include computer name in the GP cookie
The GlobalProtect "cookie" is an overstuffed monstrosity, due to the
requirement to retain a few random, non-secret values in order to logout
successfully (see gpst_bye):

    authcookie=d41d8cd98f00b204e9800998ecf8427e&portal=Gateway-X&user=user.name&domain=big-corp

Until now, I've avoided including the computer field in this cookie, on the assumption that it
can be reproduced at any time using vpninfo->localname. However, it appears that this value can't always
be reproduced correctly when running under NetworkManager:

    dlenski/network-manager-openconnect#7

In order to be more robust, this patch therefore also includes the local hostname in the cookie:

    authcookie=d41d8cd98f00b204e9800998ecf8427e&portal=Gateway-X&user=user.name&domain=big-corp&computer=hostname
dlenski committed Aug 4, 2018
1 parent 62c60ba commit 2f270d2
Showing 3 changed files with 8 additions and 16 deletions.
4 changes: 2 additions & 2 deletions auth-globalprotect.c
Expand Up @@ -173,6 +173,7 @@ static int parse_login_xml(struct openconnect_info *vpninfo, xmlNode *xml_node)
free(value);
value = NULL;
}
append_opt(cookie, "computer", vpninfo->localname);

if (!buf_error(cookie)) {
vpninfo->cookie = cookie->data;
Expand Down Expand Up @@ -475,8 +476,7 @@ int gpst_bye(struct openconnect_info *vpninfo, const char *reason)
*
* Don't blame me. I didn't design this.
*/
append_opt(request_body, "computer", vpninfo->localname);
buf_append(request_body, "&%s", vpninfo->cookie);
buf_append(request_body, "%s", vpninfo->cookie);
if ((result = buf_error(request_body)))
goto out;

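Review bot: gpst_bye now relies on `computer=` already being inside vpninfo->cookie, so a cookie minted by an earlier openconnect (for example one stored by NetworkManager, the very case the description cites) sends no computer field at logout at all, whereas the removed lines always supplied one from vpninfo->localname. A fallback keeps both behaviours: `buf_append(request_body, "%s", vpninfo->cookie);` followed by `if (!strstr(vpninfo->cookie, "computer=")) append_opt(request_body, "computer", vpninfo->localname);` — this assumes append_opt inserts the `&` separator itself, which the parse_login_xml hunk suggests but the page does not show, and a key-aware match would be stricter than strstr. The same assumption about the cookie contents is made in gpst.c by build_csd_token, check_or_submit_hip_report and run_hip_script, and by hipreport.sh, which now extracts COMPUTER from the cookie. In the parse_login_xml hunk it is also worth confirming how append_opt treats a NULL vpninfo->localname, since that is not visible here. Both parse_login_xml and gpst_bye begin outside their hunks.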
8 changes: 2 additions & 6 deletions gpst.c
Expand Up @@ -789,9 +789,8 @@ static int build_csd_token(struct openconnect_info *vpninfo)
if (!vpninfo->csd_token)
return -ENOMEM;

/* use localname and cookie (excluding volatile authcookie and preferred-ip) to build md5sum */
/* use cookie (excluding volatile authcookie and preferred-ip) to build md5sum */
buf = buf_alloc();
append_opt(buf, "computer", vpninfo->localname);
filter_opts(buf, vpninfo->cookie, "authcookie,preferred-ip", 0);
if (buf_error(buf))
goto out;
Expand All @@ -815,9 +814,8 @@ static int check_or_submit_hip_report(struct openconnect_info *vpninfo, const ch
const char *method = "POST";
char *xml_buf=NULL, *orig_path;

/* cookie gives us these fields: authcookie, portal, user, domain, and (maybe the unnecessary) preferred-ip */
/* cookie gives us these fields: authcookie, portal, user, domain, computer, and (maybe the unnecessary) preferred-ip */
buf_append(request_body, "client-role=global-protect-full&%s", vpninfo->cookie);
append_opt(request_body, "computer", vpninfo->localname);
append_opt(request_body, "client-ip", vpninfo->ip_info.addr);
if (report) {
/* XML report contains many characters requiring URL-encoding (%xx) */
Expand Down Expand Up @@ -912,8 +910,6 @@ static int run_hip_script(struct openconnect_info *vpninfo)
hip_argv[i++] = openconnect_utf8_to_legacy(vpninfo, vpninfo->csd_wrapper);
hip_argv[i++] = (char *)"--cookie";
hip_argv[i++] = vpninfo->cookie;
hip_argv[i++] = (char *)"--computer";
hip_argv[i++] = vpninfo->localname;
hip_argv[i++] = (char *)"--client-ip";
hip_argv[i++] = (char *)vpninfo->ip_info.addr;
hip_argv[i++] = (char *)"--md5";
12 changes: 4 additions & 8 deletions hipreport.sh
Expand Up @@ -6,10 +6,7 @@
#
# --cookie: a URL-encoded string, as output by openconnect
# --authenticate --protocol=gp, which includes parameters
# --from the /ssl-vpn/login.esp response
#
# --computer: local hostname, which can be overriden with
# --openconnect local-hostname=HOSTNAME
# from the /ssl-vpn/login.esp response
#
# --client-ip: IPv4 address allocated by the GlobalProtect VPN for
# this client (included in /ssl-vpn/getconfig.esp
Expand All @@ -22,26 +19,25 @@

# Read command line arguments into variables
COOKIE=
COMPUTER=
IP=
MD5=

while [ "$1" ]; do
if [ "$1" = "--cookie" ]; then shift; COOKIE="$1"; fi
if [ "$1" = "--computer" ]; then shift; COMPUTER="$1"; fi
if [ "$1" = "--client-ip" ]; then shift; IP="$1"; fi
if [ "$1" = "--md5" ]; then shift; MD5="$1"; fi
shift
done

if [ -z "$COOKIE" -o -z "$COMPUTER" -o -z "$IP" -o -z "$MD5" ]; then
if [ -z "$COOKIE" -o -z "$IP" -o -z "$MD5" ]; then
echo "Parameters --cookie, --computer, --client-ip, and --md5 are required" >&2
exit 1;
fi

# Extract username and domain from cookie
# Extract username and domain and computer from cookie
USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p')
DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p')
COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p')

# Timestamp in the format expected by GlobalProtect server
NOW=$(date +'%m/%d/%Y %H:%M:%S')
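Review bot: The error message on the `if [ -z "$COOKIE" -o -z "$IP" -o -z "$MD5" ]` branch still names `--computer` as a required parameter although the option is no longer parsed; it should read `echo "Parameters --cookie, --client-ip, and --md5 are required" >&2`. COMPUTER now comes from the cookie, and nothing checks that the sed extraction found anything, so a cookie produced before this change silently yields an empty computer field in the report; a guard such as `if [ -z "$COMPUTER" ]; then echo "cookie has no computer= field" >&2; exit 1; fi` right after the extraction makes that failure explicit. The header comment on --cookie could also say that the cookie carries `computer=HOSTNAME` in addition to the login.esp parameters, since that is where the script now gets it.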
