/
auth.c
1047 lines (904 loc) · 26.7 KB
1
2
3
/*
* OpenConnect (SSL + DTLS) VPN client
*
4
* Copyright © 2008-2011 Intel Corporation.
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
* Copyright © 2008 Nick Andrew <nick@nick-andrew.net>
*
* Author: David Woodhouse <dwmw2@infradead.org>
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* version 2.1, as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to:
*
* Free Software Foundation, Inc.
* 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301 USA
*/
26
#include <stdio.h>
27
28
29
30
#include <netdb.h>
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
31
#include <string.h>
32
#include <ctype.h>
33
#include <errno.h>
34
35
36
37
38
#ifdef LIBSTOKEN_HDR
#include LIBSTOKEN_HDR
#endif
39
40
41
#include <libxml/parser.h>
#include <libxml/tree.h>
42
#include "openconnect-internal.h"
43
44
45
static int xmlpost_append_form_opts(struct openconnect_info *vpninfo,
struct oc_auth_form *form, char *body, int bodylen);
46
47
static int can_gen_tokencode(struct openconnect_info *vpninfo,
struct oc_auth_form *form, struct oc_form_opt *opt);
48
49
static int do_gen_tokencode(struct openconnect_info *vpninfo, struct oc_auth_form *form);
50
51
52
53
54
55
56
57
58
59
60
static int append_opt(char *body, int bodylen, char *opt, char *name)
{
int len = strlen(body);
if (len) {
if (len >= bodylen - 1)
return -ENOSPC;
body[len++] = '&';
}
while (*opt) {
61
if (isalnum((int)(unsigned char)*opt)) {
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
if (len >= bodylen - 1)
return -ENOSPC;
body[len++] = *opt;
} else {
if (len >= bodylen - 3)
return -ENOSPC;
sprintf(body+len, "%%%02x", *opt);
len += 3;
}
opt++;
}
if (len >= bodylen - 1)
return -ENOSPC;
body[len++] = '=';
78
while (name && *name) {
79
if (isalnum((int)(unsigned char)*name)) {
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
if (len >= bodylen - 1)
return -ENOSPC;
body[len++] = *name;
} else {
if (len >= bodylen - 3)
return -ENOSPC;
sprintf(body+len, "%%%02X", *name);
len += 3;
}
name++;
}
body[len] = 0;
return 0;
}
96
97
98
99
100
101
102
103
104
105
106
107
108
109
static int append_form_opts(struct openconnect_info *vpninfo,
struct oc_auth_form *form, char *body, int bodylen)
{
struct oc_form_opt *opt;
int ret;
for (opt = form->opts; opt; opt = opt->next) {
ret = append_opt(body, bodylen, opt->name, opt->value);
if (ret)
return ret;
}
return 0;
}
110
111
112
113
114
115
116
/*
* Maybe we should offer this choice to the user. So far we've only
* ever seen it offer bogus choices though -- between certificate and
* password authentication, when the former has already failed.
* So we just accept the first option with an auth-type property.
