Fortinet: fix token code generation
authorDaniel Lenski <dlenski@gmail.com>
Mon, 22 Feb 2021 08:42:21 +0000 (00:42 -0800)
committerDaniel Lenski <dlenski@gmail.com>
Mon, 29 Mar 2021 03:57:25 +0000 (20:57 -0700)
And make fake server require this field to be non-empty, in order to test it.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
fortinet.c
library.c
tests/fake-fortinet-server.py

index c7d955904a5c4edc91301068702e051ce9293ba3..c1a451a0d3149c705ba243e562639ab33e5f6470 100644 (file)
@@ -160,6 +160,14 @@ int fortinet_obtain_cookie(struct openconnect_info *vpninfo)
                if (ret == OC_FORM_RESULT_CANCELLED || ret < 0)
                        goto out;
 
+               /* generate token code if specified */
+               ret = do_gen_tokencode(vpninfo, form);
+               if (ret) {
+                       vpn_progress(vpninfo, PRG_ERR, _("Failed to generate OTP tokencode; disabling token\n"));
+                       vpninfo->token_bypassed = 1;
+                       goto out;
+               }
+
                buf_truncate(resp_buf);
                append_form_opts(vpninfo, form, resp_buf);
                buf_append(resp_buf, "&realm=%s", realm ?: ""); /* XX: already URL-escaped */
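Review bot: The failure branch logs "disabling token" and sets `vpninfo->token_bypassed = 1`, but then takes `goto out` with the non-zero `ret`, so this call to fortinet_obtain_cookie still fails and the bypass can only matter on a later attempt. A comment next to the assignment would make that explicit, for example `/* abort this attempt; token_bypassed only affects a retry by the caller */`, after confirming against the caller that such a retry exists. The function starts and ends outside the hunk, so the `out:` cleanup of `form` and `resp_buf`, which from here on may carry the generated code alongside the password, is not visible and should be checked for freeing them on this new exit path.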
index 6558d6c094036ca192840ecc58877574b8e5dc33..0d3d33a6b9bdb436d27bddba5f4c249a12df69c4 100644 (file)
--- a/library.c
+++ b/library.c
@@ -173,7 +173,7 @@ static const struct vpn_proto openconnect_protos[] = {
                .name = "pulse",
                .pretty_name = N_("Pulse Connect Secure"),
                .description = N_("Compatible with Pulse Connect Secure SSL VPN"),
-               .flags = OC_PROTO_PROXY,
+               .flags = OC_PROTO_PROXY | OC_PROTO_AUTH_CERT | OC_PROTO_AUTH_OTP | OC_PROTO_AUTH_STOKEN,
                .vpn_close_session = pulse_bye,
                .tcp_connect = pulse_connect,
                .tcp_mainloop = pulse_mainloop,
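Review bot: The `.flags` change for "pulse" in this hunk, and the one for "f5" in the next hunk, are not covered by the commit title or description, which mention only Fortinet token code generation. These flags presumably tell front-ends which authentication options a protocol supports, so advertising `OC_PROTO_AUTH_OTP | OC_PROTO_AUTH_STOKEN` for pulse should be backed by a token-generation call in the pulse login path, which this diff does not show. Either move the pulse and f5 lines into their own commit or add a sentence to the description saying where that support lives. The same question applies to `OC_PROTO_AUTH_CERT` in the "fortinet" hunk, since nothing else in this commit touches certificate authentication.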
@@ -192,7 +192,7 @@ static const struct vpn_proto openconnect_protos[] = {
                .name = "f5",
                .pretty_name = N_("F5 BIG-IP SSL VPN"),
                .description = N_("Compatible with F5 BIG-IP SSL VPN"),
-               .flags = OC_PROTO_PROXY,
+               .flags = OC_PROTO_PROXY | OC_PROTO_AUTH_CERT,
                .vpn_close_session = f5_bye,
                .tcp_connect = f5_connect,
                .tcp_mainloop = ppp_mainloop,
@@ -212,7 +212,7 @@ static const struct vpn_proto openconnect_protos[] = {
                .name = "fortinet",
                .pretty_name = N_("Fortinet SSL VPN"),
                .description = N_("Compatible with FortiGate SSL VPN"),
-               .flags = OC_PROTO_PROXY,
+               .flags = OC_PROTO_PROXY | OC_PROTO_AUTH_CERT | OC_PROTO_AUTH_OTP | OC_PROTO_AUTH_STOKEN,
                .vpn_close_session = fortinet_bye,
                .tcp_connect = fortinet_connect,
                .tcp_mainloop = ppp_mainloop,
index 757fe989e266d825807fa7e5d557a7bbe15e7656..e88396aa170e8a0e36bd69d1dd4c053f3f063a5d 100755 (executable)
@@ -108,11 +108,11 @@ def login():
 def logincheck():
     want_2fa = session.get('want_2fa')
 
-    if (want_2fa and 'code' in request.form):
+    if (want_2fa and request.form.get('code')):
         return complete_2fa()
-    elif (want_2fa and 'credential' in request.form):
+    elif (want_2fa and request.form.get('username') and request.form.get('credential')):
         return send_2fa_challenge()
-    elif ('credential' in request.form):
+    elif (request.form.get('username') and request.form.get('credential')):
         return complete_non_2fa()
     abort(405)
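Review bot: With `want_2fa` set, a request carrying an empty `code` no longer stops at the first branch; it falls through and, if the client also sent `username` and `credential`, gets a fresh challenge from `send_2fa_challenge()` instead of a failure. Since the change is meant to catch a client that does not fill in the token code, rejecting that case explicitly would make the test stricter: `if want_2fa and 'code' in request.form and not request.form['code']:` followed by `abort(405)`, placed ahead of the existing chain. The expression `request.form.get('username') and request.form.get('credential')` is also written twice and could be computed once into a local such as `has_creds`. A short comment saying that empty fields are deliberately treated as missing would explain why `.get()` replaced the `in` tests.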