1 /* vim:set ts=4 sw=2 sts=2 et cindent: */
2 /* This Source Code Form is subject to the terms of the Mozilla Public
3 * License, v. 2.0. If a copy of the MPL was not distributed with this
4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
5
6 //
7 // GSSAPI Authentication Support Module
8 //
9 // Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
10 // (formerly draft-brezak-spnego-http-04.txt)
11 //
12 // Also described here:
13 // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
14 //
15 //
16
17 #include "mozilla/ArrayUtils.h"
18 #include "mozilla/IntegerPrintfMacros.h"
19
20 #include "nsCOMPtr.h"
21 #include "nsMemory.h"
22 #include "nsNativeCharsetUtils.h"
23 #include "mozilla/Preferences.h"
24 #include "mozilla/SharedLibrary.h"
25 #include "mozilla/Telemetry.h"
26
27 #include "nsAuthGSSAPI.h"
28
29 #ifdef XP_MACOSX
30 # include <Kerberos/Kerberos.h>
31 #endif
32
33 #ifdef XP_MACOSX
34 typedef KLStatus (*KLCacheHasValidTickets_type)(KLPrincipal, KLKerberosVersion,
35 KLBoolean*, KLPrincipal*,
36 char**);
37 #endif
38
39 #if defined(HAVE_RES_NINIT)
40 # include <sys/types.h>
41 # include <netinet/in.h>
42 # include <arpa/nameser.h>
43 # include <resolv.h>
44 #endif
45
46 using namespace mozilla;
47
48 //-----------------------------------------------------------------------------
49
50 // We define GSS_C_NT_HOSTBASED_SERVICE explicitly since it may be referenced
51 // by by a different name depending on the implementation of gss but always
52 // has the same value
53
54 static gss_OID_desc gss_c_nt_hostbased_service = {
55 10, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"};
56
57 static const char kNegotiateAuthGssLib[] = "network.negotiate-auth.gsslib";
58 static const char kNegotiateAuthNativeImp[] =
59 "network.negotiate-auth.using-native-gsslib";
60
61 static struct GSSFunction {
62 const char* str;
63 PRFuncPtr func;
64 } gssFuncs[] = {{"gss_display_status", nullptr},
65 {"gss_init_sec_context", nullptr},
66 {"gss_indicate_mechs", nullptr},
67 {"gss_release_oid_set", nullptr},
68 {"gss_delete_sec_context", nullptr},
69 {"gss_import_name", nullptr},
70 {"gss_release_buffer", nullptr},
71 {"gss_release_name", nullptr},
72 {"gss_wrap", nullptr},
73 {"gss_unwrap", nullptr}};
74
75 static bool gssNativeImp = true;
76 static PRLibrary* gssLibrary = nullptr;
77
78 #define gss_display_status_ptr ((gss_display_status_type)*gssFuncs[0].func)
79 #define gss_init_sec_context_ptr ((gss_init_sec_context_type)*gssFuncs[1].func)
80 #define gss_indicate_mechs_ptr ((gss_indicate_mechs_type)*gssFuncs[2].func)
81 #define gss_release_oid_set_ptr ((gss_release_oid_set_type)*gssFuncs[3].func)
82 #define gss_delete_sec_context_ptr \
83 ((gss_delete_sec_context_type)*gssFuncs[4].func)
84 #define gss_import_name_ptr ((gss_import_name_type)*gssFuncs[5].func)
85 #define gss_release_buffer_ptr ((gss_release_buffer_type)*gssFuncs[6].func)
86 #define gss_release_name_ptr ((gss_release_name_type)*gssFuncs[7].func)
87 #define gss_wrap_ptr ((gss_wrap_type)*gssFuncs[8].func)
88 #define gss_unwrap_ptr ((gss_unwrap_type)*gssFuncs[9].func)
89
90 #ifdef XP_MACOSX
91 static PRFuncPtr KLCacheHasValidTicketsPtr;
92 # define KLCacheHasValidTickets_ptr \
93 ((KLCacheHasValidTickets_type)*KLCacheHasValidTicketsPtr)
94 #endif
95
gssInit()96 static nsresult gssInit() {
97 #ifdef XP_WIN
98 nsAutoString libPathU;
99 Preferences::GetString(kNegotiateAuthGssLib, libPathU);
100 NS_ConvertUTF16toUTF8 libPath(libPathU);
101 #else
102 nsAutoCString libPath;
103 Preferences::GetCString(kNegotiateAuthGssLib, libPath);
104 #endif
105 gssNativeImp = Preferences::GetBool(kNegotiateAuthNativeImp);
106
107 PRLibrary* lib = nullptr;
108
109 if (!libPath.IsEmpty()) {
110 LOG(("Attempting to load user specified library [%s]\n", libPath.get()));
111 gssNativeImp = false;
112 #ifdef XP_WIN
113 lib = LoadLibraryWithFlags(libPathU.get());
114 #else
115 lib = LoadLibraryWithFlags(libPath.get());
116 #endif
117 } else {
118 #ifdef XP_WIN
119 # ifdef _WIN64
120 constexpr auto kLibName = u"gssapi64.dll"_ns;
121 # else
122 constexpr auto kLibName = u"gssapi32.dll"_ns;
123 # endif
124
125 lib = LoadLibraryWithFlags(kLibName.get());
126 #elif defined(__OpenBSD__)
127 /* OpenBSD doesn't register inter-library dependencies in basesystem
128 * libs therefor we need to load all the libraries gssapi depends on,
129 * in the correct order and with LD_GLOBAL for GSSAPI auth to work
130 * fine.
