At least one protocol (GlobalProtect) requires the security checker ("CSD")
script to be invoked during the tunnel/connection phase, rather than the
authentication phase, because the access-enabling mechanism depends on knowing
the IP address(es) of the client in the internal network.
See check_or_submit_hip_report() in cstp.c in OpenConnect.
Signed-off-by: Daniel Lenski <dlenski at gmail.com>
---
src/nm-openconnect-service.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index 77934aa..b18b1a2 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -392,6 +392,7 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
GSource *openconnect_watch;
gint stdin_fd;
const char *props_vpn_gw, *props_cookie, *props_cacert, *props_mtu, *props_gwcert, *props_proxy;
+ const char *props_csd_enable, *props_csd_wrapper;
const char *protocol;
/* Find openconnect */
@@ -477,6 +478,13 @@ nm_openconnect_start_openconnect_binary (NMOpenconnectPlugin *plugin,
g_ptr_array_add (openconnect_argv, (gpointer) "--script");
g_ptr_array_add (openconnect_argv, (gpointer) NM_OPENCONNECT_HELPER_PATH);
+ props_csd_enable = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE);
+ props_csd_wrapper = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_WRAPPER);
+ if (props_csd_enable && !strcmp (props_csd_enable, "yes") && props_csd_wrapper) {
+ g_ptr_array_add (openconnect_argv, (gpointer) "--csd-wrapper");
+ g_ptr_array_add (openconnect_argv, (gpointer) props_csd_wrapper);
+ }
+
priv->tun_name = create_persistent_tundev ();
if (priv->tun_name) {
g_ptr_array_add (openconnect_argv, (gpointer) "--interface");
--
2.7.4
