Don't abort if CSD wrapper returns non-zero

Some of them do. Give people a grace period to fix them.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>

auth.c

@@ -1135,12 +1135,18 @@ static int run_csd_script(struct openconnect_info *vpninfo, char *buf, int bufle
 			             _("CSD script '%s' exited abnormally\n"),
 			             vpninfo->csd_wrapper ?: fname);
 			ret = -EINVAL;
-		} else if (WEXITSTATUS(status) != 0) {
-			vpn_progress(vpninfo, PRG_ERR,
-                                     _("CSD script '%s' returned non-zero status: %d\n"),
-                                     vpninfo->csd_wrapper ?: fname, WEXITSTATUS(status));
-			ret = -EINVAL;
 		} else {
+			if (WEXITSTATUS(status) != 0) {
+				vpn_progress(vpninfo, PRG_ERR,
+					     _("CSD script '%s' returned non-zero status: %d\n"),
+					     vpninfo->csd_wrapper ?: fname, WEXITSTATUS(status));
+				/* Some scripts do exit non-zero, and it's never mattered.
+				 * Don't abort for now. */
+				vpn_progress(vpninfo, PRG_ERR,
+					     _("Authentication may fail. If your script is not returning zero, fix it.\n"
+					       "Future versions of openconnect will abort on this error.\n"));
+			}
+
 			free(vpninfo->urlpath);
 			vpninfo->urlpath = strdup(vpninfo->csd_waiturl +
 			                          (vpninfo->csd_waiturl[0] == '/' ? 1 : 0));

www/changelog.xml

@@ -17,6 +17,7 @@
      <ul>
        <li>Don't abort Pulse connection when server-provided certificate MD5 doesn't match.</li>
        <li>Fix off-by-one in check for bad GnuTLS versions, and add build and run time checks.</li>
+       <li>Don't abort connection if CSD wrapper script returns non-zero (for now).</li>
      </ul><br/>
   </li>
   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.06.tar.gz">OpenConnect v8.06</a></b>