oc_token_mode_t token_mode, const char *token_str)
{
int ret;
+ char *file_token = NULL;
- ret = openconnect_set_token_mode(vpninfo, token_mode, token_str);
+ if (token_str) {
+ if (token_str[0] == '@')
+ read_file_into_string(vpninfo, &token_str[1], &file_token);
+ else if (token_str[0] == '/')
+ read_file_into_string(vpninfo, token_str, &file_token);
+ }
+
+ ret = openconnect_set_token_mode(vpninfo, token_mode, file_token ? : token_str);
+ free(file_token);
switch (token_mode) {
case OC_TOKEN_MODE_STOKEN:
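Review bot: The result of both `read_file_into_string()` calls is discarded, so when the token file is missing or unreadable `file_token` stays NULL and `file_token ? : token_str` passes the literal `@path` or `/path` argument to `openconnect_set_token_mode()` as if it were the secret. The user would then most likely see a token parse error instead of a file error, so the read should be checked and reported before the call, for example with a guard such as `if ((token_str[0] == '@' || token_str[0] == '/') && !file_token)` inside the `if (token_str)` block; how the helper itself signals failure is not visible in this hunk. Separately, `free(file_token)` releases the seed without clearing it, so wiping the buffer first would keep the secret from lingering in heap memory. A short comment explaining that a leading `@` or `/` selects a file, and that `? :` with an omitted middle operand is a GNU extension, would also help the next reader. The function starts above this hunk and the `switch` continues below it.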
.OP \-\-no\-xmlpost
.OP \-\-non\-inter
.OP \-\-passwd\-on\-stdin
-.OP \-\-token-mode mode
-.OP \-\-token-secret secret\fR[\fI,counter\fR]
+.OP \-\-token\-mode mode
+.OP \-\-token\-secret {secret\fR[\fI,counter\fR]|@\fIfile\fR}
.OP \-\-reconnect\-timeout
.OP \-\-servercert sha1
.OP \-\-useragent string
.B \-\-token\-mode=hotp
will call liboath to generate an RFC 4226 HMAC-based password.
.TP
-.B \-\-token\-secret=SECRET[,COUNTER]
+.B \-\-token\-secret={ SECRET[,COUNTER] | @FILENAME }
The secret to use when generating one-time passwords/verification codes.
Base 32-encoded TOTP/HOTP secrets can be used by specifying "base32:" at the
beginning of the secret, and for HOTP secrets the token counter can be
specified following a comma.
+RSA SecurID secrets can be specified as an Android/iPhone URI or a raw numeric
+CTF string (with or without dashes).
+
+.IR FILENAME ,
+if specified, can contain any of the above strings. Or, it can contain a
+SecurID XML (SDTID) seed.
+
If this option is omitted, and \-\-token\-mode is
"rsa", libstoken will try to use the software token seed saved in
.B ~/.stokenrc