Back to index

lightning-sunbird  0.9+nobinonly
nsAuthSSPI.cpp
Go to the documentation of this file.
00001 /* vim:set ts=4 sw=4 sts=4 et cindent: */
00002 /* ***** BEGIN LICENSE BLOCK *****
00003  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00004  *
00005  * The contents of this file are subject to the Mozilla Public License Version
00006  * 1.1 (the "License"); you may not use this file except in compliance with
00007  * the License. You may obtain a copy of the License at
00008  * http://www.mozilla.org/MPL/
00009  *
00010  * Software distributed under the License is distributed on an "AS IS" basis,
00011  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00012  * for the specific language governing rights and limitations under the
00013  * License.
00014  *
00015  * The Original Code is the SSPI NegotiateAuth Module
00016  *
00017  * The Initial Developer of the Original Code is IBM Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 2004
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *   Darin Fisher <darin@meer.net>
00023  *
00024  * Alternatively, the contents of this file may be used under the terms of
00025  * either the GNU General Public License Version 2 or later (the "GPL"), or
00026  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00027  * in which case the provisions of the GPL or the LGPL are applicable instead
00028  * of those above. If you wish to allow use of your version of this file only
00029  * under the terms of either the GPL or the LGPL, and not to allow others to
00030  * use your version of this file under the terms of the MPL, indicate your
00031  * decision by deleting the provisions above and replace them with the notice
00032  * and other provisions required by the GPL or the LGPL. If you do not delete
00033  * the provisions above, a recipient may use your version of this file under
00034  * the terms of any one of the MPL, the GPL or the LGPL.
00035  *
00036  * ***** END LICENSE BLOCK ***** */
00037 
00038 //
00039 // Negotiate Authentication Support Module
00040 //
00041 // Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
00042 // (formerly draft-brezak-spnego-http-04.txt)
00043 //
00044 // Also described here:
00045 // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
00046 //
00047 
00048 #include "nsAuthSSPI.h"
00049 #include "nsIServiceManager.h"
00050 #include "nsIDNSService.h"
00051 #include "nsIDNSRecord.h"
00052 #include "nsNetCID.h"
00053 #include "nsCOMPtr.h"
00054 
00055 #define SEC_SUCCESS(Status) ((Status) >= 0)
00056 
00057 #ifndef KERB_WRAP_NO_ENCRYPT
00058 #define KERB_WRAP_NO_ENCRYPT 0x80000001
00059 #endif
00060 
00061 #ifndef SECBUFFER_PADDING
00062 #define SECBUFFER_PADDING 9
00063 #endif
00064 
00065 #ifndef SECBUFFER_STREAM
00066 #define SECBUFFER_STREAM 10
00067 #endif
00068 
00069 //-----------------------------------------------------------------------------
00070 
00071 static const char *const pTypeName [] = {
00072     "Kerberos",
00073     "Negotiate",
00074     "NTLM"
00075 };
00076 
00077 #ifdef DEBUG
00078 #define CASE_(_x) case _x: return # _x;
00079 static const char *MapErrorCode(int rc)
00080 {
00081     switch (rc) {
00082     CASE_(SEC_E_OK)
00083     CASE_(SEC_I_CONTINUE_NEEDED)
00084     CASE_(SEC_I_COMPLETE_NEEDED)
00085     CASE_(SEC_I_COMPLETE_AND_CONTINUE)
00086     CASE_(SEC_E_INCOMPLETE_MESSAGE)
00087     CASE_(SEC_I_INCOMPLETE_CREDENTIALS)
00088     CASE_(SEC_E_INVALID_HANDLE)
00089     CASE_(SEC_E_TARGET_UNKNOWN)
00090     CASE_(SEC_E_LOGON_DENIED)
00091     CASE_(SEC_E_INTERNAL_ERROR)
00092     CASE_(SEC_E_NO_CREDENTIALS)
00093     CASE_(SEC_E_NO_AUTHENTICATING_AUTHORITY)
00094     CASE_(SEC_E_INSUFFICIENT_MEMORY)
00095     CASE_(SEC_E_INVALID_TOKEN)
00096     }
00097     return "<unknown>";
00098 }
00099 #else
00100 #define MapErrorCode(_rc) ""
00101 #endif
00102 
00103 //-----------------------------------------------------------------------------
00104 
00105 static HINSTANCE                 sspi_lib; 
00106 static PSecurityFunctionTable    sspi;
00107 
00108 static nsresult
00109 InitSSPI()
00110 {
00111     PSecurityFunctionTable (*initFun)(void);
00112 
00113     LOG(("  InitSSPI\n"));
00114 
00115     sspi_lib = LoadLibrary("secur32.dll");
00116     if (!sspi_lib) {
00117         sspi_lib = LoadLibrary("security.dll");
00118         if (!sspi_lib) {
00119             LOG(("SSPI library not found"));
00120             return NS_ERROR_UNEXPECTED;
00121         }
00122     }
00123 
00124     initFun = (PSecurityFunctionTable (*)(void))
00125             GetProcAddress(sspi_lib, "InitSecurityInterfaceA");
00126     if (!initFun) {
00127         LOG(("InitSecurityInterfaceA not found"));
00128         return NS_ERROR_UNEXPECTED;
00129     }
00130 
00131     sspi = initFun();
00132     if (!sspi) {
00133         LOG(("InitSecurityInterfaceA failed"));
00134         return NS_ERROR_UNEXPECTED;
00135     }
00136 
00137     return NS_OK;
00138 }
00139 
00140 //-----------------------------------------------------------------------------
00141 
00142 static nsresult
00143 MakeSN(const char *principal, nsCString &result)
00144 {
00145     nsresult rv;
00146 
00147     nsCAutoString buf(principal);
00148 
00149     // The service name looks like "protocol@hostname", we need to map
00150     // this to a value that SSPI expects.  To be consistent with IE, we
00151     // need to map '@' to '/' and canonicalize the hostname.
00152     PRInt32 index = buf.FindChar('@');
00153     if (index == kNotFound)
00154         return NS_ERROR_UNEXPECTED;
00155     
00156     nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID, &rv);
00157     if (NS_FAILED(rv))
00158         return rv;
00159 
00160     // This could be expensive if our DNS cache cannot satisfy the request.
00161     // However, we should have at least hit the OS resolver once prior to
00162     // reaching this code, so provided the OS resolver has this information
00163     // cached, we should not have to worry about blocking on this function call
00164     // for very long.  NOTE: because we ask for the canonical hostname, we
00165     // might end up requiring extra network activity in cases where the OS
00166     // resolver might not have enough information to satisfy the request from
00167     // its cache.  This is not an issue in versions of Windows up to WinXP.
00168     nsCOMPtr<nsIDNSRecord> record;
00169     rv = dns->Resolve(Substring(buf, index + 1),
00170                       nsIDNSService::RESOLVE_CANONICAL_NAME,
00171                       getter_AddRefs(record));
00172     if (NS_FAILED(rv))
00173         return rv;
00174 
00175     nsCAutoString cname;
00176     rv = record->GetCanonicalName(cname);
00177     if (NS_SUCCEEDED(rv)) {
00178         result = StringHead(buf, index) + NS_LITERAL_CSTRING("/") + cname;
00179         LOG(("Using SPN of [%s]\n", result.get()));
00180     }
00181     return rv;
00182 }
00183 
00184 //-----------------------------------------------------------------------------
00185 
00186 nsAuthSSPI::nsAuthSSPI(pType package)
00187     : mServiceFlags(REQ_DEFAULT)
00188     , mMaxTokenLen(0)
00189     , mPackage(package)
00190 {
00191     memset(&mCred, 0, sizeof(mCred));
00192     memset(&mCtxt, 0, sizeof(mCtxt));
00193 }
00194 
00195 nsAuthSSPI::~nsAuthSSPI()
00196 {
00197     Reset();
00198 
00199     if (mCred.dwLower || mCred.dwUpper) {
00200 #ifdef __MINGW32__
00201         (sspi->FreeCredentialsHandle)(&mCred);
00202 #else
00203         (sspi->FreeCredentialHandle)(&mCred);
00204 #endif
00205         memset(&mCred, 0, sizeof(mCred));
00206     }
00207 }
00208 
00209 void
00210 nsAuthSSPI::Reset()
00211 {
00212     if (mCtxt.dwLower || mCtxt.dwUpper) {
00213         (sspi->DeleteSecurityContext)(&mCtxt);
00214         memset(&mCtxt, 0, sizeof(mCtxt));
00215     }
00216 }
00217 
00218 NS_IMPL_ISUPPORTS1(nsAuthSSPI, nsIAuthModule)
00219 
00220 NS_IMETHODIMP
00221 nsAuthSSPI::Init(const char *serviceName,
00222                  PRUint32    serviceFlags,
00223                  const PRUnichar *domain,
00224                  const PRUnichar *username,
00225                  const PRUnichar *password)
00226 {
00227     LOG(("  nsAuthSSPI::Init\n"));
00228 
00229     // we don't expect to be passed any user credentials
00230     NS_ASSERTION(!domain && !username && !password, "unexpected credentials");
00231 
00232     // if we're configured for SPNEGO (Negotiate) or Kerberos, then it's critical 
00233     // that the caller supply a service name to be used.
