Add --no-passwd option. When certificate fails, fail immediately.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · Nov 4, 2008 · ed13012 · ed13012
1 parent afd96f6
commit ed13012
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 1 deletion.
diff --git a/http.c b/http.c
@@ -532,6 +532,11 @@ static int parse_xml_response(struct openconnect_info *vpninfo, char *response,
 		return 0;
 	}
 
+	if (vpninfo->nopasswd) {
+		vpninfo->progress(vpninfo, PRG_ERR, "Asked for password but nopasswd set\n");
+		return -EPERM;
+	}
+
 	form_message = form_error = NULL;
 	for (xml_node = xml_node->children; xml_node; xml_node = xml_node->next) {
 		if (xml_node->type != XML_ELEMENT_NODE)

diff --git a/main.c b/main.c
@@ -72,6 +72,7 @@ static struct option long_options[] = {
 	{"xmlconfig", 1, 0, 'x'},
 	{"cookie-on-stdin", 0, 0, '4'},
 	{"passwd-on-stdin", 0, 0, '5'},
+	{"no-passwd", 0, 0, '6'},
 	{NULL, 0, 0, 0},
 };
 
@@ -104,6 +105,7 @@ void usage(void)
 	printf("      --printcookie               Print webvpn cookie before connecting\n");
 	printf("      --cafile=FILE               Cert file for server verification\n");
 	printf("      --no-dtls                   Disable DTLS\n");
+	printf("      --no-passwd                 Disable password/SecurID authentication\n");
 	printf("      --passwd-on-stdin           Read password from standard input\n");
 	exit(1);
 }
@@ -190,6 +192,9 @@ int main(int argc, char **argv)
 		case '5':
 			read_stdin(&vpninfo->password);
 			break;
+		case '6':
+			vpninfo->nopasswd = 1;
+			break;
 		case 'C':
 			vpninfo->cookie = optarg;
 			break;

diff --git a/openconnect.8 b/openconnect.8
@@ -94,6 +94,9 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .B --no-dtls
 ]
 [
+.B --no-passwd
+]
+[
 .B --passwd-on-stdin
 ]
 \fIserver\fR
@@ -210,6 +213,9 @@ Cert file for server verification
 .B --no-dtls
 Disable DTLS
 .TP
+.B --no-passwd
+Never attempt password (or SecurID) authentication
+.TP
 .B --passwd-on-stdin
 Read password from standard input
 

diff --git a/openconnect.h b/openconnect.h
@@ -86,6 +86,7 @@ struct openconnect_info {
 	char xmlsha1[(SHA_DIGEST_LENGTH * 2) + 1];
 	char *username;
 	char *password;
+	int nopasswd;
 
 	char *cookie;
 	struct vpn_option *cookies;

diff --git a/ssl.c b/ssl.c
@@ -207,8 +207,14 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 	if (!vpninfo->https_ctx) {
 		vpninfo->https_ctx = SSL_CTX_new(ssl3_method);
 
+		err = -EPERM;
 		if (vpninfo->cert)
-			load_certificate(vpninfo);
+			err = load_certificate(vpninfo);
+
+		if (err && vpninfo->nopasswd) {
+			vpninfo->progress(vpninfo, PRG_ERR, "No certificate and nopasswd set. Aborting\n");
+			return err;
+		}
 
 		if (vpninfo->cafile) {
 			SSL_CTX_load_verify_locations(vpninfo->https_ctx, vpninfo->cafile, NULL);