openconnect: update to 7.03

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2026-04-30 07:28:39 +01:00 · 2015-01-10 11:04:19 +01:00
parent a4ed431521
commit 9cb5b3864d
5 changed files with 90 additions and 24 deletions
@@ -22,7 +22,17 @@ cleanup()
 	exit 0
 }

-trap cleanup 1 2 3 6 15
+cleanup2()
+{
+	if ! test -z "$pid";then
+		kill -2 $pid
+		wait $pid
+	fi
+	exit 0
+}
+
+trap cleanup2 2
+trap cleanup 1 3 6 15

 rm -f "$pidfile"
 /usr/sbin/openconnect $* <$pwfile &
@@ -17,7 +17,7 @@ proto_openconnect_init_config() {
 proto_openconnect_setup() {
 	local config="$1"

-	json_get_vars server port username serverhash authgroup password vgroup
+	json_get_vars server port username serverhash authgroup password vgroup token_mode token_secret

 	grep -q tun /proc/modules || insmod tun

@@ -38,10 +38,23 @@ proto_openconnect_setup() {

 	cmdline="$server$port -i vpn-$config --non-inter --syslog --script /lib/netifd/vpnc-script"

-	[ -f /etc/openconnect/ca-vpn-$config.pem ] && append cmdline "--cafile /etc/openconnect/ca-vpn-$config.pem"
-	[ -f /etc/openconnect/user-cert-vpn-$config.pem ] && append cmdline "-c /etc/openconnect/user-cert-vpn-$config.pem"
-	[ -f /etc/openconnect/user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/openconnect/user-key-vpn-$config.pem"
-	[ -n "$serverhash" ] && append cmdline "--servercert=$serverhash"
+	# migrate to new config files
+	[ -f /etc/openconnect/user-cert-vpn-$config.pem ] && mv "/etc/openconnect/user-cert-vpn-$config.pem" "/etc/config/openconnect-user-cert-vpn-$config.pem"
+	[ -f /etc/openconnect/user-key-vpn-$config.pem ] && mv "/etc/openconnect/user-key-vpn-$config.pem" "/etc/config/openconnect-user-key-vpn-$config.pem"
+	[ -f /etc/openconnect/ca-vpn-$config.pem ] && mv "/etc/openconnect/ca-vpn-$config.pem" "/etc/config/openconnect-ca-vpn-$config.pem"
+
+	# read new config files
+	[ -f /etc/config/openconnect-user-cert-vpn-$config.pem ] && append cmdline "-c /etc/config/openconnect-user-cert-vpn-$config.pem"
+	[ -f /etc/config/openconnect-user-key-vpn-$config.pem ] && append cmdline "--sslkey /etc/config/openconnect-user-key-vpn-$config.pem"
+	[ -f /etc/config/openconnect-ca-vpn-$config.pem ] && {
+		append cmdline "--cafile /etc/openconnect/ca-vpn-$config.pem"
+		append cmdline "--no-system-trust"
+	}
+
+	[ -n "$serverhash" ] && {
+		append cmdline " --servercert=$serverhash"
+		append cmdline "--no-system-trust"
+	}
 	[ -n "$authgroup" ] && append cmdline "--authgroup $authgroup"
 	[ -n "$username" ] && append cmdline "-u $username"
 	[ -n "$password" ] && {
@@ -51,10 +64,13 @@ proto_openconnect_setup() {
 		append cmdline "--passwd-on-stdin"
 	}

+	[ -n "$token_mode" ] && append cmdline "--token-mode=$token_mode"
+	[ -n "$token_secret" ] && append cmdline "--token-secret=$token_secret"
+
 	proto_export INTERFACE="$config"
 	logger -t openconnect "executing 'openconnect $cmdline'"

-	if [ -f "$pwfile" ];then
+	if [ -f "$pwfile" ]; then
 		proto_run_command "$config" /usr/sbin/openconnect-wrapper $pwfile $cmdline
 	else
 		proto_run_command "$config" /usr/sbin/openconnect $cmdline
@@ -68,7 +84,7 @@ proto_openconnect_teardown() {

 	rm -f $pwfile
 	logger -t openconnect "bringing down openconnect"
-	proto_kill_command "$config"
+	proto_kill_command "$config" 2
 }

 add_protocol openconnect
@@ -26,6 +26,8 @@
 #* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address
 #* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen

+HOOKS_DIR=/etc/openconnect
+
 # FIXMEs:

 # Section A: route handling
@@ -44,13 +46,12 @@

 # Section B: Split DNS handling

-# 1) Maybe dnsmasq can do something like that
-# 2) Parse dns packets going out via tunnel and redirect them to original dns-server
+# 1) We parse CISCO_SPLIT_DNS and use dnsmasq to set it

 do_connect() {
 	if [ -n "$CISCO_BANNER" ]; then
 		logger -t openconnect "Connect Banner:"
-		logger -t openconnect "$CISCO_BANNER" | while read LINE ; do logger -t openconnect "|" "$LINE" ; done
+		echo "$CISCO_BANNER" | while read LINE ; do logger -t openconnect "|" "$LINE" ; done
 	fi

 	proto_init_update "$TUNDEV" 1
@@ -80,8 +81,23 @@ do_connect() {
 		[[ "$addr" != "$mask" ]] && proto_add_ipv6_address "$addr" "$mask"
 	fi

-	[ -n "$INTERNAL_IP4_DNS" ] && proto_add_dns_server "$INTERNAL_IP4_DNS"
-	[ -n "$CISCO_DEF_DOMAIN" ] && proto_add_dns_search "$CISCO_DEF_DOMAIN"
+	if [ -n "$CISCO_SPLIT_DNS" ] && [ -d "/tmp/dnsmasq.d/" ];then
+		SDNS=`echo $CISCO_SPLIT_DNS|sed 's/,/\n/g'`
+		DNSMASQ_FILE="/tmp/dnsmasq.d/openconnect.$TUNDEV"
+		rm -f $DNSMASQ_FILE
+		echo "$SDNS" | while read i; do
+			if [ -n "$INTERNAL_IP4_DNS" ];then
+				echo "server=/$i/$INTERNAL_IP4_DNS" >> $DNSMASQ_FILE
+			fi
+			if [ -n "$INTERNAL_IP6_DNS" ];then
+				echo "server=/$i/$INTERNAL_IP6_DNS" >> $DNSMASQ_FILE
+			fi
+		done
+		/etc/init.d/dnsmasq restart
+	else
+		[ -n "$INTERNAL_IP4_DNS" ] && proto_add_dns_server "$INTERNAL_IP4_DNS"
+		[ -n "$CISCO_DEF_DOMAIN" ] && proto_add_dns_search "$CISCO_DEF_DOMAIN"
+	fi

 	if [ -n "$CISCO_SPLIT_INC" ]; then
 		i=0
@@ -118,10 +134,22 @@ do_connect() {
 }

 do_disconnect() {
+	rm -f "/tmp/dnsmasq.d/openconnect.$TUNDEV"
 	proto_init_update "$TUNDEV" 0
 	proto_send_update "$INTERFACE"
 }

+#### Hooks
+run_hooks() {
+	HOOK="$1"
+
+	if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then
+		for script in ${HOOKS_DIR}/${HOOK}.d/* ; do
+			[ -f $script ] && . $script
+		done
+	fi
+}
+
 #### Main

 if [ -z "$reason" ]; then
@@ -137,14 +165,20 @@ fi

 case "$reason" in
 	pre-init)
+		run_hooks pre-init
 		;;
 	connect)
+		run_hooks connect
 		do_connect
+		run_hooks post-connect
 		;;
 	disconnect)
+		run_hooks disconnect
 		do_disconnect
+		run_hooks post-disconnect
 		;;
 	reconnect)
+		run_hooks reconnect
 		;;
 	*)
 		logger -t openconnect "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2