Send "config client" XML field after successful auth

This allows to advertise the XML configuration file for the
client to download, in recent openconnect clients. In addition
made support for the client XML file unconditional (no longer
depending on the anyconnect client compatibility flag).

src/config.c

@@ -801,9 +801,7 @@ size_t urlfw_size = 0;
 
 	READ_STRING("ocsp-response", config->ocsp_response);
 
-#ifdef ANYCONNECT_CLIENT_COMPAT
 	READ_STRING("user-profile", config->xml_config_file);
-#endif
 
 	READ_STRING("default-domain", config->default_domain);
 	READ_STRING("crl", config->crl);
@@ -1162,7 +1160,6 @@ static void check_cfg(struct perm_cfg_st *perm_config)
 		}
 	}
 
-#ifdef ANYCONNECT_CLIENT_COMPAT
 	if (perm_config->cert && perm_config->cert_hash == NULL) {
 		perm_config->cert_hash = calc_sha1_hash(perm_config, perm_config->cert[0], 1);
 	}
@@ -1185,7 +1182,6 @@ static void check_cfg(struct perm_cfg_st *perm_config)
 			exit(1);
 		}
 	}
-#endif
 
 	if (perm_config->config->keepalive == 0)
 		perm_config->config->keepalive = 3600;

src/vpn.h

@@ -316,10 +316,8 @@ struct cfg_st {
 	char *cgroup;
 	char *proxy_url;
 
-#ifdef ANYCONNECT_CLIENT_COMPAT
 	char *xml_config_file;
 	char *xml_config_hash;
-#endif
 
 	/* additional configuration files */
 	char *per_group_dir;

src/worker-auth.c

@@ -52,7 +52,20 @@ static const char oc_success_msg_head[] = "<?xml version=\"1.0\" encoding=\"UTF-
                         "<auth id=\"success\">\n"
                         "<title>SSL VPN Service</title>";
 
-static const char oc_success_msg_foot[] = "</auth></config-auth>\n";
+#define OC_SUCCESS_MSG_FOOT "</auth></config-auth>\n"
+#define OC_SUCCESS_MSG_FOOT_PROFILE \
+			"</auth>\n" \
+			"<config client=\"vpn\" type=\"private\">" \
+				"<vpn-profile-manifest>" \
+				"<vpn rev=\"1.0\">" \
+				"<file type=\"profile\" service-type=\"user\">" \
+				"<uri>/profiles/%s</uri>" \
+				"<hash type=\"sha1\">%s</hash>" \
+				"</file>" \
+				"</vpn>" \
+				"</vpn-profile-manifest>\n" \
+			"</config>" \
+			"</config-auth>"
 
 static const char ocv3_success_msg_head[] = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                         "<auth id=\"success\">\n"
@@ -892,20 +905,30 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
 	size_t str_cookie_size = sizeof(str_cookie);
 	char msg[MAX_BANNER_SIZE + 32];
 	const char *success_msg_head;
-	const char *success_msg_foot;
+	char *success_msg_foot;
 	unsigned success_msg_head_size;
 	unsigned success_msg_foot_size;
 
 	if (ws->req.user_agent_type == AGENT_OPENCONNECT_V3) {
 		success_msg_head = ocv3_success_msg_head;
-		success_msg_foot = ocv3_success_msg_foot;
+		success_msg_foot = talloc_strdup(ws, ocv3_success_msg_foot);
 		success_msg_head_size = sizeof(ocv3_success_msg_head)-1;
-		success_msg_foot_size = sizeof(ocv3_success_msg_foot)-1;
+		success_msg_foot_size = strlen(success_msg_foot);
 	} else {
 		success_msg_head = oc_success_msg_head;
-		success_msg_foot = oc_success_msg_foot;
+		success_msg_foot = OC_SUCCESS_MSG_FOOT;
+		if (ws->config->xml_config_file) {
+			success_msg_foot = talloc_asprintf(ws, OC_SUCCESS_MSG_FOOT_PROFILE,
+				ws->config->xml_config_file, ws->config->xml_config_hash);
+		} else {
+			success_msg_foot = talloc_strdup(ws, OC_SUCCESS_MSG_FOOT);
+		}
+
+		if (success_msg_foot == NULL)
+			return -1;
+
 		success_msg_head_size = sizeof(oc_success_msg_head)-1;
-		success_msg_foot_size = sizeof(oc_success_msg_foot)-1;
+		success_msg_foot_size = strlen(success_msg_foot);
 	}
 
 	oc_base64_encode((char *)ws->cookie, sizeof(ws->cookie),
@@ -917,28 +940,28 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
 	cstp_cork(ws);
 	ret = cstp_printf(ws, "HTTP/1.%u 200 OK\r\n", http_ver);
 	if (ret < 0)
-		return -1;
+		goto fail;
 
