auth.c
1
2
3
/*
* OpenConnect (SSL + DTLS) VPN client
*
4
* Copyright © 2008-2015 Intel Corporation.
5
* Copyright © 2013 John Morrissey <jwm@horde.net>
6
7
8
9
10
11
12
13
14
15
16
17
18
*
* Author: David Woodhouse <dwmw2@infradead.org>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* version 2.1, as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*/
19
20
#include <config.h>
21
#include <stdio.h>
22
23
24
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
25
#include <string.h>
26
#include <ctype.h>
27
#include <errno.h>
28
29
30
#include <sys/stat.h>
#include <sys/types.h>
#ifndef _WIN32
31
#include <sys/wait.h>
32
#include <pwd.h>
33
#include <grp.h>
35
36
37
38
#include <libxml/parser.h>
#include <libxml/tree.h>
39
#include "openconnect-internal.h"
41
static int xmlpost_append_form_opts(struct openconnect_info *vpninfo,
42
struct oc_auth_form *form, struct oc_text_buf *body);
43
44
45
static int cstp_can_gen_tokencode(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt);
47
48
49
50
51
52
53
int openconnect_set_option_value(struct oc_form_opt *opt, const char *value)
{
if (opt->type == OC_FORM_OPT_SELECT) {
struct oc_form_opt_select *sopt = (void *)opt;
int i;
for (i=0; i<sopt->nr_choices; i++) {
54
if (!strcmp(value, sopt->choices[i]->name)) {
55
opt->_value = sopt->choices[i]->name;
56
57
58
59
60
61
return 0;
}
}
return -EINVAL;
}
62
63
opt->_value = strdup(value);
if (!opt->_value)
64
65
66
67
68
return -ENOMEM;
return 0;
}
69
70
71
72
73
74
75
76
77
78
79
static int prop_equals(xmlNode *xml_node, const char *name, const char *value)
{
char *tmp = (char *)xmlGetProp(xml_node, (unsigned char *)name);
int ret = 0;
if (tmp && !strcasecmp(tmp, value))
ret = 1;
free(tmp);
return ret;
}
80
static int parse_auth_choice(struct openconnect_info *vpninfo, struct oc_auth_form *form,
81
xmlNode *xml_node)
83
struct oc_form_opt_select *opt;
84
xmlNode *opt_node;
85
int max_choices = 0, selection = 0;
86
87
88
89
90
opt = calloc(1, sizeof(*opt));
if (!opt)
return -ENOMEM;
91
opt->form.type = OC_FORM_OPT_SELECT;
92
93
opt->form.name = (char *)xmlGetProp(xml_node, (unsigned char *)"name");
opt->form.label = (char *)xmlGetProp(xml_node, (unsigned char *)"label");
95
if (!opt->form.name) {
96
vpn_progress(vpninfo, PRG_ERR, _("Form choice has no name\n"));
97
free_opt((struct oc_form_opt *)opt);
98
99
100
return -EINVAL;
}
101
102
103
104
105
106
107
108
109
for (opt_node = xml_node->children; opt_node; opt_node = opt_node->next)
max_choices++;
opt->choices = calloc(1, max_choices * sizeof(struct oc_choice *));
if (!opt->choices) {
free_opt((struct oc_form_opt *)opt);
return -ENOMEM;
}
110
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
111
char *form_id;
112
struct oc_choice *choice;
114
115
116
117
118
119
120
if (xml_node->type != XML_ELEMENT_NODE)
continue;
if (strcmp((char *)xml_node->name, "option"))
continue;
form_id = (char *)xmlGetProp(xml_node, (unsigned char *)"value");
121
122
if (!form_id)
form_id = (char *)xmlNodeGetContent(xml_node);
123
124
125
if (!form_id)
continue;
126
127
128
choice = calloc(1, sizeof(*choice));
if (!choice) {
free_opt((struct oc_form_opt *)opt);
129
return -ENOMEM;
131
132
133
134
135
136
choice->name = form_id;
choice->label = (char *)xmlNodeGetContent(xml_node);
choice->auth_type = (char *)xmlGetProp(xml_node, (unsigned char *)"auth-type");
choice->override_name = (char *)xmlGetProp(xml_node, (unsigned char *)"override-name");
choice->override_label = (char *)xmlGetProp(xml_node, (unsigned char *)"override-label");
