAM
on the other hand instead of the deprecated
AC_TRY_CPP, AC_TRY_COMPILE, AC_TRY_LINK, and AC_TRY_RUN.
Fixes this Autoconf warning:
warning: The macro `AC_TRY_COMPILE' is obsolete.
m4/lib-ld.m4
m4/lib-link.m4
m4/lib-prefix.m4
the latest versions from gnulib
acinclude.m4 → m4/ax_jni_include_dir.m4
the latest release 2022.02.11 from the Autoconf Archive
acinclude.m4 → as-compiler-flag.m4
copied as is because the origin of this file is unclear
it is different from the latest version in the Autostar Sandbox
As enforced by autoupdate, see 3.1.2 The Autoconf Language:
https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/html_node/Autoconf-Language.html
Daniel Lenski [Thu, 20 May 2021 00:01:01 +0000 (00:01 +0000)]
Do not ignore 0.0.0.0/0 specified as a "split"-{in,ex}clude route for oNCP
This addresses https://gitlab.com/openconnect/openconnect/-/issues/245. In the case
presented there, the oNCP server sends a Legacy IP netmask ("default route") of
255.255.255.255, and a "split"-include route of 0.0.0.0/0.0.0.0:
> Received split include route 0.0.0.0/0.0.0.0
> Received netmask 255.255.255.255
We also should not ignore 0.0.0.0/0 if specified as a "split"-exclude route, though
the purpose of such a route is unclear and we have never seen one in the wild.
Next, we should handle this case in the same way that we do for GlobalProtect,
as of https://gitlab.com/openconnect/openconnect/-/merge_requests/118; namely,
by replacing the 255.255.255.255 netmask with the 0.0.0.0/0 sent as a "split"-include,
and removing the latter from the list of split-includes.
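The route normalisation described above, as an added example that is not OpenConnect's own code: the function name, the string representation of routes and the constructed server values are assumptions for illustration.

```python
import ipaddress

DEFAULT_ROUTE = ipaddress.IPv4Network("0.0.0.0/0")


def parse_route(text):
    """Parse a route in the dotted form the oNCP server sends, e.g. '0.0.0.0/0.0.0.0'."""
    return ipaddress.IPv4Network(text, strict=False)


def normalise_oncp_routes(netmask, split_includes, split_excludes):
    """Handle 0.0.0.0/0 split routes the way the commit describes.

    netmask: the Legacy IP netmask string sent by the server (e.g. '255.255.255.255').
    split_includes / split_excludes: route strings as received, 'addr/dotted-mask'.

    Returns (netmask, includes, excludes). If the netmask is host-only
    (255.255.255.255) and a 0.0.0.0/0 split-include was received, the netmask
    becomes 0.0.0.0 (everything is routed through the tunnel, as for GlobalProtect)
    and the now-redundant default split-include is dropped. A 0.0.0.0/0
    split-exclude is kept rather than ignored; routes are never silently lost.
    """
    includes = [parse_route(r) for r in split_includes]
    excludes = [parse_route(r) for r in split_excludes]
    if netmask == "255.255.255.255" and DEFAULT_ROUTE in includes:
        netmask = "0.0.0.0"
        includes = [r for r in includes if r != DEFAULT_ROUTE]
    return netmask, [str(r) for r in includes], [str(r) for r in excludes]


if __name__ == "__main__":
    # Constructed values mirroring the log lines quoted in the commit message.
    print(normalise_oncp_routes("255.255.255.255",
                                ["0.0.0.0/0.0.0.0", "10.0.0.0/255.0.0.0"],
                                ["0.0.0.0/0.0.0.0"]))
```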
David Woodhouse [Fri, 22 Apr 2022 16:02:08 +0000 (17:02 +0100)]
Make all STRAP support conditional on HPKE
We really don't care about STRAP; we only did it for the external browser
support. The only case we've seen STRAP failing is when we *did* advertise
it and then didn't really do it, so omitting it completely seems harmless
for now.
And older GnuTLS such as on CentOS doesn't have some of the functions we
are using to obtain the Finished message or export the privkey, so just
disable it all. We *could* support the basic STRAP from GnuTLS 3.4.0 on
but there's not a lot of point.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 22 Apr 2022 15:14:17 +0000 (16:14 +0100)]
Silence static-analyser warning about redundant assignment to 'sep'
I did this for a reason. The *compiler* is clever enough not to bother
actually doing the assignment (not that it would matter anyway, since it
is hardly a fast path). But *developers*, including myself, are much less
likely to spot that it needs to be added in the 'deflate' case if we add
a new case at the end. So now in order to shut the tools up, I have to
turn a non-bug into a latent *actual* bug.
I suppose I could leave it there with a comment, or refactor it into a
loop over tuples of the form { COMPR_LZ4, "oc-lz4" }… but it probably
doesn't matter as we're unlikely to be adding more. Just suck it up.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
The assignment *was* necessary. The point was that the first time 'sep'
was used, it's a space. And *after* that, it's a comma. Using a comma
every time ends up sending headers which look like this:
X-DTLS-Accept-Encoding:,lzs
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Fri, 22 Apr 2022 14:39:14 +0000 (15:39 +0100)]
Export STRAP private key with AnyConnect cookie
For STRAP we need to reconnect using the same private key as the auth
process did. Thankfully we already have precedent for this; we can put
multiple 'cookies' into the opaque string that is passed from auth to
connection process, and use internal_split_cookies() to parse them.
So encode the privkey into an 'openconnect_strapkey' cookie which we
handle specially on ingestion.
Fix up a few places where vpninfo->cookie was handled directly, to make
it all work.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 21 Apr 2022 21:14:00 +0000 (22:14 +0100)]
Attempt to implement AnyConnect Session Token Re-use Anchor Protocol (STRAP)
In order to implement the external-browser SAML support we had to send
the X-AnyConnect-STRAP-Pubkey: header, even though we didn't really know
what that was.
That turns out to cause a regression for some users (issue #410), as the
server then rejects us if we don't include a valid X-AnyConnect-STRAP-Verify:
header in our CONNECT request.
That header is supposed to contain our Finished message from the TLS
handshake, hashed and signed with our STRAP-Pubkey. Or if we rekey, it's
a signed hash of the Finished message concatenated with the (DER) public
key that we also send in a new X-AnyConnect-STRAP-Pubkey: header.
Lightly tested, as we can't actually work out how to make *our* servers
reject the connections for this offence, and Cisco's documentation is
very sparse. But it shouldn't make things worse for anyone.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Fri, 11 Feb 2022 18:13:46 +0000 (10:13 -0800)]
GP: add 'internal=no' flag to the login and configuration requests
Without these flags, one user reports consistently hitting the "Matching
client config not found" error in response to the /ssl-vpn/getconfig.esp
request. See https://gitlab.com/openconnect/openconnect/-/issues/246
I *suspect* that 'internal=no' is the implicit default if unspecified
(https://gitlab.com/openconnect/openconnect/-/issues/246#note_836128670),
but we should get more testing on other GlobalProtect VPNs to confirm that
this works fine with them. If there is variation in whether this parameter
is allowed/expected, then we need a way to automatically detect the correct
value.
Daniel Lenski [Wed, 20 Apr 2022 03:43:27 +0000 (20:43 -0700)]
Fix initial client request XML structure when announcing multicert capability
Having a separate 'announce_multicert_capability' function wasn't ideal:
1. Building the initial '<config-auth>' XML was more spread out and complex
than necessary due to an extra layer of functions.
2. When multicert auth is offered by the client, the resultant XML actually
contained *two* nested capabilities/auth-method tags:
What Cisco clients appear to send is a *single* '<capabilities>' tag
containing multiple '<auth-method>', as shown in the MITM capture in the
comments of f51ecb36bedcd370086586295978627daeabade4 ("Converse the multiple certificate authentication (multicert) protocol."),
which introduced this structural mistake.
With the non-repeated '<capabilities>' tag, we can also fix the multicert
auth tests, where the check that the client was offering multicert was
disabled in 45da3b07dfc8f808e7b0d0bf80fbf7e73b1b0721 ("fake-cisco-server.py: Disable check for `multiple-cert` support"),
probably due to confusion over the XML structure and xmltodict's handling
of it.
DWORD is unsigned, so PRIu32 would be the proper format specifier for
DWORD, not PRId32. Except DWORD is defined as 'unsigned long int', while
PRIu32 is defined as u, and "%u" is the format specifier for 'unsigned int'.
What a mess! It looks like the only viable format specifier is "%lu".
obs workflow: add xdg-utils build-dep on openconnect.dsc too
Due to <reasons> we need to duplicate the list of build deps for Debian builds.
https://gitlab.com/openconnect/openconnect/-/commit/9b5a9e004af579bd3b24e115061fb99c94504bce
added this package to .obs/debian/control, also add it to .obs/openconnect.dsc
David Woodhouse [Tue, 12 Apr 2022 09:56:26 +0000 (11:56 +0200)]
fake-cisco-server.py: Disable check for `multiple-cert` support
Now that we support SSO, there are *multiple* auth-method nodes, not just one.
We should check that *one* of them contains 'multiple-cert'. Comment it
out for now.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Sun, 10 Apr 2022 21:11:39 +0000 (22:11 +0100)]
Add openconnect_set_external_browser_callback() and defaults
There is a little bit of duplication here since the *library* will spawn
the default (xdg-open) and the application (main.c) has basically the same
code, but that's because we don't want to *require* that the app register
the callback. With suitable default behaviour from the library, it will
work even with existing versions of the NM auth-dialog or other GUI tools.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 7 Apr 2022 11:30:21 +0000 (12:30 +0100)]
AnyConnect: Add support for external browser SSO
For external browser SSO we need to listen on a local port to accept the
encoded token from the browser, as it's passed to us via a redirect to
http://localhost:29786/api/sso/<base64>
This implements a simple listening loop, accepting connections and decoding
the blob we get back.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Mike Gilbert [Sun, 10 Apr 2022 16:21:57 +0000 (12:21 -0400)]
openssl: allow ALL ciphers when allow-insecure-crypto is enabled
Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
according to ciphers(1), the DEFAULT keyword cannot be combined with
other strings using the + characters. In other words, ":+3DES:+RC4" gets
ignored.
The user is opting into insecure behavior, so let's keep it simple and
just allow everything.
This change fixes the obsolete-server-crypto test when openconnect is
built against openssl-1.1.x.