Drop X-Aggregate-Auth: header in fallback mode
authorDavid Woodhouse <David.Woodhouse@intel.com>
Thu, 30 May 2013 20:17:15 +0000 (21:17 +0100)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Thu, 30 May 2013 20:17:15 +0000 (21:17 +0100)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
http.c
library.c
main.c
openconnect-internal.h
www/changelog.xml

diff --git a/http.c b/http.c
index 7921a02721ff38583f9ba38af715bb0946127496..8bf27135ef6664919a1c118c7faeab68f3786603 100644 (file)
--- a/http.c
+++ b/http.c
@@ -447,8 +447,11 @@ static void add_common_headers(struct openconnect_info *vpninfo, struct oc_text_
                                      opt->value, opt->next ? "; " : "\r\n");
        }
        buf_append(buf, "X-Transcend-Version: 1\r\n");
-       buf_append(buf, "X-Aggregate-Auth: 1\r\n");
-       buf_append(buf, "X-AnyConnect-Platform: %s\r\n", vpninfo->platname);
+       if (vpninfo->xmlpost) {
+               buf_append(buf, "X-Aggregate-Auth: 1\r\n");
+               buf_append(buf, "X-AnyConnect-Platform: %s\r\n",
+                          vpninfo->platname);
+       }
 }
 
 static int fetch_config(struct openconnect_info *vpninfo, char *fu, char *bu,
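Review bot: The new `if (vpninfo->xmlpost)` guard reads as a static user setting, but nothing here says that the flag is also runtime state: openconnect_obtain_cookie() clears it when it falls back from XML POST to GET, and from that point every request built by add_common_headers() omits both headers, which is the intent of the commit. A comment on the condition would save the next maintainer a search, e.g. `/* Only the XML POST auth flow uses these; openconnect_obtain_cookie() clears xmlpost when it falls back to GET. */`. fetch_config() begins on the last line of the hunk and continues outside it.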
@@ -1000,7 +1003,6 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
        const char *method = "POST";
        char *orig_host = NULL, *orig_path = NULL;
        int orig_port = 0;
-       int xmlpost = 1;
 
        /* Step 1: Unlock software token (if applicable) */
        if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
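Review bot: Dropping the per-call `int xmlpost = 1` moves the fallback state into vpninfo, where it outlives the call: once the retry loop in the `@@ -1032` hunk sets `vpninfo->xmlpost = 0`, a second openconnect_obtain_cookie() on the same vpninfo takes the `if (!vpninfo->xmlpost) goto fail;` path from the `@@ -1009` hunk and never attempts XML POST again, and the user's explicit OPT_NO_XMLPOST can no longer be told apart from a runtime fallback. Whether any caller authenticates twice with one vpninfo is not visible here, but if that is possible (a library user reconnecting, say), the fallback should be reversible — for instance by saving `int saved_xmlpost = vpninfo->xmlpost;` at entry and restoring it at `out:`, or by keeping the user's preference in a separate field that seeds `vpninfo->xmlpost` at the top of the function. openconnect_obtain_cookie() starts and ends outside this hunk.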
@@ -1009,7 +1011,7 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
                        return result;
        }
 
-       if (vpninfo->noxmlpost)
+       if (!vpninfo->xmlpost)
                goto fail;
 
        /*
@@ -1032,10 +1034,10 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
        for (tries = 0; ; tries++) {
                if (tries == 3) {
                fail:
-                       if (xmlpost) {
+                       if (vpninfo->xmlpost) {
                                /* Try without XML POST this time... */
                                tries = 0;
-                               xmlpost = 0;
+                               vpninfo->xmlpost = 0;
                                request_body_type = NULL;
                                request_body[0] = 0;
                                method = "GET";
@@ -1061,7 +1063,8 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
                        return buflen;
 
                /* XML POST does not allow local redirects, but GET does. */
-               if (xmlpost && vpninfo->redirect_type == REDIR_TYPE_LOCAL)
+               if (vpninfo->xmlpost &&
+                   vpninfo->redirect_type == REDIR_TYPE_LOCAL)
                        goto fail;
                else if (vpninfo->redirect_type != REDIR_TYPE_NONE)
                        continue;
@@ -1076,7 +1079,7 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
                }
                break;
        }
-       if (xmlpost)
+       if (vpninfo->xmlpost)
                vpn_progress(vpninfo, PRG_INFO, _("XML POST enabled\n"));
 
        free (orig_host);
@@ -1135,7 +1138,8 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
                free(vpninfo->urlpath);
                vpninfo->urlpath = form_path;
 
-               result = do_https_request(vpninfo, xmlpost ? "POST" : "GET",
+               result = do_https_request(vpninfo,
+                                         vpninfo->xmlpost ? "POST" : "GET",
                                          request_body_type, request_body, &form_buf, 1);
                if (result < 0)
                        goto out;
@@ -1149,7 +1153,7 @@ int openconnect_obtain_cookie(struct openconnect_info *vpninfo)
        while (1) {
                request_body[0] = 0;
                result = handle_auth_form(vpninfo, form, request_body, sizeof(request_body),
-                                         &method, &request_body_type, xmlpost);
+                                         &method, &request_body_type, vpninfo->xmlpost);
                if (result < 0 || result == 1)
                        goto out;
                if (result == 2)
index c6f7a40ab54903e20fe640a9acc54b7fc4c49648..66bf89b045c3f8e57f40036bab0089a82653b5eb 100644 (file)
--- a/library.c
+++ b/library.c
@@ -57,6 +57,7 @@ struct openconnect_info *openconnect_vpninfo_new(char *useragent,
        vpninfo->progress = progress;
        vpninfo->cbdata = privdata ? : vpninfo;
        vpninfo->cancel_fd = -1;
+       vpninfo->xmlpost = 1;
        openconnect_set_reported_os(vpninfo, NULL);
 
 #ifdef ENABLE_NLS
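Review bot: Renaming `noxmlpost` to `xmlpost` inverts the meaning of the field's zero value, so a vpninfo that is zero-filled without passing through this line now has XML POST silently disabled instead of enabled, and the default has to be written explicitly — which this commit does in two places, here and in main.c at `vpninfo->xmlpost = 1;`. main() also sets cancel_fd itself, which suggests it does not obtain its struct from openconnect_vpninfo_new(); if so, the two defaults can drift independently, and a shared initializer, or at least a comment beside each assignment naming the other, would keep them in step. openconnect_vpninfo_new() continues outside the hunk.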
diff --git a/main.c b/main.c
index 73313665e813668bae446bf1ab17bbccd207dfc2..5ddd9b8d414a0ae0655f265e277152f154563c5c 100644 (file)
--- a/main.c
+++ b/main.c
@@ -508,6 +508,7 @@ int main(int argc, char **argv)
        vpninfo->cert_expire_warning = 60 * 86400;
        vpninfo->vpnc_script = DEFAULT_VPNCSCRIPT;
        vpninfo->cancel_fd = -1;
+       vpninfo->xmlpost = 1;
 
        if (!uname(&utsbuf))
                vpninfo->localname = utsbuf.nodename;
@@ -568,7 +569,7 @@ int main(int argc, char **argv)
                        vpninfo->nopasswd = 1;
                        break;
                case OPT_NO_XMLPOST:
-                       vpninfo->noxmlpost = 1;
+                       vpninfo->xmlpost = 0;
                        break;
                case OPT_NON_INTER:
                        non_inter = 1;
index 138b8caaf8400c95edd1a83381b8e3e5c1354482..16f4b6ddf7fe8181e475e033b5a2e954ff01169f 100644 (file)
@@ -175,7 +175,7 @@ struct openconnect_info {
        char *password;
        char *authgroup;
        int nopasswd;
-       int noxmlpost;
+       int xmlpost;
        char *dtls_ciphers;
        uid_t uid_csd;
        char *csd_wrapper;
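Review bot: The new `xmlpost` field is both a setting and a state flag — it holds the user's preference (cleared by OPT_NO_XMLPOST in main.c) and is also cleared by openconnect_obtain_cookie() when the XML POST attempt falls back to GET — but the declaration carries no comment recording that. A one-line comment would do: `int xmlpost; /* Use XML POST auth; set to 1 by default, 0 by OPT_NO_XMLPOST or after fallback to GET */`. struct openconnect_info starts and ends outside the hunk.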
index dc28f06532d3608111408db64ad5318718d9f93d..8d6f76534fabb0598d7016a375d464fab658c2ca 100644 (file)
@@ -17,6 +17,7 @@
 <ul>
    <li><b>OpenConnect HEAD</b>
      <ul>
+       <li>Don't include <tt>X-Aggregate-Auth:</tt> header in fallback mode.</li>
        <li>Enable AES256 mode for DTLS with GnuTLS <a href="https://bugzilla.redhat.com/show_bug.cgi?id=955710"><i>(RH#955710)</i></a>.</li>
        <li>Add <tt>--dump-http-traffic</tt> option for debugging.</li>
        <li>Be more permissive in parsing XML forms.</li>