138
139
140
141
142
143
144
choice->second_auth = prop_equals(xml_node, "second-auth", "1");
choice->secondary_username = (char *)xmlGetProp(xml_node,
(unsigned char *)"secondary_username");
choice->secondary_username_editable = prop_equals(xml_node,
"secondary_username_editable", "true");
choice->noaaa = prop_equals(xml_node, "noaaa", "1");
145
146
147
if (prop_equals(xml_node, "selected", "true"))
selection = opt->nr_choices;
148
opt->choices[opt->nr_choices++] = choice;
151
152
if (!strcmp(opt->form.name, "group_list")) {
form->authgroup_opt = opt;
153
form->authgroup_selection = selection;
156
157
158
159
/* We link the choice _first_ so it's at the top of what we present
to the user */
opt->form.next = form->opts;
form->opts = &opt->form;
160
161
162
return 0;
}
163
static int parse_form(struct openconnect_info *vpninfo, struct oc_auth_form *form,
164
xmlNode *xml_node)
166
char *input_type, *input_name, *input_label;
167
168
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
169
struct oc_form_opt *opt, **p;
170
171
172
173
174
if (xml_node->type != XML_ELEMENT_NODE)
continue;
if (!strcmp((char *)xml_node->name, "select")) {
175
if (parse_auth_choice(vpninfo, form, xml_node))
176
177
178
179
return -EINVAL;
continue;
}
if (strcmp((char *)xml_node->name, "input")) {
180
vpn_progress(vpninfo, PRG_DEBUG,
181
_("name %s not input\n"), xml_node->name);
182
183
184
185
186
continue;
}
input_type = (char *)xmlGetProp(xml_node, (unsigned char *)"type");
if (!input_type) {
187
188
vpn_progress(vpninfo, PRG_INFO,
_("No input type in form\n"));
189
190
191
continue;
}
192
193
if (!strcmp(input_type, "submit") || !strcmp(input_type, "reset")) {
free(input_type);
197
198
input_name = (char *)xmlGetProp(xml_node, (unsigned char *)"name");
if (!input_name) {
199
200
vpn_progress(vpninfo, PRG_INFO,
_("No input name in form\n"));
201
free(input_type);
202
203
204
205
continue;
}
input_label = (char *)xmlGetProp(xml_node, (unsigned char *)"label");
206
opt = calloc(1, sizeof(*opt));
207
208
209
210
if (!opt) {
free(input_type);
free(input_name);
free(input_label);
211
return -ENOMEM;
214
215
opt->name = input_name;
opt->label = input_label;
216
opt->flags = prop_equals(xml_node, "second-auth", "1") ? OC_FORM_OPT_SECOND_AUTH : 0;
218
if (!strcmp(input_type, "hidden")) {
219
opt->type = OC_FORM_OPT_HIDDEN;
220
opt->_value = (char *)xmlGetProp(xml_node, (unsigned char *)"value");
221
} else if (!strcmp(input_type, "text")) {
222
opt->type = OC_FORM_OPT_TEXT;
223
} else if (!strcmp(input_type, "password")) {
224
if (!cstp_can_gen_tokencode(vpninfo, form, opt))
225
opt->type = OC_FORM_OPT_TOKEN;
227
228
opt->type = OC_FORM_OPT_PASSWORD;
} else {
229
vpn_progress(vpninfo, PRG_INFO,
230
231
_("Unknown input type %s in form\n"),
input_type);
232
233
234
free(input_type);
free(input_name);
free(input_label);
235
236
free(opt);
continue;
239
free(input_type);
240
241
242
243
244
245
p = &form->opts;
while (*p)
p = &(*p)->next;
*p = opt;
248
249
250
return 0;
}
251
static char *xmlnode_msg(xmlNode *xml_node)
253
char *fmt = (char *)xmlNodeGetContent(xml_node);
254
255
char *result, *params[2], *pct;
int len;
256
int nr_params = 0;
258
259
if (!fmt || !fmt[0]) {
free(fmt);
260
return NULL;
263
len = strlen(fmt) + 1;
265
266
267
268
269
270
271
272
273
274
275
params[0] = (char *)xmlGetProp(xml_node, (unsigned char *)"param1");
if (params[0])
len += strlen(params[0]);
params[1] = (char *)xmlGetProp(xml_node, (unsigned char *)"param2");
