GlobalProtect: always set clientos=Windows in relevant requests, regardless of actual OS

I've tried, whenever possible, not to lie to the server about the client
configuration.  However, there are now multiple cases where a GlobalProtect
server responds with a misleading error when the `ssl-vpn/login.esp` request doesn't
contain the exact, magic value of `clientos=Windows`.

* dlenski#86
  ("Assign private IP address failed" unless `clientos=Windows` in `ssl-vpn/login.esp` request)

* dlenski#116
  ("Invalid username or password" unless `clientos=Windows` in `ssl-vpn/login.esp` request)

These cases are very difficult to debug because they seem to be suggesting totally unrelated
errors.

For reliability, this patch makes openconnect always specify `clientos=Windows` in relevant
requests, regardless of the actual `vpninfo->platname`. (The `vpninfo->platname` value can
still be sent in the "free-form" `os-version` field, as far as I can tell.)

Signed-off-by: Daniel Lenski <[email protected]>
dlenski authored and crazymanjinn committed Sep 28, 2018
1 parent 89c1161 commit e85c3c9
Showing 2 changed files with 3 additions and 10 deletions.
7 changes: 2 additions & 5 deletions auth-globalprotect.c
Expand Up @@ -362,11 +362,8 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, char *pw_or_

/* submit gateway login (ssl-vpn/login.esp) or portal config (global-protect/getconfig.esp) request */
buf_truncate(request_body);
buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:");
if (!strcmp(vpninfo->platname, "win"))
append_opt(request_body, "clientos", "Windows");
else
append_opt(request_body, "clientos", vpninfo->platname);
buf_append(request_body, "jnlpReady=jnlpReady&ok=Login&direct=yes&clientVer=4100&prot=https:&clientos=Windows");
append_opt(request_body, "os-version", vpninfo->platname);
append_opt(request_body, "server", vpninfo->hostname);
append_opt(request_body, "computer", vpninfo->localname);
if (vpninfo->ip_info.addr)
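
Review bot: the hardcoded `&clientos=Windows` at the end of the `buf_append` literal in `gpst_login` carries no comment saying why `vpninfo->platname` is ignored here, so a later cleanup could easily restore the old `if (!strcmp(vpninfo->platname, "win"))` branch and bring back the misleading login errors. Suggest a one-line comment above it pointing at dlenski#86 and dlenski#116. Separately, `append_opt(request_body, "os-version", vpninfo->platname);` is new in this request and the commit message only says it works "as far as I can tell"; for any platname other than "win" the request now carries a `clientos` and an `os-version` that disagree, so it is worth confirming against one of the affected gateways that this pair is accepted.
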
6 changes: 1 addition & 5 deletions gpst.c
Expand Up @@ -590,12 +590,8 @@ static int gpst_get_config(struct openconnect_info *vpninfo)
char *xml_buf=NULL;

/* submit getconfig request */
buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10");
buf_append(request_body, "client-type=1&protocol-version=p1&app-version=3.0.1-10&clientos=Windows");
append_opt(request_body, "os-version", vpninfo->platname);
if (!strcmp(vpninfo->platname, "win"))
append_opt(request_body, "clientos", "Windows");
else
append_opt(request_body, "clientos", vpninfo->platname);
append_opt(request_body, "hmac-algo", "sha1,md5");
append_opt(request_body, "enc-algo", "aes-128-cbc,aes-256-cbc");
if (old_addr) {
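
Review bot: this hunk applies the `clientos=Windows` override to the getconfig request in `gpst_get_config`, but the commit message reports the misleading errors only for `ssl-vpn/login.esp`; say in the message or in a comment whether getconfig was seen to need the same value or is being changed for consistency. The literal `clientos=Windows` is also now embedded in two separate request strings (here and in `gpst_login`), so a shared `#define` would keep the two requests from drifting apart if the value ever has to change.
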