1. 13 Feb, 2013 8 commits
    • David Woodhouse
      09c69d7c
    • Tag version 4.08 · 615670c0
      David Woodhouse authored
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    • Update translations · 4265e86d
      David Woodhouse authored
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    • Update changelog · 31abfbcc
      David Woodhouse authored
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    • Impose minimum MTU of 1280 bytes. · cae51780
      David Woodhouse authored
      Some people have seen extremely low pMTU values from the kernel. Not sure
      why, but let's impose a lower limit for now.
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
      (cherry picked from commit b37161f6)
    • Canonicalise hostname during authentication if necessary · 173c3143
      David Woodhouse authored
      Some people have round-robin servers, all addressed by the same hostname
      but with different SSL certificates. Where we do the authentication (and
      user-interactive approval of certificates) from a GUI via libopenconnect,
      or with 'openconnect --authenticate', we end up being given the SHA1 on
      the server's certificate and the non-interactive connection is going to
      expect to see exactly that certificate. So if there is more than one
      result in the original DNS lookup, *change* vpninfo->hostname to hold
      the IP address that we actually connected to.
      
      This means that the Host: header in what we send will be the numeric IP
      address instead of the hostname, but that doesn't seem to hurt. It could
      potentially, theoretically, break virtual hosts but I don't think that
      kind of setup could ever exist in practice.
      
      This also works only in the case where we're *not* connecting via a proxy.
      We currently let the proxy do the DNS lookups *for* us, and we'd have to
      do them locally and then ask the proxy for a connection by IP address
      even for the *first* connection.
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
      (cherry picked from commit b0b4b34f
       and subsequent fix commit 3e6ecfa5)
    • http: Fix overflow on HTTP request buffers (CVE-2012-6128) · bcc2f7f2
      Kevin Cernekee authored
      A malicious VPN gateway can send a very long hostname/path (for redirects)
      or cookie list (in general), which OpenConnect will attempt to sprintf()
      into a fixed length buffer.  Each HTTP server response line can add
      roughly MAX_BUF_LEN (131072) bytes to the next OpenConnect HTTP request,
      but the request buffer (buf) is capped at MAX_BUF_LEN bytes and is
      allocated on the stack.
      
      The result of passing a long "Location:" header looks like:
      
          Attempting to connect to server 127.0.0.1:443
          SSL negotiation with localhost
          Server certificate verify failed: self signed certificate in certificate chain
          Connected to HTTPS on localhost
          GET https://localhost/
          Got HTTP response: HTTP/1.0 301 Moved
          Ignoring unknown HTTP response line 'aaaaaaaaaaaaaaaaaa'
          SSL negotiation with localhost
          Server certificate verify failed: self signed certificate in certificate chain
          Connected to HTTPS on localhost
          *** buffer overflow detected ***: /scr/openconnect2/.libs/lt-openconnect terminated
          ======= Backtrace: =========
          /lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7fd62729b82c]
          /lib/x86_64-linux-gnu/libc.so.6(+0x109700)[0x7fd62729a700]
          /lib/x86_64-linux-gnu/libc.so.6(+0x108b69)[0x7fd627299b69]
          /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xdd)[0x7fd62720d13d]
          /lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ae7)[0x7fd6271db4a7]
          /lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x94)[0x7fd627299c04]
          /lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7fd627299b4d]
          /scr/openconnect2/.libs/libopenconnect.so.2(openconnect_obtain_cookie+0xc0)[0x7fd62832d210]
          /scr/openconnect2/.libs/lt-openconnect[0x40413f]
          /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed)[0x7fd6271b276d]
          /scr/openconnect2/.libs/lt-openconnect[0x404579]
      
      The proposed fix is to use dynamically allocated buffers with overflow
      checking.
      Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
      Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
      (cherry picked from commit 26f752c3)
    • Nikos Mavrogiannopoulos
  2. 12 Feb, 2013 5 commits
  3. 07 Feb, 2013 2 commits
  4. 05 Feb, 2013 1 commit
  5. 04 Feb, 2013 4 commits
  6. 18 Jan, 2013 1 commit
  7. 30 Dec, 2012 1 commit
  8. 18 Dec, 2012 2 commits
  9. 03 Dec, 2012 2 commits
  10. 14 Nov, 2012 2 commits
  11. 12 Nov, 2012 2 commits
  12. 08 Nov, 2012 2 commits
  13. 07 Nov, 2012 2 commits
  14. 06 Nov, 2012 2 commits
  15. 05 Nov, 2012 4 commits
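
The CVE-2012-6128 commit above (bcc2f7f2) describes replacing a fixed-length stack buffer filled by sprintf() with dynamically allocated buffers that check for overflow. The C code below is an added example of that pattern, not OpenConnect's own code: `struct req_buf`, `req_append`, `build_request` and `REQ_MAX_LEN` are hypothetical names, and the host, path and cookie values in `main` are constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define REQ_MAX_LEN 131072 /* the MAX_BUF_LEN value quoted in the commit */

struct req_buf {           /* hypothetical type, not OpenConnect's own */
    char *data;
    size_t len, cap;
    int error;             /* sticky: once set, later appends are no-ops */
};

/* Append formatted text, growing the heap buffer; never exceed REQ_MAX_LEN. */
static void req_append(struct req_buf *b, const char *fmt, ...)
{
    va_list ap;
    if (b->error) return;
    va_start(ap, fmt);
    int need = vsnprintf(NULL, 0, fmt, ap); /* measure only, writes nothing */
    va_end(ap);
    size_t total = b->len + (size_t)(need < 0 ? 0 : need) + 1;
    if (need < 0 || total > REQ_MAX_LEN) { b->error = 1; return; }
    if (total > b->cap) {
        char *n = realloc(b->data, total);
        if (!n) { b->error = 1; return; }
        b->data = n;
        b->cap = total;
    }
    va_start(ap, fmt);
    vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);
    va_end(ap);
    b->len += (size_t)need;
}

/* Build a request from server-influenced fields; NULL if it would not fit. */
char *build_request(const char *host, const char *path, const char *cookies)
{
    struct req_buf b = { NULL, 0, 0, 0 };
    req_append(&b, "GET /%s HTTP/1.1\r\n", path);
    req_append(&b, "Host: %s\r\n", host);
    req_append(&b, "Cookie: %s\r\n\r\n", cookies);
    if (b.error) { free(b.data); return NULL; }
    return b.data;
}

int main(void)
{
    char *req = build_request("vpn.example.com", "index.html", "a=b"); /* constructed input */
    if (req) fputs(req, stdout);
    free(req);
}
```

Because the error flag is sticky, the caller checks once after the last append instead of after every field, and an oversized redirect path or cookie list makes the request fail cleanly.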