[libsoup/wip/tpopela/negotiate: 7/16] Rebased Guido G ünther's work from [0] on top of 2.52.0
- From: Tomas Popela <tpopela src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libsoup/wip/tpopela/negotiate: 7/16] Rebased Guido G ünther's work from [0] on top of 2.52.0
- Date: Fri, 30 Oct 2015 07:54:17 +0000 (UTC)
commit a775503a3c2ec04fb6e7b62abde2eddd0559960d
Author: Tomas Popela <tpopela redhat com>
Date: Wed Sep 30 08:52:12 2015 +0200
Rebased Guido Günther's work from [0] on top of 2.52.0
[0] - http://anonscm.debian.org/cgit/users/agx/libsoup.git/log/
configure.ac | 15 ++
examples/get.c | 10 +-
libsoup/Makefile.am | 25 +++-
libsoup/libsoup-2.4.sym | 1 +
libsoup/libsoup-gssapi-2.4.sym | 3 +
libsoup/soup-auth-negotiate.c | 437 ++++++++++++++++++++++++++++++++++++++++
libsoup/soup-auth-negotiate.h | 27 +++
libsoup/soup-auth.h | 2 +
libsoup/soup-gssapi.c | 169 ++++++++++++++++
libsoup/soup-gssapi.h | 41 ++++
libsoup/soup-status.h | 1 +
11 files changed, 729 insertions(+), 2 deletions(-)
---
diff --git a/configure.ac b/configure.ac
index eac02db..7d46af3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -317,6 +317,21 @@ AC_DEFINE_UNQUOTED(NTLM_AUTH, "$ntlm_auth", [Samba's 'winbind' daemon helper 'nt
AX_CODE_COVERAGE
+dnl **********************
+dnl *** GSSAPI support ***
+dnl **********************
+AC_PATH_PROG([KRB5_CONFIG], krb5-config, none, $PATH:/usr/kerberos/bin)
+if test "x$KRB5_CONFIG" != "xnone"; then
+ KRB5_LIBS="`${KRB5_CONFIG} --libs gssapi`"
+ KRB5_CFLAGS="`${KRB5_CONFIG} --cflags gssapi`"
+ AC_SUBST(KRB5_CFLAGS)
+ AC_SUBST(KRB5_LIBS)
+ if test "$KRB5_CONFIG" != none; then
+ AC_DEFINE(HAVE_GSSAPI, 1, [Whether or not gssapi libs are available])
+ fi
+fi
+AM_CONDITIONAL(BUILD_LIBSOUP_GSSAPI, test $KRB5_CONFIG != none)
+
dnl ****************************************************
dnl *** Warnings to show if using GCC ***
dnl *** (do this last so -Werror won't mess up tests ***
diff --git a/examples/get.c b/examples/get.c
index a8888d4..6f761af 100644
--- a/examples/get.c
+++ b/examples/get.c
@@ -89,7 +89,7 @@ get_url (const char *url)
}
static const char *ca_file, *proxy;
-static gboolean synchronous, ntlm;
+static gboolean synchronous, ntlm, negotiate;
static GOptionEntry entries[] = {
{ "ca-file", 'c', 0,
@@ -104,6 +104,9 @@ static GOptionEntry entries[] = {
{ "ntlm", 'n', 0,
G_OPTION_ARG_NONE, &ntlm,
"Use NTLM authentication", NULL },
+ { "negotiate", 'N', 0,
+ G_OPTION_ARG_NONE, &negotiate,
+ "Use Negotiate authentication", NULL },
{ "output", 'o', 0,
G_OPTION_ARG_STRING, &output_file_path,
"Write the received data to FILE instead of stdout", "FILE" },
@@ -183,6 +186,11 @@ main (int argc, char **argv)
soup_uri_free (proxy_uri);
}
+ if (negotiate) {
+ soup_session_add_feature_by_type(session,
+ SOUP_TYPE_AUTH_NEGOTIATE);
+ }
+
if (!synchronous)
loop = g_main_loop_new (NULL, TRUE);
diff --git a/libsoup/Makefile.am b/libsoup/Makefile.am
index 345bd3e..00ac40b 100644
