search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Clean up MFYI by adding suppressions for new bugs
[chromium-blink-merge.git] / net / http / http_auth_gssapi_posix.cc
blob41cbcdbcdc005a24597fcd8d03b6209b884ee869
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/http_auth_gssapi_posix.h"
6
7 #include <limits>
8 #include <string>
9
10 #include "base/base64.h"
11 #include "base/files/file_path.h"
12 #include "base/format_macros.h"
13 #include "base/logging.h"
14 #include "base/strings/string_util.h"
15 #include "base/strings/stringprintf.h"
16 #include "base/threading/thread_restrictions.h"
17 #include "net/base/net_errors.h"
18 #include "net/base/net_util.h"
19
20 // These are defined for the GSSAPI library:
21 // Paraphrasing the comments from gssapi.h:
22 // "The implementation must reserve static storage for a
23 // gss_OID_desc object for each constant. That constant
24 // should be initialized to point to that gss_OID_desc."
25 // These are encoded using ASN.1 BER encoding.
26 namespace {
27
28 static gss_OID_desc GSS_C_NT_USER_NAME_VAL = {
29 10,
30 const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01")
31 };
32 static gss_OID_desc GSS_C_NT_MACHINE_UID_NAME_VAL = {
33 10,
34 const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02")
35 };
36 static gss_OID_desc GSS_C_NT_STRING_UID_NAME_VAL = {
37 10,
38 const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03")
39 };
40 static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X_VAL = {
41 6,
42 const_cast<char*>("\x2b\x06\x01\x05\x06\x02")
43 };
44 static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_VAL = {
45 10,
46 const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")
47 };
48 static gss_OID_desc GSS_C_NT_ANONYMOUS_VAL = {
49 6,
50 const_cast<char*>("\x2b\x06\01\x05\x06\x03")
51 };
52 static gss_OID_desc GSS_C_NT_EXPORT_NAME_VAL = {
53 6,
54 const_cast<char*>("\x2b\x06\x01\x05\x06\x04")
55 };
56
57 } // namespace
58
59 // Heimdal >= 1.4 will define the following as preprocessor macros.
60 // To avoid conflicting declarations, we have to undefine these.
61 #undef GSS_C_NT_USER_NAME
62 #undef GSS_C_NT_MACHINE_UID_NAME
63 #undef GSS_C_NT_STRING_UID_NAME
64 #undef GSS_C_NT_HOSTBASED_SERVICE_X
65 #undef GSS_C_NT_HOSTBASED_SERVICE
66 #undef GSS_C_NT_ANONYMOUS
67 #undef GSS_C_NT_EXPORT_NAME
68
69 gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_VAL;
70 gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_VAL;
71 gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_VAL;
72 gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_VAL;
73 gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_VAL;
74 gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_VAL;
75 gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_VAL;
76
77 namespace net {
78
79 // Exported mechanism for GSSAPI. We always use SPNEGO:
80
81 // iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2)
82 gss_OID_desc CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL = {
83 6,
84 const_cast<char*>("\x2b\x06\x01\x05\x05\x02")
85 };
86
87 gss_OID CHROME_GSS_SPNEGO_MECH_OID_DESC =
88 &CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL;
89
90 // Debugging helpers.
91 namespace {
92
93 std::string DisplayStatus(OM_uint32 major_status,
94 OM_uint32 minor_status) {
95 if (major_status == GSS_S_COMPLETE)
96 return "OK";
97 return base::StringPrintf("0x%08X 0x%08X", major_status, minor_status);
98 }
99
100 std::string DisplayCode(GSSAPILibrary* gssapi_lib,
101 OM_uint32 status,
102 OM_uint32 status_code_type) {
103 const int kMaxDisplayIterations = 8;
104 const size_t kMaxMsgLength = 4096;
105 // msg_ctx needs to be outside the loop because it is invoked multiple times.
106 OM_uint32 msg_ctx = 0;
107 std::string rv = base::StringPrintf("(0x%08X)", status);
108
109 // This loop should continue iterating until msg_ctx is 0 after the first
110 // iteration. To be cautious and prevent an infinite loop, it stops after
111 // a finite number of iterations as well. As an added sanity check, no
112 // individual message may exceed |kMaxMsgLength|, and the final result
113 // will not exceed |kMaxMsgLength|*2-1.