*/
117
static int parse_auth_choice(struct openconnect_info *vpninfo, struct oc_auth_form *form,
118
xmlNode *xml_node)
119
{
120
struct oc_form_opt_select *opt;
121
122
123
124
125
opt = calloc(1, sizeof(*opt));
if (!opt)
return -ENOMEM;
126
opt->form.type = OC_FORM_OPT_SELECT;
127
128
opt->form.name = (char *)xmlGetProp(xml_node, (unsigned char *)"name");
opt->form.label = (char *)xmlGetProp(xml_node, (unsigned char *)"label");
129
130
if (!opt->form.name) {
131
vpn_progress(vpninfo, PRG_ERR, _("Form choice has no name\n"));
132
free(opt);
133
134
135
136
return -EINVAL;
}
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
137
char *form_id;
138
struct oc_choice *choice;
139
140
141
142
143
144
145
146
if (xml_node->type != XML_ELEMENT_NODE)
continue;
if (strcmp((char *)xml_node->name, "option"))
continue;
form_id = (char *)xmlGetProp(xml_node, (unsigned char *)"value");
147
148
if (!form_id)
form_id = (char *)xmlNodeGetContent(xml_node);
149
150
151
if (!form_id)
continue;
152
opt->nr_choices++;
153
154
realloc_inplace(opt, sizeof(*opt) +
opt->nr_choices * sizeof(*choice));
155
156
157
158
159
160
161
162
163
164
if (!opt)
return -ENOMEM;
choice = &opt->choices[opt->nr_choices-1];
choice->name = form_id;
choice->label = (char *)xmlNodeGetContent(xml_node);
choice->auth_type = (char *)xmlGetProp(xml_node, (unsigned char *)"auth-type");
choice->override_name = (char *)xmlGetProp(xml_node, (unsigned char *)"override-name");
choice->override_label = (char *)xmlGetProp(xml_node, (unsigned char *)"override-label");
165
}
166
167
168
169
170
/* We link the choice _first_ so it's at the top of what we present
to the user */
opt->form.next = form->opts;
form->opts = &opt->form;
171
172
173
174
175
176
177
178
return 0;
}
/* Return value:
* < 0, on error
* = 0, when form was cancelled
* = 1, when form was parsed
*/
179
static int parse_form(struct openconnect_info *vpninfo, struct oc_auth_form *form,
180
xmlNode *xml_node)
181
{
182
char *input_type, *input_name, *input_label;
183
184
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
185
struct oc_form_opt *opt, **p;
186
187
188
189
190
if (xml_node->type != XML_ELEMENT_NODE)
continue;
if (!strcmp((char *)xml_node->name, "select")) {
191
if (parse_auth_choice(vpninfo, form, xml_node))
192
193
194
195
return -EINVAL;
continue;
}
if (strcmp((char *)xml_node->name, "input")) {
196
197
vpn_progress(vpninfo, PRG_TRACE,
_("name %s not input\n"), xml_node->name);
198
199
200
201
202
continue;
}
input_type = (char *)xmlGetProp(xml_node, (unsigned char *)"type");
if (!input_type) {
203
204
vpn_progress(vpninfo, PRG_INFO,
_("No input type in form\n"));
205
206
207
continue;
}
208
209
if (!strcmp(input_type, "submit") || !strcmp(input_type, "reset")) {
free(input_type);
210
continue;
211
}
212
213
214
input_name = (char *)xmlGetProp(xml_node, (unsigned char *)"name");
if (!input_name) {
215
216
vpn_progress(vpninfo, PRG_INFO,
_("No input name in form\n"));
217
free(input_type);
218
219
220
221
continue;
}
input_label = (char *)xmlGetProp(xml_node, (unsigned char *)"label");
222
opt = calloc(1, sizeof(*opt));
223
224
225
226
if (!opt) {
free(input_type);
free(input_name);
free(input_label);
227
return -ENOMEM;
228
}
229
230
231
232
opt->name = input_name;
opt->label = input_label;
233
if (!strcmp(input_type, "hidden")) {
234
opt->type = OC_FORM_OPT_HIDDEN;
235
236
opt->value = (char *)xmlGetProp(xml_node, (unsigned char *)"value");
} else if (!strcmp(input_type, "text"))
237
opt->type = OC_FORM_OPT_TEXT;
238
else if (!strcmp(input_type, "password")) {
239
if (vpninfo->use_stoken && !can_gen_tokencode(vpninfo, form, opt))
240
241
242
243
opt->type = OC_FORM_OPT_STOKEN;
else
opt->type = OC_FORM_OPT_PASSWORD;
} else {
244
vpn_progress(vpninfo, PRG_INFO,
245
246
_("Unknown input type %s in form\n"),
input_type);
247
248
249
free(input_type);
free(input_name);
free(input_label);
250
251
free(opt);
continue;
252
}
253
254
free(input_type);
255
256
257
258
259
260
p = &form->opts;
while (*p)
p = &(*p)->next;
*p = opt;
261
262
}
