From 1239b6ea58fbd487f4d56af0e6a058d9da1f66b2 Mon Sep 17 00:00:00 2001
From: David Woodhouse <David.Woodhouse@intel.com>
Date: Mon, 23 Jun 2014 17:57:19 +0100
Subject: [PATCH] Add SOCKS GSSAPI auth

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
---
 gssapi.c               | 200 +++++++++++++++++++++++++++++++++++++++--
 http.c                 |  13 ++-
 openconnect-internal.h |   1 +
 www/changelog.xml      |   2 +-
 4 files changed, 205 insertions(+), 11 deletions(-)

diff --git a/gssapi.c b/gssapi.c
index 68db5d76..5806fa3c 100644
--- a/gssapi.c
+++ b/gssapi.c
@@ -42,19 +42,20 @@ static void print_gss_err(struct openconnect_info *vpninfo, OM_uint32 err_maj, O
 	} while (msg_ctx);
 }
 
-static int gssapi_setup(struct openconnect_info *vpninfo)
+static int gssapi_setup(struct openconnect_info *vpninfo, const char *service)
 {
 	OM_uint32 major, minor;
 	gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
-	char *service;
+	char *name;
 
-	if (asprintf(&service, "HTTP@%s", vpninfo->proxy) == -1)
+	if (asprintf(&name, "%s@%s", service, vpninfo->proxy) == -1)
 		return -ENOMEM;
-	token.length = strlen(service);
-	token.value = service;
+	token.length = strlen(name);
+	token.value = name;
 
-	major = gss_import_name(&minor, &token, (gss_OID)GSS_C_NT_HOSTBASED_SERVICE, &vpninfo->gss_target_name);
-	free(service);
+	major = gss_import_name(&minor, &token, (gss_OID)GSS_C_NT_HOSTBASED_SERVICE,
+				&vpninfo->gss_target_name);
+	free(name);
 	if (GSS_ERROR(major)) {
 		print_gss_err(vpninfo, major, minor);
 		return -EIO;
@@ -71,7 +72,7 @@ int gssapi_authorization(struct openconnect_info *vpninfo, struct oc_text_buf *h
 	gss_buffer_desc in = GSS_C_EMPTY_BUFFER;
 	gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
 
