| blob | ca70729e7c5df787f45d217b6115afdb68126969 |
1 /* vim:set ts=4 sw=4 sts=4 et cindent: */
2 /* ***** BEGIN LICENSE BLOCK *****
3 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
4 *
5 * The contents of this file are subject to the Mozilla Public License Version
6 * 1.1 (the "License"); you may not use this file except in compliance with
7 * the License. You may obtain a copy of the License at
8 * http://www.mozilla.org/MPL/
9 *
10 * Software distributed under the License is distributed on an "AS IS" basis,
11 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
12 * for the specific language governing rights and limitations under the
13 * License.
14 *
15 * The Original Code is the SSPI NegotiateAuth Module
16 *
17 * The Initial Developer of the Original Code is IBM Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 2004
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Darin Fisher <darin@meer.net>
23 *
24 * Alternatively, the contents of this file may be used under the terms of
25 * either the GNU General Public License Version 2 or later (the "GPL"), or
26 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 * in which case the provisions of the GPL or the LGPL are applicable instead
28 * of those above. If you wish to allow use of your version of this file only
29 * under the terms of either the GPL or the LGPL, and not to allow others to
30 * use your version of this file under the terms of the MPL, indicate your
31 * decision by deleting the provisions above and replace them with the notice
32 * and other provisions required by the GPL or the LGPL. If you do not delete
33 * the provisions above, a recipient may use your version of this file under
34 * the terms of any one of the MPL, the GPL or the LGPL.
35 *
36 * ***** END LICENSE BLOCK ***** */
38 //
39 // Negotiate Authentication Support Module
40 //
41 // Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
42 // (formerly draft-brezak-spnego-http-04.txt)
43 //
44 // Also described here:
45 // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
46 //
55 #define SEC_SUCCESS(Status) ((Status) >= 0)
57 #ifndef KERB_WRAP_NO_ENCRYPT
58 #define KERB_WRAP_NO_ENCRYPT 0x80000001
59 #endif
61 #ifndef SECBUFFER_PADDING
62 #define SECBUFFER_PADDING 9
63 #endif
65 #ifndef SECBUFFER_STREAM
66 #define SECBUFFER_STREAM 10
67 #endif
69 //-----------------------------------------------------------------------------
74 "NTLM"
75 };
77 #ifdef DEBUG
78 #define CASE_(_x) case _x: return # _x;
80 {
96 }
98 }
99 #else
101 #endif
103 //-----------------------------------------------------------------------------
108 static nsresult
110 {
121 }
122 }
129 }
135 }
138 }
140 //-----------------------------------------------------------------------------
142 static nsresult
144 {
145 nsresult rv;
149 // The service name looks like "protocol@hostname", we need to map
150 // this to a value that SSPI expects. To be consistent with IE, we
151 // need to map '@' to '/' and canonicalize the hostname.
160 // This could be expensive if our DNS cache cannot satisfy the request.
161 // However, we should have at least hit the OS resolver once prior to
162 // reaching this code, so provided the OS resolver has this information
163 // cached, we should not have to worry about blocking on this function call
164 // for very long. NOTE: because we ask for the canonical hostname, we
165 // might end up requiring extra network activity in cases where the OS
166 // resolver might not have enough information to satisfy the request from
167 // its cache. This is not an issue in versions of Windows up to WinXP.
175 nsCAutoString cname;
180 }
182 }
184 //-----------------------------------------------------------------------------
190 {
193 }
196 {
200 #ifdef __MINGW32__
202 #else
204 #endif
206 }
207 }
209 void
211 {
215 }
216 }
220 NS_IMETHODIMP
222 PRUint32 serviceFlags,
226 {
229 // we don't expect to be passed any user credentials
232 // if we're configured for SPNEGO (Negotiate) or Kerberos, then it's critical
233 // that the caller supply a service name to be used.
237 nsresult rv;
239 // XXX lazy initialization like this assumes that we are single threaded
244 }
251 {
256 }
258 SECURITY_STATUS rc;
260 PSecPkgInfo pinfo;
265 }
269 TimeStamp useBefore;
272 package,
273 SECPKG_CRED_OUTBOUND,
274 NULL,
275 NULL,
276 NULL,
277 NULL,
284 }
286 NS_IMETHODIMP
288 PRUint32 inTokenLen,
291 {
292 SECURITY_STATUS rc;
293 TimeStamp ignored;
315 }
317 // If there is no input token, then we are starting a new
318 // authentication sequence. If we have already initialized our
319 // security context, then we're in trouble because it means that the
320 // first sequence failed. We need to bail or else we might end up in
321 // an infinite loop.
325 }
328 }
344 else
348 ctxIn,
349 sn,
350 ctxReq,
352 SECURITY_NATIVE_DREP,
363 }
371 }
377 }
379 NS_IMETHODIMP
381 PRUint32 inTokenLen,
384 {
385 SECURITY_STATUS rc;
386 SecBufferDesc ibd;
393 // SSPI Buf
402 // app data
411 NULL
412 );
417 }
418 else
427 }
429 // utility class used to free memory on exit
430 class secBuffers
431 {
439 {
448 }
449 };
451 NS_IMETHODIMP
453 PRUint32 inTokenLen,
454 PRBool confidential,
457 {
458 SECURITY_STATUS rc;
460 SecBufferDesc ibd;
461 secBuffers bufs;
462 SecPkgContext_Sizes sizes;
466 SECPKG_ATTR_SIZES,
476 // SSPI
484 // APP Data
494 // SSPI
525 }
528 }