search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 496271, automation config for Tb2.0.0.22 build1, p=joduinn, r=me
[mozilla-1.9.git] / extensions / auth / nsAuthGSSAPI.cpp
blob07b6fe593d2db1946ca5ff029ea21ab21aff8549
1 /* vim:set ts=4 sw=4 sts=4 et cindent: */
2 /* ***** BEGIN LICENSE BLOCK *****
3 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
4 *
5 * The contents of this file are subject to the Mozilla Public License Version
6 * 1.1 (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 * http://www.mozilla.org/MPL/
9 *
10 * Software distributed under the License is distributed on an "AS IS" basis,
11 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
12 * for the specific language governing rights and limitations under the
13 * License.
14 *
15 * The Original Code is the Negotiateauth
16 *
17 * The Initial Developer of the Original Code is Daniel Kouril.
18 * Portions created by the Initial Developer are Copyright (C) 2003
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Daniel Kouril <kouril@ics.muni.cz> (original author)
23 * Wyllys Ingersoll <wyllys.ingersoll@sun.com>
24 * Christopher Nebergall <cneberg@sandia.gov>
25 * Darin Fisher <darin@meer.net>
26 * Mark Mentovai <mark@moxienet.com>
27 *
28 * Alternatively, the contents of this file may be used under the terms of
29 * either the GNU General Public License Version 2 or later (the "GPL"), or
30 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
31 * in which case the provisions of the GPL or the LGPL are applicable instead
32 * of those above. If you wish to allow use of your version of this file only
33 * under the terms of either the GPL or the LGPL, and not to allow others to
34 * use your version of this file under the terms of the MPL, indicate your
35 * decision by deleting the provisions above and replace them with the notice
36 * and other provisions required by the GPL or the LGPL. If you do not delete
37 * the provisions above, a recipient may use your version of this file under
38 * the terms of any one of the MPL, the GPL or the LGPL.
39 *
40 * ***** END LICENSE BLOCK ***** */
41
42 //
43 // GSSAPI Authentication Support Module
44 //
45 // Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
46 // (formerly draft-brezak-spnego-http-04.txt)
47 //
48 // Also described here:
49 // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
50 //
51 //
52
53 #include "prlink.h"
54 #include "nsCOMPtr.h"
55 #include "nsIPrefService.h"
56 #include "nsIPrefBranch.h"
57 #include "nsIServiceManager.h"
58 #include "nsNativeCharsetUtils.h"
59
60 #include "nsAuthGSSAPI.h"
61
62 #ifdef XP_MACOSX
63 #include <Kerberos/Kerberos.h>
64 #endif
65
66 #ifdef XP_MACOSX
67 typedef KLStatus (*KLCacheHasValidTickets_type)(
68 KLPrincipal,
69 KLKerberosVersion,
70 KLBoolean *,
71 KLPrincipal *,
72 char **);
73 #endif
74
75 //-----------------------------------------------------------------------------
76
77 // We define GSS_C_NT_HOSTBASED_SERVICE explicitly since it may be referenced
78 // by by a different name depending on the implementation of gss but always
79 // has the same value
80
81 static gss_OID_desc gss_c_nt_hostbased_service =
82 { 10, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04" };
83
84 static const char kNegotiateAuthGssLib[] =
85 "network.negotiate-auth.gsslib";
86 static const char kNegotiateAuthNativeImp[] =
87 "network.negotiate-auth.using-native-gsslib";
88
89 static const char *gssFuncStr[] = {
90 "gss_display_status",
91 "gss_init_sec_context",
92 "gss_indicate_mechs",
93 "gss_release_oid_set",
94 "gss_delete_sec_context",
95 "gss_import_name",
96 "gss_release_buffer",
97 "gss_release_name",
98 "gss_wrap",
99 "gss_unwrap"
100 };
101
102 #define gssFuncItems NS_ARRAY_LENGTH(gssFuncStr)
103
104 static PRFuncPtr gssFunPtr[gssFuncItems];
105 static PRBool gssNativeImp = PR_TRUE;
106 static PRLibrary* gssLibrary = nsnull;
107
108 #define gss_display_status_ptr ((gss_display_status_type)*gssFunPtr[0])