263
264
265
return 0;
}
266
static char *xmlnode_msg(xmlNode *xml_node)
267
{
268
char *fmt = (char *)xmlNodeGetContent(xml_node);
269
270
char *result, *params[2], *pct;
int len;
271
int nr_params = 0;
272
273
274
if (!fmt || !fmt[0]) {
free(fmt);
275
return NULL;
276
}
277
278
279
280
281
282
283
284
285
286
287
288
289
290
len = strlen(fmt) + 1;
params[0] = (char *)xmlGetProp(xml_node, (unsigned char *)"param1");
if (params[0])
len += strlen(params[0]);
params[1] = (char *)xmlGetProp(xml_node, (unsigned char *)"param2");
if (params[1])
len += strlen(params[1]);
result = malloc(len);
if (!result) {
result = fmt;
goto out;
291
292
}
293
294
strcpy(result, fmt);
free (fmt);
295
296
297
298
for (pct = strchr(result, '%'); pct;
(pct = strchr(pct, '%'))) {
int paramlen;
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
/* We only cope with '%s' */
if (pct[1] != 's')
goto out;
if (params[nr_params]) {
paramlen = strlen(params[nr_params]);
/* Move rest of fmt string up... */
memmove(pct - 1 + paramlen, pct + 2, strlen(pct) - 1);
/* ... and put the string parameter in where the '%s' was */
memcpy(pct, params[nr_params], paramlen);
pct += paramlen;
} else
pct++;
if (++nr_params == 2)
break;
}
out:
free(params[0]);
free(params[1]);
320
return result;
321
322
}
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
static int xmlnode_is_named(xmlNode *xml_node, const char *name)
{
return !strcmp((char *)xml_node->name, name);
}
static int xmlnode_get_prop(xmlNode *xml_node, const char *name, char **var)
{
char *str = (char *)xmlGetProp(xml_node, (unsigned char *)name);
if (!str)
return -ENOENT;
free(*var);
*var = str;
return 0;
}
static int xmlnode_get_text(xmlNode *xml_node, const char *name, char **var)
{
char *str;
if (name && !xmlnode_is_named(xml_node, name))
return -EINVAL;
str = xmlnode_msg(xml_node);
if (!str)
return -ENOENT;
free(*var);
*var = str;
return 0;
}
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
/*
* Legacy server response looks like:
*
* <auth id="<!-- "main" for initial attempt, "success" means we have a cookie -->">
* <title><!-- title to display to user --></title>
* <csd token="<!-- save to vpninfo->csd_token -->"
* ticket="<!-- save to vpninfo->csd_ticket -->" />
* <csd stuburl="<!-- ignore -->"
* starturl="<!-- ignore -->"
* waiturl="<!-- ignore -->"
* <csdMac
* stuburl="<!-- save to vpninfo->csd_stuburl on Mac only -->"
* starturl="<!-- save to vpninfo->csd_starturl on Mac only -->"
* waiturl="<!-- save to vpninfo->csd_waiturl on Mac only -->" />
* <csdLinux
* stuburl="<!-- same as above, for Linux -->"
* starturl="<!-- same as above, for Linux -->"
* waiturl="<!-- same as above, for Linux -->" />
* <banner><!-- display this to the user --></banner>
* <message>Please enter your username and password.</message>
* <form method="post" action="/+webvpn+/index.html">
* <input type="text" name="username" label="Username:" />
* <input type="password" name="password" label="Password:" />
* <input type="hidden" name="<!-- save these -->" value="<!-- ... -->" />
* <input type="submit" name="Login" value="Login" />
* <input type="reset" name="Clear" value="Clear" />
* </form>
* </auth>
*
* New server response looks like:
*
* <config-auth>
* <version><!-- whatever --></version>
* <session-token><!-- if present, save to vpninfo->cookie --></session-token>
* <opaque>
* <!-- this could contain anything; copy to vpninfo->opaque_srvdata -->
* <tunnel-group>foobar</tunnel-group>
* <config-hash>1234567</config-hash>
* </opaque>
* <auth id="<!-- see above -->
* <!-- all of our old familiar fields -->
* </auth>
* <host-scan>
* <host-scan-ticket><!-- save to vpninfo->csd_ticket --></host-scan-ticket>
* <host-scan-token><!-- save to vpninfo->csd_token --></host-scan-token>
* <host-scan-base-uri><!-- save to vpninfo->csd_starturl --></host-scan-base-uri>
* <host-scan-wait-uri><!-- save to vpninfo->csd_waiturl --></host-scan-wait-uri>
* </host-scan>
* </config-auth>
*
* Notes:
*
* 1) The new host-scan-*-uri nodes do not map directly to the old CSD fields.
