Enforce the system wide crypto policies

Resolves: rhbz#1179331
f38
Nikos Mavrogiannopoulos 10 years ago
parent f01a25faa6
commit a948c6a3ee

@ -0,0 +1,200 @@
From 4892c7a53bb0adec98c4540a0b127b209625f82a Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 4 Mar 2015 10:29:06 +0100
Subject: [PATCH 2/2] when using gnutls enable only the DTLS ciphersuites that
were available during TLS
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
cstp.c | 3 ++
dtls.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++----
gnutls.c | 7 ++---
openconnect-internal.h | 2 ++
4 files changed, 81 insertions(+), 10 deletions(-)
diff --git a/cstp.c b/cstp.c
index d0d7eff..a06ca34 100644
--- a/cstp.c
+++ b/cstp.c
@@ -202,6 +202,9 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
vpninfo->ip_info.domain = vpninfo->ip_info.proxy_pac = NULL;
vpninfo->banner = NULL;
+ if (!vpninfo->dtls_ciphers)
+ vpninfo->dtls_ciphers = dtls_ciphers_from_conn(vpninfo);
+
for (i = 0; i < 3; i++)
vpninfo->ip_info.dns[i] = vpninfo->ip_info.nbns[i] = NULL;
free_split_routes(vpninfo);
diff --git a/dtls.c b/dtls.c
index abffbf1..6ac537d 100644
--- a/dtls.c
+++ b/dtls.c
@@ -222,6 +222,11 @@ static SSL_SESSION *generate_dtls_session(struct openconnect_info *vpninfo,
}
#endif
+char *dtls_ciphers_from_conn(struct openconnect_info *vpninfo)
+{
+ return NULL;
+}
+
static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
{
STACK_OF(SSL_CIPHER) *ciphers;
@@ -438,27 +443,89 @@ void dtls_shutdown(struct openconnect_info *vpninfo)
#include <gnutls/dtls.h>
#include "gnutls.h"
+#define SSTR(x) x,sizeof(x)
struct {
const char *name;
+ unsigned name_len;
gnutls_protocol_t version;
gnutls_cipher_algorithm_t cipher;
gnutls_mac_algorithm_t mac;
const char *prio;
+ unsigned disabled;
} gnutls_dtls_ciphers[] = {
- { "AES128-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1,
+ { SSTR("AES128-SHA"), GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_MAC_SHA1,
"NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-128-CBC:+SHA1:+RSA:%COMPAT" },
- { "AES256-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA1,
+ { SSTR("AES256-SHA"), GNUTLS_DTLS0_9, GNUTLS_CIPHER_AES_256_CBC, GNUTLS_MAC_SHA1,
"NONE:+VERS-DTLS0.9:+COMP-NULL:+AES-256-CBC:+SHA1:+RSA:%COMPAT" },
- { "DES-CBC3-SHA", GNUTLS_DTLS0_9, GNUTLS_CIPHER_3DES_CBC, GNUTLS_MAC_SHA1,
+ { SSTR("DES-CBC3-SHA"), GNUTLS_DTLS0_9, GNUTLS_CIPHER_3DES_CBC, GNUTLS_MAC_SHA1,
"NONE:+VERS-DTLS0.9:+COMP-NULL:+3DES-CBC:+SHA1:+RSA:%COMPAT" },
#if GNUTLS_VERSION_NUMBER >= 0x030207 /* if DTLS 1.2 is supported (and a bug in gnutls is solved) */
- { "OC-DTLS1_2-AES128-GCM", GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_128_GCM, GNUTLS_MAC_AEAD,
+ { SSTR("OC-DTLS1_2-AES128-GCM"), GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_128_GCM, GNUTLS_MAC_AEAD,
"NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-128-GCM:+AEAD:+RSA:%COMPAT:+SIGN-ALL" },
- { "OC-DTLS1_2-AES256-GCM", GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_256_GCM, GNUTLS_MAC_AEAD,
+ { SSTR("OC-DTLS1_2-AES256-GCM"), GNUTLS_DTLS1_2, GNUTLS_CIPHER_AES_256_GCM, GNUTLS_MAC_AEAD,
"NONE:+VERS-DTLS1.2:+COMP-NULL:+AES-256-GCM:+AEAD:+RSA:%COMPAT:+SIGN-ALL" },
#endif
};
+char *dtls_ciphers_from_conn(struct openconnect_info *vpninfo)
+{
+ /* only enable the ciphers that would have been negotiated in the TLS channel */
+ unsigned i, j;
+ int ret;
+ unsigned idx;
+ gnutls_cipher_algorithm_t cipher;
+ gnutls_mac_algorithm_t mac;
+ struct oc_text_buf *buf;
+ gnutls_priority_t cache;
+ char *p;
+
+ /* everything is disabled by default */
+ for (i = 0; i < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); i++) {
+ gnutls_dtls_ciphers[i].disabled = 1;
+ }
+
+ ret = gnutls_priority_init(&cache, vpninfo->gnutls_default_prio, NULL);
+ if (ret < 0)
+ return NULL;
+
+ for (j=0;;j++) {
+ ret = gnutls_priority_get_cipher_suite_index(cache, j, &idx);
+ if (ret == GNUTLS_E_UNKNOWN_CIPHER_SUITE)
+ continue;
+ else if (ret < 0)
+ break;
+
+ if (gnutls_cipher_suite_info(idx, NULL, NULL, &cipher, &mac, NULL) != NULL) {
+ for (i = 0; i < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); i++) {
+ if (gnutls_dtls_ciphers[i].mac == mac && gnutls_dtls_ciphers[i].cipher == cipher) {
+ gnutls_dtls_ciphers[i].disabled = 0;
+ break;
+ }
+ }
+ }
+ }
+
+ buf = buf_alloc();
+
+ for (i = 0; i < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); i++) {
+ if (!gnutls_dtls_ciphers[i].disabled) {
+ if (buf->buf_len == 0) {
+ buf_append(buf, "%s", gnutls_dtls_ciphers[i].name);
+ } else {
+ buf_append(buf, ":%s", gnutls_dtls_ciphers[i].name);
+ }
+ }
+ }
+
+ /* steal buffer */
+ p = buf->data;
+ buf->data = NULL;
+
+ buf_free(buf);
+ gnutls_priority_deinit(cache);
+ return p;
+}
+
#define DTLS_SEND gnutls_record_send
#define DTLS_RECV gnutls_record_recv
#define DTLS_FREE gnutls_deinit
@@ -470,7 +537,7 @@ static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
int cipher;
for (cipher = 0; cipher < sizeof(gnutls_dtls_ciphers)/sizeof(gnutls_dtls_ciphers[0]); cipher++) {
- if (!strcmp(vpninfo->dtls_cipher, gnutls_dtls_ciphers[cipher].name))
+ if (!strcmp(vpninfo->dtls_cipher, gnutls_dtls_ciphers[cipher].name) && !gnutls_dtls_ciphers[cipher].disabled)
goto found_cipher;
}
vpn_progress(vpninfo, PRG_ERR, _("Unknown DTLS parameters for requested CipherSuite '%s'\n"),
diff --git a/gnutls.c b/gnutls.c
index 34119da..e121842 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -2070,7 +2070,6 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
{
int ssl_sock = -1;
int err;
- const char * prio;
if (vpninfo->https_sess)
return 0;
@@ -2196,13 +2195,13 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
strlen(vpninfo->hostname));
if (vpninfo->pfs) {
- prio = DEFAULT_PRIO":-RSA";
+ vpninfo->gnutls_default_prio = DEFAULT_PRIO":-RSA";
} else {
- prio = DEFAULT_PRIO;
+ vpninfo->gnutls_default_prio = DEFAULT_PRIO;
}
err = gnutls_priority_set_direct(vpninfo->https_sess,
- prio, NULL);
+ vpninfo->gnutls_default_prio, NULL);
if (err) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to set TLS priority string: %s\n"),
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 04cb226..7b7161c 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -469,6 +469,7 @@ struct openconnect_info {
gnutls_session_t https_sess;
gnutls_certificate_credentials_t https_cred;
char local_cert_md5[MD5_SIZE * 2 + 1]; /* For CSD */
+ const char *gnutls_default_prio;
#ifdef HAVE_TROUSERS
TSS_HCONTEXT tpm_context;
TSS_HKEY srk;
@@ -765,6 +766,7 @@ int dtls_setup(struct openconnect_info *vpninfo, int dtls_attempt_period);
int dtls_mainloop(struct openconnect_info *vpninfo, int *timeout);
void dtls_close(struct openconnect_info *vpninfo);
void dtls_shutdown(struct openconnect_info *vpninfo);
+char *dtls_ciphers_from_conn(struct openconnect_info *vpninfo);
/* cstp.c */
void cstp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
--
2.1.0

@ -0,0 +1,64 @@
From db955eceff87ecc7994348c952029ae012fc5b6a Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Tue, 3 Mar 2015 16:57:51 +0100
Subject: [PATCH 1/2] Allow overriding the default GnuTLS priority string
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
configure.ac | 9 +++++++++
gnutls.c | 18 ++++++++++--------
2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/configure.ac b/configure.ac
index e5b5e80..ddb5c48 100644
--- a/configure.ac
+++ b/configure.ac
@@ -417,6 +417,15 @@ if test "$with_gnutls" = "yes"; then
LIBS="$oldlibs"
CFLAGS="$oldcflags"
fi
+
+AC_ARG_WITH([default-gnutls-priority],
+ AS_HELP_STRING([--with-default-gnutls-priority=STRING],
+ [Provide a default string as GnuTLS priority string]),
+ default_gnutls_priority=$withval)
+if test -n "$default_gnutls_priority"; then
+ AC_DEFINE_UNQUOTED([DEFAULT_PRIO], ["$default_gnutls_priority"], [The GnuTLS priority string])
+fi
+
if test "$with_openssl" = "yes" || test "$with_openssl" = "" || test "$ssl_library" = "both"; then
PKG_CHECK_MODULES(OPENSSL, openssl, [],
[oldLIBS="$LIBS"
diff --git a/gnutls.c b/gnutls.c
index 3f79a22..34119da 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -2052,15 +2052,17 @@ static int verify_peer(gnutls_session_t session)
* >= 3.2.9 as there the %COMPAT keyword ensures that the client hello
* will be outside that range.
*/
-#if GNUTLS_VERSION_NUMBER >= 0x030209
-# define DEFAULT_PRIO "NORMAL:-VERS-SSL3.0:%COMPAT"
-#else
-# define _DEFAULT_PRIO "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
+#ifndef DEFAULT_PRIO
+# if GNUTLS_VERSION_NUMBER >= 0x030209
+# define DEFAULT_PRIO "NORMAL:-VERS-SSL3.0:%COMPAT"
+# else
+# define _DEFAULT_PRIO "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:" \
"%COMPAT:%DISABLE_SAFE_RENEGOTIATION:%LATEST_RECORD_VERSION"
-# if GNUTLS_VERSION_MAJOR >= 3
-# define DEFAULT_PRIO _DEFAULT_PRIO":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA"
-#else
-# define DEFAULT_PRIO _DEFAULT_PRIO
+# if GNUTLS_VERSION_MAJOR >= 3
+# define DEFAULT_PRIO _DEFAULT_PRIO":-CURVE-ALL:-ECDHE-RSA:-ECDHE-ECDSA"
+# else
+# define DEFAULT_PRIO _DEFAULT_PRIO
+# endif
# endif
#endif
--
2.1.0

