1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/http/http_auth_gssapi_posix.h" 6 7 #include <limits> 8 #include <string> 9 10 #include "base/base64.h" 11 #include "base/files/file_path.h" 12 #include "base/format_macros.h" 13 #include "base/logging.h" 14 #include "base/strings/string_util.h" 15 #include "base/strings/stringprintf.h" 16 #include "base/threading/thread_restrictions.h" 17 #include "net/base/net_errors.h" 18 #include "net/base/net_util.h" 19 20 // These are defined for the GSSAPI library: 21 // Paraphrasing the comments from gssapi.h: 22 // "The implementation must reserve static storage for a 23 // gss_OID_desc object for each constant. That constant 24 // should be initialized to point to that gss_OID_desc." 25 // These are encoded using ASN.1 BER encoding. 26 namespace { 27 28 static gss_OID_desc GSS_C_NT_USER_NAME_VAL = { 29 10, 30 const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01") 31 }; 32 static gss_OID_desc GSS_C_NT_MACHINE_UID_NAME_VAL = { 33 10, 34 const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02") 35 }; 36 static gss_OID_desc GSS_C_NT_STRING_UID_NAME_VAL = { 37 10, 38 const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03") 39 }; 40 static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X_VAL = { 41 6, 42 const_cast<char*>("\x2b\x06\x01\x05\x06\x02") 43 }; 44 static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_VAL = { 45 10, 46 const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04") 47 }; 48 static gss_OID_desc GSS_C_NT_ANONYMOUS_VAL = { 49 6, 50 const_cast<char*>("\x2b\x06\01\x05\x06\x03") 51 }; 52 static gss_OID_desc GSS_C_NT_EXPORT_NAME_VAL = { 53 6, 54 const_cast<char*>("\x2b\x06\x01\x05\x06\x04") 55 }; 56 57 } // namespace 58 59 // Heimdal >= 1.4 will define the following as preprocessor macros. 60 // To avoid conflicting declarations, we have to undefine these. 61 #undef GSS_C_NT_USER_NAME 62 #undef GSS_C_NT_MACHINE_UID_NAME 63 #undef GSS_C_NT_STRING_UID_NAME 64 #undef GSS_C_NT_HOSTBASED_SERVICE_X 65 #undef GSS_C_NT_HOSTBASED_SERVICE 66 #undef GSS_C_NT_ANONYMOUS 67 #undef GSS_C_NT_EXPORT_NAME 68 69 gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_VAL; 70 gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_VAL; 71 gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_VAL; 72 gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_VAL; 73 gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_VAL; 74 gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_VAL; 75 gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_VAL; 76 77 namespace net { 78 79 // Exported mechanism for GSSAPI. We always use SPNEGO: 80 81 // iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2) 82 gss_OID_desc CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL = { 83 6, 84 const_cast<char*>("\x2b\x06\x01\x05\x05\x02") 85 }; 86 87 gss_OID CHROME_GSS_SPNEGO_MECH_OID_DESC = 88 &CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL; 89 90 // Debugging helpers. 91 namespace { 92 93 std::string DisplayStatus(OM_uint32 major_status, 94 OM_uint32 minor_status) { 95 if (major_status == GSS_S_COMPLETE) 96 return "OK"; 97 return base::StringPrintf("0x%08X 0x%08X", major_status, minor_status); 98 } 99 100 std::string DisplayCode(GSSAPILibrary* gssapi_lib, 101 OM_uint32 status, 102 OM_uint32 status_code_type) { 103 const int kMaxDisplayIterations = 8; 104 const size_t kMaxMsgLength = 4096; 105 // msg_ctx needs to be outside the loop because it is invoked multiple times. 