~mamarley/openconnect/+git/gitlab-main:dlenski-master

Last commit made on 2020-10-15
Get this branch:
git clone -b dlenski-master https://git.launchpad.net/~mamarley/openconnect/+git/gitlab-main

Branch information

Name: dlenski-master
Repository: lp:~mamarley/openconnect/+git/gitlab-main

Recent commits

908c2bb... by Dan Lenski

finesse the URL-decoding of the GP login args

Unsurprisingly, it's messier than I thought it was. Some of them definitely
need to be URL-decoded, and some definitely shouldn't be.
https://gitlab.com/openconnect/openconnect/-/issues/147#note_429943037

Signed-off-by: Daniel Lenski <email address hidden>

767f47e... by Dan Lenski

Merge https://gitlab.com/openconnect/openconnect/-/merge_requests/114

Signed-off-by: Daniel Lenski <email address hidden>

ae4c06c... by Dan Lenski

add tests/obsolete-server-crypto to XFAIL on all CI using OpenSSL 1.1.0+

OpenSSL 1.1.0+ removes 3DES and RC4 from the default build: https://www.openssl.org/blog/blog/2016/08/24/sweet32/

There is no way to re-enable without rebuilding from source.

Signed-off-by: Daniel Lenski <email address hidden>

a63086a... by Dan Lenski

add 'obsolete-server-crypto' and 'pfs' tests

These are designed to ensure that we don't inadvertently break compatibility
with legacy/obsolete server crypto, and also that we don't *inadvertently
connect* to less-secure crypto than requested.

May need to override system crypto policy in order for GnuTLS to allow old crypto in CI.
(per nmav: https://gitlab.com/openconnect/openconnect/-/issues/145#note_346497960)

- 'pfs': connect to a server whose only KX is RSA KX [if and only if]
  `--pfs` is [not specified]
- 'obsolete-server-crypto': connect to a server whose only ciphers are 3DES
  and/or RC4 [if and only if] `--allow-insecure-crypto` is specified

Signed-off-by: Daniel Lenski <email address hidden>

6c508a2... by Dan Lenski

modify tests/common.sh so that launch_simple_sr_server() → test → cleanup() can be used repeatedly in a single script

Signed-off-by: Daniel Lenski <email address hidden>

f3aee6d... by Dan Lenski

with --allow-insecure-crypto, check if it can be enabled by the library and fail if not

Fixes the issue of silent failure both with and without this option.

Getting the ciphers in OpenSSL 1.1.0 is extremely tedious.

Signed-off-by: Daniel Lenski <email address hidden>

662e4d9... by Dan Lenski

Attempt to future-proof --allow-obsolete-crypto

`--allow-obsolete-crypto` with GnuTLS 3.6.0+ should set `%VERIFY_ALLOW_SIGN_WITH_SHA1` as well
(per nmav: https://gitlab.com/openconnect/openconnect/-/merge_requests/114#note_346496796),
and should explicitly reenable SHA1
(moved to GnuTLS “bad hashes list” in 1d75e116b1681d0e6b140d7530e7f0403088da88)

Signed-off-by: Daniel Lenski <email address hidden>

4c1213a... by Dan Lenski

rework MR to add --allow-insecure-crypto, and corresponding API functions

Allowing the ancient, broken 3DES and RC4 ciphers is insecure; we do not
want to (re-)enable them by default. (See discussion:
https://gitlab.com/openconnect/openconnect/-/issues/145#note_344687335)

However, some still-in-use VPN servers can't do any better. So instead, we
explicitly disable them, unless explicitly enabled with the
`--allow-insecure-crypto` option, or corresponding API functions.

Signed-off-by: Daniel Lenski <email address hidden>

6f09997... by Dan Lenski

Merge https://gitlab.com/openconnect/openconnect/-/merge_requests/117

Signed-off-by: Daniel Lenski <email address hidden>

d3af00e... by Dan Lenski

Merge https://gitlab.com/openconnect/openconnect/-/merge_requests/123

Signed-off-by: Daniel Lenski <email address hidden>