obs workflow: add xdg-utils build-dep on openconnect.dsc too
Due to <reasons> we need to duplicate the list of build deps for Debian builds.
https://gitlab.com/openconnect/openconnect/-/commit/9b5a9e004af579bd3b24e115061fb99c94504bce
added this package to .obs/debian/control, also add it to .obs/openconnect.dsc
David Woodhouse [Tue, 12 Apr 2022 09:56:26 +0000 (11:56 +0200)]
fake-cisco-server.py: Disable check for `multiple-cert` support
Now that we support SSO, there are *multiple* auth-method nodes, not just one.
We should check that *one* of them contains 'multiple-cert'. Comment it
out for now.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Sun, 10 Apr 2022 21:11:39 +0000 (22:11 +0100)]
Add openconnect_set_external_browser_callback() and defaults
There is a little bit of duplication here since the *library* will spawn
the default (xdg-open) and the application (main.c) has basically the same
code, but that's because we don't want to *require* that the app register
the callback. With suitable default behaviour from the library, it will
work even with existing versions of the NM auth-dialog or other GUI tools.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 7 Apr 2022 11:30:21 +0000 (12:30 +0100)]
AnyConnect: Add support for external browser SSO
For external browser SSO we need to listen on a local port to accept the
encoded token from the browser, as it's passed to us via a redirect to
http://localhost:29786/api/sso/<base64>
This implements a simple listening loop, accepting connections and decoding
the blob we get back.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Mike Gilbert [Sun, 10 Apr 2022 16:21:57 +0000 (12:21 -0400)]
openssl: allow ALL ciphers when allow-insecure-crypto is enabled
Previously, the cipher list was set to "DEFAULT:+3DES:+RC4". However,
according to ciphers(1), the DEFAULT keyword cannot be combined with
other strings using the + characters. In other words, ":+3DES:+RC4" gets
ignored.
The user is opting into insecure behavior, so let's keep it simple and
just allow everything.
This change fixes the obsolete-server-crypto test when openconnect is
built against openssl-1.1.x.
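To see the ciphers(1) rule the commit describes on the local OpenSSL build, here is an added example (not OpenConnect code) using Python's `ssl` module, which passes the cipher string straight to OpenSSL. It shows that a `+` rule never adds ciphers, so `"DEFAULT:+3DES:+RC4"` selects exactly the `DEFAULT` set, while `"ALL"` (the string the commit switches to for the explicit `--allow-insecure-crypto` opt-in) is a superset; which weak ciphers `ALL` exposes depends on how the local OpenSSL was compiled, so the example reports them rather than assuming any.

```python
"""Added example (not OpenConnect code): why "DEFAULT:+3DES:+RC4" does not
add 3DES or RC4, checked against the OpenSSL that Python is linked to."""
import ssl


def cipher_names(cipher_string):
    """Return the set of cipher names OpenSSL selects for a cipher string.

    SSLContext.set_ciphers() hands the string to SSL_CTX_set_cipher_list(),
    so the result follows the ciphers(1) rules exactly.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return frozenset(c["name"] for c in ctx.get_ciphers())


def plus_is_a_noop():
    """A '+' rule only moves ciphers already in the list towards the end; it
    never adds any, so the selected set is the same as plain DEFAULT."""
    return cipher_names("DEFAULT:+3DES:+RC4") == cipher_names("DEFAULT")


def all_is_superset():
    """'ALL' contains every DEFAULT cipher plus whatever weaker ones this
    OpenSSL build still compiles in (possibly none)."""
    return cipher_names("DEFAULT") <= cipher_names("ALL")


def extra_ciphers_enabled_by_all():
    """The ciphers 'ALL' exposes beyond DEFAULT: this is exactly what a user
    opts into with --allow-insecure-crypto on this build."""
    return sorted(cipher_names("ALL") - cipher_names("DEFAULT"))


if __name__ == "__main__":
    print("'+3DES:+RC4' changed nothing:", plus_is_a_noop())
    print("ALL is a superset of DEFAULT:", all_is_superset())
    print("extra ciphers enabled by ALL:", extra_ciphers_enabled_by_all())
```

Run it against a few OpenSSL versions and the third line shows why the test in the commit message only passes once `ALL` is used: on a build where 3DES is outside `DEFAULT`, the `+3DES` rule has nothing to move, and only `ALL` brings it back.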
It's just a quirk that free takes non-const: it doesn't actually modify
the value pointed to, either conceptually or in practice, it merely looks
up the memory block using the pointer and deallocates it.
Unfortunately, the compiler will emit a warning when attempting to free()
a "const char *". So either switch to a pointer to non-const or cast to
(void *) when calling free() on a pointer to const.
David Woodhouse [Wed, 6 Apr 2022 15:42:09 +0000 (16:42 +0100)]
epoll: Handle EPOLLERR as 'readable'
When we use select(), an error event on a file descriptor causes it to
be reported as readable, and some of the handlers will only clean it up
if that happens. So set the 'readable' flag on EPOLLERR too.
This is part of #389.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
However, we forgot to make stoken.c set the `auth_id` for the forms that it
creates for RSA SecurID token decryption and PIN entry. Let's name these:
- `_rsa_unlock`, for token decryption.
- `_rsa_pin`, for PIN entry. Also, rename the numeric PIN field to `pin`
rather than `password`; there can't be any existing users relying on
`--form-entry` to set its value, because that wouldn't work without the
`auth_id`.
Luca Boccassi [Wed, 2 Mar 2022 16:35:29 +0000 (16:35 +0000)]
Add --enable-docs option
Allow explicitly disabling the building of documentation. Some
platforms are too old (RHEL 7) and even if Python is available due
to build macros, building documentation fails. Allow disabling it
explicitly.
David Woodhouse [Sat, 26 Feb 2022 17:34:26 +0000 (17:34 +0000)]
Fix Windows tun setup crash
The intention was to use vpninfo->hostname, by passing it as a parameter
to the create_ifname_w() function. But that function still just uses
vpninfo->ifname unconditionally, ignoring the argument. And causing the
crash in #370.
Fix up some bogus formatting while we're at it. We don't do open braces
on the same line as the function declaration.
Fixes: 48bd28aadd ("Use hostname as Wintun ifname (if ifname not specified)")
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Dimitri Papadopoulos [Sat, 20 Nov 2021 08:34:14 +0000 (09:34 +0100)]
Avoid assert statement outside of tests
This fixes DeepSource alerts:
Assert statement used outside of tests
Usage of assert statement in application logic is discouraged. assert is
removed with compiling to optimized byte code. Consider raising an
exception instead. Ideally, assert statement should be used only in tests.
Dimitri Papadopoulos [Sat, 20 Nov 2021 08:18:24 +0000 (09:18 +0100)]
Local variable redefined argument
This fixes a DeepSource alert:
Argument redefined from local
A local name is redefining an argument, which might suggest a potential
error. This is taken into account only for a handful of name binding
operations, such as for iterations, with statements, and exception
handler assignments.
Use `()` and `{}` instead of `list()` and `dict()`
This fixes a DeepSource alert:
Consider using literal syntax to create the data structure
Using the literal syntax can give minor performance bumps compared to
using function calls to create dict, list and tuple.
This is because here, the name dict must be looked up in the global
scope in case it has been rebound. Same goes for the other two types
list() and tuple().
Overridden methods should have identical parameters
This fixes a DeepSource alert:
Mismatched parameters in overridden method
Python will allow this, but if the overridden method is intended to be
executed from external code, you may want to reconsider this.
Overriding a method without ensuring that both methods accept the
same number and type of parameters has the potential to cause an
error when the overriding method is called with a number of parameters
that is illegal for the overridden method. This violates the Liskov
substitution principle.
Calls to `next()` should be inside a `try-except` block.
When the iterator is exhausted, a `StopIteration` exception is raised. When
used inside a generator, this can cause unexpected behavior. If not
handled, it will propagate out of the generator, causing termination.
PEP-479 has been accepted to fix this problem. It will modify the
behavior of `StopIteration` in generators.
Each call to `next()` should be wrapped in a `try-except` block to explicitly
handle `StopIteration` exceptions.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
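The `next()` alert above is easiest to understand by running both forms. The following is an added example, not code from the OpenConnect repository: a small pairing generator written once with an unguarded `next()`, which under PEP 479 (Python 3.7 and later) turns the inner `StopIteration` into a `RuntimeError` for the caller, and once with the `try-except` wrapper the alert asks for, which handles exhaustion explicitly. The `pair_up_*` function names and the odd-length input are constructed for the example.

```python
"""Added example (not from the OpenConnect repository): an unguarded next()
inside a generator versus the try/except form the DeepSource alert wants."""


def pair_up_unguarded(items):
    """Yield (a, b) pairs from an iterable.

    On odd-length input the inner next() exhausts the iterator inside the
    generator body. Since PEP 479 that StopIteration no longer silently ends
    the generator; Python converts it to RuntimeError for the consumer.
    """
    it = iter(items)
    for first in it:
        second = next(it)  # raises StopIteration when nothing is left
        yield first, second


def pair_up_guarded(items):
    """Same pairing, with next() wrapped as the alert recommends.

    The exhausted case is handled explicitly: the leftover element is
    reported paired with None and the generator returns normally.
    """
    it = iter(items)
    for first in it:
        try:
            second = next(it)
        except StopIteration:
            yield first, None
            return
        yield first, second


def run_unguarded(items):
    """Consume pair_up_unguarded and report what the caller actually sees."""
    try:
        return list(pair_up_unguarded(items))
    except RuntimeError as exc:
        return f"RuntimeError: {exc}"


if __name__ == "__main__":
    print("even input, unguarded:", run_unguarded([1, 2, 3, 4]))
    print("odd input, unguarded: ", run_unguarded([1, 2, 3]))
    print("odd input, guarded:   ", list(pair_up_guarded([1, 2, 3])))
```

The unguarded version looks correct on even-length input, which is why this kind of bug survives until an odd-length case reaches production; the guarded version makes the end-of-input policy a visible decision in the code rather than an exception type leaking out of the generator.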
Defining a local variable or function with the same name as a built-in
object makes the built-in object unusable within the current scope and
makes the code prone to bugs.
Dimitri Papadopoulos [Thu, 30 Dec 2021 21:35:37 +0000 (22:35 +0100)]
Check return value of sigaction()
It shouldn't fail, but you never know. Check the return value and print
an error message. Yet do not bail out, as OpenConnect might still be
able to create the VPN connection.
These fprintf() calls occur in functions called with an active vpninfo,
not from main(). Therefore prefer vpn_progress() so that error messages
can be properly displayed, for example in a GUI.
Dimitri Papadopoulos [Thu, 30 Dec 2021 21:57:26 +0000 (22:57 +0100)]
Consistency in error messages
- When ReadConsoleW() fails, the error message refers to the generic
ReadConsole() function, not its A or W version. Use the same rule
for CommandLineToArgW().
- Use similar error messages for fgets() and fgetws().
Dimitri Papadopoulos [Sat, 1 Jan 2022 19:28:03 +0000 (20:28 +0100)]
Win32: gai_strerror → WSAGetLastError
The Windows Sockets documentation recommends using WSAGetLastError()
instead of gai_strerror(), because the latter is not thread safe:
https://docs.microsoft.com/en-us/windows/win32/winsock/error-codes-errno-h-errno-and-wsagetlasterror-2
Properly decode the output using openconnect__win32_strerror().