int gssapi_authorization(struct openconnect_info *vpninfo, int proxy,
struct http_auth_state *auth_state,
struct oc_text_buf *hdrbuf)
{
OM_uint32 major, minor;
gss_buffer_desc in = GSS_C_EMPTY_BUFFER;
gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
gss_OID mech = GSS_C_NO_OID;
if (auth_state->state == AUTH_AVAILABLE && gssapi_setup(vpninfo, "HTTP", proxy)) {
auth_state->state = AUTH_FAILED;
return -EIO;
}
if (auth_state->challenge && *auth_state->challenge) {
int len = -EINVAL;
in.value = openconnect_base64_decode(&len, auth_state->challenge);
if (!in.value)
return len;
in.length = len;
} else if (auth_state->state > AUTH_AVAILABLE) {
/* This indicates failure. We were trying, but got an empty
'Proxy-Authorization: Negotiate' header back from the server
implying that we should start again... */
goto fail_gssapi;
}
major = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL,
&vpninfo->gss_context[proxy],
vpninfo->gss_target_name[proxy],
(gss_OID)&gss_mech_spnego,
GSS_C_MUTUAL_FLAG, GSS_C_INDEFINITE,
GSS_C_NO_CHANNEL_BINDINGS, &in,
&mech, &out, NULL, NULL);
if (in.value)
free(in.value);
if (major == GSS_S_COMPLETE)
auth_state->state = GSSAPI_COMPLETE;
else if (major == GSS_S_CONTINUE_NEEDED)
auth_state->state = GSSAPI_CONTINUE;
else {
vpn_progress(vpninfo, PRG_ERR,
_("Error generating GSSAPI response:\n"));
print_gss_err(vpninfo, "gss_init_sec_context()", mech, major, minor);
fail_gssapi:
auth_state->state = AUTH_FAILED;
cleanup_gssapi_auth(vpninfo, proxy, auth_state);
/* If we were *trying*, then -EAGAIN. Else -ENOENT to let another
auth method try without having to reconnect first. */
return in.value ? -EAGAIN : -ENOENT;
}
buf_append(hdrbuf, "%sAuthorization: Negotiate ", proxy ? "Proxy-" : "");
buf_append_base64(hdrbuf, out.value, out.length);
buf_append(hdrbuf, "\r\n");
gss_release_buffer(&minor, &out);
if (!auth_state->challenge)
vpn_progress(vpninfo, PRG_INFO,
_("Attempting GSSAPI authentication to proxy\n"));
return 0;
}
int digest_authorization(struct openconnect_info *vpninfo, int proxy,
struct http_auth_state *auth_state,
struct oc_text_buf *hdrbuf)
{
char *chall;
int ret = -EINVAL;
int algo = ALGO_MD5;
int qop_auth = 0;
int nc = 1;
struct oc_text_buf *realm = NULL, *nonce = NULL, *opaque = NULL;
struct oc_text_buf *a1 = NULL, *a2 = NULL, *kd = NULL;
struct oc_text_buf *cnonce = NULL;
unsigned char cnonce_random[32];
const char *user, *pass;
if (proxy) {
user = vpninfo->proxy_user;
pass = vpninfo->proxy_pass;
} else {
/* Need to parse this out of the URL */
return -EINVAL;
}
if (!user || !pass)
return -EINVAL;
if (auth_state->state < AUTH_AVAILABLE)
return -EINVAL;
if (auth_state->state == AUTH_IN_PROGRESS) {
auth_state->state = AUTH_FAILED;
return -EAGAIN;
}
chall = auth_state->challenge;
if (!chall)
return -EINVAL;
while (*chall) {
if (!realm && !strncmp(chall, "realm=", 6)) {
chall += 6;
realm = get_qs(&chall);
if (!realm)
goto err;
} else if (!nonce && !strncmp(chall, "nonce=", 6)) {
chall += 6;
nonce = get_qs(&chall);
if (!nonce)
goto err;
} else if (!strncmp(chall, "qop=", 4)) {