106 OM_uint32 msg_ctx = 0; 107 std::string rv = base::StringPrintf("(0x%08X)", status); 108 109 // This loop should continue iterating until msg_ctx is 0 after the first 110 // iteration. To be cautious and prevent an infinite loop, it stops after 111 // a finite number of iterations as well. As an added sanity check, no 112 // individual message may exceed |kMaxMsgLength|, and the final result 113 // will not exceed |kMaxMsgLength|*2-1. 114 for (int i = 0; i < kMaxDisplayIterations && rv.size() < kMaxMsgLength; 115 ++i) { 116 OM_uint32 min_stat; 117 gss_buffer_desc_struct msg = GSS_C_EMPTY_BUFFER; 118 OM_uint32 maj_stat = 119 gssapi_lib->display_status(&min_stat, status, status_code_type, 120 GSS_C_NULL_OID, &msg_ctx, &msg); 121 if (maj_stat == GSS_S_COMPLETE) { 122 int msg_len = (msg.length > kMaxMsgLength) ? 123 static_cast<int>(kMaxMsgLength) : 124 static_cast<int>(msg.length); 125 if (msg_len > 0 && msg.value != NULL) { 126 rv += base::StringPrintf(" %.*s", msg_len, 127 static_cast<char*>(msg.value)); 128 } 129 } 130 gssapi_lib->release_buffer(&min_stat, &msg); 131 if (!msg_ctx) 132 break; 133 } 134 return rv; 135 } 136 137 std::string DisplayExtendedStatus(GSSAPILibrary* gssapi_lib, 138 OM_uint32 major_status, 139 OM_uint32 minor_status) { 140 if (major_status == GSS_S_COMPLETE) 141 return "OK"; 142 std::string major = DisplayCode(gssapi_lib, major_status, GSS_C_GSS_CODE); 143 std::string minor = DisplayCode(gssapi_lib, minor_status, GSS_C_MECH_CODE); 144 return base::StringPrintf("Major: %s | Minor: %s", major.c_str(), 145 minor.c_str()); 146 } 147 148 // ScopedName releases a gss_name_t when it goes out of scope. 149 class ScopedName { 150 public: 151 ScopedName(gss_name_t name, 152 GSSAPILibrary* gssapi_lib) 153 : name_(name), 154 gssapi_lib_(gssapi_lib) { 155 DCHECK(gssapi_lib_); 156 } 157 158 ~ScopedName() { 159 if (name_ != GSS_C_NO_NAME) { 160 OM_uint32 minor_status = 0; 161 OM_uint32 major_status = 162 gssapi_lib_->release_name(&minor_status, &name_); 163 if (major_status != GSS_S_COMPLETE) { 164 LOG(WARNING) << "Problem releasing name. " 165 << DisplayStatus(major_status, minor_status); 166 } 167 name_ = GSS_C_NO_NAME; 168 } 169 } 170 171 private: 172 gss_name_t name_; 173 GSSAPILibrary* gssapi_lib_; 174 175 DISALLOW_COPY_AND_ASSIGN(ScopedName); 176 }; 177 178 // ScopedBuffer releases a gss_buffer_t when it goes out of scope. 179 class ScopedBuffer { 180 public: 181 ScopedBuffer(gss_buffer_t buffer, 182 GSSAPILibrary* gssapi_lib) 183 : buffer_(buffer), 184 gssapi_lib_(gssapi_lib) { 185 DCHECK(gssapi_lib_); 186 } 187 188 ~ScopedBuffer() { 189 if (buffer_ != GSS_C_NO_BUFFER) { 190 OM_uint32 minor_status = 0; 191 OM_uint32 major_status = 192 gssapi_lib_->release_buffer(&minor_status, buffer_); 193 if (major_status != GSS_S_COMPLETE) { 194 LOG(WARNING) << "Problem releasing buffer. " 195 << DisplayStatus(major_status, minor_status); 196 } 197 buffer_ = GSS_C_NO_BUFFER; 198 } 199 } 200 201 private: 202 gss_buffer_t buffer_; 203 GSSAPILibrary* gssapi_lib_; 204 205 DISALLOW_COPY_AND_ASSIGN(ScopedBuffer); 206 }; 207 208 namespace { 209 210 std::string AppendIfPredefinedValue(gss_OID oid, 211 gss_OID predefined_oid, 212 const char* predefined_oid_name) { 213 DCHECK(oid); 214 DCHECK(predefined_oid); 215 DCHECK(predefined_oid_name); 216 std::string output; 217 if (oid->length != predefined_oid->length) 218 return output; 219 if (0 != memcmp(oid->elements, 220 predefined_oid->elements, 221 predefined_oid->length)) 222 return output; 223 224 output += " ("; 225 output += predefined_oid_name; 226 output += ")"; 227 return output; 228 } 229 230 } // namespace 231 232 std::string DescribeOid(GSSAPILibrary* gssapi_lib, const gss_OID oid) { 233 if (!oid) 234 return "<NULL>"; 235 std::string output; 236 const size_t kMaxCharsToPrint = 1024; 237 OM_uint32 byte_length = oid->length; 238 size_t char_length = byte_length / sizeof(char); 239 if (char_length > kMaxCharsToPrint) { 240 // This might be a plain ASCII string. 