[PATCH] openconnect: add initial support for openconnect ssl vpn.

Jason openconnect at lakedaemon.net
Fri Jul 15 09:54:19 EDT 2011


On Thu, Jul 14, 2011 at 08:17:01PM -0700, David Woodhouse wrote:
> On Fri, 2011-07-15 at 01:38 +0000, openconnect at lakedaemon.net wrote:
> > 
> > +        if(strcmp("--passwd-on-stdin", argv[i]) == 0) {
> > +            data = strdup(argv[i + 1]);
> > +            i++; 
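Review bot: `argv[i + 1]` is read without first checking `i + 1 < argc`, so `--passwd-on-stdin` given as the last argument makes `strdup` dereference the terminating NULL entry of `argv` and crash; either guard the copy with `if (i + 1 >= argc)` (and check the `strdup` result), or, since the option is not meant to stay, drop the branch altogether.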
> 
> Seriously, just *don't* support that. The only invocation of openconnect
> that you ever want mtp to do is

Yep, that was just for me to get early success.  I'll remove it before
submitting to Cyanogen and after I add the webform dialog.

>  openconnect --cookie-on-stdin $HOSTNAME:$PORT --servercert $FINGERPRINT
> 
> Four fixed arguments (including the cookie). And maybe --script would be
> a fifth.
> 
> Note also that if you really want privilege separation so openconnect
> doesn't run as root, you need to:
>  - Set up the tun device for it in advance (TUNSETPERSIST, TUNSETOWNER)
> 
>  - Arrange for the routing setup to be done somewhere other than in the
>    script that it spawns. That script obviously won't have root privs 
>    *either*, so won't be allowed to configure the network. In the
>    NetworkManager case, the --script argument points to a simple DBus
>    client that sends all the information back to NetworkManager, which
>    does the setup accordingly.

I was thinking about setting up a return pipe from openconnect to mtpd.
Would you be amenable to a patch writing the config out to stdout or
stderr?  mtpd could then configure everything as needed.  No script
option would be necessary at all.

I would also push log messages out the same pipe so mtpd on up could
parse for status changes.

thanks for the review and comments,

Jason.



More information about the openconnect-devel mailing list