if (params[1])
len += strlen(params[1]);
result = malloc(len);
if (!result) {
result = fmt;
goto out;
276
277
}
278
strcpy(result, fmt);
279
free(fmt);
281
282
283
for (pct = strchr(result, '%'); pct;
(pct = strchr(pct, '%'))) {
int paramlen;
285
286
287
288
289
290
291
/* We only cope with '%s' */
if (pct[1] != 's')
goto out;
if (params[nr_params]) {
paramlen = strlen(params[nr_params]);
/* Move rest of fmt string up... */
292
memmove(pct + paramlen, pct + 2, strlen(pct + 2) + 1);
293
294
295
296
297
298
299
300
301
302
303
304
/* ... and put the string parameter in where the '%s' was */
memcpy(pct, params[nr_params], paramlen);
pct += paramlen;
} else
pct++;
if (++nr_params == 2)
break;
}
out:
free(params[0]);
free(params[1]);
305
return result;
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
static int xmlnode_get_text(xmlNode *xml_node, const char *name, char **var)
{
char *str;
if (name && !xmlnode_is_named(xml_node, name))
return -EINVAL;
str = xmlnode_msg(xml_node);
if (!str)
return -ENOENT;
free(*var);
*var = str;
return 0;
}
324
325
326
327
328
/*
* Legacy server response looks like:
*
* <auth id="<!-- "main" for initial attempt, "success" means we have a cookie -->">
* <title><!-- title to display to user --></title>
329
330
* <csd
* token="<!-- save to vpninfo->csd_token -->"
331
* ticket="<!-- save to vpninfo->csd_ticket -->" />
332
333
334
335
* <csd
* stuburl="<!-- save to vpninfo->csd_stuburl if --os=win -->"
* starturl="<!-- save to vpninfo->csd_starturl if --os=win -->"
* waiturl="<!-- save to vpninfo->csd_starturl if --os=win -->"
336
* <csdMac
337
338
339
* stuburl="<!-- save to vpninfo->csd_stuburl if --os=mac-intel -->"
* starturl="<!-- save to vpninfo->csd_starturl if --os=mac-intel -->"
* waiturl="<!-- save to vpninfo->csd_waiturl if --os=mac-intel -->" />
340
* <csdLinux
341
342
343
* stuburl="<!-- same as above, for Linux -->"
* starturl="<!-- same as above, for Linux -->"
* waiturl="<!-- same as above, for Linux -->" />
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
* <banner><!-- display this to the user --></banner>
* <message>Please enter your username and password.</message>
* <form method="post" action="/+webvpn+/index.html">
* <input type="text" name="username" label="Username:" />
* <input type="password" name="password" label="Password:" />
* <input type="hidden" name="<!-- save these -->" value="<!-- ... -->" />
* <input type="submit" name="Login" value="Login" />
* <input type="reset" name="Clear" value="Clear" />
* </form>
* </auth>
*
* New server response looks like:
*
* <config-auth>
* <version><!-- whatever --></version>
* <session-token><!-- if present, save to vpninfo->cookie --></session-token>
* <opaque>
* <!-- this could contain anything; copy to vpninfo->opaque_srvdata -->
* <tunnel-group>foobar</tunnel-group>
* <config-hash>1234567</config-hash>
* </opaque>
* <auth id="<!-- see above -->
* <!-- all of our old familiar fields -->
* </auth>
* <host-scan>
* <host-scan-ticket><!-- save to vpninfo->csd_ticket --></host-scan-ticket>
* <host-scan-token><!-- save to vpninfo->csd_token --></host-scan-token>
* <host-scan-base-uri><!-- save to vpninfo->csd_starturl --></host-scan-base-uri>
* <host-scan-wait-uri><!-- save to vpninfo->csd_waiturl --></host-scan-wait-uri>
* </host-scan>
* </config-auth>
*
* Notes:
*
* 1) The new host-scan-*-uri nodes do not map directly to the old CSD fields.
*
* 2) The new <form> tag tends to omit the method/action properties.