114 for (int i = 0; i < kMaxDisplayIterations && rv.size() < kMaxMsgLength;
115 ++i) {
116 OM_uint32 min_stat;
117 gss_buffer_desc_struct msg = GSS_C_EMPTY_BUFFER;
118 OM_uint32 maj_stat =
119 gssapi_lib->display_status(&min_stat, status, status_code_type,
120 GSS_C_NULL_OID, &msg_ctx, &msg);
121 if (maj_stat == GSS_S_COMPLETE) {
122 int msg_len = (msg.length > kMaxMsgLength) ?
123 static_cast<int>(kMaxMsgLength) :
124 static_cast<int>(msg.length);
125 if (msg_len > 0 && msg.value != NULL) {
126 rv += base::StringPrintf(" %.*s", msg_len,
127 static_cast<char*>(msg.value));
128 }
129 }
130 gssapi_lib->release_buffer(&min_stat, &msg);
131 if (!msg_ctx)
132 break;
133 }
134 return rv;
135 }
136
137 std::string DisplayExtendedStatus(GSSAPILibrary* gssapi_lib,
138 OM_uint32 major_status,
139 OM_uint32 minor_status) {
140 if (major_status == GSS_S_COMPLETE)
141 return "OK";
142 std::string major = DisplayCode(gssapi_lib, major_status, GSS_C_GSS_CODE);
143 std::string minor = DisplayCode(gssapi_lib, minor_status, GSS_C_MECH_CODE);
144 return base::StringPrintf("Major: %s | Minor: %s", major.c_str(),
145 minor.c_str());
146 }
147
148 // ScopedName releases a gss_name_t when it goes out of scope.
149 class ScopedName {
150 public:
151 ScopedName(gss_name_t name,
152 GSSAPILibrary* gssapi_lib)
153 : name_(name),
154 gssapi_lib_(gssapi_lib) {
155 DCHECK(gssapi_lib_);
156 }
157
158 ~ScopedName() {
159 if (name_ != GSS_C_NO_NAME) {
160 OM_uint32 minor_status = 0;
161 OM_uint32 major_status =
162 gssapi_lib_->release_name(&minor_status, &name_);
163 if (major_status != GSS_S_COMPLETE) {
164 LOG(WARNING) << "Problem releasing name. "
165 << DisplayStatus(major_status, minor_status);
166 }
167 name_ = GSS_C_NO_NAME;
168 }
169 }
170
171 private:
172 gss_name_t name_;
173 GSSAPILibrary* gssapi_lib_;
174
175 DISALLOW_COPY_AND_ASSIGN(ScopedName);
176 };
177
178 // ScopedBuffer releases a gss_buffer_t when it goes out of scope.
179 class ScopedBuffer {
180 public:
181 ScopedBuffer(gss_buffer_t buffer,
182 GSSAPILibrary* gssapi_lib)
183 : buffer_(buffer),
184 gssapi_lib_(gssapi_lib) {
185 DCHECK(gssapi_lib_);
186 }
187
188 ~ScopedBuffer() {
189 if (buffer_ != GSS_C_NO_BUFFER) {
190 OM_uint32 minor_status = 0;
191 OM_uint32 major_status =
192 gssapi_lib_->release_buffer(&minor_status, buffer_);
193 if (major_status != GSS_S_COMPLETE) {
194 LOG(WARNING) << "Problem releasing buffer. "
195 << DisplayStatus(major_status, minor_status);
196 }
197 buffer_ = GSS_C_NO_BUFFER;
198 }
199 }
200
201 private:
202 gss_buffer_t buffer_;
203 GSSAPILibrary* gssapi_lib_;
204
205 DISALLOW_COPY_AND_ASSIGN(ScopedBuffer);
206 };
207
208 namespace {
209
210 std::string AppendIfPredefinedValue(gss_OID oid,
211 gss_OID predefined_oid,
212 const char* predefined_oid_name) {
213 DCHECK(oid);
214 DCHECK(predefined_oid);
215 DCHECK(predefined_oid_name);
216 std::string output;
217 if (oid->length != predefined_oid->length)
218 return output;
219 if (0 != memcmp(oid->elements,
220 predefined_oid->elements,
221 predefined_oid->length))
222 return output;
223
224 output += " (";
225 output += predefined_oid_name;
226 output += ")";
227 return output;
228 }
229
230 } // namespace
231
232 std::string DescribeOid(GSSAPILibrary* gssapi_lib, const gss_OID oid) {
233 if (!oid)
234 return "<NULL>";
235 std::string output;
236 const size_t kMaxCharsToPrint = 1024;
237 OM_uint32 byte_length = oid->length;
238 size_t char_length = byte_length / sizeof(char);
239 if (char_length > kMaxCharsToPrint) {
240 // This might be a plain ASCII string.
