add oncp_bye() to logout the Juniper session
authorDaniel Lenski <dlenski@gmail.com>
Sun, 8 Jan 2017 20:27:54 +0000 (12:27 -0800)
committerDavid Woodhouse <dwmw2@infradead.org>
Sun, 14 May 2017 23:33:19 +0000 (16:33 -0700)
The nc protocol lacked a .vpn_close_session function; without logout, the
VPN cookie remains active and can be used to restart the session, which is a
security hazard—especially when passing around OpenConnect logs on the
mailing list for development and troubleshooting.

Juniper logout is straightforward: GET /dana-na/auth/logout.cgi (with the
appropriate DSID cookie set).

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
library.c
oncp.c
openconnect-internal.h

index 59217a9e03e2f871dc685f67abc835ae1d088951..6ab74410e52f894e6eb064417652c65178df8724 100644 (file)
--- a/library.c
+++ b/library.c
@@ -128,7 +128,7 @@ const struct vpn_proto openconnect_protos[] = {
                .pretty_name = N_("Juniper Network Connect"),
                .description = N_("Compatible with Juniper Network Connect / Pulse Secure SSL VPN"),
                .flags = OC_PROTO_PROXY | OC_PROTO_CSD | OC_PROTO_AUTH_CERT | OC_PROTO_AUTH_OTP,
-               .vpn_close_session = NULL,
+               .vpn_close_session = oncp_bye,
                .tcp_connect = oncp_connect,
                .tcp_mainloop = oncp_mainloop,
                .add_http_headers = oncp_common_headers,
diff --git a/oncp.c b/oncp.c
index 2a2e354eb0f286d19b8350cd03ac19c6fbcd30d8..5bd8b9e03adf32d699d01834e55b99426a7fbd9b 100644 (file)
--- a/oncp.c
+++ b/oncp.c
@@ -1261,3 +1261,28 @@ int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout)
        /* Work is not done if we just got rid of packets off the queue */
        return work_done;
 }
+
+int oncp_bye(struct openconnect_info *vpninfo, const char *reason)
+{
+       char *orig_path;
+       char *res_buf=NULL;
+       int ret;
+
+       /* We need to close and reopen the HTTPS connection (to kill
+        * the oncp tunnel) and submit a new HTTPS request to logout.
+        */
+       openconnect_close_https(vpninfo, 0);
+
+       orig_path = vpninfo->urlpath;
+       vpninfo->urlpath = strdup("dana-na/auth/logout.cgi"); /* redirect segfaults without strdup */
+       ret = do_https_request(vpninfo, "GET", NULL, NULL, &res_buf, 0);
+       vpninfo->urlpath = orig_path;
+
+       if (ret < 0)
+               vpn_progress(vpninfo, PRG_ERR, _("Logout failed.\n"));
+       else
+               vpn_progress(vpninfo, PRG_INFO, _("Logout successful.\n"));
+
+       free(res_buf);
+       return ret;
+}
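Review bot: The strdup() that installs the logout path is unchecked, so on allocation failure vpninfo->urlpath is NULL when do_https_request() runs; guard it with `if (!vpninfo->urlpath) { vpninfo->urlpath = orig_path; return -ENOMEM; }`. The duplicated string also looks leaked: the line that restores orig_path simply overwrites the pointer, and unless do_https_request() takes ownership on every path (the inline comment suggests it frees urlpath only when following a redirect) the copy is lost — `free(vpninfo->urlpath);` immediately before `vpninfo->urlpath = orig_path;` releases whichever string the request left behind. The unused `reason` parameter is dictated by the vpn_close_session signature; a `(void)reason;` or a one-line comment stating that would keep -Wunused-parameter quiet. Given the motivation in the commit message, the header comment should also say that a negative return means the logout request did not complete and the DSID cookie may still be valid server-side, so callers can decide whether to retry.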
index 0e87268fee1a91e2f675da2dc00c4b9d91867b54..117ca19e846554be34e0234f630792e433ce8565 100644 (file)
@@ -843,6 +843,7 @@ void oncp_common_headers(struct openconnect_info *vpninfo, struct oc_text_buf *b
 int queue_esp_control(struct openconnect_info *vpninfo, int enable);
 int oncp_connect(struct openconnect_info *vpninfo);
 int oncp_mainloop(struct openconnect_info *vpninfo, int *timeout);
+int oncp_bye(struct openconnect_info *vpninfo, const char *reason);
 
 /* lzs.c */
 int lzs_decompress(unsigned char *dst, int dstlen, const unsigned char *src, int srclen);