From 21d3cfd8715113c9b6edccfc5de030625cb8a8a5 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Mon, 22 Feb 2021 00:42:21 -0800
Subject: [PATCH] Fortinet: fix token code generation

And make fake server require this field to be non-empty, in order to test it.

Signed-off-by: Daniel Lenski
---
 fortinet.c | 8 ++++++++
 library.c | 6 +++---
 tests/fake-fortinet-server.py | 6 +++---
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/fortinet.c b/fortinet.c
index c7d95590..c1a451a0 100644
--- a/fortinet.c
+++ b/fortinet.c
@@ -160,6 +160,14 @@ int fortinet_obtain_cookie(struct openconnect_info *vpninfo)
 if (ret == OC_FORM_RESULT_CANCELLED || ret < 0)
 goto out;
+ /* generate token code if specified */
+ ret = do_gen_tokencode(vpninfo, form);
+ if (ret) {
+ vpn_progress(vpninfo, PRG_ERR, _("Failed to generate OTP tokencode; disabling token\n"));
+ vpninfo->token_bypassed = 1;
+ goto out;
+ }
+
 buf_truncate(resp_buf);
 append_form_opts(vpninfo, form, resp_buf);
 buf_append(resp_buf, "&realm=%s", realm ?: ""); /* XX: already URL-escaped */
diff --git a/library.c b/library.c
index 6558d6c0..0d3d33a6 100644
--- a/library.c
+++ b/library.c
@@ -173,7 +173,7 @@ static const struct vpn_proto openconnect_protos[] = {
 .name = "pulse",
 .pretty_name = N_("Pulse Connect Secure"),
 .description = N_("Compatible with Pulse Connect Secure SSL VPN"),
- .flags = OC_PROTO_PROXY,
+ .flags = OC_PROTO_PROXY | OC_PROTO_AUTH_CERT | OC_PROTO_AUTH_OTP | OC_PROTO_AUTH_STOKEN,
 .vpn_close_session = pulse_bye,
 .tcp_connect = pulse_connect,
 .tcp_mainloop = pulse_mainloop,
@@ -192,7 +192,7 @@ static const struct vpn_proto openconnect_protos[] = {
 .name = "f5",
 .pretty_name = N_("F5 BIG-IP SSL VPN"),
 .description = N_("Compatible with F5 BIG-IP SSL VPN"),
- .flags = OC_PROTO_PROXY,
+ .flags = OC_PROTO_PROXY | OC_PROTO_AUTH_CERT,
 .vpn_close_session = f5_bye,
 .tcp_connect = f5_connect,
 .tcp_mainloop = ppp_mainloop,
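Review bot: In the block added to fortinet_obtain_cookie(), the failure path logs "disabling token" and sets `vpninfo->token_bypassed = 1`, but then leaves through `goto out`, so nothing visible in this hunk retries without the token and the attempt ends with whatever do_gen_tokencode() returned. If the flag is meant to affect only a later attempt, a comment would make that explicit, for example `/* token_bypassed applies to the next attempt; this one fails with ret */`. The `if (ret)` test treats any non-zero value as failure, so it is worth confirming that do_gen_tokencode() never returns a positive value that the `out` path would hand back to the caller. The function starts and ends outside the hunk, so the cleanup done at `out` cannot be checked from here.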
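Review bot: The `.flags` changes for "pulse" (this hunk) and "f5" (the next hunk) are not covered by the commit message, which only describes Fortinet token codes; the "fortinet" entry in the third library.c hunk is the only one tied to code added by this patch. These flags presumably advertise which authentication methods a protocol supports, so `OC_PROTO_AUTH_OTP | OC_PROTO_AUTH_STOKEN` is accurate only where the protocol's login path really calls do_gen_tokencode(), and this diff shows that for fortinet.c alone. Either name the pulse and f5 corrections in the description or split them into their own commit. A one-line comment above each changed `.flags`, such as `/* OTP/STOKEN: token code is filled in by do_gen_tokencode() during login */`, would help keep the table and the auth code in step.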
@@ -212,7 +212,7 @@ static const struct vpn_proto openconnect_protos[] = {
 .name = "fortinet",
 .pretty_name = N_("Fortinet SSL VPN"),
 .description = N_("Compatible with FortiGate SSL VPN"),
- .flags = OC_PROTO_PROXY,
+ .flags = OC_PROTO_PROXY | OC_PROTO_AUTH_CERT | OC_PROTO_AUTH_OTP | OC_PROTO_AUTH_STOKEN,
 .vpn_close_session = fortinet_bye,
 .tcp_connect = fortinet_connect,
 .tcp_mainloop = ppp_mainloop,
diff --git a/tests/fake-fortinet-server.py b/tests/fake-fortinet-server.py
index 757fe989..e88396aa 100755
--- a/tests/fake-fortinet-server.py
+++ b/tests/fake-fortinet-server.py
@@ -108,11 +108,11 @@ def login():
 def logincheck():
 want_2fa = session.get('want_2fa')
- if (want_2fa and 'code' in request.form):
+ if (want_2fa and request.form.get('code')):
 return complete_2fa()
- elif (want_2fa and 'credential' in request.form):
+ elif (want_2fa and request.form.get('username') and request.form.get('credential')):
 return send_2fa_challenge()
- elif ('credential' in request.form):
+ elif (request.form.get('username') and request.form.get('credential')):
 return complete_non_2fa()
 abort(405)
--
2.49.0
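Review bot: The 2FA branch of logincheck() now requires a non-empty `code` but, unlike the two branches below it, does not require `username`, and it accepts any non-empty value. That catches a client that sends an empty token field, but not one that sends a wrong or stale code; whether complete_2fa() checks the value is not visible in this hunk. If the test is meant to cover generation and not only presence, compare the submitted code with the expected one there, and otherwise record the limit with `# any non-empty 'code' passes; the value is not verified here`. Requests with empty fields now fall through to `abort(405)`, so a status that describes bad input, such as `abort(400)`, would make test failures easier to read.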