Commit 14a1c56a authored by Daniel Lenski's avatar Daniel Lenski

Merge branch 'openconnect_get_auth_expiration' into 'master'

add auth_expiration (AnyConnect, GP, Pulse) and openconnect_get_auth_expiration() API function

See merge request openconnect/openconnect!156
parents 64e97762 e646bf0f
......@@ -529,6 +529,18 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
if (!strcmp(buf + 7, "Keepalive")) {
vpninfo->ssl_times.keepalive = atol(colon);
} else if (!strcmp(buf + 7, "Lease-Duration") ||
!strcmp(buf + 7, "Session-Timeout") ||
!strcmp(buf + 7, "Session-Timeout-Remaining")) {
/* XX: Distinction between Lease-Duration and Session-Timeout is rather unclear. Cisco doc:
* https://www.cisco.com/assets/sol/sb/RV345P_Emulators/RV345P_Emulator_v1-0-01-17/help/help/t_SSL_VPN.html
* Empirically, it appears that the best behavior is to accept whichever of these headers has the
* lowest non-zero value.
*/
long j = atol(colon);
if (j && (!vpninfo->auth_expiration || j < vpninfo->auth_expiration))
vpninfo->auth_expiration = time(NULL) + j;
} else if (!strcmp(buf + 7, "Idle-Timeout")) {
vpninfo->idle_timeout = atol(colon);
} else if (!strcmp(buf + 7, "DPD")) {
......
......@@ -491,7 +491,7 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
} else if (!xmlnode_get_val(xml_node, "mtu", &s))
vpninfo->ip_info.mtu = atoi(s);
else if (!xmlnode_get_val(xml_node, "lifetime", &s))
vpn_progress(vpninfo, PRG_INFO, _("Session will expire after %d minutes.\n"), atoi(s)/60);
vpninfo->auth_expiration = time(NULL) + atol(s);
else if (!xmlnode_get_val(xml_node, "disconnect-on-idle", &s)) {
int sec = atoi(s);
vpn_progress(vpninfo, PRG_INFO, _("Idle timeout is %d minutes.\n"), sec/60);
......
......@@ -17,6 +17,7 @@ package com.example;
import java.io.*;
import java.util.*;
import java.time.Instant;
import org.infradead.libopenconnect.LibOpenConnect;
public final class LibTest {
......@@ -279,6 +280,8 @@ public final class LibTest {
int idleTimeout = lib.getIdleTimeout();
System.out.println("Idle Timeout: " + idleTimeout + " seconds");
Instant authExpiration = lib.getAuthExpiration();
System.out.println("Auth Expiration: " + authExpiration.toString());
printIPInfo(lib.getIPInfo());
if (lib.setupDTLS(60) != 0)
......
......@@ -17,6 +17,7 @@ package org.infradead.libopenconnect;
import java.util.ArrayList;
import java.util.HashMap;
import java.time.Instant;
public abstract class LibOpenConnect {
......@@ -166,6 +167,7 @@ public abstract class LibOpenConnect {
public synchronized native String getDTLSCompression();
public synchronized native String getProtocol();
public synchronized native int getIdleTimeout();
public synchronized native Instant getAuthExpiration();
/* certificate info */
......
......@@ -1164,6 +1164,36 @@ JNIEXPORT jint JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getIdleT
return openconnect_get_idle_timeout(ctx->vpninfo);
}
JNIEXPORT jobject JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getAuthExpiration(
JNIEnv *jenv, jobject jobj)
{
struct libctx *ctx = getctx(jenv, jobj);
jmethodID mid;
jobject result;
jclass jcls;
time_t auth_expiration;
if (!ctx)
return NULL;
auth_expiration = openconnect_get_auth_expiration(ctx->vpninfo);
jcls = (*ctx->jenv)->FindClass(ctx->jenv, "java/time/Instant");
if (jcls == NULL)
goto err;
mid = (*jenv)->GetStaticMethodID(jenv, jcls, "ofEpochSecond", "(J)Ljava/time/Instant;");
if (!mid)
goto err;
result = (*jenv)->CallStaticObjectMethod(jenv, jcls, mid, auth_expiration);
if (result == NULL)
goto err;
return result;
err:
return NULL;
}
/* simple cases: return a const string (no need to free it) */
#define RETURN_STRING_START \
......
......@@ -112,6 +112,7 @@ OPENCONNECT_5_7 {
global:
openconnect_set_cookie;
openconnect_set_allow_insecure_crypto;
openconnect_get_auth_expiration;
} OPENCONNECT_5_6;
OPENCONNECT_PRIVATE {
......
......@@ -611,6 +611,11 @@ int openconnect_get_idle_timeout(struct openconnect_info *vpninfo)
return vpninfo->idle_timeout;
}
time_t openconnect_get_auth_expiration(struct openconnect_info *vpninfo)
{
return vpninfo->auth_expiration;
}
int openconnect_get_ip_info(struct openconnect_info *vpninfo,
const struct oc_ip_info **info,
const struct oc_vpn_option **cstp_options,
......
......@@ -1420,6 +1420,9 @@ static void print_connection_info(struct openconnect_info *vpninfo)
ssl_compr ? " + " : "", ssl_compr ? : "",
vpninfo->proto->udp_protocol ? : "UDP", udp_compr ? " + " : "", udp_compr ? : "",
dtls_state);
if (vpninfo->auth_expiration != 0)
vpn_progress(vpninfo, PRG_INFO, _("Session authentication will expire at %s"),
ctime(&vpninfo->auth_expiration));
}
#ifndef _WIN32
......
......@@ -567,6 +567,7 @@ struct openconnect_info {
int reconnect_timeout;
int reconnect_interval;
int dtls_attempt_period;
time_t auth_expiration;
time_t new_dtls_started;
#if defined(OPENCONNECT_OPENSSL)
SSL_CTX *dtls_ctx;
......
......@@ -39,6 +39,7 @@ extern "C" {
* API version 5.7:
* - Add openconnect_set_cookie()
* - Add openconnect_set_allow_insecure_crypto()
* - Add openconnect_get_auth_expiration()
*
* API version 5.6 (v8.06; 2020-03-31):
* - Add openconnect_set_trojan_interval()
......@@ -532,6 +533,7 @@ void openconnect_set_reqmtu(struct openconnect_info *, int reqmtu);
void openconnect_set_dpd(struct openconnect_info *, int min_seconds);
void openconnect_set_trojan_interval(struct openconnect_info *, int seconds);
int openconnect_get_idle_timeout(struct openconnect_info *);
time_t openconnect_get_auth_expiration(struct openconnect_info *);
/* The returned structures are owned by the library and may be freed/replaced
due to rekey or reconnect. Assume that once the mainloop starts, the
......
......@@ -1761,6 +1761,15 @@ static int pulse_authenticate(struct openconnect_info *vpninfo, int connecting)
realms_found++;
} else if (avp_vendor == VENDOR_JUNIPER2 && avp_code == 0xd4f) {
realm_entry++;
} else if (avp_vendor == VENDOR_JUNIPER2 && avp_code == 0xd5c) {
uint32_t val;
if (avp_len != 4)
goto auth_unknown;
val = load_be32(avp_p);
if (val)
vpninfo->auth_expiration = time(NULL) + val;
} else if (avp_vendor == VENDOR_JUNIPER2 && avp_code == 0xd53) {
free(vpninfo->cookie);
vpninfo->cookie = strndup(avp_p, avp_len);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment