From f2f3f3ffbb7ce32c81290bf0b5113abc83df5e0e Mon Sep 17 00:00:00 2001
From: Daniel Lenski <dlenski@gmail.com>
Date: Tue, 31 Aug 2021 17:49:27 -0700
Subject: [PATCH] Clarify Fortinet no-valid-cookie error paths
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

When requesting connection options in XML format…

1. A redirect indicates invalid cookie only if it is to /remote/login
2. A 403 followed by a fetch of the HTML format connection options
   indicates an ancient FortiOS version only if the HTML fetch is actually
   *successful* (200)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
---
 fortinet.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/fortinet.c b/fortinet.c
index 725f402d..bd422c88 100644
--- a/fortinet.c
+++ b/fortinet.c
@@ -636,7 +636,7 @@ static int fortinet_configure(struct openconnect_info *vpninfo)
 			 */
 			vpninfo->urlpath = strdup("remote/fortisslvpn");
 			int ret2 = do_https_request(vpninfo, "GET", NULL, NULL, &res_buf, NULL, HTTP_NO_FLAGS);
-			if (ret2 == 0)
+			if (ret2 > 0)
 				vpn_progress(vpninfo, PRG_ERR,
 					     _("Ancient Fortinet server (<v5?) only supports ancient HTML config, which is not implemented by OpenConnect.\n"));
 			else
@@ -649,16 +649,17 @@ static int fortinet_configure(struct openconnect_info *vpninfo)
 		}
 		goto out;
 	} else if (ret == 0) {
-		/* This is normally a redirect to /remote/login, which
-		 * indicates that the auth session/cookie is no longer valid.
+		/* A redirect to /remote/login also indicates that the auth session/cookie
+		 * is no longer valid, and appears to occur only on older FortiGate
+		 * versions.
 		 *
 		 * XX: See do_https_request() for why ret==0 can only happen
 		 * if there was a successful-but-unfetched redirect.
 		 */
-#if 0
-	invalid_cookie:
-#endif
-		ret = -EPERM;
+		if (vpninfo->urlpath && !strncmp(vpninfo->urlpath, "remote/login", 12))
+			ret = -EPERM;
+		else
+			ret = -EINVAL;
 		goto out;
 	}
 
-- 
2.50.1