Merge branch 'xmlpost-v2' of git://github.com/cernekee/openconnect

sailfishos-mirror · Nov 5, 2012 · 4a8a947 · 4a8a947
2 parents 70253b3 + c7ddd3b
commit 4a8a947
Show file tree

Hide file tree

Showing 10 changed files with 927 additions and 271 deletions.
diff --git a/auth.c b/auth.c
diff --git a/http.c b/http.c
diff --git a/libopenconnect.map.in b/libopenconnect.map.in
@@ -1,3 +1,8 @@
+OPENCONNECT_2.2 {
+ global:
+	openconnect_set_reported_os;
+};
+
 OPENCONNECT_2.1 {
  global:
 	openconnect_has_stoken_support;

diff --git a/library.c b/library.c
@@ -30,6 +30,8 @@
 #include LIBSTOKEN_HDR
 #endif
 
+#include <libxml/tree.h>
+
 #include "openconnect-internal.h"
 
 struct openconnect_info *openconnect_vpninfo_new (char *useragent,
@@ -50,11 +52,7 @@ struct openconnect_info *openconnect_vpninfo_new (char *useragent,
 	vpninfo->progress = progress;
 	vpninfo->cbdata = privdata?:vpninfo;
 	vpninfo->cancel_fd = -1;
-#ifdef __APPLE__
-	vpninfo->csd_xmltag = "csdMac";
-#else
-	vpninfo->csd_xmltag = "csdLinux";
-#endif
+	openconnect_set_reported_os(vpninfo, NULL);
 
 #ifdef ENABLE_NLS
 	bindtextdomain("openconnect", LOCALEDIR);
@@ -63,6 +61,30 @@ struct openconnect_info *openconnect_vpninfo_new (char *useragent,
 	return vpninfo;
 }
 
+int openconnect_set_reported_os (struct openconnect_info *vpninfo, const char *os)
+{
+	if (!os) {
+#if defined(__APPLE__)
+		os = "mac";
+#else
+		os = sizeof(long) > 4 ? "linux-64" : "linux";
+#endif
+	}
+
+	/* FIXME: is there a special platname for 64-bit Windows? */
+	if (!strcmp(os, "mac"))
+		vpninfo->csd_xmltag = "csdMac";
+	else if (!strcmp(os, "linux") || !strcmp(os, "linux-64"))
+		vpninfo->csd_xmltag = "csdLinux";
+	else if (!strcmp(os, "win"))
+		vpninfo->csd_xmltag = "csd";
+	else
+		return -EINVAL;
+
+	vpninfo->platname = os;
+	return 0;
+}
+
 static void free_optlist (struct vpn_option *opt)
 {
 	struct vpn_option *next;
@@ -87,11 +109,20 @@ void openconnect_vpninfo_free (struct openconnect_info *vpninfo)
 	free(vpninfo->redirect_url);
 	free(vpninfo->proxy_type);
 	free(vpninfo->proxy);
+
 	if (vpninfo->csd_scriptname) {
 		unlink(vpninfo->csd_scriptname);
 		free(vpninfo->csd_scriptname);
 	}
+	free(vpninfo->csd_token);
+	free(vpninfo->csd_ticket);
 	free(vpninfo->csd_stuburl);
+	free(vpninfo->csd_starturl);
+	free(vpninfo->csd_waiturl);
+	free(vpninfo->csd_preurl);
+	if (vpninfo->opaque_srvdata)
+		xmlFreeNode(vpninfo->opaque_srvdata);
+
 	/* These are const in openconnect itself, but for consistency of
 	   the library API we do take ownership of the strings we're given,
 	   and thus we have to free them too. */

diff --git a/main.c b/main.c
@@ -111,6 +111,7 @@ enum {
 	OPT_NON_INTER,
 	OPT_DTLS_LOCAL_PORT,
 	OPT_STOKEN,
+	OPT_OS,
 };
 
 #ifdef __sun__
@@ -175,6 +176,7 @@ static struct option long_options[] = {
 	OPTION("non-inter", 0, OPT_NON_INTER),
 	OPTION("dtls-local-port", 1, OPT_DTLS_LOCAL_PORT),
 	OPTION("stoken", 2, OPT_STOKEN),
+	OPTION("os", 1, OPT_OS),
 	OPTION(NULL, 0, 0)
 };
 
@@ -286,6 +288,7 @@ static void usage(void)
 	printf("      --reconnect-timeout         %s\n", _("Connection retry timeout in seconds"));
 	printf("      --servercert=FINGERPRINT    %s\n", _("Server's certificate SHA1 fingerprint"));
 	printf("      --useragent=STRING          %s\n", _("HTTP header User-Agent: field"));
+	printf("      --os=STRING                 %s\n", _("OS type (linux,linux-64,mac,win) to report"));
 	printf("      --dtls-local-port=PORT      %s\n", _("Set local port for DTLS datagrams"));
 	printf("\n");
 
@@ -479,11 +482,7 @@ int main(int argc, char **argv)
 	vpninfo->reconnect_timeout = 300;
 	vpninfo->uid_csd = 0;
 	/* We could let them override this on the command line some day, perhaps */
-#ifdef __APPLE__
-	vpninfo->csd_xmltag = "csdMac";
-#else
-	vpninfo->csd_xmltag = "csdLinux";
-#endif
+	openconnect_set_reported_os(vpninfo, NULL);
 	vpninfo->uid_csd = 0;
 	vpninfo->uid_csd_given = 0;
 	vpninfo->validate_peer_cert = validate_peer_cert;
@@ -717,6 +716,13 @@ int main(int argc, char **argv)
 			use_stoken = 1;
 			token_str = keep_config_arg();
 			break;
+		case OPT_OS:
+			if (openconnect_set_reported_os(vpninfo, config_arg)) {
+				fprintf(stderr, _("Invalid OS identity \"%s\"\n"),
+					config_arg);
+				exit(1);
+			}
+			break;
 		default:
 			usage();
 		}

diff --git a/openconnect-internal.h b/openconnect-internal.h
@@ -74,6 +74,8 @@
 #endif
 #define N_(s) s
 