241 // Check if the first |kMaxCharsToPrint| characters 242 // contain only printable characters and are NULL terminated. 243 const char* str = reinterpret_cast<const char*>(oid); 244 size_t str_length = 0; 245 for ( ; str_length < kMaxCharsToPrint; ++str_length) { 246 if (!str[str_length] || !isprint(str[str_length])) 247 break; 248 } 249 if (!str[str_length]) { 250 output += base::StringPrintf("\"%s\"", str); 251 return output; 252 } 253 } 254 output = base::StringPrintf("(%u) \"", byte_length); 255 if (!oid->elements) { 256 output += "<NULL>"; 257 return output; 258 } 259 const unsigned char* elements = 260 reinterpret_cast<const unsigned char*>(oid->elements); 261 // Don't print more than |kMaxCharsToPrint| characters. 262 size_t i = 0; 263 for ( ; (i < byte_length) && (i < kMaxCharsToPrint); ++i) { 264 output += base::StringPrintf("\\x%02X", elements[i]); 265 } 266 if (i >= kMaxCharsToPrint) 267 output += "..."; 268 output += "\""; 269 270 // Check if the OID is one of the predefined values. 271 output += AppendIfPredefinedValue(oid, 272 GSS_C_NT_USER_NAME, 273 "GSS_C_NT_USER_NAME"); 274 output += AppendIfPredefinedValue(oid, 275 GSS_C_NT_MACHINE_UID_NAME, 276 "GSS_C_NT_MACHINE_UID_NAME"); 277 output += AppendIfPredefinedValue(oid, 278 GSS_C_NT_STRING_UID_NAME, 279 "GSS_C_NT_STRING_UID_NAME"); 280 output += AppendIfPredefinedValue(oid, 281 GSS_C_NT_HOSTBASED_SERVICE_X, 282 "GSS_C_NT_HOSTBASED_SERVICE_X"); 283 output += AppendIfPredefinedValue(oid, 284 GSS_C_NT_HOSTBASED_SERVICE, 285 "GSS_C_NT_HOSTBASED_SERVICE"); 286 output += AppendIfPredefinedValue(oid, 287 GSS_C_NT_ANONYMOUS, 288 "GSS_C_NT_ANONYMOUS"); 289 output += AppendIfPredefinedValue(oid, 290 GSS_C_NT_EXPORT_NAME, 291 "GSS_C_NT_EXPORT_NAME"); 292 293 return output; 294 } 295 296 std::string DescribeName(GSSAPILibrary* gssapi_lib, const gss_name_t name) { 297 OM_uint32 major_status = 0; 298 OM_uint32 minor_status = 0; 299 gss_buffer_desc_struct output_name_buffer = GSS_C_EMPTY_BUFFER; 300 gss_OID_desc output_name_type_desc = GSS_C_EMPTY_BUFFER; 301 gss_OID output_name_type = &output_name_type_desc; 302 major_status = gssapi_lib->display_name(&minor_status, 303 name, 304 &output_name_buffer, 305 &output_name_type); 306 ScopedBuffer scoped_output_name(&output_name_buffer, gssapi_lib); 307 if (major_status != GSS_S_COMPLETE) { 308 std::string error = 309 base::StringPrintf("Unable to describe name 0x%p, %s", 310 name, 311 DisplayExtendedStatus(gssapi_lib, 312 major_status, 313 minor_status).c_str()); 314 return error; 315 } 316 int len = output_name_buffer.length; 317 std::string description = base::StringPrintf( 318 "%*s (Type %s)", 319 len, 320 reinterpret_cast<const char*>(output_name_buffer.value), 321 DescribeOid(gssapi_lib, output_name_type).c_str()); 322 return description; 323 } 324 325 std::string DescribeContext(GSSAPILibrary* gssapi_lib, 326 const gss_ctx_id_t context_handle) { 327 OM_uint32 major_status = 0; 328 OM_uint32 minor_status = 0; 329 gss_name_t src_name = GSS_C_NO_NAME; 330 gss_name_t targ_name = GSS_C_NO_NAME; 331 OM_uint32 lifetime_rec = 0; 332 gss_OID mech_type = GSS_C_NO_OID; 333 OM_uint32 ctx_flags = 0; 334 int locally_initiated = 0; 335 int open = 