*
* 2) The new <form> tag tends to omit the method/action properties.
*/
413
414
415
416
417
418
419
420
421
static int parse_auth_node(struct openconnect_info *vpninfo, xmlNode *xml_node,
struct oc_auth_form *form)
{
int ret = 0;
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
if (xml_node->type != XML_ELEMENT_NODE)
continue;
422
423
424
425
426
427
xmlnode_get_text(xml_node, "banner", &form->banner);
xmlnode_get_text(xml_node, "message", &form->message);
xmlnode_get_text(xml_node, "error", &form->error);
if (xmlnode_is_named(xml_node, "form")) {
428
429
430
431
/* defaults for new XML POST */
form->method = strdup("POST");
form->action = strdup("/");
432
433
434
xmlnode_get_prop(xml_node, "method", &form->method);
xmlnode_get_prop(xml_node, "action", &form->action);
435
436
437
438
439
440
441
442
443
444
445
446
if (!form->method || !form->action ||
strcasecmp(form->method, "POST") || !form->action[0]) {
vpn_progress(vpninfo, PRG_ERR,
_("Cannot handle form method='%s', action='%s'\n"),
form->method, form->action);
ret = -EINVAL;
goto out;
}
ret = parse_form(vpninfo, form, xml_node);
if (ret < 0)
goto out;
447
448
449
450
451
452
453
} else if (!vpninfo->csd_scriptname && xmlnode_is_named(xml_node, "csd")) {
xmlnode_get_prop(xml_node, "token", &vpninfo->csd_token);
xmlnode_get_prop(xml_node, "ticket", &vpninfo->csd_ticket);
} else if (!vpninfo->csd_scriptname && xmlnode_is_named(xml_node, vpninfo->csd_xmltag)) {
xmlnode_get_prop(xml_node, "stuburl", &vpninfo->csd_stuburl);
xmlnode_get_prop(xml_node, "starturl", &vpninfo->csd_starturl);
xmlnode_get_prop(xml_node, "waiturl", &vpninfo->csd_waiturl);
454
455
456
457
458
459
460
461
vpninfo->csd_preurl = strdup(vpninfo->urlpath);
}
}
out:
return ret;
}
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
static int parse_host_scan_node(struct openconnect_info *vpninfo, xmlNode *xml_node)
{
/* ignore this whole section if the CSD trojan has already run */
if (vpninfo->csd_scriptname)
return 0;
for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
if (xml_node->type != XML_ELEMENT_NODE)
continue;
xmlnode_get_text(xml_node, "host-scan-ticket", &vpninfo->csd_ticket);
xmlnode_get_text(xml_node, "host-scan-token", &vpninfo->csd_token);
xmlnode_get_text(xml_node, "host-scan-base-uri", &vpninfo->csd_starturl);
xmlnode_get_text(xml_node, "host-scan-wait-uri", &vpninfo->csd_waiturl);
}
return 0;
}
480
481
/* Return value:
* < 0, on error
482
* = 0, on success; *form is populated
483
*/
484
int parse_xml_response(struct openconnect_info *vpninfo, char *response, struct oc_auth_form **formp)
485
{
486
struct oc_auth_form *form;
487
488
xmlDocPtr xml_doc;
xmlNode *xml_node;
489
int ret = -EINVAL;
490
491
492
493
494
if (*formp) {
free_auth_form(*formp);
*formp = NULL;
}
495
496
497
498
499
500
501
form = calloc(1, sizeof(*form));
if (!form)
return -ENOMEM;
xml_doc = xmlReadMemory(response, strlen(response), "noname.xml", NULL, 0);
if (!xml_doc) {
502
503
504
505
vpn_progress(vpninfo, PRG_ERR,
_("Failed to parse server response\n"));