241 // Check if the first |kMaxCharsToPrint| characters
242 // contain only printable characters and are NULL terminated.
243 const char* str = reinterpret_cast<const char*>(oid);
244 size_t str_length = 0;
245 for ( ; str_length < kMaxCharsToPrint; ++str_length) {
246 if (!str[str_length] || !isprint(str[str_length]))
247 break;
248 }
249 if (!str[str_length]) {
250 output += base::StringPrintf("\"%s\"", str);
251 return output;
252 }
253 }
254 output = base::StringPrintf("(%u) \"", byte_length);
255 if (!oid->elements) {
256 output += "<NULL>";
257 return output;
258 }
259 const unsigned char* elements =
260 reinterpret_cast<const unsigned char*>(oid->elements);
261 // Don't print more than |kMaxCharsToPrint| characters.
262 size_t i = 0;
263 for ( ; (i < byte_length) && (i < kMaxCharsToPrint); ++i) {
264 output += base::StringPrintf("\\x%02X", elements[i]);
265 }
266 if (i >= kMaxCharsToPrint)
267 output += "...";
268 output += "\"";
269
270 // Check if the OID is one of the predefined values.
271 output += AppendIfPredefinedValue(oid,
272 GSS_C_NT_USER_NAME,
273 "GSS_C_NT_USER_NAME");
274 output += AppendIfPredefinedValue(oid,
275 GSS_C_NT_MACHINE_UID_NAME,
276 "GSS_C_NT_MACHINE_UID_NAME");
277 output += AppendIfPredefinedValue(oid,
278 GSS_C_NT_STRING_UID_NAME,
279 "GSS_C_NT_STRING_UID_NAME");
280 output += AppendIfPredefinedValue(oid,
281 GSS_C_NT_HOSTBASED_SERVICE_X,
282 "GSS_C_NT_HOSTBASED_SERVICE_X");
283 output += AppendIfPredefinedValue(oid,
284 GSS_C_NT_HOSTBASED_SERVICE,
285 "GSS_C_NT_HOSTBASED_SERVICE");
286 output += AppendIfPredefinedValue(oid,
287 GSS_C_NT_ANONYMOUS,
288 "GSS_C_NT_ANONYMOUS");
289 output += AppendIfPredefinedValue(oid,
290 GSS_C_NT_EXPORT_NAME,
291 "GSS_C_NT_EXPORT_NAME");
292
293 return output;
294 }
295
296 std::string DescribeName(GSSAPILibrary* gssapi_lib, const gss_name_t name) {
297 OM_uint32 major_status = 0;
298 OM_uint32 minor_status = 0;
299 gss_buffer_desc_struct output_name_buffer = GSS_C_EMPTY_BUFFER;
300 gss_OID_desc output_name_type_desc = GSS_C_EMPTY_BUFFER;
301 gss_OID output_name_type = &output_name_type_desc;
302 major_status = gssapi_lib->display_name(&minor_status,
303 name,
304 &output_name_buffer,
305 &output_name_type);
306 ScopedBuffer scoped_output_name(&output_name_buffer, gssapi_lib);
307 if (major_status != GSS_S_COMPLETE) {
308 std::string error =
309 base::StringPrintf("Unable to describe name 0x%p, %s",
310 name,
311 DisplayExtendedStatus(gssapi_lib,
312 major_status,
313 minor_status).c_str());
314 return error;
315 }
316 int len = output_name_buffer.length;
317 std::string description = base::StringPrintf(
318 "%*s (Type %s)",
319 len,
320 reinterpret_cast<const char*>(output_name_buffer.value),
321 DescribeOid(gssapi_lib, output_name_type).c_str());
322 return description;
323 }
324
325 std::string DescribeContext(GSSAPILibrary* gssapi_lib,
326 const gss_ctx_id_t context_handle) {
327 OM_uint32 major_status = 0;
328 OM_uint32 minor_status = 0;
329 gss_name_t src_name = GSS_C_NO_NAME;
330 gss_name_t targ_name = GSS_C_NO_NAME;
331 OM_uint32 lifetime_rec = 0;
332 gss_OID mech_type = GSS_C_NO_OID;
333 OM_uint32 ctx_flags = 0;
334 int locally_initiated = 0;
335 int open = 0;
336 if (context_handle == GSS_C_NO_CONTEXT)