109 #define gss_init_sec_context_ptr ((gss_init_sec_context_type)*gssFunPtr[1])
110 #define gss_indicate_mechs_ptr ((gss_indicate_mechs_type)*gssFunPtr[2])
111 #define gss_release_oid_set_ptr ((gss_release_oid_set_type)*gssFunPtr[3])
112 #define gss_delete_sec_context_ptr ((gss_delete_sec_context_type)*gssFunPtr[4])
113 #define gss_import_name_ptr ((gss_import_name_type)*gssFunPtr[5])
114 #define gss_release_buffer_ptr ((gss_release_buffer_type)*gssFunPtr[6])
115 #define gss_release_name_ptr ((gss_release_name_type)*gssFunPtr[7])
116 #define gss_wrap_ptr ((gss_wrap_type)*gssFunPtr[8])
117 #define gss_unwrap_ptr ((gss_unwrap_type)*gssFunPtr[9])
118
119 #ifdef XP_MACOSX
120 static PRFuncPtr KLCacheHasValidTicketsPtr;
121 #define KLCacheHasValidTickets_ptr \
122 ((KLCacheHasValidTickets_type)*KLCacheHasValidTicketsPtr)
123 #endif
124
125 static nsresult
126 gssInit()
127 {
128 nsXPIDLCString libPath;
129 nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
130 if (prefs) {
131 prefs->GetCharPref(kNegotiateAuthGssLib, getter_Copies(libPath));
132 prefs->GetBoolPref(kNegotiateAuthNativeImp, &gssNativeImp);
133 }
134
135 PRLibrary *lib = NULL;
136
137 if (!libPath.IsEmpty()) {
138 LOG(("Attempting to load user specified library [%s]\n", libPath.get()));
139 gssNativeImp = PR_FALSE;
140 lib = PR_LoadLibrary(libPath.get());
141 }
142 else {
143 #ifdef XP_WIN
144 char *libName = PR_GetLibraryName(NULL, "gssapi32");
145 if (libName) {
146 lib = PR_LoadLibrary("gssapi32");
147 PR_FreeLibraryName(libName);
148 }
149 #else
150
151 const char *const libNames[] = {
152 "gss",
153 "gssapi_krb5",
154 "gssapi"
155 };
156
157 const char *const verLibNames[] = {
158 "libgssapi_krb5.so.2", /* MIT - FC, Suse10, Debian */
159 "libgssapi.so.4", /* Heimdal - Suse10, MDK */
160 "libgssapi.so.1" /* Heimdal - Suse9, CITI - FC, MDK, Suse10*/
161 };
162
163 for (size_t i = 0; i < NS_ARRAY_LENGTH(verLibNames) && !lib; ++i) {
164 lib = PR_LoadLibrary(verLibNames[i]);
165
166 /* The CITI libgssapi library calls exit() during
167 * initialization if it's not correctly configured. Try to
168 * ensure that we never use this library for our GSSAPI
169 * support, as its just a wrapper library, anyway.
170 * See Bugzilla #325433
171 */
172 if (lib &&
173 PR_FindFunctionSymbol(lib,
174 "internal_krb5_gss_initialize") &&
175 PR_FindFunctionSymbol(lib, "gssd_pname_to_uid")) {
176 LOG(("CITI libgssapi found, which calls exit(). Skipping\n"));
177 PR_UnloadLibrary(lib);
178 lib = NULL;
179 }
180 }
181
182 for (size_t i = 0; i < NS_ARRAY_LENGTH(libNames) && !lib; ++i) {
183 char *libName = PR_GetLibraryName(NULL, libNames[i]);
184 if (libName) {
185 lib = PR_LoadLibrary(libName);
186 PR_FreeLibraryName(libName);
187
188 if (lib &&
189 PR_FindFunctionSymbol(lib,
190 "internal_krb5_gss_initialize") &&
191 PR_FindFunctionSymbol(lib, "gssd_pname_to_uid")) {
192 LOG(("CITI libgssapi found, which calls exit(). Skipping\n"));
193 PR_UnloadLibrary(lib);
194 lib = NULL;
195 }
196 }
197 }
198 #endif
199 }
200
201 if (!lib) {
202 LOG(("Fail to load gssapi library\n"));
203 return NS_ERROR_FAILURE;
204 }
205
206 LOG(("Attempting to load gss functions\n"));
207
208 for (size_t i = 0; i < gssFuncItems; ++i) {
209 gssFunPtr[i] = PR_FindFunctionSymbol(lib, gssFuncStr[i]);
210 if (!gssFunPtr[i]) {
211 LOG(("Fail to load %s function from gssapi library\n", gssFuncStr[i]));
212 PR_UnloadLibrary(lib);
213 return NS_ERROR_FAILURE;
214 }
215 }
216 #ifdef XP_MACOSX
217 if (gssNativeImp &&
218 !(KLCacheHasValidTicketsPtr =
219 PR_FindFunctionSymbol(lib, "KLCacheHasValidTickets"))) {
220 LOG(("Fail to load KLCacheHasValidTickets function from gssapi library\n"));
221 PR_UnloadLibrary(lib);
222 return NS_ERROR_FAILURE;
223 }
224 #endif
225
226 gssLibrary = lib;
227 return NS_OK;
228 }
229
230 #if defined( PR_LOGGING )
231
232 // Generate proper GSSAPI error messages from the major and
233 // minor status codes.
234 void
235 LogGssError(OM_uint32 maj_stat, OM_uint32 min_stat, const char *prefix)
236 {
237 OM_uint32 new_stat;
238 OM_uint32 msg_ctx = 0;
239 gss_buffer_desc status1_string;
240 gss_buffer_desc status2_string;
241 OM_uint32 ret;
242 nsCAutoString errorStr;
243 errorStr.Assign(prefix);
244
245 if (!gssLibrary)
246 return;
247
248 errorStr += ": ";
249 do {
250 ret = gss_display_status_ptr(&new_stat,
251 maj_stat,
252 GSS_C_GSS_CODE,
253 GSS_C_NULL_OID,
254 &msg_ctx,
255 &status1_string);
256 errorStr.Append((const char *) status1_string.value, status1_string.length);
257 gss_release_buffer_ptr(&new_stat, &status1_string);
258
259 errorStr += '\n';
260 ret = gss_display_status_ptr(&new_stat,
261 min_stat,
262 GSS_C_MECH_CODE,
263 GSS_C_NULL_OID,
264 &msg_ctx,
265 &status2_string);
266 errorStr.Append((const char *) status2_string.value, status2_string.length);
267 errorStr += '\n';
268 } while (!GSS_ERROR(ret) && msg_ctx != 0);
269
270 LOG(("%s\n", errorStr.get()));
271 }
272
273 #else /* PR_LOGGING */
274
275 #define LogGssError(x,y,z)
276
277 #endif /* PR_LOGGING */
278
279 //-----------------------------------------------------------------------------
280
281 nsAuthGSSAPI::nsAuthGSSAPI(pType package)
282 : mServiceFlags(REQ_DEFAULT)
283 {
284 OM_uint32 minstat;
285 OM_uint32 majstat;
286 gss_OID_set mech_set;
287 gss_OID item;
288
289 unsigned int i;
290 static gss_OID_desc gss_krb5_mech_oid_desc =
291 { 9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
292 static gss_OID_desc gss_spnego_mech_oid_desc =
293 { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
294
295 LOG(("entering nsAuthGSSAPI::nsAuthGSSAPI()\n"));
296
297 mComplete = PR_FALSE;
298
299 if (!gssLibrary && NS_FAILED(gssInit()))
300 return;
301
302 mCtx = GSS_C_NO_CONTEXT;
303 mMechOID = &gss_krb5_mech_oid_desc;
304
305 // if the type is kerberos we accept it as default
306 // and exit
307
308 if (package == PACKAGE_TYPE_KERBEROS)
309 return;
310
311 // Now, look at the list of supported mechanisms,
312 // if SPNEGO is found, then use it.
313 // Otherwise, set the desired mechanism to
314 // GSS_C_NO_OID and let the system try to use
315 // the default mechanism.
316 //
317 // Using Kerberos directly (instead of negotiating
318 // with SPNEGO) may work in some cases depending
319 // on how smart the server side is.
