Piotr Kubaj [Fri, 12 May 2017 13:24:37 +0000 (14:24 +0100)]
Fix build with LibreSSL 2.5.1 and higher.
We don't actually care if we use the read or write state; we're only
calculating the cipher/protocol overheads which are the same in both
directions.
In LibreSSL they were all removed in
https://github.com/libressl-portable/openbsd/commit/122ecd906da7
and the read side was restored in
https://github.com/libressl-portable/openbsd/commit/0d7a7d5f5a44
so just use that.
Signed-off-by: Piotr Kubaj <pkubaj@anongoth.pl> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Wed, 14 Dec 2016 20:30:47 +0000 (20:30 +0000)]
Rely on SoftHSM being installed correctly with a p11-kit .module file
I don't actually remember why I added my own; it *ought* to be installed
correctly by the distribution's packaging of SoftHSM.
There was a brief discussion about my hard-coded version being
Fedora-specific, followed by a suggestion that I could pick up the
proper path from and existing module file, followed by the realisation
that said existing module file would suffice anyway. So just require it.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Janne Juntunen [Tue, 29 Nov 2016 22:37:22 +0000 (22:37 +0000)]
Add support for Google Authenticator 2fa on Juniper VPN
We resently changed our Juniper VPN from SMS 2fa to use Google
Authenticator instead. Before it worked perfectly with "openconnect
--juniper" switch, but after the change all we got was:
Unknown form ID 'frmTotpToken'
and a dump of the form.
I spent some time debugging the issue, and managed to write a very
simple fix for it.
Signed-off-by: Janne Juntunen <janne.juntunen@hermanit.fi> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Mike Miller [Wed, 14 Dec 2016 18:02:13 +0000 (10:02 -0800)]
tests: avoid using eval with variable assignments
For shell portability, avoid using eval with variable assignments to set
openconnect's environment. Shell implementations vary on whether
variable assignments in front of eval are marked as environment
variables or just treated as ordinary shell assignments.
Every call to $OPENCONNECT already has LD_PRELOAD=libsocket_wrapper.so
in front of it, so the "eval LD_PRELOAD=libsocket_wrapper.so" was
redundant anyway.
Signed-off-by: Mike Miller <mtmiller@debian.org> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Nikolay Martynov [Thu, 17 Nov 2016 03:26:17 +0000 (22:26 -0500)]
IPv6 packet size field doesn't include header size, take this into account
IPv6 packet's 'length' field contains length of payload excluding headers.
Header's length (40) needs to be added to that to get complete packet length.
This patch seems to be fixing random VPN drops.
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Dan Lenski [Sun, 16 Oct 2016 01:56:30 +0000 (18:56 -0700)]
Correctly handle IPv4 route specified as either 10.1.2.0/255.255.255.0 or 10.1.2.0/24
The existing process_split_xxclude() only handles IPv4 routes
formatted as "10.1.2.0/255.255.255.0", not those formatted as
"10.1.2.0/24".
It's possible to unambiguously distinguish the two and handle the
latter case correctly, because no IPv4 netmask address can possibly
have a decimal integer value <= 32.
Signed-off-by: Daniel Lenski <dlenski@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Sat, 15 Oct 2016 01:46:34 +0000 (18:46 -0700)]
Unset got_cancel_cmd after reacting to it, as is already done for got_pause_cmd
Per David Woodhouse (http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004034.html):
> I think it's probably OK to set vpninfo->got_cancel_cmd=0 in the mainloop
> right before calling proto->vpn_close_session. If we get cancelled
> *again* then we'll give up on that too.
Without this fix, do_https_request() can't be used to close the
session — it interrupts itself as soon as it sees that got_cancel_cmd is
set.
Signed-off-by: Daniel Lenski <dlenski@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Daniel Lenski [Sun, 16 Oct 2016 19:37:58 +0000 (12:37 -0700)]
Make buf_append_urlencoded() percent-encode fewer characters.
Per RFC 3986, the characters '-', '_', '.', '~' don't need to be
percent-encoded anywhere in a URL or query string.
Removed special case for ' ' → '+' to prevent incompatibility with ocserv:
http://lists.infradead.org/pipermail/openconnect-devel/2016-October/004042.html
/* else if (c==' ')
buf_append_bytes(buf, "+", 1); */
Signed-off-by: Dan Lenski <dlenski@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 13 Dec 2016 11:36:15 +0000 (11:36 +0000)]
Stop using deprecated LZ4 functions
../cstp.c:865:3: warning: ‘LZ4_compress_limitedOutput’ is deprecated: use LZ4_compress_default() instead [-Wdeprecated-declarations]
ret = LZ4_compress_default((void*)this->data, (void*)vpninfo->deflate_pkt->data,
^~~
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Nikos Mavrogiannopoulos [Tue, 1 Nov 2016 08:32:31 +0000 (09:32 +0100)]
openconnect_check_peer_cert_hash: allow partial server hash matches
That is allow the user specifying a small part of the hash (e.g., 'sha256:6429')
in order to be able to connect. This is to ease test connections, when copy-paste
is not possible.
[dwmw2: Fix man page to say 'at least 4 characters' not 'more than']
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Tue, 4 Oct 2016 22:26:33 +0000 (23:26 +0100)]
Don't resume OpenSSL DTLS session for PSK-NEGOTIATE
Now that we are using a custom extension instead of the session-id
hack, we no longer need to pretend to resume a session. It was causing
a session-id of 32 zeroes to be included in the ClientHello. With
OpenSSL 1.1+, that was causing fragmentation which ocserv couldn't
cope with.
