Updates for cisco's client.

src/ocserv-args.c

@@ -2,7 +2,7 @@
  *
  *  DO NOT EDIT THIS FILE   (ocserv-args.c)
  *
- *  It has been AutoGen-ed  April 29, 2013 at 12:12:15 AM by AutoGen 5.17.3
+ *  It has been AutoGen-ed  April 29, 2013 at 02:14:53 PM by AutoGen 5.17.3
  *  From the definitions    ocserv-args.def
  *  and the template file   options
  *

src/ocserv-args.def

@@ -367,6 +367,22 @@ doc-section = {
   ds-format = 'texi';
   ds-text   = <<-_EOT_
 The server has been tested to be compatible with the openconnect VPN client. 
-It isn't compatible with CISCO's AnyConnect clients (there is experimental code).
+To enable compatibility with CISCO's AnyConnect clients use a simple client
+policy that disables the downloader. An example policy file is shown below.
+@example
+<?xml version="1.0" encoding="UTF-8"?>
+<AnyConnectPreferences>
+<DefaultUser>my_user_name</DefaultUser>
+<BypassDownloader>true</BypassDownloader>
+<DefaultSecondUser></DefaultSecondUser>
+<ClientCertificateThumbprint></ClientCertificateThumbprint>
+<ServerCertificateThumbprint>2804076F5A73955FE7D92B656983EBA5BD48A276</ServerCertificateThumbprint>
+<DefaultHost>my_server_name</DefaultHost>
+<DefaultGroup></DefaultGroup>
+<ProxyHost></ProxyHost>
+<ProxyPort></ProxyPort>
+<ControllablePreferences></ControllablePreferences>
+</AnyConnectPreferences>
+@end example
 _EOT_;
 };

src/ocserv-args.h

@@ -2,7 +2,7 @@
  *
  *  DO NOT EDIT THIS FILE   (ocserv-args.h)
  *
- *  It has been AutoGen-ed  April 29, 2013 at 12:12:15 AM by AutoGen 5.17.3
+ *  It has been AutoGen-ed  April 29, 2013 at 02:14:53 PM by AutoGen 5.17.3
  *  From the definitions    ocserv-args.def
  *  and the template file   options
  *

src/tlslib.c

@@ -39,7 +39,7 @@
 #include <worker.h>
 #include <sys/un.h>
 #include <sys/uio.h>
-
+#include <c-ctype.h>
 
 ssize_t tls_send(gnutls_session_t session, const void *data,
 			size_t data_size)
@@ -576,6 +576,7 @@ gnutls_datum_t data;
 uint8_t digest[20];
 char * retval;
 gnutls_x509_crt_t crt;
+unsigned i;
 
 	ret = gnutls_load_file(file, &data);
 	if (ret < 0) {
@@ -622,5 +623,9 @@ gnutls_x509_crt_t crt;
 	}
 	retval[ret_size] = 0;
 	
+	/* convert to all caps */
+	for (i=0;i<ret_size;i++)
+	        retval[i] = c_toupper(retval[i]);
+	
 	return retval;
 }

src/worker-auth.c

@@ -92,7 +92,6 @@ int ret;
 		return -1;
 	
 	return 0;
-
 }
 
 static
@@ -404,11 +403,22 @@ char msg[MAX_BANNER_SIZE+32];
 		return -1;
 
 #ifdef ANYCONNECT_CLIENT_COMPAT
+        ret = tls_puts(ws->session, "Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure\r\n");
+       	if (ret < 0)
+       		return -1;
+
 	if (ws->config->xml_config_file) {
-		ret = tls_printf(ws->session, "Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:%s&lu:/+CSCOT+/translation-table?textdomain%%3DAnyConnect%%26type%%3Dmanifest&fu:profiles%%2Fprofile.xml&fh:%s\r\n", ws->config->cert_hash,ws->config->xml_config_hash);
-		if (ret < 0)
-			return -1;
+		ret = tls_printf(ws->session, "Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:%s&lu:/+CSCOT+/translation-table?textdomain%%3DAnyConnect%%26type%%3Dmanifest&fu:profiles%%2F%s&fh:%s; path=/; secure\r\n", 
+		        ws->config->cert_hash,
+		        ws->config->xml_config_file,
+		        ws->config->xml_config_hash);
+	} else {
+		ret = tls_printf(ws->session, "Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:%s; path=/; secure\r\n", 
+		        ws->config->cert_hash);
 	}
+
+	if (ret < 0)
+		return -1;
 #endif
 
 	ret = tls_printf(ws->session, "\r\n"SUCCESS_MSG_HEAD"%s"SUCCESS_MSG_FOOT, msg);

src/worker-vpn.c

@@ -190,10 +190,11 @@ int ret;
 #endif
 
 #define LL(x,y,z) {x, sizeof(x)-1, y, z}
-struct known_urls_st known_urls[] = {
+const static struct known_urls_st known_urls[] = {
 		LL("/", get_auth_handler, post_auth_handler),
 		LL("/auth", get_auth_handler, post_auth_handler),
 #ifdef ANYCONNECT_CLIENT_COMPAT
+		LL("/1/index.html", get_auth_handler, post_auth_handler),
 		LL("/profiles", get_config_handler, NULL),
 		LL("/+CSCOT+/translation-table", get_cscot_handler, NULL),
 #endif
@@ -202,7 +203,7 @@ struct known_urls_st known_urls[] = {
 
 static url_handler_fn get_url_handler(const char* url)
 {
-struct known_urls_st *p;
+const struct known_urls_st *p;
 unsigned len = strlen(url);
 
 	p = known_urls;
@@ -220,7 +221,7 @@ unsigned len = strlen(url);
 
 static url_handler_fn post_url_handler(const char* url)
 {
-struct known_urls_st *p;
+const struct known_urls_st *p;
 
 	p = known_urls;
 	do {
@@ -553,6 +554,8 @@ restart:
 	do {
 		nrecvd = tls_recv(session, buf, sizeof(buf));
 		if (nrecvd <= 0) {
+			if (nrecvd == 0)
+			        goto finish;
 			oclog(ws, LOG_INFO, "error receiving client data"); 
 			exit_worker(ws);
 		}
@@ -568,11 +571,10 @@ restart:
 		oclog(ws, LOG_DEBUG, "HTTP GET %s", ws->req.url); 
 		fn = get_url_handler(ws->req.url);
 		if (fn == NULL) {
-			oclog(ws, LOG_INFO, "unexpected URL %s", ws->req.url); 
-			tls_puts(session, "HTTP/1.1 404 Nah, go away\r\n\r\n");
+			oclog(ws, LOG_INFO, "unexpected URL %s", ws->req.url);
+			tls_puts(session, "HTTP/1.1 404 Not found\r\n\r\n");
 			goto finish;
-		}
-		
+                }		
 		ret = fn(ws, parser.http_minor);
 		if (ret == 0 && (parser.http_major != 1 || parser.http_minor != 0))
 			goto restart;
@@ -594,7 +596,7 @@ restart:
 		fn = post_url_handler(ws->req.url);
 		if (fn == NULL) {
 			oclog(ws, LOG_INFO, "unexpected POST URL %s", ws->req.url); 
-			tls_printf(session, "HTTP/1.%u 404 Nah, go away\r\n\r\n", parser.http_minor);
+			tls_puts(session, "HTTP/1.1 404 Not found\r\n\r\n");
 			goto finish;
 		}