0; 336 if (context_handle == GSS_C_NO_CONTEXT) 337 return std::string("Context: GSS_C_NO_CONTEXT"); 338 major_status = gssapi_lib->inquire_context(&minor_status, 339 context_handle, 340 &src_name, 341 &targ_name, 342 &lifetime_rec, 343 &mech_type, 344 &ctx_flags, 345 &locally_initiated, 346 &open); 347 ScopedName(src_name, gssapi_lib); 348 ScopedName(targ_name, gssapi_lib); 349 if (major_status != GSS_S_COMPLETE) { 350 std::string error = 351 base::StringPrintf("Unable to describe context 0x%p, %s", 352 context_handle, 353 DisplayExtendedStatus(gssapi_lib, 354 major_status, 355 minor_status).c_str()); 356 return error; 357 } 358 std::string source(DescribeName(gssapi_lib, src_name)); 359 std::string target(DescribeName(gssapi_lib, targ_name)); 360 std::string description = base::StringPrintf("Context 0x%p: " 361 "Source \"%s\", " 362 "Target \"%s\", " 363 "lifetime %d, " 364 "mechanism %s, " 365 "flags 0x%08X, " 366 "local %d, " 367 "open %d", 368 context_handle, 369 source.c_str(), 370 target.c_str(), 371 lifetime_rec, 372 DescribeOid(gssapi_lib, 373 mech_type).c_str(), 374 ctx_flags, 375 locally_initiated, 376 open); 377 return description; 378 } 379 380 } // namespace 381 382 GSSAPISharedLibrary::GSSAPISharedLibrary(const std::string& gssapi_library_name) 383 : initialized_(false), 384 gssapi_library_name_(gssapi_library_name), 385 gssapi_library_(NULL), 386 import_name_(NULL), 387 release_name_(NULL), 388 release_buffer_(NULL), 389 display_name_(NULL), 390 display_status_(NULL), 391 init_sec_context_(NULL), 392 wrap_size_limit_(NULL), 393 delete_sec_context_(NULL), 394 inquire_context_(NULL) { 395 } 396 397 GSSAPISharedLibrary::~GSSAPISharedLibrary() { 398 if (gssapi_library_) { 399 base::UnloadNativeLibrary(gssapi_library_); 400 gssapi_library_ = NULL; 401 } 402 } 403 404 bool GSSAPISharedLibrary::Init() { 405 if (!initialized_) 406 InitImpl(); 407 return initialized_; 408 } 409 410 bool GSSAPISharedLibrary::InitImpl() { 411 DCHECK(!initialized_); 412 #if defined(DLOPEN_KERBEROS) 413 gssapi_library_ = LoadSharedLibrary(); 414 if (gssapi_library_ == NULL) 415 return false; 416 #endif // defined(DLOPEN_KERBEROS) 417 initialized_ = true; 418 return true; 419 } 420 421 base::NativeLibrary GSSAPISharedLibrary::LoadSharedLibrary() { 422 const char* const* library_names; 423 size_t num_lib_names; 424 const char* user_specified_library[1]; 425 if (!gssapi_library_name_.empty()) { 426 user_specified_library[0] = gssapi_library_name_.c_str(); 427 library_names = user_specified_library; 428 num_lib_names = 1; 429 } else { 430 static const char* const kDefaultLibraryNames[] = { 431 #if defined(OS_MACOSX) 432 "libgssapi_krb5.dylib" // MIT Kerberos 433 #elif defined(OS_OPENBSD) 434 "libgssapi.so" // Heimdal - OpenBSD 435 #else 436 "libgssapi_krb5.so.2", // MIT Kerberos - FC, Suse10, Debian 437 "libgssapi.so.4", // Heimdal - Suse10, MDK 438 "libgssapi.so.2", // Heimdal - Gentoo 439 "libgssapi.so.1" // Heimdal - Suse9, CITI - FC, MDK, Suse10 440 #endif 441 }; 442 library_names = kDefaultLibraryNames; 443 num_lib_names = arraysize(kDefaultLibraryNames); 444 } 445 446 for (size_t i = 0; i < num_lib_names; ++i) { 447 const char* library_name = library_names[i]; 448 base::FilePath file_path(library_name); 449 450 // TODO(asanka): Move library loading to a separate thread. 