1 /* vim:set ts=4 sw=4 et cindent: */
2 /* ***** BEGIN LICENSE BLOCK *****
3 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
5 * The contents of this file are subject to the Mozilla Public License Version
6 * 1.1 (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 * http://www.mozilla.org/MPL/
10 * Software distributed under the License is distributed on an "AS IS" basis,
11 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
12 * for the specific language governing rights and limitations under the
13 * License.
15 * The Original Code is saslgssapi
17 * The Initial Developer of the Original Code is Simon Wilkinson
18 * Portions created by the Initial Developer are Copyright (C) 2005
19 * the Initial Developer. All Rights Reserved.
21 * Contributor(s):
22 * Simon Wilkinson <simon@sxw.org.uk>
24 * Alternatively, the contents of this file may be used under the terms of
25 * either the GNU General Public License Version 2 or later (the "GPL"), or
26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 * in which case the provisions of the GPL or the LGPL are applicable instead
28 * of those above. If you wish to allow use of your version of this file only
29 * under the terms of either the GPL or the LGPL, and not to allow others to
30 * use your version of this file under the terms of the MPL, indicate your
31 * decision by deleting the provisions above and replace them with the notice
32 * and other provisions required by the GPL or the LGPL. If you do not delete
33 * the provisions above, a recipient may use your version of this file under
34 * the terms of any one of the MPL, the GPL or the LGPL.
36 * ***** END LICENSE BLOCK ***** */
38 #include "nsComponentManagerUtils.h"
39 #include "nsNativeCharsetUtils.h"
40 #include "nsIServiceManager.h"
41 #include "nsIPrefService.h"
43 #include "nsAuthSASL.h"
// Name of the boolean preference read in nsAuthSASL::Init(): when it is set,
// the "kerb-sspi" auth module is used instead of "kerb-gss".
static const char kNegotiateAuthSSPI[] = "network.auth.use-sspi";
/**
 * Construct the module with the SASL negotiation step disarmed:
 * GetNextToken() forwards to the inner module until mSASLReady is set.
 */
nsAuthSASL::nsAuthSASL()
    : mSASLReady(false)
{
}
/**
 * Disarm the SASL negotiation step so the next GetNextToken() call is
 * forwarded to the inner module again.
 *
 * Only the mSASLReady flag is cleared here; mInnerModule and mUsername are
 * left untouched.
 */
void nsAuthSASL::Reset()
{
    mSASLReady = false;
}
/* The thread-safe nsISupports implementation is used here, but the class's
 * own thread safety is limited; the restrictions are described in the
 * header file. */
NS_IMPL_THREADSAFE_ISUPPORTS1(nsAuthSASL, nsIAuthModule)
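/**
 * Prepare a SASL exchange that is carried by an inner Kerberos auth module.
 *
 * @param serviceName   forwarded unchanged to the inner module's Init().
 * @param serviceFlags  forwarded with REQ_MUTUAL_AUTH forced on.
 * @param domain        expected to be null (checked by a debug assertion only).
 * @param username      stored in mUsername; GetNextToken() later places it
 *                      after the four header bytes of the final SASL message.
 * @param password      expected to be null (checked by a debug assertion only).
 *
 * @return NS_OK on success; otherwise the failure code from creating the
 *         inner module or from the inner module's own Init().
 */
NS_IMETHODIMP
nsAuthSASL::Init(const char *serviceName,
                 PRUint32 serviceFlags,
                 const PRUnichar *domain,
                 const PRUnichar *username,
                 const PRUnichar *password)
{
    nsresult rv;

    // NOTE(review): these are debug-only checks; a release build proceeds
    // with whatever the caller passed. Confirm callers never pass a null
    // username.
    NS_ASSERTION(username, "SASL requires a username");
    NS_ASSERTION(!domain && !password, "unexpected credentials");

    mUsername = username;

    // If we're doing SASL, we should do mutual auth
    serviceFlags |= REQ_MUTUAL_AUTH;

    // Find out whether we should be trying SSPI or not. The GSSAPI module is
    // the default; the preference switches to the SSPI module.
    const char *contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "kerb-gss";

    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
    if (prefs) {
        PRBool val;
        rv = prefs->GetBoolPref(kNegotiateAuthSSPI, &val);
        if (NS_SUCCEEDED(rv) && val)
            contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "kerb-sspi";
    }

    mInnerModule = do_CreateInstance(contractID, &rv);
    // if we can't create the GSSAPI module, then bail
    NS_ENSURE_SUCCESS(rv, rv);

    // Propagate an inner Init() failure instead of reporting success, and
    // drop the module so that GetNextToken() answers NS_ERROR_NOT_INITIALIZED
    // rather than driving a module that never initialised.
    rv = mInnerModule->Init(serviceName, serviceFlags, nsnull, nsnull, nsnull);
    if (NS_FAILED(rv)) {
        mInnerModule = nsnull;
        return rv;
    }

    return NS_OK;
}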
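/**
 * Produce the next token of the exchange.
 *
 * While mSASLReady is false the call is forwarded to the inner module; when
 * the inner module reports NS_SUCCESS_AUTH_FINISHED the flag is set and NS_OK
 * is returned so that the caller comes back for the SASL step. With the flag
 * set, the server token is unwrapped (which checks its signature), and a
 * reply of four header bytes followed by the user name is wrapped and
 * returned.
 *
 * @param inToken      token received from the server.
 * @param inTokenLen   length of inToken in bytes.
 * @param outToken     receives the token to send; set to NULL for the
 *                     empty-token case below.
 * @param outTokenLen  receives the length of *outToken.
 *
 * @return NS_ERROR_NOT_INITIALIZED if Init() has not provided an inner
 *         module; NS_SUCCESS_AUTH_FINISHED once the SASL reply was wrapped;
 *         NS_OK when another round is expected; otherwise the failure code
 *         of the step that failed.
 */
NS_IMETHODIMP
nsAuthSASL::GetNextToken(const void *inToken,
                         PRUint32 inTokenLen,
                         void **outToken,
                         PRUint32 *outTokenLen)
{
    nsresult rv;
    void *unwrappedToken;
    char *message;
    PRUint32 unwrappedTokenLen, messageLen;
    nsCAutoString userbuf;

    if (!mInnerModule)
        return NS_ERROR_NOT_INITIALIZED;

    if (mSASLReady) {
        // If the server COMPLETEs with an empty token, Cyrus sends us that token.
        // I don't think this is correct, but we need to handle that behaviour.
        // Cyrus ignores the contents of our reply token.
        if (inTokenLen == 0) {
            *outToken = NULL;
            *outTokenLen = 0;
            return NS_OK;
        }

        // We've completed the GSSAPI portion of the handshake, and are
        // now ready to do the SASL security layer and authzid negotiation

        // Input packet from the server needs to be unwrapped.
        rv = mInnerModule->Unwrap(inToken, inTokenLen, &unwrappedToken,
                                  &unwrappedTokenLen);
        if (NS_FAILED(rv)) {
            Reset();
            return rv;
        }

        // If we were doing security layers then we'd care what the
        // server had sent us. We're not, so all we had to do was make
        // sure that the signature was correct with the above unwrap()
        // NOTE(review): unwrappedTokenLen and the unwrapped bytes are never
        // inspected, so the reply below claims "no security layer" whatever
        // the server offered - confirm that is acceptable for every caller.
        nsMemory::Free(unwrappedToken);

        // Fail rather than wrap a user name that was not fully converted.
        rv = NS_CopyUnicodeToNative(mUsername, userbuf);
        if (NS_FAILED(rv)) {
            Reset();
            return rv;
        }

        messageLen = userbuf.Length() + 4 + 1;
        message = static_cast<char *>(nsMemory::Alloc(messageLen));
        if (!message) {
            Reset();
            return NS_ERROR_OUT_OF_MEMORY;
        }
        message[0] = 0x01; // No security layer
        message[1] = 0x00;
        message[2] = 0x00;
        message[3] = 0x00; // Maxbuf must be zero if we've got no sec layer

        // Copy exactly Length() bytes. strcpy() would stop at the first NUL,
        // which would leave the tail of the buffer uninitialised while Wrap()
        // still reads messageLen-1 bytes of it.
        memcpy(message + 4, userbuf.get(), userbuf.Length());
        message[messageLen - 1] = '\0';

        // Userbuf should not be NULL terminated, so trim the trailing NULL
        // when wrapping the message
        rv = mInnerModule->Wrap(message, messageLen - 1, PR_FALSE,
                                outToken, outTokenLen);
        nsMemory::Free(message);
        Reset(); // All done
        return NS_SUCCEEDED(rv) ? NS_SUCCESS_AUTH_FINISHED : rv;
    }

    rv = mInnerModule->GetNextToken(inToken, inTokenLen, outToken,
                                    outTokenLen);
    if (rv == NS_SUCCESS_AUTH_FINISHED) {
        // The inner handshake is done; one more round is needed for the SASL
        // step, so report NS_OK instead of "finished".
        mSASLReady = true;
        rv = NS_OK;
    }
    return rv;
}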
/**
 * Not provided by this module: every call fails with
 * NS_ERROR_NOT_IMPLEMENTED and none of the arguments is read or written.
 */
NS_IMETHODIMP
nsAuthSASL::Unwrap(const void *inToken,
                   PRUint32 inTokenLen,
                   void **outToken,
                   PRUint32 *outTokenLen)
{
    return NS_ERROR_NOT_IMPLEMENTED;
}
/**
 * Not provided by this module: every call fails with
 * NS_ERROR_NOT_IMPLEMENTED and none of the arguments is read or written.
 */
NS_IMETHODIMP
nsAuthSASL::Wrap(const void *inToken,
                 PRUint32 inTokenLen,
                 PRBool confidential,
                 void **outToken,
                 PRUint32 *outTokenLen)
{
    return NS_ERROR_NOT_IMPLEMENTED;
}