Fix crypto-policy breakage, merge Juniper redirect fix

3 years ago · d452e6f197
parent 91c24fefe0
commit d452e6f197
3 changed files with 207 additions and 1 deletions
--- a/0001-Ignore-errors-fetching-NC-landing-page-if-auth-was-s.patch
+++ b/0001-Ignore-errors-fetching-NC-landing-page-if-auth-was-s.patch
@ -0,0 +1,65 @@
+From 4ff991c46e6b202cabd623eeffa5ae1af1ba5c8e Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Fri, 23 Apr 2021 10:40:44 +0100
+Subject: [PATCH 1/2] Ignore errors fetching NC landing page if auth was
+ successful
+
+Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+(cherry picked from commit 3e77943692b511719d9217d2ecc43588b7c6c08b)
+---
+ auth-juniper.c    | 18 +++++++++++-------
+ www/changelog.xml |  2 +-
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/auth-juniper.c b/auth-juniper.c
+index 19d43978..63af3bfc 100644
+--- a/auth-juniper.c
+++ b/auth-juniper.c
+@@ -663,6 +663,17 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
+ 			ret = do_https_request(vpninfo, "GET", NULL, NULL,
+ 					       &form_buf, 2);
+ 
+		/* After login, the server will redirect the "browser" to a landing page.
+		 * https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784
+		 * turned some of those landing pages into a 403 but we don't *care*
+		 * about that as long as we have the cookie we wanted. So check for
+		 * cookie success *before* checking 'ret'. */
+		if (!check_cookie_success(vpninfo)) {
+			free(form_buf);
+			ret = 0;
+			break;
+		}
+
+ 		if (ret < 0)
+ 			break;
+ 
+@@ -680,13 +691,6 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
+ 			break;
+ 		}
+ 
+-		if (!check_cookie_success(vpninfo)) {
+-			buf_free(url);
+-			free(form_buf);
+-			ret = 0;
+-			break;
+-		}
+-
+ 		doc = htmlReadMemory(form_buf, ret, url->data, NULL,
+ 				     HTML_PARSE_RECOVER|HTML_PARSE_NOERROR|HTML_PARSE_NOWARNING|HTML_PARSE_NONET);
+ 		buf_free(url);
+diff --git a/www/changelog.xml b/www/changelog.xml
+index bca5c8e2..1a05eda7 100644
+--- a/www/changelog.xml
+++ b/www/changelog.xml
+@@ -15,7 +15,7 @@
+ <ul>
+    <li><b>OpenConnect HEAD</b>
+      <ul>
+-       <li><i>No changelog entries yet</i></li>
+       <li>Ignore failures to fetch the NC landing page if the authentication was successful.</li>
+      </ul><br/>
+   </li>
+   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz">OpenConnect v8.10</a></b>
+-- 
+2.31.1
+
--- a/0002-Unconditionally-bypass-system-crypto-policy.patch
+++ b/0002-Unconditionally-bypass-system-crypto-policy.patch
@ -0,0 +1,134 @@
+From cc4658504b21eb87f9fa6bf7c1e42b83b6f64aaa Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dwmw2@infradead.org>
+Date: Sat, 12 Jun 2021 08:50:09 +0100
+Subject: [PATCH 2/2] Unconditionally bypass system crypto policy
+
+This makes me extremely sad, but they rolled it out with *no* way to
+selectively allow the user to say "connect anyway", as we've always had
+for "invalid" certificates, etc.
+
+It's just unworkable and incomplete as currently implemented in the
+distributions, so we have no choice except to bypass it and wait for
+it to be fixed.
+
+Signed-off-by: David Woodhouse <dwmw2@infradead.org>
+(cherry picked from commit 7e862f2f0352409357fa7a4762481fde49909eb8
+ and commit d29822cf30293d5f8b039baf3306eed2769fa0b5)
+---
+ configure.ac           |  3 +++
+ libopenconnect.map.in  |  2 +-
+ main.c                 | 23 +++++++++++++++++++++++
+ openconnect-internal.h |  9 +++++++++
+ www/changelog.xml      |  1 +
+ 5 files changed, 37 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 8b1b540f..3ea5e9cc 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -26,6 +26,7 @@ symver_getline=
+ symver_asprintf=
+ symver_vasprintf=
+ symver_win32_strerror=
+symver_win32_setenv=
+ 
+ case $host_os in
+  *linux* | *gnu* | *nacl*)
+@@ -54,6 +55,7 @@ case $host_os in
+     # For asprintf()
+     AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE])
+     symver_win32_strerror="openconnect__win32_strerror;"
+    symver_win32_setenv="openconnect__win32_setenv;"
+     # Win32 does have the SCard API
+     system_pcsc_libs="-lwinscard"
+     system_pcsc_cflags=
+@@ -156,6 +158,7 @@ AC_SUBST(SYMVER_GETLINE, $symver_getline)
+ AC_SUBST(SYMVER_ASPRINTF, $symver_asprintf)
+ AC_SUBST(SYMVER_VASPRINTF, $symver_vasprintf)
+ AC_SUBST(SYMVER_WIN32_STRERROR, $symver_win32_strerror)
+AC_SUBST(SYMVER_WIN32_SETENV, $symver_win32_setenv)
+ 
+ AS_COMPILER_FLAGS(WFLAGS,
+         "-Wall
+diff --git a/libopenconnect.map.in b/libopenconnect.map.in
+index 5b4bc5d7..1039aacf 100644
+--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
+@@ -109,7 +109,7 @@ OPENCONNECT_5_6 {
+ } OPENCONNECT_5_5;
+ 
+ OPENCONNECT_PRIVATE {
+- global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@
+ global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@ @SYMVER_WIN32_SETENV@
+ 	openconnect_get_tls_library_version;
+ 	openconnect_fopen_utf8;
+ 	openconnect_open_utf8;
+diff --git a/main.c b/main.c
+index cc3dd91e..129755a1 100644
+--- a/main.c
+++ b/main.c
+@@ -1436,6 +1436,29 @@ int main(int argc, char **argv)
+ 			openconnect_binary_version, openconnect_version_str);
+ 	}
+ 
+	/* Some systems have a crypto policy which completely prevents DTLSv1.0
+	 * from being used, which is entirely pointless and will just drive
+	 * users back to the crappy proprietary clients. Or drive OpenConnect
+	 * to implement its own DTLS instead of using the system crypto libs.
+	 * We're happy to conform by default to the system policy which is
+	 * carefully curated to keep up to date with developments in crypto
+	 * attacks —  but we also *need* to be able to override it and connect
+	 * anyway, when the user asks us to. Just as we *can* continue even
+	 * when the server has an invalid certificate, based on user input.
+	 * It was a massive oversight that GnuTLS implemented the system
+	 * policy *without* that basic override facility, so until/unless
+	 * it actually gets implemented properly we have to just disable it.
+	 * We can't do this from openconnect_init_ssl() since that would be
+	 * calling setenv() from a library in someone else's process. And
+	 * thankfully we don't really need to since the auth-dialogs don't
+	 * care; this is mostly for the DTLS connection.
+	 */
+#ifdef OPENCONNECT_GNUTLS
+	setenv("GNUTLS_SYSTEM_PRIORITY_FILE", DEVNULL, 0);
+#else
+	setenv("OPENSSL_CONF", DEVNULL, 0);
+#endif
+
+ 	openconnect_init_ssl();
+ 
+ 	vpninfo = openconnect_vpninfo_new((char *)"Open AnyConnect VPN Agent",
+diff --git a/openconnect-internal.h b/openconnect-internal.h
+index 92edf763..9eb274c2 100644
+--- a/openconnect-internal.h
+++ b/openconnect-internal.h
+@@ -41,6 +41,15 @@
+ 
+ #include "openconnect.h"
+ 
+/* Equivalent of "/dev/null" on Windows.
+ * See https://stackoverflow.com/a/44163934
+ */
+#ifdef _WIN32
+#define DEVNULL "NUL:"
+#else
+#define DEVNULL "/dev/null"
+#endif
+
+ #if defined(OPENCONNECT_OPENSSL)
+ #include <openssl/ssl.h>
+ #include <openssl/err.h>
+diff --git a/www/changelog.xml b/www/changelog.xml
+index 1a05eda7..ca90413f 100644
+--- a/www/changelog.xml
+++ b/www/changelog.xml
+@@ -16,6 +16,7 @@
+    <li><b>OpenConnect HEAD</b>
+      <ul>
+        <li>Ignore failures to fetch the NC landing page if the authentication was successful.</li>
+       <li>Disable brittle "system policy" enforcement where it cannot be gracefully overridden at user request. <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1960763"><i>(RH#1960763)</i></a>.</li>
+      </ul><br/>
+   </li>
+   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz">OpenConnect v8.10</a></b>
+-- 
+2.31.1
+
--- a/openconnect.spec
+++ b/openconnect.spec
@ -40,7 +40,7 @@