--- a/libsoup/Makefile.am
+++ b/libsoup/Makefile.am
@@ -20,7 +20,8 @@ AM_CPPFLAGS = \
$(GLIB_CFLAGS) \
$(XML_CFLAGS) \
$(SQLITE_CFLAGS) \
- $(CODE_COVERAGE_CFLAGS)
+ $(CODE_COVERAGE_CFLAGS) \
+ $(KRB5_CFLAGS)
libsoupincludedir = $(includedir)/libsoup-2.4/libsoup
@@ -110,6 +111,8 @@ libsoup_2_4_la_SOURCES = \
soup-auth-digest.c \
soup-auth-ntlm.h \
soup-auth-ntlm.c \
+ soup-auth-negotiate.h \
+ soup-auth-negotiate.c \
soup-auth-domain.c \
soup-auth-domain-basic.c \
soup-auth-domain-digest.c \
@@ -242,6 +245,26 @@ libsoup_gnome_2_4_la_SOURCES = \
endif
+if BUILD_LIBSOUP_GSSAPI
+
+lib_LTLIBRARIES += libsoup-gssapi-2.4.la
+
+libsoup_gssapi_2_4_la_LDFLAGS = \
+ -version-info $(SOUP_CURRENT):$(SOUP_REVISION):$(SOUP_AGE) \
+ -no-undefined \
+ -export-symbols $(srcdir)/libsoup-gssapi-2.4.sym
+
+EXTRA_DIST += libsoup-gssapi-2.4.sym
+
+libsoup_gssapi_2_4_la_LIBADD = \
+ $(KRB5_LIBS) \
+ $(GLIB_LIBS)
+
+libsoup_gssapi_2_4_la_SOURCES = \
+ soup-gssapi.c
+
+endif
+
GLIB_GENERATED = soup-enum-types.c soup-enum-types.h
BUILT_SOURCES = \
$(GLIB_GENERATED) \
diff --git a/libsoup/libsoup-2.4.sym b/libsoup/libsoup-2.4.sym
index e6ff89e..11833cb 100644
--- a/libsoup/libsoup-2.4.sym
+++ b/libsoup/libsoup-2.4.sym
@@ -79,6 +79,7 @@ soup_auth_is_for_proxy
soup_auth_is_ready
soup_auth_manager_get_type
soup_auth_manager_use_auth
+soup_auth_negotiate_get_type
soup_auth_new
soup_auth_ntlm_get_type
soup_auth_save_password
diff --git a/libsoup/libsoup-gssapi-2.4.sym b/libsoup/libsoup-gssapi-2.4.sym
new file mode 100644
index 0000000..2df49d6
--- /dev/null
+++ b/libsoup/libsoup-gssapi-2.4.sym
@@ -0,0 +1,3 @@
+soup_gss_client_init
+soup_gss_client_step
+soup_gss_client_cleanup
diff --git a/libsoup/soup-auth-negotiate.c b/libsoup/soup-auth-negotiate.c
new file mode 100644
index 0000000..79db107
--- /dev/null
+++ b/libsoup/soup-auth-negotiate.c
@@ -0,0 +1,437 @@
+/* -*- Mode: C; tabstop: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
+/*
+ * soup-auth-negotiate.c: HTTP Negotiate Authentication helper
+ *
+ * Copyright (C) 2009,2013 Guido Guenther <agx sigxcpu org>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_GSSAPI
+# include <gssapi/gssapi.h>
+#endif
+
+#include <string.h>
+
+#include "soup-auth-negotiate.h"
+#include "soup-gssapi.h"
+#include "soup-headers.h"
+#include "soup-message.h"
+#include "soup-message-private.h"
+#include "soup-misc.h"
+#include "soup-uri.h"
+
+static gboolean soup_gss_build_response (SoupNegotiateConnectionState *conn,
+ SoupAuth *auth, GError **err);
+static gchar** parse_trusted_uris (void);
+static gboolean check_auth_trusted_uri (SoupAuthNegotiate *negotiate,
+ SoupMessage *msg);
+
+typedef struct {
+ char *username;
+} SoupAuthNegotiatePrivate;
+#define SOUP_AUTH_NEGOTIATE_GET_PRIVATE(o) (G_TYPE_INSTANCE_GET_PRIVATE ((o), SOUP_TYPE_AUTH_NEGOTIATE,
SoupAuthNegotiatePrivate))
+
+G_DEFINE_TYPE (SoupAuthNegotiate, soup_auth_negotiate, SOUP_TYPE_CONNECTION_AUTH)
+
