From 51c1c551251496d4831ada625dbd37e68a6faa39 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 4 Jun 2014 23:17:54 +0200
Subject: [PATCH] openconnect: Added configuration options for hash and user cert/key pairs
Signed-off-by: Nikos Mavrogiannopoulos
---
 net/openconnect/Makefile | 1 +
 net/openconnect/files/openconnect.sh | 28 ++++++++++++++++++++++------
 net/openconnect/files/vpnc-script | 11 +++++------
 3 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/net/openconnect/Makefile b/net/openconnect/Makefile
index 106e9bbf6..10092eee0 100644
--- a/net/openconnect/Makefile
+++ b/net/openconnect/Makefile
@@ -48,6 +48,7 @@ CONFIGURE_ARGS += \
 endif
 define Package/openconnect/install
+ $(INSTALL_DIR) $(1)/etc/openconnect/
 $(INSTALL_DIR) $(1)/lib/netifd/proto
 $(INSTALL_BIN) ./files/openconnect.sh $(1)/lib/netifd/proto/
 $(INSTALL_BIN) ./files/vpnc-script $(1)/lib/netifd/
diff --git a/net/openconnect/files/openconnect.sh b/net/openconnect/files/openconnect.sh
index 261019438..e14c0d091 100755
--- a/net/openconnect/files/openconnect.sh
+++ b/net/openconnect/files/openconnect.sh
@@ -7,7 +7,8 @@ proto_openconnect_init_config() {
 proto_config_add_string "server"
 proto_config_add_int "port"
 proto_config_add_string "username"
- proto_config_add_string "cookie"
+ proto_config_add_string "serverhash"
+ proto_config_add_string "authgroup"
 proto_config_add_string "password"
 no_device=1
 available=1
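Review bot: Removing `proto_config_add_string "cookie"` from proto_openconnect_init_config drops a previously accepted UCI option with no fallback, so any existing interface stanza that relied on `option cookie` (and the `-C` handling removed in a later hunk) silently stops authenticating; either keep the option alongside the new ones or call the removal out in the commit message. The new `serverhash` option is a certificate pin handed to `--servercert` in a later hunk, and nothing in the script says what value is expected; a short comment next to it, `# serverhash: server certificate fingerprint passed to openconnect --servercert`, would save the next reader a trip to the openconnect man page. proto_openconnect_init_config's closing brace is outside the hunk.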
@@ -16,17 +17,18 @@ proto_openconnect_init_config() {
 proto_openconnect_setup() {
 local config="$1"
- json_get_vars server port username cookie password
+ json_get_vars server port username serverhash authgroup password vgroup
 grep -q tun /proc/modules || insmod tun
+ logger -t openconnect "initializing..."
 serv_addr=
 for ip in $(resolveip -t 5 "$server"); do
 proto_add_host_dependency "$config" "$server"
 serv_addr=1
 done
 [ -n "$serv_addr" ] || {
- echo "Could not resolve server address"
+ logger -t openconnect "Could not resolve server address"
 sleep 5
 proto_setup_failed "$config"
 exit 1
@@ -34,9 +36,13 @@ proto_openconnect_setup() {
 [ -n "$port" ] && port=":$port"
- cmdline="$server$port -i vpn-$config --no-cert-check --non-inter --syslog --script /lib/netifd/vpnc-script"
+ cmdline="$server$port -i vpn-$config --non-inter --syslog --script /lib/netifd/vpnc-script"
- [ -n "$cookie" ] && append cmdline "-C $cookie"
+ [ -f /etc/openconnect/ca.pem ] && append cmdline "--cafile /etc/openconnect/ca.pem"
+ [ -f /etc/openconnect/user-cert.pem ] && append cmdline "-c /etc/openconnect/user-cert.pem"
+ [ -f /etc/openconnect/user-key.pem ] && append cmdline "--sslkey /etc/openconnect/user-key.pem"
+ [ -n "$serverhash" ] && append cmdline "--servercert=$serverhash"
+ [ -n "$authgroup" ] && append cmdline "--authgroup $authgroup"
 [ -n "$username" ] && append cmdline "-u $username"
 [ -n "$password" ] && {
 umask 077
@@ -46,10 +52,20 @@ proto_openconnect_setup() {
 }
 proto_export INTERFACE="$config"
- proto_run_command "$config" /usr/sbin/openconnect $cmdline <$pwfile
+ logger -t openconnect "executing 'openconnect $cmdline'"
+
+ if [ -f "$pwfile" ];then
+ proto_run_command "$config" /usr/sbin/openconnect $cmdline <$pwfile
+ else
+ proto_run_command "$config" /usr/sbin/openconnect $cmdline
+ fi
 }
 proto_openconnect_teardown() {
+ pwfile="/var/run/openconnect-$config.passwd"
+
+ rm -f $pwfile
+ logger -t openconnect "bringing down openconnect"
 proto_kill_command "$config"
 }
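Review bot: `vgroup` is fetched by the new `json_get_vars` line in proto_openconnect_setup but it is neither registered in proto_openconnect_init_config (earlier hunk) nor used anywhere after this line, so it is dead and just ends up empty; trim the line to `json_get_vars server port username serverhash authgroup password`. The loop variable `ip` in `for ip in $(resolveip -t 5 "$server")` is likewise never read (pre-existing, the loop only sets `serv_addr`). proto_openconnect_setup continues past the end of the hunk.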
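Review bot: Dropping `--no-cert-check` from `cmdline` turns server certificate verification on by default, which is the right change, but the three `[ -f /etc/openconnect/*.pem ]` probes only test existence: a `user-key.pem` that is group- or world-readable is still handed to `--sslkey`, and a passphrase-protected key will presumably fail under `--non-inter` with nothing in the log explaining why (openconnect has `--key-password` for that case). A comment above the block would make the expectation explicit, e.g. `# user-key.pem should be readable by root only and must not need a passphrase, since --non-inter suppresses prompts`. Note also that `--servercert=$serverhash` and `--authgroup $authgroup` are appended into `cmdline` and later expanded unquoted, so a value containing whitespace splits into separate arguments, the same limitation the existing `-u $username` line already has.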
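Review bot: proto_openconnect_teardown derives `pwfile` from `$config` but, unlike proto_openconnect_setup (`local config="$1"`), never assigns it from its argument; unless the netifd proto wrapper exports `config` itself (it appears to pass the interface name as `$1`), both `rm -f $pwfile` and the pre-existing `proto_kill_command "$config"` run with an empty name and the password file written at setup stays in `/var/run`. Add `local config="$1"` as the first line of the function and quote the removal, `rm -f "$pwfile"`. The new `logger ... "executing 'openconnect $cmdline'"` line puts the username, authgroup and server hash into syslog; the password is not part of `$cmdline` (it is fed through `$pwfile` on stdin), so this is acceptable, but a comment such as `# safe to log: the password is never in cmdline, it goes via $pwfile on stdin` would stop someone later appending a secret to it.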
diff --git a/net/openconnect/files/vpnc-script b/net/openconnect/files/vpnc-script
index 4d12d7e20..c8151471b 100755
--- a/net/openconnect/files/vpnc-script
+++ b/net/openconnect/files/vpnc-script
@@ -49,9 +49,8 @@ do_connect() {
 if [ -n "$CISCO_BANNER" ]; then
- echo "Connect Banner:"
- echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done
- echo
+ logger -t openconnect "Connect Banner:"
+ logger -t openconnect "$CISCO_BANNER" | while read LINE ; do logger -t openconnect "|" "$LINE" ; done
 fi
 proto_init_update "$TUNDEV" 1
@@ -126,11 +125,11 @@ do_disconnect() {
 #### Main
 if [ -z "$reason" ]; then
- echo "this script must be called from vpnc" 1>&2
+ logger -t openconnect "this script must be called from vpnc" 1>&2
 exit 1
 fi
 if [ -z "$INTERFACE" ]; then
- echo "this script must be called for an active interface"
+ logger -t openconnect "this script must be called for an active interface"
 exit 1
 fi
@@ -148,7 +147,7 @@ case "$reason" in
 reconnect)
 ;;
 *)
- echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
+ logger -t openconnect "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2
 exit 1
 ;;
 esac
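Review bot: `logger -t openconnect "$CISCO_BANNER" | while read LINE ; do ... ; done` never enters the loop: logger writes to syslog and emits nothing on stdout, so the banner is logged once as a single multi-line message and the per-line `"|"` prefix branch is dead code. Keep a plain printer as the producer and read raw, `printf '%s\n' "$CISCO_BANNER" | while read -r LINE; do logger -t openconnect "|" "$LINE"; done`; `read -r` also stops backslashes in the server-supplied banner from being interpreted before they reach syslog. do_connect continues outside the hunk.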
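Review bot: `logger -t openconnect "this script must be called from vpnc" 1>&2` carries the stderr redirection over from the old `echo`, but logger prints nothing on stdout, so `1>&2` is now a no-op; the same applies to the `unknown reason` arm of the `case` in the last hunk. Drop the redirection, or if the intent is to keep a copy on stderr for interactive runs, use `logger -s -t openconnect "..."` which logs and echoes to stderr in one call. The `case "$reason" in` statement starts before the last hunk.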