GlobalProtect: apparently, the parameter `clientos=Linux` value is not just allowed...
authorDaniel Lenski <dlenski@gmail.com>
Sun, 25 Nov 2018 15:53:37 +0000 (10:53 -0500)
committerDaniel Lenski <dlenski@gmail.com>
Sun, 25 Nov 2018 15:57:15 +0000 (10:57 -0500)
* Previously, I had received at least two reports of servers where
  `clientos=Windows` was required for the VPN to work correctly.

* Per https://github.com/dlenski/openconnect/issues/126, there is at least
  one report where *not* setting `clientos=Windows` was required for the VPN
  to work.

* The truly maddening part is not only the pointless and inconsistent
  behavior of the GlobalProtect servers, but also the fact that the servers
  give such misleading and irrelevant error messages ("Incorrect username or
  password" or "Unable to assign private IP address", etc.) rather than
  something that makes sense like "Unknown clientos value."

This patch makes `clientos=Linux` the default behavior when
`vpninfo->platname` is `linux-64` or `android`, while still allowing it to
be overridden with `--os=win` etc.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
auth-globalprotect.c
gpst.c

index f0247608a1ec5b65260adf4f66ba96bda68fbb02..61f0fbe86d6e67088f3cbf99ed8332fd3ee2dee2 100644 (file)
@@ -447,9 +447,18 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login
 
        /* Ask the user to fill in the auth form; repeat as necessary */
        for (;;) {
+               const char *clientos;
+               if (!strcmp(vpninfo->platname, "mac-intel") || !strcmp(vpninfo->platname, "apple-ios"))
+                       clientos = "Mac";
+               else if (!strcmp(vpninfo->platname, "linux-64") || !strcmp(vpninfo->platname, "android"))
+                       clientos = "Linux";
+               else
+                       clientos = "Windows";
+
                /* submit prelogin request to get form */
                orig_path = vpninfo->urlpath;
-               vpninfo->urlpath = strdup(portal ? "global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows" : "ssl-vpn/prelogin.esp");
+               asprintf(&vpninfo->urlpath, "%s/prelogin.esp?tmp=tmp&clientVer=4100&clientos=%s",
+                                portal ? "global-protect" : "ssl-vpn", clientos);
                result = do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, 0);
                free(vpninfo->urlpath);
                vpninfo->urlpath = orig_path;
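Review bot: The return value of `asprintf()` is not checked where the prelogin URL is built. On failure glibc documents the output pointer as undefined, so `do_https_request()` would read an indeterminate `vpninfo->urlpath` and `free(vpninfo->urlpath)` would release it. The replaced `strdup()` at least produced NULL in that case. Test the result before issuing the request, along the lines of `if (asprintf(&vpninfo->urlpath, ...) < 0) { vpninfo->urlpath = orig_path; result = -ENOMEM; ... }`, and route it through whatever error path gpst_login already uses (its body starts and ends outside this hunk). Separately, the gateway URL `ssl-vpn/prelogin.esp` now also carries `?tmp=tmp&clientVer=4100&clientos=...`, which it did not before and which the commit message does not mention, so it is worth confirming that gateways accept it.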
@@ -476,7 +485,13 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login
 
                /* submit gateway login (ssl-vpn/login.esp) or portal config (global-protect/getconfig.esp) request */
                buf_truncate(request_body);
-               buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&clientos=Windows");
+               buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:");
+               if (!strcmp(vpninfo->platname, "mac-intel") || !strcmp(vpninfo->platname, "apple-ios"))
+                       append_opt(request_body, "clientos", "Mac");
+               else if (!strcmp(vpninfo->platname, "linux-64") || !strcmp(vpninfo->platname, "android"))
+                       append_opt(request_body, "clientos", "Linux");
+               else
+                       append_opt(request_body, "clientos", "Windows");
                append_opt(request_body, "os-version", vpninfo->platname);
                append_opt(request_body, "server", vpninfo->hostname);
                append_opt(request_body, "computer", vpninfo->localname);
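Review bot: The `platname` to `clientos` chain added here repeats the one the first hunk already evaluates into the local `clientos`, and a third copy lands in gpst_get_config in gpst.c. Three hand-maintained copies of a value the server uses to decide whether login works will drift the next time a platform string is added. If this line is still inside the same `for (;;)` body (the indentation suggests so, but the lines between the hunks are not visible), the six added lines reduce to `append_opt(request_body, "clientos", clientos);`. For gpst.c, a small shared helper returning the string (for example a function named `gpst_os_name(vpninfo)`, a suggested name) would keep both files in step.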
diff --git a/gpst.c b/gpst.c
index cae4e4f841e576313ed490b124094f431b7c58ad..5fa2fc40579bb97ffd654588b00b75b36abfd714 100644 (file)
--- a/gpst.c
+++ b/gpst.c
@@ -581,7 +581,13 @@ static int gpst_get_config(struct openconnect_info *vpninfo)
        char *xml_buf=NULL;
 
        /* submit getconfig request */
-       buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Windows");
+       buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10");
+       if (!strcmp(vpninfo->platname, "mac-intel") || !strcmp(vpninfo->platname, "apple-ios"))
+               append_opt(request_body, "clientos", "Mac");
+       else if (!strcmp(vpninfo->platname, "linux-64") || !strcmp(vpninfo->platname, "android"))
+               append_opt(request_body, "clientos", "Linux");
+       else
+               append_opt(request_body, "clientos", "Windows");
        append_opt(request_body, "os-version", vpninfo->platname);
        append_opt(request_body, "hmac-algo", "sha1,md5");
        append_opt(request_body, "enc-algo", "aes-128-cbc,aes-256-cbc");
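Review bot: The new mapping in gpst_get_config has no comment explaining why `clientos` is derived from `platname`, or that every platform outside the four listed strings is reported to the server as Windows. That reasoning currently lives only in the commit message. A short comment above the `if` would save the next reader from treating the fallback as a bug, for example `/* Some GlobalProtect servers only work when clientos matches the real platform, others only with Windows; default from platname, overridable with --os */`. The function body continues outside the hunk.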