From baca906ad5ecc22c7f4c561f4ebcd4971702608c Mon Sep 17 00:00:00 2001
From: Manuel Thalmann
Date: Mon, 3 Apr 2023 19:11:10 +0200
Subject: [PATCH] Add a script for patching `networkmanager-openconnect`

---
 allow_insecure_crypto.patch | 25 +++++++++++++++++++++++++
 install.sh | 33 +++++++++++++++++++++++++++++++++
 openssl_insecure_crypto.cnf | 13 +++++++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 allow_insecure_crypto.patch
 create mode 100755 install.sh
 create mode 100644 openssl_insecure_crypto.cnf

diff --git a/allow_insecure_crypto.patch b/allow_insecure_crypto.patch
new file mode 100644
index 0000000..d10dd67
--- /dev/null
+++ b/allow_insecure_crypto.patch
@@ -0,0 +1,25 @@
+diff --git a/auth-dialog/main.c b/auth-dialog/main.c
+index fa26426..6c4ae72 100644
+--- a/auth-dialog/main.c
++++ b/auth-dialog/main.c
+@@ -1970,6 +1970,8 @@ static gpointer init_connection (auth_ui_data *ui_data)
+
+ int main (int argc, char **argv)
+ {
++ g_setenv ("OPENSSL_CONF", "/usr/local/etc/ssl/openssl_insecure_crypto.cnf", FALSE);
++
+ char *vpn_name = NULL, *vpn_uuid = NULL, *vpn_service = NULL;
+ GHashTable *options = NULL, *secrets = NULL;
+ gboolean allow_interaction = FALSE;
+diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
+index 05e8095..ba87e93 100644
+--- a/src/nm-openconnect-service.c
++++ b/src/nm-openconnect-service.c
+@@ -447,6 +447,7 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
+
+ openconnect_argv = g_ptr_array_new ();
+ g_ptr_array_add (openconnect_argv, (gpointer) (*openconnect_binary));
++ g_ptr_array_add (openconnect_argv, (gpointer) "--allow-insecure-crypto");
+
+ protocol = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_PROTOCOL);
+ if (protocol && strcmp (protocol, "anyconnect")) {
diff --git a/install.sh b/install.sh
new file mode 100755
index 0000000..3b0a670
--- /dev/null
+++ b/install.sh
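Review bot: The `--allow-insecure-crypto` argument is appended to openconnect_argv unconditionally in the nm-openconnect-service.c hunk, so every VPN profile served by this plugin is started with weakened TLS settings, not only the profile the referenced issue concerns. The same function already reads per-connection data through `nm_setting_vpn_get_data_item (s_vpn, ...)`, so gating on an opt-in item keeps the default for other profiles intact: `if (nm_setting_vpn_get_data_item (s_vpn, "<OPT_IN_KEY>")) g_ptr_array_add (openconnect_argv, (gpointer) "--allow-insecure-crypto");` (key name is a placeholder to be chosen alongside the existing NM_OPENCONNECT_KEY_* names). In the auth-dialog/main.c hunk, `g_setenv (..., FALSE)` does not override an OPENSSL_CONF that is already set, so the custom configuration is silently skipped in that case; a comment such as `/* Only takes effect when OPENSSL_CONF is unset; the path must match where install.sh places the .cnf file. */` would make that visible. Both enclosing functions, main and nm_openconnect_start_openconnect_binary, continue outside the hunk.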
@@ -0,0 +1,33 @@
+#!/bin/bash
+if [ ! "$UID" -eq 0 ]
+then
+ sudo bash "$BASH_SOURCE";
+else
+ scriptRoot="$(realpath "${BASH_SOURCE%/*}")";
+ workingDir="$(pwd)";
+ contextDir="$(mktemp -d)";
+ patchFile="allow_insecure_crypto.patch";
+ patchedConfig="openssl_insecure_crypto.cnf";
+ chmod a+rwx "$contextDir"
+
+ git clone https://aur.archlinux.org/networkmanager-openconnect-useragent-git.git "$contextDir";
+ cd "$contextDir";
+ cp "$scriptRoot/$patchFile" .;
+ cp "$scriptRoot/$patchedConfig" .;
+
+ sed -i \
+ -e "s/^\(source=(.*\)\()\)/\1 \"local:\/\/$patchFile\" \"local:\/\/$patchedConfig\"\2/" \
+ -e "s/^\(sha256sums=(.*\)\()\)/\1 'SKIP' 'SKIP'\2/" \
+ -e "/^build() {/{" \
+ -e 'a\' \
+ -e ' cd NetworkManager-openconnect\' \
+ -e ' git apply "${srcdir}/'"$patchFile"'"\' \
+ -e " cd .." \
+ -e "}" \
+ -e "/^package() {/{" \
+ -e 'a mkdir -p "${pkgdir}/usr/local/etc/ssl"' \
+ -e 'a cp "${srcdir}/'"$patchedConfig"'" "${pkgdir}/usr/local/etc/ssl/openssl_insecure_crypto.cnf"' \
+ -e "}" \
+ PKGBUILD
+ echo "$contextDir";
+fi;
diff --git a/openssl_insecure_crypto.cnf b/openssl_insecure_crypto.cnf
new file mode 100644
index 0000000..97e85df
--- /dev/null
+++ b/openssl_insecure_crypto.cnf
@@ -0,0 +1,13 @@
+# Custom configuration to solve some problems while using openconnect-sso.
+# See: https://github.com/vlaci/openconnect-sso/issues/81#issuecomment-1363355533
+
+openssl_conf = openssl_init
+
+[openssl_init]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+Options = UnsafeLegacyRenegotiation
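Review bot: `scriptRoot="$(realpath "${BASH_SOURCE%/*}")"` resolves to the script file itself when the script is started without a directory component (`bash install.sh`), because `${BASH_SOURCE%/*}` strips nothing in that case, and the later `cp "$scriptRoot/$patchFile" .` then fails; `scriptRoot="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"` behaves the same in both invocations. `chmod a+rwx "$contextDir"` leaves the checkout world-writable while the script runs as root, so any local user can modify the PKGBUILD or the patch between this script and the later makepkg run; handing the directory to the intended build user with `chown` (or a group) instead of world-write keeps the sources from being tampered with. None of `git clone`, `cd` or `sed` have their status checked, so a failed clone still ends with a plausible-looking `echo "$contextDir"`; `set -euo pipefail` after the shebang stops at the first failure. `workingDir` is assigned but never read.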
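Review bot: The header comment says only that the file solves "some problems", which does not tell an administrator what protection is being traded away: `Options = UnsafeLegacyRenegotiation` allows TLS renegotiation with peers that do not implement RFC 5746 secure renegotiation, and it applies to every TLS connection of any process that loads this file through OPENSSL_CONF. A comment such as `# Permits renegotiation with servers lacking RFC 5746 support; affects every TLS connection of the process that loads this file.` states the scope. The install path /usr/local/etc/ssl/openssl_insecure_crypto.cnf is also spelled out verbatim in allow_insecure_crypto.patch and in install.sh; a comment naming that coupling would make a later rename less error-prone.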