*/
383
384
385
386
387
388
389
390
391
static int parse_auth_node(struct openconnect_info *vpninfo, xmlNode *xml_node,
struct oc_auth_form *form)
{
int ret = 0;
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
if (xml_node->type != XML_ELEMENT_NODE)
continue;
392
393
394
395
396
397
xmlnode_get_text(xml_node, "banner", &form->banner);
xmlnode_get_text(xml_node, "message", &form->message);
xmlnode_get_text(xml_node, "error", &form->error);
if (xmlnode_is_named(xml_node, "form")) {
398
399
400
401
/* defaults for new XML POST */
form->method = strdup("POST");
form->action = strdup("/");
402
403
404
xmlnode_get_prop(xml_node, "method", &form->method);
xmlnode_get_prop(xml_node, "action", &form->action);
405
406
407
408
409
410
411
412
413
414
415
416
if (!form->method || !form->action ||
strcasecmp(form->method, "POST") || !form->action[0]) {
vpn_progress(vpninfo, PRG_ERR,
_("Cannot handle form method='%s', action='%s'\n"),
form->method, form->action);
ret = -EINVAL;
goto out;
}
ret = parse_form(vpninfo, form, xml_node);
if (ret < 0)
goto out;
417
418
419
} else if (!vpninfo->csd_scriptname && xmlnode_is_named(xml_node, "csd")) {
xmlnode_get_prop(xml_node, "token", &vpninfo->csd_token);
xmlnode_get_prop(xml_node, "ticket", &vpninfo->csd_ticket);
420
421
422
423
424
425
} else if (xmlnode_is_named(xml_node, "authentication-complete")) {
/* Ick. Since struct oc_auth_form is public there's no
* simple way to add a flag to it. So let's abuse the
* auth_id string instead. */
free(form->auth_id);
form->auth_id = strdup("openconnect_authentication_complete");
426
427
428
429
430
431
}
/* For Windows, vpninfo->csd_xmltag will be "csd" and there are *two* <csd>
nodes; one with token/ticket and one with the URLs. Process them both
the same and rely on the fact that xmlnode_get_prop() will not *clear*
the variable if no such property is found. */
if (!vpninfo->csd_scriptname && xmlnode_is_named(xml_node, vpninfo->csd_xmltag)) {
432
433
434
/* ignore the CSD trojan binary on mobile platforms */
if (!vpninfo->csd_nostub)
xmlnode_get_prop(xml_node, "stuburl", &vpninfo->csd_stuburl);
435
436
xmlnode_get_prop(xml_node, "starturl", &vpninfo->csd_starturl);
xmlnode_get_prop(xml_node, "waiturl", &vpninfo->csd_waiturl);
437
438
439
440
441
442
443
444
vpninfo->csd_preurl = strdup(vpninfo->urlpath);
}
}
out:
return ret;
}
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
static int parse_host_scan_node(struct openconnect_info *vpninfo, xmlNode *xml_node)
{
/* ignore this whole section if the CSD trojan has already run */
if (vpninfo->csd_scriptname)
return 0;
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
if (xml_node->type != XML_ELEMENT_NODE)
continue;
xmlnode_get_text(xml_node, "host-scan-ticket", &vpninfo->csd_ticket);
xmlnode_get_text(xml_node, "host-scan-token", &vpninfo->csd_token);
xmlnode_get_text(xml_node, "host-scan-base-uri", &vpninfo->csd_starturl);
xmlnode_get_text(xml_node, "host-scan-wait-uri", &vpninfo->csd_waiturl);
}
return 0;
}
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
static void parse_profile_node(struct openconnect_info *vpninfo, xmlNode *xml_node)
{
/* ignore this whole section if we already have a URL */
if (vpninfo->profile_url && vpninfo->profile_sha1)
return;
/* Find <vpn rev="1.0"> child... */
xml_node = xml_node->children;
while (1) {
if (!xml_node)
return;
if (xml_node->type == XML_ELEMENT_NODE &&
xmlnode_is_named(xml_node, "vpn") &&
!xmlnode_match_prop(xml_node, "rev", "1.0"))
break;
xml_node = xml_node->next;
}
/* Find <file type="profile" service-type="user"> */
