static struct oc_auth_form *plain_auth_form(void)
{
- struct oc_auth_form *form;
- struct oc_form_opt *opt, *opt2, *opt3;
-
- form = calloc(1, sizeof(*form));
- if (!form) {
- nomem:
- free_auth_form(form);
- return NULL;
- }
+ struct oc_auth_form *form;
+ struct oc_form_opt *opt, *opt2, *opt3;
+
+ form = calloc(1, sizeof(*form));
+ if (!form) {
+ nomem:
+ free_auth_form(form);
+ return NULL;
+ }
form->auth_id = strdup("form");
- opt = form->opts = calloc(1, sizeof(*opt));
- if (!opt)
- goto nomem;
- opt->label = strdup("authgroup:");
- opt->name = strdup("method");
- opt->type = OC_FORM_OPT_TEXT;
-
- opt2 = opt->next = calloc(1, sizeof(*opt2));
- if (!opt2)
- goto nomem;
- opt2->label = strdup("username:");
- opt2->name = strdup("uname");
- opt2->type = OC_FORM_OPT_TEXT;
-
- opt3 = opt2->next = calloc(1, sizeof(*opt3));
- if (!opt3)
- goto nomem;
- opt3->label = strdup("password:");
- opt3->name = strdup("pwd");
- opt3->type = OC_FORM_OPT_PASSWORD;
- return form;
+ opt = form->opts = calloc(1, sizeof(*opt));
+ if (!opt)
+ goto nomem;
+ opt->label = strdup("authgroup:");
+ opt->name = strdup("method");
+ opt->type = OC_FORM_OPT_TEXT;
+
+ opt2 = opt->next = calloc(1, sizeof(*opt2));
+ if (!opt2)
+ goto nomem;
+ opt2->label = strdup("username:");
+ opt2->name = strdup("uname");
+ opt2->type = OC_FORM_OPT_TEXT;
+
+ opt3 = opt2->next = calloc(1, sizeof(*opt3));
+ if (!opt3)
+ goto nomem;
+ opt3->label = strdup("password:");
+ opt3->name = strdup("pwd");
+ opt3->type = OC_FORM_OPT_PASSWORD;
+ return form;
}
int array_obtain_cookie(struct openconnect_info *vpninfo)
struct oc_text_buf *req_buf = buf_alloc();
int ret;
- if ((ret = buf_error(req_buf)))
- goto out;
+ if ((ret = buf_error(req_buf)))
+ goto out;
do {
ret = process_auth_form(vpninfo, form);
ret = -EPERM;
out:
- if (form) free_auth_form(form);
- if (req_buf) buf_free(req_buf);
+ if (form) free_auth_form(form);
+ if (req_buf) buf_free(req_buf);
printf("obtain return %d\n", ret);
- return ret;
+ return ret;
}
/* XXX: Lifted from oncp.c. Share it. */
out:
if (ret) {
free_optlist(new_opts);
- free_split_routes(&new_ip_info);
+ free_split_routes(&new_ip_info);
}
return ret;
}
* Currently using the heuristic that if the password field in
* the preceding form wasn't treated as a token field, treat this
* as a token field.
- */
+ */
if (!can_gen_tokencode(vpninfo, form, opt2) && opt2->type == OC_FORM_OPT_PASSWORD)
opt2->type = OC_FORM_OPT_TOKEN;
else
* or repeated --servercert in order to allow non-interactive
* authentication to gateways whose certs aren't trusted by the
* system but ARE trusted by the portal (see example at
- * https://github.com/dlenski/openconnect/issues/128).
+ * https://github.com/dlenski/openconnect/issues/128).
*/
if (xmlnode_is_named(xml_node, "policy")) {
for (x = xml_node->children; x; x = x->next) {
int result;
/* An alternate password/secret field may be specified in the "URL path" (or --usergroup).
