Unconditionally bypass system crypto policy

This makes me extremely sad, but they rolled it out with *no* way to
selectively allow the user to say "connect anyway", as we've always had
for "invalid" certificates, etc.

It's just unworkable and incomplete as currently implemented in the
distributions, so we have no choice except to bypass it and wait for
it to be fixed.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
(cherry picked from commit 7e862f2
 and commit d29822c)

configure.ac

@@ -26,6 +26,7 @@ symver_getline=
 symver_asprintf=
 symver_vasprintf=
 symver_win32_strerror=
+symver_win32_setenv=
 
 case $host_os in
  *linux* | *gnu* | *nacl*)
@@ -54,6 +55,7 @@ case $host_os in
     # For asprintf()
     AC_DEFINE(_GNU_SOURCE, 1, [_GNU_SOURCE])
     symver_win32_strerror="openconnect__win32_strerror;"
+    symver_win32_setenv="openconnect__win32_setenv;"
     # Win32 does have the SCard API
     system_pcsc_libs="-lwinscard"
     system_pcsc_cflags=
@@ -156,6 +158,7 @@ AC_SUBST(SYMVER_GETLINE, $symver_getline)
 AC_SUBST(SYMVER_ASPRINTF, $symver_asprintf)
 AC_SUBST(SYMVER_VASPRINTF, $symver_vasprintf)
 AC_SUBST(SYMVER_WIN32_STRERROR, $symver_win32_strerror)
+AC_SUBST(SYMVER_WIN32_SETENV, $symver_win32_setenv)
 
 AS_COMPILER_FLAGS(WFLAGS,
         "-Wall

libopenconnect.map.in

@@ -109,7 +109,7 @@ OPENCONNECT_5_6 {
 } OPENCONNECT_5_5;
 
 OPENCONNECT_PRIVATE {
- global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@
+ global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@ @SYMVER_WIN32_SETENV@
 	openconnect_get_tls_library_version;
 	openconnect_fopen_utf8;
 	openconnect_open_utf8;

main.c

@@ -1436,6 +1436,29 @@ int main(int argc, char **argv)
 			openconnect_binary_version, openconnect_version_str);
 	}
 
+	/* Some systems have a crypto policy which completely prevents DTLSv1.0
+	 * from being used, which is entirely pointless and will just drive
+	 * users back to the crappy proprietary clients. Or drive OpenConnect
+	 * to implement its own DTLS instead of using the system crypto libs.
+	 * We're happy to conform by default to the system policy which is
+	 * carefully curated to keep up to date with developments in crypto
+	 * attacks —  but we also *need* to be able to override it and connect
+	 * anyway, when the user asks us to. Just as we *can* continue even
+	 * when the server has an invalid certificate, based on user input.
+	 * It was a massive oversight that GnuTLS implemented the system
+	 * policy *without* that basic override facility, so until/unless
+	 * it actually gets implemented properly we have to just disable it.
+	 * We can't do this from openconnect_init_ssl() since that would be
+	 * calling setenv() from a library in someone else's process. And
+	 * thankfully we don't really need to since the auth-dialogs don't
+	 * care; this is mostly for the DTLS connection.
+	 */
+#ifdef OPENCONNECT_GNUTLS
+	setenv("GNUTLS_SYSTEM_PRIORITY_FILE", DEVNULL, 0);
+#else
+	setenv("OPENSSL_CONF", DEVNULL, 0);
+#endif
+
 	openconnect_init_ssl();
 
 	vpninfo = openconnect_vpninfo_new((char *)"Open AnyConnect VPN Agent",

openconnect-internal.h

@@ -41,6 +41,15 @@
 
 #include "openconnect.h"
 
+/* Equivalent of "/dev/null" on Windows.
+ * See https://stackoverflow.com/a/44163934
+ */
+#ifdef _WIN32
+#define DEVNULL "NUL:"
+#else
+#define DEVNULL "/dev/null"
+#endif
+
 #if defined(OPENCONNECT_OPENSSL)
 #include <openssl/ssl.h>
 #include <openssl/err.h>

www/changelog.xml

@@ -16,6 +16,7 @@
    <li><b>OpenConnect HEAD</b>
      <ul>
        <li>Ignore failures to fetch the NC landing page if the authentication was successful.</li>
+       <li>Disable brittle "system policy" enforcement where it cannot be gracefully overridden at user request. <a href="https://bugzilla.redhat.com/show_bug.cgi?id=1960763"><i>(RH#1960763)</i></a>.</li>
      </ul><br/>
   </li>
   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.10.tar.gz">OpenConnect v8.10</a></b>