Add --dump-http-traffic option

I'm tired of manually doing this and asking people to apply a patch before
re-testing.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>

http.c

@@ -816,6 +816,32 @@ static int handle_redirect(struct openconnect_info *vpninfo)
 	}
 }
 
+static void dump_buf(struct openconnect_info *vpninfo, char prefix, char *buf)
+{
+	while (*buf) {
+		char *eol = buf;
+		char eol_char = 0;
+
+		while (*eol) {
+			if (*eol == '\r' || *eol == '\n') {
+				eol_char = *eol;
+				*eol = 0;
+				break;
+			}
+			eol++;
+		}
+
+		vpn_progress(vpninfo, PRG_TRACE, "%c %s\n", prefix, buf);
+		if (!eol_char)
+			break;
+
+		*eol = eol_char;
+		buf = eol + 1;
+		if (eol_char == '\r' && *buf == '\n')
+			buf++;
+	}
+}
+
 /* Inputs:
  *  method:             GET or POST
  *  vpninfo->hostname:  Host DNS name
@@ -895,6 +921,9 @@ static int do_https_request(struct openconnect_info *vpninfo, const char *method
 		}
 	}
 
+	if (vpninfo->dump_http_traffic)
+		dump_buf(vpninfo, '>', buf->data);
+
 	result = openconnect_SSL_write(vpninfo, buf->data, buf->pos);
 	if (rq_retry && result < 0) {
 		openconnect_close_https(vpninfo, 0);
@@ -909,6 +938,8 @@ static int do_https_request(struct openconnect_info *vpninfo, const char *method
 		/* We'll already have complained about whatever offended us */
 		return buflen;
 	}
+	if (vpninfo->dump_http_traffic && *form_buf)
+		dump_buf(vpninfo, '<', *form_buf);
 
 	if (result != 200 && vpninfo->redirect_url) {
 		result = handle_redirect(vpninfo);

main.c

@@ -95,6 +95,7 @@ enum {
 	OPT_CSD_WRAPPER,
 	OPT_DISABLE_IPV6,
 	OPT_DTLS_CIPHERS,
+	OPT_DUMP_HTTP,
 	OPT_FORCE_DPD,
 	OPT_KEY_PASSWORD_FROM_FSID,
 	OPT_LIBPROXY,
@@ -182,6 +183,7 @@ static struct option long_options[] = {
 	OPTION("token-secret", 1, OPT_TOKEN_SECRET),
 	OPTION("os", 1, OPT_OS),
 	OPTION("no-xmlpost", 0, OPT_NO_XMLPOST),
+	OPTION("dump-http-traffic", 0, OPT_DUMP_HTTP),
 	OPTION(NULL, 0, 0)
 };
 
@@ -276,6 +278,7 @@ static void usage(void)
 	printf("  -u, --user=NAME                 %s\n", _("Set login username"));
 	printf("  -V, --version                   %s\n", _("Report version number"));
 	printf("  -v, --verbose                   %s\n", _("More output"));
+	printf("      --dump-http-traffic         %s\n", _("Dump HTTP authentication traffic (implies --verbose"));
 	printf("  -x, --xmlconfig=CONFIG          %s\n", _("XML config file"));
 	printf("      --authgroup=GROUP           %s\n", _("Choose authentication login selection"));
 	printf("      --authenticate              %s\n", _("Authenticate only and print login info"));
@@ -704,6 +707,8 @@ int main(int argc, char **argv)
 		case 'q':
 			verbose = PRG_ERR;
 			break;
+		case OPT_DUMP_HTTP:
+			vpninfo->dump_http_traffic = 1;
 		case 'v':
 			verbose = PRG_TRACE;
 			break;

openconnect-internal.h

@@ -181,6 +181,7 @@ struct openconnect_info {
 	char *csd_wrapper;
 	int uid_csd_given;
 	int no_http_keepalive;
+	int dump_http_traffic;
 
 	int token_mode;
 	int token_bypassed;

openconnect.8.in

@@ -43,6 +43,7 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .OP \-\-disable\-ipv6
 .OP \-\-dtls\-ciphers list
 .OP \-\-dtls\-local\-port port
+.OP \-\-dump\-http\-traffic
 .OP \-\-no\-cert\-check
 .OP \-\-no\-dtls
 .OP \-\-no\-http\-keepalive
@@ -285,6 +286,15 @@ Do not advertise IPv6 capability to server
 .B \-\-dtls\-ciphers=LIST
 Set OpenSSL ciphers to support for DTLS
 .TP
+.B \-\-dtls\-local\-port=PORT
+Use
+.I PORT
+as the local port for DTLS datagrams
+.TP
+.B \-\-dump\-http\-traffic
+Enable verbose output of all HTTP requests and the bodies of all responses
+received from the server.
+.TP
 .B \-\-no\-cert\-check
 Do not require server SSL certificate to be valid. Checks will still happen
 and failures will cause a warning message, but the connection will continue
@@ -375,12 +385,6 @@ as 'User\-Agent:' field value in HTTP header.
 OS type to report to gateway.  Recognized values are: linux, linux-64, mac,
 win.  Reporting a different OS type may affect the security policy applied
 to the VPN session.
-.TP
-.B \-\-dtls\-local\-port=PORT
-Use
-.I PORT
-as the local port for DTLS datagrams
-
 .SH LIMITATIONS
 Note that although IPv6 has been tested on all platforms on which
 .B openconnect

www/changelog.xml

@@ -17,6 +17,7 @@
 <ul>
    <li><b>OpenConnect HEAD</b>
      <ul>
+       <li>Add <tt>--dump-http-traffic</tt> option for debugging.</li>
        <li>Be more permissive in parsing XML forms.</li>
        <li>Use original URL when falling back to non-XML POST mode.</li>
        <li>Add <tt>--no-xmlpost</tt> option to revert to older, compatible behaviour.</li>