131 */
132
133 const char* const verLibNames[] = {
134 "libasn1.so", "libcrypto.so", "libroken.so", "libheimbase.so",
135 "libcom_err.so", "libkrb5.so", "libgssapi.so"};
136
137 PRLibSpec libSpec;
138 for (size_t i = 0; i < ArrayLength(verLibNames); ++i) {
139 libSpec.type = PR_LibSpec_Pathname;
140 libSpec.value.pathname = verLibNames[i];
141 lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_GLOBAL);
142 }
143
144 #else
145
146 const char* const libNames[] = {"gss", "gssapi_krb5", "gssapi"};
147
148 const char* const verLibNames[] = {
149 "libgssapi_krb5.so.2", /* MIT - FC, Suse10, Debian */
150 "libgssapi.so.4", /* Heimdal - Suse10, MDK */
151 "libgssapi.so.1" /* Heimdal - Suse9, CITI - FC, MDK, Suse10*/
152 };
153
154 for (size_t i = 0; i < ArrayLength(verLibNames) && !lib; ++i) {
155 lib = PR_LoadLibrary(verLibNames[i]);
156
157 /* The CITI libgssapi library calls exit() during
158 * initialization if it's not correctly configured. Try to
159 * ensure that we never use this library for our GSSAPI
160 * support, as its just a wrapper library, anyway.
161 * See Bugzilla #325433
162 */
163 if (lib && PR_FindFunctionSymbol(lib, "internal_krb5_gss_initialize") &&
164 PR_FindFunctionSymbol(lib, "gssd_pname_to_uid")) {
165 LOG(("CITI libgssapi found, which calls exit(). Skipping\n"));
166 PR_UnloadLibrary(lib);
167 lib = nullptr;
168 }
169 }
170
171 for (size_t i = 0; i < ArrayLength(libNames) && !lib; ++i) {
172 char* libName = PR_GetLibraryName(nullptr, libNames[i]);
173 if (libName) {
174 lib = PR_LoadLibrary(libName);
175 PR_FreeLibraryName(libName);
176
177 if (lib && PR_FindFunctionSymbol(lib, "internal_krb5_gss_initialize") &&
178 PR_FindFunctionSymbol(lib, "gssd_pname_to_uid")) {
179 LOG(("CITI libgssapi found, which calls exit(). Skipping\n"));
180 PR_UnloadLibrary(lib);
181 lib = nullptr;
182 }
183 }
184 }
185 #endif
186 }
187
188 if (!lib) {
189 LOG(("Fail to load gssapi library\n"));
190 return NS_ERROR_FAILURE;
191 }
192
193 LOG(("Attempting to load gss functions\n"));
194
195 for (size_t i = 0; i < ArrayLength(gssFuncs); ++i) {
196 gssFuncs[i].func = PR_FindFunctionSymbol(lib, gssFuncs[i].str);
197 if (!gssFuncs[i].func) {
198 LOG(("Fail to load %s function from gssapi library\n", gssFuncs[i].str));
199 PR_UnloadLibrary(lib);
200 return NS_ERROR_FAILURE;
201 }
202 }
203 #ifdef XP_MACOSX
204 if (gssNativeImp && !(KLCacheHasValidTicketsPtr = PR_FindFunctionSymbol(
205 lib, "KLCacheHasValidTickets"))) {
206 LOG(("Fail to load KLCacheHasValidTickets function from gssapi library\n"));
207 PR_UnloadLibrary(lib);
208 return NS_ERROR_FAILURE;
209 }
210 #endif
211
212 gssLibrary = lib;
213 return NS_OK;
214 }
215
216 // Generate proper GSSAPI error messages from the major and
217 // minor status codes.