337 return std::string("Context: GSS_C_NO_CONTEXT");
338 major_status = gssapi_lib->inquire_context(&minor_status,
339 context_handle,
340 &src_name,
341 &targ_name,
342 &lifetime_rec,
343 &mech_type,
344 &ctx_flags,
345 &locally_initiated,
346 &open);
347 ScopedName(src_name, gssapi_lib);
348 ScopedName(targ_name, gssapi_lib);
349 if (major_status != GSS_S_COMPLETE) {
350 std::string error =
351 base::StringPrintf("Unable to describe context 0x%p, %s",
352 context_handle,
353 DisplayExtendedStatus(gssapi_lib,
354 major_status,
355 minor_status).c_str());
356 return error;
357 }
358 std::string source(DescribeName(gssapi_lib, src_name));
359 std::string target(DescribeName(gssapi_lib, targ_name));
360 std::string description = base::StringPrintf("Context 0x%p: "
361 "Source \"%s\", "
362 "Target \"%s\", "
363 "lifetime %d, "
364 "mechanism %s, "
365 "flags 0x%08X, "
366 "local %d, "
367 "open %d",
368 context_handle,
369 source.c_str(),
370 target.c_str(),
371 lifetime_rec,
372 DescribeOid(gssapi_lib,
373 mech_type).c_str(),
374 ctx_flags,
375 locally_initiated,
376 open);
377 return description;
378 }
379
380 } // namespace
381
382 GSSAPISharedLibrary::GSSAPISharedLibrary(const std::string& gssapi_library_name)
383 : initialized_(false),
384 gssapi_library_name_(gssapi_library_name),
385 gssapi_library_(NULL),
386 import_name_(NULL),
387 release_name_(NULL),
388 release_buffer_(NULL),
389 display_name_(NULL),
390 display_status_(NULL),
391 init_sec_context_(NULL),
392 wrap_size_limit_(NULL),
393 delete_sec_context_(NULL),
394 inquire_context_(NULL) {
395 }
396
397 GSSAPISharedLibrary::~GSSAPISharedLibrary() {
398 if (gssapi_library_) {
399 base::UnloadNativeLibrary(gssapi_library_);
400 gssapi_library_ = NULL;
401 }
402 }
403
404 bool GSSAPISharedLibrary::Init() {
405 if (!initialized_)
406 InitImpl();
407 return initialized_;
408 }
409
410 bool GSSAPISharedLibrary::InitImpl() {
411 DCHECK(!initialized_);
412 #if defined(DLOPEN_KERBEROS)
413 gssapi_library_ = LoadSharedLibrary();
414 if (gssapi_library_ == NULL)
415 return false;
416 #endif // defined(DLOPEN_KERBEROS)
417 initialized_ = true;
418 return true;
419 }
420
421 base::NativeLibrary GSSAPISharedLibrary::LoadSharedLibrary() {
422 const char* const* library_names;
423 size_t num_lib_names;
424 const char* user_specified_library[1];
425 if (!gssapi_library_name_.empty()) {
426 user_specified_library[0] = gssapi_library_name_.c_str();
427 library_names = user_specified_library;
428 num_lib_names = 1;
429 } else {
430 static const char* const kDefaultLibraryNames[] = {
431 #if defined(OS_MACOSX)
432 "libgssapi_krb5.dylib" // MIT Kerberos
433 #elif defined(OS_OPENBSD)
434 "libgssapi.so" // Heimdal - OpenBSD
435 #else
436 "libgssapi_krb5.so.2", // MIT Kerberos - FC, Suse10, Debian
437 "libgssapi.so.4", // Heimdal - Suse10, MDK
438 "libgssapi.so.2", // Heimdal - Gentoo
439 "libgssapi.so.1" // Heimdal - Suse9, CITI - FC, MDK, Suse10
440 #endif
441 };
442 library_names = kDefaultLibraryNames;
443 num_lib_names = arraysize(kDefaultLibraryNames);
444 }
445
446 for (size_t i = 0; i < num_lib_names; ++i) {
447 const char* library_name = library_names[i];
448 base::FilePath file_path(library_name);
449
450 // TODO(asanka): Move library loading to a separate thread.
