Kevin Cernekee [Sat, 27 Oct 2012 19:25:50 +0000 (12:25 -0700)]
http: Fix overflow on HTTP request buffers
A malicious VPN gateway can send a very long hostname/path (for redirects)
or cookie list (in general), which OpenConnect will attempt to sprintf()
into a fixed length buffer. Each HTTP server response line can add
roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request,
but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is
allocated on the stack.
The result of passing a long "Location:" header looks like:
Attempting to connect to server 127.0.0.1:443
SSL negotiation with localhost
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on localhost
GET https://localhost/
Got HTTP response: HTTP/1.0 301 Moved
Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
SSL negotiation with localhost
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on localhost
*** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
/lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
/scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
/scr/openconnect2/.libs/lt-openconnect[0x40413f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
/scr/openconnect2/.libs/lt-openconnect[0x404579]
The proposed fix is to use dynamically allocated buffers with overflow
checking.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
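As an added illustration of the fix the message proposes (dynamically allocated buffers with overflow checking), here is a small growable request buffer in C. It is example code written for this page, not OpenConnect's own code and not part of the commit; the names `req_buf`, `req_buf_appendf`, `build_request` and the `REQ_BUF_MAX` cap (set to the 131072 figure quoted above) are assumptions. The point it demonstrates is that a server-supplied header of any length either fits within the cap or is refused with a sticky error, and in neither case can it write past the end of a fixed stack array the way the backtrace above shows.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable request buffer (not OpenConnect's API).
 * The ceiling mirrors the MAX_BUF_LEN value quoted in the commit message. */
#define REQ_BUF_MAX 131072

struct req_buf {
    char *data;   /* NUL-terminated contents, heap allocated */
    size_t len;   /* bytes used, excluding the NUL */
    size_t cap;   /* bytes allocated */
    int error;    /* sticky: once set, every later append is refused */
};

static void req_buf_init(struct req_buf *b)
{
    b->data = NULL; b->len = 0; b->cap = 0; b->error = 0;
}

static void req_buf_free(struct req_buf *b)
{
    free(b->data);
    req_buf_init(b);
}

/* Append printf-style text. Measures first with vsnprintf(NULL, 0, ...),
 * grows the heap buffer as needed, and refuses (rather than truncates or
 * overruns) anything that would push the request past REQ_BUF_MAX. */
static int req_buf_appendf(struct req_buf *b, const char *fmt, ...)
{
    va_list ap, ap2;
    int need;
    size_t needed;

    if (b->error)
        return -1;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    need = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (need < 0) {
        va_end(ap2);
        b->error = 1;
        return -1;
    }

    needed = b->len + (size_t)need + 1;      /* +1 for the terminating NUL */
    if (needed > REQ_BUF_MAX) {
        va_end(ap2);
        b->error = 1;                         /* oversized header: refuse it */
        return -1;
    }
    if (needed > b->cap) {
        size_t ncap = b->cap ? b->cap : 256;
        char *nd;
        while (ncap < needed)
            ncap *= 2;
        if (ncap > REQ_BUF_MAX)
            ncap = REQ_BUF_MAX;
        nd = realloc(b->data, ncap);
        if (!nd) {
            va_end(ap2);
            b->error = 1;
            return -1;
        }
        b->data = nd;
        b->cap = ncap;
    }
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap2);
    va_end(ap2);
    b->len += (size_t)need;
    return 0;
}

/* Assemble a minimal GET request from values that may have come from a
 * redirect "Location:" or a cookie list. Returns 0, or -1 if any piece
 * was refused (the buffer then holds nothing that was appended after). */
static int build_request(struct req_buf *b, const char *host,
                         const char *path, const char *cookie)
{
    req_buf_appendf(b, "GET %s HTTP/1.1\r\n", path);
    req_buf_appendf(b, "Host: %s\r\n", host);
    if (cookie)
        req_buf_appendf(b, "Cookie: %s\r\n", cookie);
    req_buf_appendf(b, "\r\n");
    return b->error ? -1 : 0;
}

int main(void)
{
    struct req_buf b;
    char *huge = malloc(REQ_BUF_MAX + 1);   /* constructed: oversized path */

    req_buf_init(&b);
    printf("normal request: %d\n", build_request(&b, "localhost", "/", "webvpn=abc"));
    req_buf_free(&b);

    memset(huge, 'a', REQ_BUF_MAX);
    huge[REQ_BUF_MAX] = '\0';
    req_buf_init(&b);
    printf("oversized path: %d (len %zu, nothing overrun)\n",
           build_request(&b, "localhost", huge, NULL), b.len);
    req_buf_free(&b);
    free(huge);
    return 0;
}
```

The sticky `error` flag is the design choice worth copying: callers can append a whole request without checking each return value and still cannot send a half-built request, because one check at the end catches any refused piece.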
Kevin Cernekee [Sat, 13 Oct 2012 20:06:18 +0000 (13:06 -0700)]
stoken: Fill in "password" fields with a generated tokencode
If the gateway prompts for a password and soft token information is
available, generate a tokencode and mark the form field as OPT_STOKEN
so the user is not prompted for a password.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 19:31:18 +0000 (12:31 -0700)]
stoken: Implement new auth form to gather soft token information
If the user has asked to use a soft token, libopenconnect will prompt
for devid/pass/pin (as necessary) to unlock the soft token, prior to
the initial server connection. If the user aborts, soft token mode will
be disabled and the user will need to enter his tokencode by hand.
Manual entry could be useful for e.g. activating a new token.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 17:46:18 +0000 (10:46 -0700)]
stoken: Add software token functions to library API; bump to v2.1
openconnect_has_stoken_support(): returns 1 if the library was linked
with libstoken.
openconnect_set_stoken_mode(): enables/disables tokencode generation,
and tells the library how to locate the seed. Unless this function is
called, the library will not try to use a soft token.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sun, 30 Sep 2012 03:02:35 +0000 (20:02 -0700)]
Delete references to long-removed SecurID code
Commit d707fc524 (Clean up auth form handling) removed securid.c and
the tokencode+PIN prompts, but the docs and headers still refer to these
features.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Mike Miller [Thu, 19 Jul 2012 05:10:42 +0000 (01:10 -0400)]
Check for system CA certificate file for GnuTLS
Look in certain well-known system paths for the default file to give to
gnutls_certificate_set_x509_trust_file() if required. Auto-detection is
inspired by the GnuTLS configure script.
Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 11 Jul 2012 16:58:32 +0000 (17:58 +0100)]
Use P11_KIT_URI_FOR_ANY to preserve all attributes in PKCS#11 URIs
Otherwise we were losing the attributes which specified a token... which is
a pain when the token doesn't list private keys until you're logged in. In
that case you do *have* to specify the token otherwise the object will never
be found.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 10 Jul 2012 14:30:26 +0000 (15:30 +0100)]
Don't forget key password on reconnect / change hosts in GUI.
As part of the password handling cleanup, we were clearing the stored
->cert_password after using it. This means we have to retain the https_ctx
or https_cred structure for the whole lifetime of the vpninfo, even across
reconnects. Fix openconnect_reset_ssl() accordingly.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Stuart Henderson [Sun, 8 Jul 2012 15:23:05 +0000 (17:23 +0200)]
mainloop.c - malloc without a prototype
I noticed a little problem building OpenConnect against gnutls 3;
mainloop.c uses malloc() in queue_new_packet(), somewhere in the chain
of openssl headers stdlib.h gets pulled in so it works ok there, but
this isn't the case with a gnutls build.
Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
A missing break in the case statement meant that --no-proxy would not disable
the proxy at all; it would actually have the same effect as --libproxy.
This bug has been present since the --no-proxy option was first added in
v2.20 (commit 9c6d3f1b), although it was falling through to the --script
option then.
Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 1 Jul 2012 21:23:01 +0000 (22:23 +0100)]
Update changelog
It looks like the problematic server wasn't really objecting to SSLv3; it
was the lack of 3DES cipher. It wouldn't accept AES which was the only
thing that GnuTLS was offering.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 30 Jun 2012 00:41:59 +0000 (01:41 +0100)]
Separate requested from received MTU settings
This fixes a bug where an MTU requested with the --mtu option will actually
be set as the interface MTU even if the server replies with a smaller value.
It also fixes reconnect behaviour, by not treating the MTU response from
the server on the original connection as an override for the reconnect.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 29 Jun 2012 23:55:06 +0000 (00:55 +0100)]
Fix GnuTLS DTLS MTU for GnuTLS 3.0.21 and above
The fix in 4.01 (commit c218e2ac) was relying on buggy behaviour of
GnuTLS. It shouldn't have been sufficient just to pass it the *data* MTU
plus 13 and rely on the fact that GnuTLS will happily send packets
larger than that. In fixing GnuTLS MTU handling and adding the new
gnutls_dtls_set_data_mtu() function in 3.0.21, I have broken my own
code. And it serves me right.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 26 Jun 2012 14:41:16 +0000 (15:41 +0100)]
Clean up Transifex import some more
Don't let local msgmerge use fuzzy translations either, don't care about
Translation-Team: changing, and use 'diff' so we actually see the changes
(since more often than not they're false positives, so it eases debugging).
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>