add oncp_bye() to logout the Juniper session
The nc protocol lacked a .vpn_close_session function; without logout, the
VPN cookie remains active and can be used to restart the session, which is a
security hazard—especially when passing around OpenConnect logs on the
mailing list for development and troubleshooting.

Juniper logout is straightforward: GET /dana-na/auth/logout.cgi (with the
appropriate DSID cookie set).

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
dlenski authored and dwmw2 committed May 14, 2017
1 parent bbcc2c5 commit df27381
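The logout step the commit message describes, as an added example that is not OpenConnect or Juniper code: a constructed Python stand-in for the gateway that treats GET /dana-na/auth/logout.cgi carrying a valid DSID cookie as session termination, plus a client that reuses the same cookie before and after. Only the logout path and the DSID cookie name come from the commit; the in-memory session table, the loopback server on a random port and the `/` check path are assumptions of this simulation, not Juniper behaviour.

```python
"""Added example, not OpenConnect or Juniper code: a constructed local
stand-in for the Juniper logout endpoint, to show what oncp_bye() achieves.
Only the path /dana-na/auth/logout.cgi and the DSID cookie name come from
the commit; the server logic below is an assumption for illustration."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample session: DSID value -> user. Real gateways keep this
# table server-side; the client only ever holds the opaque DSID cookie.
SAMPLE_SESSIONS = {"0123456789abcdef0123456789abcdef": "alice"}


def dsid_from_cookie_header(cookie):
    """Return the DSID value from a Cookie header string, or None."""
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "DSID":
            return value
    return None


class FakeGateway(BaseHTTPRequestHandler):
    """Any GET needs a live DSID; GET /dana-na/auth/logout.cgi kills it."""

    def log_message(self, *args):
        pass  # keep the example quiet

    def do_GET(self):
        dsid = dsid_from_cookie_header(self.headers.get("Cookie", ""))
        if dsid not in self.server.sessions:
            self.send_response(401)  # cookie unknown or already logged out
            self.end_headers()
            return
        if self.path == "/dana-na/auth/logout.cgi":
            del self.server.sessions[dsid]  # the cookie is dead from here on
        self.send_response(200)
        self.end_headers()


def start_gateway():
    """Start the simulated gateway on a random loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), FakeGateway)
    srv.sessions = dict(SAMPLE_SESSIONS)  # fresh copy per server instance
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def get_with_dsid(port, path, dsid):
    """One GET carrying the DSID cookie, as oncp_bye() does for logout."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path, headers={"Cookie": "DSID=" + dsid})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()


def demo(logout=True):
    """Return (status before, logout status or None, status after).

    With logout=False the cookie keeps working: that is the hazard the
    commit fixes. "/" stands in for any other authenticated request."""
    srv = start_gateway()
    port = srv.server_address[1]
    dsid = next(iter(SAMPLE_SESSIONS))
    try:
        before = get_with_dsid(port, "/", dsid)
        bye = get_with_dsid(port, "/dana-na/auth/logout.cgi", dsid) if logout else None
        after = get_with_dsid(port, "/", dsid)
    finally:
        srv.shutdown()
        srv.server_close()
    return before, bye, after


if __name__ == "__main__":
    print("with logout:   ", demo(logout=True))    # (200, 200, 401)
    print("without logout:", demo(logout=False))   # (200, None, 200)
```

Running demo(logout=False) reproduces the situation the commit message warns about: the DSID cookie is still accepted after the client simply disconnects, so anyone who lifts it from a shared log can resume the session. demo(logout=True) shows the same cookie rejected once the logout GET has been sent.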
Showing 3 changed files with 27 additions and 1 deletion.
2 changes: 1 addition & 1 deletion library.c
Expand Up @@ -128,7 +128,7 @@ const struct vpn_proto openconnect_protos[] = {
.pretty_name = N_("Juniper Network Connect"),
.description = N_("Compatible with Juniper Network Connect / Pulse Secure SSL VPN"),
.flags = OC_PROTO_PROXY | OC_PROTO_CSD | OC_PROTO_AUTH_CERT | OC_PROTO_AUTH_OTP,
.vpn_close_session = NULL,
.vpn_close_session = oncp_bye,
.tcp_connect = oncp_connect,
.tcp_mainloop = oncp_mainloop,
.add_http_headers = oncp_common_headers,
25 changes: 25 additions & 0 deletions oncp.c
Expand Up @@ -1261,3 +1261,28 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
/* Work is not done if we just got rid of packets off the queue */
return work_done;
}

int oncp_bye(struct openconnect_info *vpninfo, const char *reason)
{
char *orig_path;
char *res_buf=NULL;
int ret;

/* We need to close and reopen the HTTPS connection (to kill
* the oncp tunnel) and submit a new HTTPS request to logout.
*/
openconnect_close_https(vpninfo, 0);

orig_path = vpninfo->urlpath;
vpninfo->urlpath = strdup("dana-na/auth/logout.cgi"); /* redirect segfaults without strdup */
ret = do_https_request(vpninfo, "GET", NULL, NULL, &res_buf, 0);
vpninfo->urlpath = orig_path;

if (ret < 0)
vpn_progress(vpninfo, PRG_ERR, _("Logout failed.\n"));
else
vpn_progress(vpninfo, PRG_INFO, _("Logout successful.\n"));

free(res_buf);
return ret;
}
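Review bot: the heap copy made at `vpninfo->urlpath = strdup("dana-na/auth/logout.cgi");` is leaked on the normal path: the line `vpninfo->urlpath = orig_path;` restores the old pointer without freeing the current one, so every logout leaks that string (the comment says the redirect code needs a heap copy, which implies it may free and replace urlpath itself, so a `free(vpninfo->urlpath);` immediately before the restore is correct in both cases). The strdup() result is also not checked for NULL before being handed to do_https_request(); returning -ENOMEM there would be safer. Separately, `return ret;` passes through do_https_request()'s non-negative success value rather than 0, so if .vpn_close_session callers test for ret == 0 this should be normalized to `return ret < 0 ? ret : 0;`. The unused `reason` parameter is fine for the hook but deserves a one-line comment.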
1 change: 1 addition & 0 deletions openconnect-internal.h
Expand Up @@ -843,6 +843,7 @@ void oncp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *b
int queue_esp_control(struct openconnect_info *vpninfo, int enable);
int oncp_connect(struct openconnect_info *vpninfo);
int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout);
int oncp_bye(struct openconnect_info *vpninfo, const char *reason);

/* lzs.c */
int lzs_decompress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);
