Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Add openconnect_get_auth_expiration function to library and JNI
This allows protocols to save the moment when a session's authentication
(`vpninfo->cookie`) is expected to expire and no longer be useful for
reconnection.

The motivation is to eventually allow front-ends to know whether
reauthentication is needed, or whether they should try using a cached
cookie.

Current state:

- AnyConnect protocol: expiration is determined from the CONNECT
  response header `X-CSTP-Session-Timeout-Remaining` (with
  `X-CSTP-Session-Timeout` or `X-CSTP-Lease-Duration` as upper bounds in its
  absence)
- GlobalProtect protocol: expiration is determined from the `<lifetime>` tag of
  the XML config.
- Juniper Network Connect protocol: no currently known way to determine
  expiration. The `DSID` cookie is a standard HTTP cookie, so perhaps its
  expiration timestamp is intended for this purpose; however, I can find
  no real-world case where it has an expiration timestamp set.
- None of the currently-supported protocols provide the expiration
  timestamp until the connection phase, so it can't be obtained for
  export by the `--authenticate` option.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
  • Loading branch information
dlenski committed Dec 14, 2020
1 parent 64e9776 commit f152cf7
Show file tree
Hide file tree
Showing 10 changed files with 60 additions and 1 deletion.
12 changes: 12 additions & 0 deletions cstp.c
Expand Up @@ -529,6 +529,18 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)

if (!strcmp(buf + 7, "Keepalive")) {
vpninfo->ssl_times.keepalive = atol(colon);
} else if (!strcmp(buf + 7, "Lease-Duration") ||
!strcmp(buf + 7, "Session-Timeout") ||
!strcmp(buf + 7, "Session-Timeout-Remaining")) {

/* XX: Distinction between Lease-Duration and Session-Timeout is rather unclear. Cisco doc:
* https://www.cisco.com/assets/sol/sb/RV345P_Emulators/RV345P_Emulator_v1-0-01-17/help/help/t_SSL_VPN.html
* Empirically, it appears that the best behavior is to accept whichever of these headers has the
* lowest non-zero value.
*/
long j = atol(colon);
if (j && (!vpninfo->auth_expiration || j < vpninfo->auth_expiration))
vpninfo->auth_expiration = time(NULL) + j;
} else if (!strcmp(buf + 7, "Idle-Timeout")) {
vpninfo->idle_timeout = atol(colon);
} else if (!strcmp(buf + 7, "DPD")) {
Expand Down
2 changes: 1 addition & 1 deletion gpst.c
Expand Up @@ -491,7 +491,7 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
} else if (!xmlnode_get_val(xml_node, "mtu", &s))
vpninfo->ip_info.mtu = atoi(s);
else if (!xmlnode_get_val(xml_node, "lifetime", &s))
vpn_progress(vpninfo, PRG_INFO, _("Session will expire after %d minutes.\n"), atoi(s)/60);
vpninfo->auth_expiration = time(NULL) + atol(s);
else if (!xmlnode_get_val(xml_node, "disconnect-on-idle", &s)) {
int sec = atoi(s);
vpn_progress(vpninfo, PRG_INFO, _("Idle timeout is %d minutes.\n"), sec/60);
Expand Down
3 changes: 3 additions & 0 deletions java/src/com/example/LibTest.java
Expand Up @@ -17,6 +17,7 @@

import java.io.*;
import java.util.*;
import java.time.Instant;
import org.infradead.libopenconnect.LibOpenConnect;

public final class LibTest {
Expand Down Expand Up @@ -279,6 +280,8 @@ else if (ret > 0)

int idleTimeout = lib.getIdleTimeout();
System.out.println("Idle Timeout: " + idleTimeout + " seconds");
Instant authExpiration = lib.getAuthExpiration();
System.out.println("Auth Expiration: " + authExpiration.toString());
printIPInfo(lib.getIPInfo());

if (lib.setupDTLS(60) != 0)
Expand Down
2 changes: 2 additions & 0 deletions java/src/org/infradead/libopenconnect/LibOpenConnect.java
Expand Up @@ -17,6 +17,7 @@

import java.util.ArrayList;
import java.util.HashMap;
import java.time.Instant;

public abstract class LibOpenConnect {

Expand Down Expand Up @@ -166,6 +167,7 @@ public synchronized native void setMobileInfo(String mobilePlatformVersion,
public synchronized native String getDTLSCompression();
public synchronized native String getProtocol();
public synchronized native int getIdleTimeout();
public synchronized native Instant getAuthExpiration();

