| blob | c81e69d05938fd0d01f53c0f5ac35364b3b79a1b |
1 /* vim:set ts=4 sw=4 sts=4 et cindent: */
2 /* ***** BEGIN LICENSE BLOCK *****
3 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
4 *
5 * The contents of this file are subject to the Mozilla Public License Version
6 * 1.1 (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 * http://www.mozilla.org/MPL/
9 *
10 * Software distributed under the License is distributed on an "AS IS" basis,
11 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
12 * for the specific language governing rights and limitations under the
13 * License.
14 *
15 * The Original Code is the Negotiateauth
16 *
17 * The Initial Developer of the Original Code is Daniel Kouril.
18 * Portions created by the Initial Developer are Copyright (C) 2003
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Daniel Kouril <kouril@ics.muni.cz> (original author)
23 * Wyllys Ingersoll <wyllys.ingersoll@sun.com>
24 * Christopher Nebergall <cneberg@sandia.gov>
25 * Darin Fisher <darin@meer.net>
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either the GNU General Public License Version 2 or later (the "GPL"), or
29 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 //
42 // HTTP Negotiate Authentication Support Module
43 //
44 // Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
45 // (formerly draft-brezak-spnego-http-04.txt)
46 //
47 // Also described here:
48 // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
49 //
51 #include <string.h>
52 #include <stdlib.h>
74 //-----------------------------------------------------------------------------
82 #define kNegotiateLen (sizeof(kNegotiate)-1)
84 //-----------------------------------------------------------------------------
86 NS_IMETHODIMP
88 {
89 //
90 // Negotiate Auth creds should not be reused across multiple requests.
91 // Only perform the negotiation when it is explicitly requested by the
92 // server. Thus, do *NOT* use the "REUSABLE_CREDENTIALS" flag here.
93 //
94 // CONNECTION_BASED is specified instead of REQUEST_BASED since we need
95 // to complete a sequence of transactions with the server over the same
96 // connection.
97 //
100 }
102 //
103 // Always set *identityInvalid == FALSE here. This
104 // will prevent the browser from popping up the authentication
105 // prompt window. Because GSSAPI does not have an API
106 // for fetching initial credentials (ex: A Kerberos TGT),
107 // there is no correct way to get the users credentials.
108 //
109 NS_IMETHODIMP
112 PRBool isProxyAuth,
116 {
123 nsresult rv;
131 nsCAutoString service;
137 }
148 }
154 }
160 }
165 }
169 //
170 // The correct service name for IIS servers is "HTTP/f.q.d.n", so
171 // construct the proper service name for passing to "gss_import_name".
172 //
173 // TODO: Possibly make this a configurable service name for use
174 // with non-standard servers that use stuff like "khttp/f.q.d.n"
175 // instead.
176 //
183 }
187 }
194 }
201 }
205 }
209 //
210 // GenerateCredentials
211 //
212 // This routine is responsible for creating the correct authentication
213 // blob to pass to the server that requested "Negotiate" authentication.
214 //
215 NS_IMETHODIMP
218 PRBool isProxyAuth,
225 {
226 // ChallengeReceived must have been called previously.
234 #ifdef DEBUG
235 PRBool isGssapiAuth =
238 #endif
240 //
241 // If the "Negotiate:" header had some data associated with it,
242 // that data should be used as the input to this call. This may
243 // be a continuation of an earlier call because GSSAPI authentication
244 // often takes multiple round-trips to complete depending on the
245 // context flags given. We want to use MUTUAL_AUTHENTICATION which
246 // generally *does* require multiple round-trips. Don't assume
247 // auth can be completed in just 1 call.
248 //
257 challenge++;
265 // strip off any padding (see bug 230351)
267 len--;
269 //
270 // Decode the response that followed the "Negotiate" token
271 //
275 }
276 }
278 //
279 // Initializing, don't use an input token.
280 //
283 }
295 }
297 //
298 // base64 encode the output token.
299 //
309 // allocate a buffer sizeof("Negotiate" + " " + b64output_token + "\0")
313 else
318 }
320 PRBool
322 {
327 PRBool val;
333 }
335 PRBool
337 {
343 PRInt32 port;
356 // pseudo-BNF
357 // ----------
358 //
359 // url-list base-url ( base-url "," LWS )*
360 // base-url ( scheme-part | host-part | scheme-part host-part )
361 // scheme-part scheme "://"
362 // host-part host [":" port]
363 //
364 // for example:
365 // "https://, http://office.foo.com"
366 //
370 // skip past any whitespace
383 }
387 }
389 PRBool
392 PRInt32 matchPort,
395 {
396 // check if scheme://host:port matches baseURI
398 // parse the base URI
401 // the given scheme must match the parsed scheme exactly
405 }
406 else
409 // XXX this does not work for IPv6-literals
412 // the given port must match the parsed port exactly
416 }
417 else
421 // if we didn't parse out a host, then assume we got a match.
427 // matchHost must either equal host or be a subdomain of host
433 // if matchHost ends with host from the base URI, then make sure it is
434 // either an exact match, or prefixed with a dot. we don't want
435 // "foobar.com" to match "bar.com"
440 }
443 }