LogGssError(OM_uint32 maj_stat,OM_uint32 min_stat,const char * prefix)218 void LogGssError(OM_uint32 maj_stat, OM_uint32 min_stat, const char* prefix) {
219 if (!MOZ_LOG_TEST(gNegotiateLog, LogLevel::Debug)) {
220 return;
221 }
222
223 OM_uint32 new_stat;
224 OM_uint32 msg_ctx = 0;
225 gss_buffer_desc status1_string;
226 gss_buffer_desc status2_string;
227 OM_uint32 ret;
228 nsAutoCString errorStr;
229 errorStr.Assign(prefix);
230
231 if (!gssLibrary) return;
232
233 errorStr += ": ";
234 do {
235 ret = gss_display_status_ptr(&new_stat, maj_stat, GSS_C_GSS_CODE,
236 GSS_C_NULL_OID, &msg_ctx, &status1_string);
237 errorStr.Append((const char*)status1_string.value, status1_string.length);
238 gss_release_buffer_ptr(&new_stat, &status1_string);
239
240 errorStr += '\n';
241 ret = gss_display_status_ptr(&new_stat, min_stat, GSS_C_MECH_CODE,
242 GSS_C_NULL_OID, &msg_ctx, &status2_string);
243 errorStr.Append((const char*)status2_string.value, status2_string.length);
244 errorStr += '\n';
245 } while (!GSS_ERROR(ret) && msg_ctx != 0);
246
247 LOG(("%s\n", errorStr.get()));
248 }
249
250 //-----------------------------------------------------------------------------
251
nsAuthGSSAPI(pType package)252 nsAuthGSSAPI::nsAuthGSSAPI(pType package) : mServiceFlags(REQ_DEFAULT) {
253 OM_uint32 minstat;
254 OM_uint32 majstat;
255 gss_OID_set mech_set;
256 gss_OID item;
257
258 unsigned int i;
259 static gss_OID_desc gss_krb5_mech_oid_desc = {
260 9, (void*)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
261 static gss_OID_desc gss_spnego_mech_oid_desc = {
262 6, (void*)"\x2b\x06\x01\x05\x05\x02"};
263
264 LOG(("entering nsAuthGSSAPI::nsAuthGSSAPI()\n"));
265
266 mComplete = false;
267
268 if (!gssLibrary && NS_FAILED(gssInit())) return;
269
270 mCtx = GSS_C_NO_CONTEXT;
271 mMechOID = &gss_krb5_mech_oid_desc;
272
273 // if the type is kerberos we accept it as default
274 // and exit
275
276 if (package == PACKAGE_TYPE_KERBEROS) return;
277
278 // Now, look at the list of supported mechanisms,
279 // if SPNEGO is found, then use it.
280 // Otherwise, set the desired mechanism to
281 // GSS_C_NO_OID and let the system try to use
282 // the default mechanism.
283 //
284 // Using Kerberos directly (instead of negotiating
285 // with SPNEGO) may work in some cases depending
286 // on how smart the server side is.