+/* Function pointers to dlopen'ed libsoup-gssapi */
+struct {
+ int (*client_init)(SoupNegotiateConnectionState *conn,
+ const char *host,
+ GError **err);
+ int (*client_step)(SoupNegotiateConnectionState *conn,
+ const char *challenge,
+ GError **err);
+ void (*client_cleanup)(SoupNegotiateConnectionState *conn);
+} soup_gssapi_syms;
+gboolean have_gssapi;
+
+static gchar **trusted_uris;
+
+static void
+soup_auth_negotiate_init (SoupAuthNegotiate *negotiate)
+{
+}
+
+static void
+soup_auth_negotiate_finalize (GObject *object)
+{
+ SoupAuthNegotiatePrivate *priv = SOUP_AUTH_NEGOTIATE_GET_PRIVATE (object);
+
+ g_free (priv->username);
+
+ G_OBJECT_CLASS (soup_auth_negotiate_parent_class)->finalize (object);
+}
+
+static gpointer
+soup_auth_negotiate_create_connection_state (SoupConnectionAuth *auth)
+{
+ return g_slice_new0 (SoupNegotiateConnectionState);
+}
+
+static void
+soup_auth_negotiate_free_connection_state (SoupConnectionAuth *auth,
+ gpointer state)
+{
+ SoupNegotiateConnectionState *conn = state;
+
+ if (have_gssapi)
+ soup_gssapi_syms.client_cleanup (conn);
+ g_free (conn->response_header);
+}
+
+
+static gboolean
+soup_auth_negotiate_update_connection (SoupConnectionAuth *auth, SoupMessage *msg,
+ const char *header, gpointer state)
+{
+ SoupAuthNegotiatePrivate *priv =
+ SOUP_AUTH_NEGOTIATE_GET_PRIVATE (auth);
+ SoupNegotiateConnectionState *conn = state;
+ GError *err = NULL;
+
+ if (conn->state > SOUP_NEGOTIATE_RECEIVED_CHALLENGE) {
+ /* We already authenticated, but then got another 401.
+ * That means "permission denied", so don't try to
+ * authenticate again.
+ */
+ conn->state = SOUP_NEGOTIATE_FAILED;
+
+ /* Make sure we don't claim to be authenticated */
+ g_free (priv->username);
+ priv->username = NULL;
+
+ return FALSE;
+ }
+
+ /* Found negotiate header, start negotiate */
+ if (strcmp (header, "Negotiate") == 0) {
+ conn->state = SOUP_NEGOTIATE_RECEIVED_CHALLENGE;
+ if (soup_gss_build_response (conn, SOUP_AUTH (auth), &err))
+ return TRUE;
+ else {
+ /* FIXME: report further upward via
+ * soup_message_get_error_message */
+ g_warning ("gssapi step failed: %s", err->message);
+ }
+ }
+ g_clear_error (&err);
+ return FALSE;
+}
+
+static GSList *
+soup_auth_negotiate_get_protection_space (SoupAuth *auth, SoupURI *source_uri)
+{
+ char *space, *p;
+
+ space = g_strdup (source_uri->path);
+
+ /* Strip filename component */
+ p = strrchr (space, '/');
+ if (p && p != space && p[1])
+ *p = '\0';
+
+ return g_slist_prepend (NULL, space);
+}
+
+static void
+soup_auth_negotiate_authenticate (SoupAuth *auth, const char *username,
+ const char *password)
+{
+ SoupAuthNegotiatePrivate *priv = SOUP_AUTH_NEGOTIATE_GET_PRIVATE (auth);
+
+ g_return_if_fail (username != NULL);
+ priv->username = g_strdup (username);
+}
+
+static gboolean
+soup_auth_negotiate_is_authenticated (SoupAuth *auth)
+{
+ return SOUP_AUTH_NEGOTIATE_GET_PRIVATE (auth)->username != NULL;
+}
+
+static gboolean
