return EPERM, not EINVAL, when GP gateways reject the cookie upon get…

…-config or GET-tunnel Tested against 2 real GlobalProtect gateway servers, which both exhibit these error behaviors: 1. 'GET /ssl-vpn/config' with bogus 'portal' field in cookie => XML error "Portal name not found" 2. 'GET /ssl-vpn/config' with 'user', 'authcookie', or 'portal' fields missing from cookie => HTTP/1.1 200, plaintext "errors getting SSL/VPN config" 3. 'GET /ssl-vpn-tunnel' with bogus 'user' or 'authcookie' => HTTP/1.1 504 (Gateway Timeout) Signed-off-by: Daniel Lenski <dlenski@gmail.com>
sailfishos-mirror · Feb 22, 2021 · 57e6d3d · 57e6d3d
1 parent 4138108
commit 57e6d3d
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/gpst.c b/gpst.c
@@ -288,7 +288,7 @@ int gpst_xml_or_error(struct openconnect_info *vpninfo, char *response,
 		vpn_progress(vpninfo, PRG_ERR,
 					 _("Failed to parse server response\n"));
 		vpn_progress(vpninfo, PRG_DEBUG,
-					 _("Response was:%s\n"), response);
+					 _("Response was: %s\n"), response);
 	}
 
 out:
@@ -298,6 +298,7 @@ int gpst_xml_or_error(struct openconnect_info *vpninfo, char *response,
 			vpn_progress(vpninfo, PRG_DEBUG, "%s\n", err);
 			result = -EEXIST;
 		} else if (!strcmp(err, "Invalid authentication cookie")           /* equivalent to custom HTTP status 512 */
+			   || !strcmp(err, "Portal name not found")                /* cookie is bogus */
 		           || !strcmp(err, "Valid client certificate is required") /* equivalent to custom HTTP status 513 */
 		           || !strcmp(err, "Allow Automatic Restoration of SSL VPN is disabled")) {
 			/* Any of these errors indicates that retrying won't help us reconnect (EPERM signals this to mainloop.) */
@@ -725,8 +726,14 @@ static int gpst_get_config(struct openconnect_info *vpninfo)
 	/* parse getconfig result */
 	if (result >= 0)
 		result = gpst_xml_or_error(vpninfo, xml_buf, gpst_parse_config_xml, NULL, NULL);
-	if (result)
+	if (result) {
+		/* XX: if our "cookie" is bogus (doesn't include at least 'user', 'authcookie',
+		 * and 'portal' fields) the server will respond like this.
+		 */
+		if (result == -EINVAL && !strcmp(xml_buf, "errors getting SSL/VPN config"))
+			result = -EPERM;
 		goto out;
+	}
 
 	if (!vpninfo->ip_info.mtu) {
 		/* FIXME: GP gateway config always seems to be <mtu>0</mtu> */
@@ -818,7 +825,8 @@ static int gpst_connect(struct openconnect_info *vpninfo)
 		}
 		vpn_progress(vpninfo, PRG_ERR,
 		             _("Got inappropriate HTTP GET-tunnel response: %.*s\n"), ret, buf);
-		ret = -EINVAL;
+		/* XX: this is what GP servers return when they don't like the cookie */
+		ret = !strncmp(buf, "HTTP/1.1 502 ", 13) ? -EPERM : -EINVAL;
 	}
 
 	if (ret < 0)