If we claim to be a new enough client, and the Pulse server is configured
for *optional* certificates, then it tunnels EAP-TLS *through* the
established EAP-TTLS session if we didn't provide a certificate the first
time. I don't know why; we'll always have provided a client cert in the
outer EAP-TTLS session anyway.
Looks like rejecting it with EAP_TYPE_NAK, and even sending a fatal 'no
certificate' alert inside EAP-TLS, don't work. We might actually have to
go through with a full handshake.
Signed-off-by: David Woodhouse <email address hidden>

Add --no-external-auth option, and follow it for Cisco protocol
This option is intended to prevent OpenConnect from advertising to the
server that it supports any kind of authentication mode that requires an
external browser. Some servers will force the client to use such an
authentication mode if the client advertises it, but fall back to a
"scriptable" authentication mode if the client doesn't appear to support it.
See https://gitlab.com/openconnect/openconnect/-/issues/470#note_1028595620
for an example.
This option is only implemented here for the Cisco protocol, in which case
it causes OpenConnect not to advertise the 'single-sign-on-v2' or
'single-sign-on-external-browser' auth-methods.

If we have a --server argument, we shouldn't expect to find a positional
argument at argv[optind]. We mostly got this right, except that we still
called config_lookup_host() with argv[optind] even when --server was
given.
The only thing that saved us from dying with a strcmp() on NULL was
the fact that the loop over the XML elements is using the fact that
vpninfo->hostname gets set as its terminating condition, so it never
got that far.
Fix that, because it's icky. And make the --server argument work for
XML config lookups too.
Fixes: a2fd6f4f2e8a ("New option to define server name in config file")
Signed-off-by: David Woodhouse <email address hidden>

Generate $(INSTALLER_PREFIX) automatically instead of having to pass it
in explicitly, and then the COPR builds should probably work again.
It's kind of awful that we can't get the real version string in the
Makefile so we don't actually know what the true target name is, but
we can live with it.
Fixes: a2dbef082512 ("Unique names for each variant openconnect-installer.exe")
Signed-off-by: David Woodhouse <email address hidden>

The json_object_entry structure doesn't exist in json-parser 1.1.0, which
is the latest release and what's shipped by distributions. It's an
anonymous struct as part of the union there, so reference its 'name'
and 'value' as separate pointers.
This should fix the COPR package builds which have been failing.
Fixes: 514cacaff59f ("Parse JSON login forms for F5")
Signed-off-by: David Woodhouse <email address hidden>

Redirect stdout to stderr when spawning external browser
When running in --authenticate mode we don't want to pollute stdout. So
just redirect it to stderr instead.
Chrome is known to be noisy to stdout when it's reusing an existing
session, and we've already patched NetworkManager to do the same because
it also suffers from stdout pollution.
Signed-off-by: David Woodhouse <email address hidden>
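The stdout-to-stderr redirect described in the last commit, as an added C example that is not OpenConnect's own code: the child's stdout is dup2'd onto its stderr before exec, so a noisy external program cannot write into the stream that carries the --authenticate result. The demo runs a constructed shell command (a stand-in for the browser, not a real browser invocation) with its stderr captured through a pipe and checks that both lines arrived there.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Spawn argv[] with the child's stdout redirected onto its stderr, so nothing
 * the child prints can land on the parent's stdout (which, in --authenticate
 * mode, carries the machine-readable result).
 * If capture_fd >= 0, the child's stderr is first pointed at capture_fd so
 * the caller can read back everything the child wrote.
 * Returns the child's exit status, or -1 on failure. */
int spawn_stdout_to_stderr(char *const argv[], int capture_fd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (capture_fd >= 0 && dup2(capture_fd, STDERR_FILENO) < 0)
            _exit(127);
        /* The key step: from here on, stdout is an alias of stderr. */
        if (dup2(STDERR_FILENO, STDOUT_FILENO) < 0)
            _exit(127);
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo (constructed input): a child that writes to both streams, standing in
 * for a chatty browser. Everything it emits is read back through one pipe
 * attached to its stderr. Returns 1 if both lines arrived there, i.e. the
 * stdout line was successfully diverted. */
int demo_noisy_child_is_silenced(void)
{
    int fds[2];
    if (pipe(fds) < 0)
        return 0;
    char *const argv[] = { "sh", "-c", "echo to-stdout; echo to-stderr >&2", NULL };
    int rc = spawn_stdout_to_stderr(argv, fds[1]);
    close(fds[1]);
    char buf[256] = { 0 };
    ssize_t n = read(fds[0], buf, sizeof(buf) - 1);
    close(fds[0]);
    if (rc != 0 || n <= 0)
        return 0;
    return (strstr(buf, "to-stdout") && strstr(buf, "to-stderr")) ? 1 : 0;
}
```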