451 // http://crbug.com/66702 452 base::ThreadRestrictions::ScopedAllowIO allow_io_temporarily; 453 base::NativeLibrary lib = base::LoadNativeLibrary(file_path, NULL); 454 if (lib) { 455 // Only return this library if we can bind the functions we need. 456 if (BindMethods(lib)) 457 return lib; 458 base::UnloadNativeLibrary(lib); 459 } 460 } 461 LOG(WARNING) << "Unable to find a compatible GSSAPI library"; 462 return NULL; 463 } 464 465 #if defined(DLOPEN_KERBEROS) 466 #define BIND(lib, x) \ 467 DCHECK(lib); \ 468 gss_##x##_type x = reinterpret_cast<gss_##x##_type>( \ 469 base::GetFunctionPointerFromNativeLibrary(lib, "gss_" #x)); \ 470 if (x == NULL) { \ 471 LOG(WARNING) << "Unable to bind function \"" << "gss_" #x << "\""; \ 472 return false; \ 473 } 474 #else 475 #define BIND(lib, x) gss_##x##_type x = gss_##x 476 #endif 477 478 bool GSSAPISharedLibrary::BindMethods(base::NativeLibrary lib) { 479 BIND(lib, import_name); 480 BIND(lib, release_name); 481 BIND(lib, release_buffer); 482 BIND(lib, display_name); 483 BIND(lib, display_status); 484 BIND(lib, init_sec_context); 485 BIND(lib, wrap_size_limit); 486 BIND(lib, delete_sec_context); 487 BIND(lib, inquire_context); 488 489 import_name_ = import_name; 490 release_name_ = release_name; 491 release_buffer_ = release_buffer; 492 display_name_ = display_name; 493 display_status_ = display_status; 494 init_sec_context_ = init_sec_context; 495 wrap_size_limit_ = wrap_size_limit; 496 delete_sec_context_ = delete_sec_context; 497 inquire_context_ = inquire_context; 498 499 return true; 500 } 501 502 #undef BIND 503 504 OM_uint32 GSSAPISharedLibrary::import_name( 505 OM_uint32* minor_status, 506 const gss_buffer_t input_name_buffer, 507 const gss_OID input_name_type, 508 gss_name_t* output_name) { 509 DCHECK(initialized_); 510 return import_name_(minor_status, input_name_buffer, input_name_type, 511 output_name); 512 } 513 514 OM_uint32 GSSAPISharedLibrary::release_name( 515 OM_uint32* minor_status, 516 gss_name_t* input_name) { 517 DCHECK(initialized_); 518 return release_name_(minor_status, input_name); 519 } 520 521 OM_uint32 GSSAPISharedLibrary::release_buffer( 522 OM_uint32* minor_status, 523 gss_buffer_t buffer) { 524 DCHECK(initialized_); 525 return release_buffer_(minor_status, buffer); 526 } 527 528 OM_uint32 GSSAPISharedLibrary::display_name( 529 OM_uint32* minor_status, 530 const gss_name_t input_name, 531 gss_buffer_t output_name_buffer, 532 gss_OID* output_name_type) { 533 DCHECK(initialized_); 534 return display_name_(minor_status, 535 input_name, 536 output_name_buffer, 537 output_name_type); 538 } 539 540 OM_uint32 GSSAPISharedLibrary::display_status( 541 OM_uint32* minor_status, 542 OM_uint32 status_value, 543 int status_type, 544 const gss_OID mech_type, 545 OM_uint32* message_context, 546 gss_buffer_t status_string) { 547 DCHECK(initialized_); 548 return display_status_(minor_status, status_value, status_type, mech_type, 549 message_context, status_string); 550 } 551 552 OM_uint32 GSSAPISharedLibrary::init_sec_context( 553 OM_uint32* minor_status, 554 const gss_cred_id_t initiator_cred_handle, 555 gss_ctx_id_t* context_handle, 556 const gss_name_t target_name, 557 const gss_OID mech_type, 558 OM_uint32 req_flags, 559 OM_uint32 time_req, 560 const gss_channel_bindings_t input_chan_bindings, 561 const gss_buffer_t input_token, 562 gss_OID* actual_mech_type, 563 gss_buffer_t output_token, 564 OM_uint32* ret_flags, 565 OM_uint32* time_rec) { 566 DCHECK(initialized_); 567 return init_sec_context_(minor_status, 568 initiator_cred_handle, 569 context_handle, 570 target_name, 571 mech_type, 572 req_flags, 573 time_req, 574 input_chan_bindings, 575 input_token, 576 actual_mech_type, 577 output_token, 578 ret_flags, 579 time_rec); 580 } 581 582 OM_uint32 GSSAPISharedLibrary::wrap_size_limit( 