Back to index

lightning-sunbird  0.9+nobinonly
nsNegotiateAuthSSPI.cpp
Go to the documentation of this file.
00001 /* vim:set ts=4 sw=4 sts=4 et cindent: */
00002 /* ***** BEGIN LICENSE BLOCK *****
00003  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00004  *
00005  * The contents of this file are subject to the Mozilla Public License Version
00006  * 1.1 (the "License"); you may not use this file except in compliance with
00007  * the License. You may obtain a copy of the License at
00008  * http://www.mozilla.org/MPL/
00009  *
00010  * Software distributed under the License is distributed on an "AS IS" basis,
00011  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00012  * for the specific language governing rights and limitations under the
00013  * License.
00014  *
00015  * The Original Code is the SSPI NegotiateAuth Module
00016  *
00017  * The Initial Developer of the Original Code is IBM Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 2004
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *   Darin Fisher <darin@meer.net>
00023  *
00024  * Alternatively, the contents of this file may be used under the terms of
00025  * either the GNU General Public License Version 2 or later (the "GPL"), or
00026  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00027  * in which case the provisions of the GPL or the LGPL are applicable instead
00028  * of those above. If you wish to allow use of your version of this file only
00029  * under the terms of either the GPL or the LGPL, and not to allow others to
00030  * use your version of this file under the terms of the MPL, indicate your
00031  * decision by deleting the provisions above and replace them with the notice
00032  * and other provisions required by the GPL or the LGPL. If you do not delete
00033  * the provisions above, a recipient may use your version of this file under
00034  * the terms of any one of the MPL, the GPL or the LGPL.
00035  *
00036  * ***** END LICENSE BLOCK ***** */
00037 
00038 //
00039 // Negotiate Authentication Support Module
00040 //
00041 // Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
00042 // (formerly draft-brezak-spnego-http-04.txt)
00043 //
00044 // Also described here:
00045 // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
00046 //
00047 
00048 #include "nsNegotiateAuth.h"
00049 #include "nsNegotiateAuthSSPI.h"
00050 #include "nsIServiceManager.h"
00051 #include "nsIDNSService.h"
00052 #include "nsIDNSRecord.h"
00053 #include "nsNetCID.h"
00054 #include "nsCOMPtr.h"
00055 
00056 //-----------------------------------------------------------------------------
00057 
00058 #ifdef DEBUG
00059 #define CASE_(_x) case _x: return # _x;
00060 static const char *MapErrorCode(int rc)
00061 {
00062     switch (rc) {
00063     CASE_(SEC_E_OK)
00064     CASE_(SEC_I_CONTINUE_NEEDED)
00065     CASE_(SEC_I_COMPLETE_NEEDED)
00066     CASE_(SEC_I_COMPLETE_AND_CONTINUE)
00067     CASE_(SEC_E_INCOMPLETE_MESSAGE)
00068     CASE_(SEC_I_INCOMPLETE_CREDENTIALS)
00069     CASE_(SEC_E_INVALID_HANDLE)
00070     CASE_(SEC_E_TARGET_UNKNOWN)
00071     CASE_(SEC_E_LOGON_DENIED)
00072     CASE_(SEC_E_INTERNAL_ERROR)
00073     CASE_(SEC_E_NO_CREDENTIALS)
00074     CASE_(SEC_E_NO_AUTHENTICATING_AUTHORITY)
00075     CASE_(SEC_E_INSUFFICIENT_MEMORY)
00076     CASE_(SEC_E_INVALID_TOKEN)
00077     }
00078     return "<unknown>";
00079 }
00080 #else
00081 #define MapErrorCode(_rc) ""
00082 #endif
00083 
00084 //-----------------------------------------------------------------------------
00085 
00086 static HINSTANCE                 sspi_lib; 
00087 static PSecurityFunctionTable    sspi;
00088 
00089 static nsresult
00090 InitSSPI()
00091 {
00092     PSecurityFunctionTable (*initFun)(void);
00093 
00094     sspi_lib = LoadLibrary("secur32.dll");
00095     if (!sspi_lib) {
00096         sspi_lib = LoadLibrary("security.dll");
00097         if (!sspi_lib) {
00098             LOG(("SSPI library not found"));
00099             return NS_ERROR_UNEXPECTED;
00100         }
00101     }
00102 
00103     initFun = (PSecurityFunctionTable (*)(void))
00104             GetProcAddress(sspi_lib, "InitSecurityInterfaceA");
00105     if (!initFun) {
00106         LOG(("InitSecurityInterfaceA not found"));
00107         return NS_ERROR_UNEXPECTED;
00108     }
00109 
00110     sspi = initFun();
00111     if (!sspi) {
00112         LOG(("InitSecurityInterfaceA failed"));
00113         return NS_ERROR_UNEXPECTED;
00114     }
00115 
00116     return NS_OK;
00117 }
00118 
00119 //-----------------------------------------------------------------------------
00120 
00121 static nsresult
00122 MakeSN(const char *principal, nsCString &result)
00123 {
00124     nsresult rv;
00125 
00126     nsCAutoString buf(principal);
00127 
00128     // The service name looks like "protocol@hostname", we need to map
00129     // this to a value that SSPI expects.  To be consistent with IE, we
00130     // need to map '@' to '/' and canonicalize the hostname.