+soup_auth_negotiate_is_ready (SoupAuth *auth,
+ SoupMessage *msg)
+{
+ SoupAuthNegotiate* negotiate = SOUP_AUTH_NEGOTIATE (auth);
+ return check_auth_trusted_uri (negotiate, msg);
+}
+
+
+static void
+check_server_response(SoupMessage *msg, gpointer state)
+{
+ gchar **parts, *p;
+ gint ret;
+ const char *auth_headers;
+ SoupNegotiateConnectionState *conn = state;
+ GError *err = NULL;
+
+ if (msg->status_code == SOUP_STATUS_UNAUTHORIZED)
+ return;
+
+ /* FIXME: need to check for proxy-auth too */
+ auth_headers = soup_message_headers_get_one (msg->response_headers,
+ "WWW-Authenticate");
+ parts = g_strsplit (auth_headers, " ", 0);
+ if (g_strv_length (parts) != 2) {
+ g_warning ("Failed to parse auth header %s", auth_headers);
+ conn->state = SOUP_NEGOTIATE_FAILED;
+ goto out;
+ }
+ if (g_ascii_strcasecmp (parts[0], "Negotiate")) {
+ g_warning ("Failed to parse auth header %s", auth_headers);
+ conn->state = SOUP_NEGOTIATE_FAILED;
+ }
+
+ p = parts[1];
+ ret = soup_gssapi_syms.client_step (conn, p, &err);
+
+ if (ret != AUTH_GSS_COMPLETE) {
+ g_warning ("%s", err->message);
+ conn->state = SOUP_NEGOTIATE_FAILED;
+ }
+ out:
+ g_clear_error (&err);
+ g_strfreev (parts);
+}
+
+
+static void
+remove_server_response_handler(SoupMessage *msg, gpointer state)
+{
+ g_signal_handlers_disconnect_by_func (msg,
+ G_CALLBACK (check_server_response),
+ state);
+}
+
+
+static char *
+soup_auth_negotiate_get_connection_authorization (SoupConnectionAuth *auth,
+ SoupMessage *msg,
+ gpointer state)
+{
+ SoupNegotiateConnectionState *conn = state;
+ char *header = NULL;
+
+ if (conn->state == SOUP_NEGOTIATE_RECEIVED_CHALLENGE) {
+ header = conn->response_header;
+ conn->response_header = NULL;
+ conn->state = SOUP_NEGOTIATE_SENT_RESPONSE;
+ }
+
+
+ g_signal_connect (msg,
+ "finished",
+ G_CALLBACK (remove_server_response_handler),
+ conn);
+
+ /* Wait for the 2xx response to verify server response */
+ g_signal_connect (msg,
+ "got_headers",
+ G_CALLBACK (check_server_response),
+ conn);
+
+ return header;
+}
+
+static gboolean
+soup_auth_negotiate_is_connection_ready (SoupConnectionAuth *auth,
+ SoupMessage *msg,
+ gpointer state)
+{
+ SoupNegotiateConnectionState *conn = state;
+
+ return conn->state != SOUP_NEGOTIATE_FAILED;
+}
+
+static gboolean
+soup_gssapi_load (void)
+{
+ GModule *gssapi;
+ const char *modulename = PACKAGE "-gssapi-2.4." G_MODULE_SUFFIX;
+
+ if (!g_module_supported ())
+ return FALSE;
+
+ gssapi = g_module_open (modulename, G_MODULE_BIND_LOCAL);
+ if (!gssapi) {
+ g_warning ("Failed to load %s - negotiate support will "
+ "be disabled.", modulename);
+ return FALSE;
+ }
+
+#define GSSAPI_BIND_SYMBOL(name) \
+ g_return_val_if_fail (g_module_symbol (gssapi, "soup_gss_" #name, (gpointer)&soup_gssapi_syms.name),
FALSE)
+
+ GSSAPI_BIND_SYMBOL(client_step);
+ GSSAPI_BIND_SYMBOL(client_init);
+ GSSAPI_BIND_SYMBOL(client_cleanup);
+#undef GSSPI_BIND_SYMBOL
+ return TRUE;
+}
+
