[PATCH] SPNEGO version2

David Woodhouse dwmw2 at infradead.org
Thu Feb 19 03:09:23 PST 2015


On Thu, 2015-02-19 at 10:06 +0100, Nikos Mavrogiannopoulos wrote:
> Note that I've not generalized authentication outside spnego, mainly
> intentionally as I have no way to test it.

I really do want to see that generalised. It's not so hard to test it.
Just have a completely unrelated URL elsewhere which requires
authentication of whatever kind, and when you've authenticated you get
an HTTP redirect to the real ocserv URL.

Not only will that allow us to test other auth methods, it'll also allow
us to test the case of authenticating with GSSAPI to more than one
server — which might happen in load-balancing scenarios.

So I'd prefer not to do this...

> +int gssapi_proxy_authorization(struct openconnect_info *vpninfo, struct oc_text_buf *hdrbuf)
> +{
> +	return gssapi_authorization(vpninfo, &vpninfo->auth[AUTH_TYPE_GSSAPI], hdrbuf, 1);
> +}
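Review bot: the literal `1` passed as the `proxy` argument in `gssapi_proxy_authorization` is an undocumented magic value; add a one-line comment to the wrapper stating that it selects the proxy authenticator, or replace the flag with a named constant or the target hostname so a caller cannot hand the wrong endpoint's state to `gssapi_authorization` without noticing.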

... but instead make this change...

> -int gssapi_authorization(struct openconnect_info *vpninfo, struct oc_text_buf *hdrbuf)
> +int gssapi_authorization(struct openconnect_info *vpninfo, struct proxy_auth_state *auth_state, 
> +			 struct oc_text_buf *hdrbuf, unsigned proxy)
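Review bot: `unsigned proxy` in the new `gssapi_authorization` signature is a boolean in disguise, and the first continued line carries trailing whitespace after `struct proxy_auth_state *auth_state,`; strip the whitespace and consider typing the parameter as the target hostname (or at least `bool`) so proxy and server state cannot be silently swapped at the two call sites. Since the wrapper above derives `auth_state` from `vpninfo->auth[...]`, a short comment should also state whether `auth_state` must belong to the passed `vpninfo`.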

... for all the authenticators. Let's do that in a preliminary patch,
and then it makes the rest a little simpler, right?

Can we pass the target hostname rather than the 'proxy' flag though?

-- 
dwmw2