chall += 4;
if (strncmp(chall, "\"auth\"", 6)) {
/* We don't support "auth-int" */
goto err;
}
qop_auth = 1;
chall += 6;
} else if (!opaque && !strncmp(chall, "opaque=", 7)) {
chall += 7;
opaque = get_qs(&chall);
if (!opaque)
goto err;
} else if (!strncmp(chall, "algorithm=", 10)) {
chall += 10;
if (!strncmp(chall, "MD5-sess", 8)) {
algo = ALGO_MD5_SESS;
chall += 8;
} else if (!strncmp(chall, "MD5", 3)) {
algo = ALGO_MD5;
chall += 3;
}
} else {
char *p = strchr(chall, '=');
if (!p)
goto err;
p++;
if (*p == '\"') {
/* Eat and discard a quoted-string */
int escaped = 0;
p++;
do {
if (escaped)
escaped = 0;
else if (*p == '\\')
escaped = 1;
if (!*p)
goto err;
} while (escaped || *p != '\"');
chall = p+1;
} else {
/* Not quoted. Just find the next comma (or EOL) */
p = strchr(p, ',');
if (!p)
break;
chall = p;
}
}
while (isspace((int)(unsigned char)*chall))
chall++;
if (!*chall)
break;
if (*chall != ',')
goto err;
chall++;
while (isspace((int)(unsigned char)*chall))
chall++;
if (!*chall)
break;
}
if (!nonce || !realm)
goto err;
if (openconnect_random(&cnonce_random, sizeof(cnonce_random)))
goto err;
cnonce = buf_alloc();
buf_append_base64(cnonce, cnonce_random, sizeof(cnonce_random));
if (buf_error(cnonce))
goto err;
/*
* According to RFC2617 §3.2.2.2:
* A1 = unq(username-value) ":" unq(realm-value) ":" passwd
* So the username is escaped, while the password isn't.
*/
a1 = buf_alloc();
buf_append_unq(a1, user);
buf_append(a1, ":%s:%s", realm->data, pass);
if (buf_error(a1))
goto err;
if (algo == ALGO_MD5_SESS) {
struct oc_text_buf *old_a1 = a1;
a1 = buf_alloc();
buf_append_md5(a1, old_a1->data, old_a1->pos);
buf_free(old_a1);
buf_append(a1, ":%s:%s\n", nonce->data, cnonce->data);
if (buf_error(a1))
goto err;
}
a2 = buf_alloc();
buf_append(a2, "CONNECT:%s:%d", vpninfo->hostname, vpninfo->port);
if (buf_error(a2))
goto err;
kd = buf_alloc();
buf_append_md5(kd, a1->data, a1->pos);
buf_append(kd, ":%s:", nonce->data);
if (qop_auth) {
buf_append(kd, "%08x:%s:auth:", nc, cnonce->data);
}
buf_append_md5(kd, a2->data, a2->pos);
if (buf_error(kd))
goto err;
buf_append(hdrbuf, "%sAuthorization: Digest username=\"", proxy ? "Proxy-" : "");
buf_append_unq(hdrbuf, user);
buf_append(hdrbuf, "\", realm=\"%s\", nonce=\"%s\", uri=\"%s:%d\", ",
realm->data, nonce->data, vpninfo->hostname, vpninfo->port);
if (qop_auth)
buf_append(hdrbuf, "cnonce=\"%s\", nc=%08x, qop=auth, ",
cnonce->data, nc);
if (opaque)
buf_append(hdrbuf, "opaque=\"%s\", ", opaque->data);
buf_append(hdrbuf, "response=\"");
buf_append_md5(hdrbuf, kd->data, kd->pos);
buf_append(hdrbuf, "\"\r\n");
ret = 0;
auth_state->state = AUTH_IN_PROGRESS;
if (proxy)
vpn_progress(vpninfo, PRG_INFO,
_("Attempting Digest authentication to proxy\n"));
else
vpn_progress(vpninfo, PRG_INFO,
_("Attempting Digest authentication to server '%s'\n"),
vpninfo->hostname);
err:
if (a1 && a1->data)
memset(a1->data, 0, a1->pos);
buf_free(a1);
buf_free(a2);
buf_free(kd);
buf_free(realm);
buf_free(nonce);
buf_free(cnonce);
buf_free(opaque);
return ret;
}