+static void
+soup_auth_negotiate_class_init (SoupAuthNegotiateClass *auth_negotiate_class)
+{
+ SoupAuthClass *auth_class = SOUP_AUTH_CLASS (auth_negotiate_class);
+ SoupConnectionAuthClass *connauth_class =
+ SOUP_CONNECTION_AUTH_CLASS (auth_negotiate_class);
+ GObjectClass *object_class = G_OBJECT_CLASS (auth_negotiate_class);
+
+ g_type_class_add_private (auth_negotiate_class, sizeof (SoupAuthNegotiatePrivate));
+
+ auth_class->scheme_name = "Negotiate";
+ auth_class->strength = 7;
+
+ auth_class->get_protection_space = soup_auth_negotiate_get_protection_space;
+ auth_class->authenticate = soup_auth_negotiate_authenticate;
+ auth_class->is_authenticated = soup_auth_negotiate_is_authenticated;
+ auth_class->is_ready = soup_auth_negotiate_is_ready;
+
+ connauth_class->create_connection_state = soup_auth_negotiate_create_connection_state;
+ connauth_class->free_connection_state = soup_auth_negotiate_free_connection_state;
+ connauth_class->update_connection = soup_auth_negotiate_update_connection;
+ connauth_class->get_connection_authorization = soup_auth_negotiate_get_connection_authorization;
+ connauth_class->is_connection_ready = soup_auth_negotiate_is_connection_ready;
+
+ object_class->finalize = soup_auth_negotiate_finalize;
+
+ trusted_uris = parse_trusted_uris ();
+ have_gssapi = soup_gssapi_load();
+}
+
+static gboolean
+soup_gss_build_response (SoupNegotiateConnectionState *conn, SoupAuth *auth, GError **err)
+{
+ if (!have_gssapi) {
+ if (err && *err == NULL) {
+ g_set_error (err,
+ SOUP_HTTP_ERROR,
+ SOUP_STATUS_GSSAPI_FAILED,
+ "GSSAPI unavailable");
+ }
+ return FALSE;
+ }
+
+ if (!soup_gssapi_syms.client_init (conn, soup_auth_get_host (SOUP_AUTH (auth)), err))
+ return FALSE;
+
+ if (soup_gssapi_syms.client_step (conn, "", err) != AUTH_GSS_CONTINUE)
+ return FALSE;
+
+ return TRUE;
+}
+
+/* Parses a comma separated list of URIS from the environment. */
+static gchar**
+parse_trusted_uris(void)
+{
+ gchar **uris = NULL;
+ const gchar *env;
+
+ env = g_getenv ("SOUP_AUTH_TRUSTED_URIS");
+ if (env)
+ uris = g_strsplit (env, ",", -1);
+ return uris;
+}
+
+
+/* check if scheme://host:port from msg matches the trusted uri */
+static gboolean
+match_base_uri (SoupMessage *msg, const gchar *trusted)
+{
+ SoupURI *uri;
+ gboolean ret = FALSE;
+
+ /* params of the trusted uri */
+ gchar **trusted_parts = NULL;
+ gchar **trusted_host_port = NULL;
+ const gchar *trusted_host = NULL;
+ gint trusted_host_len;
+
+ /* params of the msg's uri */
+ const gchar *host = NULL;
+ gint port;
+ gint host_len;
+
+ uri = soup_message_get_uri (msg);
+ /* split trusted uri into scheme and host/port */
+ if (strstr (trusted, "://")) {
+ trusted_parts = g_strsplit (trusted, "://", -1);
+
+ /* The scheme has to match exactly */
+ if (g_ascii_strcasecmp (trusted_parts[0],
+ soup_uri_get_scheme (uri))) {
+ goto out;
+ }
+ if (strlen (trusted_parts[1]) == 0) {
+ /* scheme only, we're done */
+ ret = TRUE;