/* certificate info */

Expand Down
30 changes: 30 additions & 0 deletions jni.c
Expand Up @@ -1164,6 +1164,36 @@ JNIEXPORT jint JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getIdleT
return openconnect_get_idle_timeout(ctx->vpninfo);
}

JNIEXPORT jobject JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getAuthExpiration(
JNIEnv *jenv, jobject jobj)
{
struct libctx *ctx = getctx(jenv, jobj);
jmethodID mid;
jobject result;
jclass jcls;
time_t auth_expiration;

if (!ctx)
return NULL;

auth_expiration = openconnect_get_auth_expiration(ctx->vpninfo);
jcls = (*ctx->jenv)->FindClass(ctx->jenv, "java/time/Instant");
if (jcls == NULL)
goto err;
mid = (*jenv)->GetStaticMethodID(jenv, jcls, "ofEpochSecond", "(J)Ljava/time/Instant;");
if (!mid)
goto err;
result = (*jenv)->CallStaticObjectMethod(jenv, jcls, mid, auth_expiration);
if (result == NULL)
goto err;

return result;

err:
return NULL;
}


/* simple cases: return a const string (no need to free it) */

#define RETURN_STRING_START \
Expand Down
1 change: 1 addition & 0 deletions libopenconnect.map.in
Expand Up @@ -112,6 +112,7 @@ OPENCONNECT_5_7 {
global:
openconnect_set_cookie;
openconnect_set_allow_insecure_crypto;
openconnect_get_auth_expiration;
} OPENCONNECT_5_6;

OPENCONNECT_PRIVATE {
Expand Down
5 changes: 5 additions & 0 deletions library.c
Expand Up @@ -611,6 +611,11 @@ int openconnect_get_idle_timeout(struct openconnect_info *vpninfo)
return vpninfo->idle_timeout;
}

time_t openconnect_get_auth_expiration(struct openconnect_info *vpninfo)
{
return vpninfo->auth_expiration;
}

int openconnect_get_ip_info(struct openconnect_info *vpninfo,
const struct oc_ip_info **info,
const struct oc_vpn_option **cstp_options,
Expand Down
3 changes: 3 additions & 0 deletions main.c
Expand Up @@ -1420,6 +1420,9 @@ static void print_connection_info(struct openconnect_info *vpninfo)
ssl_compr ? " + " : "", ssl_compr ? : "",
vpninfo->proto->udp_protocol ? : "UDP", udp_compr ? " + " : "", udp_compr ? : "",
dtls_state);
if (vpninfo->auth_expiration != 0)
vpn_progress(vpninfo, PRG_INFO, _("Session authentication will expire at %s"),
ctime(&vpninfo->auth_expiration));
}

#ifndef _WIN32
Expand Down
1 change: 1 addition & 0 deletions openconnect-internal.h
Expand Up @@ -567,6 +567,7 @@ struct openconnect_info {
int reconnect_timeout;
int reconnect_interval;
int dtls_attempt_period;
time_t auth_expiration;
time_t new_dtls_started;
#if defined(OPENCONNECT_OPENSSL)
SSL_CTX *dtls_ctx;
Expand Down
2 changes: 2 additions & 0 deletions openconnect.h
Expand Up @@ -39,6 +39,7 @@ extern "C" {
* API version 5.7:
* - Add openconnect_set_cookie()
* - Add openconnect_set_allow_insecure_crypto()
* - Add openconnect_get_auth_expiration()
*
* API version 5.6 (v8.06; 2020-03-31):
* - Add openconnect_set_trojan_interval()
Expand Down Expand Up @@ -532,6 +533,7 @@ void openconnect_set_reqmtu(struct openconnect_info *, int reqmtu);
void openconnect_set_dpd(struct openconnect_info *, int min_seconds);
void openconnect_set_trojan_interval(struct openconnect_info *, int seconds);
int openconnect_get_idle_timeout(struct openconnect_info *);
time_t openconnect_get_auth_expiration(struct openconnect_info *);

/* The returned structures are owned by the library and may be freed/replaced
due to rekey or reconnect. Assume that once the mainloop starts, the
Expand Down

0 comments on commit f152cf7

Please sign in to comment.