Commit fe32beb7 authored by Daniel Lenski, committed by David Woodhouse

Add hipreport-android.sh

The desktop version of the HIP report doesn't work on Android in part
because the here-doc appears to exceed the size of the read buffer in
Android's rather primitive /system/bin/sh.  This is a rather confusing bug
to identify and diagnose.

Include an alternate script with minimal contents (hipreport-minimal.sh)
which is suitable for use on Android.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
parent 3bb1c3a9
......@@ -137,7 +137,8 @@ EXTRA_DIST += $(shell cd "$(top_srcdir)" && \
DISTCLEANFILES = $(pkgconfig_DATA)
pkglibexec_SCRIPTS = trojans/csd-post.sh trojans/csd-wrapper.sh trojans/hipreport.sh trojans/tncc-wrapper.py
pkglibexec_SCRIPTS = trojans/csd-post.sh trojans/csd-wrapper.sh trojans/tncc-wrapper.py \
trojans/hipreport.sh trojans/hipreport-android.sh
# main.c includes version.c
openconnect-main.$(OBJEXT): version.c
......
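Review bot: the file added to pkglibexec_SCRIPTS is trojans/hipreport-android.sh, but the commit message body calls it hipreport-minimal.sh; please make the two agree so the log can be searched by file name. Also note that this list installs the script on every platform, while its shebang is #!/system/bin/sh, a path that exists only on Android; either install it conditionally or say in the script header that it is meant to be copied to the device rather than run from pkglibexecdir.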
#!/system/bin/sh
# These values may need to be extracted from the official HIP report, if made-up values are not accepted.
PLATFORM_VERSION="4.3"
PLATFORM_NAME="Android-x86"
HOSTID="deadbeef-dead-beef-dead-beefdeadbeef"
# Read command line arguments into variables
COOKIE=
IP=
IPV6=
MD5=
while [ "$1" ]; do
if [ "$1" = "--cookie" ]; then shift; COOKIE="$1"; fi
if [ "$1" = "--client-ip" ]; then shift; IP="$1"; fi
if [ "$1" = "--client-ipv6" ]; then shift; IPV6="$1"; fi
if [ "$1" = "--md5" ]; then shift; MD5="$1"; fi
shift
done
if [ -z "$COOKIE" -o -z "$MD5" -o -z "$IP$IPV6" ]; then
echo "Parameters --cookie, --md5, and --client-ip and/or --client-ipv6 are required" >&2
exit 1;
fi
# Extract username and domain and computer from cookie
USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p')
DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p')
COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p')
# Timestamp in the format expected by GlobalProtect server
NOW=$(date +'%m/%d/%Y %H:%M:%S')
# WARNING: Replacing this with a here-doc (cat <<EOF) does not work
# with Android's /system/bin/sh, likely due to an insufficient read
# buffer size.
echo '<hip-report name="hip-report">'
echo " <md5-sum>$MD5</md5-sum>"
echo " <user-name>$USER</user-name>"
echo " <domain>$DOMAIN</domain>"
echo " <host-name>$COMPUTER</host-name>"
echo " <host-id>$HOSTID</host-id>"
echo " <ip-address>$IP</ip-address>"
echo " <ipv6-address>$IPV6</ipv6-address>"
echo " <generate-time>$NOW</generate-time>"
echo ' <categories>'
echo ' <entry name="host-info">'
echo ' <client-version>4.0.2-19</client-version>'
echo " <os>$PLATFORM_NAME $PLATFORM_VERSION</os>"
echo ' <os-vendor>Google</os-vendor>'
echo " <domain>$DOMAIN.internal</domain>"
echo " <host-name>$COMPUTER</host-name>"
echo " <host-id>$HOSTID</host-id>"
echo ' </entry>'
echo ' </categories>'
echo '</hip-report>'
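Review bot: after the three sed extractions from "$COOKIE", nothing checks that USER, DOMAIN and COMPUTER came back non-empty; the earlier test only requires COOKIE itself to be set, so a cookie without user=, domain= or computer= silently yields empty <user-name>, <domain> and <host-name> elements. Consider failing with a message on stderr, as the parameter check above does. The extracted values are also echoed into the XML without escaping, so a value containing < or > would produce a malformed report, and assigning USER overwrites the shell's usual environment variable of that name; a script-local name (for example HIP_USER) would avoid that.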
......@@ -16,6 +16,11 @@
# exactly what this is the md5 digest *of*, but all that
# really matters is that the value in the HIP report
# submission should match the value in the HIP report check.
#
# This hipreport.sh does not work as-is on Android. The large here-doc
# (cat <<EOF) does not appear to work with Android's /system/bin/sh,
# likely due to an insufficient read buffer size.
# Try hipreport-android.sh instead.
# Read command line arguments into variables
COOKIE=
......
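Review bot: the added comment gives the cause only as "likely due to an insufficient read buffer size" and repeats the same hedge that appears in hipreport-android.sh. Please record the Android version and shell on which the here-doc failure was observed, so that someone revisiting this later can tell whether the workaround is still needed.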
......@@ -69,8 +69,11 @@ server. This shell script must output the HIP report to standard output and exit
<h2>Generating/spoofing a HIP report</h2>
<p>An example <tt>hipreport.sh</tt> script is included in the
OpenConnect distribution, in the <tt>trojans/</tt> subdirectory.</p>
<p>Two example scripts are included in the OpenConnect distribution,
in the <tt>trojans/</tt> subdirectory: <tt>hipreport.sh</tt> (which
reproduces the behavior of a GlobalProtect Windows client) and
<tt>hipreport-android.sh</tt> (a report with minimal contents
suitable for use on an Android device).</p>
<p>Depending on how picky your GlobalProtect
VPN is, it may be necessary to spoof or alter some of the parameters
......
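Review bot: the new paragraph describes hipreport-android.sh as "a report with minimal contents suitable for use on an Android device" but never says that hipreport.sh itself does not work on Android; that fact is only in the script comments. One sentence stating that the here-doc in hipreport.sh fails under Android's /system/bin/sh would tell readers why a second script exists and which one to pick.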