Kevin Cernekee [Sun, 28 Oct 2012 04:36:11 +0000 (21:36 -0700)]
csd: Don't return from run_csd_script() in the forked process
If something in the CSD child process fails, we want it to exit. We
do not want it to return to openconnect_obtain_cookie() and cause two
instances of the latter function to run in parallel.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
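As an added illustration of the property this commit restores (example code, not OpenConnect's own run_csd_script()): a POSIX fork/exec helper whose child branch ends in exec or _exit() and never returns into the caller. The names run_script(), demo_missing_script() and demo_known_exit_code() are hypothetical, and the script path and shell command used as input are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run argv[0] with arguments argv in a child process and return its exit
 * status (0..255), 128+signal if it was killed, or -1 if fork()/waitpid()
 * failed in the parent. Hypothetical helper, not OpenConnect's run_csd_script(). */
int run_script(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return -1;
    }
    if (pid == 0) {
        /* Child. From here on two processes share a copy of the caller's
         * state; this branch must end in exec or _exit(), never `return`.
         * If it returned, the caller (openconnect_obtain_cookie() in the
         * commit above) would continue in both processes at once. */
        execv(argv[0], argv);
        /* Only reached when execv() failed. _exit() skips atexit() handlers
         * and stdio flushing that belong to the parent's image; 127 mirrors
         * the shell's "command not found" status. */
        fprintf(stderr, "exec %s: %s\n", argv[0], strerror(errno));
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

/* Constructed cases: a script path that does not exist, and a shell command
 * with a known exit code. */
int demo_missing_script(void)
{
    char *argv[] = { "/nonexistent/csd-wrapper.sh", NULL };
    return run_script(argv);
}

int demo_known_exit_code(void)
{
    char *argv[] = { "/bin/sh", "-c", "exit 3", NULL };
    return run_script(argv);
}

int main(void)
{
    printf("missing script: %d\n", demo_missing_script());   /* 127: child exited, did not return */
    printf("sh -c 'exit 3': %d\n", demo_known_exit_code());  /* 3 */
    return 0;
}
```

The failed-exec case is the one that matters here: the parent sees a clean 127 from waitpid() and exactly one copy of the caller keeps running.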
Kevin Cernekee [Sun, 28 Oct 2012 04:14:07 +0000 (21:14 -0700)]
http: Record the last redirection type
The AnyConnect client uses the redirection type (new host, or just a
new URL on the same host) to figure out whether to use XML POST or
the old urlencoded scheme. Preserve this information for future use.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Wed, 24 Oct 2012 04:10:44 +0000 (21:10 -0700)]
library: Add call to change reported OS name
Newer gateways require the client to announce its platform name (win,
mac, linux, linux-64) in the HTTP headers and in the <config-auth>
section of each request. The gateway can be configured to apply different
security policies to different OSes, or even completely block access to
OSes that are not on the "approved" list.
Therefore, it is useful to be able to adjust the OS name that is reported
to the gateway.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Fri, 26 Oct 2012 04:53:10 +0000 (21:53 -0700)]
auth: Parse the new server response format
Newer AnyConnect installations use a different XML document tree
to pass information to the client. This patch allows OpenConnect
to parse the new format, and attempts to document both the old
format and the new format in the comments.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Fri, 26 Oct 2012 04:16:57 +0000 (21:16 -0700)]
auth: Remove obsolete trace message from parse_form()
parse_form() used to add hidden form fields to the query string on
the spot, but since it doesn't anymore, it should not display the
"Fixed options" trace message.
After making this change, we can remove the request / request_body
arguments.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 27 Oct 2012 19:25:50 +0000 (12:25 -0700)]
http: Fix overflow on HTTP request buffers
A malicious VPN gateway can send a very long hostname/path (for redirects)
or cookie list (in general), which OpenConnect will attempt to sprintf()
into a fixed length buffer. Each HTTP server response line can add
roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request,
but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is
allocated on the stack.
The result of passing a long "Location:" header looks like:
Attempting to connect to server 127.0.0.1:443
SSL negotiation with localhost
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on localhost
GET https://localhost/
Got HTTP response: HTTP/1.0 301 Moved
Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
SSL negotiation with localhost
Server certificate verify failed: self signed certificate in certificate chain
Connected to HTTPS on localhost
*** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
/lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
/scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
/scr/openconnect2/.libs/lt-openconnect[0x40413f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
/scr/openconnect2/.libs/lt-openconnect[0x404579]
The proposed fix is to use dynamically allocated buffers with overflow
checking.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
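Added example, not the project's patch: a growable request buffer with overflow checking of the kind the commit message proposes, beside a check that shows why a fixed MAX_BUF_LEN-byte stack buffer was insufficient for a redirect target of that size. The struct req_buf type, build_request(), fixed_buffer_would_overflow() and the demo_* helpers are hypothetical names; the 131072-byte cap and the localhost host are taken from the message above, and the long "Location:" path is constructed.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BUF_LEN 131072 /* cap of the old on-stack request buffer (commit message) */

/* Growable request buffer (hypothetical type); a failure sets `error` and makes later appends no-ops. */
struct req_buf {
    char *data;
    size_t len, cap; /* bytes used (excluding NUL) / bytes allocated */
    int error;
};

static int req_buf_fail(struct req_buf *b) { b->error = 1; return -1; }

/* Make room for `extra` more bytes plus the NUL, doubling the allocation. */
static int req_buf_ensure(struct req_buf *b, size_t extra)
{
    size_t need = b->len + extra + 1, ncap = b->cap ? b->cap : 1024;
    if (b->error || need < extra) return req_buf_fail(b); /* size_t wraparound */
    if (need <= b->cap) return 0;
    while (ncap < need) {
        if (ncap > SIZE_MAX / 2) return req_buf_fail(b);
        ncap *= 2;
    }
    char *p = realloc(b->data, ncap);
    if (!p) return req_buf_fail(b);
    b->data = p;
    b->cap = ncap;
    return 0;
}

/* printf-style append: measure with vsnprintf(), grow, then write; nothing is ever written past `cap`. */
static void req_buf_appendf(struct req_buf *b, const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (n < 0 || req_buf_ensure(b, (size_t)n) < 0) {
        req_buf_fail(b);
    } else {
        vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap2);
        b->len += (size_t)n;
    }
    va_end(ap2);
}

/* Request line and Host header for a (possibly attacker-chosen) redirect target; malloc()ed, NULL on failure. */
char *build_request(const char *host, const char *path)
{
    struct req_buf b = { 0 };
    req_buf_appendf(&b, "GET %s HTTP/1.1\r\n", path);
    req_buf_appendf(&b, "Host: %s\r\n", host);
    req_buf_appendf(&b, "\r\n");
    if (!b.error) return b.data;
    free(b.data);
    return NULL;
}

/* The pre-fix pattern, measured instead of executed: would sprintf() of the
 * same request into a char[MAX_BUF_LEN] on the stack write past its end? */
int fixed_buffer_would_overflow(const char *host, const char *path)
{
    int n = snprintf(NULL, 0, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", path, host);
    return n < 0 || (size_t)n + 1 > MAX_BUF_LEN;
}

/* Constructed input: a "Location:" path of MAX_BUF_LEN bytes, the size one response line can reach. */
static char *make_long_path(void)
{
    char *p = malloc(MAX_BUF_LEN + 1);
    if (!p) return NULL;
    memset(p, 'a', MAX_BUF_LEN);
    p[0] = '/';
    p[MAX_BUF_LEN] = '\0';
    return p;
}

int demo_long_redirect_overflows(void)
{
    char *p = make_long_path();
    int r = p ? fixed_buffer_would_overflow("localhost", p) : -1;
    free(p);
    return r;
}

size_t demo_long_redirect_request_len(void)
{
    char *p = make_long_path();
    char *req = p ? build_request("localhost", p) : NULL;
    size_t len = req ? strlen(req) : 0;
    free(req);
    free(p);
    return len;
}
```

The measure-then-write shape is the point: the length of the server-controlled strings decides how much is allocated, never how much is written past the end, and an allocation failure surfaces as a NULL return instead of a truncated or corrupted request.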
Kevin Cernekee [Sat, 13 Oct 2012 20:06:18 +0000 (13:06 -0700)]
stoken: Fill in "password" fields with a generated tokencode
If the gateway prompts for a password and soft token information is
available, generate a tokencode and mark the form field as OPT_STOKEN
so the user is not prompted for a password.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 19:31:18 +0000 (12:31 -0700)]
stoken: Implement new auth form to gather soft token information
If the user has asked to use a soft token, libopenconnect will prompt
for devid/pass/pin (as necessary) to unlock the soft token, prior to
the initial server connection. If the user aborts, soft token mode will
be disabled and the user will need to enter his tokencode by hand.
Manual entry could be useful for e.g. activating a new token.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sat, 13 Oct 2012 17:46:18 +0000 (10:46 -0700)]
stoken: Add software token functions to library API; bump to v2.1
openconnect_has_stoken_support(): returns 1 if the library was linked
with libstoken.
openconnect_set_stoken_mode(): enables/disables tokencode generation,
and tells the library how to locate the seed. Unless this function is
called, the library will not try to use a soft token.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Kevin Cernekee [Sun, 30 Sep 2012 03:02:35 +0000 (20:02 -0700)]
Delete references to long-removed SecurID code
Commit d707fc524 (Clean up auth form handling) removed securid.c and
the tokencode+PIN prompts, but the docs and headers still refer to these
features.
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Mike Miller [Thu, 19 Jul 2012 05:10:42 +0000 (01:10 -0400)]
Check for system CA certificate file for GnuTLS
Look in certain well-known system paths for the default file to give to
gnutls_certificate_set_x509_trust_file() if required. Auto-detection is
inspired by the GnuTLS configure script.
Signed-off-by: Mike Miller <mtmiller@ieee.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Wed, 11 Jul 2012 16:58:32 +0000 (17:58 +0100)]
Use P11_KIT_URI_FOR_ANY to preserve all attributes in PKCS#11 URIs
Otherwise we were losing the attributes which specified a token... which is
a pain when the token doesn't list private keys until you're logged in. In
that case you do *have* to specify the token otherwise the object will never
be found.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 10 Jul 2012 14:30:26 +0000 (15:30 +0100)]
Don't forget key password on reconnect / change hosts in GUI.
As part of the password handling cleanup, we were clearing the stored
->cert_password after using it. This means we have to retain the https_ctx
or https_cred structure for the whole lifetime of the vpninfo, even across
reconnects. Fix openconnect_reset_ssl() accordingly.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Stuart Henderson [Sun, 8 Jul 2012 15:23:05 +0000 (17:23 +0200)]
mainloop.c - malloc without a prototype
I noticed a little problem building OpenConnect against gnutls 3:
mainloop.c uses malloc() in queue_new_packet(). Somewhere in the chain
of openssl headers stdlib.h gets pulled in, so it works ok there, but
this isn't the case with a gnutls build.
Signed-off-by: Stuart Henderson <sthen@openbsd.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
A missing break in the case statement meant that --no-proxy would not disable
the proxy at all; it would actually have the same effect as --libproxy.
This bug has been present since the --no-proxy option was first added in
v2.20 (commit 9c6d3f1b), although it was falling through to the --script
option then.
Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sun, 1 Jul 2012 21:23:01 +0000 (22:23 +0100)]
Update changelog
It looks like the problematic server wasn't really objecting to SSLv3; it
was the lack of 3DES cipher. It wouldn't accept AES which was the only
thing that GnuTLS was offering.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Sat, 30 Jun 2012 00:41:59 +0000 (01:41 +0100)]
Separate requested from received MTU settings
This fixes a bug where an MTU requested with the --mtu option will actually
be set as the interface MTU even if the server replies with a smaller value.
It also fixes reconnect behaviour, by not turning the MTU response from
the server on the original connection into an override for the reconnect.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Fri, 29 Jun 2012 23:55:06 +0000 (00:55 +0100)]
Fix GnuTLS DTLS MTU for GnuTLS 3.0.21 and above
The fix in 4.01 (commit c218e2ac) was relying on buggy behaviour of
GnuTLS. It shouldn't have been sufficient just to pass it the *data* MTU
plus 13 and rely on the fact that GnuTLS will happily send packets
larger than that. In fixing GnuTLS MTU handling and adding the new
gnutls_dtls_set_data_mtu() function in 3.0.21, I have broken my own
code. And it serves me right.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>