At least one protocol (GlobalProtect) requires the security checker ("CSD") script to be invoked during the tunnel/connection phase, rather than the authentication phase, because the access-enabling mechanism depends on knowing the IP address(es) of the client in the internal network. See check_or_submit_hip_report() in cstp.c in OpenConnect.

Signed-off-by: Daniel Lenski <dlenski at gmail.com>
---
 src/nm-openconnect-service.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index 77934aa..c364600 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -392,6 +392,7 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
 	GSource *openconnect_watch;
 	gint stdin_fd;
 	const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu, *props_gwcert, *props_proxy;
+	const char *props_csd_enable, *props_csd_wrapper;
 	const char *protocol;
 
 	/* Find openconnect */
@@ -477,6 +478,18 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
 	g_ptr_array_add (openconnect_argv, (gpointer) "--script");
 	g_ptr_array_add (openconnect_argv, (gpointer) NM_OPENCONNECT_HELPER_PATH);
 
+	props_csd_enable = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
+	props_csd_wrapper = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
+	if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper) {
+		/* Replicate the CSD parameters used in the authentication phase, for
+		   supported protocols which may need to invoke the security trojan ("CSD")
+		   in the tunnel/connection phase. */
+		g_ptr_array_add (openconnect_argv, (gpointer) "--csd-wrapper");
+		g_ptr_array_add (openconnect_argv, (gpointer) props_csd_wrapper);
+		g_ptr_array_add (openconnect_argv, (gpointer) "--csd-user");
+		g_ptr_array_add (openconnect_argv, (gpointer) g_strdup_printf ("%d", getuid()));
+	}
+
 	priv->tun_name = create_persistent_tundev ();
 	if (priv->tun_name) {
 		g_ptr_array_add (openconnect_argv, (gpointer) "--interface");
-- 
2.7.4
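Review bot: The `--csd-user` value on the last added `g_ptr_array_add` line is the uid of this service process from `getuid()`, not the uid of the user who owns the connection; nm-openconnect-service is normally spawned by NetworkManager as root, and if that holds here, the user-editable `props_csd_wrapper` path is handed to openconnect to be executed as uid 0, something the authentication-phase code this was copied from (which runs in the user's session) never does. If this function already drops openconnect's privileges with `--setuid` to a dedicated account elsewhere, `--csd-user` should name that same unprivileged account instead of `getuid()`, and the branch should refuse to add the option at all when the uid it would pass resolves to 0, e.g. `if (getuid () == 0) { g_warning ("refusing to run CSD wrapper as root"); } else { ... }`. Two smaller points on the same line: `uid_t` is unsigned on glibc so the format should be `g_strdup_printf ("%u", (unsigned) getuid ())`, and that allocated string is never freed, since the other argv entries are string constants and nothing frees individual elements of `openconnect_argv`. nm_openconnect_start_openconnect_binary begins and ends outside this hunk.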