+ goto out;
+ } else
+ trusted_host = trusted_parts[1];
+ } else {
+ trusted_host = trusted;
+ }
+
+ trusted_host_port = g_strsplit (trusted_host, ":", 2);
+ /* If we got a port in the trusted uri it has to match exactly */
+ if (g_strv_length (trusted_host_port) > 1) {
+ port = g_ascii_strtoll (trusted_host_port[1], NULL, 10);
+ if (port != soup_uri_get_port (uri)) {
+ goto out;
+ }
+ }
+
+ trusted_host = trusted_host_port[0];
+ host = soup_uri_get_host (uri);
+ if (g_str_has_suffix (host, trusted_host)) {
+ /* if the msg host ends with host from the trusted uri, then make
+ * sure it is either an exact match, or prefixed with a dot. We
+ * don't want "foobar.com" to match "bar.com"
+ */
+ if (g_ascii_strcasecmp (host, trusted_host) == 0) {
+ ret = TRUE;
+ goto out;
+ } else {
+ /* we don't want example.com to match fooexample.com
+ */
+ trusted_host_len = strlen (trusted_host);
+ host_len = strlen (host);
+ if (host[host_len - trusted_host_len - 1] == '.') {
+ ret = TRUE;
+ }
+ }
+ }
+out:
+ g_strfreev (trusted_parts);
+ g_strfreev (trusted_host_port);
+ return ret;
+}
+
+
+static gboolean
+check_auth_trusted_uri (SoupAuthNegotiate *negotiate, SoupMessage *msg)
+{
+ SoupAuthNegotiatePrivate *priv =
+ SOUP_AUTH_NEGOTIATE_GET_PRIVATE (negotiate);
+ int i;
+
+ g_return_val_if_fail (negotiate != NULL, FALSE);
+ g_return_val_if_fail (priv != NULL, FALSE);
+ g_return_val_if_fail (msg != NULL, FALSE);
+
+ if (!trusted_uris) {
+ return FALSE;
+ }
+
+ for (i=0; i < g_strv_length (trusted_uris); i++) {
+ if (match_base_uri (msg, trusted_uris[i]))
+ return TRUE;
+ }
+ return FALSE;
+}
diff --git a/libsoup/soup-auth-negotiate.h b/libsoup/soup-auth-negotiate.h
new file mode 100644
index 0000000..dbdfc3c
--- /dev/null
+++ b/libsoup/soup-auth-negotiate.h
@@ -0,0 +1,27 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
+/*
+ * Copyright (C) 2010 Guido Guenther <agx sigxcpu org>
+ */
+
+#ifndef SOUP_AUTH_NEGOTIATE_H
+#define SOUP_AUTH_NEGOTIATE_H 1
+
+#include "soup-connection-auth.h"
+
+#define SOUP_AUTH_NEGOTIATE(object) (G_TYPE_CHECK_INSTANCE_CAST ((object), SOUP_TYPE_AUTH_NEGOTIATE,
SoupAuthNegotiate))
+#define SOUP_AUTH_NEGOTIATE_CLASS(klass) (G_TYPE_CHECK_CLASS_CAST ((klass), SOUP_TYPE_AUTH_NEGOTIATE,
SoupAuthNegotiateClass))
+#define SOUP_IS_AUTH_NEGOTIATE(object) (G_TYPE_CHECK_INSTANCE_TYPE ((object), SOUP_TYPE_AUTH_NEGOTIATE))
+#define SOUP_IS_AUTH_NEGOTIATE_CLASS(klass) (G_TYPE_CHECK_CLASS_TYPE ((klass), SOUP_TYPE_AUTH_NEGOTIATE))
+#define SOUP_AUTH_NEGOTIATE_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), SOUP_TYPE_AUTH_NEGOTIATE,
SoupAuthNegotiateClass))
+
+typedef struct {
+ SoupConnectionAuth parent;
+
+} SoupAuthNegotiate;
+
+typedef struct {
+ SoupConnectionAuthClass parent_class;
+
+} SoupAuthNegotiateClass;
+
+#endif /* SOUP_AUTH_NEGOTIATE_H */
diff --git a/libsoup/soup-auth.h b/libsoup/soup-auth.h
index 824857e..8db2ccc 100644
--- a/libsoup/soup-auth.h