00131     PRInt32 index = buf.FindChar('@');
00132     if (index == kNotFound)
00133         return NS_ERROR_UNEXPECTED;
00134     
00135     nsCOMPtr<nsIDNSService> dns = do_GetService(NS_DNSSERVICE_CONTRACTID, &rv);
00136     if (NS_FAILED(rv))
00137         return rv;
00138 
00139     // This could be expensive if our DNS cache cannot satisfy the request.
00140     // However, we should have at least hit the OS resolver once prior to
00141     // reaching this code, so provided the OS resolver has this information
00142     // cached, we should not have to worry about blocking on this function call
00143     // for very long.  NOTE: because we ask for the canonical hostname, we
00144     // might end up requiring extra network activity in cases where the OS
00145     // resolver might not have enough information to satisfy the request from
00146     // its cache.  This is not an issue in versions of Windows up to WinXP.
00147     nsCOMPtr<nsIDNSRecord> record;
00148     rv = dns->Resolve(Substring(buf, index + 1),
00149                       nsIDNSService::RESOLVE_CANONICAL_NAME,
00150                       getter_AddRefs(record));
00151     if (NS_FAILED(rv))
00152         return rv;
00153 
00154     nsCAutoString cname;
00155     rv = record->GetCanonicalName(cname);
00156     if (NS_SUCCEEDED(rv)) {
00157         result = StringHead(buf, index) + NS_LITERAL_CSTRING("/") + cname;
00158         LOG(("Using SPN of [%s]\n", result.get()));
00159     }
00160     return rv;
00161 }
00162 
00163 //-----------------------------------------------------------------------------
00164 
00165 nsNegotiateAuth::nsNegotiateAuth(PRBool useNTLM)
00166     : mServiceFlags(REQ_DEFAULT)
00167     , mMaxTokenLen(0)
00168     , mUseNTLM(useNTLM)
00169 {
00170     memset(&mCred, 0, sizeof(mCred));
00171     memset(&mCtxt, 0, sizeof(mCtxt));
00172 }
00173 
00174 nsNegotiateAuth::~nsNegotiateAuth()
00175 {
00176     Reset();
00177 
00178     if (mCred.dwLower || mCred.dwUpper) {
00179 #ifdef __MINGW32__
00180         (sspi->FreeCredentialsHandle)(&mCred);
00181 #else
00182         (sspi->FreeCredentialHandle)(&mCred);
00183 #endif
00184         memset(&mCred, 0, sizeof(mCred));
00185     }
00186 }
00187 
00188 void
00189 nsNegotiateAuth::Reset()
00190 {
00191     if (mCtxt.dwLower || mCtxt.dwUpper) {
00192         (sspi->DeleteSecurityContext)(&mCtxt);
00193         memset(&mCtxt, 0, sizeof(mCtxt));
00194     }
00195 }
00196 
00197 NS_IMPL_ISUPPORTS1(nsNegotiateAuth, nsIAuthModule)
00198 
00199 NS_IMETHODIMP
00200 nsNegotiateAuth::Init(const char *serviceName,
00201                       PRUint32    serviceFlags,
00202                       const PRUnichar *domain,
00203                       const PRUnichar *username,
00204                       const PRUnichar *password)
00205 {
00206     // we don't expect to be passed any user credentials
00207     NS_ASSERTION(!domain && !username && !password, "unexpected credentials");
00208 
00209     // if we're configured for SPNEGO, then it's critial that the caller
00210     // supply a service name to be used.
