On Fri, 2018-10-05 at 13:45 +0100, David Woodhouse wrote:
> On Thu, 2018-10-04 at 14:50 -0400, Ray Lambert wrote:
> > On 10/4/18 11:23 AM, David Woodhouse wrote:
> > > Ah, I suspect the issue here is that the "form" at the end isn't
> > > actually asking for anything. So we fail to parse it (or at least fail
> > > to send any kind of response).
> > > 
> > > We should send back the hostscan token even if there's no username or
> > > password or anything else.
> > 
> > David,
> > 
> > Is the <authentication-complete> tag the key to this, by any chance?  I'm
> > just guessing (I don't know the protocol) but I don't see it being handled
> > in the code.
> > 
> > I tried adding some code to handle it but I'm not really sure what to do
> > with it; my first attempt failed (i.e. exiting handle_auth_form() with
> > OC_FORM_RESULT_OK if the tag has been seen).
> 
> Yeah, that won't work because it won't post anything back. Try
> something like this...

Or this slightly (but only slightly) nicer variant:

diff --git a/auth.c b/auth.c
index 799a031..fe26316 100644
--- a/auth.c
+++ b/auth.c
@@ -417,6 +417,12 @@ static int parse_auth_node(struct openconnect_info 
*vpninfo, xmlNode *xml_node,
                } else if (!vpninfo->csd_scriptname && 
xmlnode_is_named(xml_node, "csd")) {
                        xmlnode_get_prop(xml_node, "token", 
&vpninfo->csd_token);
                        xmlnode_get_prop(xml_node, "ticket", 
&vpninfo->csd_ticket);
+               } else if (xmlnode_is_named(xml_node, 
"authentication-complete")) {
+                       /* Ick. Since struct oc_auth_form is public there's no
+                        * simple way to add a flag to it. So let's abuse the
+                        * auth_id string instead. */
+                       free(form->auth_id);
+                       form->auth_id = 
strdup("openconnect_authentication_complete");
                }
                /* For Windows, vpninfo->csd_xmltag will be "csd" and there are 
*two* <csd>
                   nodes; one with token/ticket and one with the URLs. Process 
them both
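
Review bot: the strdup() result assigned to form->auth_id in the new "authentication-complete" branch is not checked. The old value has already been freed at that point, so an allocation failure leaves auth_id NULL, and the strcmp(form->auth_id, ...) added to handle_auth_form() later in this patch would then be handed a NULL pointer. Check the return value and fail with -ENOMEM. The sentinel string is also spelled out in full at both sites; a single #define would keep the two from drifting apart.
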
@@ -648,6 +654,8 @@ static int handle_auth_form(struct openconnect_info 
*vpninfo, struct oc_auth_for
                        vpn_progress(vpninfo, PRG_INFO, "%s\n", form->message);
                if (form->error)
                        vpn_progress(vpninfo, PRG_ERR, "%s\n", form->error);
+               if (!strcmp(form->auth_id, 
"openconnect_authentication_complete"))
+                       goto justpost;
                return -EPERM;
        }
 
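
Review bot: the strcmp(form->auth_id, "openconnect_authentication_complete") added just before "return -EPERM" has no NULL guard, so a form that reaches this point with auth_id unset is passed to strcmp() as NULL instead of returning -EPERM. Test "form->auth_id &&" first. Because the flag is carried in a string field rather than a private one, any form whose auth_id happens to equal the sentinel takes the goto; if auth_id can also be filled from the server's XML, that lets the server turn the -EPERM return into a post, which is a reason to prefer a flag outside the public struct over a magic value.
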
@@ -662,7 +670,7 @@ static int handle_auth_form(struct openconnect_info 
*vpninfo, struct oc_auth_for
                vpninfo->token_bypassed = 1;
                return ret;
        }
-
+ justpost:
        ret = vpninfo->xmlpost ?
              xmlpost_append_form_opts(vpninfo, form, request_body) :
              append_form_opts(vpninfo, form, request_body);
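
Review bot: the "justpost:" label takes the place of the blank line that separated the early-return block from the post, and nothing at the label says why control can now arrive here from the -EPERM path. Keep the blank line and add a one-line comment at the label stating that the form may carry no options in this case, so it is clear that xmlpost_append_form_opts() and append_form_opts() are expected to cope with that.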
