subject:"Re\: \[PATCH\] Fix stoken support for Juniper VPN"

Re: [PATCH] Fix stoken support for Juniper VPN

2018-11-05 Thread David Woodhouse

On Sun, 2018-11-04 at 15:45 -0600, Andy Wang wrote:
> David,
> This is the stoken patch that you asked about on my other thread.

Thanks. Rather than adding a third copy of the same code, I've shifted
it to the generic function. Please could you test git HEAD.


smime.p7s
Description: S/MIME cryptographic signature
___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Re: [PATCH] Fix stoken support for Juniper VPN

2018-11-04 Thread Andy Wang

David,
This is the stoken patch that you asked about on my other thread.

Thanks,
Andy

On Fri, Sep 7, 2018 at 10:49 AM Andy Wang  wrote:
>
> Ensure stoken seed is properly prepared using block copied from Cisco
> VPN support in auth.c
>
> Signed-off-by: Andy Wang 
> ---
>  auth-juniper.c | 8 
>  1 file changed, 8 insertions(+)
>
> diff --git a/auth-juniper.c b/auth-juniper.c
> index 30ceb3ae..bc560823 100644
> --- a/auth-juniper.c
> +++ b/auth-juniper.c
> @@ -576,6 +576,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
> char *form_id = NULL;
> int try_tncc = !!vpninfo->csd_wrapper;
>
> +#ifdef HAVE_LIBSTOKEN
> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
> +ret = prepare_stoken(vpninfo);
> +if (ret)
> +goto out;
> +}
> +#endif
> +
> resp_buf = buf_alloc();
> if (buf_error(resp_buf))
> return -ENOMEM;
> --
> 2.17.1
>

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Re: [PATCH] Fix stoken support for Juniper VPN

2018-09-07 Thread Andy Wang

Per the discussion I had on a much older attempt to patch this with
Daniel Lenski, I pulled out the not-so-great attempt to fix the form
field for the token support and just patched the prepare_stoken chunk
that's required for the token to work.

Thanks,
Andy
On Fri, Sep 7, 2018 at 10:49 AM Andy Wang  wrote:
>
> Ensure stoken seed is properly prepared using block copied from Cisco
> VPN support in auth.c
>
> Signed-off-by: Andy Wang 
> ---
>  auth-juniper.c | 8 
>  1 file changed, 8 insertions(+)
>
> diff --git a/auth-juniper.c b/auth-juniper.c
> index 30ceb3ae..bc560823 100644
> --- a/auth-juniper.c
> +++ b/auth-juniper.c
> @@ -576,6 +576,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
> char *form_id = NULL;
> int try_tncc = !!vpninfo->csd_wrapper;
>
> +#ifdef HAVE_LIBSTOKEN
> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
> +ret = prepare_stoken(vpninfo);
> +if (ret)
> +goto out;
> +}
> +#endif
> +
> resp_buf = buf_alloc();
> if (buf_error(resp_buf))
> return -ENOMEM;
> --
> 2.17.1
>

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Re: [PATCH] Fix stoken support for Juniper VPN

2018-04-10 Thread Daniel Lenski

On Tue, Apr 10, 2018 at 2:26 PM, Andy Wang  wrote:
>
> Another follow up on this.  Is there something I should change to get
> this considered for inclusion?

I don't know if there are any developers who have access to a Juniper
VPN with RSA soft-token in order to test this but…

> On Wed, Dec 20, 2017 at 9:05 PM, Andy Wang  wrote:
> > On Wed, Nov 22, 2017 at 8:33 PM, Andy Wang  wrote:
> >> Allow using stoken code for frmLogin form type.
> >> Ensure stoken seed is properly prepared using block copied from Cisco
> >> VPN support in auth.c
> >>
> >> Signed-off-by: Andy Wang 
> >> ---
> >>  auth-juniper.c | 11 ++-
> >>  1 file changed, 10 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/auth-juniper.c b/auth-juniper.c
> >> index 4b889d6..d818cf3 100644
> >> --- a/auth-juniper.c
> >> +++ b/auth-juniper.c
> >> @@ -77,7 +77,8 @@ static int oncp_can_gen_tokencode(struct 
> >> openconnect_info *vpninfo,
> >>
> >> if (strcmp(form->auth_id, "frmDefender") &&
> >> strcmp(form->auth_id, "frmNextToken") &&
> >> -   strcmp(form->auth_id, "ftmTotpToken"))
> >> +   strcmp(form->auth_id, "ftmTotpToken") &&
> >> +   strcmp(form->auth_id, "frmLogin"))
> >> return -EINVAL;
> >>
> >> return can_gen_tokencode(vpninfo, form, opt);

The concern here would be the frmLogin is the "default" login form for
Juniper. If there's a form field in frmLogin with type="password" …
how can openconnect distinguish whether this is the token field, or
the "normal" password field?

I believe most Juniper VPNs using RSA/stoken would use the token in a
secondary login form, with one of the form names that are already in
the source code.

