search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 572417 - Release mouse capture in flash subclass after mouse events get delivered...
[mozilla-central.git] / extensions / auth / nsAuthGSSAPI.cpp
blob7acbd7e76adb6032e8787518f4162a1c1c9f40ce
1 /* vim:set ts=4 sw=4 sts=4 et cindent: */
2 /* ***** BEGIN LICENSE BLOCK *****
3 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
4 *
5 * The contents of this file are subject to the Mozilla Public License Version
6 * 1.1 (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 * http://www.mozilla.org/MPL/
9 *
10 * Software distributed under the License is distributed on an "AS IS" basis,
11 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
12 * for the specific language governing rights and limitations under the
13 * License.
14 *
15 * The Original Code is the Negotiateauth
16 *
17 * The Initial Developer of the Original Code is Daniel Kouril.
18 * Portions created by the Initial Developer are Copyright (C) 2003
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Daniel Kouril <kouril@ics.muni.cz> (original author)
23 * Wyllys Ingersoll <wyllys.ingersoll@sun.com>
24 * Christopher Nebergall <cneberg@sandia.gov>
25 * Darin Fisher <darin@meer.net>
26 * Mark Mentovai <mark@moxienet.com>
27 *
28 * Alternatively, the contents of this file may be used under the terms of
29 * either the GNU General Public License Version 2 or later (the "GPL"), or
30 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
31 * in which case the provisions of the GPL or the LGPL are applicable instead
32 * of those above. If you wish to allow use of your version of this file only
33 * under the terms of either the GPL or the LGPL, and not to allow others to
34 * use your version of this file under the terms of the MPL, indicate your
35 * decision by deleting the provisions above and replace them with the notice
36 * and other provisions required by the GPL or the LGPL. If you do not delete
37 * the provisions above, a recipient may use your version of this file under
38 * the terms of any one of the MPL, the GPL or the LGPL.
39 *
40 * ***** END LICENSE BLOCK ***** */
41
42 //
43 // GSSAPI Authentication Support Module
44 //
45 // Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
46 // (formerly draft-brezak-spnego-http-04.txt)
47 //
48 // Also described here:
49 // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
50 //
51 //
52
53 #include "prlink.h"
54 #include "nsCOMPtr.h"
55 #include "nsIPrefService.h"
56 #include "nsIPrefBranch.h"
57 #include "nsIServiceManager.h"
58 #include "nsNativeCharsetUtils.h"
59
60 #include "nsAuthGSSAPI.h"
61
62 #ifdef XP_MACOSX
63 #include <Kerberos/Kerberos.h>
64 #endif
65
66 #ifdef XP_MACOSX
67 typedef KLStatus (*KLCacheHasValidTickets_type)(
68 KLPrincipal,
69 KLKerberosVersion,
70 KLBoolean *,
71 KLPrincipal *,
72 char **);
73 #endif
74
75 #if defined(HAVE_RES_NINIT)
76 #include <resolv.h>
77 #endif
78
79 //-----------------------------------------------------------------------------
80
81 // We define GSS_C_NT_HOSTBASED_SERVICE explicitly since it may be referenced
82 // by by a different name depending on the implementation of gss but always
83 // has the same value
84
85 static gss_OID_desc gss_c_nt_hostbased_service =
86 { 10, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04" };
87
88 static const char kNegotiateAuthGssLib[] =
89 "network.negotiate-auth.gsslib";
90 static const char kNegotiateAuthNativeImp[] =
91 "network.negotiate-auth.using-native-gsslib";
92
93 static const char *gssFuncStr[] = {
94 "gss_display_status",
95 "gss_init_sec_context",
96 "gss_indicate_mechs",
97 "gss_release_oid_set",
98 "gss_delete_sec_context",
99 "gss_import_name",
100 "gss_release_buffer",
101 "gss_release_name",
102 "gss_wrap",
103 "gss_unwrap"
104 };
105
106 #define gssFuncItems NS_ARRAY_LENGTH(gssFuncStr)
107
108 static PRFuncPtr gssFunPtr[gssFuncItems];
109 static PRBool gssNativeImp = PR_TRUE;
110 static PRLibrary* gssLibrary = nsnull;
111