451 // http://crbug.com/66702
452 base::ThreadRestrictions::ScopedAllowIO allow_io_temporarily;
453 base::NativeLibrary lib = base::LoadNativeLibrary(file_path, NULL);
454 if (lib) {
455 // Only return this library if we can bind the functions we need.
456 if (BindMethods(lib))
457 return lib;
458 base::UnloadNativeLibrary(lib);
459 }
460 }
461 LOG(WARNING) << "Unable to find a compatible GSSAPI library";
462 return NULL;
463 }
464
465 #if defined(DLOPEN_KERBEROS)
466 #define BIND(lib, x) \
467 DCHECK(lib); \
468 gss_##x##_type x = reinterpret_cast<gss_##x##_type>( \
469 base::GetFunctionPointerFromNativeLibrary(lib, "gss_" #x)); \
470 if (x == NULL) { \
471 LOG(WARNING) << "Unable to bind function \"" << "gss_" #x << "\""; \
472 return false; \
473 }
474 #else
475 #define BIND(lib, x) gss_##x##_type x = gss_##x
476 #endif
477
478 bool GSSAPISharedLibrary::BindMethods(base::NativeLibrary lib) {
479 BIND(lib, import_name);
480 BIND(lib, release_name);
481 BIND(lib, release_buffer);
482 BIND(lib, display_name);
483 BIND(lib, display_status);
484 BIND(lib, init_sec_context);
485 BIND(lib, wrap_size_limit);
486 BIND(lib, delete_sec_context);
487 BIND(lib, inquire_context);
488
489 import_name_ = import_name;
490 release_name_ = release_name;
491 release_buffer_ = release_buffer;
492 display_name_ = display_name;
493 display_status_ = display_status;
494 init_sec_context_ = init_sec_context;
495 wrap_size_limit_ = wrap_size_limit;
496 delete_sec_context_ = delete_sec_context;
497 inquire_context_ = inquire_context;
498
499 return true;
500 }
501
502 #undef BIND
503
504 OM_uint32 GSSAPISharedLibrary::import_name(
505 OM_uint32* minor_status,
506 const gss_buffer_t input_name_buffer,
507 const gss_OID input_name_type,
508 gss_name_t* output_name) {
509 DCHECK(initialized_);
510 return import_name_(minor_status, input_name_buffer, input_name_type,
511 output_name);
512 }
513
514 OM_uint32 GSSAPISharedLibrary::release_name(
515 OM_uint32* minor_status,
516 gss_name_t* input_name) {
517 DCHECK(initialized_);
518 return release_name_(minor_status, input_name);
519 }
520
521 OM_uint32 GSSAPISharedLibrary::release_buffer(
522 OM_uint32* minor_status,
523 gss_buffer_t buffer) {
524 DCHECK(initialized_);
525 return release_buffer_(minor_status, buffer);
526 }
527
528 OM_uint32 GSSAPISharedLibrary::display_name(
529 OM_uint32* minor_status,
530 const gss_name_t input_name,
531 gss_buffer_t output_name_buffer,
532 gss_OID* output_name_type) {
533 DCHECK(initialized_);
534 return display_name_(minor_status,
535 input_name,
536 output_name_buffer,
537 output_name_type);
538 }
539
540 OM_uint32 GSSAPISharedLibrary::display_status(
541 OM_uint32* minor_status,
542 OM_uint32 status_value,
543 int status_type,
544 const gss_OID mech_type,
545 OM_uint32* message_context,
546 gss_buffer_t status_string) {
547 DCHECK(initialized_);
548 return display_status_(minor_status, status_value, status_type, mech_type,
549 message_context, status_string);
550 }
551
552 OM_uint32 GSSAPISharedLibrary::init_sec_context(
553 OM_uint32* minor_status,
554 const gss_cred_id_t initiator_cred_handle,
555 gss_ctx_id_t* context_handle,
556 const gss_name_t target_name,
557 const gss_OID mech_type,
558 OM_uint32 req_flags,
559 OM_uint32 time_req,
560 const gss_channel_bindings_t input_chan_bindings,
