- 05 Jan, 2021 1 commit

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 13 Dec, 2020 1 commit

Daniel Lenski authored
See https://gitlab.com/openconnect/openconnect/-/issues/207#note_465454559 for use case and discussion.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 09 Dec, 2020 1 commit

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 16 Nov, 2020 1 commit

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 11 Nov, 2020 1 commit

Nikos Mavrogiannopoulos authored
These now point to gitlab.com.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
- 04 Nov, 2020 4 commits

Daniel Lenski authored
These are designed to ensure that we don't inadvertently break compatibility with legacy/obsolete server crypto, and also that we don't *inadvertently connect* to less-secure crypto than requested.

Current checks:
- connect to a server whose only ciphers are 3DES and/or RC4 [if and only if] `--allow-insecure-crypto` is specified
- connect to a server whose only KX is RSA KX [if and only if] `--pfs` is [not specified]

Tricky parts:
- Override GnuTLS system crypto policy in obsolete-server-crypto test config, because this may be needed for newer versions of GnuTLS to obey it. (per nmav: https://gitlab.com/openconnect/openconnect/-/issues/145#note_346497960)
- OpenSSL 1.1.0+ removes 3DES and RC4 from the default build (https://www.openssl.org/blog/blog/2016/08/24/sweet32), so there is no way to re-enable without rebuilding from source. Therefore, obsolete-server-crypto test is marked as XFAIL on all CI builds using it.
- Recent GnuTLS versions which support TLS1.3 implicitly allow non-RSA KX (due to VERS-TLS1.3 ciphersuites) even when -KX-ALL:+RSA is in the priority string; in order to actually test RSA-only KX, we need to ensure that TLS1.3 is disabled. See #149.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Daniel Lenski authored
This closes #145, and adds tests intended to prevent similar situations from recurring.

Allowing the ancient, broken 3DES and RC4 ciphers is insecure; we do not want to (re-)enable them by default. (See discussion: https://gitlab.com/openconnect/openconnect/-/issues/145#note_344687335) However, some still-in-use VPN servers can't do any better. So instead, we explicitly disable them, unless explicitly enabled with the `--allow-insecure-crypto` option, or corresponding API functions.

Also attempts to future-proof --allow-obsolete-crypto a bit, by setting `%VERIFY_ALLOW_SIGN_WITH_SHA1` (per nmav: https://gitlab.com/openconnect/openconnect/-/merge_requests/114#note_346496796), and explicitly enabling SHA1 (which was moved to GnuTLS “bad hashes list” in 1d75e116b1681d0e6b140d7530e7f0403088da88).

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 03 Nov, 2020 1 commit

Daniel Lenski authored
Fingerprint-checking monkey-patch for SSLSocket needs to be refined to work with Python 3.7+.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 15 May, 2020 1 commit

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 14 May, 2020 2 commits

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 07 May, 2020 1 commit

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 02 May, 2020 1 commit

Luca Boccassi authored
This is the common default installation pattern for quite some time.
Signed-off-by: Luca Boccassi <bluca@debian.org>
- 30 Apr, 2020 1 commit

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 29 Apr, 2020 2 commits

Daniel Lenski authored
One significant user-facing entry was left out of the v8.09 changelog:
* modernized Juniper TNCC script

Two were labeled as being in v8.08 when in fact they weren't merged until v8.09:
* GlobalProtect MRs (!90, !93, !95)
* disabling of Nagle's algorithm for TLS sockets

Signed-off-by: Daniel Lenski <dlenski@gmail.com>

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 28 Apr, 2020 2 commits

Jordy Zomer authored
These functions return 1 for a successful match, 0 for a failed match, -1 for an internal error, or -2 if the certificate is malformed. OpenConnect has been treating any value other than zero as a success, meaning that an attacker who could get a trusted CA to issue an invalid certificate (on which the ASN.1 decoder fails, for example), could use that to assume *any* identity.

This is CVE-2020-12105.

https://gitlab.com/openconnect/openconnect/-/merge_requests/96
Signed-off-by: Jordy Zomer <jordy@simplyhacker.com>
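The commit above states the failure mode in one sentence: the caller treated every non-zero return as a match, so the two error codes were accepted exactly like a positive match. The following C program is an added example, not OpenConnect's code and not OpenSSL's API. It models the four-value return convention the commit message describes with constructed constants (CHECK_MATCH and the other names are chosen here, not library identifiers) and puts the pre-fix predicate beside the corrected one so the difference can be exercised over every documented return value, with a log-friendly reason string so that "broken certificate" and "wrong name" are distinguishable in the logs.

```c
#include <stdio.h>

/* Return convention of the identity-check functions as the commit message
 * describes it.  These constant names are constructed for this example:
 *   1  -> the certificate matches the expected identity
 *   0  -> no match
 *  -1  -> internal error
 *  -2  -> malformed certificate (e.g. the ASN.1 decoder failed)
 */
enum {
    CHECK_MATCH          =  1,
    CHECK_MISMATCH       =  0,
    CHECK_INTERNAL_ERROR = -1,
    CHECK_MALFORMED      = -2,
};

/* Pre-fix logic as described in the commit: any non-zero value was taken
 * as success.  Kept only to show what goes wrong; it accepts both error
 * codes, so a certificate that cannot even be decoded "matches". */
int legacy_identity_accepted(int rc)
{
    return rc != 0;
}

/* Corrected logic: only an explicit positive match (exactly 1) is a
 * success.  Every other value, including the error codes, is a failure. */
int identity_accepted(int rc)
{
    return rc == 1;
}

/* Map the return code to a reason string for logging, so an operator can
 * tell a name mismatch from a malformed certificate. */
const char *identity_check_reason(int rc)
{
    switch (rc) {
    case CHECK_MATCH:          return "match";
    case CHECK_MISMATCH:       return "no match";
    case CHECK_INTERNAL_ERROR: return "internal error";
    case CHECK_MALFORMED:      return "malformed certificate";
    default:                   return "unexpected return code";
    }
}

/* Count how many of the four documented return codes a predicate accepts.
 * A correct predicate accepts exactly one of them (the positive match). */
int count_accepted(int (*accepts)(int))
{
    const int codes[] = { CHECK_MATCH, CHECK_MISMATCH,
                          CHECK_INTERNAL_ERROR, CHECK_MALFORMED };
    int n = 0;
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        if (accepts(codes[i]))
            n++;
    return n;
}

int main(void)
{
    const int codes[] = { 1, 0, -1, -2 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++)
        printf("rc=%2d (%-21s): legacy=%s fixed=%s\n", codes[i],
               identity_check_reason(codes[i]),
               legacy_identity_accepted(codes[i]) ? "ACCEPT" : "reject",
               identity_accepted(codes[i]) ? "ACCEPT" : "reject");
    return 0;
}
```

The general lesson is the one the commit implies: for any API whose return value is a three-or-more-way result rather than a boolean, compare against the one value that means success instead of testing for "not failure".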
Daniel Lenski authored
Some VPN platforms (GlobalProtect, apparently) allow administrators to input such non-canonical IPv4 routes, and some routing configuration utilities (apparently *not* iproute2) simply do not accept such non-canonical IPv4 routes.

An example of the confusion this can cause: https://lists.infradead.org/pipermail/openconnect-devel/2020-April/005665.html

The robustness principle suggests that the best thing to do here is to fix these routes, but complain about them while we're at it.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
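As an added example (not OpenConnect's code; the function names and the sample routes below are constructed for illustration), the following C program applies the approach the commit describes: parse an IPv4 route in a.b.c.d/n form, clear any host bits that the prefix length says must be zero, and report that the route was non-canonical so the caller can log a complaint while still installing the corrected route. It also rejects routes that cannot be parsed at all, which is a separate outcome from "non-canonical but fixable".

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Parse "a.b.c.d/n" into a host-order address and prefix length.
 * Returns 0 on success, -1 on a syntax or range error.  The trailing %c
 * catches any junk after the prefix length, so "10.0.0.0/8x" is rejected. */
int parse_cidr(const char *s, uint32_t *addr, int *prefix)
{
    unsigned a, b, c, d, n;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u/%u%c", &a, &b, &c, &d, &n, &tail) != 5)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255 || n > 32)
        return -1;
    *addr = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    *prefix = (int)n;
    return 0;
}

/* Netmask for a prefix length.  A prefix of 0 is handled explicitly because
 * shifting a 32-bit value by 32 is undefined behaviour in C. */
uint32_t prefix_to_mask(int prefix)
{
    return prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
}

/* Rewrite a route into canonical form (host bits cleared).
 * Returns 1 if the route was non-canonical and was fixed (the caller should
 * complain), 0 if it was already canonical, -1 if it could not be parsed.
 * On success the canonical "a.b.c.d/n" text is written to out (>= 19 bytes). */
int canonicalize_route(const char *route, char *out, size_t outlen)
{
    uint32_t addr, mask, net;
    int prefix;

    if (parse_cidr(route, &addr, &prefix) < 0)
        return -1;
    mask = prefix_to_mask(prefix);
    net = addr & mask;
    snprintf(out, outlen, "%u.%u.%u.%u/%d",
             (unsigned)(net >> 24), (unsigned)((net >> 16) & 0xff),
             (unsigned)((net >> 8) & 0xff), (unsigned)(net & 0xff), prefix);
    return net != addr;
}

int main(void)
{
    /* Constructed sample routes: one canonical, two with host bits set,
     * one default route, and one that is not parseable at all. */
    const char *routes[] = {
        "192.168.0.0/16", "10.1.2.3/24", "172.16.5.201/30", "0.0.0.0/0", "bogus",
    };
    char fixed[32];

    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++) {
        int rc = canonicalize_route(routes[i], fixed, sizeof fixed);
        if (rc < 0)
            printf("ERROR: cannot parse route '%s'\n", routes[i]);
        else if (rc == 1)
            printf("WARNING: non-canonical route '%s' fixed to '%s'\n",
                   routes[i], fixed);
        else
            printf("OK: route '%s' is canonical\n", routes[i]);
    }
    return 0;
}
```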
- 23 Apr, 2020 1 commit

David Woodhouse authored
Fixes: #123 (for OpenSSL build)
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 21 Apr, 2020 2 commits

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 08 Apr, 2020 4 commits

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

Daniel Lenski authored
Copied from: https://github.com/dlenski/juniper-vpn-py/blob/5c5c6c021a80b926990e2598d27f18d3aba60513/tncc.py
Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 07 Apr, 2020 1 commit

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 06 Apr, 2020 4 commits

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

David Woodhouse authored
Fixes: #116
Reported-by: Dave Padden
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

David Woodhouse authored
When the auth-dialog is invoked from gnome-shell, it *closes* the other end of our stderr. Detect this with ferror(stderr), and open /dev/null instead.

This prevents CSD scripts from taking SIGPIPE when writing to stderr (which we also dup to be their stdout) and aborting.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 04 Apr, 2020 2 commits

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

David Woodhouse authored
Some of them do. Give people a grace period to fix them.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 02 Apr, 2020 1 commit

Daniel Lenski authored
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 01 Apr, 2020 3 commits

Luca Boccassi authored
Use a handshake hook, and abort the handshake if it fails.
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

David Woodhouse authored
This happens in the wild and the official clients seem not to care. It's a pointless check anyway. It's too late, and it's only MD5.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
- 30 Mar, 2020 2 commits

David Woodhouse authored
Signed-off-by: David Woodhouse <dwmw2@infradead.org>

David Woodhouse authored
Upgrade to 3.6.13. https://gitlab.com/gnutls/gnutls/-/issues/960
Signed-off-by: David Woodhouse <dwmw2@infradead.org>