112 #define gss_display_status_ptr ((gss_display_status_type)*gssFunPtr[0])
113 #define gss_init_sec_context_ptr ((gss_init_sec_context_type)*gssFunPtr[1])
114 #define gss_indicate_mechs_ptr ((gss_indicate_mechs_type)*gssFunPtr[2])
115 #define gss_release_oid_set_ptr ((gss_release_oid_set_type)*gssFunPtr[3])
116 #define gss_delete_sec_context_ptr ((gss_delete_sec_context_type)*gssFunPtr[4])
117 #define gss_import_name_ptr ((gss_import_name_type)*gssFunPtr[5])
118 #define gss_release_buffer_ptr ((gss_release_buffer_type)*gssFunPtr[6])
119 #define gss_release_name_ptr ((gss_release_name_type)*gssFunPtr[7])
120 #define gss_wrap_ptr ((gss_wrap_type)*gssFunPtr[8])
121 #define gss_unwrap_ptr ((gss_unwrap_type)*gssFunPtr[9])
122
123 #ifdef XP_MACOSX
124 static PRFuncPtr KLCacheHasValidTicketsPtr;
125 #define KLCacheHasValidTickets_ptr \
126 ((KLCacheHasValidTickets_type)*KLCacheHasValidTicketsPtr)
127 #endif
128
129 static nsresult
130 gssInit()
131 {
132 nsXPIDLCString libPath;
133 nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
134 if (prefs) {
135 prefs->GetCharPref(kNegotiateAuthGssLib, getter_Copies(libPath));
136 prefs->GetBoolPref(kNegotiateAuthNativeImp, &gssNativeImp);
137 }
138
139 PRLibrary *lib = NULL;
140
141 if (!libPath.IsEmpty()) {
142 LOG(("Attempting to load user specified library [%s]\n", libPath.get()));
143 gssNativeImp = PR_FALSE;
144 lib = PR_LoadLibrary(libPath.get());
145 }
146 else {
147 #ifdef XP_WIN
148 char *libName = PR_GetLibraryName(NULL, "gssapi32");
149 if (libName) {
150 lib = PR_LoadLibrary("gssapi32");
151 PR_FreeLibraryName(libName);
152 }
153 #else
154
155 const char *const libNames[] = {
156 "gss",
157 "gssapi_krb5",
158 "gssapi"
159 };
160
161 const char *const verLibNames[] = {
162 "libgssapi_krb5.so.2", /* MIT - FC, Suse10, Debian */
163 "libgssapi.so.4", /* Heimdal - Suse10, MDK */
164 "libgssapi.so.1" /* Heimdal - Suse9, CITI - FC, MDK, Suse10*/
165 };
166
167 for (size_t i = 0; i < NS_ARRAY_LENGTH(verLibNames) && !lib; ++i) {
168 lib = PR_LoadLibrary(verLibNames[i]);
169
170 /* The CITI libgssapi library calls exit() during
171 * initialization if it's not correctly configured. Try to
172 * ensure that we never use this library for our GSSAPI
173 * support, as its just a wrapper library, anyway.
174 * See Bugzilla #325433
175 */
176 if (lib &&
177 PR_FindFunctionSymbol(lib,
178 "internal_krb5_gss_initialize") &&
179 PR_FindFunctionSymbol(lib, "gssd_pname_to_uid")) {
180 LOG(("CITI libgssapi found, which calls exit(). Skipping\n"));
181 PR_UnloadLibrary(lib);
182 lib = NULL;
183 }
184 }
185
186 for (size_t i = 0; i < NS_ARRAY_LENGTH(libNames) && !lib; ++i) {
187 char *libName = PR_GetLibraryName(NULL, libNames[i]);
188 if (libName) {
189 lib = PR_LoadLibrary(libName);
190 PR_FreeLibraryName(libName);
191
192 if (lib &&
193 PR_FindFunctionSymbol(lib,
194 "internal_krb5_gss_initialize") &&
195 PR_FindFunctionSymbol(lib, "gssd_pname_to_uid")) {
196 LOG(("CITI libgssapi found, which calls exit(). Skipping\n"));
197 PR_UnloadLibrary(lib);
198 lib = NULL;
199 }
200 }
201 }
202 #endif
203 }
204
205 if (!lib) {
206 LOG(("Fail to load gssapi library\n"));
207 return NS_ERROR_FAILURE;
208 }
209
210 LOG(("Attempting to load gss functions\n"));
211
212 for (size_t i = 0; i < gssFuncItems; ++i) {
213 gssFunPtr[i] = PR_FindFunctionSymbol(lib, gssFuncStr[i]);
214 if (!gssFunPtr[i]) {
215 LOG(("Fail to load %s function from gssapi library\n", gssFuncStr[i]));
216 PR_UnloadLibrary(lib);
217 return NS_ERROR_FAILURE;
218 }
219 }
220 #ifdef XP_MACOSX
221 if (gssNativeImp &&
222 !(KLCacheHasValidTicketsPtr =
223 PR_FindFunctionSymbol(lib, "KLCacheHasValidTickets"))) {
224 LOG(("Fail to load KLCacheHasValidTickets function from gssapi library\n"));
225 PR_UnloadLibrary(lib);
226 return NS_ERROR_FAILURE;
227 }
228 #endif
229
230 gssLibrary = lib;
231 return NS_OK;
232 }
233
234 #if defined( PR_LOGGING )
235
236 // Generate proper GSSAPI error messages from the major and
237 // minor status codes.
