1 : /* vim:set ts=4 sw=4 et cindent: */
2 : /* ***** BEGIN LICENSE BLOCK *****
3 : * Version: MPL 1.1/GPL 2.0/LGPL 2.1
4 : *
5 : * The contents of this file are subject to the Mozilla Public License Version
6 : * 1.1 (the "License"); you may not use this file except in compliance with
7 : * the License. You may obtain a copy of the License at
8 : * http://www.mozilla.org/MPL/
9 : *
10 : * Software distributed under the License is distributed on an "AS IS" basis,
11 : * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
12 : * for the specific language governing rights and limitations under the
13 : * License.
14 : *
15 : * The Original Code is saslgssapi
16 : *
17 : * The Initial Developer of the Original Code is Simon Wilkinson
18 : * Portions created by the Initial Developer are Copyright (C) 2005
19 : * the Initial Developer. All Rights Reserved.
20 : *
21 : * Contributor(s):
22 : * Simon Wilkinson <simon@sxw.org.uk>
23 : *
24 : * Alternatively, the contents of this file may be used under the terms of
25 : * either the GNU General Public License Version 2 or later (the "GPL"), or
26 : * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
27 : * in which case the provisions of the GPL or the LGPL are applicable instead
28 : * of those above. If you wish to allow use of your version of this file only
29 : * under the terms of either the GPL or the LGPL, and not to allow others to
30 : * use your version of this file under the terms of the MPL, indicate your
31 : * decision by deleting the provisions above and replace them with the notice
32 : * and other provisions required by the GPL or the LGPL. If you do not delete
33 : * the provisions above, a recipient may use your version of this file under
34 : * the terms of any one of the MPL, the GPL or the LGPL.
35 : *
36 : * ***** END LICENSE BLOCK ***** */
37 :
#include <string.h>

#include "nsComponentManagerUtils.h"
#include "nsNativeCharsetUtils.h"
#include "nsIServiceManager.h"
#include "nsIPrefService.h"

#include "nsAuthSASL.h"
44 :
// Boolean pref consulted in Init(): when true, the SSPI-backed Kerberos
// module ("kerb-sspi") is instantiated instead of the GSSAPI one ("kerb-gss").
static const char kNegotiateAuthSSPI[] = "network.auth.use-sspi";
46 :
// A freshly constructed module has not finished the GSSAPI exchange yet, so
// the SASL security-layer/authzid step is not armed until Init()/GetNextToken()
// drive the inner module to completion.
nsAuthSASL::nsAuthSASL()
    : mSASLReady(false)
{
}
51 :
// Return to the "GSSAPI handshake not yet complete" state. Called after the
// final SASL token has been produced and on any failure in the SASL phase so
// that a later GetNextToken() starts over rather than replaying the last step.
void nsAuthSASL::Reset() { mSASLReady = false; }
56 :
/* Thread-safe reference counting only; the object itself must not be driven
 * concurrently from several threads. Limitations apply to this class's thread
 * safety -- see the header file. */
NS_IMPL_THREADSAFE_ISUPPORTS1(nsAuthSASL, nsIAuthModule)
59 :
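/**
 * Prepare the SASL GSSAPI wrapper.
 *
 * @param serviceName  service principal passed through to the inner module
 * @param serviceFlags nsIAuthModule flags; REQ_MUTUAL_AUTH is always added
 * @param domain       must be null (asserted in debug builds)
 * @param username     authorization identity sent in the final SASL token
 * @param password     must be null (asserted in debug builds)
 * @return NS_OK, or the failure from creating/initialising the inner
 *         Kerberos module (previously the inner Init() result was dropped).
 */
NS_IMETHODIMP
nsAuthSASL::Init(const char *serviceName,
                 PRUint32 serviceFlags,
                 const PRUnichar *domain,
                 const PRUnichar *username,
                 const PRUnichar *password)
{
    nsresult rv;

    NS_ASSERTION(username, "SASL requires a username");
    NS_ASSERTION(!domain && !password, "unexpected credentials");

    mUsername = username;

    // SASL GSSAPI always negotiates with mutual authentication so the client
    // verifies the server's identity as well.
    serviceFlags |= REQ_MUTUAL_AUTH;

    // Default to the GSSAPI backend; the pref switches to the SSPI backend.
    const char *contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "kerb-gss";

    nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
    if (prefs) {
        bool useSSPI;
        rv = prefs->GetBoolPref(kNegotiateAuthSSPI, &useSSPI);
        if (NS_SUCCEEDED(rv) && useSSPI)
            contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "kerb-sspi";
    }

    mInnerModule = do_CreateInstance(contractID, &rv);
    // If we can't create the Kerberos module there is nothing to wrap; bail.
    NS_ENSURE_SUCCESS(rv, rv);

    // Propagate the inner module's Init() failure instead of reporting NS_OK
    // with a half-initialised module; drop the module so GetNextToken()
    // reports NS_ERROR_NOT_INITIALIZED rather than using it.
    rv = mInnerModule->Init(serviceName, serviceFlags, nsnull, nsnull, nsnull);
    if (NS_FAILED(rv)) {
        mInnerModule = nsnull;
        Reset();
        return rv;
    }

    return NS_OK;
}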
96 :
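/**
 * Produce the next client token of the SASL GSSAPI exchange (RFC 4752).
 *
 * Phase 1 (mSASLReady == false): tokens are delegated verbatim to the inner
 * Kerberos module until it reports NS_SUCCESS_AUTH_FINISHED.
 * Phase 2 (mSASLReady == true): the server's wrapped security-layer token is
 * unwrapped and checked, and the client's wrapped "no security layer" +
 * authzid token is returned with NS_SUCCESS_AUTH_FINISHED.
 *
 * @param inToken/inTokenLen   token received from the server (may be empty)
 * @param outToken/outTokenLen token to send; allocated with nsMemory, caller
 *                             frees. Set to NULL/0 for the empty COMPLETE case.
 * @return NS_OK while the exchange continues, NS_SUCCESS_AUTH_FINISHED on the
 *         last token, NS_ERROR_NOT_INITIALIZED before Init(), or the error
 *         from the inner module. Any failure in phase 2 calls Reset().
 */
NS_IMETHODIMP
nsAuthSASL::GetNextToken(const void *inToken,
                         PRUint32 inTokenLen,
                         void **outToken,
                         PRUint32 *outTokenLen)
{
    nsresult rv;

    if (!mInnerModule)
        return NS_ERROR_NOT_INITIALIZED;

    if (!mSASLReady) {
        // Phase 1: GSSAPI context establishment, handled by the inner module.
        rv = mInnerModule->GetNextToken(inToken, inTokenLen, outToken,
                                        outTokenLen);
        if (rv == NS_SUCCESS_AUTH_FINISHED) {
            // The GSSAPI part is done; the next call does the SASL step.
            mSASLReady = true;
            rv = NS_OK;
        }
        return rv;
    }

    // Phase 2: SASL security-layer and authzid negotiation.

    // If the server COMPLETEs with an empty token, Cyrus sends us that token.
    // This does not look correct, but we need to handle that behaviour;
    // Cyrus ignores the contents of our reply token.
    if (inTokenLen == 0) {
        *outToken = NULL;
        *outTokenLen = 0;
        return NS_OK;
    }

    // The server's packet is wrapped; unwrapping also verifies its integrity.
    void *unwrappedToken;
    PRUint32 unwrappedTokenLen;
    rv = mInnerModule->Unwrap(inToken, inTokenLen, &unwrappedToken,
                              &unwrappedTokenLen);
    if (NS_FAILED(rv)) {
        Reset();
        return rv;
    }

    // RFC 4752 section 3.1: the unwrapped server token is 4 octets -- a
    // bitmask of the security layers the server supports followed by its
    // maximum buffer size. We only implement "no security layer" (0x01), so
    // the server must offer it; otherwise the exchange cannot succeed.
    bool serverOffersNoLayer =
        unwrappedTokenLen >= 4 &&
        (static_cast<const unsigned char *>(unwrappedToken)[0] & 0x01) != 0;
    nsMemory::Free(unwrappedToken);
    if (!serverOffersNoLayer) {
        Reset();
        return NS_ERROR_FAILURE;
    }

    // The conversion result used to be ignored; a failure would have sent an
    // empty or partial authzid.
    nsCAutoString userbuf;
    rv = NS_CopyUnicodeToNative(mUsername, userbuf);
    if (NS_FAILED(rv)) {
        Reset();
        return rv;
    }

    // Client token: 1 octet selected layer + 3 octets maxbuf + authzid.
    // The authzid is NOT NUL-terminated on the wire, so no extra byte here.
    PRUint32 messageLen = 4 + userbuf.Length();
    char *message = static_cast<char *>(nsMemory::Alloc(messageLen));
    if (!message) {
        Reset();
        return NS_ERROR_OUT_OF_MEMORY;
    }
    message[0] = 0x01; // no security layer
    message[1] = 0x00; // maxbuf must be zero when no security layer is chosen
    message[2] = 0x00;
    message[3] = 0x00;
    memcpy(message + 4, userbuf.get(), userbuf.Length());

    rv = mInnerModule->Wrap(message, messageLen, false, outToken, outTokenLen);
    nsMemory::Free(message);
    Reset(); // All done, whether or not Wrap succeeded.
    return NS_SUCCEEDED(rv) ? NS_SUCCESS_AUTH_FINISHED : rv;
}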
165 :
// Not supported at this level: GetNextToken() always selects "no security
// layer", so callers never have wrapped application data to hand us. The
// inner module's Unwrap() is used only internally during the final exchange.
NS_IMETHODIMP
nsAuthSASL::Unwrap(const void *inToken, PRUint32 inTokenLen,
                   void **outToken, PRUint32 *outTokenLen)
{
    return NS_ERROR_NOT_IMPLEMENTED;
}
174 :
// Not supported at this level, for the same reason as Unwrap(): no security
// layer is negotiated, so there is no per-message protection to apply to
// application data. The inner module's Wrap() is used only internally.
NS_IMETHODIMP
nsAuthSASL::Wrap(const void *inToken, PRUint32 inTokenLen, bool confidential,
                 void **outToken, PRUint32 *outTokenLen)
{
    return NS_ERROR_NOT_IMPLEMENTED;
}