- * Known possibilities are:
+ * Known possibilities are:
* /portal:portal-userauthcookie
* /gateway:prelogin-cookie
*/
return -EIO;
}
- /* Mainloop timers need to know the last Trojan was invoked */
+ /* Mainloop timers need to know the last Trojan was invoked */
vpninfo->last_trojan = time(NULL);
return buf_free(buf);
}
return ret;
} else {
- /* in child: will be reaped by init */
- char scertbuf[MD5_SIZE * 2 + 1];
- char ccertbuf[MD5_SIZE * 2 + 1];
- char *csd_argv[32];
- int i = 0;
-
- if (set_csd_user(vpninfo) < 0)
- exit(1);
- if (getuid() == 0 && !vpninfo->csd_wrapper) {
- fprintf(stderr, _("Warning: you are running insecure CSD code with root privileges\n"
- "\t Use command line option \"--csd-user\"\n"));
- }
- /*
+ /* in child: will be reaped by init */
+ char scertbuf[MD5_SIZE * 2 + 1];
+ char ccertbuf[MD5_SIZE * 2 + 1];
+ char *csd_argv[32];
+ int i = 0;
+
+ if (set_csd_user(vpninfo) < 0)
+ exit(1);
+ if (getuid() == 0 && !vpninfo->csd_wrapper) {
+ fprintf(stderr, _("Warning: you are running insecure CSD code with root privileges\n"
+ "\t Use command line option \"--csd-user\"\n"));
+ }
+ /*
* Spurious stdout output from the CSD trojan will break both
* the NM tool and the various cookieonly modes.
* Also, gnome-shell *closes* stderr so attempt to cope with that
close(nulfd);
}
}
- dup2(2, 1);
- if (vpninfo->csd_wrapper)
- csd_argv[i++] = openconnect_utf8_to_legacy(vpninfo,
- vpninfo->csd_wrapper);
- csd_argv[i++] = fname;
- csd_argv[i++] = (char *)"-ticket";
- if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->csd_ticket) == -1)
- goto out;
- csd_argv[i++] = (char *)"-stub";
- csd_argv[i++] = (char *)"\"0\"";
- csd_argv[i++] = (char *)"-group";
- if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->authgroup?:"") == -1)
- goto out;
-
- openconnect_local_cert_md5(vpninfo, ccertbuf);
- scertbuf[0] = 0;
- get_cert_md5_fingerprint(vpninfo, vpninfo->peer_cert, scertbuf);
- csd_argv[i++] = (char *)"-certhash";
- if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
- goto out;
-
-
- csd_argv[i++] = (char *)"-url";
- if (asprintf(&csd_argv[i++], "\"https://%s%s\"", openconnect_get_hostname(vpninfo), vpninfo->csd_starturl) == -1)
- goto out;
-
- csd_argv[i++] = (char *)"-langselen";
- csd_argv[i++] = NULL;
-
- if (setenv("CSD_SHA256", openconnect_get_peer_cert_hash(vpninfo)+11, 1)) /* remove initial 'pin-sha256:' */
- goto out;
- if (setenv("CSD_TOKEN", vpninfo->csd_token, 1))
- goto out;
- if (setenv("CSD_HOSTNAME", openconnect_get_hostname(vpninfo), 1))
- goto out;
-
- apply_script_env(vpninfo->csd_env);
-
- execv(csd_argv[0], csd_argv);
-
- out:
- vpn_progress(vpninfo, PRG_ERR,
- _("Failed to exec CSD script %s\n"), vpninfo->csd_wrapper ?: fname);
- exit(1);
+ dup2(2, 1);
+ if (vpninfo->csd_wrapper)
+ csd_argv[i++] = openconnect_utf8_to_legacy(vpninfo,
+ vpninfo->csd_wrapper);
+ csd_argv[i++] = fname;
+ csd_argv[i++] = (char *)"-ticket";
+ if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->csd_ticket) == -1)
+ goto out;
+ csd_argv[i++] = (char *)"-stub";
+ csd_argv[i++] = (char *)"\"0\"";
+ csd_argv[i++] = (char *)"-group";
+ if (asprintf(&csd_argv[i++], "\"%s\"", vpninfo->authgroup?:"") == -1)
+ goto out;
+
+ openconnect_local_cert_md5(vpninfo, ccertbuf);
+ scertbuf[0] = 0;
+ get_cert_md5_fingerprint(vpninfo, vpninfo->peer_cert, scertbuf);
+ csd_argv[i++] = (char *)"-certhash";
+ if (asprintf(&csd_argv[i++], "\"%s:%s\"", scertbuf, ccertbuf) == -1)
+ goto out;
+
+
+ csd_argv[i++] = (char *)"-url";
+ if (asprintf(&csd_argv[i++], "\"https://%s%s\"", openconnect_get_hostname(vpninfo), vpninfo->csd_starturl) == -1)