238 void
239 LogGssError(OM_uint32 maj_stat, OM_uint32 min_stat, const char *prefix)
240 {
241 OM_uint32 new_stat;
242 OM_uint32 msg_ctx = 0;
243 gss_buffer_desc status1_string;
244 gss_buffer_desc status2_string;
245 OM_uint32 ret;
246 nsCAutoString errorStr;
247 errorStr.Assign(prefix);
248
249 if (!gssLibrary)
250 return;
251
252 errorStr += ": ";
253 do {
254 ret = gss_display_status_ptr(&new_stat,
255 maj_stat,
256 GSS_C_GSS_CODE,
257 GSS_C_NULL_OID,
258 &msg_ctx,
259 &status1_string);
260 errorStr.Append((const char *) status1_string.value, status1_string.length);
261 gss_release_buffer_ptr(&new_stat, &status1_string);
262
263 errorStr += '\n';
264 ret = gss_display_status_ptr(&new_stat,
265 min_stat,
266 GSS_C_MECH_CODE,
267 GSS_C_NULL_OID,
268 &msg_ctx,
269 &status2_string);
270 errorStr.Append((const char *) status2_string.value, status2_string.length);
271 errorStr += '\n';
272 } while (!GSS_ERROR(ret) && msg_ctx != 0);
273
274 LOG(("%s\n", errorStr.get()));
275 }
276
277 #else /* PR_LOGGING */
278
279 #define LogGssError(x,y,z)
280
281 #endif /* PR_LOGGING */
282
283 //-----------------------------------------------------------------------------
284
285 nsAuthGSSAPI::nsAuthGSSAPI(pType package)
286 : mServiceFlags(REQ_DEFAULT)
287 {
288 OM_uint32 minstat;
289 OM_uint32 majstat;
290 gss_OID_set mech_set;
291 gss_OID item;
292
293 unsigned int i;
294 static gss_OID_desc gss_krb5_mech_oid_desc =
295 { 9, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
296 static gss_OID_desc gss_spnego_mech_oid_desc =
297 { 6, (void *) "\x2b\x06\x01\x05\x05\x02" };
298
299 LOG(("entering nsAuthGSSAPI::nsAuthGSSAPI()\n"));
300
301 mComplete = PR_FALSE;
302
303 if (!gssLibrary && NS_FAILED(gssInit()))
304 return;
305
306 mCtx = GSS_C_NO_CONTEXT;
307 mMechOID = &gss_krb5_mech_oid_desc;
308
309 // if the type is kerberos we accept it as default
310 // and exit
311
312 if (package == PACKAGE_TYPE_KERBEROS)
313 return;
314
315 // Now, look at the list of supported mechanisms,
316 // if SPNEGO is found, then use it.
317 // Otherwise, set the desired mechanism to
318 // GSS_C_NO_OID and let the system try to use
319 // the default mechanism.
320 //
321 // Using Kerberos directly (instead of negotiating
322 // with SPNEGO) may work in some cases depending
323 // on how smart the server side is.