00211     if (!mUseNTLM)
00212         NS_ENSURE_TRUE(serviceName && *serviceName, NS_ERROR_INVALID_ARG);
00213 
00214     nsresult rv;
00215 
00216     // XXX lazy initialization like this assumes that we are single threaded
00217     if (!sspi) {
00218         rv = InitSSPI();
00219         if (NS_FAILED(rv))
00220             return rv;
00221     }
00222 
00223     SEC_CHAR *package;
00224     if (mUseNTLM)
00225         package = "NTLM";
00226     else {
00227         package = "Negotiate";
00228 
00229         rv = MakeSN(serviceName, mServiceName);
00230         if (NS_FAILED(rv))
00231             return rv;
00232         mServiceFlags = serviceFlags;
00233     }
00234 
00235     SECURITY_STATUS rc;
00236 
00237     PSecPkgInfo pinfo;
00238     rc = (sspi->QuerySecurityPackageInfo)(package, &pinfo);
00239     if (rc != SEC_E_OK) {
00240         LOG(("%s package not found\n", package));
00241         return NS_ERROR_UNEXPECTED;
00242     }
00243     mMaxTokenLen = pinfo->cbMaxToken;
00244     (sspi->FreeContextBuffer)(pinfo);
00245 
00246     TimeStamp useBefore;
00247 
00248     rc = (sspi->AcquireCredentialsHandle)(NULL,
00249                                           package,
00250                                           SECPKG_CRED_OUTBOUND,
00251                                           NULL,
00252                                           NULL,
00253                                           NULL,
00254                                           NULL,
00255                                           &mCred,
00256                                           &useBefore);
00257     if (rc != SEC_E_OK)
00258         return NS_ERROR_UNEXPECTED;
00259 
00260     return NS_OK;
00261 }
00262 
00263 NS_IMETHODIMP
00264 nsNegotiateAuth::GetNextToken(const void *inToken,
00265                               PRUint32    inTokenLen,
00266                               void      **outToken,
00267                               PRUint32   *outTokenLen)
00268 {
00269     SECURITY_STATUS rc;
00270 
00271     DWORD ctxAttr, ctxReq = 0;
00272     CtxtHandle *ctxIn;
00273     SecBufferDesc ibd, obd;
00274     SecBuffer ib, ob;
00275 
00276     LOG(("entering nsNegotiateAuth::GetNextToken()\n"));
00277 
00278     if (mServiceFlags & REQ_DELEGATE)
00279         ctxReq |= ISC_REQ_DELEGATE;
00280     if (mServiceFlags & REQ_MUTUAL_AUTH)
00281         ctxReq |= ISC_REQ_MUTUAL_AUTH;
00282 
00283     if (inToken) {
00284         ib.BufferType = SECBUFFER_TOKEN;
00285         ib.cbBuffer = inTokenLen;
00286         ib.pvBuffer = (void *) inToken;
00287         ibd.ulVersion = SECBUFFER_VERSION;
00288         ibd.cBuffers = 1;
00289         ibd.pBuffers = &ib;
00290         ctxIn = &mCtxt;
00291     }
00292     else {
00293         // If there is no input token, then we are starting a new
00294         // authentication sequence.  If we have already initialized our
00295         // security context, then we're in trouble because it means that the
00296         // first sequence failed.  We need to bail or else we might end up in
00297         // an infinite loop.
00298         if (mCtxt.dwLower || mCtxt.dwUpper) {
00299             LOG(("Cannot restart authentication sequence!"));
00300             return NS_ERROR_UNEXPECTED;
00301         }
00302 
00303         ctxIn = NULL;
00304     }
00305 
00306     obd.ulVersion = SECBUFFER_VERSION;
00307     obd.cBuffers = 1;
00308     obd.pBuffers = &ob;
00309     ob.BufferType = SECBUFFER_TOKEN;
00310     ob.cbBuffer = mMaxTokenLen;
00311     ob.pvBuffer = nsMemory::Alloc(ob.cbBuffer);
00312     if (!ob.pvBuffer)
00313         return NS_ERROR_OUT_OF_MEMORY;
00314     memset(ob.pvBuffer, 0, ob.cbBuffer);
00315 
00316     SEC_CHAR *sn;
00317     if (mUseNTLM)
00318         sn = NULL;
00319     else
00320         sn = (SEC_CHAR *) mServiceName.get();
00321 
00322     rc = (sspi->InitializeSecurityContext)(&mCred,
00323                                            ctxIn,
00324                                            sn,
00325                                            ctxReq,
00326                                            0,
00327                                            SECURITY_NATIVE_DREP,
00328                                            inToken ? &ibd : NULL,
00329                                            0,
00330                                            &mCtxt,
00331                                            &obd,
00332                                            &ctxAttr,
00333                                            NULL);
00334     if (rc == SEC_I_CONTINUE_NEEDED || rc == SEC_E_OK) {
00335         *outToken = ob.pvBuffer;
00336         *outTokenLen = ob.cbBuffer;
00337         return NS_OK;
00338     }
00339 
00340     LOG(("InitializeSecurityContext failed [rc=%d:%s]\n", rc, MapErrorCode(rc)));
00341     Reset();
00342     nsMemory::Free(ob.pvBuffer);
00343     return NS_ERROR_FAILURE;
00344 }