Startseite Erkunden Hilfe
Anmelden
vimacs
/
openconnect
Beobachten 1
Favorit hinzufügen 0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: a8c89f9683
Branches Tags
openconnect
/
http-auth.c

http-auth.c 8.3 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316 
  1. /*
    2. 

  2.  * OpenConnect (SSL + DTLS) VPN client
    3. 

  3.  *
    4. 

  4.  * Copyright © 2008-2015 Intel Corporation.
    5. 

  5.  *
    6. 

  6.  * Author: David Woodhouse <dwmw2@infradead.org>
    7. 

  7.  *
    8. 

  8.  * This program is free software; you can redistribute it and/or
    9. 

  9.  * modify it under the terms of the GNU Lesser General Public License
    10. 

  10.  * version 2.1, as published by the Free Software Foundation.
    11. 

  11.  *
    12. 

  12.  * This program is distributed in the hope that it will be useful, but
    13. 

  13.  * WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    15. 

  15.  * Lesser General Public License for more details.
    16. 

  16.  */
    17. 

  17. 

  18. #include <config.h>
    19. 

  19. 

  20. #include "openconnect-internal.h"
    21. 

  21. 

  22. #include <unistd.h>
    23. 

  23. #include <fcntl.h>
    24. 

  24. 

  25. #include <time.h>
    26. 

  26. #include <string.h>
    27. 

  27. #include <ctype.h>
    28. 

  28. #include <errno.h>
    29. 

  29. #include <stdlib.h>
    30. 

  30. #include <stdio.h>
    31. 

  31. #include <stdarg.h>
    32. 

  32. 

  33. static int basic_authorization(struct openconnect_info *vpninfo, int proxy,
    34. 

  34. 			       struct http_auth_state *auth_state,
    35. 

  35. 			       struct oc_text_buf *hdrbuf)
    36. 

  36. {
    37. 

  37. 	struct oc_text_buf *text;
    38. 

  38. 	const char *user, *pass;
    39. 

  39. 

  40. 	if (proxy) {
    41. 

  41. 		user = vpninfo->proxy_user;
    42. 

  42. 		pass = vpninfo->proxy_pass;
    43. 

  43. 	} else {
    44. 

  44. 		/* Need to parse this out of the URL */
    45. 

  45. 		return -EINVAL;
    46. 

  46. 	}
    47. 

  47. 

  48. 	if (!user || !pass)
    49. 

  49. 		return -EINVAL;
    50. 

  50. 

  51. 	if (auth_state->state == AUTH_IN_PROGRESS) {
    52. 

  52. 		auth_state->state = AUTH_FAILED;
    53. 

  53. 		return -EAGAIN;
    54. 

  54. 	}
    55. 

  55. 

  56. 	text = buf_alloc();
    57. 

  57. 	buf_append(text, "%s:%s", user, pass);
    58. 

  58. 	if (buf_error(text))
    59. 

  59. 		return buf_free(text);
    60. 

  60. 

  61. 	buf_append(hdrbuf, "%sAuthorization: Basic ", proxy ? "Proxy-" : "");
    62. 

  62. 	buf_append_base64(hdrbuf, text->data, text->pos, 0);
    63. 

  63. 	buf_append(hdrbuf, "\r\n");
    64. 

  64. 

  65. 	memset(text->data, 0, text->pos);
    66. 

  66. 	buf_free(text);
    67. 

  67. 

  68. 	if (proxy)
    69. 

  69. 		vpn_progress(vpninfo, PRG_INFO, _("Attempting HTTP Basic authentication to proxy\n"));
    70. 

  70. 	else
    71. 

  71. 		vpn_progress(vpninfo, PRG_INFO, _("Attempting HTTP Basic authentication to server '%s'\n"),
    72. 

  72. 			     vpninfo->hostname);
    73. 

  73. 

  74. 	auth_state->state = AUTH_IN_PROGRESS;
    75. 

  75. 	return 0;
    76. 

  76. }
    77. 

  77. 

  78. static int bearer_authorization(struct openconnect_info *vpninfo, int proxy,
    79. 

  79. 			       struct http_auth_state *auth_state,
    80. 

  80. 			       struct oc_text_buf *hdrbuf)
    81. 

  81. {
    82. 