xml_node = xml_node->children;
while (1) {
if (!xml_node)
return;
if (xml_node->type == XML_ELEMENT_NODE &&
xmlnode_is_named(xml_node, "file") &&
!xmlnode_match_prop(xml_node, "type", "profile") &&
!xmlnode_match_prop(xml_node, "service-type", "user"))
break;
xml_node = xml_node->next;
}
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
if (xml_node->type != XML_ELEMENT_NODE)
continue;
xmlnode_get_text(xml_node, "uri", &vpninfo->profile_url);
/* FIXME: Check for <hash type="sha1"> */
xmlnode_get_text(xml_node, "hash", &vpninfo->profile_sha1);
}
}
static void parse_config_node(struct openconnect_info *vpninfo, xmlNode *xml_node)
{
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
if (xml_node->type != XML_ELEMENT_NODE)
continue;
if (xmlnode_is_named(xml_node, "vpn-profile-manifest"))
parse_profile_node(vpninfo, xml_node);
}
}
519
520
/* Return value:
* < 0, on error
521
* = 0, on success; *form is populated
523
524
static int parse_xml_response(struct openconnect_info *vpninfo, char *response,
struct oc_auth_form **formp, int *cert_rq)
526
struct oc_auth_form *form;
527
528
xmlDocPtr xml_doc;
xmlNode *xml_node;
530
531
532
533
534
if (*formp) {
free_auth_form(*formp);
*formp = NULL;
}
535
536
if (cert_rq)
*cert_rq = 0;
538
if (!response) {
539
vpn_progress(vpninfo, PRG_DEBUG,
540
541
542
543
_("Empty response from server\n"));
return -EINVAL;
}
544
545
546
form = calloc(1, sizeof(*form));
if (!form)
return -ENOMEM;
547
548
xml_doc = xmlReadMemory(response, strlen(response), "noname.xml", NULL,
XML_PARSE_NOERROR|XML_PARSE_RECOVER);
549
if (!xml_doc) {
550
551
vpn_progress(vpninfo, PRG_ERR,
_("Failed to parse server response\n"));
552
vpn_progress(vpninfo, PRG_DEBUG,
553
_("Response was:%s\n"), response);
554
555
556
free(form);
return -EINVAL;
}
558
xml_node = xmlDocGetRootElement(xml_doc);
559
while (xml_node) {
561
562
563
564
565
566
567
568
569
if (xml_node->type != XML_ELEMENT_NODE) {
xml_node = xml_node->next;
continue;
}
if (xmlnode_is_named(xml_node, "config-auth")) {
/* if we do have a config-auth node, it is the root element */
xml_node = xml_node->children;
continue;
570
571
572
573
574
} else if (xmlnode_is_named(xml_node, "client-cert-request")) {
if (cert_rq)
*cert_rq = 1;
else {
vpn_progress(vpninfo, PRG_ERR,
575
_("Received <client-cert-request> when not expected.\n"));
576
577
ret = -EINVAL;
}
578
579
580
581
582
583
584
585
586
587
588
} else if (xmlnode_is_named(xml_node, "auth")) {
xmlnode_get_prop(xml_node, "id", &form->auth_id);
ret = parse_auth_node(vpninfo, xml_node, form);
} else if (xmlnode_is_named(xml_node, "opaque")) {
if (vpninfo->opaque_srvdata)
xmlFreeNode(vpninfo->opaque_srvdata);
vpninfo->opaque_srvdata = xmlCopyNode(xml_node, 1);
if (!vpninfo->opaque_srvdata)
ret = -ENOMEM;
} else if (xmlnode_is_named(xml_node, "host-scan")) {
ret = parse_host_scan_node(vpninfo, xml_node);
589
590
} else if (xmlnode_is_named(xml_node, "config")) {
parse_config_node(vpninfo, xml_node);
591
592
593
594
595
596
597
598
599
600
} else {
xmlnode_get_text(xml_node, "session-token", &vpninfo->cookie);
xmlnode_get_text(xml_node, "error", &form->error);
}
if (ret)
goto out;
xml_node = xml_node->next;
}
601
if (!form->auth_id && (!cert_rq || !*cert_rq)) {
602
vpn_progress(vpninfo, PRG_ERR,
603
_("XML response has no \"auth\" node\n"));
604
ret = -EINVAL;
605
606
goto out;
}
608
609
610
*formp = form;
xmlFreeDoc(xml_doc);
return 0;
612
613
614
out:
xmlFreeDoc(xml_doc);
free_auth_form(form);
615
return ret;
616
617
618
619
}
/* Return value:
* < 0, on error
620
621
622
* = OC_FORM_RESULT_OK (0), when form parsed and POST required
