
Merge pull request #1442 from nmav/oc

openconnect: added support for supplying a fixed second password.
lilik-openwrt-22.03
Nikos Mavrogiannopoulos 10 years ago
parent
commit
1b426f5bcf
3 changed files with 141 additions and 3 deletions
  1. +13
    -2
      net/openconnect/README
  2. +3
    -1
      net/openconnect/files/openconnect.sh
  3. +125
    -0
      net/openconnect/patches/001-Allow-processing-two-passwords-from-stdin-in-non-int.patch

+ 13
- 2
net/openconnect/README

@ -10,11 +10,22 @@ config interface 'MYVPN'
option username 'test' option username 'test'
option password 'secret' option password 'secret'
option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25' option serverhash 'AE7FF6A0426F0A0CD0A02EB9EC3C5066FAEB0B25'
option token_mode 'rsa' # when built with stoken support
option token_secret 'secret' # when built with stoken support
option defaultroute '0' option defaultroute '0'
option authgroup 'DEFAULT' option authgroup 'DEFAULT'
# For second factor auth:
# when a fixed 2FA password can be used
#option password2 'my-fixed-2fa-password'
# RSA tokens, must be built with stoken support
#option token_mode 'rsa'
#option token_secret 'secret'
# HOTP/TOTP tokens
#option token_mode 'hotp'
#option token_secret '00'
The additional files are also used: The additional files are also used:
/etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate /etc/openconnect/user-cert-vpn-MYVPN.pem: The user certificate
/etc/openconnect/user-key-vpn-MYVPN.pem: The user private key /etc/openconnect/user-key-vpn-MYVPN.pem: The user private key


+ 3
- 1
net/openconnect/files/openconnect.sh

@ -10,6 +10,7 @@ proto_openconnect_init_config() {
proto_config_add_string "serverhash" proto_config_add_string "serverhash"
proto_config_add_string "authgroup" proto_config_add_string "authgroup"
proto_config_add_string "password" proto_config_add_string "password"
proto_config_add_string "password2"
proto_config_add_string "token_mode" proto_config_add_string "token_mode"
proto_config_add_string "token_secret" proto_config_add_string "token_secret"
proto_config_add_string "interface" proto_config_add_string "interface"
@ -22,7 +23,7 @@ proto_openconnect_init_config() {
proto_openconnect_setup() { proto_openconnect_setup() {
local config="$1" local config="$1"
json_get_vars server port username serverhash authgroup password interface token_mode token_secret os csd_wrapper
json_get_vars server port username serverhash authgroup password password2 interface token_mode token_secret os csd_wrapper
grep -q tun /proc/modules || insmod tun grep -q tun /proc/modules || insmod tun
@ -65,6 +66,7 @@ proto_openconnect_setup() {
mkdir -p /var/etc mkdir -p /var/etc
pwfile="/var/etc/openconnect-$config.passwd" pwfile="/var/etc/openconnect-$config.passwd"
echo "$password" > "$pwfile" echo "$password" > "$pwfile"
[ -n "$password2" ] && echo "$password2" >> "$pwfile"
append cmdline "--passwd-on-stdin" append cmdline "--passwd-on-stdin"
} }
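Review bot: The second factor is appended to the same `$pwfile` as the first password, and nothing visible in the `@ -65,6 +66,7 @` hunk restricts that file's mode. If no `umask` or `chmod` is applied in the part of proto_openconnect_setup outside the hunk, both credentials end up in a file created with the default umask; running `umask 077` before the first `echo "$password" > "$pwfile"` would keep it readable by root only. `echo` also takes a value such as `-n` as an option rather than data, so `[ -n "$password2" ] && printf '%s\n' "$password2" >> "$pwfile"` is the safer form for arbitrary passwords. proto_openconnect_setup starts and ends outside the hunks shown.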


+ 125
- 0
net/openconnect/patches/001-Allow-processing-two-passwords-from-stdin-in-non-int.patch

@ -0,0 +1,125 @@
From 5f2e24fdc9935d049a7e4a5b6e10461e9467597f Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Thu, 18 Jun 2015 22:38:05 +0200
Subject: [PATCH] Allow processing two passwords from stdin in non-interactive
mode
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
---
main.c | 38 ++++++++++++++++++++++++++------------
1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/main.c b/main.c
index 3b976d8..f853afe 100644
--- a/main.c
+++ b/main.c
@@ -85,6 +85,7 @@ static int do_passphrase_from_fsid;
static int nocertcheck;
static int non_inter;
static int cookieonly;
+static int allow_stdin_read;
static char *token_filename;
static char *server_cert = NULL;
@@ -358,7 +359,7 @@ static char *convert_arg_to_utf8(char **argv, char *arg)
#define vfprintf vfprintf_utf8
#define is_arg_utf8(str) (0)
-static void read_stdin(char **string, int hidden)
+static void read_stdin(char **string, int hidden, int allow_fail)
{
CONSOLE_READCONSOLE_CONTROL rcc = { sizeof(rcc), 0, 13, 0 };
HANDLE stdinh = GetStdHandle(STD_INPUT_HANDLE);
@@ -375,6 +376,7 @@ static void read_stdin(char **string, int hidden)
char *errstr = openconnect__win32_strerror(GetLastError());
fprintf(stderr, _("ReadConsole() failed: %s\n"), errstr);
free(errstr);
+ *string = NULL;
goto out;
}
@@ -622,7 +624,7 @@ static void print_build_opts(void)
#ifndef _WIN32
static const char default_vpncscript[] = DEFAULT_VPNCSCRIPT;
-static void read_stdin(char **string, int hidden)
+static void read_stdin(char **string, int hidden, int allow_fail)
{
char *c, *buf = malloc(1025);
int fd = fileno(stdin);
@@ -648,8 +650,14 @@ static void read_stdin(char **string, int hidden)
}
if (!buf) {
- perror(_("fgets (stdin)"));
- exit(1);
+ if (allow_fail) {
+ *string = NULL;
+ free(buf);
+ return;
+ } else {
+ perror(_("fgets (stdin)"));
+ exit(1);
+ }
}
c = strchr(buf, '\n');
@@ -1160,13 +1168,14 @@ int main(int argc, char **argv)
cookieonly = 3;
break;
case OPT_COOKIE_ON_STDIN:
- read_stdin(&vpninfo->cookie, 0);
+ read_stdin(&vpninfo->cookie, 0, 0);
/* If the cookie is empty, ignore it */
if (!*vpninfo->cookie)
vpninfo->cookie = NULL;
break;
case OPT_PASSWORD_ON_STDIN:
- read_stdin(&password, 0);
+ read_stdin(&password, 0, 0);
+ allow_stdin_read = 1;
break;
case OPT_NO_PASSWD:
vpninfo->nopasswd = 1;
@@ -1708,7 +1717,7 @@ static int validate_peer_cert(void *_vpninfo, const char *reason)
fprintf(stderr, _("Enter '%s' to accept, '%s' to abort; anything else to view: "),
_("yes"), _("no"));
- read_stdin(&response, 0);
+ read_stdin(&response, 0, 0);
if (!response)
return -EINVAL;
@@ -1779,19 +1788,24 @@ static char *prompt_for_input(const char *prompt,
struct openconnect_info *vpninfo,
int hidden)
{
- char *response;
+ char *response = NULL;
fprintf(stderr, "%s", prompt);
fflush(stderr);
if (non_inter) {
- fprintf(stderr, "***\n");
- vpn_progress(vpninfo, PRG_ERR,
+ if (allow_stdin_read) {
+ read_stdin(&response, hidden, 1);
+ }
+ if (response == NULL) {
+ fprintf(stderr, "***\n");
+ vpn_progress(vpninfo, PRG_ERR,
_("User input required in non-interactive mode\n"));
- return NULL;
+ }
+ return response;
}
- read_stdin(&response, hidden);
+ read_stdin(&response, hidden, 0);
return response;
}
--
2.1.4
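Review bot: In prompt_for_input, once `--passwd-on-stdin` has set `allow_stdin_read`, every prompt raised in non-interactive mode consumes the next stdin line, whether or not `hidden` is set. If the server presents an unexpected text field before the second-password prompt, the line meant as the second factor would presumably be submitted as that field's value, where it may be handled as non-secret data. Restricting the fallback to password fields, `if (allow_stdin_read && hidden) {`, would narrow this. In the POSIX read_stdin, the `free(buf);` inside `if (!buf)` is a no-op on a NULL pointer and can be dropped, and the Windows read_stdin takes `allow_fail` without using it in the visible hunks. Both read_stdin bodies extend beyond the hunks, so the terminal-echo restore on the new early `return` could not be checked here.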