287
288 majstat = gss_indicate_mechs_ptr(&minstat, &mech_set);
289 if (GSS_ERROR(majstat)) return;
290
291 if (mech_set) {
292 for (i = 0; i < mech_set->count; i++) {
293 item = &mech_set->elements[i];
294 if (item->length == gss_spnego_mech_oid_desc.length &&
295 !memcmp(item->elements, gss_spnego_mech_oid_desc.elements,
296 item->length)) {
297 // ok, we found it
298 mMechOID = &gss_spnego_mech_oid_desc;
299 break;
300 }
301 }
302 gss_release_oid_set_ptr(&minstat, &mech_set);
303 }
304 }
305
Reset()306 void nsAuthGSSAPI::Reset() {
307 if (gssLibrary && mCtx != GSS_C_NO_CONTEXT) {
308 OM_uint32 minor_status;
309 gss_delete_sec_context_ptr(&minor_status, &mCtx, GSS_C_NO_BUFFER);
310 }
311 mCtx = GSS_C_NO_CONTEXT;
312 mComplete = false;
313 }
314
315 /* static */
Shutdown()316 void nsAuthGSSAPI::Shutdown() {
317 if (gssLibrary) {
318 PR_UnloadLibrary(gssLibrary);
319 gssLibrary = nullptr;
320 }
321 }
322
323 /* Limitations apply to this class's thread safety. See the header file */
NS_IMPL_ISUPPORTS(nsAuthGSSAPI,nsIAuthModule)324 NS_IMPL_ISUPPORTS(nsAuthGSSAPI, nsIAuthModule)
325
326 NS_IMETHODIMP
327 nsAuthGSSAPI::Init(const char* serviceName, uint32_t serviceFlags,
328 const char16_t* domain, const char16_t* username,
329 const char16_t* password) {
330 // we don't expect to be passed any user credentials
331 NS_ASSERTION(!domain && !username && !password, "unexpected credentials");
332
333 // it's critial that the caller supply a service name to be used
334 NS_ENSURE_TRUE(serviceName && *serviceName, NS_ERROR_INVALID_ARG);
335
336 LOG(("entering nsAuthGSSAPI::Init()\n"));
337
338 if (!gssLibrary) return NS_ERROR_NOT_INITIALIZED;
339
340 mServiceName = serviceName;
341 mServiceFlags = serviceFlags;
342
343 static bool sTelemetrySent = false;
344 if (!sTelemetrySent) {
345 mozilla::Telemetry::Accumulate(mozilla::Telemetry::NTLM_MODULE_USED_2,
346 serviceFlags & nsIAuthModule::REQ_PROXY_AUTH
347 ? NTLM_MODULE_KERBEROS_PROXY
348 : NTLM_MODULE_KERBEROS_DIRECT);
349 sTelemetrySent = true;
350 }
351
352 return NS_OK;
353 }
354
355 NS_IMETHODIMP
GetNextToken(const void * inToken,uint32_t inTokenLen,void ** outToken,uint32_t * outTokenLen)356 nsAuthGSSAPI::GetNextToken(const void* inToken, uint32_t inTokenLen,
357 void** outToken, uint32_t* outTokenLen) {
358 OM_uint32 major_status, minor_status;
359 OM_uint32 req_flags = 0;
360 gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
361 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
362 gss_buffer_t in_token_ptr = GSS_C_NO_BUFFER;
363 gss_name_t server;
364 nsAutoCString userbuf;
365 nsresult rv;
366
367 LOG(("entering nsAuthGSSAPI::GetNextToken()\n"));
368
369 if (!gssLibrary) return NS_ERROR_NOT_INITIALIZED;
370
371 // If they've called us again after we're complete, reset to start afresh.
372 if (mComplete) Reset();
373
374 if (mServiceFlags & REQ_DELEGATE) req_flags |= GSS_C_DELEG_FLAG;
375
376 if (mServiceFlags & REQ_MUTUAL_AUTH) req_flags |= GSS_C_MUTUAL_FLAG;
377
378 input_token.value = (void*)mServiceName.get();
379 input_token.length = mServiceName.Length() + 1;
380
381 #if defined(HAVE_RES_NINIT)
382 res_ninit(&_res);
383 #endif
384 major_status = gss_import_name_ptr(&minor_status, &input_token,
385 &gss_c_nt_hostbased_service, &server);
386 input_token.value = nullptr;
387 input_token.length = 0;
388 if (GSS_ERROR(major_status)) {
389 LogGssError(major_status, minor_status, "gss_import_name() failed");
390 return NS_ERROR_FAILURE;
391 }
392
393 if (inToken) {
394 input_token.length = inTokenLen;
395 input_token.value = (void*)inToken;
396 in_token_ptr = &input_token;
397 } else if (mCtx != GSS_C_NO_CONTEXT) {
398 // If there is no input token, then we are starting a new
399 // authentication sequence. If we have already initialized our
400 // security context, then we're in trouble because it means that the
401 // first sequence failed. We need to bail or else we might end up in
402 // an infinite loop.
403 LOG(("Cannot restart authentication sequence!"));
404 return NS_ERROR_UNEXPECTED;
405 }
406
407 #if defined(XP_MACOSX)
408 // Suppress Kerberos prompts to get credentials. See bug 240643.