* = OC_FORM_RESULT_CANCELLED, when response was cancelled by user
* = OC_FORM_RESULT_LOGGEDIN, when form indicates that login was already successful
624
625
626
static int handle_auth_form(struct openconnect_info *vpninfo, struct oc_auth_form *form,
struct oc_text_buf *request_body, const char **method,
const char **request_body_type)
627
628
{
int ret;
629
struct oc_vpn_option *opt, *next;
630
631
if (!strcmp(form->auth_id, "success"))
632
return OC_FORM_RESULT_LOGGEDIN;
634
if (vpninfo->nopasswd) {
635
636
vpn_progress(vpninfo, PRG_ERR,
_("Asked for password but '--no-passwd' set\n"));
637
return -EPERM;
640
if (vpninfo->csd_token && vpninfo->csd_ticket && vpninfo->csd_starturl && vpninfo->csd_waiturl) {
641
642
643
644
645
646
647
648
649
/* AB: remove all cookies */
for (opt = vpninfo->cookies; opt; opt = next) {
next = opt->next;
free(opt->option);
free(opt->value);
free(opt);
}
vpninfo->cookies = NULL;
650
return OC_FORM_RESULT_OK;
652
if (!form->opts) {
653
if (form->message)
654
vpn_progress(vpninfo, PRG_INFO, "%s\n", form->message);
655
if (form->error)
656
vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error);
657
658
if (!strcmp(form->auth_id, "openconnect_authentication_complete"))
goto justpost;
659
return -EPERM;
660
661
}
662
ret = process_auth_form(vpninfo, form);
664
return ret;
666
667
/* tokencode generation is deferred until after username prompts and CSD */
ret = do_gen_tokencode(vpninfo, form);
668
669
670
if (ret) {
vpn_progress(vpninfo, PRG_ERR, _("Failed to generate OTP tokencode; disabling token\n"));
vpninfo->token_bypassed = 1;
671
return ret;
673
justpost:
674
ret = vpninfo->xmlpost ?
675
676
xmlpost_append_form_opts(vpninfo, form, request_body) :
append_form_opts(vpninfo, form, request_body);
677
678
679
680
if (!ret) {
*method = "POST";
*request_body_type = "application/x-www-form-urlencoded";
}
681
682
683
return ret;
}
684
685
686
687
688
689
690
691
692
/*
* Old submission format is just an HTTP query string:
*
* password=12345678&username=joe
*
* New XML format is more complicated:
*
* <config-auth client="vpn" type="<!-- init or auth-reply -->">
* <version who="vpn"><!-- currently just the OpenConnect version --></version>
693
* <device-id><!-- linux, linux-64, win, ... --></device-id>
694
695
696
697
698
699
700
701
702
703
704
705
* <opaque is-for="<!-- some name -->">
* <!-- just copy this verbatim from whatever the gateway sent us -->
* </opaque>
*
* For init only, add:
* <group-access>https://<!-- insert hostname here --></group-access>
*
* For auth-reply only, add:
* <auth>
* <username><!-- same treatment as the old form options --></username>
* <password><!-- ditto -->
* </auth>
706
* <group-select><!-- name of selected authgroup --></group-select>
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
* <host-scan-token><!-- vpninfo->csd_ticket --></host-scan-token>
*/
#define XCAST(x) ((const xmlChar *)(x))
static xmlDocPtr xmlpost_new_query(struct openconnect_info *vpninfo, const char *type,
xmlNodePtr *rootp)
{
xmlDocPtr doc;
xmlNodePtr root, node;
doc = xmlNewDoc(XCAST("1.0"));
if (!doc)
return NULL;
*rootp = root = xmlNewNode(NULL, XCAST("config-auth"));
if (!root)
goto bad;
if (!xmlNewProp(root, XCAST("client"), XCAST("vpn")))
goto bad;
if (!xmlNewProp(root, XCAST("type"), XCAST(type)))
goto bad;
xmlDocSetRootElement(doc, root);
731
732
node = xmlNewTextChild(root, NULL, XCAST("version"),
XCAST(vpninfo->version_string ? : openconnect_version_str));
733
734
735
736
737
if (!node)
goto bad;
if (!xmlNewProp(node, XCAST("who"), XCAST("vpn")))