+++ b/libsoup/soup-auth.h
@@ -99,6 +99,8 @@ GType soup_auth_basic_get_type (void);
GType soup_auth_digest_get_type (void);
#define SOUP_TYPE_AUTH_NTLM (soup_auth_ntlm_get_type ())
GType soup_auth_ntlm_get_type (void);
+#define SOUP_TYPE_AUTH_NEGOTIATE (soup_auth_negotiate_get_type ())
+GType soup_auth_negotiate_get_type (void);
/* Deprecated SoupPasswordManager-related APIs: all are now no-ops */
SOUP_AVAILABLE_IN_2_28
diff --git a/libsoup/soup-gssapi.c b/libsoup/soup-gssapi.c
new file mode 100644
index 0000000..78aaa77
--- /dev/null
+++ b/libsoup/soup-gssapi.c
@@ -0,0 +1,169 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
+/*
+ * soup-gssapi.c: GSSAPI related functions
+ *
+ * Copyright (C) 2013 Guido Guenther <agx sigxcpu org>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <string.h>
+
+#include <soup-status.h>
+#include <soup-gssapi.h>
+
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_krb5.h>
+
+int
+soup_gss_client_init (SoupNegotiateConnectionState *conn, const char *host, GError **err);
+
+int
+soup_gss_client_step (SoupNegotiateConnectionState *conn, const char *host, GError **err);
+
+void
+soup_gss_client_cleanup (SoupNegotiateConnectionState *conn);
+
+static void
+soup_gss_error (OM_uint32 err_maj, OM_uint32 err_min, GError **err)
+{
+ OM_uint32 maj_stat, min_stat, msg_ctx = 0;
+ gss_buffer_desc status;
+ char *buf_maj = NULL, *buf_min = NULL;
+
+ do {
+ maj_stat = gss_display_status (&min_stat,
+ err_maj,
+ GSS_C_GSS_CODE,
+ GSS_C_NO_OID,
+ &msg_ctx,
+ &status);
+ if (GSS_ERROR (maj_stat))
+ break;
+
+ buf_maj = g_strdup ((char*) status.value);
+ gss_release_buffer (&min_stat, &status);
+
+ maj_stat = gss_display_status (&min_stat,
+ err_min,
+ GSS_C_MECH_CODE,
+ GSS_C_NULL_OID,
+ &msg_ctx,
+ &status);
+ if (!GSS_ERROR (maj_stat)) {
+ buf_min = g_strdup ((char*) status.value);
+ gss_release_buffer (&min_stat, &status);
+ }
+
+ if (err && *err == NULL) {
+ g_set_error (err,
+ SOUP_HTTP_ERROR,
+ SOUP_STATUS_GSSAPI_FAILED,
+ "%s %s",
+ buf_maj,
+ buf_min ? buf_min : "");
+ }
+ g_free (buf_maj);
+ g_free (buf_min);
+ buf_min = buf_maj = NULL;
+ } while (!GSS_ERROR (maj_stat) && msg_ctx != 0);
+}
+
+G_MODULE_EXPORT int
+soup_gss_client_init (SoupNegotiateConnectionState *conn, const char *host, GError **err)
+{
+ OM_uint32 maj_stat, min_stat;
+ char *service = NULL;
+ gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
+ gboolean ret = FALSE;
+ gchar *h;
+
+ conn->server_name = GSS_C_NO_NAME;
+ conn->context = GSS_C_NO_CONTEXT;
+
+ h = g_ascii_strdown (host, -1);
+ service = g_strconcat ("HTTP/", h, NULL);
+ token.length = strlen (service);
+ token.value = (char *)service;
+
+ maj_stat = gss_import_name (&min_stat,
+ &token,
+ (gss_OID) GSS_KRB5_NT_PRINCIPAL_NAME,
+ &conn->server_name);
+
+ if (GSS_ERROR (maj_stat)) {
+ soup_gss_error (maj_stat, min_stat, err);
+ ret = FALSE;
+ goto out;
+ }
+
+ ret = TRUE;
+out:
+ g_free (h);
+ g_free (service);
+ return ret;