+ goto out;
+
+ csd_argv[i++] = (char *)"-langselen";
+ csd_argv[i++] = NULL;
+
+ if (setenv("CSD_SHA256", openconnect_get_peer_cert_hash(vpninfo)+11, 1)) /* remove initial 'pin-sha256:' */
+ goto out;
+ if (setenv("CSD_TOKEN", vpninfo->csd_token, 1))
+ goto out;
+ if (setenv("CSD_HOSTNAME", openconnect_get_hostname(vpninfo), 1))
+ goto out;
+
+ apply_script_env(vpninfo->csd_env);
+
+ execv(csd_argv[0], csd_argv);
+
+ out:
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Failed to exec CSD script %s\n"), vpninfo->csd_wrapper ?: fname);
+ exit(1);
}
#endif /* !_WIN32 && !__native_client__ */
#include <sec_api/stdlib_s.h> /* errno_t, size_t */
#ifndef HAVE_GETENV_S_DECL
errno_t getenv_s(
- size_t *ret_required_buf_size,
- char *buf,
- size_t buf_size_in_bytes,
- const char *name
+ size_t *ret_required_buf_size,
+ char *buf,
+ size_t buf_size_in_bytes,
+ const char *name
);
#endif
#ifndef HAVE_PUTENV_S_DECL
errno_t _putenv_s(
- const char *varname,
- const char *value_string
+ const char *varname,
+ const char *value_string
);
#endif
#endif
gettimeofday(&now_tv, NULL);
if (now_tv.tv_sec > start_tv.tv_sec + 10) {
- if (absolute_min == min) {
- /* Hm, we never got *anything* back successfully? */
- vpn_progress(vpninfo, PRG_ERR,
- _("Too long time in MTU detect loop; assuming negotiated MTU.\n"));
- goto fail;
- } else {
- vpn_progress(vpninfo, PRG_ERR,
- _("Too long time in MTU detect loop; MTU set to %d.\n"), min);
+ if (absolute_min == min) {
+ /* Hm, we never got *anything* back successfully? */
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Too long time in MTU detect loop; assuming negotiated MTU.\n"));
+ goto fail;
+ } else {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("Too long time in MTU detect loop; MTU set to %d.\n"), min);
ret = min;
goto out;
- }
+ }
}
int st = xmlnode_bool_or_int_value(xml_node);
vpn_progress(vpninfo, PRG_INFO, _("Got SplitTunneling0 value of %d\n"), st);
/* XX: Should we ignore split-{in,ex}cludes if this is zero? */
- }
+ }
/* XX: This is an objectively stupid way to use XML, a hierarchical data format. */
else if ( (!strncmp((char *)xml_node->name, "DNS", 3) && isdigit(xml_node->name[3]))
|| (!strncmp((char *)xml_node->name, "DNS6_", 5) && isdigit(xml_node->name[5])) ) {
if (ret || (*ipv4 < 1 && *ipv6 < 1) || !*ur_z || !*session_id) {
free_optlist(new_opts);
- free_split_routes(&new_ip_info);
+ free_split_routes(&new_ip_info);
err:
vpn_progress(vpninfo, PRG_ERR,
_("Failed to find VPN options\n"));
if (!vpninfo->ip_info.addr6 && !vpninfo->ip_info.netmask6)
inet_pton(AF_INET6, val, &ppp->out_ipv6_addr);
}
- /* XX: The server's IP address(es) X-VPN-server-{IP,IPv6} are also
- * sent, but the utility of these is unclear. As remarked in oncp.c,
+ /* XX: The server's IP address(es) X-VPN-server-{IP,IPv6} are also
+ * sent, but the utility of these is unclear. As remarked in oncp.c,
* "this is a tunnel; having a gateway is meaningless." */
return 0;
}
* precisely the same cert that we get from the HTTPS service,
* but we tried that for EAP-TTLS in the Pulse protocol and the
* theory was disproven, so we ended up doing this there too.
- */
+ */
gnutls_credentials_set(dtls_ssl, GNUTLS_CRD_CERTIFICATE, vpninfo->https_cred);
/* The F5 BIG-IP server before v16, will crap itself if we
vpninfo->hostname,
strlen(vpninfo->hostname));
- /*
- * If a ClientHello is between 256 and 511 bytes, the
- * server cannot distinguish between a SSLv2 formatted
- * packet and a SSLv3 formatted packet.
- *
- * F5 BIG-IP reverse proxies in particular will
- * silently drop an ambiguous ClientHello.