  82. 	const char *bearer_token = vpninfo->bearer_token;
    83. 

  83. 

  84. 	if (proxy) {
    85. 

  85. 		return -EINVAL;
    86. 

  86. 	}
    87. 

  87. 

  88. 	if (!bearer_token)
    89. 

  89. 		return -EINVAL;
    90. 

  90. 

  91. 	if (auth_state->state == AUTH_IN_PROGRESS) {
    92. 

  92. 		auth_state->state = AUTH_FAILED;
    93. 

  93. 		return -EAGAIN;
    94. 

  94. 	}
    95. 

  95. 

  96. 	buf_append(hdrbuf, "Authorization: Bearer %s\r\n", bearer_token);
    97. 

  97. 

  98. 	vpn_progress(vpninfo, PRG_INFO, _("Attempting HTTP Bearer authentication to server '%s'\n"),
    99. 

  99. 				vpninfo->hostname);
    100. 

  100. 

  101. 	auth_state->state = AUTH_IN_PROGRESS;
    102. 

  102. 	return 0;
    103. 

  103. }
    104. 

  104. 

  105. #if !defined(HAVE_GSSAPI) && !defined(_WIN32)
    106. 

  106. static int no_gssapi_authorization(struct openconnect_info *vpninfo, int proxy,
    107. 

  107. 				   struct http_auth_state *auth_state,
    108. 

  108. 				   struct oc_text_buf *hdrbuf)
    109. 

  109. {
    110. 

  110. 	/* This comes last so just complain. We're about to bail. */
    111. 

  111. 	vpn_progress(vpninfo, PRG_ERR,
    112. 

  112. 		     _("This version of OpenConnect was built without GSSAPI support\n"));
    113. 

  113. 	auth_state->state = AUTH_FAILED;
    114. 

  114. 	return -ENOENT;
    115. 

  115. }
    116. 

  116. #endif
    117. 

  117. 

  118. struct auth_method {
    119. 

  119. 	int state_index;
    120. 

  120. 	const char *name;
    121. 

  121. 	int (*authorization)(struct openconnect_info *, int, struct http_auth_state *, struct oc_text_buf *);
    122. 

  122. 	void (*cleanup)(struct openconnect_info *, struct http_auth_state *);
    123. 

  123. } auth_methods[] = {
    124. 

  124. #if defined(HAVE_GSSAPI) || defined(_WIN32)
    125. 

  125. 	{ AUTH_TYPE_GSSAPI, "Negotiate", gssapi_authorization, cleanup_gssapi_auth },
    126. 

  126. #endif
    127. 

  127. 	{ AUTH_TYPE_NTLM, "NTLM", ntlm_authorization, cleanup_ntlm_auth },
    128. 

  128. 	{ AUTH_TYPE_DIGEST, "Digest", digest_authorization, NULL },
    129. 

  129. 	{ AUTH_TYPE_BASIC, "Basic", basic_authorization, NULL },
    130. 

  130. 	{ AUTH_TYPE_BEARER, "Bearer", bearer_authorization, NULL },
    131. 

  131. #if !defined(HAVE_GSSAPI) && !defined(_WIN32)
    132. 

  132. 	{ AUTH_TYPE_GSSAPI, "Negotiate", no_gssapi_authorization, NULL }
    133. 

  133. #endif
    134. 

  134. };
    135. 

  135. 

  136. /* Generate Proxy-Authorization: header for request if appropriate */
    137. 

  137. int gen_authorization_hdr(struct openconnect_info *vpninfo, int proxy,
    138. 

  138. 			  struct oc_text_buf *buf)
    139. 

  139. {
    140. 

  140. 	int ret;
    141. 

  141. 	int i;
    142. 

  142. 

  143. 	for (i = 0; i < ARRAY_SIZE(auth_methods); i++) {
    144. 

  144. 		struct http_auth_state *auth_state;
    145. 

  145. 		if (proxy)
    146. 

  146. 			auth_state = &vpninfo->proxy_auth[auth_methods[i].state_index];
    147. 

  147. 		else
    148. 

  148. 			auth_state = &vpninfo->http_auth[auth_methods[i].state_index];
    149. 

  149. 

  150. 		if (auth_state->state == AUTH_DEFAULT_DISABLED) {
    151. 