vpn_progress(vpninfo, PRG_TRACE,
_("Response was:%s\n"), response);
506
507
508
free(form);
return -EINVAL;
}
509
510
xml_node = xmlDocGetRootElement(xml_doc);
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
while (xml_node) {
int ret = 0;
if (xml_node->type != XML_ELEMENT_NODE) {
xml_node = xml_node->next;
continue;
}
if (xmlnode_is_named(xml_node, "config-auth")) {
/* if we do have a config-auth node, it is the root element */
xml_node = xml_node->children;
continue;
} else if (xmlnode_is_named(xml_node, "auth")) {
xmlnode_get_prop(xml_node, "id", &form->auth_id);
ret = parse_auth_node(vpninfo, xml_node, form);
} else if (xmlnode_is_named(xml_node, "opaque")) {
if (vpninfo->opaque_srvdata)
xmlFreeNode(vpninfo->opaque_srvdata);
vpninfo->opaque_srvdata = xmlCopyNode(xml_node, 1);
if (!vpninfo->opaque_srvdata)
ret = -ENOMEM;
} else if (xmlnode_is_named(xml_node, "host-scan")) {
ret = parse_host_scan_node(vpninfo, xml_node);
} else {
xmlnode_get_text(xml_node, "session-token", &vpninfo->cookie);
xmlnode_get_text(xml_node, "error", &form->error);
}
if (ret)
goto out;
xml_node = xml_node->next;
}
if (!form->auth_id) {
544
vpn_progress(vpninfo, PRG_ERR,
545
_("XML response has no \"auth\" node\n"));
546
547
goto out;
}
548
549
550
551
*formp = form;
xmlFreeDoc(xml_doc);
return 0;
552
553
554
555
out:
xmlFreeDoc(xml_doc);
free_auth_form(form);
556
return ret;
557
558
559
560
561
562
563
564
565
566
}
/* Return value:
* < 0, on error
* = 0, when form parsed and POST required
* = 1, when response was cancelled by user
* = 2, when form indicates that login was already successful
*/
int handle_auth_form(struct openconnect_info *vpninfo, struct oc_auth_form *form,
char *request_body, int req_len, const char **method,
567
const char **request_body_type, int xmlpost)
568
569
570
571
572
573
574
{
int ret;
struct vpn_option *opt, *next;
if (!strcmp(form->auth_id, "success"))
return 2;
575
if (vpninfo->nopasswd) {
576
577
vpn_progress(vpninfo, PRG_ERR,
_("Asked for password but '--no-passwd' set\n"));
578
return -EPERM;
579
580
}
581
if (vpninfo->csd_token && vpninfo->csd_ticket && vpninfo->csd_starturl && vpninfo->csd_waiturl) {
582
583
584
585
586
587
588
589
590
/* AB: remove all cookies */
for (opt = vpninfo->cookies; opt; opt = next) {
next = opt->next;
free(opt->option);
free(opt->value);
free(opt);
}
vpninfo->cookies = NULL;
591
return 0;
592
}
593
if (!form->opts) {
594
if (form->message)
595
vpn_progress(vpninfo, PRG_INFO, "%s\n", form->message);
596
if (form->error)
597
vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error);
598
return -EPERM;
599
600
}
601
if (vpninfo->process_auth_form)
602
ret = vpninfo->process_auth_form(vpninfo->cbdata, form);
603
else {
604
vpn_progress(vpninfo, PRG_ERR, _("No form handler; cannot authenticate.\n"));
605
606
ret = 1;
}
607
if (ret)
608
return ret;
609
610
611
612
/* tokencode generation is deferred until after username prompts and CSD */
ret = do_gen_tokencode(vpninfo, form);
if (ret)
613
return ret;
614
615
616
617
ret = xmlpost ?