00234     if (mPackage != PACKAGE_TYPE_NTLM)
00235         NS_ENSURE_TRUE(serviceName && *serviceName, NS_ERROR_INVALID_ARG);
00236 
00237     nsresult rv;
00238 
00239     // XXX lazy initialization like this assumes that we are single threaded
00240     if (!sspi) {
00241         rv = InitSSPI();
00242         if (NS_FAILED(rv))
00243             return rv;
00244     }
00245 
00246     SEC_CHAR *package;
00247 
00248     package = (SEC_CHAR *) pTypeName[(int)mPackage];
00249 
00250     if (mPackage != PACKAGE_TYPE_NTLM)
00251     {
00252         rv = MakeSN(serviceName, mServiceName);
00253         if (NS_FAILED(rv))
00254             return rv;
00255         mServiceFlags = serviceFlags;
00256     }
00257 
00258     SECURITY_STATUS rc;
00259 
00260     PSecPkgInfo pinfo;
00261     rc = (sspi->QuerySecurityPackageInfo)(package, &pinfo);
00262     if (rc != SEC_E_OK) {
00263         LOG(("%s package not found\n", package));
00264         return NS_ERROR_UNEXPECTED;
00265     }
00266     mMaxTokenLen = pinfo->cbMaxToken;
00267     (sspi->FreeContextBuffer)(pinfo);
00268 
00269     TimeStamp useBefore;
00270 
00271     rc = (sspi->AcquireCredentialsHandle)(NULL,
00272                                           package,
00273                                           SECPKG_CRED_OUTBOUND,
00274                                           NULL,
00275                                           NULL,
00276                                           NULL,
00277                                           NULL,
00278                                           &mCred,
00279                                           &useBefore);
00280     if (rc != SEC_E_OK)
00281         return NS_ERROR_UNEXPECTED;
00282 
00283     return NS_OK;
00284 }
00285 
00286 NS_IMETHODIMP
00287 nsAuthSSPI::GetNextToken(const void *inToken,
00288                          PRUint32    inTokenLen,
00289                          void      **outToken,
00290                          PRUint32   *outTokenLen)
00291 {
00292     SECURITY_STATUS rc;
00293     TimeStamp ignored;
00294 
00295     DWORD ctxAttr, ctxReq = 0;
00296     CtxtHandle *ctxIn;
00297     SecBufferDesc ibd, obd;
00298     SecBuffer ib, ob;
00299 
00300     LOG(("entering nsAuthSSPI::GetNextToken()\n"));
00301 
00302     if (mServiceFlags & REQ_DELEGATE)
00303         ctxReq |= ISC_REQ_DELEGATE;
00304     if (mServiceFlags & REQ_MUTUAL_AUTH)
00305         ctxReq |= ISC_REQ_MUTUAL_AUTH;
00306 
00307     if (inToken) {
00308         ib.BufferType = SECBUFFER_TOKEN;
00309         ib.cbBuffer = inTokenLen;
00310         ib.pvBuffer = (void *) inToken;
00311         ibd.ulVersion = SECBUFFER_VERSION;
00312         ibd.cBuffers = 1;
00313         ibd.pBuffers = &ib;
00314         ctxIn = &mCtxt;
00315     }
00316     else {
00317         // If there is no input token, then we are starting a new
00318         // authentication sequence.  If we have already initialized our
00319         // security context, then we're in trouble because it means that the
00320         // first sequence failed.  We need to bail or else we might end up in
00321         // an infinite loop.