+#include <libxml/tree.h>
+
 #define SHA1_SIZE 20
 #define MD5_SIZE 16
 
@@ -127,10 +129,16 @@ struct pin_cache {
 #define CERT_TYPE_PKCS12	2
 #define CERT_TYPE_TPM		3
 
+#define REDIR_TYPE_NONE		0
+#define REDIR_TYPE_NEWHOST	1
+#define REDIR_TYPE_LOCAL	2
+
 struct openconnect_info {
 	char *redirect_url;
+	int redirect_type;
 
 	const char *csd_xmltag;
+	const char *platname;
 	char *csd_token;
 	char *csd_ticket;
 	char *csd_stuburl;
@@ -139,6 +147,7 @@ struct openconnect_info {
 	char *csd_preurl;
 
 	char *csd_scriptname;
+	xmlNode *opaque_srvdata;
 
 #ifdef LIBPROXY_HDR
 	pxProxyFactory *proxy_factory;
@@ -402,9 +411,12 @@ extern int killed;
 int config_lookup_host(struct openconnect_info *vpninfo, const char *host);
 
 /* auth.c */
-int parse_xml_response(struct openconnect_info *vpninfo, char *response,
-		       char *request_body, int req_len, const char **method,
-		       const char **request_body_type);
+int parse_xml_response(struct openconnect_info *vpninfo, char *response, struct oc_auth_form **form);
+int handle_auth_form(struct openconnect_info *vpninfo, struct oc_auth_form *form,
+		     char *request_body, int req_len, const char **method,
+		     const char **request_body_type, int xmlpost);
+void free_auth_form(struct oc_auth_form *form);
+int xmlpost_initial_req(struct openconnect_info *vpninfo, char *request_body, int req_len);
 int prepare_stoken(struct openconnect_info *vpninfo);
 
 /* http.c */

diff --git a/openconnect.8.in b/openconnect.8.in
@@ -53,6 +53,7 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .OP \-\-reconnect\-timeout
 .OP \-\-servercert sha1
 .OP \-\-useragent string
+.OP \-\-os string
 .B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
 .YS
 
@@ -344,6 +345,11 @@ Use
 as 'User\-Agent:' field value in HTTP header.
 (e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
 .TP
+.B \-\-os=STRING
+OS type to report to gateway.  Recognized values are: linux, linux-64, mac,
+win.  Reporting a different OS type may affect the security policy applied
+to the VPN session.
+.TP
 .B \-\-dtls\-local\-port=PORT
 Use
 .I PORT

diff --git a/openconnect.h b/openconnect.h
@@ -34,6 +34,9 @@
 #define OPENCONNECT_API_VERSION_MINOR 1
 
 /*
+ * API version 2.2:
+ *  - Add openconnect_set_reported_os()
+ *
  * API version 2.1:
  *  - Add openconnect_set_stoken_mode(), openconnect_has_stoken_support()
  *
@@ -175,6 +178,7 @@ void openconnect_set_xmlsha1 (struct openconnect_info *, const char *, int size)
 
 void openconnect_set_cafile (struct openconnect_info *, char *);
 void openconnect_setup_csd (struct openconnect_info *, uid_t, int silent, char *wrapper);
+int openconnect_set_reported_os (struct openconnect_info *, const char *os);
 void openconnect_set_client_cert (struct openconnect_info *, char *cert, char *sslkey);
 
 /* This is *not* yours and must not be destroyed with X509_free(). It

diff --git a/openssl.c b/openssl.c
@@ -107,7 +107,7 @@ int openconnect_SSL_write(struct openconnect_info *vpninfo, char *buf, size_t le
 			else if (err == SSL_ERROR_WANT_WRITE)
 				FD_SET(vpninfo->ssl_fd, &wr_set);
 			else {
-				vpn_progress(vpninfo, PRG_ERR, _("Failed to write to SSL socket"));
+				vpn_progress(vpninfo, PRG_ERR, _("Failed to write to SSL socket\n"));
 				openconnect_report_ssl_errors(vpninfo);
 				return -EIO;
 			}

diff --git a/www/changelog.xml b/www/changelog.xml
@@ -17,7 +17,10 @@
 <ul>
    <li><b>OpenConnect HEAD</b>
      <ul>
-       <li>Add SecurID token support using <a href="http://sourceforge.net/p/stoken/wiki/Home/">libstoken</a>.</li>
+       <li>Add <tt>--os</tt> switch to report a different OS type to the gateway.</li>
+       <li>Support new XML POST format.</li>
+       <li>Fix buffer overflow on long <tt>Location:</tt> and <tt>Set-Cookie:</tt> headers sent from server.</li>
+       <li>Add SecurID token support using <a href="http://stoken.sourceforge.net/">libstoken</a>.</li>
        <li>Fix some harmless issues reported by Coverity.</li>
        <li>Improve <tt>"Attempting to connect..."</tt> message to be explicit when it's connecting to a proxy.</li>
      </ul><br/>