Commit c24046b9 authored by David Woodhouse's avatar David Woodhouse

Add initial support for TOTP/HOTP keys in Yubikey NEO

Signed-off-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
parent 17a18f1f
......@@ -15,7 +15,7 @@ AM_CFLAGS = @WFLAGS@
AM_CPPFLAGS = -DLOCALEDIR="\"$(localedir)\""
openconnect_SOURCES = xml.c main.c
openconnect_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBOATH_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS)
openconnect_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBOATH_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS)
openconnect_LDADD = libopenconnect.la $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(INTL_LIBS) $(ICONV_LIBS)
library_srcs = ssl.c http.c auth.c library.c compat.c dtls.c cstp.c \
......@@ -27,12 +27,16 @@ lib_srcs_posix = tun.c
lib_srcs_gssapi = gssapi.c
lib_srcs_iconv = iconv.c
lib_srcs_oath = oath.c
lib_srcs_yubikey = yubikey.c
lib_srcs_stoken = stoken.c
POTFILES = $(openconnect_SOURCES) $(lib_srcs_openssl) $(lib_srcs_gnutls) \
$(library_srcs) $(lib_srcs_win32) $(lib_srcs_posix) $(lib_srcs_gssapi) \
$(lib_srcs_iconv) $(lib_srcs_oath) $(lib_srcs_stoken) openconnect-internal.h
$(lib_srcs_iconv) $(lib_srcs_oath) $(lib_srcs_yubikey) $(lib_srcs_stoken) openconnect-internal.h
if OPENCONNECT_LIBPCSCLITE
library_srcs += $(lib_srcs_yubikey)
endif
if OPENCONNECT_STOKEN
library_srcs += $(lib_srcs_stoken)
endif
......@@ -58,8 +62,8 @@ library_srcs += $(lib_srcs_posix)
endif
libopenconnect_la_SOURCES = version.c $(library_srcs)
libopenconnect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBOATH_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS)
libopenconnect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBOATH_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS)
libopenconnect_la_CFLAGS = $(AM_CFLAGS) $(SSL_CFLAGS) $(DTLS_SSL_CFLAGS) $(LIBXML2_CFLAGS) $(LIBPROXY_CFLAGS) $(ZLIB_CFLAGS) $(P11KIT_CFLAGS) $(TSS_CFLAGS) $(LIBSTOKEN_CFLAGS) $(LIBOATH_CFLAGS) $(LIBPSKC_CFLAGS) $(GSSAPI_CFLAGS) $(INTL_CFLAGS) $(ICONV_CFLAGS) $(LIBPCSCLITE_CFLAGS)
libopenconnect_la_LIBADD = $(SSL_LIBS) $(DTLS_SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIBS) $(ZLIB_LIBS) $(P11KIT_LIBS) $(TSS_LIBS) $(LIBSTOKEN_LIBS) $(LIBOATH_LIBS) $(LIBPSKC_LIBS) $(GSSAPI_LIBS) $(INTL_LIBS) $(ICONV_LIBS) $(LIBPCSCLITE_LIBS)
if OPENBSD_LIBTOOL
# OpenBSD's libtool doesn't have -version-number, but its -version-info arg
# does what GNU libtool's -version-number does. Which arguably is what the
......
......@@ -1064,6 +1064,10 @@ static int can_gen_tokencode(struct openconnect_info *vpninfo,
case OC_TOKEN_MODE_HOTP:
return can_gen_hotp_code(vpninfo, form, opt);
#endif
#ifdef HAVE_LIBPCSCLITE
case OC_TOKEN_MODE_YUBIKEY:
return can_gen_yubikey_code(vpninfo, form, opt);
#endif
default:
return -EINVAL;
......@@ -1099,7 +1103,10 @@ static int do_gen_tokencode(struct openconnect_info *vpninfo,
case OC_TOKEN_MODE_HOTP:
return do_gen_hotp_code(vpninfo, form, opt);
#endif
#ifdef HAVE_LIBPCSCLITE
case OC_TOKEN_MODE_YUBIKEY:
return do_gen_yubikey_code(vpninfo, form, opt);
#endif
default:
return -EINVAL;
}
......
......@@ -598,6 +598,18 @@ AS_IF([test "x$with_stoken" != "xno"], [
], [libstoken_pkg=disabled])
AM_CONDITIONAL(OPENCONNECT_STOKEN, [test "$libstoken_pkg" = "yes"])
AC_ARG_WITH([libpcsclite],
AS_HELP_STRING([--without-libpcsclite],
[Build without libpcsclite library (for Yubikey support) [default=auto]]))
AS_IF([test "x$with_libpcsclite" != "xno"], [
PKG_CHECK_MODULES(LIBPCSCLITE, libpcsclite,
[AC_SUBST(LIBPCSCLITE_PC, libpcsclite)
AC_DEFINE([HAVE_LIBPCSCLITE], 1, [Have libpcsclite])
libpcsclite_pkg=yes],
libpcsclite_pkg=no)
], [libpcsclite_pkg=disabled])
AM_CONDITIONAL(OPENCONNECT_LIBPCSCLITE, [test "$libpcsclite_pkg" = "yes"])
AC_ARG_WITH([liboath],
AS_HELP_STRING([--without-liboath],
[Build without liboath library [default=auto]]))
......