561 const gss_buffer_t input_token,
562 gss_OID* actual_mech_type,
563 gss_buffer_t output_token,
564 OM_uint32* ret_flags,
565 OM_uint32* time_rec) {
566 DCHECK(initialized_);
567 return init_sec_context_(minor_status,
568 initiator_cred_handle,
569 context_handle,
570 target_name,
571 mech_type,
572 req_flags,
573 time_req,
574 input_chan_bindings,
575 input_token,
576 actual_mech_type,
577 output_token,
578 ret_flags,
579 time_rec);
580 }
581
582 OM_uint32 GSSAPISharedLibrary::wrap_size_limit(
583 OM_uint32* minor_status,
584 const gss_ctx_id_t context_handle,
585 int conf_req_flag,
586 gss_qop_t qop_req,
587 OM_uint32 req_output_size,
588 OM_uint32* max_input_size) {
589 DCHECK(initialized_);
590 return wrap_size_limit_(minor_status,
591 context_handle,
592 conf_req_flag,
593 qop_req,
594 req_output_size,
595 max_input_size);
596 }
597
598 OM_uint32 GSSAPISharedLibrary::delete_sec_context(
599 OM_uint32* minor_status,
600 gss_ctx_id_t* context_handle,
601 gss_buffer_t output_token) {
602 // This is called from the owner class' destructor, even if
603 // Init() is not called, so we can't assume |initialized_|
604 // is set.
605 if (!initialized_)
606 return 0;
607 return delete_sec_context_(minor_status,
608 context_handle,
609 output_token);
610 }
611
612 OM_uint32 GSSAPISharedLibrary::inquire_context(
613 OM_uint32* minor_status,
614 const gss_ctx_id_t context_handle,
615 gss_name_t* src_name,
616 gss_name_t* targ_name,
617 OM_uint32* lifetime_rec,
618 gss_OID* mech_type,
619 OM_uint32* ctx_flags,
620 int* locally_initiated,
621 int* open) {
622 DCHECK(initialized_);
623 return inquire_context_(minor_status,
624 context_handle,
625 src_name,
626 targ_name,
627 lifetime_rec,
628 mech_type,
629 ctx_flags,
630 locally_initiated,
631 open);
632 }
633
634 ScopedSecurityContext::ScopedSecurityContext(GSSAPILibrary* gssapi_lib)
635 : security_context_(GSS_C_NO_CONTEXT),
636 gssapi_lib_(gssapi_lib) {
637 DCHECK(gssapi_lib_);
638 }
639
640 ScopedSecurityContext::~ScopedSecurityContext() {
641 if (security_context_ != GSS_C_NO_CONTEXT) {
642 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
643 OM_uint32 minor_status = 0;
644 OM_uint32 major_status = gssapi_lib_->delete_sec_context(
645 &minor_status, &security_context_, &output_token);
646 if (major_status != GSS_S_COMPLETE) {
647 LOG(WARNING) << "Problem releasing security_context. "
648 << DisplayStatus(major_status, minor_status);
649 }
650 security_context_ = GSS_C_NO_CONTEXT;
651 }
652 }
653
654 HttpAuthGSSAPI::HttpAuthGSSAPI(GSSAPILibrary* library,
655 const std::string& scheme,
656 gss_OID gss_oid)
657 : scheme_(scheme),
658 gss_oid_(gss_oid),
659 library_(library),
660 scoped_sec_context_(library),
661 can_delegate_(false) {
662 DCHECK(library_);
663 }
664
665 HttpAuthGSSAPI::~HttpAuthGSSAPI() {
666 }
667
668 bool HttpAuthGSSAPI::Init() {
669 if (!library_)
670 return false;
671 return library_->Init();
672 }
673
674 bool HttpAuthGSSAPI::NeedsIdentity() const {
675 return decoded_server_auth_token_.empty();
676 }
677
678 bool HttpAuthGSSAPI::AllowsExplicitCredentials() const {
679 return false;
680 }
681
682 void HttpAuthGSSAPI::Delegate() {
683 can_delegate_ = true;
684 }
685
686 HttpAuth::AuthorizationResult HttpAuthGSSAPI::ParseChallenge(
687 HttpAuth::ChallengeTokenizer* tok) {
688 // Verify the challenge's auth-scheme.