 Name:		openconnect
 Version:	8.10
-Release:	5%{?relsuffix}%{?dist}
+Release:	6%{?relsuffix}%{?dist}
 Summary:	Open client for Cisco AnyConnect VPN, Juniper Network Connect/Pulse, PAN GlobalProtect

 License:	LGPLv2+
@ -52,6 +52,9 @@ Source1:	ftp://ftp.infradead.org/pub/openconnect/openconnect-%{version}%{?gitsuf
 Source2:	gpgkey-BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359.asc
 Source3:	macros.gpg

+Patch0001:	0001-Ignore-errors-fetching-NC-landing-page-if-auth-was-s.patch
+Patch0002:	0002-Unconditionally-bypass-system-crypto-policy.patch
+
 BuildRequires: make
 BuildRequires:	pkgconfig(libxml-2.0) pkgconfig(libpcsclite) krb5-devel gnupg2
 BuildRequires:	autoconf automake libtool gettext pkgconfig(liblz4)
@ -161,6 +164,10 @@ make VERBOSE=1 check
 %{_libdir}/pkgconfig/openconnect.pc

 %changelog
+* Sat Jun 12 2021 David Woodhouse <dwmw2@infradead.org> - 8.10-6
+- Explicitly disable too-brittle system crypto policies (#1960763)
+- Ignore with errors fetching Juniper landing page when login was successful anyway.
+
 * Sun Feb 14 2021 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com> - 8.10-5
 - Rebuilt while skipping the (PKCS#11) failing tests