author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-06-04 23:17:54 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-06-04 23:18:02 +0200 |
commit | 51c1c551251496d4831ada625dbd37e68a6faa39 (patch) | |
tree | ab9c94a873022b1b40aba1e114f8655be817494c /net/openconnect/files | |
parent | d0eb4566b4e366f734721a1077cdb051227c667d (diff) |
openconnect: Added configuration options for hash and user cert/key pairs
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'net/openconnect/files')
-rwxr-xr-x | net/openconnect/files/openconnect.sh | 28 | ||||
-rwxr-xr-x | net/openconnect/files/vpnc-script | 11 |
2 files changed, 27 insertions, 12 deletions
diff --git a/net/openconnect/files/openconnect.sh b/net/openconnect/files/openconnect.sh index 261019438..e14c0d091 100755 --- a/net/openconnect/files/openconnect.sh +++ b/net/openconnect/files/openconnect.sh @@ -7,7 +7,8 @@ proto_openconnect_init_config() { proto_config_add_string "server" proto_config_add_int "port" proto_config_add_string "username" - proto_config_add_string "cookie" + proto_config_add_string "serverhash" + proto_config_add_string "authgroup" proto_config_add_string "password" no_device=1 available=1 @@ -16,17 +17,18 @@ proto_openconnect_init_config() { proto_openconnect_setup() { local config="$1" - json_get_vars server port username cookie password + json_get_vars server port username serverhash authgroup password vgroup grep -q tun /proc/modules || insmod tun + logger -t openconnect "initializing..." serv_addr= for ip in $(resolveip -t 5 "$server"); do proto_add_host_dependency "$config" "$server" serv_addr=1 done [ -n "$serv_addr" ] || { - echo "Could not resolve server address" + logger -t openconnect "Could not resolve server address" sleep 5 proto_setup_failed "$config" exit 1 @@ -34,9 +36,13 @@ proto_openconnect_setup() { [ -n "$port" ] && port=":$port" - cmdline="$server$port -i vpn-$config --no-cert-check --non-inter --syslog --script /lib/netifd/vpnc-script" + cmdline="$server$port -i vpn-$config --non-inter --syslog --script /lib/netifd/vpnc-script" - [ -n "$cookie" ] && append cmdline "-C $cookie" + [ -f /etc/openconnect/ca.pem ] && append cmdline "--cafile /etc/openconnect/ca.pem" + [ -f /etc/openconnect/user-cert.pem ] && append cmdline "-c /etc/openconnect/user-cert.pem" + [ -f /etc/openconnect/user-key.pem ] && append cmdline "--sslkey /etc/openconnect/user-key.pem" + [ -n "$serverhash" ] && append cmdline "--servercert=$serverhash" + [ -n "$authgroup" ] && append cmdline "--authgroup $authgroup" [ -n "$username" ] && append cmdline "-u $username" [ -n "$password" ] && { umask 077 
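Review bot: The new `--authgroup $authgroup` and `-u $username` options are appended into the flat `$cmdline` string that is later expanded unquoted when openconnect is run, so a value containing whitespace (Cisco ASA authgroup names often do) is split into separate arguments and the command line is mis-parsed; `$serverhash` has the same exposure. Because `append` builds a string rather than an argument list, the cheapest guard is to reject such values before the command is built, e.g. `case "$authgroup$username$serverhash" in *[[:space:]]*) logger -t openconnect "authgroup, username and serverhash must not contain whitespace"; proto_setup_failed "$config"; exit 1;; esac`. Dropping `--no-cert-check` is the right call, but combined with `--non-inter` a server whose certificate is neither chained to `/etc/openconnect/ca.pem` nor pinned by `serverhash` is expected to fail without any prompt, with the error going only to syslog because of `--syslog`, so the option documentation should state that one of the two must be provisioned. The `[ -f /etc/openconnect/user-key.pem ]` test does not check that the private key is readable only by root; enforcing mode 0600 on install, or checking it here before passing `--sslkey`, would keep the key from other local users. proto_openconnect_setup starts before and ends after this hunk.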
@@ -46,10 +52,20 @@ proto_openconnect_setup() { } proto_export INTERFACE="$config" - proto_run_command "$config" /usr/sbin/openconnect $cmdline <$pwfile + logger -t openconnect "executing 'openconnect $cmdline'" + + if [ -f "$pwfile" ];then + proto_run_command "$config" /usr/sbin/openconnect $cmdline <$pwfile + else + proto_run_command "$config" /usr/sbin/openconnect $cmdline + fi } proto_openconnect_teardown() { + pwfile="/var/run/openconnect-$config.passwd" + + rm -f $pwfile + logger -t openconnect "bringing down openconnect" proto_kill_command "$config" } diff --git a/net/openconnect/files/vpnc-script b/net/openconnect/files/vpnc-script index 4d12d7e20..c8151471b 100755 --- a/net/openconnect/files/vpnc-script +++ b/net/openconnect/files/vpnc-script @@ -49,9 +49,8 @@ do_connect() { if [ -n "$CISCO_BANNER" ]; then - echo "Connect Banner:" - echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done - echo + logger -t openconnect "Connect Banner:" + logger -t openconnect "$CISCO_BANNER" | while read LINE ; do logger -t openconnect "|" "$LINE" ; done fi proto_init_update "$TUNDEV" 1 @@ -126,11 +125,11 @@ do_disconnect() { #### Main if [ -z "$reason" ]; then - echo "this script must be called from vpnc" 1>&2 + logger -t openconnect "this script must be called from vpnc" 1>&2 exit 1 fi if [ -z "$INTERFACE" ]; then - echo "this script must be called for an active interface" + logger -t openconnect "this script must be called for an active interface" exit 1 fi @@ -148,7 +147,7 @@ case "$reason" in reconnect) ;; *) - echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2 + logger -t openconnect "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2 exit 1 ;; esac |
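Review bot: The added `pwfile="/var/run/openconnect-$config.passwd"` in proto_openconnect_teardown relies on `$config`, which this function never assigns from its `$1` argument (proto_openconnect_setup does so explicitly with `local config="$1"`); unless netifd exports `config` into the handler, the path expands to `/var/run/openconnect-.passwd` and the real password file is left on disk after teardown. Adding `local config="$1"` as the first line of the function, and quoting the removal as `rm -f "$pwfile"`, makes the cleanup match the setup side. Note too that `logger -t openconnect "executing 'openconnect $cmdline'"` writes the username and any authgroup to syslog; that is acceptable only as long as `$cmdline` never carries the password, which currently holds because the password is delivered through `$pwfile` on stdin. The lines that create `$pwfile` under `umask 077` fall between the hunks and are not visible here.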
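Review bot: `logger -t openconnect "$CISCO_BANNER" | while read LINE ; do logger -t openconnect "|" "$LINE" ; done` no longer works as a line splitter: logger sends its argument to syslog and writes nothing to stdout, so the loop body never runs and the banner is logged once as a single multi-line message, whereas the `echo` it replaces fed the loop. Since the banner is server-supplied text, it should also be read with `-r` so backslashes are not interpreted: replace that line with `printf '%s\n' "$CISCO_BANNER" | while IFS= read -r LINE; do logger -t openconnect "|" "$LINE"; done`. do_connect continues outside the hunk.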
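Review bot: The `1>&2` kept on `logger -t openconnect "this script must be called from vpnc" 1>&2` is a leftover from the `echo` it replaces: logger writes to syslog rather than stdout, so the redirection has no effect and suggests to a reader that the message still reaches stderr. Either drop the redirection, or use `logger -s -t openconnect "this script must be called from vpnc"` (BusyBox logger supports `-s`) if the message should still be printed when the script is run by hand, which is the situation this check exists for. The same leftover appears on the `unknown reason` line of the last hunk in this file.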