[RFC] Support new authentication exchange format

Kevin Cernekee cernekee at gmail.com
Sun Oct 28 04:52:17 EDT 2012

Newer AnyConnect installations may have compatibility issues with
OpenConnect for several reasons:

1) The gateway may look for new HTTP headers that are currently
missing (but recent versions of the AnyConnect client do send them).

2) The gateway can be configured to check those headers for
information like the client's host OS, and deny access if it doesn't
say e.g. "Windows."

3) They expect the auth POST data to be in XML format, rather than
just a urlencoded query string.

4) They expect other information in the POST data (like copying an
"opaque" field from the auth request).  Some of this information is
used for things like aborting the VPN connection if the server
configuration has changed since the form was first rendered.

5) CSD/Hostscan looks like it might be more closely integrated with
vpnui/vpn now.  The gateway no longer provides a valid URL to the
trojan binary, and it isn't clear how to run it on its own anymore.

I took a crack at addressing these items, and it is working for me
now.  But there were quite a few changes and it would be good to get
some additional review and/or test coverage.

Web: https://github.com/cernekee/openconnect/commits/xmlpost-v1

The following changes since commit b65bf54c330d3d45414f004009cf6a94e37e33f9:

  Fix missing verb in Solaris error message (2012-10-22 17:00:05 +0100)

are available in the git repository at:

  git://github.com/cernekee/openconnect xmlpost-v1

for you to fetch changes up to d7f91bbd038dcee3ca803a90d38f7456fe8229f2:

  stoken: Fix CSD/stoken interaction (2012-10-28 01:22:56 -0700)

Kevin Cernekee (21):
      openssl: Fix missing newline on "Failed to write" error string
      http: Split HTTP redirect and cookie clear logic into helper functions
      http: Fix overflow on HTTP request buffers
      http: Create add_common_headers() to simplify HTTP request code
      auth: Remove obsolete trace message from parse_form()
      auth: Move <auth> node parsing into a separate function
      auth: Introduce new XML helper functions for parse_auth_node()
      auth: Don't forget to free OC_FORM_OPT_STOKEN entries
      auth: Split auth form prompt logic from parsing logic
      auth: Parse the new server response format
      library: Add call to change reported OS name
      Allow setting reported OS from the command line
      auth: Add new XML POST capability
      http: Split GET/POST logic into a helper function
      http: Add new X-* HTTP headers
      http: Record the last redirection type
      csd: Don't return from run_csd_script() in the forked process
      csd: Export some useful environment variables
      http: Rewrite openconnect_obtain_cookie() loop
      Fix a couple of valgrind warnings
      stoken: Fix CSD/stoken interaction

 auth.c                 |  481 ++++++++++++++++++++++++++++++-------
 http.c                 |  620 ++++++++++++++++++++++++++++++++++--------------
 libopenconnect.map.in  |    5 +
 library.c              |   41 +++-
 main.c                 |   15 +-
 openconnect-internal.h |   18 +-
 openconnect.h          |    4 +
 openssl.c              |    2 +-
 8 files changed, 916 insertions(+), 270 deletions(-)

More information about the openconnect-devel mailing list