689 if (!LowerCaseEqualsASCII(tok->scheme(), StringToLowerASCII(scheme_).c_str()))
690 return HttpAuth::AUTHORIZATION_RESULT_INVALID;
691
692 std::string encoded_auth_token = tok->base64_param();
693
694 if (encoded_auth_token.empty()) {
695 // If a context has already been established, an empty Negotiate challenge
696 // should be treated as a rejection of the current attempt.
697 if (scoped_sec_context_.get() != GSS_C_NO_CONTEXT)
698 return HttpAuth::AUTHORIZATION_RESULT_REJECT;
699 DCHECK(decoded_server_auth_token_.empty());
700 return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
701 } else {
702 // If a context has not already been established, additional tokens should
703 // not be present in the auth challenge.
704 if (scoped_sec_context_.get() == GSS_C_NO_CONTEXT)
705 return HttpAuth::AUTHORIZATION_RESULT_INVALID;
706 }
707
708 // Make sure the additional token is base64 encoded.
709 std::string decoded_auth_token;
710 bool base64_rv = base::Base64Decode(encoded_auth_token, &decoded_auth_token);
711 if (!base64_rv)
712 return HttpAuth::AUTHORIZATION_RESULT_INVALID;
713 decoded_server_auth_token_ = decoded_auth_token;
714 return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
715 }
716
717 int HttpAuthGSSAPI::GenerateAuthToken(const AuthCredentials* credentials,
718 const std::string& spn,
719 std::string* auth_token) {
720 DCHECK(auth_token);
721
722 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
723 input_token.length = decoded_server_auth_token_.length();
724 input_token.value = (input_token.length > 0) ?
725 const_cast<char*>(decoded_server_auth_token_.data()) :
726 NULL;
727 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
728 ScopedBuffer scoped_output_token(&output_token, library_);
729 int rv = GetNextSecurityToken(spn, &input_token, &output_token);
730 if (rv != OK)
731 return rv;
732
733 // Base64 encode data in output buffer and prepend the scheme.
734 std::string encode_input(static_cast<char*>(output_token.value),
735 output_token.length);
736 std::string encode_output;
737 base::Base64Encode(encode_input, &encode_output);
738 *auth_token = scheme_ + " " + encode_output;
739 return OK;
740 }
741
742
743 namespace {
744
745 // GSSAPI status codes consist of a calling error (essentially, a programmer
746 // bug), a routine error (defined by the RFC), and supplementary information,
747 // all bitwise-or'ed together in different regions of the 32 bit return value.
748 // This means a simple switch on the return codes is not sufficient.
749
750 int MapImportNameStatusToError(OM_uint32 major_status) {
751 VLOG(1) << "import_name returned 0x" << std::hex << major_status;
752 if (major_status == GSS_S_COMPLETE)
753 return OK;
754 if (GSS_CALLING_ERROR(major_status) != 0)
755 return ERR_UNEXPECTED;
756 OM_uint32 routine_error = GSS_ROUTINE_ERROR(major_status);
757 switch (routine_error) {
758 case GSS_S_FAILURE:
759 // Looking at the MIT Kerberos implementation, this typically is returned
760 // when memory allocation fails. However, the API does not guarantee
761 // that this is the case, so using ERR_UNEXPECTED rather than
762 // ERR_OUT_OF_MEMORY.
763 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS;
764 case GSS_S_BAD_NAME:
765 case GSS_S_BAD_NAMETYPE:
766 return ERR_MALFORMED_IDENTITY;
767 case GSS_S_DEFECTIVE_TOKEN:
768 // Not mentioned in the API, but part of code.
769 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS;
770 case GSS_S_BAD_MECH:
771 return ERR_UNSUPPORTED_AUTH_SCHEME;
772 default:
773 return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS;
774 }
775 }
776
777 int MapInitSecContextStatusToError(OM_uint32 major_status) {
778 VLOG(1) << "init_sec_context returned 0x" << std::hex << major_status;
779 // Although GSS_S_CONTINUE_NEEDED is an additional bit, it seems like
780 // other code just checks if major_status is equivalent to it to indicate
781 // that there are no other errors included.
782 if (major_status == GSS_S_COMPLETE || major_status == GSS_S_CONTINUE_NEEDED)
783 return OK;
784 if (GSS_CALLING_ERROR(major_status) != 0)
785 return ERR_UNEXPECTED;
786 OM_uint32 routine_status = GSS_ROUTINE_ERROR(major_status);
787 switch (routine_status) {
788 case GSS_S_DEFECTIVE_TOKEN:
789 return ERR_INVALID_RESPONSE;
790 case GSS_S_DEFECTIVE_CREDENTIAL:
791 // Not expected since this implementation uses the default credential.