xmlpost_append_form_opts(vpninfo, form, request_body, req_len) :
append_form_opts(vpninfo, form, request_body, req_len);
618
619
620
621
if (!ret) {
*method = "POST";
*request_body_type = "application/x-www-form-urlencoded";
}
622
623
624
625
626
627
628
return ret;
}
void free_auth_form(struct oc_auth_form *form)
{
if (!form)
return;
629
while (form->opts) {
630
631
struct oc_form_opt *tmp = form->opts->next;
if (form->opts->type == OC_FORM_OPT_TEXT ||
632
form->opts->type == OC_FORM_OPT_PASSWORD ||
633
634
form->opts->type == OC_FORM_OPT_HIDDEN ||
form->opts->type == OC_FORM_OPT_STOKEN)
635
free(form->opts->value);
636
637
638
639
640
641
642
643
644
645
646
647
648
649
else if (form->opts->type == OC_FORM_OPT_SELECT) {
struct oc_form_opt_select *sel = (void *)form->opts;
int i;
for (i=0; i < sel->nr_choices; i++) {
free(sel->choices[i].name);
free(sel->choices[i].label);
free(sel->choices[i].auth_type);
free(sel->choices[i].override_name);
free(sel->choices[i].override_label);
}
}
free(form->opts->label);
free(form->opts->name);
650
651
652
free(form->opts);
form->opts = tmp;
}
653
654
655
656
657
658
free(form->error);
free(form->message);
free(form->banner);
free(form->auth_id);
free(form->method);
free(form->action);
659
660
661
free(form);
}
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
/*
* Old submission format is just an HTTP query string:
*
* password=12345678&username=joe
*
* New XML format is more complicated:
*
* <config-auth client="vpn" type="<!-- init or auth-reply -->">
* <version who="vpn"><!-- currently just the OpenConnect version --></version>
* <device-id><!-- linux, linux-64, mac, win --></device-id>
* <opaque is-for="<!-- some name -->">
* <!-- just copy this verbatim from whatever the gateway sent us -->
* </opaque>
*
* For init only, add:
* <group-access>https://<!-- insert hostname here --></group-access>
*
* For auth-reply only, add:
* <auth>
* <username><!-- same treatment as the old form options --></username>
* <password><!-- ditto -->
* </auth>
684
* <group-select><!-- name of selected authgroup --></group-select>
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
* <host-scan-token><!-- vpninfo->csd_ticket --></host-scan-token>
*/
#define XCAST(x) ((const xmlChar *)(x))
static xmlDocPtr xmlpost_new_query(struct openconnect_info *vpninfo, const char *type,
xmlNodePtr *rootp)
{
xmlDocPtr doc;
xmlNodePtr root, node;
doc = xmlNewDoc(XCAST("1.0"));
if (!doc)
return NULL;
*rootp = root = xmlNewNode(NULL, XCAST("config-auth"));
if (!root)
goto bad;
if (!xmlNewProp(root, XCAST("client"), XCAST("vpn")))
goto bad;
if (!xmlNewProp(root, XCAST("type"), XCAST(type)))
goto bad;
xmlDocSetRootElement(doc, root);
node = xmlNewTextChild(root, NULL, XCAST("version"), XCAST(openconnect_version_str));
if (!node)
goto bad;
if (!xmlNewProp(node, XCAST("who"), XCAST("vpn")))
goto bad;
if (!xmlNewTextChild(root, NULL, XCAST("device-id"), XCAST(vpninfo->platname)))
goto bad;
return doc;
bad:
xmlFreeDoc(doc);
