The nc protocol lacked a .vpn_close_session function; without logout, the VPN cookie remains active and can be used to restart the session, which is a security hazard?especially when passing around OpenConnect logs on the mailing list for development and troubleshooting. Juniper logout is straightforward: GET /dana-na/auth/logout.cgi (with the appropriate DSID cookie set).
Signed-off-by: Daniel Lenski <dlenski at gmail.com>
---
 library.c | 2 +-
 oncp.c | 25 +++++++++++++++++++++++++
 openconnect-internal.h | 1 +
 3 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/library.c b/library.c
index 824338e..6fb90ed 100644
--- a/library.c
+++ b/library.c
@@ -122,7 +122,7 @@ const struct vpn_proto openconnect_protos[] = {
 #endif
 }, {
 .name = "nc",
- .vpn_close_session = NULL,
+ .vpn_close_session = oncp_bye,
 .tcp_connect = oncp_connect,
 .tcp_mainloop = oncp_mainloop,
 .add_http_headers = oncp_common_headers,
diff --git a/oncp.c b/oncp.c
index 3c7cfa1..f8f7a25 100644
--- a/oncp.c
+++ b/oncp.c
@@ -1257,3 +1257,28 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
 /* Work is not done if we just got rid of packets off the queue */
 return work_done;
 }
+
+int oncp_bye(struct openconnect_info *vpninfo, const char *reason)
+{
+ char *orig_path;
+ char *res_buf=NULL;
+ int ret;
+
+ /* We need to close and reopen the HTTPS connection (to kill
+ * the oncp tunnel) and submit a new HTTPS request to logout.
+ */
+ openconnect_close_https(vpninfo, 0);
+
+ orig_path = vpninfo->urlpath;
+ vpninfo->urlpath = strdup("dana-na/auth/logout.cgi"); /* redirect segfaults without strdup */
+ ret = do_https_request(vpninfo, "GET", NULL, NULL, &res_buf, 0);
+ vpninfo->urlpath = orig_path;
+
+ if (ret < 0)
+ vpn_progress(vpninfo, PRG_ERR, _("Logout failed.\n"));
+ else
+ vpn_progress(vpninfo, PRG_INFO, _("Logout successful.\n"));
+
+ free(res_buf);
+ return ret;
+}
diff --git a/openconnect-internal.h b/openconnect-internal.h
index a24a9e4..ead2e43 100644
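Review bot: The string stored in `vpninfo->urlpath` by oncp_bye is never released: the line `vpninfo->urlpath = orig_path;` overwrites it straight after the do_https_request() call, so the strdup'd path (or whatever do_https_request left in its place after a redirect, as the inline comment hints) leaks on every logout. Freeing it before restoring the original, `free(vpninfo->urlpath);` followed by `vpninfo->urlpath = orig_path;`, covers both cases, provided do_https_request only ever stores heap strings in that field, which the existing strdup workaround already assumes. The strdup() result is also unchecked, so on allocation failure the request would go out with a NULL urlpath; a guard such as `if (!vpninfo->urlpath) { vpninfo->urlpath = orig_path; return -ENOMEM; }` keeps vpninfo consistent and matches the negative-return convention the `ret < 0` test relies on. Separately, the `reason` parameter is unused and could be marked `(void)reason;`, and `res_buf=NULL` should be spaced `res_buf = NULL` like the other assignments in the function.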
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -840,6 +840,7 @@ void oncp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *b
 int queue_esp_control(struct openconnect_info *vpninfo, int enable);
 int oncp_connect(struct openconnect_info *vpninfo);
 int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout);
+int oncp_bye(struct openconnect_info *vpninfo, const char *reason);
 /* lzs.c */
 int lzs_decompress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);
-- 
2.7.4