diff --git a/http.c b/http.c
index 292970ac..7921a027 100644
--- a/http.c
+++ b/http.c
@@ -816,6 +816,32 @@ static int handle_redirect(struct openconnect_info *vpninfo)
 	}
 }
 
+static void dump_buf(struct openconnect_info *vpninfo, char prefix, char *buf)
+{
+	while (*buf) {
+		char *eol = buf;
+		char eol_char = 0;
+
+		while (*eol) {
+			if (*eol == '\r' || *eol == '\n') {
+				eol_char = *eol;
+				*eol = 0;
+				break;
+			}
+			eol++;
+		}
+
+		vpn_progress(vpninfo, PRG_TRACE, "%c %s\n", prefix, buf);
+		if (!eol_char)
+			break;
+
+		*eol = eol_char;
+		buf = eol + 1;
+		if (eol_char == '\r' && *buf == '\n')
+			buf++;
+	}
+}
+
 /* Inputs:
  * method: GET or POST
  * vpninfo->hostname: Host DNS name
@@ -895,6 +921,9 @@ static int do_https_request(struct openconnect_info *vpninfo, const char *method
 		}
 	}
 
+	if (vpninfo->dump_http_traffic)
+		dump_buf(vpninfo, '>', buf->data);
+
 	result = openconnect_SSL_write(vpninfo, buf->data, buf->pos);
 	if (rq_retry && result < 0) {
 		openconnect_close_https(vpninfo, 0);
@@ -909,6 +938,8 @@ static int do_https_request(struct openconnect_info *vpninfo, const char *method
 		/* We'll already have complained about whatever offended us */
 		return buflen;
 	}
+	if (vpninfo->dump_http_traffic && *form_buf)
+		dump_buf(vpninfo, '<', *form_buf);
 
 	if (result != 200 && vpninfo->redirect_url) {
 		result = handle_redirect(vpninfo);
diff --git a/main.c b/main.c
index ef173aac..73313665 100644
--- a/main.c
+++ b/main.c
@@ -95,6 +95,7 @@ enum {
 	OPT_CSD_WRAPPER,
 	OPT_DISABLE_IPV6,
 	OPT_DTLS_CIPHERS,
+	OPT_DUMP_HTTP,
 	OPT_FORCE_DPD,
 	OPT_KEY_PASSWORD_FROM_FSID,
 	OPT_LIBPROXY,
@@ -182,6 +183,7 @@ static struct option long_options[] = {
 	OPTION("token-secret", 1, OPT_TOKEN_SECRET),
 	OPTION("os", 1, OPT_OS),
 	OPTION("no-xmlpost", 0, OPT_NO_XMLPOST),
+	OPTION("dump-http-traffic", 0, OPT_DUMP_HTTP),
 	OPTION(NULL, 0, 0)
 };
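Review bot: `dump_buf` takes `char *buf` rather than `const char *` only because it overwrites each line terminator with NUL before the `vpn_progress` call and restores it afterwards, so the caller's buffer is modified in place while the trace runs, and the whole buffer must be NUL-terminated because no length is passed even though the request-side caller in the `@@ -895` hunk also has `buf->pos` available. A precision print avoids the write entirely: `vpn_progress(vpninfo, PRG_TRACE, "%c %.*s\n", prefix, (int)(eol - buf), buf);` with the `*eol = 0;` / `*eol = eol_char;` pair dropped and the parameter declared `const char *buf`. Either way a short header comment would help: `/* Trace buf one line at a time. buf must be NUL-terminated; CRLF, CR and LF all end a line. */`. Whether `buf->data` and `*form_buf` are always NUL-terminated cannot be confirmed from this diff.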
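Review bot: The request dumped with `'>'` in the `@@ -895` hunk is the complete `buf->data` that is about to go to `openconnect_SSL_write`, so at PRG_TRACE the log presumably carries the request headers (Cookie among them) and any POST body, which for the authentication exchanges the usage text itself describes means session cookies and submitted credentials in clear; the response dumped with `'<'` in the `@@ -909` hunk may likewise contain cookies. That is inherent in the feature, but neither the new usage line nor the man-page entry in this commit says so; I would add to the man-page entry a sentence such as `The output contains authentication cookies and any submitted credentials; do not share it unredacted.` and a comment at the first call site, `/* Logs the raw request including headers and form data. */`. Note also that the response dump sits after the early `return buflen;` just above it, so responses the preceding check rejects are never traced, presumably intended but worth a word in the man page if the option is meant for debugging failed logins. `do_https_request` begins and ends outside these hunks.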
@@ -276,6 +278,7 @@ static void usage(void)
 	printf(" -u, --user=NAME %s\n", _("Set login username"));
 	printf(" -V, --version %s\n", _("Report version number"));
 	printf(" -v, --verbose %s\n", _("More output"));
+	printf(" --dump-http-traffic %s\n", _("Dump HTTP authentication traffic (implies --verbose"));
 	printf(" -x, --xmlconfig=CONFIG %s\n", _("XML config file"));
 	printf(" --authgroup=GROUP %s\n", _("Choose authentication login selection"));
 	printf(" --authenticate %s\n", _("Authenticate only and print login info"));
@@ -704,6 +707,8 @@ int main(int argc, char **argv)
 		case 'q':
 			verbose = PRG_ERR;
 			break;
+		case OPT_DUMP_HTTP:
+			vpninfo->dump_http_traffic = 1;
 		case 'v':
 			verbose = PRG_TRACE;
 			break;
diff --git a/openconnect-internal.h b/openconnect-internal.h
index d2c176ed..138b8caa 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -181,6 +181,7 @@ struct openconnect_info {
 	char *csd_wrapper;
 	int uid_csd_given;
 	int no_http_keepalive;
+	int dump_http_traffic;
 	int token_mode;
 	int token_bypassed;
 
diff --git a/openconnect.8.in b/openconnect.8.in
index 3038c4f0..131b6deb 100644
--- a/openconnect.8.in
+++ b/openconnect.8.in
@@ -43,6 +43,7 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .OP \-\-disable\-ipv6
 .OP \-\-dtls\-ciphers list
 .OP \-\-dtls\-local\-port port
+.OP \-\-dump\-http\-traffic
 .OP \-\-no\-cert\-check
 .OP \-\-no\-dtls
 .OP \-\-no\-http\-keepalive
@@ -285,6 +286,15 @@ Do not advertise IPv6 capability to server
 .B \-\-dtls\-ciphers=LIST
 Set OpenSSL ciphers to support for DTLS
 .TP
+.B \-\-dtls\-local\-port=PORT
+Use
+.I PORT
+as the local port for DTLS datagrams
+.TP
+.B \-\-dump\-http\-traffic
+Enable verbose output of all HTTP requests and the bodies of all responses received from the server.
+.TP
 .B \-\-no\-cert\-check
 Do not require server SSL certificate to be valid. Checks will still happen and failures will cause a warning message, but the connection will continue
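Review bot: The new help string has an unbalanced parenthesis: `_("Dump HTTP authentication traffic (implies --verbose")` should read `_("Dump HTTP authentication traffic (implies --verbose)")`. Because it is wrapped in `_()` the fix should land before translators pick the string up. The help text also says "authentication traffic" while the man-page entry in this commit says all HTTP requests and response bodies; the two descriptions should agree on what is dumped. `usage` begins and ends outside the hunk.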
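Review bot: `case OPT_DUMP_HTTP:` in the `@@ -704` hunk runs on into `case 'v':` so that the option also raises `verbose` to PRG_TRACE, which matches the "implies --verbose" help text, but nothing marks the fall-through and `-Wimplicit-fallthrough` will flag it; add `/* fallthrough */` after `vpninfo->dump_http_traffic = 1;`. A later `-q` on the command line resets `verbose` to PRG_ERR while leaving `dump_http_traffic` set, so the dump, which `dump_buf` emits at PRG_TRACE, would presumably then be filtered out silently; if that matters, a check after option parsing could restore the level. `main` continues outside the hunk.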
@@ -375,12 +385,6 @@ as 'User\-Agent:' field value in HTTP header.
 OS type to report to gateway. Recognized values are: linux, linux-64, mac, win. Reporting a different OS type may affect the security policy applied to the VPN session.
-.TP
-.B \-\-dtls\-local\-port=PORT
-Use
-.I PORT
-as the local port for DTLS datagrams
-
 .SH LIMITATIONS
 Note that although IPv6 has been tested on all platforms on which
 .B openconnect
diff --git a/www/changelog.xml b/www/changelog.xml
index e4d2e553..5e101c68 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -17,6 +17,7 @@