- *
- * GnuTLS fixes this in v3.2.9+ by padding ClientHello
- * packets to at least 512 bytes if %COMPAT or %DUMBFW
- * is specified.
- *
- * Discussion:
- * https://www.ietf.org/mail-archive/web/tls/current/msg10423.html
- *
- * GnuTLS commits:
- * b6d29bb1737f96ac44a8ef9cc9fe7f9837e20465
- * a9bd8c4d3a639c40adb964349297f891f583a21b
- * 531bec47037e882af32963f8461988f8c724919e
- * 7c45ebbdd877cd994b6b938bd6faef19558a01e1
- * 8d28901a3ebd2589d0fc9941475d50f04047f6fe
- * 28065ce3896b1b0f87972d0bce9b17641ebb69b9
- */
-
- if (!vpninfo->ciphersuite_config) {
+ /*
+ * If a ClientHello is between 256 and 511 bytes, the
+ * server cannot distinguish between a SSLv2 formatted
+ * packet and a SSLv3 formatted packet.
+ *
+ * F5 BIG-IP reverse proxies in particular will
+ * silently drop an ambiguous ClientHello.
+ *
+ * GnuTLS fixes this in v3.2.9+ by padding ClientHello
+ * packets to at least 512 bytes if %COMPAT or %DUMBFW
+ * is specified.
+ *
+ * Discussion:
+ * https://www.ietf.org/mail-archive/web/tls/current/msg10423.html
+ *
+ * GnuTLS commits:
+ * b6d29bb1737f96ac44a8ef9cc9fe7f9837e20465
+ * a9bd8c4d3a639c40adb964349297f891f583a21b
+ * 531bec47037e882af32963f8461988f8c724919e
+ * 7c45ebbdd877cd994b6b938bd6faef19558a01e1
+ * 8d28901a3ebd2589d0fc9941475d50f04047f6fe
+ * 28065ce3896b1b0f87972d0bce9b17641ebb69b9
+ */
+
+ if (!vpninfo->ciphersuite_config) {
struct oc_text_buf *buf = buf_alloc();
#ifdef DEFAULT_PRIO
buf_append(buf, "%s", DEFAULT_PRIO ":%COMPAT");
vpninfo->ciphersuite_config = buf->data;
buf->data = NULL;
buf_free(buf);
- }
+ }
err = gnutls_priority_set_direct(vpninfo->https_sess,
vpninfo->ciphersuite_config, NULL);
if (ret)
goto out;
- /* XX: last_trojan is used both as a sentinel to detect the
- * first time we check/submit HIP, and for the mainloop to timeout
- * when periodic re-checking is required.
- */
+ /* XX: last_trojan is used both as a sentinel to detect the
+ * first time we check/submit HIP, and for the mainloop to timeout
+ * when periodic re-checking is required.
+ */
vpninfo->last_trojan = time(NULL);
/* Default HIP re-checking to 3600 seconds unless already set by
static const char spnego_OID[] = "\x2b\x06\x01\x05\x05\x02";
static const gss_OID_desc gss_mech_spnego = {
- 6,
+ 6,
(void *)&spnego_OID
};
free(vpninfo->redirect_url);
vpninfo->redirect_url = NULL;
return 0;
- } else if (vpninfo->redirect_url[0] == '/') {
- /* Absolute redirect within same host */
- free(vpninfo->urlpath);
- vpninfo->urlpath = strdup(vpninfo->redirect_url + 1);
- free(vpninfo->redirect_url);
- vpninfo->redirect_url = NULL;
- return 0;
+ } else if (vpninfo->redirect_url[0] == '/') {
+ /* Absolute redirect within same host */
+ free(vpninfo->urlpath);
+ vpninfo->urlpath = strdup(vpninfo->redirect_url + 1);
+ free(vpninfo->redirect_url);
+ vpninfo->redirect_url = NULL;
+ return 0;
} else if (strstr(vpninfo->redirect_url, "://")) {
vpn_progress(vpninfo, PRG_ERR,
_("Cannot follow redirection to non-https URL '%s'\n"),
struct oc_vpn_proto *pr;
int i, j;
- /* The original version of this function included an all-zero
- * sentinel value at the end of the array, so we must continue
- * to do so for ABI compatibility even though it's
- * functionally redundant as a marker of the array's length,
- * along with the explicit length in the return value.
- */
+ /* The original version of this function included an all-zero
+ * sentinel value at the end of the array, so we must continue
+ * to do so for ABI compatibility even though it's
+ * functionally redundant as a marker of the array's length,
+ * along with the explicit length in the return value.