......@@ -602,6 +602,10 @@ int openconnect_set_token_mode(struct openconnect_info *vpninfo,
case OC_TOKEN_MODE_HOTP:
return set_hotp_mode(vpninfo, token_str);
#endif
#ifdef HAVE_LIBPCSCLITE
case OC_TOKEN_MODE_YUBIKEY:
return set_yubikey_mode(vpninfo, token_str);
#endif
default:
return -EOPNOTSUPP;
......
......@@ -1218,6 +1218,8 @@ int main(int argc, char **argv)
token_mode = OC_TOKEN_MODE_TOTP;
} else if (strcasecmp(config_arg, "hotp") == 0) {
token_mode = OC_TOKEN_MODE_HOTP;
} else if (strcasecmp(config_arg, "yubikey") == 0) {
token_mode = OC_TOKEN_MODE_YUBIKEY;
} else {
fprintf(stderr, _("Invalid software token mode \"%s\"\n"),
config_arg);
......@@ -1900,6 +1902,21 @@ static void init_token(struct openconnect_info *vpninfo,
break;
case OC_TOKEN_MODE_YUBIKEY:
switch(ret) {
case 0:
return;
case -ENOENT:
fprintf(stderr, _("Yubikey token not found\n"));
exit(1);
case -EOPNOTSUPP:
fprintf(stderr, _("OpenConnect was not built with Yubikey support\n"));
exit(1);
default:
fprintf(stderr, _("General Yubikey failure: %s\n"), strerror(-ret));
exit(1);
}
case OC_TOKEN_MODE_NONE:
/* No-op */
break;
......
......@@ -89,6 +89,11 @@
#include <pskc/pskc.h>
#endif
#ifdef HAVE_LIBPCSCLITE
#include <pcsclite.h>
#include <winscard.h>
#endif
#ifdef ENABLE_NLS
#include <libintl.h>
#define _(s) dgettext("openconnect", s)
......@@ -277,6 +282,11 @@ struct openconnect_info {
HOTP_SECRET_HEX,
HOTP_SECRET_PSKC,
} hotp_secret_format; /* We need to give it back in the same form */
#endif
#ifdef HAVE_LIBPCSCLITE
SCARDHANDLE pcsc_ctx, pcsc_card;
char *yubikey_objname;
int yubikey_mode;
#endif
openconnect_lock_token_vfn lock_token;
openconnect_unlock_token_vfn unlock_token;
......@@ -675,6 +685,15 @@ int do_gen_stoken_code(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt);
/* yubikey.c */
int set_yubikey_mode(struct openconnect_info *vpninfo, const char *token_str);
int can_gen_yubikey_code(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt);
int do_gen_yubikey_code(struct openconnect_info *vpninfo,
struct oc_auth_form *form,
struct oc_form_opt *opt);
/* auth.c */
void nuke_opt_values(struct oc_form_opt *opt);
int parse_xml_response(struct openconnect_info *vpninfo, char *response,
......
......@@ -273,6 +273,7 @@ typedef enum {
OC_TOKEN_MODE_STOKEN,
OC_TOKEN_MODE_TOTP,
OC_TOKEN_MODE_HOTP,
OC_TOKEN_MODE_YUBIKEY,
} oc_token_mode_t;
/* All strings are UTF-8. If operating in a legacy environment where
......
......@@ -7,7 +7,7 @@ includedir=@includedir@
Name: openconnect
Description: OpenConnect VPN client
Version: @VERSION@
Requires.private: @LIBPROXY_PC@ @ZLIB_PC@ @SSL_DTLS_PC@ @P11KIT_PC@ @LIBSTOKEN_PC@ @LIBOATH_PC@ @LIBPSKC_PC@ libxml-2.0
Requires.private: @LIBPROXY_PC@ @ZLIB_PC@ @SSL_DTLS_PC@ @P11KIT_PC@ @LIBSTOKEN_PC@ @LIBOATH_PC@ @LIBPSKC_PC@ @LIBPCSCLITE_PC@ libxml-2.0
Libs: -L${libdir} -lopenconnect
Libs.private: @INTL_LIBS@
Cflags: -I${includedir}
......@@ -15,6 +15,7 @@
<ul>
<li><b>OpenConnect HEAD</b>
<ul>
<li>Add support for HOTP/TOTP keys from Yubikey NEO devices.</li>
<li>Add <tt>---no-system-trust</tt> option to disable default certificate authorities.</li>
<li>Improve <tt>libiconv</tt> and <tt>libintl</tt> detection.</li>
<li>Stop calling <tt>setenv()</tt> from library functions.</li>
......
This diff is collapsed.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment