From 20ef4632243832ff25712f7c85d6c92ca97a8cb7 Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Thu, 19 Jun 2014 15:45:39 +0100 Subject: [PATCH] Start adding GSSAPI support Signed-off-by: David Woodhouse --- Makefile.am | 9 ++++++--- configure.ac | 17 +++++++++++++++++ http.c | 6 ++++++ openconnect-internal.h | 3 +++ 4 files changed, 32 insertions(+), 3 deletions(-) diff --git a/Makefile.am b/Makefile.am index 68e471f8..99efdf18 100644 --- a/Makefile.am +++ b/Makefile.am @@ -20,11 +20,14 @@ openconnect_LDADD = libopenconnect.la $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(LIBINTL library_srcs = ssl.c http.c auth.c library.c compat.c dtls.c cstp.c \ mainloop.c script.c ntlm.c +if OPENCONNECT_GSSAPI +library_srcs += gssapi.c +endif lib_srcs_gnutls = gnutls.c gnutls_pkcs12.c gnutls_tpm.c lib_srcs_openssl = openssl.c POTFILES = $(openconnect_SOURCES) $(lib_srcs_openssl) $(lib_srcs_gnutls) \ - $(library_srcs) tun-win32.c tun.c + $(library_srcs) tun-win32.c tun.c gssapi.c if OPENCONNECT_GNUTLS library_srcs += $(lib_srcs_gnutls) 
@@ -38,8 +41,8 @@ else library_srcs += tun.c endif libopenconnect_la_SOURCES = version.c $(library_srcs) -libopenconnect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBOATH_CFLAGS) -libopenconnect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(LIBINTL) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBOATH_LIBS) +libopenconnect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBOATH_CFLAGS) $(GSSAPI_CFLAGS) +libopenconnect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(LIBINTL) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBOATH_LIBS) $(GSSAPI_LIBS) if OPENBSD_LIBTOOL # OpenBSD's libtool doesn't have -version-number, but its -version-info arg # does what GNU libtool's -version-number does. Which arguably is what the diff --git a/configure.ac b/configure.ac index 083ee083..178c8d36 100644 --- a/configure.ac +++ b/configure.ac @@ -584,6 +584,23 @@ AS_IF([test "x$with_liboath" != "xno"], [ liboath_pkg=no) ]) +have_gssapi=no +AC_ARG_WITH([gssapi], + AS_HELP_STRING([--without-gssapi], + [Build without GSSAPI support [default=auto]])) +AS_IF([test "x$with_gssapi" != "xno"], [ + AC_PATH_PROG([KRB5_CONFIG], krb5-config, [], $PATH:/usr/kerberos/bin) + if test "$KRB5_CONFIG" != ""; then + have_gssapi=yes + GSSAPI_LIBS="`${KRB5_CONFIG} --libs gssapi`" + GSSAPI_CFLAGS="`${KRB5_CONFIG} --cflags gssapi`" + AC_SUBST(GSSAPI_CFLAGS) + AC_SUBST(GSSAPI_LIBS) + AC_DEFINE([HAVE_GSSAPI], 1) + fi +]) +AM_CONDITIONAL(OPENCONNECT_GSSAPI, [test "$have_gssapi" = "yes"]) + AC_ARG_WITH([java], AS_HELP_STRING([--with-java(=DIR)], [Build JNI bindings using jni.h from DIR [default=no]]), diff --git a/http.c b/http.c index e398b467..708707ef 100644 --- a/http.c +++ b/http.c 
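Review bot: An explicit `--with-gssapi` silently degrades to a build without GSSAPI when krb5-config is not found: the AS_IF only tests `!= "xno"`, so an explicit `yes` and the unset auto default are handled identically and the inner `if` simply falls through. Add an else branch to that inner test, e.g. `elif test "x$with_gssapi" = "xyes"; then AC_MSG_ERROR([GSSAPI support requested but krb5-config not found]); fi`, so a deliberate request cannot be dropped without notice. The two-argument `AC_DEFINE([HAVE_GSSAPI], 1)` may also need a description as its third argument if the project generates config.h with autoheader; `AC_DEFINE([HAVE_GSSAPI], 1, [Have GSSAPI support])` is the usual form.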
@@ -1587,6 +1587,12 @@ void buf_append_base64(struct oc_text_buf *buf, const void *bytes, int len) /* Generate Proxy-Authorization: header for request if appropriate */ static int proxy_authorization(struct openconnect_info *vpninfo, struct oc_text_buf *buf) { +#ifdef HAVE_GSSAPI + if (vpninfo->gssapi_auth.state > AUTH_UNSEEN && + !gssapi_authorization(vpninfo, buf)) + return 0; +#endif + if (vpninfo->ntlm_auth.state > AUTH_UNSEEN && !ntlm_authorization(vpninfo, buf)) return 0; diff --git a/openconnect-internal.h b/openconnect-internal.h index 377839c0..8ef1f6ca 100644 --- a/openconnect-internal.h +++ b/openconnect-internal.h @@ -581,6 +581,9 @@ int internal_parse_url(char *url, char **res_proto, char **res_host, /* ntlm.c */ int ntlm_authorization(struct openconnect_info *vpninfo, struct oc_text_buf *buf); +/* gssapi.c */ +int gssapi_authorization(struct openconnect_info *vpninfo, struct oc_text_buf *buf); + /* ssl_ui.c */ int set_openssl_ui(void);
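Review bot: The new guard in proxy_authorization() reads `vpninfo->gssapi_auth.state`, but this commit adds no `gssapi_auth` member to struct openconnect_info and no gssapi.c (the diffstat lists only Makefile.am, configure.ac, http.c and openconnect-internal.h, and the header hunk adds only the prototype), so any tree where configure finds krb5-config and defines HAVE_GSSAPI will fail to compile until those land; if that is the intended shape of a "start adding" series, state it in the commit description, otherwise keep HAVE_GSSAPI undefined until gssapi.c exists. Trying GSSAPI before NTLM is a reasonable preference for the stronger mechanism, but it deserves a one-line comment above the `#ifdef`, such as `/* Prefer GSSAPI over NTLM when the proxy has offered it */`. proxy_authorization's body continues outside the hunk.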