From ce7378bd005c4aa0dbfb1418154eca4f96741f8b Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Sat, 12 Jun 2021 08:33:10 +0100 Subject: [PATCH] Revert "with --allow-insecure-crypto, additionally attempt to disable insecure systemwide minimum crypto settings" This reverts commit 4e07eecaf04a48c3253a5dfd69d817673194e154. --- gnutls.c | 15 ++------------- library.c | 4 +++- main.c | 8 ++------ openconnect-internal.h | 11 +---------- openconnect.8.in | 7 ++----- openssl.c | 17 ++--------------- 6 files changed, 12 insertions(+), 50 deletions(-) diff --git a/gnutls.c b/gnutls.c index 8420ef4e..926e286a 100644 --- a/gnutls.c +++ b/gnutls.c @@ -78,23 +78,12 @@ const char *openconnect_get_tls_library_version() int can_enable_insecure_crypto() { - int ret = 0; - - if (setenv("GNUTLS_SYSTEM_PRIORITY_FILE", DEVNULL, 1) < 0) - return -errno; - - gnutls_global_deinit(); - ret = openconnect_init_ssl(); - if (ret) - return ret; - /* XX: As of GnuTLS 3.6.13, no released version has (yet) removed 3DES/RC4 from default builds, * but like OpenSSL (removed in 1.1.0) it may happen. */ if (gnutls_cipher_get_id("3DES-CBC") == GNUTLS_CIPHER_UNKNOWN || gnutls_cipher_get_id("ARCFOUR-128") == GNUTLS_CIPHER_UNKNOWN) - ret = -ENOENT; - - return ret; + return -ENOENT; + return 0; } /* Helper functions for reading/writing lines over TLS/DTLS. */ diff --git a/library.c b/library.c index e4bea9d0..13cb6e68 100644 --- a/library.c +++ b/library.c @@ -1010,8 +1010,10 @@ void openconnect_set_pfs(struct openconnect_info *vpninfo, unsigned val) int openconnect_set_allow_insecure_crypto(struct openconnect_info *vpninfo, unsigned val) { int ret = can_enable_insecure_crypto(); + if (ret) + return ret; vpninfo->allow_insecure_crypto = val; - return ret; + return 0; } void openconnect_set_cancel_fd(struct openconnect_info *vpninfo, int fd) diff --git a/main.c b/main.c index a0809def..36c683ce 100644 --- a/main.c +++ b/main.c 
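Review bot: The new body of can_enable_insecure_crypto() in gnutls.c only checks that 3DES-CBC and ARCFOUR-128 are compiled into the library, so it returns 0 even when the system priority file (the GNUTLS_SYSTEM_PRIORITY_FILE override this revert drops) or the default priority string still disables them, and the handshake then fails later without the probe having warned. That is presumably the accepted trade-off of the revert, but the function name and its caller in library.c read as a definitive "can enable" answer, so the limit should be stated on the check itself: `/* Only verifies the ciphers are built in; a system-wide crypto policy may still reject them at handshake time. */`. The `XX` comment above it describes only the removed-from-build case and does not cover this.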
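Review bot: In openconnect_set_allow_insecure_crypto() the early `if (ret) return ret;` now fires even when val is 0, so on a library without 3DES/RC4 an API caller asking to turn the flag off receives -ENOENT for what is effectively a no-op. If the intent is only to refuse enabling the ciphers, gate the probe on the requested value, `if (val && ret) return ret;`, or skip calling can_enable_insecure_crypto() entirely for val == 0. Behaviour for val == 1 is the same either way; this only matters if library consumers are expected to call it with 0.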
@@ -955,7 +955,6 @@ static void usage(void) printf(" --no-http-keepalive %s\n", _("Disable HTTP connection re-use")); printf(" --no-xmlpost %s\n", _("Do not attempt XML POST authentication")); printf(" --allow-insecure-crypto %s\n", _("Allow use of the ancient, insecure 3DES and RC4 ciphers")); - printf(" %s\n", _("(and attempt to override OS crypto policies)")); printf("\n"); @@ -1722,12 +1721,9 @@ int main(int argc, char **argv) openconnect_set_pfs(vpninfo, 1); break; case OPT_ALLOW_INSECURE_CRYPTO: - ret = openconnect_set_allow_insecure_crypto(vpninfo, 1); - if (ret == -ENOENT) - fprintf(stderr, _("WARNING: cannot enable insecure 3DES and/or RC4 ciphers, because the library\n" + if (openconnect_set_allow_insecure_crypto(vpninfo, 1)) { + fprintf(stderr, _("Cannot enable insecure 3DES or RC4 ciphers, because the library\n" "%s no longer supports them.\n"), openconnect_get_tls_library_version()); - else if (ret < 0) { - fprintf(stderr, _("Unknown error while enabling insecure crypto.\n")); exit(1); } break; diff --git a/openconnect-internal.h b/openconnect-internal.h index 34715a59..86c79145 100644 --- a/openconnect-internal.h +++ b/openconnect-internal.h @@ -49,15 +49,6 @@ #include "openconnect.h" -/* Equivalent of "/dev/null" on Windows. - * See https://stackoverflow.com/a/44163934 - */ -#ifdef _WIN32 -#define DEVNULL "NUL" -#else -#define DEVNULL "/dev/null" -#endif - #if defined(OPENCONNECT_OPENSSL) #include #include @@ -1240,7 +1231,7 @@ int do_gen_hotp_code(struct openconnect_info *vpninfo, struct oc_auth_form *form, struct oc_form_opt *opt); -int set_oidc_token(struct openconnect_info *vpninfo, +int set_oidc_token(struct openconnect_info *vpninfo, const char *token_str); /* stoken.c */ diff --git a/openconnect.8.in b/openconnect.8.in index e9a358a3..0f8f69d3 100644 --- a/openconnect.8.in +++ b/openconnect.8.in 
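Review bot: The help line left in usage() describes --allow-insecure-crypto only as allowing 3DES and RC4, while the openconnect.8.in hunk in this same patch says the option also enables SHA1 for server certificate validation; the two descriptions should agree so users know the option also weakens certificate checking. A second line in the style of the one being removed would close the gap: `printf("                            %s\n", _("(and SHA1 for server certificate validation)"));`. usage() itself begins and ends outside this hunk.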
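Review bot: The error branch in the OPT_ALLOW_INSECURE_CRYPTO case reports "no longer supports them" for any non-zero return from openconnect_set_allow_insecure_crypto(), which is accurate only while the backends' can_enable_insecure_crypto() can report nothing but -ENOENT (true of the gnutls.c and openssl.c versions in this patch, but not enforced anywhere). A one-line comment above the call would record that assumption for whoever adds another failure mode: `/* Only -ENOENT is possible today; any other error would be misreported as a missing cipher. */`. main() begins and ends outside this hunk.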
@@ -476,11 +476,8 @@ The ancient, broken 3DES and RC4 ciphers are insecure; we explicitly disable them by default. However, some still-in-use VPN servers can't do any better. -This option -.B attempts -to enable use of these insecure ciphers, as well as -the use of SHA1 for server certificate validation, and to override any -other system policies regarding minimum crypto requirements. +This option enables use of these insecure ciphers, as well as the use +of SHA1 for server certificate validation. .TP .B \-\-non\-inter Do not expect user input; exit if it is required. diff --git a/openssl.c b/openssl.c index e3358544..8a1c393b 100644 --- a/openssl.c +++ b/openssl.c @@ -63,23 +63,10 @@ const char *openconnect_get_tls_library_version() int can_enable_insecure_crypto() { - int ret = 0; - - if (setenv("OPENSSL_CONF", DEVNULL, 1) < 0) - return -errno; - - /* FIXME: deinitialize and reinitialize library, as is done for GnuTLS, - * to ensure that updated value is used. - * - * Cleaning up and reinitalizing OpenSSL appears to be complex: - * https://wiki.openssl.org/index.php/Library_Initialization#Cleanup - */ - if (EVP_des_ede3_cbc() == NULL || EVP_rc4() == NULL) - ret = -ENOENT; - - return ret; + return -ENOENT; + return 0; } int openconnect_sha1(unsigned char *result, void *data, int len) -- 2.49.0
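Review bot: The new can_enable_insecure_crypto() in openssl.c treats non-NULL EVP_des_ede3_cbc()/EVP_rc4() as proof the ciphers are usable, but those accessors only show the symbols were built in; whether the default OpenSSL configuration (the OPENSSL_CONF override this revert drops) actually permits them is decided at handshake time, and the removed FIXME about re-initialising the library is gone without a replacement note. If the supported OpenSSL range includes 3.x, the accessors also return static objects regardless of which providers are loaded, so the probe would not catch a missing legacy provider either — worth confirming against the versions the project targets. At minimum the body should state the limit: `/* Compile-time presence only; policy/provider availability is checked at handshake. */`.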