stoken: Add software token functions to library API; bump to v2.1

openconnect_has_stoken_support(): returns 1 if the library was linked
with libstoken.

openconnect_set_stoken_mode(): enables/disables tokencode generation,
and tells the library how to locate the seed.  Unless this function is
called, the library will not try to use a soft token.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>

diff --git a/libopenconnect.map.in b/libopenconnect.map.in
index 0048334..2539335 100644 (file)
--- a/libopenconnect.map.in
+++ b/libopenconnect.map.in
@@ -1,5 +1,11 @@
+OPENCONNECT_2.1 {
+ global:
+       openconnect_has_stoken_support;
+       openconnect_set_stoken_mode;
+};
+
 OPENCONNECT_2.0 {
- global: 
+ global:
        openconnect_clear_cookie;
        openconnect_get_cert_sha1;
        openconnect_get_cookie;

diff --git a/library.c b/library.c
index b97f8df..c8db968 100644 (file)
--- a/library.c
+++ b/library.c
@@ -26,6 +26,10 @@
 #include <errno.h>
 #include <stdlib.h>
 
+#ifdef LIBSTOKEN_HDR
+#include LIBSTOKEN_HDR
+#endif
+
 #include "openconnect-internal.h"
 
 struct openconnect_info *openconnect_vpninfo_new (char *useragent,
@@ -104,6 +108,12 @@ void openconnect_vpninfo_free (struct openconnect_info *vpninfo)
                vpninfo->peer_cert = NULL;
        }
        free(vpninfo->useragent);
+#ifdef LIBSTOKEN_HDR
+       if (vpninfo->stoken_pin)
+               free(vpninfo->stoken_pin);
+       if (vpninfo->stoken_ctx)
+               stoken_destroy(vpninfo->stoken_ctx);
+#endif
        /* No need to free deflate streams; they weren't initialised */
        free(vpninfo);
 }
@@ -265,3 +275,54 @@ int openconnect_has_tss_blob_support(void)
 #endif
        return 0;
 }
+
+int openconnect_has_stoken_support(void)
+{
+#ifdef LIBSTOKEN_HDR
+       return 1;
+#else
+       return 0;
+#endif
+}
+
+/*
+ * Enable software token generation if use_stoken == 1.
+ *
+ * If token_str is not NULL, try to parse the string.  Otherwise, try to read
+ * the token data from ~/.stokenrc
+ *
+ * Return value:
+ *  = -EOPNOTSUPP, if libstoken is not available
+ *  = -EINVAL, if the token string is invalid (token_str was provided)
+ *  = -ENOENT, if ~/.stokenrc is missing (token_str was NULL)
+ *  = -EIO, for other libstoken failures
+ *  = 0, on success
+ */
+int openconnect_set_stoken_mode (struct openconnect_info *vpninfo,
+                                int use_stoken, const char *token_str)
+{
+#ifdef LIBSTOKEN_HDR
+       int ret;
+
+       vpninfo->use_stoken = 0;
+       if (!use_stoken)
+               return 0;
+
+       if (!vpninfo->stoken_ctx) {
+               vpninfo->stoken_ctx = stoken_new();
+               if (!vpninfo->stoken_ctx)
+                       return -EIO;
+       }
+
+       ret = token_str ?
+             stoken_import_string(vpninfo->stoken_ctx, token_str) :
+             stoken_import_rcfile(vpninfo->stoken_ctx, NULL);
+       if (ret)
+               return ret;
+
+       vpninfo->use_stoken = 1;
+       return 0;
+#else
+       return -EOPNOTSUPP;
+#endif
+}

diff --git a/openconnect-internal.h b/openconnect-internal.h
index 5b0b44a..4b88920 100644 (file)
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -61,6 +61,10 @@
 #include LIBPROXY_HDR
 #endif
 
+#ifdef LIBSTOKEN_HDR
+#include LIBSTOKEN_HDR
+#endif
+
 #ifdef ENABLE_NLS
 #include <locale.h>
 #include <libintl.h>
@@ -166,6 +170,15 @@ struct openconnect_info {
        int uid_csd_given;
        int no_http_keepalive;
 
+#ifdef LIBSTOKEN_HDR
+       struct stoken_ctx *stoken_ctx;
+#endif
+       int use_stoken;
+       int stoken_bypassed;
+       int stoken_tries;
+       time_t stoken_time;
+       char *stoken_pin;
+
        OPENCONNECT_X509 *peer_cert;
 
        char *cookie; /* Pointer to within cookies list */

diff --git a/openconnect.h b/openconnect.h
index c4a0075..dd89bd9 100644 (file)
--- a/openconnect.h
+++ b/openconnect.h
@@ -31,9 +31,12 @@
 #include <unistd.h>
 
 #define OPENCONNECT_API_VERSION_MAJOR 2
-#define OPENCONNECT_API_VERSION_MINOR 0
+#define OPENCONNECT_API_VERSION_MINOR 1
 
 /*
+ * API version 2.1:
+ *  - Add openconnect_set_stoken_mode(), openconnect_has_stoken_support()
+ *
  * API version 2.0:
  *  - OPENCONNECT_X509 is now an opaque type.
  *  - Add openconnect_has_pkcs11_support(), openconnect_has_tss_blob_support()
@@ -158,6 +161,11 @@ void openconnect_set_hostname (struct openconnect_info *, char *);
 char *openconnect_get_urlpath (struct openconnect_info *);
 void openconnect_set_urlpath (struct openconnect_info *, char *);
 
+/* This function does *not* take ownership of the string; it is parsed
+   and then discarded. */
+int openconnect_set_stoken_mode (struct openconnect_info *,
+                                int use_stoken, const char *token_str);
+
 /* This function does *not* take ownership of the string; it's copied
    into a static buffer in the vpninfo. The size must be 41 bytes,
    since that's the size of a 20-byte SHA1 represented as hex with
@@ -249,4 +257,7 @@ int openconnect_has_pkcs11_support(void);
    in the near future. */
 int openconnect_has_tss_blob_support(void);
 
+/* Software token capabilities. */
+int openconnect_has_stoken_support(void);
+
 #endif /* __OPENCONNECT_H__ */