goto bad;
738
739
node = xmlNewTextChild(root, NULL, XCAST("device-id"), XCAST(vpninfo->platname));
if (!node)
740
goto bad;
741
742
743
744
745
746
if (vpninfo->mobile_platform_version) {
if (!xmlNewProp(node, XCAST("platform-version"), XCAST(vpninfo->mobile_platform_version)) ||
!xmlNewProp(node, XCAST("device-type"), XCAST(vpninfo->mobile_device_type)) ||
!xmlNewProp(node, XCAST("unique-id"), XCAST(vpninfo->mobile_device_uniqueid)))
goto bad;
}
747
748
749
750
751
752
753
754
return doc;
bad:
xmlFreeDoc(doc);
return NULL;
}
755
static int xmlpost_complete(xmlDocPtr doc, struct oc_text_buf *body)
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
{
xmlChar *mem = NULL;
int len, ret = 0;
if (!body) {
xmlFree(doc);
return 0;
}
xmlDocDumpMemoryEnc(doc, &mem, &len, "UTF-8");
if (!mem) {
xmlFreeDoc(doc);
return -ENOMEM;
}
771
buf_append_bytes(body, mem, len);
772
773
774
775
776
777
778
xmlFreeDoc(doc);
xmlFree(mem);
return ret;
}
779
780
static int xmlpost_initial_req(struct openconnect_info *vpninfo,
struct oc_text_buf *request_body, int cert_fail)
781
782
783
{
xmlNodePtr root, node;
xmlDocPtr doc = xmlpost_new_query(vpninfo, "init", &root);
784
struct oc_text_buf *url_buf;
785
786
787
788
if (!doc)
return -ENOMEM;
789
790
791
792
793
794
795
url_buf = buf_alloc();
buf_append(url_buf, "https://%s", vpninfo->hostname);
if (vpninfo->port != 443)
buf_append(url_buf, ":%d", vpninfo->port);
/* Do we *need* to omit the trailing / here when no path? */
if (vpninfo->urlpath)
buf_append(url_buf, "/%s", vpninfo->urlpath);
797
798
if (buf_error(url_buf)) {
buf_free(url_buf);
799
goto bad;
800
801
802
}
node = xmlNewTextChild(root, NULL, XCAST("group-access"), XCAST(url_buf->data));
buf_free(url_buf);
803
804
if (!node)
goto bad;
805
806
807
808
809
if (cert_fail) {
node = xmlNewTextChild(root, NULL, XCAST("client-cert-fail"), NULL);
if (!node)
goto bad;
}
810
811
812
813
814
if (vpninfo->authgroup) {
node = xmlNewTextChild(root, NULL, XCAST("group-select"), XCAST(vpninfo->authgroup));
if (!node)
goto bad;
}
815
return xmlpost_complete(doc, request_body);
816
817
bad:
818
buf_free(url_buf);
819
xmlpost_complete(doc, NULL);
820
821
822
823
return -ENOMEM;
}
static int xmlpost_append_form_opts(struct openconnect_info *vpninfo,
824
struct oc_auth_form *form, struct oc_text_buf *body)
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
{
xmlNodePtr root, node;
xmlDocPtr doc = xmlpost_new_query(vpninfo, "auth-reply", &root);
struct oc_form_opt *opt;
if (!doc)
return -ENOMEM;
if (vpninfo->opaque_srvdata) {
node = xmlCopyNode(vpninfo->opaque_srvdata, 1);
if (!node)
goto bad;
if (!xmlAddChild(root, node))
goto bad;
}
node = xmlNewChild(root, NULL, XCAST("auth"), NULL);
if (!node)
goto bad;
for (opt = form->opts; opt; opt = opt->next) {
846
847
/* group_list: create a new <group-select> node under <config-auth> */
if (!strcmp(opt->name, "group_list")) {
848
if (!xmlNewTextChild(root, NULL, XCAST("group-select"), XCAST(opt->_value)))
849
850
851
852
goto bad;
continue;
}
853
854
855
856
/* answer,whichpin,new_password: rename to "password" */
if (!strcmp(opt->name, "answer") ||
!strcmp(opt->name, "whichpin") ||
!strcmp(opt->name, "new_password")) {
857
if (!xmlNewTextChild(node, NULL, XCAST("password"), XCAST(opt->_value)))
858
859
860
861
862
863
864
865
866
867
goto bad;
continue;
}
/* verify_pin,verify_password: ignore */
if (!strcmp(opt->name, "verify_pin") ||
!strcmp(opt->name, "verify_password")) {
continue;
}
868
/* everything else: create <foo>user_input</foo> under <auth> */
869