return NULL;
}
static int xmlpost_complete(xmlDocPtr doc, char *body, int bodylen)
{
xmlChar *mem = NULL;
int len, ret = 0;
if (!body) {
xmlFree(doc);
return 0;
}
xmlDocDumpMemoryEnc(doc, &mem, &len, "UTF-8");
if (!mem) {
xmlFreeDoc(doc);
return -ENOMEM;
}
if (len > bodylen)
ret = -E2BIG;
else {
memcpy(body, mem, len);
body[len] = 0;
}
xmlFreeDoc(doc);
xmlFree(mem);
return ret;
}
int xmlpost_initial_req(struct openconnect_info *vpninfo, char *request_body, int req_len)
{
xmlNodePtr root, node;
xmlDocPtr doc = xmlpost_new_query(vpninfo, "init", &root);
char *url;
if (!doc)
return -ENOMEM;
if (asprintf(&url, "https://%s", vpninfo->hostname) == -1)
goto bad;
node = xmlNewTextChild(root, NULL, XCAST("group-access"), XCAST(url));
free(url);
if (!node)
goto bad;
return xmlpost_complete(doc, request_body, req_len);
bad:
xmlpost_complete(doc, NULL, 0);
return -ENOMEM;
}
static int xmlpost_append_form_opts(struct openconnect_info *vpninfo,
struct oc_auth_form *form, char *body, int bodylen)
{
xmlNodePtr root, node;
xmlDocPtr doc = xmlpost_new_query(vpninfo, "auth-reply", &root);
struct oc_form_opt *opt;
if (!doc)
return -ENOMEM;
if (vpninfo->opaque_srvdata) {
node = xmlCopyNode(vpninfo->opaque_srvdata, 1);
if (!node)
goto bad;
if (!xmlAddChild(root, node))
goto bad;
}
node = xmlNewChild(root, NULL, XCAST("auth"), NULL);
if (!node)
goto bad;
for (opt = form->opts; opt; opt = opt->next) {
800
801
802
803
804
805
806
/* group_list: create a new <group-select> node under <config-auth> */
if (!strcmp(opt->name, "group_list")) {
if (!xmlNewTextChild(root, NULL, XCAST("group-select"), XCAST(opt->value)))
goto bad;
continue;
}
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
/* answer,whichpin,new_password: rename to "password" */
if (!strcmp(opt->name, "answer") ||
!strcmp(opt->name, "whichpin") ||
!strcmp(opt->name, "new_password")) {
if (!xmlNewTextChild(node, NULL, XCAST("password"), XCAST(opt->value)))
goto bad;
continue;
}
/* verify_pin,verify_password: ignore */
if (!strcmp(opt->name, "verify_pin") ||
!strcmp(opt->name, "verify_password")) {
continue;
}
822
/* everything else: create <foo>user_input</foo> under <auth> */
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
if (!xmlNewTextChild(node, NULL, XCAST(opt->name), XCAST(opt->value)))
goto bad;
}
if (vpninfo->csd_token &&
!xmlNewTextChild(root, NULL, XCAST("host-scan-token"), XCAST(vpninfo->csd_token)))
goto bad;
return xmlpost_complete(doc, body, bodylen);
bad:
xmlpost_complete(doc, NULL, 0);
return -ENOMEM;
}
839
#ifdef LIBSTOKEN_HDR
840
841
842
843
844
845
846
static void nuke_opt_values(struct oc_form_opt *opt)
{
for (; opt; opt = opt->next) {
free(opt->value);
opt->value = NULL;
}
}
847
#endif
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
/*
* If the user clicks OK without entering any data, we will continue
* connecting but bypass soft token generation for the duration of
* this "obtain_cookie" session.
*
* If the user clicks Cancel, we will abort the connection.
