1. 08 Jan, 2021 2 commits
    • Merge branch 'assign_privkey-bug' into 'master' · 4a1fda35
      Daniel Lenski authored
      Small memory leak in gnutls.c:assign_privkey
      
      See merge request openconnect/openconnect!160
    • Free pcerts array for all assign_privkey paths. · 3c9479ae
      Tom Carroll authored
      Ensure the array pcerts is free'd for both success/fail paths. The function
      gnutls_certificate_set_key() is odd as it takes ownership of the contents of
      pcerts, but not the pcerts array itself. See:
      
      gnutls-3.6.15/lib/cert-cred.c:gnutls_certificate_set_key()
      ...
      new_pcert_list = gnutls_malloc(sizeof(gnutls_pcert_st) * pcert_list_size);
      if (new_pcert_list == NULL) {
        return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
      }
      memcpy(new_pcert_list, pcert_list, sizeof(gnutls_pcert_st) * pcert_list_size);
      Signed-off-by: Tom Carroll <incentivedesign@gmail.com>
  2. 05 Jan, 2021 5 commits
  3. 14 Dec, 2020 3 commits
    • Merge branch 'openconnect_get_auth_expiration' into 'master' · 14a1c56a
      Daniel Lenski authored
      add auth_expiration (AnyConnect, GP, Pulse) and openconnect_get_auth_expiration() API function
      
      See merge request openconnect/openconnect!156
    • implement `auth_expiration` for Pulse protocol · e646bf0f
      Daniel Lenski authored
      We have many examples of this field (AVP 0x583/0xd5c) being multiples of 60 or 3600,
      strongly suggesting that it's the remaining auth lifetime:
      
      - https://gitlab.com/openconnect/openconnect/-/issues/98: `AVP 0x583/0xd5c: 00 01 fa 40` (0x1fa40 seconds = 36 hours)
      - private communication: `AVP 0x583/0xd5c: 00 00 a9 ec` (0xa9ec seconds = 12 hours)
      - private communication: `AVP 0x583/0xd5c: 00 00 0a 70` (0xa70 seconds = 44 minutes)
      Signed-off-by: Daniel Lenski <dlenski@gmail.com>
    • Add `openconnect_get_auth_expiration` function to library and JNI · f152cf7d
      Daniel Lenski authored
      This allows protocols to save the moment when a session's authentication
      (`vpninfo->cookie`) is expected to expire and no longer be useful for
      reconnection.
      
      The motivation is to eventually allow front-ends to know whether
      reauthentication is needed, or whether they should try using a cached
      cookie.
      
      Current state:
      
      - AnyConnect protocol: expiration is determined from the CONNECT
        response header `X-CSTP-Session-Timeout-Remaining` (with
        `X-CSTP-Session-Timeout` or `X-CSTP-Lease-Duration` as upper bounds in its
        absence)
      - GlobalProtect protocol: expiration is determined from the `<lifetime>` tag of
        the XML config.
      - Juniper Network Connect protocol: no currently known way to determine
        expiration. The `DSID` cookie is a standard HTTP cookie, so perhaps its
        expiration timestamp is intended for this purpose; however, I can find
        no real-world case where it has an expiration timestamp set.
      - None of the currently-supported protocols provide the expiration
        timestamp until the connection phase, so it can't be obtained for
        export by the `--authenticate` option.
      Signed-off-by: Daniel Lenski <dlenski@gmail.com>
  4. 13 Dec, 2020 1 commit
  5. 10 Dec, 2020 1 commit
  6. 09 Dec, 2020 3 commits
  7. 08 Dec, 2020 1 commit
  8. 03 Dec, 2020 1 commit
  9. 01 Dec, 2020 2 commits
  10. 30 Nov, 2020 4 commits
  11. 19 Nov, 2020 5 commits
  12. 17 Nov, 2020 12 commits