  151. 			if (proxy)
    152. 

  152. 				vpn_progress(vpninfo, PRG_ERR,
    153. 

  153. 					     _("Proxy requested Basic authentication which is disabled by default\n"));
    154. 

  154. 			else
    155. 

  155. 				vpn_progress(vpninfo, PRG_ERR,
    156. 

  156. 					     _("Server '%s' requested Basic authentication which is disabled by default\n"),
    157. 

  157. 					       vpninfo->hostname);
    158. 

  158. 			auth_state->state = AUTH_FAILED;
    159. 

  159. 			return -EINVAL;
    160. 

  160. 		}
    161. 

  161. 

  162. 

  163. 		if (auth_state->state > AUTH_UNSEEN) {
    164. 

  164. 			ret = auth_methods[i].authorization(vpninfo, proxy, auth_state, buf);
    165. 

  165. 			if (ret == -EAGAIN || !ret)
    166. 

  166. 				return ret;
    167. 

  167. 		}
    168. 

  168. 	}
    169. 

  169. 	vpn_progress(vpninfo, PRG_INFO, _("No more authentication methods to try\n"));
    170. 

  170. 

  171. 	if (vpninfo->retry_on_auth_fail) {
    172. 

  172. 		/* Try again without the X-Support-HTTP-Auth: header */
    173. 

  173. 		vpninfo->try_http_auth = 0;
    174. 

  174. 		return 0;
    175. 

  175. 	}
    176. 

  176. 	return -ENOENT;
    177. 

  177. }
    178. 

  178. 

  179. /* Returns non-zero if it matched */
    180. 

  180. static int handle_auth_proto(struct openconnect_info *vpninfo,
    181. 

  181. 			     struct http_auth_state *auth_states,
    182. 

  182. 			     struct auth_method *method, char *hdr)
    183. 

  183. {
    184. 

  184. 	struct http_auth_state *auth = &auth_states[method->state_index];
    185. 

  185. 	int l = strlen(method->name);
    186. 

  186. 

  187. 	if (auth->state <= AUTH_FAILED)
    188. 

  188. 		return 0;
    189. 

  189. 

  190. 	if (strncmp(method->name, hdr, l))
    191. 

  191. 		return 0;
    192. 

  192. 	if (hdr[l] != ' ' && hdr[l] != 0)
    193. 

  193. 		return 0;
    194. 

  194. 

  195. 	if (auth->state == AUTH_UNSEEN)
    196. 

  196. 		auth->state = AUTH_AVAILABLE;
    197. 

  197. 

  198. 	free(auth->challenge);
    199. 

  199. 	if (hdr[l])
    200. 

  200. 		auth->challenge = strdup(hdr + l + 1);
    201. 

  201. 	else
    202. 

  202. 		auth->challenge = NULL;
    203. 

  203. 

  204. 	return 1;
    205. 

  205. }
    206. 

  206. 

  207. int proxy_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val)
    208. 

  208. {
    209. 

  209. 	int i;
    210. 

  210. 

  211. 	if (!strcasecmp(hdr, "Proxy-Connection") ||
    212. 

  212. 	    !strcasecmp(hdr, "Connection")) {
    213. 

  213. 		if (!strcasecmp(val, "close"))
    214. 

  214. 			vpninfo->proxy_close_during_auth = 1;
    215. 

  215. 		return 0;
    216. 

  216. 	}
    217. 

  217. 

  218. 	if (strcasecmp(hdr, "Proxy-Authenticate"))
    219. 

  219. 		return 0;
    220. 

  220. 

  221. 	for (i = 0; i < ARRAY_SIZE(auth_methods); i++) {
    222. 

  222. 		/* Return once we've found a match */
    223. 

  223. 		if (handle_auth_proto(vpninfo, vpninfo->proxy_auth, &auth_methods[i], val))
    224. 

  224. 			return 0;
    225. 

  225. 	}
    226. 

  226. 

  227. 	return 0;
    228. 

  228. }
    229. 

  229. 

  230. int http_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val)
    231. 

  231. {
    232. 

  232. 	int i;
    233. 

  233. 

  234. 	if (!strcasecmp(hdr, "X-HTTP-Auth-Support") &&
    235. 

  235. 	    !strcasecmp(val, "fallback")) {
    236. 

