GlobalProtect: always set clientos=Windows in relevant requests, regardless of actual OS

I've tried, whenever possible, not to lie to the server about the client
configuration.  However, there are now multiple cases where a GlobalProtect
server responds with a misleading error when the `ssl-vpn/login.esp` request doesn't
contain the exact, magic value of `clientos=Windows`.

* dlenski/openconnect#86
  ("Assign private IP address failed" unless `clientos=Windows` in `ssl-vpn/login.esp` request)

* dlenski/openconnect#116
  ("Invalid username or password" unless `clientos=Windows` in `ssl-vpn/login.esp` request)

These cases are very difficult to debug because they seem to be suggesting totally unrelated
errors.

For reliability, this patch makes openconnect always specify `clientos=Windows` in relevant
requests, regardless of the actual `vpninfo->platname`. (The `vpninfo->platname` value can
still be sent in the "free-form" `os-version` field, as far as I can tell.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
dlenski authored and dwmw2 committed Sep 21, 2018
1 parent 7eda652 commit 6cb2da2
Showing 2 changed files with 3 additions and 10 deletions.
7 changes: 2 additions & 5 deletions auth-globalprotect.c
Expand Up @@ -362,11 +362,8 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, char *pw_or_

/* submit gateway login (ssl-vpn/login.esp) or portal config (global-protect/getconfig.esp) request */
buf_truncate(request_body);
buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:");
if (!strcmp(vpninfo->platname, "win"))
append_opt(request_body, "clientos", "Windows");
else
append_opt(request_body, "clientos", vpninfo->platname);
buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&clientos=Windows");
append_opt(request_body, "os-version", vpninfo->platname);
append_opt(request_body, "server", vpninfo->hostname);
append_opt(request_body, "computer", vpninfo->localname);
if (vpninfo->ip_info.addr)
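Review bot: The hard-coded `&clientos=Windows` at the end of the new `buf_append` literal in gpst_login() has no comment explaining why it ignores `vpninfo->platname`, so it reads like a mistake next to the `os-version` line directly below, which still sends the real platform name. Extend the existing comment above the request to say that some servers answer with unrelated errors ("Assign private IP address failed", "Invalid username or password") unless this exact value is present, and reference the two issues from the commit message, so nobody later restores the per-platform value.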
6 changes: 1 addition & 5 deletions gpst.c
Expand Up @@ -590,12 +590,8 @@ static int gpst_get_config(struct openconnect_info *vpninfo)
char *xml_buf=NULL;

/* submit getconfig request */
buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10");
buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Windows");
append_opt(request_body, "os-version", vpninfo->platname);
if (!strcmp(vpninfo->platname, "win"))
append_opt(request_body, "clientos", "Windows");
else
append_opt(request_body, "clientos", vpninfo->platname);
append_opt(request_body, "hmac-algo", "sha1,md5");
append_opt(request_body, "enc-algo", "aes-128-cbc,aes-256-cbc");
if (old_addr) {
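Review bot: `clientos=Windows` is now embedded in two separate string literals, here in gpst_get_config() and in gpst_login() in auth-globalprotect.c, so the two requests can drift apart if the value is ever changed or made overridable; define it once as a shared constant and build both request bodies from it. In this hunk the parameter also moves ahead of `os-version`, where the removed `append_opt` calls placed it after; confirm the server does not care about parameter order.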