Finally add (non-proxy) HTTP authentication support
This is what a lot of the previous changes from Nikos and myself were
working towards.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse authored and David Woodhouse committed Feb 24, 2015
1 parent df80b80 commit c26d459
Showing 4 changed files with 40 additions and 8 deletions.
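--- a/http-auth.c
+++ b/http-auth.c
@@ -253,9 +253,10 @@ int gen_authorization_hdr(struct openconnect_info *vpninfo, int proxy,
 
 /* Returns non-zero if it matched */
 static int handle_auth_proto(struct openconnect_info *vpninfo,
+struct http_auth_state *auth_states,
 struct auth_method *method, char *hdr)
 {
-struct http_auth_state *auth = &vpninfo->proxy_auth[method->state_index];
+struct http_auth_state *auth = &auth_states[method->state_index];
 int l = strlen(method->name);
 
 if (auth->state <= AUTH_FAILED)
@@ -294,7 +295,23 @@ int proxy_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val)
 
 for (i = 0; i < sizeof(auth_methods) / sizeof(auth_methods[0]); i++) {
 /* Return once we've found a match */
-if (handle_auth_proto(vpninfo, &auth_methods[i], val))
+if (handle_auth_proto(vpninfo, vpninfo->proxy_auth, &auth_methods[i], val))
 return 0;
 }
 
+return 0;
+}
+
+int http_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val)
+{
+int i;
+
+if (strcasecmp(hdr, "WWW-Authenticate"))
+return 0;
+
+for (i = 0; i < sizeof(auth_methods) / sizeof(auth_methods[0]); i++) {
+/* Return once we've found a match */
+if (handle_auth_proto(vpninfo, vpninfo->http_auth, &auth_methods[i], val))
+return 0;
+}
+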
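Review bot: `http_auth_hdrs` (the new function at the end of the second hunk) has no header comment, and its contract is not obvious from the code: it silently ignores every header other than WWW-Authenticate, it returns 0 both when a method matched (`return 0;` inside the loop) and when nothing did, and the `val` it passes down is the raw challenge string from the server, so every parser reached through `handle_auth_proto` is working on untrusted input. I would add above it: `/* process_http_response() callback: feed each WWW-Authenticate value from the server to handle_auth_proto() against vpninfo->http_auth. A recognised challenge is recorded in that method's state, not reported to the caller; the return value is always 0. */`. The same comment, with proxy_auth and Proxy-Authenticate, fits proxy_auth_hdrs, whose body starts above this hunk; the closing `return 0;` of http_auth_hdrs is below it.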
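--- a/http.c
+++ b/http.c
@@ -790,6 +790,7 @@ int do_https_request(struct openconnect_info *vpninfo, const char *method,
 int result;
 int rq_retry;
 int rlen, pad;
+int auth = 0;
 
 if (request_body_type && buf_error(request_body))
 return buf_error(request_body);
@@ -815,6 +816,14 @@ int do_https_request(struct openconnect_info *vpninfo, const char *method,
 buf_append(buf, "%s /%s HTTP/1.1\r\n", method, vpninfo->urlpath ?: "");
 if (vpninfo->proto.add_http_headers)
 vpninfo->proto.add_http_headers(vpninfo, buf);
+if (auth) {
+result = gen_authorization_hdr(vpninfo, 0, buf);
+if (result)
+goto out;
+
+/* Forget existing challenges */
+clear_auth_states(vpninfo, vpninfo->http_auth, 0);
+}
 
 if (request_body_type) {
 rlen = request_body->pos;
@@ -856,12 +865,12 @@ int do_https_request(struct openconnect_info *vpninfo, const char *method,
 vpn_progress(vpninfo, PRG_ERR,
 _("Failed to open HTTPS connection to %s\n"),
 vpninfo->hostname);
-buf_free(buf);
 /* We really don't want to return -EINVAL if we have
 failed to even connect to the server, because if
 we do that openconnect_obtain_cookie() might try
 again without XMLPOST... with the same result. */
-return -EIO;
+result = -EIO;
+goto out;
 }
 }
 
@@ -876,14 +885,18 @@ int do_https_request(struct openconnect_info *vpninfo, const char *method,
 if (result < 0)
 goto out;
 
-result = process_http_response(vpninfo, 0, NULL, buf);
+result = process_http_response(vpninfo, 0, http_auth_hdrs, buf);
 if (result < 0) {
 /* We'll already have complained about whatever offended us */
 goto out;
 }
 if (vpninfo->dump_http_traffic && buf->pos)
 dump_buf(vpninfo, '<', buf->data);
 
+if (result == 401) {
+auth = 1;
+goto redirected;
+}
 if (result != 200 && vpninfo->redirect_url) {
 result = handle_redirect(vpninfo);
 if (result == 0) {
@@ -894,6 +907,8 @@ int do_https_request(struct openconnect_info *vpninfo, const char *method,
 method = "GET";
 request_body_type = NULL;
 }
+if (vpninfo->redirect_type == REDIR_TYPE_NEWHOST)
+clear_auth_states(vpninfo, vpninfo->http_auth, 1);
 goto redirected;
 }
 goto out;
@@ -912,6 +927,8 @@ int do_https_request(struct openconnect_info *vpninfo, const char *method,
 
 out:
 buf_free(buf);
+/* On success, clear out all authentication state for the next request */
+clear_auth_states(vpninfo, vpninfo->http_auth, 1);
 return result;
 }
 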
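Review bot: `auth` is set to 1 when a 401 comes back but is never cleared again in the shown code, so after a redirect to a new host the challenge states are reset (`REDIR_TYPE_NEWHOST` branch) while the flag stays on and the retried request still goes through `gen_authorization_hdr(vpninfo, 0, buf)` against an empty state table; what that call returns with no usable state is not visible here, but either it fails a request that should simply be sent unauthenticated or the flag is stale noise, and the intended semantics are `if (vpninfo->redirect_type == REDIR_TYPE_NEWHOST) { clear_auth_states(vpninfo, vpninfo->http_auth, 1); auth = 0; }`. The comment added before the final `clear_auth_states` at `out:` is also inaccurate: that label is reached from every error exit in these hunks (the `gen_authorization_hdr` failure, the `-EIO` connect failure, the `process_http_response` error), so it should read `/* Clear all HTTP auth state on every exit path, success or failure, so nothing carries over into the next request */`. Separately, the `result == 401` branch has no retry bound; if the server answers each authenticated attempt with another 401 re-advertising a method whose state has not reached AUTH_FAILED, the loop back to `redirected` ends only when `gen_authorization_hdr` returns non-zero, which presumably it does once every method is exhausted but is worth confirming. do_https_request starts before the first hunk and the `redirected` label lies outside the shown hunks.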
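--- a/ntlm.c
+++ b/ntlm.c
@@ -1014,8 +1014,6 @@ int ntlm_authorization(struct openconnect_info *vpninfo, int proxy,
 /* Don't let it reset our state when it reconnects */
 if (proxy)
 vpninfo->proxy_close_during_auth = 1;
-else
-vpninfo->http_close_during_auth = 1;
 return ret;
 }
 if (!ret)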
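--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -374,7 +374,6 @@ struct openconnect_info {
 char *proxy_user;
 char *proxy_pass;
 int proxy_close_during_auth;
-int http_close_during_auth;
 struct http_auth_state http_auth[MAX_AUTH_TYPES];
 struct http_auth_state proxy_auth[MAX_AUTH_TYPES];
 int authmethods_set;
@@ -960,6 +959,7 @@ void *openconnect_base64_decode(int *len, const char *in);
 void clear_auth_states(struct openconnect_info *vpninfo,
 struct http_auth_state *auth_states, int reset);
 int proxy_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val);
+int http_auth_hdrs(struct openconnect_info *vpninfo, char *hdr, char *val);
 int gen_authorization_hdr(struct openconnect_info *vpninfo, int proxy,
 struct oc_text_buf *buf);
 /* ntlm.c */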