 	ret = cstp_puts(ws, "Connection: Keep-Alive\r\n");
 	if (ret < 0)
-		return -1;
+		goto fail;
 
 	if (ws->selected_auth->type & AUTH_TYPE_GSSAPI && imsg != NULL && imsg[0] != 0) {
 		ret = cstp_printf(ws, "WWW-Authenticate: Negotiate %s\r\n", imsg);
 		if (ret < 0)
-			return -1;
+			goto fail;
 	}
 
 	ret = cstp_puts(ws, "Content-Type: text/xml\r\n");
 	if (ret < 0)
-		return -1;
+		goto fail;
 
 	if (ws->config->banner) {
 		size =
 		    snprintf(msg, sizeof(msg), "<banner>%s</banner>",
 			     ws->config->banner);
 		if (size <= 0)
-			return -1;
+			goto fail;
 		/* snprintf() returns not a very useful value, so we need to recalculate */
 		size = strlen(msg);
 	} else {
@@ -950,11 +973,11 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
 
 	ret = cstp_printf(ws, "Content-Length: %u\r\n", (unsigned)size);
 	if (ret < 0)
-		return -1;
+		goto fail;
 
 	ret = cstp_puts(ws, "X-Transcend-Version: 1\r\n");
 	if (ret < 0)
-		return -1;
+		goto fail;
 
 	if (ws->sid_set != 0) {
 		char context[BASE64_ENCODE_RAW_LENGTH(SID_SIZE) + 1];
@@ -967,7 +990,7 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
 			       "Set-Cookie: webvpncontext=%s; Secure\r\n",
 			       context);
 		if (ret < 0)
-			return -1;
+			goto fail;
 
 		oclog(ws, LOG_SENSITIVE, "sent sid: %s", context);
 	}
@@ -977,14 +1000,13 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
 		       "Set-Cookie: webvpn=%s; Secure\r\n",
 		       str_cookie);
 	if (ret < 0)
-		return -1;
+		goto fail;
 
-#ifdef ANYCONNECT_CLIENT_COMPAT
 	ret =
 	    cstp_puts(ws,
 		     "Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure\r\n");
 	if (ret < 0)
-		return -1;
+		goto fail;
 
 	if (ws->config->xml_config_file) {
 		ret =
@@ -1001,20 +1023,23 @@ int post_common_handler(worker_st * ws, unsigned http_ver, const char *imsg)
 	}
 
 	if (ret < 0)
-		return -1;
-#endif
+		goto fail;
 
 	ret =
 	    cstp_printf(ws,
 		       "\r\n%s%s%s", success_msg_head, msg, success_msg_foot);
 	if (ret < 0)
-		return -1;
+		goto fail;
 
 	ret = cstp_uncork(ws);
 	if (ret < 0)
-		return -1;
+		goto fail;
 
 	return 0;
+
+ fail:
+	talloc_free(success_msg_foot);
+	return -1;
 }
 
 /* Returns the contents of the password field in a newly allocated

src/worker-http-handlers.c

@@ -220,7 +220,6 @@ int get_ca_der_handler(worker_st * ws, unsigned http_ver)
 	return ca_handler(ws, http_ver, 1);
 }
 
-#ifdef ANYCONNECT_CLIENT_COMPAT
 int get_config_handler(worker_st *ws, unsigned http_ver)
 {
 	int ret;
@@ -257,6 +256,7 @@ int get_config_handler(worker_st *ws, unsigned http_ver)
 	return 0;
 }
 
+#ifdef ANYCONNECT_CLIENT_COMPAT
 #define VPN_VERSION "0,0,0000\n"
 #define XML_START "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<vpn rev=\"1.0\">\n</vpn>\n"
 

src/worker-http.c

@@ -59,6 +59,7 @@ const static struct known_urls_st known_urls[] = {
 	LL("/cert.cer", get_cert_der_handler, NULL),
 	LL("/ca.pem", get_ca_handler, NULL),
 	LL("/ca.cer", get_ca_der_handler, NULL),
+	LL_DIR("/profiles", get_config_handler, NULL),
 #ifdef ANYCONNECT_CLIENT_COMPAT
 	LL("/1/index.html", get_empty_handler, NULL),
 	LL("/1/Linux", get_empty_handler, NULL),
@@ -69,7 +70,6 @@ const static struct known_urls_st known_urls[] = {
 	LL("/1/VPNManifest.xml", get_string_handler, NULL),
 	LL("/1/binaries/update.txt", get_string_handler, NULL),
 
-	LL_DIR("/profiles", get_config_handler, NULL),
 	LL("/+CSCOT+/", get_string_handler, NULL),
 	LL("/logout", get_empty_handler, NULL),
 #endif