David Woodhouse [Thu, 8 Nov 2012 13:31:23 +0000 (13:31 +0000)]
Include version.c from build dir in preference to source dir
This should fix out-of-source-tree builds from a tarball, which
otherwise would use the autogenerated $(objdir)/version.c for building
the library, but the pre-packaged $(srcdir)/version.c for the
executable. This is because the latter was included directly from main.c
by #include "version.c". By changing to #include <main.c> instead, we get
to use the new auto-generated one instead if anything's been changed.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Kevin Cernekee [Sun, 28 Oct 2012 07:41:32 +0000 (00:41 -0700)]
stoken: Fix CSD/stoken interaction
When using CSD, the auth form could be parsed more than once per
connection. Change the accounting so that stoken_tries only gets
incremented if a tokencode is actually generated.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sun, 28 Oct 2012 04:36:11 +0000 (21:36 -0700)]
csd: Don't return from run_csd_script() in the forked process
If something in the CSD child process fails, we want it to exit. We
do not want it to return to openconnect_obtain_cookie() and cause two
instances of the latter function to run in parallel.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sun, 28 Oct 2012 04:14:07 +0000 (21:14 -0700)]
http: Record the last redirection type
The AnyConnect client uses the redirection type (new host, or just a
new URL on the same host) to figure out whether to use XML POST or
the old urlencoded scheme. Preserve this information for future use.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Wed, 24 Oct 2012 04:10:44 +0000 (21:10 -0700)]
library: Add call to change reported OS name
Newer gateways require the client to announce its platform name (win,
mac, linux, linux-64) in the HTTP headers and in the <config-auth>
section of each request. The gateway can be configured to apply different
security policies to different OSes, or even completely block access to
OSes that are not on the "approved" list.
Therefore, it is useful to be able to adjust the OS name that is reported
to the gateway.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Fri, 26 Oct 2012 04:53:10 +0000 (21:53 -0700)]
auth: Parse the new server response format
Newer AnyConnect installations use a different XML document tree
to pass information to the client. This patch allows OpenConnect
to parse the new format, and attempts to document both the old
format and the new format in the comments.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Fri, 26 Oct 2012 04:16:57 +0000 (21:16 -0700)]
auth: Remove obsolete trace message from parse_form()
parse_form() used to add hidden form fields to the query string on
the spot, but since it doesn't anymore, it should not display the
"Fixed options" trace message.
After making this change, we can remove the request / request_body
arguments.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 27 Oct 2012 19:25:50 +0000 (12:25 -0700)]
http: Fix overflow on HTTP request buffers
A malicious VPN gateway can send a very long hostname/path (for redirects)
or cookie list (in general), which OpenConnect will attempt to sprintf()
into a fixed length buffer. Each HTTP server response line can add
roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request,
but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is
allocated on the stack.
The result of passing a long "Location:" header looks like:
Attempting to connect to server 127.0.0.1:443
SSL negotiation with localhost
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on localhost
GET https://localhost/
Got HTTP response: HTTP/1.0 301 Moved
Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
SSL negotiation with localhost
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on localhost
*** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
/lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
/scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
/scr/openconnect2/.libs/lt-openconnect[0x40413f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
/scr/openconnect2/.libs/lt-openconnect[0x404579]
The proposed fix is to use dynamically allocated buffers with overflow
checking.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
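The dynamically allocated, overflow-checked buffer this commit proposes, as an added example that is not OpenConnect's own code (reqbuf, reqbuf_append and build_request are illustrative names): every server-supplied value is measured with vsnprintf() before it is copied, so a Location: or Cookie: value longer than MAX_BUF_LEN grows a heap buffer instead of overrunning a fixed stack buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable request buffer; the names are illustrative, not OpenConnect's. */
struct reqbuf {
    char *data;   /* NUL-terminated contents, NULL after a failure */
    size_t len;   /* bytes used, excluding the NUL */
    int error;    /* sticky: set once any append has failed */
};

/* Append formatted text, growing the buffer to fit. On failure the error
 * flag goes sticky and later appends are no-ops; the caller checks it once. */
static void reqbuf_append(struct reqbuf *b, const char *fmt, ...)
{
    va_list ap;
    int n;
    char *p;

    if (b->error)
        return;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);   /* measure first, never truncate */
    va_end(ap);
    p = n < 0 ? NULL : realloc(b->data, b->len + (size_t)n + 1);
    if (!p) {
        free(b->data);
        b->data = NULL;
        b->error = 1;
        return;
    }
    b->data = p;
    va_start(ap, fmt);
    vsnprintf(b->data + b->len, (size_t)n + 1, fmt, ap);
    va_end(ap);
    b->len += (size_t)n;
}

/* Build a request from server-supplied host, path and cookie values.
 * Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *build_request(const char *host, const char *path, const char *cookie)
{
    struct reqbuf b = { NULL, 0, 0 };
    reqbuf_append(&b, "GET %s HTTP/1.1\r\nHost: %s\r\n", path, host);
    if (cookie)
        reqbuf_append(&b, "Cookie: %s\r\n", cookie);
    reqbuf_append(&b, "\r\n");
    return b.error ? NULL : b.data;
}
```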
Kevin Cernekee [Sat, 13 Oct 2012 20:06:18 +0000 (13:06 -0700)]
stoken: Fill in "password" fields with a generated tokencode
If the gateway prompts for a password and soft token information is
available, generate a tokencode and mark the form field as OPT_STOKEN
so the user is not prompted for a password.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 19:31:18 +0000 (12:31 -0700)]
stoken: Implement new auth form to gather soft token information
If the user has asked to use a soft token, libopenconnect will prompt
for devid/pass/pin (as necessary) to unlock the soft token, prior to
the initial server connection. If the user aborts, soft token mode will
be disabled and the user will need to enter his tokencode by hand.
Manual entry could be useful for e.g. activating a new token.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 17:46:18 +0000 (10:46 -0700)]
stoken: Add software token functions to library API; bump to v2.1
openconnect_has_stoken_support(): returns 1 if the library was linked
with libstoken.
openconnect_set_stoken_mode(): enables/disables tokencode generation,
and tells the library how to locate the seed. Unless this function is
called, the library will not try to use a soft token.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sun, 30 Sep 2012 03:02:35 +0000 (20:02 -0700)]
Delete references to long-removed SecurID code
Commit d707fc524 (Clean up auth form handling) removed securid.c and
the tokencode+PIN prompts, but the docs and headers still refer to these
features.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Mike Miller [Thu, 19 Jul 2012 05:10:42 +0000 (01:10 -0400)]
Check for system CA certificate file for GnuTLS
Look in certain well-known system paths for the default file to give to
gnutls_certificate_set_x509_trust_file() if required. Auto-detection is
inspired by the GnuTLS configure script.
Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 11 Jul 2012 16:58:32 +0000 (17:58 +0100)]
Use P11_KIT_URI_FOR_ANY to preserve all attributes in PKCS#11 URIs
Otherwise we were losing the attributes which specified a token... which is
a pain when the token doesn't list private keys until you're logged in. In
that case you do *have* to specify the token otherwise the object will never
be found.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 10 Jul 2012 14:30:26 +0000 (15:30 +0100)]
Don't forget key password on reconnect / change hosts in GUI.
As part of the password handling cleanup, we were clearing the stored
->cert_password after using it. This means we have to retain the https_ctx
or https_cred structure for the whole lifetime of the vpninfo, even across
reconnects. Fix openconnect_reset_ssl() accordingly.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>