+}
+
+G_MODULE_EXPORT int
+soup_gss_client_step (SoupNegotiateConnectionState *conn, const char *challenge, GError **err)
+{
+ OM_uint32 maj_stat, min_stat;
+ gss_buffer_desc in = GSS_C_EMPTY_BUFFER;
+ gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
+ int ret = AUTH_GSS_CONTINUE;
+
+ g_clear_pointer (&conn->response_header, g_free);
+
+ if (challenge && *challenge) {
+ size_t len;
+ in.value = g_base64_decode (challenge, &len);
+ in.length = len;
+ }
+
+ maj_stat = gss_init_sec_context (&min_stat,
+ GSS_C_NO_CREDENTIAL,
+ &conn->context,
+ conn->server_name,
+ GSS_C_NO_OID,
+ GSS_C_MUTUAL_FLAG,
+ GSS_C_INDEFINITE,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ &in,
+ NULL,
+ &out,
+ NULL,
+ NULL);
+
+ if ((maj_stat != GSS_S_COMPLETE) && (maj_stat != GSS_S_CONTINUE_NEEDED)) {
+ soup_gss_error (maj_stat, min_stat, err);
+ ret = AUTH_GSS_ERROR;
+ goto out;
+ }
+
+ ret = (maj_stat == GSS_S_COMPLETE) ? AUTH_GSS_COMPLETE : AUTH_GSS_CONTINUE;
+ if (out.length) {
+ char *response = g_base64_encode ((const unsigned char *)out.value, out.length);
+ conn->response_header = g_strconcat ("Negotiate ", response, NULL);
+ g_free (response);
+ maj_stat = gss_release_buffer (&min_stat, &out);
+ }
+
+out:
+ if (out.value)
+ gss_release_buffer (&min_stat, &out);
+ if (in.value)
+ g_free (in.value);
+ return ret;
+}
+
+
+G_MODULE_EXPORT void
+soup_gss_client_cleanup (SoupNegotiateConnectionState *conn)
+{
+ OM_uint32 min_stat;
+
+ gss_release_name (&min_stat, &conn->server_name);
+}
+
diff --git a/libsoup/soup-gssapi.h b/libsoup/soup-gssapi.h
new file mode 100644
index 0000000..05a2b48
--- /dev/null
+++ b/libsoup/soup-gssapi.h
@@ -0,0 +1,41 @@
+/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
+/*
+ * soup-auth-negotiate.c: HTTP Negotiate Authentication helper
+ *
+ * Copyright (C) 2013 Guido Guenther <agx sigxcpu org>
+ */
+
+#ifndef SOUP_GSSAPI_H
+#define SOUP_GSSAPI_H
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
+#ifdef HAVE_GSSAPI
+# include <gssapi/gssapi.h>
+#endif
+
+#define AUTH_GSS_ERROR -1
+#define AUTH_GSS_COMPLETE 1
+#define AUTH_GSS_CONTINUE 0
+
+typedef enum {
+ SOUP_NEGOTIATE_NEW,
+ SOUP_NEGOTIATE_RECEIVED_CHALLENGE, /* received intial negotiate header */
+ SOUP_NEGOTIATE_SENT_RESPONSE, /* sent response to server */
+ SOUP_NEGOTIATE_FAILED
+} SoupNegotiateState;
+
+typedef struct {
+ SoupNegotiateState state;
+
+#ifdef HAVE_GSSAPI
+ gss_ctx_id_t context;
+ gss_name_t server_name;
+#endif
+
+ char *response_header;
+} SoupNegotiateConnectionState;
+
+#endif /* SOUP_GSSAPI_H */
diff --git a/libsoup/soup-status.h b/libsoup/soup-status.h
index fb4147c..70a9864 100644
--- a/libsoup/soup-status.h
+++ b/libsoup/soup-status.h
@@ -34,6 +34,7 @@ typedef enum {
SOUP_STATUS_TRY_AGAIN,
SOUP_STATUS_TOO_MANY_REDIRECTS,
SOUP_STATUS_TLS_FAILED,
+ SOUP_STATUS_GSSAPI_FAILED,
/* HTTP Status Codes */
SOUP_STATUS_CONTINUE = 100,
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]