vimacs
pushed to h3cssl at vimacs/openconnect
- a8c89f9683 Add h3c TLS VPN protocol
This implements the protocol used by the H3C VPN client
version iNode PC 7.3 (E0583).
- 0e82c93714 Do not add 'single-sign-on' to the capabilities list for AnyConnect auth requests
In 024336a8ddeb1754ae5e8fb18770e90c206070b1, we added 'single-sign-on-v2' to
the list of auth-methods capabilities in AnyConnect auth requests, and also
included 'single-sign-on' (no '-v2') because we had seen it included in a
MITM capture from a Cisco client. See discussion at
https://gitlab.com/openconnect/openconnect/-/merge_requests/126#note_853084596.
However, OpenConnect does not actually know how to handle the
'single-sign-on' case, and including it appears to confuse Cisco servers and
cause them not to return the expected XML structure in their subsequent
responses. See
https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/72 and
further discussion on
https://gitlab.com/openconnect/openconnect/-/merge_requests/394.
Removing 'single-sign-on' from the list of auth-methods capabilities should
resolve this issue.
Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>
Co-Authored-By: Eric Work <work.eric@gmail.com>
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- 745126b750 Parse GlobalProtect XML more leniently
This will cause the parser to ignore errant '&' characters, and should thus
fix https://gitlab.com/openconnect/openconnect/-/issues/466.
A similar fix was needed for Cisco's XML responses back in
https://gitlab.com/openconnect/openconnect/-/commit/1b7537d7ec1638e23c93165f5fe28bae2b1cd488,
and the F5 and Fortinet protocols also now use it when parsing XML.
The GlobalProtect protocol can (insanely) provide either XML or JavaScript-y
responses, with no warning or other obvious differentiators, so in this case
we need to use the XML_PARSE_RECOVER flag very carefully, since it causes
*anything* to be parsed successfully as an XML document, even an empty
one.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
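As an added example (not OpenConnect's own code, and in Python rather than the project's C): a response classifier in the spirit of the lenient parsing described in the commit above. Python's standard library has no equivalent of libxml2's XML_PARSE_RECOVER, so the leniency here is a stand-in: parse strictly first, then escape stray '&' characters and retry, and only then treat the body as non-XML. The function names, the `prelogin-response` root element and the sample bodies are constructed for illustration and are not taken from the GlobalProtect protocol.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# An '&' that does NOT start a well-formed entity or character reference
# (&name; &#decimal; &#xhex;). Only those get escaped; real references stay.
_STRAY_AMP = re.compile(r"&(?!(?:[A-Za-z_][A-Za-z0-9._-]*|#[0-9]+|#x[0-9A-Fa-f]+);)")


def escape_stray_ampersands(body: str) -> str:
    """Turn a bare '&' into '&amp;' so a strict XML parser accepts the text.

    Stand-in for libxml2's XML_PARSE_RECOVER (assumption: we only want to
    tolerate errant ampersands, nothing else)."""
    return _STRAY_AMP.sub("&amp;", body)


def xml_or_error(body: str, expected_root: str) -> Tuple[str, Optional[ET.Element]]:
    """Classify a server response body.

    Returns:
      ("xml", root)                 body is XML and its root is `expected_root`
      ("xml-unexpected-root", root) body is XML but with some other root element
      ("not-xml", None)             body is not XML at all (e.g. a JavaScript-y
                                    error page); caller takes the non-XML path
    The final root-name check is the guard that matters when a recovering
    parser is used: recovery accepts anything, so a non-None document proves
    nothing until its root element has been inspected.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Strict parse failed; retry after neutralising errant '&' only.
        try:
            root = ET.fromstring(escape_stray_ampersands(body))
        except ET.ParseError:
            return ("not-xml", None)
    if root.tag != expected_root:
        return ("xml-unexpected-root", root)
    return ("xml", root)


# Constructed sample bodies (hypothetical, not captured from a real server).
GOOD_XML = "<prelogin-response><status>Success</status></prelogin-response>"
STRAY_AMP_XML = (
    "<prelogin-response><msg>Login & password required</msg></prelogin-response>"
)
JS_ERROR_BODY = 'var error = {"msg": "Session expired"};'
OTHER_ROOT_XML = "<error><msg>Service unavailable</msg></error>"

if __name__ == "__main__":
    for name, body in [("good", GOOD_XML), ("stray-amp", STRAY_AMP_XML),
                       ("js", JS_ERROR_BODY), ("other-root", OTHER_ROOT_XML)]:
        kind, root = xml_or_error(body, "prelogin-response")
        print(f"{name:10s} -> {kind}" + (f" (root <{root.tag}>)" if root is not None else ""))
```

The part to carry back to the C code is the last check in `xml_or_error`: with XML_PARSE_RECOVER, as the commit message notes, any input parses "successfully", possibly as an empty document, so the caller must test `xmlDocGetRootElement()` for NULL and compare the root element name before believing it has XML in hand.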
- cb2be91062 Distinguish XML and non-XML error paths in gpst_xml_or_error
This should help with debugging https://gitlab.com/openconnect/openconnect/-/issues/466
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
- e48fd023cf Don't set xmlReadMemory's URL argument to "noname.xml"
This argument has been present "since the beginning" (aka 2008,
https://gitlab.com/openconnect/openconnect/eaa41be14d94694b5523c3d97bd5af38c472ab23),
but it's neither meaningful nor necessary, even if we were to enable
libxml2's built-in printing of XML parse errors.
So let's remove it.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
2 years ago