583 OM_uint32* minor_status, 584 const gss_ctx_id_t context_handle, 585 int conf_req_flag, 586 gss_qop_t qop_req, 587 OM_uint32 req_output_size, 588 OM_uint32* max_input_size) { 589 DCHECK(initialized_); 590 return wrap_size_limit_(minor_status, 591 context_handle, 592 conf_req_flag, 593 qop_req, 594 req_output_size, 595 max_input_size); 596 } 597 598 OM_uint32 GSSAPISharedLibrary::delete_sec_context( 599 OM_uint32* minor_status, 600 gss_ctx_id_t* context_handle, 601 gss_buffer_t output_token) { 602 // This is called from the owner class' destructor, even if 603 // Init() is not called, so we can't assume |initialized_| 604 // is set. 605 if (!initialized_) 606 return 0; 607 return delete_sec_context_(minor_status, 608 context_handle, 609 output_token); 610 } 611 612 OM_uint32 GSSAPISharedLibrary::inquire_context( 613 OM_uint32* minor_status, 614 const gss_ctx_id_t context_handle, 615 gss_name_t* src_name, 616 gss_name_t* targ_name, 617 OM_uint32* lifetime_rec, 618 gss_OID* mech_type, 619 OM_uint32* ctx_flags, 620 int* locally_initiated, 621 int* open) { 622 DCHECK(initialized_); 623 return inquire_context_(minor_status, 624 context_handle, 625 src_name, 626 targ_name, 627 lifetime_rec, 628 mech_type, 629 ctx_flags, 630 locally_initiated, 631 open); 632 } 633 634 ScopedSecurityContext::ScopedSecurityContext(GSSAPILibrary* gssapi_lib) 635 : security_context_(GSS_C_NO_CONTEXT), 636 gssapi_lib_(gssapi_lib) { 637 DCHECK(gssapi_lib_); 638 } 639 640 ScopedSecurityContext::~ScopedSecurityContext() { 641 if (security_context_ != GSS_C_NO_CONTEXT) { 642 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; 643 OM_uint32 minor_status = 0; 644 OM_uint32 major_status = gssapi_lib_->delete_sec_context( 645 &minor_status, &security_context_, &output_token); 646 if (major_status != GSS_S_COMPLETE) { 647 LOG(WARNING) << "Problem releasing security_context. " 648 << DisplayStatus(major_status, minor_status); 649 } 650 security_context_ = GSS_C_NO_CONTEXT; 651 } 652 } 653 654 HttpAuthGSSAPI::HttpAuthGSSAPI(GSSAPILibrary* library, 655 const std::string& scheme, 656 gss_OID gss_oid) 657 : scheme_(scheme), 658 gss_oid_(gss_oid), 659 library_(library), 660 scoped_sec_context_(library), 661 can_delegate_(false) { 662 DCHECK(library_); 663 } 664 665 HttpAuthGSSAPI::~HttpAuthGSSAPI() { 666 } 667 668 bool HttpAuthGSSAPI::Init() { 669 if (!library_) 670 return false; 671 return library_->Init(); 672 } 673 674 bool HttpAuthGSSAPI::NeedsIdentity() const { 675 return decoded_server_auth_token_.empty(); 676 } 677 678 bool HttpAuthGSSAPI::AllowsExplicitCredentials() const { 679 return false; 680 } 681 682 void HttpAuthGSSAPI::Delegate() { 683 can_delegate_ = true; 684 } 685 686 HttpAuth::AuthorizationResult HttpAuthGSSAPI::ParseChallenge( 687 HttpAuth::ChallengeTokenizer* tok) { 688 // Verify the challenge's auth-scheme. 689 if (!LowerCaseEqualsASCII(tok->scheme(), StringToLowerASCII(scheme_).c_str())) 690 return HttpAuth::AUTHORIZATION_RESULT_INVALID; 691 692 std::string encoded_auth_token = tok->base64_param(); 693 694 if (encoded_auth_token.empty()) { 695 // If a context has already been established, an empty Negotiate challenge 696 // should be treated as a rejection of the current attempt. 697 if (scoped_sec_context_.get() != GSS_C_NO_CONTEXT) 698 return HttpAuth::AUTHORIZATION_RESULT_REJECT; 699 DCHECK(decoded_server_auth_token_.empty()); 700 return HttpAuth::AUTHORIZATION_RESULT_ACCEPT; 701 } else { 702 // If a context has not already been established, additional tokens should 703 // not be present in the auth challenge. 