00322         if (mCtxt.dwLower || mCtxt.dwUpper) {
00323             LOG(("Cannot restart authentication sequence!"));
00324             return NS_ERROR_UNEXPECTED;
00325         }
00326 
00327         ctxIn = NULL;
00328     }
00329 
00330     obd.ulVersion = SECBUFFER_VERSION;
00331     obd.cBuffers = 1;
00332     obd.pBuffers = &ob;
00333     ob.BufferType = SECBUFFER_TOKEN;
00334     ob.cbBuffer = mMaxTokenLen;
00335     ob.pvBuffer = nsMemory::Alloc(ob.cbBuffer);
00336     if (!ob.pvBuffer)
00337         return NS_ERROR_OUT_OF_MEMORY;
00338     memset(ob.pvBuffer, 0, ob.cbBuffer);
00339 
00340     SEC_CHAR *sn;
00341 
00342     if (mPackage == PACKAGE_TYPE_NTLM)
00343         sn = NULL;
00344     else
00345         sn = (SEC_CHAR *) mServiceName.get();
00346 
00347     rc = (sspi->InitializeSecurityContext)(&mCred,
00348                                            ctxIn,
00349                                            sn,
00350                                            ctxReq,
00351                                            0,
00352                                            SECURITY_NATIVE_DREP,
00353                                            inToken ? &ibd : NULL,
00354                                            0,
00355                                            &mCtxt,
00356                                            &obd,
00357                                            &ctxAttr,
00358                                            &ignored);
00359     if (rc == SEC_I_CONTINUE_NEEDED || rc == SEC_E_OK) {
00360         if (!ob.cbBuffer) {
00361             nsMemory::Free(ob.pvBuffer);
00362             ob.pvBuffer = NULL;
00363         }
00364         *outToken = ob.pvBuffer;
00365         *outTokenLen = ob.cbBuffer;
00366 
00367         if (rc == SEC_E_OK)
00368             return NS_SUCCESS_AUTH_FINISHED;
00369 
00370         return NS_OK;
00371     }
00372 
00373     LOG(("InitializeSecurityContext failed [rc=%d:%s]\n", rc, MapErrorCode(rc)));
00374     Reset();
00375     nsMemory::Free(ob.pvBuffer);
00376     return NS_ERROR_FAILURE;
00377 }
00378 
00379 NS_IMETHODIMP
00380 nsAuthSSPI::Unwrap(const void *inToken,
00381                    PRUint32    inTokenLen,
00382                    void      **outToken,
00383                    PRUint32   *outTokenLen)
00384 {
00385     SECURITY_STATUS rc;
00386     SecBufferDesc ibd;
00387     SecBuffer ib[2];
00388 
00389     ibd.cBuffers = 2;
00390     ibd.pBuffers = ib;
00391     ibd.ulVersion = SECBUFFER_VERSION; 
00392 
00393     // SSPI Buf
00394     ib[0].BufferType = SECBUFFER_STREAM;
00395     ib[0].cbBuffer = inTokenLen;
00396     ib[0].pvBuffer = nsMemory::Alloc(ib[0].cbBuffer);
00397     if (!ib[0].pvBuffer)
00398         return NS_ERROR_OUT_OF_MEMORY;
00399     
00400     memcpy(ib[0].pvBuffer, inToken, inTokenLen);
00401 
00402     // app data
00403     ib[1].BufferType = SECBUFFER_DATA;
00404     ib[1].cbBuffer = 0;
00405     ib[1].pvBuffer = NULL;
00406 
00407     rc = (sspi->DecryptMessage)(
00408                                 &mCtxt,
00409                                 &ibd,
00410                                 0, // no sequence numbers
00411                                 NULL
00412                                 );
00413 
00414     if (SEC_SUCCESS(rc)) {
00415         *outToken = ib[1].pvBuffer;
00416         *outTokenLen = ib[1].cbBuffer;