@ -21,13 +21,16 @@
Name: openconnect Name: openconnect
Version: 7.05 Version: 7.05
Release: 1%{?relsuffix}%{?dist} Release: 2%{?relsuffix}%{?dist}
Summary: Open client for Cisco AnyConnect VPN Summary: Open client for Cisco AnyConnect VPN
Group: Applications/Internet Group: Applications/Internet
License: LGPLv2+ License: LGPLv2+
URL: http://www.infradead.org/openconnect.html URL: http://www.infradead.org/openconnect.html
Source0: ftp://ftp.infradead.org/pub/openconnect/openconnect-%{version}%{?gitsuffix}.tar.gz Source0: ftp://ftp.infradead.org/pub/openconnect/openconnect-%{version}%{?gitsuffix}.tar.gz
Patch1: openconnect-7.05-override-default-prio-string.patch
Patch2: openconnect-7.05-ensure-dtls-ciphers-match-the-allowed.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: pkgconfig(openssl) pkgconfig(libxml-2.0) BuildRequires: pkgconfig(openssl) pkgconfig(libxml-2.0)
@ -70,8 +73,13 @@ for NetworkManager etc.
%prep %prep
%setup -q -n openconnect-%{version}%{?gitsuffix} %setup -q -n openconnect-%{version}%{?gitsuffix}
%patch1 -p1 -b .prio
%patch2 -p1 -b .ciphers
%build %build
autoreconf -fvi
%configure --with-vpnc-script=/etc/vpnc/vpnc-script \ %configure --with-vpnc-script=/etc/vpnc/vpnc-script \
--with-default-gnutls-priority="@SYSTEM" \
%if !%{use_gnutls} %if !%{use_gnutls}
--with-openssl --without-openssl-version-check \ --with-openssl --without-openssl-version-check \
%endif %endif
@ -106,6 +114,9 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/pkgconfig/openconnect.pc %{_libdir}/pkgconfig/openconnect.pc
%changelog %changelog
* Wed Mar 11 2015 Nikos Mavrogiannopoulos <nmav@redhat.com> - 7.05-2
- Utilize and enforce system-wide policies (#1179331)
* Sun Jan 25 2015 David Woodhouse <David.Woodhouse@intel.com> - 7.05-1 * Sun Jan 25 2015 David Woodhouse <David.Woodhouse@intel.com> - 7.05-1
- Update to 7.05 release - Update to 7.05 release

Loading…
Cancel
Save