From df273812d14b2b7c8d80f5a2b73a37a2d295307f Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Sun, 8 Jan 2017 12:27:54 -0800
Subject: [PATCH] add oncp_bye() to logout the Juniper session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The nc protocol lacked a .vpn_close_session function; without logout, the VPN cookie remains active and can be used to restart the session, which is a security hazard—especially when passing around OpenConnect logs on the mailing list for development and troubleshooting. Juniper logout is straightforward: GET /dana-na/auth/logout.cgi (with the appropriate DSID cookie set).
Signed-off-by: Daniel Lenski
Signed-off-by: David Woodhouse
---
 library.c | 2 +-
 oncp.c | 25 +++++++++++++++++++++++++
 openconnect-internal.h | 1 +
 3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/library.c b/library.c
index 59217a9e..6ab74410 100644
--- a/library.c
+++ b/library.c
@@ -128,7 +128,7 @@ const struct vpn_proto openconnect_protos[] = {
 .pretty_name = N_("Juniper Network Connect"),
 .description = N_("Compatible with Juniper Network Connect / Pulse Secure SSL VPN"),
 .flags = OC_PROTO_PROXY | OC_PROTO_CSD | OC_PROTO_AUTH_CERT | OC_PROTO_AUTH_OTP,
- .vpn_close_session = NULL,
+ .vpn_close_session = oncp_bye,
 .tcp_connect = oncp_connect,
 .tcp_mainloop = oncp_mainloop,
 .add_http_headers = oncp_common_headers,
diff --git a/oncp.c b/oncp.c
index 2a2e354e..5bd8b9e0 100644
--- a/oncp.c
+++ b/oncp.c
@@ -1261,3 +1261,28 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 /* Work is not done if we just got rid of packets off the queue */
 return work_done;
 }
+
+int oncp_bye(struct openconnect_info *vpninfo, const char *reason)
+{
+ char *orig_path;
+ char *res_buf=NULL;
+ int ret;
+
+ /* We need to close and reopen the HTTPS connection (to kill
+ * the oncp tunnel) and submit a new HTTPS request to logout.
+ */
+ openconnect_close_https(vpninfo, 0);
+
+ orig_path = vpninfo->urlpath;
+ vpninfo->urlpath = strdup("dana-na/auth/logout.cgi"); /* redirect segfaults without strdup */
+ ret = do_https_request(vpninfo, "GET", NULL, NULL, &res_buf, 0);
+ vpninfo->urlpath = orig_path;
+
+ if (ret < 0)
+ vpn_progress(vpninfo, PRG_ERR, _("Logout failed.\n"));
+ else
+ vpn_progress(vpninfo, PRG_INFO, _("Logout successful.\n"));
+
+ free(res_buf);
+ return ret;
+}
diff --git a/openconnect-internal.h b/openconnect-internal.h
index 0e87268f..117ca19e 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -843,6 +843,7 @@ void oncp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *b
 int queue_esp_control(struct openconnect_info *vpninfo, int enable);
 int oncp_connect(struct openconnect_info *vpninfo);
 int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout);
+int oncp_bye(struct openconnect_info *vpninfo, const char *reason);
 
 /* lzs.c */
 int lzs_decompress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);
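Review bot: The string strdup()'d into `vpninfo->urlpath` in oncp_bye() is never freed: `vpninfo->urlpath = orig_path;` overwrites it as soon as do_https_request() returns, so every logout leaks that allocation (and if a redirect replaced it with a fresh one, as the `/* redirect segfaults without strdup */` comment implies, the replacement leaks instead). Release whatever urlpath holds before restoring the caller's path: `free(vpninfo->urlpath);` immediately before `vpninfo->urlpath = orig_path;`. strdup() can also return NULL, which this code passes straight into the request; a check that restores orig_path and returns a negative error in the style the `if (ret < 0)` branch already expects (presumably -ENOMEM, as elsewhere in the tree) would keep that failure explicit rather than sending a logout GET to an unintended path. "Logout successful" is printed for any non-negative return, so whether the server actually ended the session depends on what do_https_request() does with non-200 responses, which is not visible in this hunk.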
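Review bot: The new oncp_bye() prototype in openconnect-internal.h says nothing about what the call does or that its `reason` argument is ignored by the implementation in oncp.c, so a reader of the header has to go and find the body. A one-line comment above the declaration would settle it: `/* Log out of the Juniper session (GET dana-na/auth/logout.cgi with the DSID cookie); reason is currently unused. */`. If `reason` is only present to satisfy the vpn_close_session callback signature, saying so there would also explain the unused parameter.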