320
321 majstat = gss_indicate_mechs_ptr(&minstat, &mech_set);
322 if (GSS_ERROR(majstat))
323 return;
324
325 if (mech_set) {
326 for (i=0; i<mech_set->count; i++) {
327 item = &mech_set->elements[i];
328 if (item->length == gss_spnego_mech_oid_desc.length &&
329 !memcmp(item->elements, gss_spnego_mech_oid_desc.elements,
330 item->length)) {
331 // ok, we found it
332 mMechOID = &gss_spnego_mech_oid_desc;
333 break;
334 }
335 }
336 gss_release_oid_set_ptr(&minstat, &mech_set);
337 }
338 }
339
340 void
341 nsAuthGSSAPI::Reset()
342 {
343 if (gssLibrary && mCtx != GSS_C_NO_CONTEXT) {
344 OM_uint32 minor_status;
345 gss_delete_sec_context_ptr(&minor_status, &mCtx, GSS_C_NO_BUFFER);
346 }
347 mCtx = GSS_C_NO_CONTEXT;
348 mComplete = PR_FALSE;
349 }
350
351 /* static */ void
352 nsAuthGSSAPI::Shutdown()
353 {
354 if (gssLibrary) {
355 PR_UnloadLibrary(gssLibrary);
356 gssLibrary = nsnull;
357 }
358 }
359
360 /* Limitations apply to this class's thread safety. See the header file */
361 NS_IMPL_THREADSAFE_ISUPPORTS1(nsAuthGSSAPI, nsIAuthModule)
362
363 NS_IMETHODIMP
364 nsAuthGSSAPI::Init(const char *serviceName,
365 PRUint32 serviceFlags,
366 const PRUnichar *domain,
367 const PRUnichar *username,
368 const PRUnichar *password)
369 {
370 // we don't expect to be passed any user credentials
371 NS_ASSERTION(!domain && !username && !password, "unexpected credentials");
372
373 // it's critial that the caller supply a service name to be used
374 NS_ENSURE_TRUE(serviceName && *serviceName, NS_ERROR_INVALID_ARG);
375
376 LOG(("entering nsAuthGSSAPI::Init()\n"));
377
378 if (!gssLibrary)
379 return NS_ERROR_NOT_INITIALIZED;
380
381 mServiceName = serviceName;
382 mServiceFlags = serviceFlags;
383 return NS_OK;
384 }
385
386 NS_IMETHODIMP
387 nsAuthGSSAPI::GetNextToken(const void *inToken,
388 PRUint32 inTokenLen,
389 void **outToken,
390 PRUint32 *outTokenLen)
391 {
392 OM_uint32 major_status, minor_status;
393 OM_uint32 req_flags = 0;
394 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
395 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
396 gss_buffer_t in_token_ptr = GSS_C_NO_BUFFER;
397 gss_name_t server;
398 nsCAutoString userbuf;
399 nsresult rv;
400
401 LOG(("entering nsAuthGSSAPI::GetNextToken()\n"));
402
403 if (!gssLibrary)
404 return NS_ERROR_NOT_INITIALIZED;
405
406 // If they've called us again after we're complete, reset to start afresh.
407 if (mComplete)
408 Reset();
409
410 if (mServiceFlags & REQ_DELEGATE)
411 req_flags |= GSS_C_DELEG_FLAG;
412
413 if (mServiceFlags & REQ_MUTUAL_AUTH)
414 req_flags |= GSS_C_MUTUAL_FLAG;
415
416 input_token.value = (void *)mServiceName.get();
417 input_token.length = mServiceName.Length() + 1;
418
419 major_status = gss_import_name_ptr(&minor_status,
420 &input_token,
421 &gss_c_nt_hostbased_service,
422 &server);
423 input_token.value = NULL;
424 input_token.length = 0;
425 if (GSS_ERROR(major_status)) {
426 LogGssError(major_status, minor_status, "gss_import_name() failed");
427 return NS_ERROR_FAILURE;
428 }
429
430 if (inToken) {
431 input_token.length = inTokenLen;
432 input_token.value = (void *) inToken;
433 in_token_ptr = &input_token;
434 }
435 else if (mCtx != GSS_C_NO_CONTEXT) {
436 // If there is no input token, then we are starting a new
437 // authentication sequence. If we have already initialized our
438 // security context, then we're in trouble because it means that the
439 // first sequence failed. We need to bail or else we might end up in
440 // an infinite loop.
441 LOG(("Cannot restart authentication sequence!"));
442 return NS_ERROR_UNEXPECTED;
443 }
444
445 #if defined(XP_MACOSX)
446 // Suppress Kerberos prompts to get credentials. See bug 240643.