792 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS;
793 case GSS_S_BAD_SIG:
794 // Probably won't happen, but it's a bad response.
795 return ERR_INVALID_RESPONSE;
796 case GSS_S_NO_CRED:
797 return ERR_INVALID_AUTH_CREDENTIALS;
798 case GSS_S_CREDENTIALS_EXPIRED:
799 return ERR_INVALID_AUTH_CREDENTIALS;
800 case GSS_S_BAD_BINDINGS:
801 // This only happens with mutual authentication.
802 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS;
803 case GSS_S_NO_CONTEXT:
804 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS;
805 case GSS_S_BAD_NAMETYPE:
806 return ERR_UNSUPPORTED_AUTH_SCHEME;
807 case GSS_S_BAD_NAME:
808 return ERR_UNSUPPORTED_AUTH_SCHEME;
809 case GSS_S_BAD_MECH:
810 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS;
811 case GSS_S_FAILURE:
812 // This should be an "Unexpected Security Status" according to the
813 // GSSAPI documentation, but it's typically used to indicate that
814 // credentials are not correctly set up on a user machine, such
815 // as a missing credential cache or hitting this after calling
816 // kdestroy.
817 // TODO(cbentzel): Use minor code for even better mapping?
818 return ERR_MISSING_AUTH_CREDENTIALS;
819 default:
820 if (routine_status != 0)
821 return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS;
822 break;
823 }
824 OM_uint32 supplemental_status = GSS_SUPPLEMENTARY_INFO(major_status);
825 // Replays could indicate an attack.
826 if (supplemental_status & (GSS_S_DUPLICATE_TOKEN | GSS_S_OLD_TOKEN |
827 GSS_S_UNSEQ_TOKEN | GSS_S_GAP_TOKEN))
828 return ERR_INVALID_RESPONSE;
829
830 // At this point, every documented status has been checked.
831 return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS;
832 }
833
834 }
835
836 int HttpAuthGSSAPI::GetNextSecurityToken(const std::string& spn,
837 gss_buffer_t in_token,
838 gss_buffer_t out_token) {
839 // Create a name for the principal
840 // TODO(cbentzel): Just do this on the first pass?
841 std::string spn_principal = spn;
842 gss_buffer_desc spn_buffer = GSS_C_EMPTY_BUFFER;
843 spn_buffer.value = const_cast<char*>(spn_principal.c_str());
844 spn_buffer.length = spn_principal.size() + 1;
845 OM_uint32 minor_status = 0;
846 gss_name_t principal_name = GSS_C_NO_NAME;
847 OM_uint32 major_status = library_->import_name(
848 &minor_status,
849 &spn_buffer,
850 GSS_C_NT_HOSTBASED_SERVICE,
851 &principal_name);
852 int rv = MapImportNameStatusToError(major_status);
853 if (rv != OK) {
854 LOG(ERROR) << "Problem importing name from "
855 << "spn \"" << spn_principal << "\"\n"
856 << DisplayExtendedStatus(library_, major_status, minor_status);
857 return rv;
858 }
859 ScopedName scoped_name(principal_name, library_);
860
861 // Continue creating a security context.
862 OM_uint32 req_flags = 0;
863 if (can_delegate_)
864 req_flags |= GSS_C_DELEG_FLAG;
865 major_status = library_->init_sec_context(
866 &minor_status,
867 GSS_C_NO_CREDENTIAL,
868 scoped_sec_context_.receive(),
869 principal_name,
870 gss_oid_,
871 req_flags,
872 GSS_C_INDEFINITE,
873 GSS_C_NO_CHANNEL_BINDINGS,
874 in_token,
875 NULL, // actual_mech_type
876 out_token,
877 NULL, // ret flags
878 NULL);
879 rv = MapInitSecContextStatusToError(major_status);
880 if (rv != OK) {
881 LOG(ERROR) << "Problem initializing context. \n"
882 << DisplayExtendedStatus(library_, major_status, minor_status)
883 << '\n'
884 << DescribeContext(library_, scoped_sec_context_.get());
885 }
886 return rv;
887 }
888
889 } // namespace net