-	if (vpninfo->auth[AUTH_TYPE_GSSAPI].state == AUTH_AVAILABLE && gssapi_setup(vpninfo)) {
+	if (vpninfo->auth[AUTH_TYPE_GSSAPI].state == AUTH_AVAILABLE && gssapi_setup(vpninfo, "HTTP")) {
 		vpninfo->auth[AUTH_TYPE_GSSAPI].state = AUTH_FAILED;
 		return -EIO;
 	}
@@ -128,3 +129,186 @@ void cleanup_gssapi_auth(struct openconnect_info *vpninfo)
 	gss_delete_sec_context(&minor, &vpninfo->gss_context, GSS_C_NO_BUFFER);
 	vpninfo->gss_context = GSS_C_NO_CONTEXT;
 }
+
+int socks_gssapi_auth(struct openconnect_info *vpninfo)
+{
+	gss_buffer_desc in = GSS_C_EMPTY_BUFFER;
+	gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
+	OM_uint32 major, minor;
+	unsigned char *pktbuf;
+	int i;
+	int ret = -EIO;
+
+	if (gssapi_setup(vpninfo, "rcmd"))
+		return -EIO;
+
+	/* So that cleanup_gssapi_auth actally does something */
+	vpninfo->auth[AUTH_TYPE_GSSAPI].state = AUTH_IN_PROGRESS;
+
+	pktbuf = malloc(65538);
+	if (!pktbuf)
+		return -ENOMEM;
+	while (1) {
+		major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, &vpninfo->gss_context,
+					     vpninfo->gss_target_name, GSS_C_NO_OID, GSS_C_MUTUAL_FLAG,
+					     GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, &in, NULL,
+					     &out, NULL, NULL);
+		in.value = NULL;
+		if (major == GSS_S_COMPLETE) {
+			vpn_progress(vpninfo, PRG_DEBUG,
+				     _("GSSAPI authentication completed\n"));
+			gss_release_buffer(&minor, &out);
+			ret = 0;
+			break;
+		}
+		if (major != GSS_S_CONTINUE_NEEDED) {
+			print_gss_err(vpninfo, major, minor);
+			break;
+		}
+		if (out.length > 65535) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("GSSAPI token too large (%ld bytes)\n"),
+				     out.length);
+			break;
+		}
+
+		pktbuf[0] = 1; /* ver */
+		pktbuf[1] = 1; /* mtyp */
+		pktbuf[2] = (out.length >> 8) & 0xff;
+		pktbuf[3] = out.length & 0xff;
+		memcpy(pktbuf + 4, out.value, out.length);
+
+		free(out.value);
+
+		vpn_progress(vpninfo, PRG_TRACE,
+			     _("Sending GSSAPI token of %zu bytes\n"), out.length + 4);
+
+		i = vpninfo->ssl_write(vpninfo, (void *)pktbuf, out.length + 4);
+		if (i < 0) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Failed to send GSSAPI authentication token to proxy: %s\n"),
+				     strerror(-i));
+			break;
+		}
+
+		i = vpninfo->ssl_read(vpninfo, (void *)pktbuf, 4);
+		if (i < 0) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Failed to receive GSSAPI authentication token from proxy: %s\n"),
+				     strerror(-i));
+			break;
+		}
+		if (pktbuf[1] == 0xff) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("SOCKS server reported GSSAPI context failure\n"));
+			break;
+		} else if (pktbuf[1] != 1) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Unknown GSSAPI status response (0x%02x) from SOCKS server\n"),
+				     pktbuf[1]);
+			break;
+		}
+		in.length = (pktbuf[2] << 8) | pktbuf[3];
+		in.value = pktbuf;
+
+		i = vpninfo->ssl_read(vpninfo, (void *)pktbuf, in.length);
+		if (i < 0) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Failed to receive GSSAPI authentication token from proxy: %s\n"),
+				     strerror(-i));
+			break;
+		}
+		vpn_progress(vpninfo, PRG_TRACE, _("Got GSSAPI token of %zu bytes: %02x %02x %02x %02x\n"),
+			     in.length, pktbuf[0], pktbuf[1], pktbuf[2], pktbuf[3]);
+	}
+
+	if (!ret) {
+		ret = -EIO;
+
+		pktbuf[0] = 0;
+		in.value = pktbuf;
+		in.length = 1;
+
+		major = gss_wrap(&minor, vpninfo->gss_context, 0,
+				 GSS_C_QOP_DEFAULT, &in, NULL, &out);
+		if (major != GSS_S_COMPLETE) {
+			print_gss_err(vpninfo, major, minor);
+			goto err;
+		}
+
+		pktbuf[0] = 1;
+		pktbuf[1] = 2;
+		pktbuf[2] = (out.length >> 8) & 0xff;
+		pktbuf[3] = out.length & 0xff;
+		memcpy(pktbuf + 4, out.value, out.length);
+
+		free(out.value);
+
+		vpn_progress(vpninfo, PRG_TRACE,
+			     _("Sending GSSAPI protection negotiation of %zu bytes\n"), out.length + 4);
+
+		i = vpninfo->ssl_write(vpninfo, (void *)pktbuf, out.length + 4);
+		if (i < 0) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Failed to send GSSAPI protection response to proxy: %s\n"),
+				     strerror(-i));
+			goto err;
+		}
+
+		i = vpninfo->ssl_read(vpninfo, (void *)pktbuf, 4);
+		if (i < 0) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Failed to receive GSSAPI protection response from proxy: %s\n"),
+				     strerror(-i));
+			goto err;
+		}
+		in.length = (pktbuf[2] << 8) | pktbuf[3];
+		in.value = pktbuf;
+
+		i = vpninfo->ssl_read(vpninfo, (void *)pktbuf, in.length);
+		if (i < 0) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Failed to receive GSSAPI protection response from proxy: %s\n"),
+				     strerror(-i));
+			goto err;
+		}
+		vpn_progress(vpninfo, PRG_TRACE,
+			     _("Got GSSAPI protection response of %zu bytes: %02x %02x %02x %02x\n"),
+			     in.length, pktbuf[0], pktbuf[1], pktbuf[2], pktbuf[3]);
+
+		major = gss_unwrap(&minor, vpninfo->gss_context, &in, &out, NULL, GSS_C_QOP_DEFAULT);
+		if (major != GSS_S_COMPLETE) {
+			print_gss_err(vpninfo, major, minor);
+			goto err;
+		}
+		if (out.length != 1) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Invalid GSSAPI protection response from proxy (%zu bytes)\n"),
+				     out.length);
+			gss_release_buffer(&minor, &out);
+			goto err;
+		}
+		i = *(char *)out.value;
+		gss_release_buffer(&minor, &out);
+		if (i == 1) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("SOCKS proxy demands message integrity, which is not supported\n"));
+			goto err;
+		} else if (i == 2) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("SOCKS proxy demands message confidentiality, which is not supported\n"));
+			goto err;
+		} else if (i) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("SOCKS proxy demands protection unknown type 0x%02x\n"),
+				     (unsigned char)i);
+			goto err;
+		}
+		ret = 0;
+	}
+ err:
+	cleanup_gssapi_auth(vpninfo);
+	free(pktbuf);
+
+	return ret;
+}
diff --git a/http.c b/http.c
index be19f670..03e11a42 100644
--- a/http.c
+++ b/http.c
@@ -1499,7 +1499,7 @@ static int process_socks_proxy(struct openconnect_info *vpninfo)
 