+ */
*protos = pr = calloc(NR_PROTOS + 1, sizeof(*pr));
if (!pr)
return -ENOMEM;
return NULL;
#endif
}
- return vpninfo->dtls_cipher_desc;
+ return vpninfo->dtls_cipher_desc;
}
int openconnect_set_csd_environ(struct openconnect_info *vpninfo,
int n;
n = openconnect_get_supported_protocols(&protos);
- if (n>=0) {
+ if (n>=0) {
printf(_("Supported protocols:"));
for (p=protos; n; p++, n--) {
printf("%s%s%s", sep, p->name, p==protos ? _(" (default)") : "");
int n;
n = openconnect_get_supported_protocols(&protos);
- if (n>=0) {
+ if (n>=0) {
printf("\n%s:\n", _("Set VPN protocol"));
for (p=protos; n; p++, n--)
printf(" --protocol=%-16s %s%s\n",
vpn_progress(vpninfo, PRG_TRACE, _("Using base_mtu of %d\n"), base_mtu);
- /* base_mtu is now (we hope) the PMTU between our external network interface
+ /* base_mtu is now (we hope) the PMTU between our external network interface
* and the VPN gateway */
if (!mtu) {
vpn_progress(vpninfo, PRG_TRACE, _("After removing %s/IPv%d headers, MTU of %d\n"),
(is_udp ? "UDP" : "TCP"), vpninfo->peer_addr->sa_family == AF_INET6 ? 6 : 4, mtu);
- /* MTU is now (we hope) the number of payload bytes that can fit in a UDP or
+ /* MTU is now (we hope) the number of payload bytes that can fit in a UDP or
* TCP packet exchanged with the VPN gateway. */
mtu -= unpadded_overhead; /* remove protocol-specific overhead that isn't affected by padding */
struct http_auth_state *auth_state,
struct oc_text_buf *buf, const char *challenge)
{
- SECURITY_STATUS status;
- SecBufferDesc input_desc, output_desc;
- SecBuffer in_token, out_token;
- ULONG ret_flags;
+ SECURITY_STATUS status;
+ SecBufferDesc input_desc, output_desc;
+ SecBuffer in_token, out_token;
+ ULONG ret_flags;
if (challenge) {
int token_len = -EINVAL;
in_token.cbBuffer = token_len;
}
- output_desc.cBuffers = 1;
- output_desc.pBuffers = &out_token;
- output_desc.ulVersion = SECBUFFER_VERSION;
+ output_desc.cBuffers = 1;
+ output_desc.pBuffers = &out_token;
+ output_desc.ulVersion = SECBUFFER_VERSION;
- out_token.BufferType = SECBUFFER_TOKEN;
- out_token.cbBuffer = 0;
- out_token.pvBuffer = NULL;
+ out_token.BufferType = SECBUFFER_TOKEN;
+ out_token.cbBuffer = 0;
+ out_token.pvBuffer = NULL;
status = InitializeSecurityContextW(&auth_state->ntlm_sspi_cred,
challenge ? &auth_state->ntlm_sspi_ctx : NULL,
struct http_auth_state *auth_state,
struct oc_text_buf *buf)
{
- SECURITY_STATUS status;
+ SECURITY_STATUS status;
int ret;
status = AcquireCredentialsHandleW(NULL, (SEC_WCHAR *)L"NTLM",
#define LM_PASSWORD_MAGIC "\x4B\x47\x53\x21\x40\x23\x24\x25" \
"\x4B\x47\x53\x21\x40\x23\x24\x25" \
- "\x00\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00"
static void ntlm_lanmanager_hash (const char *password, char hash[21])
{
#ifndef HAVE_SSL_CIPHER_FIND
static const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr)
{
- return ssl->method->get_cipher_by_char(ptr);
+ return ssl->method->get_cipher_by_char(ptr);
}
#endif
}
out:
- buf_free(buf);
+ buf_free(buf);
return ret;
}
len = load_be16(p + 2);
}
- if (code > 0 && code <= 11)
+ if (code > 0 && code <= 11)
vpn_progress(vpninfo, PRG_TRACE, _("Received %s/id %d %s from server\n"), proto_names(proto), id, lcp_names[code]);
switch (code) {
case CONFREQ:
projects / users / dwmw2 / openconnect.git / commitdiff