if (!xmlNewTextChild(node, NULL, XCAST(opt->name), XCAST(opt->_value)))
870
871
872
873
874
875
876
goto bad;
}
if (vpninfo->csd_token &&
!xmlNewTextChild(root, NULL, XCAST("host-scan-token"), XCAST(vpninfo->csd_token)))
goto bad;
877
return xmlpost_complete(doc, body);
878
879
bad:
880
xmlpost_complete(doc, NULL);
881
882
883
return -ENOMEM;
}
884
885
886
887
/* Return value:
* < 0, if unable to generate a tokencode
* = 0, on success
*/
888
889
890
static int cstp_can_gen_tokencode(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt)
892
893
894
895
if (vpninfo->token_mode == OC_TOKEN_MODE_NONE ||
vpninfo->token_bypassed)
return -EINVAL;
896
#ifdef HAVE_LIBSTOKEN
897
898
899
900
if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
if (strcmp(opt->name, "password") &&
strcmp(opt->name, "answer"))
return -EINVAL;
901
return can_gen_stoken_code(vpninfo, form, opt);
903
#endif
904
/* Otherwise it's an OATH token of some kind. */
905
906
if (strcmp(opt->name, "secondary_password") &&
(!form->auth_id || strcmp(form->auth_id, "challenge")))
907
return -EINVAL;
909
return can_gen_tokencode(vpninfo, form, opt);
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
static int fetch_config(struct openconnect_info *vpninfo)
{
struct oc_text_buf *buf;
int result;
unsigned char local_sha1_bin[SHA1_SIZE];
char local_sha1_ascii[(SHA1_SIZE * 2)+1];
int i;
if (!vpninfo->profile_url || !vpninfo->profile_sha1 || !vpninfo->write_new_config)
return -ENOENT;
if (!strncasecmp(vpninfo->xmlsha1, vpninfo->profile_sha1, SHA1_SIZE * 2)) {
vpn_progress(vpninfo, PRG_TRACE,
_("Not downloading XML profile because SHA1 already matches\n"));
return 0;
}
if ((result = openconnect_open_https(vpninfo))) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to open HTTPS connection to %s\n"),
vpninfo->hostname);
return result;
}
buf = buf_alloc();
937
938
939
940
941
if (vpninfo->port != 443)
buf_append(buf, "GET %s:%d HTTP/1.1\r\n", vpninfo->profile_url, vpninfo->port);
else
buf_append(buf, "GET %s HTTP/1.1\r\n", vpninfo->profile_url);
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
cstp_common_headers(vpninfo, buf);
if (vpninfo->xmlpost)
buf_append(buf, "Cookie: webvpn=%s\r\n", vpninfo->cookie);
buf_append(buf, "\r\n");
if (buf_error(buf))
return buf_free(buf);
if (vpninfo->ssl_write(vpninfo, buf->data, buf->pos) != buf->pos) {
vpn_progress(vpninfo, PRG_ERR,
_("Failed to send GET request for new config\n"));
buf_free(buf);
return -EIO;
}
result = process_http_response(vpninfo, 0, NULL, buf);
if (result < 0) {
/* We'll already have complained about whatever offended us */
buf_free(buf);
return -EINVAL;
}
if (result != 200) {
buf_free(buf);
return -EINVAL;
}
openconnect_sha1(local_sha1_bin, buf->data, buf->pos);
for (i = 0; i < SHA1_SIZE; i++)
sprintf(&local_sha1_ascii[i*2], "%02x", local_sha1_bin[i]);
if (strcasecmp(vpninfo->profile_sha1, local_sha1_ascii)) {
vpn_progress(vpninfo, PRG_ERR,
_("Downloaded config file did not match intended SHA1\n"));
buf_free(buf);
return -EINVAL;
}
vpn_progress(vpninfo, PRG_DEBUG, _("Downloaded new XML profile\n"));
result = vpninfo->write_new_config(vpninfo->cbdata, buf->data, buf->pos);
buf_free(buf);
return result;
}
988
989
990
991
992
993
994
995
996
997
998
999
1000
int set_csd_user(struct openconnect_info *vpninfo)
{
#if defined(_WIN32) || defined(__native_client__)
vpn_progress(vpninfo, PRG_ERR,
_("Error: Running the 'Cisco Secure Desktop' trojan on this platform is not yet implemented.\n"));
return -EPERM;
#else
setsid();
if (vpninfo->uid_csd_given && vpninfo->uid_csd != getuid()) {
struct passwd *pw;
int e;