 	buf[2 + nr_auth_methods++] = SOCKS_AUTH_NONE;
 #ifdef HAVE_GSSAPI
-	//buf[2 + nr_auth_methods++] = SOCKS_AUTH_GSSAPI;
+	buf[2 + nr_auth_methods++] = SOCKS_AUTH_GSSAPI;
 #endif
 	if (vpninfo->proxy_user && vpninfo->proxy_pass)
 		buf[2 + nr_auth_methods++] = SOCKS_AUTH_PASSWORD;
@@ -1531,12 +1531,21 @@ static int process_socks_proxy(struct openconnect_info *vpninfo)
 		break;
 
 	case SOCKS_AUTH_GSSAPI:
+#ifdef HAVE_GSSAPI
+		vpn_progress(vpninfo, PRG_DEBUG,
+			     _("SOCKS server requested GSSAPI authentication\n"));
+		if (socks_gssapi_auth(vpninfo))
+			return -EIO;
+		break;
+#else
+		/* This should never happen since we didn't ask for it! */
 		vpn_progress(vpninfo, PRG_ERR,
 			     _("SOCKS server requested GSSAPI authentication\n"));
 		return -EIO;
+#endif
 
 	case SOCKS_AUTH_PASSWORD:
-		vpn_progress(vpninfo, PRG_ERR,
+		vpn_progress(vpninfo, PRG_DEBUG,
 			     _("SOCKS server requested password authentication\n"));
 		if (socks_password_auth(vpninfo))
 			return -EIO;
diff --git a/openconnect-internal.h b/openconnect-internal.h
index afd3a725..967f0897 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -602,6 +602,7 @@ void cleanup_ntlm_auth(struct openconnect_info *vpninfo);
 /* gssapi.c */
 int gssapi_authorization(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
 void cleanup_gssapi_auth(struct openconnect_info *vpninfo);
+int socks_gssapi_auth(struct openconnect_info *vpninfo);
 
 /* digest.c */
 int digest_authorization(struct openconnect_info *vpninfo, struct oc_text_buf *buf);
diff --git a/www/changelog.xml b/www/changelog.xml
index 90e73d3d..0a5d9544 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -15,7 +15,7 @@
 <ul>
    <li><b>OpenConnect HEAD</b>
      <ul>
-       <li>Support SOCKS proxy authentication (password).</li>
+       <li>Support SOCKS proxy authentication (password, GSSAPI).</li>
        <li>Support HTTP proxy authentication (Basic, Digest, NTLM and GSSAPI).</li>
        <li>Download XML profile in XML POST mode.</li>
        <li>Fix a couple of bugs involving DTLS rekeying.</li>