Add openconnect_set_http_auth() and --http-auth command line option

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · Feb 24, 2015 · 92c22a0 · 92c22a0
1 parent 7330ea3
commit 92c22a0
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 4 deletions.
diff --git a/http-auth.c b/http-auth.c
@@ -361,13 +361,14 @@ void clear_auth_states(struct openconnect_info *vpninfo,
 	}
 }
 
-int openconnect_set_proxy_auth(struct openconnect_info *vpninfo, const char *methods)
+static int set_authmethods(struct openconnect_info *vpninfo, struct http_auth_state *auth_states,
+			   const char *methods)
 {
 	int i, len;
 	const char *p;
 
 	for (i = 0; i < sizeof(auth_methods) / sizeof(auth_methods[0]); i++)
-		vpninfo->proxy_auth[auth_methods[i].state_index].state = AUTH_DISABLED;
+		auth_states[auth_methods[i].state_index].state = AUTH_DISABLED;
 
 	while (methods) {
 		p = strchr(methods, ',');
@@ -381,7 +382,7 @@ int openconnect_set_proxy_auth(struct openconnect_info *vpninfo, const char *met
 			if (strprefix_match(methods, len, auth_methods[i].name) ||
 			    (auth_methods[i].state_index == AUTH_TYPE_GSSAPI &&
 			     strprefix_match(methods, len, "gssapi"))) {
-				vpninfo->proxy_auth[auth_methods[i].state_index].state = AUTH_UNSEEN;
+				auth_states[auth_methods[i].state_index].state = AUTH_UNSEEN;
 				break;
 			}
 		}
@@ -390,3 +391,12 @@ int openconnect_set_proxy_auth(struct openconnect_info *vpninfo, const char *met
 	return 0;
 }
 
+int openconnect_set_http_auth(struct openconnect_info *vpninfo, const char *methods)
+{
+	return set_authmethods(vpninfo, vpninfo->http_auth, methods);
+}
+
+int openconnect_set_proxy_auth(struct openconnect_info *vpninfo, const char *methods)
+{
+	return set_authmethods(vpninfo, vpninfo->proxy_auth, methods);
+}
diff --git a/libopenconnect.map.in b/libopenconnect.map.in
@@ -67,6 +67,11 @@ OPENCONNECT_5_1 {
 	openconnect_set_loglevel;
 } OPENCONNECT_5.0;
 
+OPENCONNECT_5_2 {
+ global:
+	openconnect_set_http_auth;
+} OPENCONNECT_5_1;
+
 OPENCONNECT_PRIVATE {
  global: @SYMVER_TIME@ @SYMVER_GETLINE@ @SYMVER_JAVA@ @SYMVER_ASPRINTF@ @SYMVER_VASPRINTF@ @SYMVER_WIN32_STRERROR@
 	openconnect_fopen_utf8;

diff --git a/main.c b/main.c
@@ -183,6 +183,7 @@ enum {
 	OPT_TIMESTAMP,
 	OPT_PFS,
 	OPT_PROXY_AUTH,
+	OPT_HTTP_AUTH,
 };
 
 #ifdef __sun__
@@ -216,6 +217,7 @@ static const struct option long_options[] = {
 	OPTION("cert-expire-warning", 1, 'e'),
 	OPTION("usergroup", 1, 'g'),
 	OPTION("help", 0, 'h'),
+	OPTION("http-auth", 1, OPT_HTTP_AUTH),
 	OPTION("interface", 1, 'i'),
 	OPTION("mtu", 1, 'm'),
 	OPTION("base-mtu", 1, OPT_BASEMTU),
@@ -1190,6 +1192,9 @@ int main(int argc, char **argv)
 		case OPT_PROXY_AUTH:
 			openconnect_set_proxy_auth(vpninfo, config_arg);
 			break;
+		case OPT_HTTP_AUTH:
+			openconnect_set_http_auth(vpninfo, config_arg);
+			break;
 		case OPT_NO_PROXY:
 			autoproxy = 0;
 			proxy = NULL;

diff --git a/openconnect.8.in b/openconnect.8.in
@@ -17,6 +17,7 @@ openconnect \- Connect to Cisco AnyConnect VPN
 .OP \-\-force\-dpd interval
 .OP \-g,\-\-usergroup group
 .OP \-h,\-\-help
+.OP \-\-http\-auth methods
 .OP \-i,\-\-interface ifname
 .OP \-l,\-\-syslog
 .OP \-\-timestamp
@@ -170,6 +171,15 @@ as login UserGroup
 .B \-h,\-\-help
 Display help text
 .TP
+.B \-\-http\-auth=METHODS
+Use only the specified methods for HTTP authentication to a server.  By default,
+only Negotiate, NTLM and Digest authentication are enabled. Basic authentication
+is also supported but because it is insecure it must be explicitly enabled. The
+argument is a comma-separated list of methods to be enabled. Note that the order
+does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic
+authentication in that order, if each is enabled, regardless of the order
+specified in the METHODS string.
+.TP
 .B \-i,\-\-interface=IFNAME
 Use
 .I IFNAME
@@ -214,7 +224,7 @@ in the given URL, and will be used for authentication. If authentication is
 required but no credentials are given, GSSAPI and automatic NTLM authentication
 using Samba's ntlm_auth helper tool may be attempted.
 .TP
-.B \-\-proxy-auth=METHODS
+.B \-\-proxy\-auth=METHODS
 Use only the specified methods for HTTP authentication to a proxy.  By default,
 only Negotiate, NTLM and Digest authentication are enabled. Basic authentication
 is also supported but because it is insecure it must be explicitly enabled. The

diff --git a/openconnect.h b/openconnect.h
@@ -32,6 +32,9 @@
 #define OPENCONNECT_API_VERSION_MINOR 1
 
 /*
+ * API version 5.2:
+ *  - Add openconnect_set_http_auth().
+ *
  * API version 5.1:
  *  - Add openconnect_set_compression_mode(), openconnect_set_loglevel()
  *
@@ -341,6 +344,8 @@ void openconnect_free_cert_info(struct openconnect_info *vpninfo,
 				void *buf);
 /* Contains a comma-separated list of authentication methods to enabled.
    Currently supported: Negotiate,NTLM,Digest,Basic */
+int openconnect_set_http_auth(struct openconnect_info *vpninfo,
+			      const char *methods);
 int openconnect_set_proxy_auth(struct openconnect_info *vpninfo,
 			       const char *methods);
 int openconnect_set_http_proxy(struct openconnect_info *vpninfo,