From: David Woodhouse Date: Sat, 15 Jun 2019 21:20:50 +0000 (+0100) Subject: Revert "Look a lot more like the Windows client..." X-Git-Tag: v8.04~16 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=3fb7645608e49c875c20f55352990c7c883bbf96;p=users%2Fdwmw2%2Fopenconnect.git Revert "Look a lot more like the Windows client..." This reverts commit 8b3f467a9280dabc5b151feb88b894895178bf91, which was only really for testing and I never meant to push it to the master branch. Apparently it makes the server do EAP-TLS within EAP-TTLS if no certificate is presented by the client. I am not ready for that level of insanity just yet. Signed-off-by: David Woodhouse
---
diff --git a/pulse.c b/pulse.c
index 9bb1a39a..220c2f5b 100644
--- a/pulse.c
+++ b/pulse.c
@@ -57,6 +57,7 @@
 #define EAP_TYPE_IDENTITY 1
 #define EAP_TYPE_GTC 6
+#define EAP_TYPE_TLS 0x0d
 #define EAP_TYPE_TTLS 0x15
 #define EAP_TYPE_EXPANDED 0xfe
@@ -1418,9 +1419,14 @@ static int pulse_authenticate(struct openconnect_info *vpninfo, int connecting)
 	buf_append_ift_hdr(reqbuf, VENDOR_TCG, IFT_CLIENT_AUTH_RESPONSE);
 	buf_append_be32(reqbuf, JUNIPER_1); /* IF-T/TLS Auth Type */
 	eap_ofs = buf_append_eap_hdr(reqbuf, EAP_RESPONSE, eap_ident, EAP_TYPE_EXPANDED, 1);
+
+#if 0
 	/* Their client sends a lot of other stuff here, which we don't
 	 * understand and which doesn't appear to be mandatory. So leave
-	 * it out for now until/unless it becomes necessary. */
+	 * it out for now until/unless it becomes necessary. It seems that * sending Pulse-Secure/4.0.0.0 or anything newer makes it do * EAP-TLS *within* the EAP-TTLS session if you don't actually * present a certificate. */
 	buf_append_avp_be32(reqbuf, 0xd49, 3);
 	buf_append_avp_be32(reqbuf, 0xd61, 0);
 	buf_append_avp_string(reqbuf, 0xd5e, "Windows");
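Review bot: EAP_TYPE_TLS is re-added in the first hunk, but nothing in the visible hunks references it, so it reads as a bare magic constant; a short comment tying it to the behaviour the commit message describes would tell the next reader why it exists, e.g. `#define EAP_TYPE_TLS 0x0d /* server may run EAP-TLS inside EAP-TTLS when no client cert is offered */`. Whether other code in pulse.c uses the value is not visible here.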
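Review bot: The explanation of what makes the server demand EAP-TLS inside EAP-TTLS now lives only inside the `#if 0` block in the second hunk, where readers and tooling skip it, while the code path that actually runs is the `#else` branch in the next hunk. Since that branch sends `vpninfo->useragent`, and the disabled comment says a Pulse-Secure/4.0.0.0-or-newer identity is what triggers the certificate demand, the live branch should carry the caveat itself, e.g. `/* Only the useragent AVP is sent; a value imitating Pulse-Secure/4.0.0.0 or newer makes the server expect EAP-TLS inside EAP-TTLS, see the #if 0 block above. */`. Keeping the whole AVP list under `#if 0` rather than deleting it is a style choice worth a one-line comment saying it is retained for future testing. pulse_authenticate starts and ends outside this hunk.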
@@ -1430,6 +1436,9 @@ static int pulse_authenticate(struct openconnect_info *vpninfo, int connecting)
 	buf_append_avp_string(reqbuf, 0xd5f, "en-US");
 	buf_append_avp_string(reqbuf, 0xd6c, "\x02\xe9\xa7\x51\x92\x4e");
 	buf_append_avp_be32(reqbuf, 0xd84, 0);
+#else
+	buf_append_avp_string(reqbuf, 0xd70, vpninfo->useragent);
+#endif
 	if (vpninfo->cookie)
 		buf_append_avp_string(reqbuf, 0xd53, vpninfo->cookie);
 	buf_fill_eap_len(reqbuf, eap_ofs);
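Review bot: The new `#else` branch passes `vpninfo->useragent` to buf_append_avp_string unconditionally, whereas the cookie two lines below is guarded with `if (vpninfo->cookie)`; if buf_append_avp_string takes the string length internally, a NULL useragent would dereference NULL. Whether useragent is always initialised before pulse_authenticate runs is not visible in this hunk, so mirroring the existing guard is the cheap defensive form: `if (vpninfo->useragent) buf_append_avp_string(reqbuf, 0xd70, vpninfo->useragent);`. Note also that useragent is a user-configurable string and, per the commit message, the server keys its EAP-TLS requirement on it, so this single AVP is what determines which authentication path the server takes. pulse_authenticate starts and ends outside this hunk.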