On Sat, 2018-09-08 at 14:57 +0200, rschmied at janus.inka.de wrote:
> [ ok, sending plain text without wrapping long lines seems to be harder
> than it should be. sorry for the additional list submission]
>
> I've included a patch that provides better compatibility with CSD on
> ASA head ends. E.g. it allows to specify the version string that is
> presented to the ASA. Previous to this patch, OC presents its own
> version e.g. 0.7.8 but that could cause rejection on the head end if
> it looks for a matching AC version string.
>
> It also contains a change that allows to even control more of the
> client system data that is passed in the XML during authentication.
> This part is entirely optional but might help to provide better
> compatibility going forward.
>
> The patch works for me... especially the version-string seems to be
> important in some environments to allow a successful connection, the
> XML changes using the mobile_info struct might be seen as experimental
> / optional.

Hi Ralph, thanks for the patch. Apologies for the delay in responding.

I'm not quite sure about the environment variables... perhaps we should
take these parameters on the command line?

> +# get system information from DMI
> +DMI=$(sudo dmidecode | grep -A8 'System Information')
> +
> +# extract stuff we're interested in
> +MANUFACTURER=$(echo "$DMI" | grep 'Manufacturer' | cut -d: -f2)
> +PRODUCT=$(echo "$DMI" | grep 'Product Name' | cut -d: -f2)
> +SERIAL=$(echo "$DMI" | grep 'Serial Number' | cut -d: -f2)
> +UUID=$(echo "$DMI" | grep 'UUID' | cut -d: -f2)
> +
> +# synthesize / acquire device information
> +OC_DEVICE_TYPE="${MANUFACTURER## } ${PRODUCT## }"
> +OC_PLATFORM_VERSION=$(uname -srvp)
> +OC_UNIQUE_ID=$(echo $UUID$SERIAL | openssl sha256 | sed 's/^.* //' | tr [[:lower:]] [[:upper:]])
> +
> +# get the device that has the default route
> +GW_DEV=$(ip route | sed -nr '/^default/s/.* dev ([[:alnum:]]+) .*$/\1/p')
> +
> +# does it exist and is it different from tun?
> +# (if tunnel is running it potentially has the default route)
> +# if not, set it to all-zeroes
> +if [[ -n ${GW_DEV} && ! "${GW_DEV}" =~ ^tun[0-9]+$ ]]; then
> + OC_MAC_ADDRESS=$(ip link show dev ${GW_DEV} | \
> + sed -nr '2s/^.*ether (([0-9a-f]{2}(:?)){6}) .*$/\1/p' | \
> + tr ':' '-')
> +else
> + OC_MAC_ADDRESS="00-00-00-00-00-00"
> +fi

Alternatively (or additionally, for the default responses), I wonder if
we could reasonably make OpenConnect gather this for itself? All but the
MAC address should be relatively simple (the DMI information will be in
sysfs).

> @@ -276,11 +277,13 @@ int openconnect_set_reported_os(struct openconnect_info *vpninfo,
> int openconnect_set_mobile_info(struct openconnect_info *vpninfo,
> const char *mobile_platform_version,
> const char *mobile_device_type,
> - const char *mobile_device_uniqueid)
> + const char *mobile_device_uniqueid,
> + const char *mobile_mac_address)
> {
> STRDUP(vpninfo->mobile_platform_version, mobile_platform_version);
> STRDUP(vpninfo->mobile_device_type, mobile_device_type);
> STRDUP(vpninfo->mobile_device_uniqueid, mobile_device_uniqueid);
> + STRDUP(vpninfo->mobile_mac_address, mobile_mac_address);
>
> return 0;
> }

This one is a public function; we can't change it without breaking the
soname. We'll need to add an openconnect_set_mobile_info2() function
with the additional argument, or a separate function to set the MAC
address field.
> @@ -875,6 +877,8 @@ static void usage(void)
> printf(" --useragent=STRING %s\n", _("HTTP header User-Agent: field"));
> printf(" --local-hostname=STRING %s\n", _("Local hostname to advertise to server"));
> printf(" --os=STRING %s\n", _("OS type (linux,linux-64,win,...) to report"));
> + printf(" --version-string=STRING %s\n", _("reported version string during authentication"));
> + printf(" (%s %s)\n", _("default:"), openconnect_version_str);
>
> #ifndef _WIN32
> printf("\n%s:\n", _("Trojan binary (CSD) execution"));

Indentation there.

Let's start with a single patch to do the version_string thing, please
(which will also need a public openconnect_set_version_string() function).
Then we can look at the additional mobile-info part next.

Thanks!
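Review bot: in the shell script, the `tr [[:lower:]] [[:upper:]]` at the end of the OC_UNIQUE_ID pipeline has unquoted bracket expressions, which the shell treats as globs; if the working directory happens to contain a file whose name is a single character from either set, the expansion silently changes the arguments. Quote them: `tr '[:lower:]' '[:upper:]'`. Two more things worth stating in the script's header: it needs `sudo dmidecode` just to read four DMI strings, so it will block on a password prompt when run non-interactively, and the `[[ ... =~ ^tun[0-9]+$ ]]` test is bash-only, so it must not be run under plain `/bin/sh`. The MAC extraction also assumes the `ether` line is always line 2 of `ip link show dev ...` output, which is true for Ethernet and Wi-Fi but not for every link type; matching on `link/ether` without the `2` address would be more robust.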
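Review bot: the new `vpninfo->mobile_mac_address` is STRDUP'd in openconnect_set_mobile_info() but nothing in this hunk releases it; the cleanup path that frees the other three `mobile_*` strings needs a matching free, and the new struct field (not shown) needs a comment saying what format the string is expected in, since the script produces dash-separated lower-case hex. Changing the arity of an exported function also means a caller built against the four-argument prototype passes whatever is in the fifth argument register as `mobile_mac_address`, so the suggested openconnect_set_mobile_info2() entry point, with the old function kept as a wrapper passing NULL, is the safe route.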
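Review bot: the two added printf lines in usage() are not aligned with the surrounding column layout, and the help string starts lower-case ("reported version string during authentication") while the neighbouring options start with a capital ("Local hostname ...", "OS type ..."); match both. The `(%s %s)` line composing the translated "default:" with openconnect_version_str is fine, but the option is only useful if `--version-string` is also added to the long-options table and the man page, neither of which this hunk shows.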
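Taking up the suggestion to have OpenConnect read the DMI data itself: the following is an added example, not OpenConnect's own code, that reads the sysfs attributes under /sys/class/dmi/id (sys_vendor, product_name, product_uuid, product_serial) in C and builds the same device-type and unique-id strings the script derives from dmidecode. The `base` directory parameter, the function names and the handling of the root-only serial/UUID files are my assumptions, not anything from the patch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>   /* mkdir(), for building a sample tree in tests */

/* Read one sysfs DMI attribute (<base>/<name>, e.g. /sys/class/dmi/id/product_name)
 * into buf without the trailing newline. Returns 1 on success, 0 if the file is
 * missing or unreadable: product_serial and product_uuid are mode 0400, root only. */
static int read_dmi_attr(const char *base, const char *name, char *buf, size_t len)
{
    char path[512];
    FILE *f;

    snprintf(path, sizeof(path), "%s/%s", base, name);
    f = fopen(path, "r");
    if (!f || !fgets(buf, (int)len, f)) {
        if (f)
            fclose(f);
        buf[0] = '\0';
        return 0;
    }
    fclose(f);
    buf[strcspn(buf, "\r\n")] = '\0';
    return 1;
}

/* "<manufacturer> <product>", the string the script builds from dmidecode, read
 * from sysfs instead so no sudo is needed. Returns 0, or -1 if neither exists. */
int dmi_device_type(const char *base, char *out, size_t len)
{
    char vendor[128], product[128];
    int ok = read_dmi_attr(base, "sys_vendor", vendor, sizeof(vendor));

    ok |= read_dmi_attr(base, "product_name", product, sizeof(product));
    snprintf(out, len, "%s %s", vendor, product);
    return ok ? 0 : -1;
}

/* UUID followed by serial, the concatenation the script pipes into sha256; hash
 * it before it leaves the machine. Unprivileged, both reads fail: out is "" and
 * -1 tells the caller to fall back rather than report an empty identifier. */
int dmi_unique_id_source(const char *base, char *out, size_t len)
{
    char uuid[128], serial[128];
    int ok = read_dmi_attr(base, "product_uuid", uuid, sizeof(uuid));

    ok |= read_dmi_attr(base, "product_serial", serial, sizeof(serial));
    snprintf(out, len, "%s%s", uuid, serial);
    return ok ? 0 : -1;
}
```

Pass "/sys/class/dmi/id" as `base` on a real Linux host; running unprivileged, dmi_unique_id_source() returns -1 because product_uuid and product_serial are readable only by root.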