409 // We can only use Mac OS X specific kerb functions if we are using
410 // the native lib
411 KLBoolean found;
412 bool doingMailTask = mServiceName.Find("imap@") ||
413 mServiceName.Find("pop@") ||
414 mServiceName.Find("smtp@") || mServiceName.Find("ldap@");
415
416 if (!doingMailTask &&
417 (gssNativeImp &&
418 (KLCacheHasValidTickets_ptr(nullptr, kerberosVersion_V5, &found, nullptr,
419 nullptr) != klNoErr ||
420 !found))) {
421 major_status = GSS_S_FAILURE;
422 minor_status = 0;
423 } else
424 #endif /* XP_MACOSX */
425 major_status = gss_init_sec_context_ptr(
426 &minor_status, GSS_C_NO_CREDENTIAL, &mCtx, server, mMechOID, req_flags,
427 GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS, in_token_ptr, nullptr,
428 &output_token, nullptr, nullptr);
429
430 if (GSS_ERROR(major_status)) {
431 LogGssError(major_status, minor_status, "gss_init_sec_context() failed");
432 Reset();
433 rv = NS_ERROR_FAILURE;
434 goto end;
435 }
436 if (major_status == GSS_S_COMPLETE) {
437 // Mark ourselves as being complete, so that if we're called again
438 // we know to start afresh.
439 mComplete = true;
440 } else if (major_status == GSS_S_CONTINUE_NEEDED) {
441 //
442 // The important thing is that we do NOT reset the
443 // context here because it will be needed on the
444 // next call.
445 //
446 }
447
448 *outTokenLen = output_token.length;
449 if (output_token.length != 0)
450 *outToken = moz_xmemdup(output_token.value, output_token.length);
451 else
452 *outToken = nullptr;
453
454 gss_release_buffer_ptr(&minor_status, &output_token);
455
456 if (major_status == GSS_S_COMPLETE)
457 rv = NS_SUCCESS_AUTH_FINISHED;
458 else
459 rv = NS_OK;
460
461 end:
462 gss_release_name_ptr(&minor_status, &server);
463
464 LOG((" leaving nsAuthGSSAPI::GetNextToken [rv=%" PRIx32 "]",
465 static_cast<uint32_t>(rv)));
466 return rv;
467 }
468
469 NS_IMETHODIMP
Unwrap(const void * inToken,uint32_t inTokenLen,void ** outToken,uint32_t * outTokenLen)470 nsAuthGSSAPI::Unwrap(const void* inToken, uint32_t inTokenLen, void** outToken,
471 uint32_t* outTokenLen) {
472 OM_uint32 major_status, minor_status;
473
474 gss_buffer_desc input_token;
475 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
476
477 input_token.value = (void*)inToken;
478 input_token.length = inTokenLen;
479
480 major_status = gss_unwrap_ptr(&minor_status, mCtx, &input_token,
481 &output_token, nullptr, nullptr);
482 if (GSS_ERROR(major_status)) {
483 LogGssError(major_status, minor_status, "gss_unwrap() failed");
484 Reset();
485 gss_release_buffer_ptr(&minor_status, &output_token);
486 return NS_ERROR_FAILURE;
487 }
488
489 *outTokenLen = output_token.length;
490
491 if (output_token.length)
492 *outToken = moz_xmemdup(output_token.value, output_token.length);
493 else
494 *outToken = nullptr;
495
496 gss_release_buffer_ptr(&minor_status, &output_token);
497
498 return NS_OK;
499 }
500
501 NS_IMETHODIMP
Wrap(const void * inToken,uint32_t inTokenLen,bool confidential,void ** outToken,uint32_t * outTokenLen)502 nsAuthGSSAPI::Wrap(const void* inToken, uint32_t inTokenLen, bool confidential,
503 void** outToken, uint32_t* outTokenLen) {
504 OM_uint32 major_status, minor_status;
505
506 gss_buffer_desc input_token;
507 gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER;
508
509 input_token.value = (void*)inToken;
510 input_token.length = inTokenLen;
511
512 major_status =
513 gss_wrap_ptr(&minor_status, mCtx, confidential, GSS_C_QOP_DEFAULT,
514 &input_token, nullptr, &output_token);
515
516 if (GSS_ERROR(major_status)) {
517 LogGssError(major_status, minor_status, "gss_wrap() failed");
518 Reset();
519 gss_release_buffer_ptr(&minor_status, &output_token);
520 return NS_ERROR_FAILURE;
521 }
522
523 *outTokenLen = output_token.length;
524
525 /* it is not possible for output_token.length to be zero */
526 *outToken = moz_xmemdup(output_token.value, output_token.length);
527 gss_release_buffer_ptr(&minor_status, &output_token);
528
529 return NS_OK;
530 }
531