[PATCH] Include --csd-wrapper script in openconnect arguments

At least one protocol (GlobalProtect) requires the security checker ("CSD")
script to be invoked during the tunnel/connection phase, rather than the
authentication phase, because the access-enabling mechanism depends on
knowing the IP address(es) of the client in the internal network.  See
check_or_submit_hip_report() in cstp.c in OpenConnect.

Signed-off-by: Daniel Lenski <dlenski at gmail.com>
---
 src/nm-openconnect-service.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index 77934aa..c364600 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -392,6 +392,7 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
 	GSource *openconnect_watch;
 	gint	stdin_fd;
 	const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu, *props_gwcert, *props_proxy;
+	const char *props_csd_enable, *props_csd_wrapper;
 	const char *protocol;
 
 	/* Find openconnect */
@@ -477,6 +478,18 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
 	g_ptr_array_add (openconnect_argv, (gpointer) "--script");
 	g_ptr_array_add (openconnect_argv, (gpointer) NM_OPENCONNECT_HELPER_PATH);
 
+	props_csd_enable = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
+	props_csd_wrapper = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
+	if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper) {
+		/* Replicate the CSD parameters used in the authentication phase, for
+		   supported protocols which may need to invoke the security trojan ("CSD")
+		   in the tunnel/connection phase. */
+		g_ptr_array_add (openconnect_argv, (gpointer) "--csd-wrapper");
+		g_ptr_array_add (openconnect_argv, (gpointer) props_csd_wrapper);
+		g_ptr_array_add (openconnect_argv, (gpointer) "--csd-user");
+		g_ptr_array_add (openconnect_argv, (gpointer) g_strdup_printf ("%d", getuid()));
+	}
+
 	priv->tun_name = create_persistent_tundev ();
 	if (priv->tun_name) {
 		g_ptr_array_add (openconnect_argv, (gpointer) "--interface");
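Review bot: the `--csd-user` value built with `g_strdup_printf ("%d", getuid())` is the uid of this service process, not of the user whose authentication phase is being replicated, as the comment two lines above claims. If nm-openconnect-service runs with root privileges (NetworkManager spawns its VPN plugin services as root), this passes `0`, and the wrapper script that the comment itself describes as a "security trojan" would be executed as root during the tunnel phase, a privilege the auth-phase CSD run (done by the auth dialog as the desktop user) does not have. Consider passing the unprivileged user the connection is being brought up for, and please confirm that openconnect accepts a numeric id here at all: `--csd-user` is documented as taking a user name. Two smaller points on the same line: `getuid()` returns a `uid_t`, which is unsigned on glibc, so `"%d"` is the wrong conversion (use `"%u"` with a cast to `unsigned`, or `"%lu"` with `(unsigned long) getuid()`), and the `g_strdup_printf` result is never freed, which is only tolerable because `openconnect_argv` is about to be handed to exec.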
-- 
2.7.4