704 if (scoped_sec_context_.get() == GSS_C_NO_CONTEXT) 705 return HttpAuth::AUTHORIZATION_RESULT_INVALID; 706 } 707 708 // Make sure the additional token is base64 encoded. 709 std::string decoded_auth_token; 710 bool base64_rv = base::Base64Decode(encoded_auth_token, &decoded_auth_token); 711 if (!base64_rv) 712 return HttpAuth::AUTHORIZATION_RESULT_INVALID; 713 decoded_server_auth_token_ = decoded_auth_token; 714 return HttpAuth::AUTHORIZATION_RESULT_ACCEPT; 715 } 716 717 int HttpAuthGSSAPI::GenerateAuthToken(const AuthCredentials* credentials, 718 const std::string& spn, 719 std::string* auth_token) { 720 DCHECK(auth_token); 721 722 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; 723 input_token.length = decoded_server_auth_token_.length(); 724 input_token.value = (input_token.length > 0) ? 725 const_cast<char*>(decoded_server_auth_token_.data()) : 726 NULL; 727 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; 728 ScopedBuffer scoped_output_token(&output_token, library_); 729 int rv = GetNextSecurityToken(spn, &input_token, &output_token); 730 if (rv != OK) 731 return rv; 732 733 // Base64 encode data in output buffer and prepend the scheme. 734 std::string encode_input(static_cast<char*>(output_token.value), 735 output_token.length); 736 std::string encode_output; 737 base::Base64Encode(encode_input, &encode_output); 738 *auth_token = scheme_ + " " + encode_output; 739 return OK; 740 } 741 742 743 namespace { 744 745 // GSSAPI status codes consist of a calling error (essentially, a programmer 746 // bug), a routine error (defined by the RFC), and supplementary information, 747 // all bitwise-or'ed together in different regions of the 32 bit return value. 748 // This means a simple switch on the return codes is not sufficient. 749 750 int MapImportNameStatusToError(OM_uint32 major_status) { 751 VLOG(1) << "import_name returned 0x" << std::hex << major_status; 752 if (major_status == GSS_S_COMPLETE) 753 return OK; 754 if (GSS_CALLING_ERROR(major_status) != 0) 755 return ERR_UNEXPECTED; 756 OM_uint32 routine_error = GSS_ROUTINE_ERROR(major_status); 757 switch (routine_error) { 758 case GSS_S_FAILURE: 759 // Looking at the MIT Kerberos implementation, this typically is returned 760 // when memory allocation fails. However, the API does not guarantee 761 // that this is the case, so using ERR_UNEXPECTED rather than 762 // ERR_OUT_OF_MEMORY. 763 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; 764 case GSS_S_BAD_NAME: 765 case GSS_S_BAD_NAMETYPE: 766 return ERR_MALFORMED_IDENTITY; 767 case GSS_S_DEFECTIVE_TOKEN: 768 // Not mentioned in the API, but part of code. 769 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; 770 case GSS_S_BAD_MECH: 771 return ERR_UNSUPPORTED_AUTH_SCHEME; 772 default: 773 return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS; 774 } 775 } 776 777 int MapInitSecContextStatusToError(OM_uint32 major_status) { 778 VLOG(1) << "init_sec_context returned 0x" << std::hex << major_status; 779 // Although GSS_S_CONTINUE_NEEDED is an additional bit, it seems like 780 // other code just checks if major_status is equivalent to it to indicate 781 // that there are no other errors included. 782 if (major_status == GSS_S_COMPLETE || major_status == GSS_S_CONTINUE_NEEDED) 783 return OK; 784 if (GSS_CALLING_ERROR(major_status) != 0) 785 return ERR_UNEXPECTED; 786 OM_uint32 routine_status = GSS_ROUTINE_ERROR(major_status); 787 switch (routine_status) { 788 case GSS_S_DEFECTIVE_TOKEN: 789 return ERR_INVALID_RESPONSE; 790 case GSS_S_DEFECTIVE_CREDENTIAL: 791 // Not expected since this implementation uses the default credential. 