Re: [PATCH] Fix stoken support for Juniper VPN

2018-11-04 Thread Andy Wang
David,
This is the stoken patch that you asked about on my other thread.

Thanks,
Andy

On Fri, Sep 7, 2018 at 10:49 AM Andy Wang  wrote:
>
> Ensure stoken seed is properly prepared using block copied from Cisco
> VPN support in auth.c
>
> Signed-off-by: Andy Wang 
> ---
>  auth-juniper.c | 8 
>  1 file changed, 8 insertions(+)
>
> diff --git a/auth-juniper.c b/auth-juniper.c
> index 30ceb3ae..bc560823 100644
> --- a/auth-juniper.c
> +++ b/auth-juniper.c
> @@ -576,6 +576,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
> char *form_id = NULL;
> int try_tncc = !!vpninfo->csd_wrapper;
>
> +#ifdef HAVE_LIBSTOKEN
> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
> +ret = prepare_stoken(vpninfo);
> +if (ret)
> +goto out;
> +}
> +#endif
> +
> resp_buf = buf_alloc();
> if (buf_error(resp_buf))
> return -ENOMEM;
> --
> 2.17.1
>

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel


Re: Complicated web login flows with Pulse Secure VPN

2018-11-04 Thread Andy Wang
On Sun, Nov 4, 2018 at 11:55 AM David Woodhouse  wrote:
>
> Remind me of those please. As I prepare for the 8.0 release it would be
> good to pull those in unless they're completely horrible hacks specific
> to your setup.
>

The second patch I mentioned was a pretty bad hack (especially after
discussing it with Daniel Lenski).  Worked for me but definitely not
the right solution.  The issue is my work VPN used the same loginForm
form ID for both password and stoken input.  So there was no easy way
to distinguish the two and I made an ugly hack that worked but results
in failed login attempts as it tries the token id as the password field.
I'll re-send the stoken patch request and add you to the thread so you
can see that one.

>
> It's been talked about, repeatedly :)
>
> The first step is to add a 'webview' callback method which the GUI
> authentications can implement, which bypasses the current hackish HTML
> screen-scraping. That much is relatively easy, in fact, but then we'd
> need to do the WebKitGtk stuff inside the NetworkManager auth-dialog
> for GNOME and KDE, etc.
>
> If there's a volunteer for the latter, I could certainly put together
> the former. I'm just not that keen on throwing together the API change
> for the webview callback without properly testing it.

I'd definitely be interested, but I haven't done any C/C++ programming
in nearly 2 decades now :)
If I get some time on this I might try to dust off the rust and see
how I can do with it, but I'm not counting on making any real headway
at least not soon.  If I get some serious time I'll let you know.

Thanks for the info,
Andy


Complicated web login flows with Pulse Secure VPN

2018-10-30 Thread Andy Wang
I was, up until very recently, using openconnect and
NetworkManager-openconnect to connect to my work VPN.  I had a private
hack to make the stoken stuff work (it was submitted in an email on
this list) as well as another hack to deal with our token form not
having the same expected form type.

A couple of weeks ago we moved to a whole new login flow, where we now
are redirected to a SAML login page for authentication and then
prompted to choose one of two types of MFA access - token code or
mobile application notification based.

With the more complicated flow I've had to switch back to the Pulse
Secure client, which embeds a WebKitGTK UI to handle those flows.

Just curious, but is there anyone working on some similar flow support
with NetworkManager-openconnect?  I'm guessing that this type of
authentication is way outside of the scope of openconnect's built-in
HTML client.  (Pulse Secure's CLI client can't handle this login flow
either.)

Unfortunately I'm so removed from C/C++ programming that I wouldn't
even know where to begin on something like this, but just wondering if
there's anything on the horizon I can help with, even if it's just
being able to test stuff.

Thanks,


Re: [PATCH] Fix stoken support for Juniper VPN

2018-09-07 Thread Andy Wang
Per the discussion I had on a much older attempt to patch this with
Daniel Lenski, I pulled out the not-so-great attempt to fix the form
field for the token support and just patched the prepare_stoken chunk
that's required for the token to work.

Thanks,
Andy
On Fri, Sep 7, 2018 at 10:49 AM Andy Wang  wrote:
>
> Ensure stoken seed is properly prepared using block copied from Cisco
> VPN support in auth.c
>
> Signed-off-by: Andy Wang 
> ---
>  auth-juniper.c | 8 
>  1 file changed, 8 insertions(+)
>
> diff --git a/auth-juniper.c b/auth-juniper.c
> index 30ceb3ae..bc560823 100644
> --- a/auth-juniper.c
> +++ b/auth-juniper.c
> @@ -576,6 +576,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
> char *form_id = NULL;
> int try_tncc = !!vpninfo->csd_wrapper;
>
> +#ifdef HAVE_LIBSTOKEN
> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
> +ret = prepare_stoken(vpninfo);
> +if (ret)
> +goto out;
> +}
> +#endif
> +
> resp_buf = buf_alloc();
> if (buf_error(resp_buf))
> return -ENOMEM;
> --
> 2.17.1
>


[PATCH] Fix stoken support for Juniper VPN

2018-09-07 Thread Andy Wang
Ensure stoken seed is properly prepared using block copied from Cisco
VPN support in auth.c

Signed-off-by: Andy Wang 
---
 auth-juniper.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/auth-juniper.c b/auth-juniper.c
index 30ceb3ae..bc560823 100644
--- a/auth-juniper.c
+++ b/auth-juniper.c
@@ -576,6 +576,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
char *form_id = NULL;
int try_tncc = !!vpninfo->csd_wrapper;
 
+#ifdef HAVE_LIBSTOKEN
+if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
+ret = prepare_stoken(vpninfo);
+if (ret)
+goto out;
+}
+#endif
+
resp_buf = buf_alloc();
if (buf_error(resp_buf))
return -ENOMEM;
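Review bot: the `goto out` in the added block runs before `resp_buf = buf_alloc()` has executed, so it depends on the function's `out:` cleanup tolerating a `resp_buf` (and the other locals declared above it, such as `form_id`) that were never allocated; confirm those declarations initialise to NULL, or move the block after the allocation. Reusing `ret` for the `prepare_stoken()` result does address the uninitialised-`ret` point raised earlier in this thread. The commit message should also say that this mirrors the block in auth.c's Cisco path, so that a later cleanup can share the code rather than keep two copies.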
-- 
2.17.1



Re: [PATCH] Fix stoken support for Juniper VPN

2018-04-10 Thread Andy Wang
Another follow up on this.  Is there something I should change to get
this considered for inclusion?

Thanks,
Andy

On Wed, Dec 20, 2017 at 9:05 PM, Andy Wang <do...@moonteeth.com> wrote:
> Any thoughts on this?  Something I should do different?
>
> Thanks,
> Andy
>
> On Wed, Nov 22, 2017 at 8:33 PM, Andy Wang <do...@moonteeth.com> wrote:
>> Allow using stoken code for frmLogin form type.
>> Ensure stoken seed is properly prepared using block copied from Cisco
>> VPN support in auth.c
>>
>> Signed-off-by: Andy Wang <do...@moonteeth.com>
>> ---
>>  auth-juniper.c | 11 ++-
>>  1 file changed, 10 insertions(+), 1 deletion(-)
>>
>> diff --git a/auth-juniper.c b/auth-juniper.c
>> index 4b889d6..d818cf3 100644
>> --- a/auth-juniper.c
>> +++ b/auth-juniper.c
>> @@ -77,7 +77,8 @@ static int oncp_can_gen_tokencode(struct openconnect_info 
>> *vpninfo,
>>
>> if (strcmp(form->auth_id, "frmDefender") &&
>> strcmp(form->auth_id, "frmNextToken") &&
>> -   strcmp(form->auth_id, "ftmTotpToken"))
>> +   strcmp(form->auth_id, "ftmTotpToken") &&
>> +   strcmp(form->auth_id, "frmLogin"))
>> return -EINVAL;
>>
>> return can_gen_tokencode(vpninfo, form, opt);
>> @@ -570,6 +571,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
>> char *form_id = NULL;
>> int try_tncc = !!vpninfo->csd_wrapper;
>>
>> +#ifdef HAVE_LIBSTOKEN
>> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
>> +ret = prepare_stoken(vpninfo);
>> +if (ret)
>> +goto out;
>> +}
>> +#endif
>> +
>> resp_buf = buf_alloc();
>> if (buf_error(resp_buf))
>> return -ENOMEM;
>> --
>> 2.14.3
>>


Re: [PATCH] Fix stoken support for Juniper VPN

2017-12-20 Thread Andy Wang
Any thoughts on this?  Something I should do different?

Thanks,
Andy

On Wed, Nov 22, 2017 at 8:33 PM, Andy Wang <do...@moonteeth.com> wrote:
> Allow using stoken code for frmLogin form type.
> Ensure stoken seed is properly prepared using block copied from Cisco
> VPN support in auth.c
>
> Signed-off-by: Andy Wang <do...@moonteeth.com>
> ---
>  auth-juniper.c | 11 ++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/auth-juniper.c b/auth-juniper.c
> index 4b889d6..d818cf3 100644
> --- a/auth-juniper.c
> +++ b/auth-juniper.c
> @@ -77,7 +77,8 @@ static int oncp_can_gen_tokencode(struct openconnect_info 
> *vpninfo,
>
> if (strcmp(form->auth_id, "frmDefender") &&
> strcmp(form->auth_id, "frmNextToken") &&
> -   strcmp(form->auth_id, "ftmTotpToken"))
> +   strcmp(form->auth_id, "ftmTotpToken") &&
> +   strcmp(form->auth_id, "frmLogin"))
> return -EINVAL;
>
> return can_gen_tokencode(vpninfo, form, opt);
> @@ -570,6 +571,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
> char *form_id = NULL;
> int try_tncc = !!vpninfo->csd_wrapper;
>
> +#ifdef HAVE_LIBSTOKEN
> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
> +ret = prepare_stoken(vpninfo);
> +if (ret)
> +goto out;
> +}
> +#endif
> +
> resp_buf = buf_alloc();
> if (buf_error(resp_buf))
> return -ENOMEM;
> --
> 2.14.3
>


Re: openconnect stoken support not working properly with our form

2017-11-15 Thread Andy Wang
On Mon, Nov 13, 2017 at 11:57 PM, Kevin Cernekee  wrote:
>
> You can delete "Step 1" since oncp_obtain_cookie() isn't annotated the
> same way as cstp_obtain_cookie().
>

>
> This can probably reuse |ret| (otherwise |ret| will be left
> uninitialized).  Be sure to test the case where the user hits Cancel
> on the PIN form, and the case where libstoken returns an error (like
> from a missing stokenrc file).
>
>> +}
>> +#endif
>> +
>> resp_buf = buf_alloc();
>> if (buf_error(resp_buf))
>> return -ENOMEM;

Thanks,
I can't figure out how to line wrap a diff from git for it to be happy
with Gmail so trying the new patch as an attachment.  If the stokenrc
file doesn't exist it exits gracefully with
Can't open ~/.stokenrc file

I'm not sure what you mean by hits Cancel on the PIN form.  There is
no UI for that in the command line openconnect, right?
If you're referring to the NetworkManager UI, that was actually my
next step.  The patched openconnect doesn't work there and I can't
figure out why.  I have literally no clue what I'm doing looking at
the network-manager-openconnect repo.  It looks like it mostly uses
libopenconnect to interface, but it also appears to exec an
openconnect binary without the --token-* arguments.
That's where I'm hoping to learn more when I have a bit of time.

Andy
---
 auth-juniper.c | 11 ++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/auth-juniper.c b/auth-juniper.c
index 4b889d6..d818cf3 100644
--- a/auth-juniper.c
+++ b/auth-juniper.c
@@ -77,7 +77,8 @@ static int oncp_can_gen_tokencode(struct openconnect_info *vpninfo,
 
 	if (strcmp(form->auth_id, "frmDefender") &&
 	strcmp(form->auth_id, "frmNextToken") &&
-	strcmp(form->auth_id, "ftmTotpToken"))
+	strcmp(form->auth_id, "ftmTotpToken") &&
+	strcmp(form->auth_id, "frmLogin"))
 		return -EINVAL;
 
 	return can_gen_tokencode(vpninfo, form, opt);
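Review bot: adding "frmLogin" to the accepted auth_id list makes the token generator fire on the primary username/password form as well, not only on the second-factor form, because (as the rest of this thread reports) both forms share the frmLogin ID and a type="password" field; the result described later in the thread is the generated token code being submitted as the password and a failed login attempt. A discriminator other than the form ID is needed before this hunk is mergeable. Separately, the unchanged context line compares against "ftmTotpToken" while the commit quoted elsewhere in this thread reports the server's form ID as 'frmTotpToken'; worth checking whether that pre-existing string is a typo before extending the list around it.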
@@ -570,6 +571,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo)
 	char *form_id = NULL;
 	int try_tncc = !!vpninfo->csd_wrapper;
 
+#ifdef HAVE_LIBSTOKEN
+if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
+ret = prepare_stoken(vpninfo);
+if (ret)
+goto out;
+}
+#endif
+
 	resp_buf = buf_alloc();
 	if (buf_error(resp_buf))
 		return -ENOMEM;
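Review bot: the added lines inside the `#ifdef` are at column 0 while the surrounding function body (see the `char *form_id = NULL;` context line) is tab-indented; indent the `if`/`ret =`/`goto out` lines to match, leaving only `#ifdef HAVE_LIBSTOKEN` and `#endif` unindented. Since a non-zero `ret` from `prepare_stoken()` is now propagated through `goto out`, the two error paths named in the review should be exercised explicitly: the user cancelling the PIN prompt, and libstoken failing (for example a missing stokenrc file), checking in both cases that the function returns the error rather than continuing to the form exchange.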


Re: openconnect stoken support not working properly with our form

2017-11-13 Thread Andy Wang
On Sun, Nov 12, 2017 at 11:16 AM, Kevin Cernekee  wrote:
> I worked on the original stoken integration, but have only ever used
> it with Cisco VPNs.  It looks like the Juniper logic was updated in
> this commit:
>
> commit 1ff34cb9689fbaf57decac537df1e32e799bb9c7
> Author: Janne Juntunen 
> Date:   Tue Nov 29 22:37:22 2016 +
>
> Add support for Google Authenticator 2fa on Juniper VPN
>
> We recently changed our Juniper VPN from SMS 2fa to use Google
> Authenticator instead. Before it worked perfectly with "openconnect
> --juniper" switch, but after the change all we got was:
>
> Unknown form ID 'frmTotpToken'
> and a dump of the form.
>
> I spent some time debugging the issue, and managed to write a very
> simple fix for it.
>
> Signed-off-by: Janne Juntunen 
> Signed-off-by: David Woodhouse 
>
> Maybe the Google Authenticator form (OC_TOKEN_MODE_TOTP) needs to be
> handled differently from the RSA SecurID form (OC_TOKEN_MODE_STOKEN).

I had done some more digging and adding:

+   strcmp(form->auth_id, "ftmTotpToken") &&
+   strcmp(form->auth_id, "frmLogin"))

gets me part of the way there.  The problem is both the 2FA and actual password
forms use the same frmLogin form type and type="password" form field.

I initially thought that was the only problem so I hacked http.c to set a
vpninfo->token_successful (and then skipped generating a token
if that was already successful).

That still didn't solve my problem and I used --dump-http-traffic and saw that
the stoken code being sent is completely different than what
the stoken command actually generates.  I had no idea why that would
have been the case.

That's where I was last at when I put this aside to get real work done :)

Andy


openconnect stoken support not working properly with our form

2017-08-20 Thread Andy Wang
I've been trying to figure out why openconnect's --token-mode support
isn't working with my work's VPN and I finally dug through the source
and HTML forms enough to understand, I think.  (My C is extremely rusty
as it's been well over 10 years since I've actively coded in it.)  It
looks like, from the function:

static int oncp_can_gen_tokencode(struct openconnect_info *vpninfo,
				  struct oc_auth_form *form,
				  struct oc_form_opt *opt)
{
	if (vpninfo->token_mode == OC_TOKEN_MODE_NONE ||
	    vpninfo->token_bypassed)
		return -EINVAL;

	if (strcmp(form->auth_id, "frmDefender") &&
	    strcmp(form->auth_id, "frmNextToken") &&
	    strcmp(form->auth_id, "ftmTotpToken"))
		return -EINVAL;

	return can_gen_tokencode(vpninfo, form, opt);
}

that a token is only used if the form name is frmDefender,
frmNextToken or frmTotpToken.  Our first login form that expects
username/RSA token is frmLogin.

Is my work's form unusual and incorrect or is this just a limitation
with how openconnect tries to determine the difference in the password
field and token form?

Any thoughts on ways to make this work?  I'm using an expect script to
log in to our VPN which works well, but I thought it'd be nice to use
the built-in token capabilities (and if it does work I could even use
NetworkManager's GUI).  If frmLogin is wrong, any suggestions on where
to find this in Juniper documentation?  I tried to Google the publicly
available docs but couldn't find any specifics.  Even if their form is
wrong, I can pretty much guarantee that they have no interest in
changing it since it's only us "weird" Linux users that might be
having this problem :)

In case it makes a difference I'm using the fedora 26 package:
openconnect-7.08-2.fc26.x86_64

Thanks,
Andy