324
325 majstat = gss_indicate_mechs_ptr(&minstat, &mech_set);
326 if (GSS_ERROR(majstat))
327 return;
328
329 if (mech_set) {
330 for (i=0; i<mech_set->count; i++) {
331 item = &mech_set->elements[i];
332 if (item->length == gss_spnego_mech_oid_desc.length &&
333 !memcmp(item->elements, gss_spnego_mech_oid_desc.elements,
334 item->length)) {
335 // ok, we found it
336 mMechOID = &gss_spnego_mech_oid_desc;
337 break;
338 }
339 }
340 gss_release_oid_set_ptr(&minstat, &mech_set);
341 }
342 }
343
344 void
345 nsAuthGSSAPI::Reset()
346 {
347 if (gssLibrary && mCtx != GSS_C_NO_CONTEXT) {
348 OM_uint32 minor_status;
349 gss_delete_sec_context_ptr(&minor_status, &mCtx, GSS_C_NO_BUFFER);
350 }
351 mCtx = GSS_C_NO_CONTEXT;
352 mComplete = PR_FALSE;
353 }
354
355 /* static */ void
356 nsAuthGSSAPI::Shutdown()
357 {
358 if (gssLibrary) {
359 PR_UnloadLibrary(gssLibrary);
360 gssLibrary = nsnull;
361 }
362 }
363
364 /* Limitations apply to this class's thread safety. See the header file */
365 NS_IMPL_THREADSAFE_ISUPPORTS1(nsAuthGSSAPI, nsIAuthModule)
366
367 NS_IMETHODIMP
368 nsAuthGSSAPI::Init(const char *serviceName,
369 PRUint32 serviceFlags,
370 const PRUnichar *domain,
371 const PRUnichar *username,
372 const PRUnichar *password)
373 {
374 // we don't expect to be passed any user credentials
375 NS_ASSERTION(!domain && !username && !password, "unexpected credentials");
376
377 // it's critial that the caller supply a service name to be used
378 NS_ENSURE_TRUE(serviceName && *serviceName, NS_ERROR_INVALID_ARG);
379
380 LOG(("entering nsAuthGSSAPI::Init()\n"));
381
382 if (!gssLibrary)
383 return NS_ERROR_NOT_INITIALIZED;
384
385 mServiceName = serviceName;
386 mServiceFlags = serviceFlags;
387 return NS_OK;
388 }
389
390 NS_IMETHODIMP
391 nsAuthGSSAPI::GetNextToken(const void *inToken,
392 PRUint32 inTokenLen,
393 void **outToken,
394 PRUint32 *outTokenLen)
395 {
396 OM_uint32 major_status, minor_status;
397 OM_uint32 req_flags = 0;
398 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
399 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
400 gss_buffer_t in_token_ptr = GSS_C_NO_BUFFER;
401 gss_name_t server;
402 nsCAutoString userbuf;
403 nsresult rv;
404
405 LOG(("entering nsAuthGSSAPI::GetNextToken()\n"));
406
407 if (!gssLibrary)
408 return NS_ERROR_NOT_INITIALIZED;
409
410 // If they've called us again after we're complete, reset to start afresh.
411 if (mComplete)
412 Reset();
413
414 if (mServiceFlags & REQ_DELEGATE)
415 req_flags |= GSS_C_DELEG_FLAG;
416
417 if (mServiceFlags & REQ_MUTUAL_AUTH)
418 req_flags |= GSS_C_MUTUAL_FLAG;
419
420 input_token.value = (void *)mServiceName.get();
421 input_token.length = mServiceName.Length() + 1;
422
423 #if defined(HAVE_RES_NINIT)
424 res_ninit(&_res);
425 #endif
426 major_status = gss_import_name_ptr(&minor_status,
427 &input_token,
428 &gss_c_nt_hostbased_service,
429 &server);
430 input_token.value = NULL;
431 input_token.length = 0;
432 if (GSS_ERROR(major_status)) {
433 LogGssError(major_status, minor_status, "gss_import_name() failed");
434 return NS_ERROR_FAILURE;
435 }
436
437 if (inToken) {
438 input_token.length = inTokenLen;
439 input_token.value = (void *) inToken;
440 in_token_ptr = &input_token;
441 }
442 else if (mCtx != GSS_C_NO_CONTEXT) {
443 // If there is no input token, then we are starting a new
444 // authentication sequence. If we have already initialized our
445 // security context, then we're in trouble because it means that the
446 // first sequence failed. We need to bail or else we might end up in
447 // an infinite loop.
448 LOG(("Cannot restart authentication sequence!"));
449 return NS_ERROR_UNEXPECTED;
450 }
451
452 #if defined(XP_MACOSX)
453 // Suppress Kerberos prompts to get credentials. See bug 240643.