Perhaps ocserv *should* have coped with that fragmentation, and perhaps
we should increase our initial idea of the MTU to avoid the fragmentation.
But certainly we shouldn't be including an all-zero session-id for
resumption either.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 25 Sep 2016 19:32:17 +0000 (20:32 +0100)]
Fix openssl dependency in openssl.pc
When we discover a native system OpenSSL without pkg-config, don't
require openssl in openconnect.pc; instead add $OPENSSL_LIBS to
Libs.private. Only when we found it automatically though; when we
use --with-openssl=/where/I/built/openssl then we build statically
anyway so there's no need.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 25 Sep 2016 19:12:13 +0000 (20:12 +0100)]
Fix pcsclite dependency in openconnect.pc
On Windows and OSX, the PCSC support is provided by the system and not
a separate installation of libpcsclite. So don't require the pcsclite
package in the openconnect.pc file; instead add the appropriate thing
to Libs.private.
Reported-by: Björn Ketelaars <bjorn.ketelaars@hydroxide.nl> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Björn Ketelaars [Sun, 25 Sep 2016 15:02:59 +0000 (17:02 +0200)]
Small error in openconnect.8
openconnect.8 discusses 'basemtu' as option. Unfortunately this option is not
recognized. A quick glance in the source learned that 'base-mtu' should be
used.
Signed-off-by: Björn Ketelaars <bjorn.ketelaars@hydroxide.nl> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 23 Sep 2016 14:29:25 +0000 (15:29 +0100)]
Limit netmask on Windows TAP setup to 255.255.255.254
This makes a start on the problems with point-to-point configurations,
discussed in https://github.com/openconnect/openconnect-gui/issues/132
Some work is required in vpnc-script-win.js to make the routing do
anything useful, but at least it's not now *impossible* to persuade
it to pass any traffic.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 23 Sep 2016 13:56:17 +0000 (14:56 +0100)]
Attempt to re-open CONIN$ if stdin has been redirected on Windows
This should hopefully fix the problem with --passwd-on-stdin, described
in https://github.com/openconnect/openconnect-gui/issues/101
It doesn't actually work for me in wine, as I get 'Access Denied' when
trying to use ReadConsoleW() on the resulting handle. But wine is strange,
and this at least shouldn't make things any *worse*.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 23 Sep 2016 11:33:13 +0000 (12:33 +0100)]
Add session resume check for GnuTLS too
It's actually doing nothing here; no existing version of GnuTLS would
have let the session get established since we do not install any
credentials which would permit any key exchange. But it wasn't
*explicitly* prevented. And now it is.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Jon DeVree [Tue, 20 Sep 2016 01:00:18 +0000 (21:00 -0400)]
Add Content-Length header to mimic official pulse client
The official pulse client sends in a fixed "Content-Length: 256" header
with these two HTTP requests. Some versions of the VPN server will
reject requests with an HTTP 400 error if they do not have this header.
Signed-off-by: Jon DeVree <nuxi@vault24.org> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
The new negotiation is as follows: If the client's X-DTLS-CipherSuite
contains the "PSK-NEGOTIATE" keyword, the server will reply with
"X-DTLS-CipherSuite: PSK-NEGOTIATE" and will enable DTLS-PSK negotiation on the
DTLS channel.
That change utilizes the value provided by sever's X-DTLS-App-ID header
and sets that value to a TLS extension on client hello. The
extension used is defined on (draft-mavrogiannopoulos-app-id).
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 14 Sep 2016 16:22:45 +0000 (17:22 +0100)]
DTLS MTU detection fixes
Most importantly, in some circumstances it was setting the "detected"
MTU to the value of the first *failing* packet size, not the last
working one. But also fix up various other issues too, and optimise it
for the common case where the negotiated MTU *is* actually working.
There are still issues with the way we choose the next candidate address,
and it might never reach the actual best MTU. But it's better than it was.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 10 Sep 2016 17:09:54 +0000 (18:09 +0100)]
Revamp GnuTLS/OpenSSL detection
Clean this up somewhat, and remove the support for building with both at
once. There's no point in that any more — GnuTLS has had DTLS support for
ages, and we've have PKCS#11 support with OpenSSL for ages. So just pick
one and use it; don't mix and match.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 8 Sep 2016 20:08:23 +0000 (21:08 +0100)]
Escape 'PKCS#11 support' in configure summary
Otherwise, autoconf 2.63 on CentOS6 complains:
/usr/bin/m4:configure.ac:1088: ERROR: end of file in argument list
autom4te: /usr/bin/m4 failed with exit status: 1
aclocal: autom4te failed with exit status: 1
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 7 Sep 2016 19:35:15 +0000 (20:35 +0100)]
Call SSL_CTX_check_private_key() to validate cert+key match
OpenSSL does this for you... *only* if the key types match. But load a
cert for an EC key, and a non-matching RSA or DSA key to go with it,
and it won't tell you. It'll just silently fail to do any authentication
on the wire.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 5 Sep 2016 09:32:06 +0000 (10:32 +0100)]
Add pubkey-less PKCS#11 tests
Disabled for OpenSSL because it triggers a SEGV in EC_POINT_cmp() when
called from X509_check_private_key():
https://github.com/openssl/openssl/issues/1532
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 3 Sep 2016 22:57:19 +0000 (23:57 +0100)]
Create ocserv config files from configure script
When creating them from the scripts, they were overwriting each other
in parallel builds. Obviously we could just unique filenames for each
test, but this is nicer.
It does mean that the username/group is hard-coded at configure time,
but I don't think many people will ever notice or care about that.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
projects / users / dwmw2 / openconnect.git / log