There are a few reports on the mailing list of VPNs like yours where
the token-code goes in the "primary" password field, rather than a
specifically-identified "secondary" token field. No solution
implemented yet, but see David's proposal for a more general-purpose
solution here:
http://lists.infradead.org/pipermail/openconnect-devel/2017-August/004450.html

> >> @@ -570,6 +571,14 @@ int oncp_obtain_cookie(struct openconnect_info 
> >> *vpninfo)
> >> char *form_id = NULL;
> >> int try_tncc = !!vpninfo->csd_wrapper;
> >>
> >> +#ifdef HAVE_LIBSTOKEN
> >> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
> >> +ret = prepare_stoken(vpninfo);
> >> +if (ret)
> >> +goto out;
> >> +}
> >> +#endif
> >> +
> >> resp_buf = buf_alloc();
> >> if (buf_error(resp_buf))
> >> return -ENOMEM;
> >> --
> >> 2.14.3
> >>

This one seems like a simple oversight that would be required for
_any_ Juniper VPN to use stoken correctly. Thumbs up.

Dan

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Re: [PATCH] Fix stoken support for Juniper VPN

2018-04-10 Thread Andy Wang

Another follow up on this.  Is there something I should change to get
this considered for inclusion?

Thanks,
Andy

On Wed, Dec 20, 2017 at 9:05 PM, Andy Wang  wrote:
> Any thoughts on this?  Something I should do different?
>
> Thanks,
> Andy
>
> On Wed, Nov 22, 2017 at 8:33 PM, Andy Wang  wrote:
>> Allow using stoken code for frmLogin form type.
>> Ensure stoken seed is properly prepared using block copied from Cisco
>> VPN support in auth.c
>>
>> Signed-off-by: Andy Wang 
>> ---
>>  auth-juniper.c | 11 ++-
>>  1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/auth-juniper.c b/auth-juniper.c
>> index 4b889d6..d818cf3 100644
>> --- a/auth-juniper.c
>> +++ b/auth-juniper.c
>> @@ -77,7 +77,8 @@ static int oncp_can_gen_tokencode(struct openconnect_info 
>> *vpninfo,
>>
>> if (strcmp(form->auth_id, "frmDefender") &&
>> strcmp(form->auth_id, "frmNextToken") &&
>> -   strcmp(form->auth_id, "ftmTotpToken"))
>> +   strcmp(form->auth_id, "ftmTotpToken") &&
>> +   strcmp(form->auth_id, "frmLogin"))
>> return -EINVAL;
>>
>> return can_gen_tokencode(vpninfo, form, opt);
>> @@ -570,6 +571,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
>> char *form_id = NULL;
>> int try_tncc = !!vpninfo->csd_wrapper;
>>
>> +#ifdef HAVE_LIBSTOKEN
>> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
>> +ret = prepare_stoken(vpninfo);
>> +if (ret)
>> +goto out;
>> +}
>> +#endif
>> +
>> resp_buf = buf_alloc();
>> if (buf_error(resp_buf))
>> return -ENOMEM;
>> --
>> 2.14.3
>>

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Re: [PATCH] Fix stoken support for Juniper VPN

2017-12-20 Thread Andy Wang

Any thoughts on this?  Something I should do different?

Thanks,
Andy

On Wed, Nov 22, 2017 at 8:33 PM, Andy Wang  wrote:
> Allow using stoken code for frmLogin form type.
> Ensure stoken seed is properly prepared using block copied from Cisco
> VPN support in auth.c
>
> Signed-off-by: Andy Wang 
> ---
>  auth-juniper.c | 11 ++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/auth-juniper.c b/auth-juniper.c
> index 4b889d6..d818cf3 100644
> --- a/auth-juniper.c
> +++ b/auth-juniper.c
> @@ -77,7 +77,8 @@ static int oncp_can_gen_tokencode(struct openconnect_info 
> *vpninfo,
>
> if (strcmp(form->auth_id, "frmDefender") &&
> strcmp(form->auth_id, "frmNextToken") &&
> -   strcmp(form->auth_id, "ftmTotpToken"))
> +   strcmp(form->auth_id, "ftmTotpToken") &&
> +   strcmp(form->auth_id, "frmLogin"))
> return -EINVAL;
>
> return can_gen_tokencode(vpninfo, form, opt);
> @@ -570,6 +571,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
> char *form_id = NULL;
> int try_tncc = !!vpninfo->csd_wrapper;
>
> +#ifdef HAVE_LIBSTOKEN
> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
> +ret = prepare_stoken(vpninfo);
> +if (ret)
> +goto out;
> +}
> +#endif
> +
> resp_buf = buf_alloc();
> if (buf_error(resp_buf))
> return -ENOMEM;
> --
> 2.14.3
>

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel

Re: [PATCH] Fix stoken support for Juniper VPN

Re: [PATCH] Fix stoken support for Juniper VPN

Re: [PATCH] Fix stoken support for Juniper VPN

Re: [PATCH] Fix stoken support for Juniper VPN

Re: [PATCH] Fix stoken support for Juniper VPN

Re: [PATCH] Fix stoken support for Juniper VPN

6 matches

Site Navigation

Mail list logo

Footer information