  236. 		vpninfo->retry_on_auth_fail = 1;
    237. 

  237. 		return 0;
    238. 

  238. 	}
    239. 

  239. 

  240. 	if (strcasecmp(hdr, "WWW-Authenticate"))
    241. 

  241. 		return 0;
    242. 

  242. 

  243. 	for (i = 0; i < ARRAY_SIZE(auth_methods); i++) {
    244. 

  244. 		/* Return once we've found a match */
    245. 

  245. 		if (handle_auth_proto(vpninfo, vpninfo->http_auth, &auth_methods[i], val))
    246. 

  246. 			return 0;
    247. 

  247. 	}
    248. 

  248. 

  249. 	return 0;
    250. 

  250. }
    251. 

  251. 

  252. void clear_auth_states(struct openconnect_info *vpninfo,
    253. 

  253. 		       struct http_auth_state *auth_states, int reset)
    254. 

  254. {
    255. 

  255. 	int i;
    256. 

  256. 

  257. 	for (i = 0; i < ARRAY_SIZE(auth_methods); i++) {
    258. 

  258. 		struct http_auth_state *auth = &auth_states[auth_methods[i].state_index];
    259. 

  259. 

  260. 		/* The 'reset' argument is set when we're connected successfully,
    261. 

  261. 		   to fully reset the state to allow another connection to start
    262. 

  262. 		   again. Otherwise, we need to remember which auth methods have
    263. 

  263. 		   been tried and should not be attempted again. */
    264. 

  264. 		if (reset && auth_methods[i].cleanup)
    265. 

  265. 			auth_methods[i].cleanup(vpninfo, auth);
    266. 

  266. 

  267. 		free(auth->challenge);
    268. 

  268. 		auth->challenge = NULL;
    269. 

  269. 		/* If it *failed* don't try it again even next time */
    270. 

  270. 		if (auth->state <= AUTH_FAILED)
    271. 

  271. 			continue;
    272. 

  272. 		if (reset || auth->state == AUTH_AVAILABLE)
    273. 

  273. 			auth->state = AUTH_UNSEEN;
    274. 

  274. 	}
    275. 

  275. }
    276. 

  276. 

  277. static int set_authmethods(struct openconnect_info *vpninfo, struct http_auth_state *auth_states,
    278. 

  278. 			   const char *methods)
    279. 

  279. {
    280. 

  280. 	int i, len;
    281. 

  281. 	const char *p;
    282. 

  282. 

  283. 	for (i = 0; i < ARRAY_SIZE(auth_methods); i++)
    284. 

  284. 		auth_states[auth_methods[i].state_index].state = AUTH_DISABLED;
    285. 

  285. 

  286. 	while (methods) {
    287. 

  287. 		p = strchr(methods, ',');
    288. 

  288. 		if (p) {
    289. 

  289. 			len = p - methods;
    290. 

  290. 			p++;
    291. 

  291. 		} else
    292. 

  292. 			len = strlen(methods);
    293. 

  293. 

  294. 		for (i = 0; i < ARRAY_SIZE(auth_methods); i++) {
    295. 

  295. 			if (strprefix_match(methods, len, auth_methods[i].name) ||
    296. 

  296. 			    (auth_methods[i].state_index == AUTH_TYPE_GSSAPI &&
    297. 

  297. 			     strprefix_match(methods, len, "gssapi"))) {
    298. 

  298. 				auth_states[auth_methods[i].state_index].state = AUTH_UNSEEN;
    299. 

  299. 				break;
    300. 

  300. 			}
    301. 

  301. 		}
    302. 

  302. 		methods = p;
    303. 

  303. 	}
    304. 

  304. 	return 0;
    305. 

  305. }
    306. 

  306. 

  307. int openconnect_set_http_auth(struct openconnect_info *vpninfo, const char *methods)
    308. 

  308. {
    309. 

  309. 	return set_authmethods(vpninfo, vpninfo->http_auth, methods);
    310. 

  310. }
    311. 

  311. 

  312. int openconnect_set_proxy_auth(struct openconnect_info *vpninfo, const char *methods)
    313. 

  313. {
    314. 

  314. 	return set_authmethods(vpninfo, vpninfo->proxy_auth, methods);
    315. 

  315. }
    316. 

  316.