00417     }
00418     else
00419         nsMemory::Free(ib[1].pvBuffer);
00420 
00421     nsMemory::Free(ib[0].pvBuffer);
00422 
00423     if (!SEC_SUCCESS(rc))
00424         return NS_ERROR_FAILURE;
00425 
00426     return NS_OK;
00427 }
00428 
00429 // utility class used to free memory on exit
00430 class secBuffers
00431 {
00432 public:
00433 
00434     SecBuffer ib[3];
00435 
00436     secBuffers() { memset(&ib, 0, sizeof(ib)); }
00437 
00438     ~secBuffers() 
00439     {
00440         if (ib[0].pvBuffer)
00441             nsMemory::Free(ib[0].pvBuffer);
00442 
00443         if (ib[1].pvBuffer)
00444             nsMemory::Free(ib[1].pvBuffer);
00445 
00446         if (ib[2].pvBuffer)
00447             nsMemory::Free(ib[2].pvBuffer);
00448     }
00449 };
00450 
00451 NS_IMETHODIMP
00452 nsAuthSSPI::Wrap(const void *inToken,
00453                  PRUint32    inTokenLen,
00454                  PRBool      confidential,
00455                  void      **outToken,
00456                  PRUint32   *outTokenLen)
00457 {
00458     SECURITY_STATUS rc;
00459 
00460     SecBufferDesc ibd;
00461     secBuffers bufs;
00462     SecPkgContext_Sizes sizes;
00463 
00464     rc = (sspi->QueryContextAttributes)(
00465          &mCtxt,
00466          SECPKG_ATTR_SIZES,
00467          &sizes);
00468 
00469     if (!SEC_SUCCESS(rc))  
00470         return NS_ERROR_FAILURE;
00471     
00472     ibd.cBuffers = 3;
00473     ibd.pBuffers = bufs.ib;
00474     ibd.ulVersion = SECBUFFER_VERSION;
00475     
00476     // SSPI
00477     bufs.ib[0].cbBuffer = sizes.cbSecurityTrailer;
00478     bufs.ib[0].BufferType = SECBUFFER_TOKEN;
00479     bufs.ib[0].pvBuffer = nsMemory::Alloc(sizes.cbSecurityTrailer);
00480 
00481     if (!bufs.ib[0].pvBuffer)
00482         return NS_ERROR_OUT_OF_MEMORY;
00483 
00484     // APP Data
00485     bufs.ib[1].BufferType = SECBUFFER_DATA;
00486     bufs.ib[1].pvBuffer = nsMemory::Alloc(inTokenLen);
00487     bufs.ib[1].cbBuffer = inTokenLen;
00488     
00489     if (!bufs.ib[1].pvBuffer)
00490         return NS_ERROR_OUT_OF_MEMORY;
00491 
00492     memcpy(bufs.ib[1].pvBuffer, inToken, inTokenLen);
00493 
00494     // SSPI
00495     bufs.ib[2].BufferType = SECBUFFER_PADDING;
00496     bufs.ib[2].cbBuffer = sizes.cbBlockSize;
00497     bufs.ib[2].pvBuffer = nsMemory::Alloc(bufs.ib[2].cbBuffer);
00498 
00499     if (!bufs.ib[2].pvBuffer)
00500         return NS_ERROR_OUT_OF_MEMORY;
00501 
00502     rc = (sspi->EncryptMessage)(&mCtxt,
00503           confidential ? 0 : KERB_WRAP_NO_ENCRYPT,
00504          &ibd, 0);
00505 
00506     if (SEC_SUCCESS(rc)) {
00507         int len  = bufs.ib[0].cbBuffer + bufs.ib[1].cbBuffer + bufs.ib[2].cbBuffer;
00508         char *p = (char *) nsMemory::Alloc(len);
00509 
00510         if (!p)
00511             return NS_ERROR_OUT_OF_MEMORY;
00512                             
00513         *outToken = (void *) p;
00514         *outTokenLen = len;
00515 
00516         memcpy(p, bufs.ib[0].pvBuffer, bufs.ib[0].cbBuffer);
00517         p += bufs.ib[0].cbBuffer;
00518 
00519         memcpy(p,bufs.ib[1].pvBuffer, bufs.ib[1].cbBuffer);
00520         p += bufs.ib[1].cbBuffer;
00521 
00522         memcpy(p,bufs.ib[2].pvBuffer, bufs.ib[2].cbBuffer);
00523         
00524         return NS_OK;
00525     }
00526 
00527     return NS_ERROR_FAILURE;
00528 }