*
* Return value:
* < 0, on error
* = 0, on success (or if the user bypassed soft token init)
* = 1, if the user cancelled the form submission
*/
int prepare_stoken(struct openconnect_info *vpninfo)
{
#ifdef LIBSTOKEN_HDR
struct oc_auth_form form;
struct oc_form_opt opts[3], *opt = opts;
char **devid = NULL, **pass = NULL, **pin = NULL;
int ret = 0;
memset(&form, 0, sizeof(form));
memset(&opts, 0, sizeof(opts));
form.opts = opts;
form.message = _("Enter credentials to unlock software token.");
vpninfo->stoken_tries = 0;
vpninfo->stoken_bypassed = 0;
if (stoken_devid_required(vpninfo->stoken_ctx)) {
opt->type = OC_FORM_OPT_TEXT;
opt->name = (char *)"devid";
opt->label = _("Device ID:");
devid = &opt->value;
opt++;
}
if (stoken_pass_required(vpninfo->stoken_ctx)) {
opt->type = OC_FORM_OPT_PASSWORD;
opt->name = (char *)"password";
opt->label = _("Password:");
pass = &opt->value;
opt++;
}
if (stoken_pin_required(vpninfo->stoken_ctx)) {
opt->type = OC_FORM_OPT_PASSWORD;
opt->name = (char *)"password";
opt->label = _("PIN:");
pin = &opt->value;
opt++;
}
opts[0].next = opts[1].type ? &opts[1] : NULL;
opts[1].next = opts[2].type ? &opts[2] : NULL;
902
903
904
while (1) {
nuke_opt_values(opts);
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
if (!opts[0].type) {
/* don't bug the user if there's nothing to enter */
ret = 0;
} else if (vpninfo->process_auth_form) {
int some_empty = 0, all_empty = 1;
/* < 0 for error; 1 if cancelled */
ret = vpninfo->process_auth_form(vpninfo->cbdata, &form);
if (ret)
break;
for (opt = opts; opt; opt = opt->next) {
if (!opt->value || !strlen(opt->value))
some_empty = 1;
else
all_empty = 0;
}
if (all_empty) {
vpn_progress(vpninfo, PRG_INFO,
_("User bypassed soft token.\n"));
vpninfo->stoken_bypassed = 1;
ret = 0;
break;
}
if (some_empty) {
vpn_progress(vpninfo, PRG_INFO,
_("All fields are required; try again.\n"));
continue;
}
} else {
vpn_progress(vpninfo, PRG_ERR,
_("No form handler; cannot authenticate.\n"));
ret = -EIO;
break;
}
ret = stoken_decrypt_seed(vpninfo->stoken_ctx,
pass ? *pass : NULL,
devid ? *devid : NULL);
if (ret == -EIO || (ret && !devid && !pass)) {
vpn_progress(vpninfo, PRG_ERR,
_("General failure in libstoken.\n"));
break;
} else if (ret != 0) {
vpn_progress(vpninfo, PRG_INFO,
_("Incorrect device ID or password; try again.\n"));
continue;
}
if (pin) {
if (stoken_check_pin(vpninfo->stoken_ctx, *pin) != 0) {
vpn_progress(vpninfo, PRG_INFO,
_("Invalid PIN format; try again.\n"));
continue;
}
free(vpninfo->stoken_pin);
vpninfo->stoken_pin = strdup(*pin);
if (!vpninfo->stoken_pin) {
ret = -ENOMEM;
break;
}
}
vpn_progress(vpninfo, PRG_DEBUG, _("Soft token init was successful.\n"));
ret = 0;
break;
}
nuke_opt_values(opts);
return ret;
#else
return -EOPNOTSUPP;
#endif
}
979
980
981
982
983
/* Return value:
* < 0, if unable to generate a tokencode
* = 0, on success
*/
984
985
static int can_gen_tokencode(struct openconnect_info *vpninfo, struct oc_auth_form *form,
struct oc_form_opt *opt)
986
987
{
#ifdef LIBSTOKEN_HDR
988
989
if ((strcmp(opt->name, "password") && strcmp(opt->name, "answer")) ||
vpninfo->stoken_bypassed)
990
991
992
993
994
return -EINVAL;
if (vpninfo->stoken_tries == 0) {
vpn_progress(vpninfo, PRG_DEBUG,
_("OK to generate INITIAL tokencode\n"));
vpninfo->stoken_time = 0;
995
996
} else if (vpninfo->stoken_tries == 1 && form->message &&
strcasestr(form->message, "next tokencode")) {
997
998
999
1000
vpn_progress(vpninfo, PRG_DEBUG,
_("OK to generate NEXT tokencode\n"));
vpninfo->stoken_time += 60;
} else {