454 // We can only use Mac OS X specific kerb functions if we are using
455 // the native lib
456 KLBoolean found;
457 PRBool doingMailTask = mServiceName.Find("imap@") ||
458 mServiceName.Find("pop@") ||
459 mServiceName.Find("smtp@") ||
460 mServiceName.Find("ldap@");
461
462 if (!doingMailTask && (gssNativeImp &&
463 (KLCacheHasValidTickets_ptr(NULL, kerberosVersion_V5, &found, NULL, NULL) != klNoErr || !found)))
464 {
465 major_status = GSS_S_FAILURE;
466 minor_status = 0;
467 }
468 else
469 #endif /* XP_MACOSX */
470 major_status = gss_init_sec_context_ptr(&minor_status,
471 GSS_C_NO_CREDENTIAL,
472 &mCtx,
473 server,
474 mMechOID,
475 req_flags,
476 GSS_C_INDEFINITE,
477 GSS_C_NO_CHANNEL_BINDINGS,
478 in_token_ptr,
479 nsnull,
480 &output_token,
481 nsnull,
482 nsnull);
483
484 if (GSS_ERROR(major_status)) {
485 LogGssError(major_status, minor_status, "gss_init_sec_context() failed");
486 Reset();
487 rv = NS_ERROR_FAILURE;
488 goto end;
489 }
490 if (major_status == GSS_S_COMPLETE) {
491 // Mark ourselves as being complete, so that if we're called again
492 // we know to start afresh.
493 mComplete = PR_TRUE;
494 }
495 else if (major_status == GSS_S_CONTINUE_NEEDED) {
496 //
497 // The important thing is that we do NOT reset the
498 // context here because it will be needed on the
499 // next call.
500 //
501 }
502
503 *outTokenLen = output_token.length;
504 if (output_token.length != 0)
505 *outToken = nsMemory::Clone(output_token.value, output_token.length);
506 else
507 *outToken = NULL;
508
509 gss_release_buffer_ptr(&minor_status, &output_token);
510
511 if (major_status == GSS_S_COMPLETE)
512 rv = NS_SUCCESS_AUTH_FINISHED;
513 else
514 rv = NS_OK;
515
516 end:
517 gss_release_name_ptr(&minor_status, &server);
518
519 LOG((" leaving nsAuthGSSAPI::GetNextToken [rv=%x]", rv));
520 return rv;
521 }
522
523 NS_IMETHODIMP
524 nsAuthGSSAPI::Unwrap(const void *inToken,
525 PRUint32 inTokenLen,
526 void **outToken,
527 PRUint32 *outTokenLen)
528 {
529 OM_uint32 major_status, minor_status;
530
531 gss_buffer_desc input_token;
532 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
533
534 input_token.value = (void *) inToken;
535 input_token.length = inTokenLen;
536
537 major_status = gss_unwrap_ptr(&minor_status,
538 mCtx,
539 &input_token,
540 &output_token,
541 NULL,
542 NULL);
543 if (GSS_ERROR(major_status)) {
544 LogGssError(major_status, minor_status, "gss_unwrap() failed");
545 Reset();
546 gss_release_buffer_ptr(&minor_status, &output_token);
547 return NS_ERROR_FAILURE;
548 }
549
550 *outTokenLen = output_token.length;
551
552 if (output_token.length)
553 *outToken = nsMemory::Clone(output_token.value, output_token.length);
554 else
555 *outToken = NULL;
556
557 gss_release_buffer_ptr(&minor_status, &output_token);
558
559 return NS_OK;
560 }
561
562 NS_IMETHODIMP
563 nsAuthGSSAPI::Wrap(const void *inToken,
564 PRUint32 inTokenLen,
565 PRBool confidential,
566 void **outToken,
567 PRUint32 *outTokenLen)
568 {
569 OM_uint32 major_status, minor_status;
570
571 gss_buffer_desc input_token;
572 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
573
574 input_token.value = (void *) inToken;
575 input_token.length = inTokenLen;
576
577 major_status = gss_wrap_ptr(&minor_status,
578 mCtx,
579 confidential,
580 GSS_C_QOP_DEFAULT,
581 &input_token,
582 NULL,
583 &output_token);
584
585 if (GSS_ERROR(major_status)) {
586 LogGssError(major_status, minor_status, "gss_wrap() failed");
587 Reset();
588 gss_release_buffer_ptr(&minor_status, &output_token);
589 return NS_ERROR_FAILURE;
590 }
591
592 *outTokenLen = output_token.length;
593
594 /* it is not possible for output_token.length to be zero */
595 *outToken = nsMemory::Clone(output_token.value, output_token.length);
596 gss_release_buffer_ptr(&minor_status, &output_token);
597
598 return NS_OK;
599 }
600
git mirror of mozilla-central