792 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; 793 case GSS_S_BAD_SIG: 794 // Probably won't happen, but it's a bad response. 795 return ERR_INVALID_RESPONSE; 796 case GSS_S_NO_CRED: 797 return ERR_INVALID_AUTH_CREDENTIALS; 798 case GSS_S_CREDENTIALS_EXPIRED: 799 return ERR_INVALID_AUTH_CREDENTIALS; 800 case GSS_S_BAD_BINDINGS: 801 // This only happens with mutual authentication. 802 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; 803 case GSS_S_NO_CONTEXT: 804 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; 805 case GSS_S_BAD_NAMETYPE: 806 return ERR_UNSUPPORTED_AUTH_SCHEME; 807 case GSS_S_BAD_NAME: 808 return ERR_UNSUPPORTED_AUTH_SCHEME; 809 case GSS_S_BAD_MECH: 810 return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; 811 case GSS_S_FAILURE: 812 // This should be an "Unexpected Security Status" according to the 813 // GSSAPI documentation, but it's typically used to indicate that 814 // credentials are not correctly set up on a user machine, such 815 // as a missing credential cache or hitting this after calling 816 // kdestroy. 817 // TODO(cbentzel): Use minor code for even better mapping? 818 return ERR_MISSING_AUTH_CREDENTIALS; 819 default: 820 if (routine_status != 0) 821 return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS; 822 break; 823 } 824 OM_uint32 supplemental_status = GSS_SUPPLEMENTARY_INFO(major_status); 825 // Replays could indicate an attack. 826 if (supplemental_status & (GSS_S_DUPLICATE_TOKEN | GSS_S_OLD_TOKEN | 827 GSS_S_UNSEQ_TOKEN | GSS_S_GAP_TOKEN)) 828 return ERR_INVALID_RESPONSE; 829 830 // At this point, every documented status has been checked. 831 return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS; 832 } 833 834 } 835 836 int HttpAuthGSSAPI::GetNextSecurityToken(const std::string& spn, 837 gss_buffer_t in_token, 838 gss_buffer_t out_token) { 839 // Create a name for the principal 840 // TODO(cbentzel): Just do this on the first pass? 841 std::string spn_principal = spn; 842 gss_buffer_desc spn_buffer = GSS_C_EMPTY_BUFFER; 843 spn_buffer.value = const_cast<char*>(spn_principal.c_str()); 844 spn_buffer.length = spn_principal.size() + 1; 845 OM_uint32 minor_status = 0; 846 gss_name_t principal_name = GSS_C_NO_NAME; 847 OM_uint32 major_status = library_->import_name( 848 &minor_status, 849 &spn_buffer, 850 GSS_C_NT_HOSTBASED_SERVICE, 851 &principal_name); 852 int rv = MapImportNameStatusToError(major_status); 853 if (rv != OK) { 854 LOG(ERROR) << "Problem importing name from " 855 << "spn \"" << spn_principal << "\"\n" 856 << DisplayExtendedStatus(library_, major_status, minor_status); 857 return rv; 858 } 859 ScopedName scoped_name(principal_name, library_); 860 861 // Continue creating a security context. 862 OM_uint32 req_flags = 0; 863 if (can_delegate_) 864 req_flags |= GSS_C_DELEG_FLAG; 865 major_status = library_->init_sec_context( 866 &minor_status, 867 GSS_C_NO_CREDENTIAL, 868 scoped_sec_context_.receive(), 869 principal_name, 870 gss_oid_, 871 req_flags, 872 GSS_C_INDEFINITE, 873 GSS_C_NO_CHANNEL_BINDINGS, 874 in_token, 875 NULL, // actual_mech_type 876 out_token, 877 NULL, // ret flags 878 NULL); 879 rv = MapInitSecContextStatusToError(major_status); 880 if (rv != OK) { 881 LOG(ERROR) << "Problem initializing context. \n" 882 << DisplayExtendedStatus(library_, major_status, minor_status) 883 << '\n' 884 << DescribeContext(library_, scoped_sec_context_.get()); 885 } 886 return rv; 887 } 888 889 } // namespace net 890
