help with upgraded Cisco AnyConnect VPN


 



On Fri, 2018-10-05 at 13:45 +0100, David Woodhouse wrote:
> On Thu, 2018-10-04 at 14:50 -0400, Ray Lambert wrote:
> > On 10/4/18 11:23 AM, David Woodhouse wrote:
> > > Ah, I suspect the issue here is that the "form" at the end isn't
> > > actually asking for anything. So we fail to parse it (or at least fail
> > > to send any kind of response).
> > > 
> > > We should send back the hostscan token even if there's no username or
> > > password or anything else.
> > 
> > David,
> > 
> > Is the <authentication-complete> tag the key to this, by any chance?  I'm 
> > just guessing (I don't know the protocol) but I don't see it being handled in 
> > the code.
> > 
> > I tried adding some code to handle it but I'm not really sure what to do with 
> > it; my first attempt failed (i.e. exiting handle_auth_form() with 
> > OC_FORM_RESULT_OK if the tag has been seen).
> 
> Yeah, that won't work because it won't post anything back. Try
> something like this...

Or this slightly (but only slightly) nicer variant:

diff --git a/auth.c b/auth.c
index 799a031..fe26316 100644
--- a/auth.c
+++ b/auth.c
@@ -417,6 +417,12 @@ static int parse_auth_node(struct openconnect_info *vpninfo, xmlNode *xml_node,
 		} else if (!vpninfo->csd_scriptname && xmlnode_is_named(xml_node, "csd")) {
 			xmlnode_get_prop(xml_node, "token", &vpninfo->csd_token);
 			xmlnode_get_prop(xml_node, "ticket", &vpninfo->csd_ticket);
+		} else if (xmlnode_is_named(xml_node, "authentication-complete")) {
+			/* Ick. Since struct oc_auth_form is public there's no
+			 * simple way to add a flag to it. So let's abuse the
+			 * auth_id string instead. */
+			free(form->auth_id);
+			form->auth_id = strdup("openconnect_authentication_complete");
 		}
 		/* For Windows, vpninfo->csd_xmltag will be "csd" and there are *two* <csd>
 		   nodes; one with token/ticket and one with the URLs. Process them both
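Review bot: the `strdup()` result in the new `authentication-complete` branch is not checked, so on allocation failure `form->auth_id` is left NULL after the old value has already been freed, and the `strcmp(form->auth_id, ...)` added to handle_auth_form() would then dereference it. Check the return value and fail the parse with an error instead. The sentinel string is also spelled out as a literal both here and in handle_auth_form(); a single `#define` shared by the two sites would keep them from drifting apart, and since the comment notes that struct oc_auth_form is public, the reserved auth_id value deserves a mention wherever that struct is documented so callers that read auth_id are not surprised by it.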
@@ -648,6 +654,8 @@ static int handle_auth_form(struct openconnect_info *vpninfo, struct oc_auth_for
 			vpn_progress(vpninfo, PRG_INFO, "%s\n", form->message);
 		if (form->error)
 			vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error);
+		if (!strcmp(form->auth_id, "openconnect_authentication_complete"))
+			goto justpost;
 		return -EPERM;
 	}
 
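Review bot: the added `if (!strcmp(form->auth_id, "openconnect_authentication_complete"))` passes `form->auth_id` to strcmp() without a NULL check, and the parse_auth_node() hunk can leave it NULL when strdup() fails. Guard it as `form->auth_id && !strcmp(...)`. Note also that this check sits after the `form->error` message has been logged at PRG_ERR, so an error reported alongside `<authentication-complete>` is printed and then the code posts anyway rather than returning -EPERM; if that is intended, a short comment saying so would help the next reader.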
@@ -662,7 +670,7 @@ static int handle_auth_form(struct openconnect_info *vpninfo, struct oc_auth_for
 		vpninfo->token_bypassed = 1;
 		return ret;
 	}
-
+ justpost:
 	ret = vpninfo->xmlpost ?
 	      xmlpost_append_form_opts(vpninfo, form, request_body) :
 	      append_form_opts(vpninfo, form, request_body);
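Review bot: the ` justpost:` label is now reached both by fall-through and by the jump from the branch that otherwise returns -EPERM, and nothing at the label says so. A one-line comment explaining that it is entered for a form with nothing to fill in, so that the request body is still built and posted, would make the control flow easier to follow. The hunk also drops the blank line that separated the `token_bypassed` block from the post; keeping it above the label preserves that separation.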