mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-09 08:16:58 +08:00
996d021e1b
The VPN client that comes with the Cisco IP-Phone Enterprise firmware is based on AnyConnect but was unable to authenticate with ocserv. The phone makes an initial GET request and looks for a cookie named 'webvpn' that has an expiry attribute and a cookie named 'webvpnlogin' containing a non-empty value. When username+password mode is configured, the phone will then send a POST request containing those credentials. When using certificate authentication an empty POST request is sent. A handler that implements this new behaviour has been added under the '/svc' path. To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must be 443, a new 'cisco-svc-client-compat' option automatically checks those settings. New test cases test-pass-svc and test-cert-svc check the above behaviour. Older versions of the phone's firmware will fail to create the DTLS tunnel if the cipher negotiated for HTTPS does not match that selected for DTLS. To work-around this either disable DTLS or only allow the RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used. doc/README-cisco-svc.md includes additional information. Note: 'Enterprise' here is used to differentiate between that firmware and the MPP (Multi-Platform) firmware which uses the same hardware. Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
79 lines
3.2 KiB
Bash
Executable File
79 lines
3.2 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# Copyright (C) 2023 Gareth Palmer
|
|
#
|
|
# This file is part of ocserv.
|
|
#
|
|
# ocserv is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU General Public License as published by the
|
|
# Free Software Foundation; either version 2 of the License, or (at
|
|
# your option) any later version.
|
|
#
|
|
# ocserv is distributed in the hope that it will be useful, but
|
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with GnuTLS; if not, write to the Free Software Foundation,
|
|
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
SERV="${SERV:-../src/ocserv}"
|
|
srcdir=${srcdir:-.}
|
|
NO_NEED_ROOT=1
|
|
PIDFILE=ocserv-pid.$$.tmp
|
|
TMPFILE=test-pass-svc.$$.tmp
|
|
|
|
. `dirname $0`/common.sh
|
|
|
|
eval "${GETPORT}"
|
|
|
|
echo "Testing local backend with username-password... "
|
|
|
|
update_config test1.config
|
|
echo "udp-port = 0" >>${CONFIG}
|
|
echo "cisco-svc-client-compat = true" >>${CONFIG}
|
|
launch_sr_server -d 1 -p ${PIDFILE} -f -c ${CONFIG} & PID=$!
|
|
wait_server $PID
|
|
|
|
echo "Connecting to obtain non-auth cookies... "
|
|
( LD_PRELOAD=libsocket_wrapper.so curl --user-agent "Cisco SVC IPPhone Client v1.0" --silent --insecure https://$ADDRESS:$PORT/svc --include --request GET --output $TMPFILE ) ||
|
|
fail $PID "GET request failed"
|
|
|
|
grep -q "^Set-Cookie: webvpn=; expires=" $TMPFILE || fail $PID "Did not receive cookie"
|
|
grep -q "^Set-Cookie: webvpnlogin=1" $TMPFILE || fail $PID "Did not receive non-auth cookie"
|
|
|
|
echo "Connecting to obtain cookie... "
|
|
( LD_PRELOAD=libsocket_wrapper.so curl --user-agent "Cisco SVC IPPhone Client v1.0" --silent --insecure https://$ADDRESS:$PORT/svc --include --request POST --data "username=test&password=test" --output $TMPFILE ) ||
|
|
fail $PID "POST request failed"
|
|
|
|
grep -q "^Set-Cookie: webvpn=[^;]\+" $TMPFILE || fail $PID "Did not receive cookie"
|
|
|
|
echo "Connecting to obtain cookie with wrong password... "
|
|
( LD_PRELOAD=libsocket_wrapper.so curl --user-agent "Cisco SVC IPPhone Client v1.0" --silent --insecure https://$ADDRESS:$PORT/svc --include --request POST --data "username=test&password=tost" --output $TMPFILE ) ||
|
|
fail $PID "POST request failed"
|
|
|
|
grep -q "Set-Cookie: webvpn=[^;]\+" $TMPFILE && fail $PID "Received cookie when we shouldn't"
|
|
|
|
echo "Connecting to obtain cookie with empty password... "
|
|
( LD_PRELOAD=libsocket_wrapper.so curl --user-agent "Cisco SVC IPPhone Client v1.0" --silent --insecure https://$ADDRESS:$PORT/svc --include --request POST --data "username=test&password=" --output $TMPFILE ) ||
|
|
fail $PID "POST request failed"
|
|
|
|
grep -q "Set-Cookie: webvpn=[^;]\+" $TMPFILE && fail $PID "Received cookie when we shouldn't"
|
|
|
|
echo "Connecting to obtain cookie with wrong username... "
|
|
( LD_PRELOAD=libsocket_wrapper.so curl --user-agent "Cisco SVC IPPhone Client v1.0" --silent --insecure https://$ADDRESS:$PORT/svc --include --request POST --data "username=tost&password=test" --output $TMPFILE ) ||
|
|
fail $PID "POST request failed"
|
|
|
|
grep -q "Set-Cookie: webvpn=[^;]\+" $TMPFILE && fail $PID "Received cookie when we shouldn't"
|
|
|
|
if ! test -f ${PIDFILE};then
|
|
fail $PID "Could not find pid file ${PIDFILE}"
|
|
fi
|
|
|
|
cleanup
|
|
|
|
rm -f "$TMPFILE"
|
|
|
|
exit 0
|