447 // We can only use Mac OS X specific kerb functions if we are using
448 // the native lib
449 KLBoolean found;
450 PRBool doingMailTask = mServiceName.Find("imap@") ||
451 mServiceName.Find("pop@") ||
452 mServiceName.Find("smtp@") ||
453 mServiceName.Find("ldap@");
454
455 if (!doingMailTask && (gssNativeImp &&
456 (KLCacheHasValidTickets_ptr(NULL, kerberosVersion_V5, &found, NULL, NULL) != klNoErr || !found)))
457 {
458 major_status = GSS_S_FAILURE;
459 minor_status = 0;
460 }
461 else
462 #endif /* XP_MACOSX */
463 major_status = gss_init_sec_context_ptr(&minor_status,
464 GSS_C_NO_CREDENTIAL,
465 &mCtx,
466 server,
467 mMechOID,
468 req_flags,
469 GSS_C_INDEFINITE,
470 GSS_C_NO_CHANNEL_BINDINGS,
471 in_token_ptr,
472 nsnull,
473 &output_token,
474 nsnull,
475 nsnull);
476
477 if (GSS_ERROR(major_status)) {
478 LogGssError(major_status, minor_status, "gss_init_sec_context() failed");
479 Reset();
480 rv = NS_ERROR_FAILURE;
481 goto end;
482 }
483 if (major_status == GSS_S_COMPLETE) {
484 // Mark ourselves as being complete, so that if we're called again
485 // we know to start afresh.
486 mComplete = PR_TRUE;
487 }
488 else if (major_status == GSS_S_CONTINUE_NEEDED) {
489 //
490 // The important thing is that we do NOT reset the
491 // context here because it will be needed on the
492 // next call.
493 //
494 }
495
496 *outTokenLen = output_token.length;
497 if (output_token.length != 0)
498 *outToken = nsMemory::Clone(output_token.value, output_token.length);
499 else
500 *outToken = NULL;
501
502 gss_release_buffer_ptr(&minor_status, &output_token);
503
504 if (major_status == GSS_S_COMPLETE)
505 rv = NS_SUCCESS_AUTH_FINISHED;
506 else
507 rv = NS_OK;
508
509 end:
510 gss_release_name_ptr(&minor_status, &server);
511
512 LOG((" leaving nsAuthGSSAPI::GetNextToken [rv=%x]", rv));
513 return rv;
514 }
515
516 NS_IMETHODIMP
517 nsAuthGSSAPI::Unwrap(const void *inToken,
518 PRUint32 inTokenLen,
519 void **outToken,
520 PRUint32 *outTokenLen)
521 {
522 OM_uint32 major_status, minor_status;
523
524 gss_buffer_desc input_token;
525 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
526
527 input_token.value = (void *) inToken;
528 input_token.length = inTokenLen;
529
530 major_status = gss_unwrap_ptr(&minor_status,
531 mCtx,
532 &input_token,
533 &output_token,
534 NULL,
535 NULL);
536 if (GSS_ERROR(major_status)) {
537 LogGssError(major_status, minor_status, "gss_unwrap() failed");
538 Reset();
539 gss_release_buffer_ptr(&minor_status, &output_token);
540 return NS_ERROR_FAILURE;
541 }
542
543 *outTokenLen = output_token.length;
544
545 if (output_token.length)
546 *outToken = nsMemory::Clone(output_token.value, output_token.length);
547 else
548 *outToken = NULL;
549
550 gss_release_buffer_ptr(&minor_status, &output_token);
551
552 return NS_OK;
553 }
554
555 NS_IMETHODIMP
556 nsAuthGSSAPI::Wrap(const void *inToken,
557 PRUint32 inTokenLen,
558 PRBool confidential,
559 void **outToken,
560 PRUint32 *outTokenLen)
561 {
562 OM_uint32 major_status, minor_status;
563
564 gss_buffer_desc input_token;
565 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
566
567 input_token.value = (void *) inToken;
568 input_token.length = inTokenLen;
569
570 major_status = gss_wrap_ptr(&minor_status,
571 mCtx,
572 confidential,
573 GSS_C_QOP_DEFAULT,
574 &input_token,
575 NULL,
576 &output_token);
577
578 if (GSS_ERROR(major_status)) {
579 LogGssError(major_status, minor_status, "gss_wrap() failed");
580 Reset();
581 gss_release_buffer_ptr(&minor_status, &output_token);
582 return NS_ERROR_FAILURE;
583 }
584
585 *outTokenLen = output_token.length;
586
587 /* it is not possible for output_token.length to be zero */
588 *outToken = nsMemory::Clone(output_token.value, output_token.length);
589 gss_release_buffer_ptr(&minor_status, &output_token);
590
591 return NS_OK;
592 }
593
Mirror of Mozilla 1.9 mercurial repository