From 882474738c118688eb07e7e873740c43f7d29448 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Wed, 14 Apr 2021 12:40:37 -0700 Subject: [PATCH] Fortinet: don't keep retrying if cookie is invalid on reconnect The fortinet_configure() requests return 302 redirects to '/remote/login' if the auth session/cookie is no longer valid. We should detect this and return -EPERM rather than -EINVAL, so that ssl_reconnect() doesn't keep trying to reconnect. NB: Detecting this redirect is perhaps a bit harder than it should be, because do_https_request() returns 0, rather than the real HTTP status code (e.g. 302), in the case of a successful-but-unfetched redirect. Signed-off-by: Daniel Lenski --- fortinet.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/fortinet.c b/fortinet.c index e6ad038a..f9958c57 100644 --- a/fortinet.c +++ b/fortinet.c @@ -451,6 +451,17 @@ static int fortinet_configure(struct openconnect_info *vpninfo) ret = do_https_request(vpninfo, "GET", NULL, NULL, &res_buf, 0); if (ret < 0) goto out; + else if (ret == 0) { + /* This is normally a redirect to /remote/login, which + * indicates that the auth session/cookie is no longer valid. + * + * XX: See do_https_request() for why ret==0 can only happen + * if there was a successful-but-unfetched redirect. + */ + invalid_cookie: + ret = -EPERM; + goto out; + } /* We don't care what it returned as long as it was successful */ free(res_buf); res_buf = NULL; @@ -464,7 +475,8 @@ static int fortinet_configure(struct openconnect_info *vpninfo) vpn_progress(vpninfo, PRG_ERR, _("Server doesn't support XML config format. Ancient HTML format is not currently implemented.\n")); goto out; - } + } else if (ret == 0) + goto invalid_cookie; ret = parse_fortinet_xml_config(vpninfo, res_buf, ret, &ipv4, &ipv6); if (ret) -- 2.50.1
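Review bot: In the first hunk of fortinet_configure() (the new else if (ret == 0) branch after the first do_https_request() call), every unfetched redirect is mapped to -EPERM without confirming that its target is /remote/login, and nothing is logged, so the user sees reconnection stop with no stated reason. The comment itself says this is only "normally" the login redirect. Suggest checking the redirect target where it is available, and emitting a vpn_progress(vpninfo, PRG_ERR, ...) message saying the session cookie is no longer valid before setting ret = -EPERM, as the XML-format error path further down already does. The leading else is also redundant after goto out.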
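Review bot: In the second hunk, goto invalid_cookie jumps into the body of the else if (ret == 0) block added by the first hunk, because the invalid_cookie: label sits inside that block. This is legal C but easy to break when either branch is edited later, and the unbraced "} else if (ret == 0)" following a braced block is inconsistent. Suggest moving the label out of the conditional to the function's error-exit area next to out, or setting ret = -EPERM and using goto out directly at both sites. The XX comment also depends on do_https_request() returning 0 only for an unfetched redirect, yet this patch touches only fortinet.c; documenting that return value at do_https_request() would keep both call sites from silently relying on it.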