The GlobalProtect "cookie" is an overstuffed monstrosity, due to the
requirement to retain a few random, non-secret values in order to logout
successfully (see gpst_bye):
authcookie=
d41d8cd98f00b204e9800998ecf8427e&portal=Gateway-X&user=user.name&domain=big-corp
Until now, I've avoided including the computer field in this cookie, on the assumption that it
can be reproduced at any time using vpninfo->localname. However, it appears that this value can't always
be reproduced correctly when running under NetworkManager:
https://github.com/dlenski/network-manager-openconnect/issues/7
In order to be more robust, this patch therefore also includes the local hostname in the cookie:
authcookie=
d41d8cd98f00b204e9800998ecf8427e&portal=Gateway-X&user=user.name&domain=big-corp&computer=hostname
free(value);
value = NULL;
}
+ append_opt(cookie, "computer", vpninfo->localname);
if (!buf_error(cookie)) {
vpninfo->cookie = cookie->data;
*
* Don't blame me. I didn't design this.
*/
- append_opt(request_body, "computer", vpninfo->localname);
- buf_append(request_body, "&%s", vpninfo->cookie);
+ buf_append(request_body, "%s", vpninfo->cookie);
if ((result = buf_error(request_body)))
goto out;
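Review bot: Dropping the leading `&` on the new `buf_append(request_body, "%s", vpninfo->cookie);` line is only correct if request_body is still empty at this point; the earlier part of the enclosing function is outside the hunk, so I can't confirm that nothing was appended before the removed `append_opt(..., "computer", ...)` call. If any field does precede it, the cookie would be fused onto it without a separator. A short comment such as `/* cookie (authcookie, portal, user, domain, computer) is the first field of the body */` above the line would make the assumption explicit for the next reader.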
if (!vpninfo->csd_token)
return -ENOMEM;
- /* use localname and cookie (excluding volatile authcookie and preferred-ip) to build md5sum */
+ /* use cookie (excluding volatile authcookie and preferred-ip) to build md5sum */
buf = buf_alloc();
- append_opt(buf, "computer", vpninfo->localname);
filter_opts(buf, vpninfo->cookie, "authcookie,preferred-ip", 0);
if (buf_error(buf))
goto out;
const char *method = "POST";
char *xml_buf=NULL, *orig_path;
- /* cookie gives us these fields: authcookie, portal, user, domain, and (maybe the unnecessary) preferred-ip */
+ /* cookie gives us these fields: authcookie, portal, user, domain, computer, and (maybe the unnecessary) preferred-ip */
buf_append(request_body, "client-role=global-protect-full&%s", vpninfo->cookie);
- append_opt(request_body, "computer", vpninfo->localname);
append_opt(request_body, "client-ip", vpninfo->ip_info.addr);
if (report) {
/* XML report contains many characters requiring URL-encoding (%xx) */
hip_argv[i++] = openconnect_utf8_to_legacy(vpninfo, vpninfo->csd_wrapper);
hip_argv[i++] = (char *)"--cookie";
hip_argv[i++] = vpninfo->cookie;
- hip_argv[i++] = (char *)"--computer";
- hip_argv[i++] = vpninfo->localname;
hip_argv[i++] = (char *)"--client-ip";
hip_argv[i++] = (char *)vpninfo->ip_info.addr;
hip_argv[i++] = (char *)"--md5";
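Review bot: Removing `--computer` from hip_argv changes the command-line contract of the csd_wrapper script, and any user-supplied HIP report script written against the old interface will now silently receive no hostname. If custom wrapper scripts are a supported use case, the change should be called out (e.g. in the comment describing the HIP argv, or the changelog) with the note that the hostname must now be parsed from the `computer=` field of `--cookie`. Also worth stating there that a cookie produced by an older `--authenticate` run will not carry `computer=` at all, so scripts should treat a missing value as an error rather than send an empty hostname.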
#
# --cookie: a URL-encoded string, as output by openconnect
# --authenticate --protocol=gp, which includes parameters
-# --from the /ssl-vpn/login.esp response
-#
-# --computer: local hostname, which can be overriden with
-# --openconnect local-hostname=HOSTNAME
+# from the /ssl-vpn/login.esp response
#
# --client-ip: IPv4 address allocated by the GlobalProtect VPN for
# this client (included in /ssl-vpn/getconfig.esp
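Review bot: The header comment for `--cookie` no longer mentions that the script now depends on the `computer=` field inside the cookie, even though `--computer` was deleted from the option list and the hostname is extracted from the cookie further down. I would extend the new line to `# from the /ssl-vpn/login.esp response, including the computer= (local hostname) field` so the documented input matches what the script actually requires.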
# Read command line arguments into variables
COOKIE=
-COMPUTER=
IP=
MD5=
while [ "$1" ]; do
if [ "$1" = "--cookie" ]; then shift; COOKIE="$1"; fi
- if [ "$1" = "--computer" ]; then shift; COMPUTER="$1"; fi
if [ "$1" = "--client-ip" ]; then shift; IP="$1"; fi
if [ "$1" = "--md5" ]; then shift; MD5="$1"; fi
shift
done
-if [ -z "$COOKIE" -o -z "$COMPUTER" -o -z "$IP" -o -z "$MD5" ]; then
+if [ -z "$COOKIE" -o -z "$IP" -o -z "$MD5" ]; then
echo "Parameters --cookie, --computer, --client-ip, and --md5 are required" >&2
exit 1;
fi
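Review bot: The usage error still lists `--computer` as required although the new condition on the line above no longer checks it; the message should read `echo "Parameters --cookie, --client-ip, and --md5 are required" >&2`. Since COMPUTER is now derived from the cookie in the following hunk instead of being validated here, a cookie that predates this change (no `computer=` field) yields an empty COMPUTER without any diagnostic; adding `if [ -z "$COMPUTER" ]; then echo "Cookie does not contain computer= field" >&2; exit 1; fi` after that extraction would preserve the old fail-fast behaviour.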
-# Extract username and domain from cookie
+# Extract username and domain and computer from cookie
USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p')
DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p')
+COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p')
# Timestamp in the format expected by GlobalProtect server
NOW=$(date +'%m/%d/%Y %H:%M:%S')