Commit 6cb2da23 authored by Daniel Lenski's avatar Daniel Lenski Committed by David Woodhouse

GlobalProtect: always set clientos=Windows in relevant requests, regardless of actual OS

I've tried, whenever possible not to lie to the server about the client
configuration.  However, there are now multiple cases where a GlobalProtect
server responds with a misleading error when the `ssl-vpn/login.esp` request doesn't
contain the exact, magic value of `clientos=Windows`.

* https://github.com/dlenski/openconnect/issues/86
  ("Assign private IP address failed" unless `clientos=Windows` in `ssl-vpn/login.esp` request)

* https://github.com/dlenski/openconnect/issues/116
  ("Invalid username or password" unless `clientos=Windows` in `ssl-vpn/login.esp` request)

These cases are very difficult to debug because they seem to be suggesting totally unrelated
errors.

For reliability, this patch makes openconnect always specify `clientos=Windows` in relevant
requests, regardless of the actual `vpninfo->platname`. (The `vpninfo->platname` value can
still be sent in the "free-form" `os-version` field, as far as I can tell.)
Signed-off-by: default avatarDaniel Lenski <dlenski@gmail.com>
parent 7eda6529
......@@ -362,11 +362,8 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, char *pw_or_
/* submit gateway login (ssl-vpn/login.esp) or portal config (global-protect/getconfig.esp) request */
buf_truncate(request_body);
buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:");
if (!strcmp(vpninfo->platname, "win"))
append_opt(request_body, "clientos", "Windows");
else
append_opt(request_body, "clientos", vpninfo->platname);
buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&clientos=Windows");
append_opt(request_body, "os-version", vpninfo->platname);
append_opt(request_body, "server", vpninfo->hostname);
append_opt(request_body, "computer", vpninfo->localname);
if (vpninfo->ip_info.addr)
......
......@@ -590,12 +590,8 @@ static int gpst_get_config(struct openconnect_info *vpninfo)
char *xml_buf=NULL;
/* submit getconfig request */
buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10");
buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Windows");
append_opt(request_body, "os-version", vpninfo->platname);
if (!strcmp(vpninfo->platname, "win"))
append_opt(request_body, "clientos", "Windows");
else
append_opt(request_body, "clientos", vpninfo->platname);
append_opt(request_body, "hmac-algo", "sha1,md5");
append_opt(request_body, "enc-algo", "aes-128-cbc,aes-256-cbc");
if (old_addr) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment