2018-11-30 18:39:55 +03:00
|
|
|
/* vim:set ts=4 sw=2 sts=2 et cindent: */
|
2012-05-21 15:12:37 +04:00
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
2005-08-10 03:06:47 +04:00
|
|
|
|
|
|
|
//
|
|
|
|
// Negotiate Authentication Support Module
|
|
|
|
//
|
|
|
|
// Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
|
|
|
|
// (formerly draft-brezak-spnego-http-04.txt)
|
|
|
|
//
|
|
|
|
// Also described here:
|
|
|
|
// http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
|
|
|
|
//
|
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
#include "nsAuthSSPI.h"
|
2017-09-11 05:13:42 +03:00
|
|
|
#include "nsDNSService2.h"
|
2005-08-10 03:06:47 +04:00
|
|
|
#include "nsIServiceManager.h"
|
|
|
|
#include "nsIDNSService.h"
|
|
|
|
#include "nsIDNSRecord.h"
|
2017-12-07 06:36:57 +03:00
|
|
|
#include "nsMemory.h"
|
2005-08-10 03:06:47 +04:00
|
|
|
#include "nsNetCID.h"
|
|
|
|
#include "nsCOMPtr.h"
|
2011-11-09 21:18:59 +04:00
|
|
|
#include "nsICryptoHash.h"
|
2013-07-25 20:54:11 +04:00
|
|
|
#include "mozilla/Telemetry.h"
|
2005-08-10 03:06:47 +04:00
|
|
|
|
2008-08-28 01:44:54 +04:00
|
|
|
#include <windows.h>
|
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
#define SEC_SUCCESS(Status) ((Status) >= 0)
|
|
|
|
|
|
|
|
#ifndef KERB_WRAP_NO_ENCRYPT
|
|
|
|
# define KERB_WRAP_NO_ENCRYPT 0x80000001
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifndef SECBUFFER_PADDING
|
|
|
|
# define SECBUFFER_PADDING 9
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifndef SECBUFFER_STREAM
|
|
|
|
# define SECBUFFER_STREAM 10
|
|
|
|
#endif
|
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
|
2019-05-01 11:47:10 +03:00
|
|
|
static const wchar_t* const pTypeName[] = {L"Kerberos", L"Negotiate", L"NTLM"};
|
2005-08-18 19:22:33 +04:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
#ifdef DEBUG
|
|
|
|
# define CASE_(_x) \
|
|
|
|
case _x: \
|
|
|
|
return #_x;
|
2019-05-01 11:47:10 +03:00
|
|
|
static const char* MapErrorCode(int rc) {
|
2005-08-10 03:06:47 +04:00
|
|
|
switch (rc) {
|
|
|
|
CASE_(SEC_E_OK)
|
|
|
|
CASE_(SEC_I_CONTINUE_NEEDED)
|
|
|
|
CASE_(SEC_I_COMPLETE_NEEDED)
|
|
|
|
CASE_(SEC_I_COMPLETE_AND_CONTINUE)
|
|
|
|
CASE_(SEC_E_INCOMPLETE_MESSAGE)
|
|
|
|
CASE_(SEC_I_INCOMPLETE_CREDENTIALS)
|
|
|
|
CASE_(SEC_E_INVALID_HANDLE)
|
|
|
|
CASE_(SEC_E_TARGET_UNKNOWN)
|
|
|
|
CASE_(SEC_E_LOGON_DENIED)
|
|
|
|
CASE_(SEC_E_INTERNAL_ERROR)
|
|
|
|
CASE_(SEC_E_NO_CREDENTIALS)
|
|
|
|
CASE_(SEC_E_NO_AUTHENTICATING_AUTHORITY)
|
|
|
|
CASE_(SEC_E_INSUFFICIENT_MEMORY)
|
|
|
|
CASE_(SEC_E_INVALID_TOKEN)
|
|
|
|
}
|
|
|
|
return "<unknown>";
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
# define MapErrorCode(_rc) ""
|
|
|
|
#endif
|
|
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
|
2008-08-28 01:44:54 +04:00
|
|
|
static PSecurityFunctionTableW sspi;
|
2005-08-10 03:06:47 +04:00
|
|
|
|
|
|
|
static nsresult InitSSPI() {
|
2005-08-18 19:22:33 +04:00
|
|
|
LOG((" InitSSPI\n"));
|
|
|
|
|
2012-02-23 18:53:55 +04:00
|
|
|
sspi = InitSecurityInterfaceW();
|
2005-08-10 03:06:47 +04:00
|
|
|
if (!sspi) {
|
2008-08-28 01:44:54 +04:00
|
|
|
LOG(("InitSecurityInterfaceW failed"));
|
2005-08-10 03:06:47 +04:00
|
|
|
return NS_ERROR_UNEXPECTED;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NS_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
|
2019-05-01 11:47:10 +03:00
|
|
|
nsresult nsAuthSSPI::MakeSN(const char* principal, nsCString& result) {
|
2013-01-22 20:59:01 +04:00
|
|
|
nsresult rv;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2013-01-22 20:59:01 +04:00
|
|
|
nsAutoCString buf(principal);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2013-01-22 20:59:01 +04:00
|
|
|
// The service name looks like "protocol@hostname", we need to map
|
|
|
|
// this to a value that SSPI expects. To be consistent with IE, we
|
|
|
|
// need to map '@' to '/' and canonicalize the hostname.
|
2013-04-03 04:59:27 +04:00
|
|
|
int32_t index = buf.FindChar('@');
|
2013-01-22 20:59:01 +04:00
|
|
|
if (index == kNotFound) return NS_ERROR_UNEXPECTED;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2017-09-11 05:13:42 +03:00
|
|
|
nsCOMPtr<nsIDNSService> dnsService =
|
|
|
|
do_GetService(NS_DNSSERVICE_CONTRACTID, &rv);
|
2013-01-22 20:59:01 +04:00
|
|
|
if (NS_FAILED(rv)) return rv;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2019-05-01 11:47:10 +03:00
|
|
|
auto dns = static_cast<nsDNSService*>(dnsService.get());
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2013-01-22 20:59:01 +04:00
|
|
|
// This could be expensive if our DNS cache cannot satisfy the request.
|
|
|
|
// However, we should have at least hit the OS resolver once prior to
|
|
|
|
// reaching this code, so provided the OS resolver has this information
|
|
|
|
// cached, we should not have to worry about blocking on this function call
|
|
|
|
// for very long. NOTE: because we ask for the canonical hostname, we
|
|
|
|
// might end up requiring extra network activity in cases where the OS
|
|
|
|
// resolver might not have enough information to satisfy the request from
|
|
|
|
// its cache. This is not an issue in versions of Windows up to WinXP.
|
|
|
|
nsCOMPtr<nsIDNSRecord> record;
|
2017-02-15 05:39:40 +03:00
|
|
|
mozilla::OriginAttributes attrs;
|
2017-09-11 05:13:42 +03:00
|
|
|
rv = dns->DeprecatedSyncResolve(Substring(buf, index + 1),
|
|
|
|
nsIDNSService::RESOLVE_CANONICAL_NAME, attrs,
|
|
|
|
getter_AddRefs(record));
|
2013-01-22 20:59:01 +04:00
|
|
|
if (NS_FAILED(rv)) return rv;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2013-01-22 20:59:01 +04:00
|
|
|
nsAutoCString cname;
|
|
|
|
rv = record->GetCanonicalName(cname);
|
|
|
|
if (NS_SUCCEEDED(rv)) {
|
|
|
|
result = StringHead(buf, index) + NS_LITERAL_CSTRING("/") + cname;
|
|
|
|
LOG(("Using SPN of [%s]\n", result.get()));
|
|
|
|
}
|
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
|
|
|
//-----------------------------------------------------------------------------
|
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
nsAuthSSPI::nsAuthSSPI(pType package)
|
2005-08-10 03:06:47 +04:00
|
|
|
: mServiceFlags(REQ_DEFAULT),
|
2005-08-10 03:06:58 +04:00
|
|
|
mMaxTokenLen(0),
|
2005-08-18 19:22:33 +04:00
|
|
|
mPackage(package),
|
2012-07-30 18:20:58 +04:00
|
|
|
mCertDERData(nullptr),
|
2011-11-09 21:18:59 +04:00
|
|
|
mCertDERLength(0) {
|
2005-08-10 03:06:47 +04:00
|
|
|
memset(&mCred, 0, sizeof(mCred));
|
|
|
|
memset(&mCtxt, 0, sizeof(mCtxt));
|
|
|
|
}
|
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
nsAuthSSPI::~nsAuthSSPI() {
|
2005-08-10 03:06:47 +04:00
|
|
|
Reset();
|
|
|
|
|
|
|
|
if (mCred.dwLower || mCred.dwUpper) {
|
|
|
|
#ifdef __MINGW32__
|
|
|
|
(sspi->FreeCredentialsHandle)(&mCred);
|
|
|
|
#else
|
|
|
|
(sspi->FreeCredentialHandle)(&mCred);
|
|
|
|
#endif
|
|
|
|
memset(&mCred, 0, sizeof(mCred));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
void nsAuthSSPI::Reset() {
|
2011-11-09 21:18:59 +04:00
|
|
|
mIsFirst = true;
|
|
|
|
|
|
|
|
if (mCertDERData) {
|
2015-03-27 03:01:12 +03:00
|
|
|
free(mCertDERData);
|
2012-07-30 18:20:58 +04:00
|
|
|
mCertDERData = nullptr;
|
2017-07-06 15:00:35 +03:00
|
|
|
mCertDERLength = 0;
|
2011-11-09 21:18:59 +04:00
|
|
|
}
|
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
if (mCtxt.dwLower || mCtxt.dwUpper) {
|
|
|
|
(sspi->DeleteSecurityContext)(&mCtxt);
|
|
|
|
memset(&mCtxt, 0, sizeof(mCtxt));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-04-27 11:06:00 +04:00
|
|
|
NS_IMPL_ISUPPORTS(nsAuthSSPI, nsIAuthModule)
|
2005-08-10 03:06:47 +04:00
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2019-05-01 11:47:10 +03:00
|
|
|
nsAuthSSPI::Init(const char* serviceName, uint32_t serviceFlags,
|
|
|
|
const char16_t* domain, const char16_t* username,
|
|
|
|
const char16_t* password) {
|
2005-08-18 19:22:33 +04:00
|
|
|
LOG((" nsAuthSSPI::Init\n"));
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
mIsFirst = true;
|
|
|
|
mCertDERLength = 0;
|
2012-07-30 18:20:58 +04:00
|
|
|
mCertDERData = nullptr;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2009-11-20 01:12:43 +03:00
|
|
|
// The caller must supply a service name to be used. (For why we now require
|
|
|
|
// a service name for NTLM, see bug 487872.)
|
2009-11-05 01:12:24 +03:00
|
|
|
NS_ENSURE_TRUE(serviceName && *serviceName, NS_ERROR_INVALID_ARG);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
nsresult rv;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
// XXX lazy initialization like this assumes that we are single threaded
|
|
|
|
if (!sspi) {
|
|
|
|
rv = InitSSPI();
|
|
|
|
if (NS_FAILED(rv)) return rv;
|
|
|
|
}
|
2019-05-01 11:47:10 +03:00
|
|
|
SEC_WCHAR* package;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2019-05-01 11:47:10 +03:00
|
|
|
package = (SEC_WCHAR*)pTypeName[(int)mPackage];
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2013-01-22 20:59:01 +04:00
|
|
|
if (mPackage == PACKAGE_TYPE_NTLM) {
|
|
|
|
// (bug 535193) For NTLM, just use the uri host, do not do canonical host
|
|
|
|
// lookups. The incoming serviceName is in the format: "protocol@hostname",
|
|
|
|
// SSPI expects
|
|
|
|
// "<service class>/<hostname>", so swap the '@' for a '/'.
|
|
|
|
mServiceName.Assign(serviceName);
|
|
|
|
int32_t index = mServiceName.FindChar('@');
|
|
|
|
if (index == kNotFound) return NS_ERROR_UNEXPECTED;
|
|
|
|
mServiceName.Replace(index, 1, '/');
|
|
|
|
} else {
|
|
|
|
// Kerberos requires the canonical host, MakeSN takes care of this through a
|
|
|
|
// DNS lookup.
|
|
|
|
rv = MakeSN(serviceName, mServiceName);
|
|
|
|
if (NS_FAILED(rv)) return rv;
|
|
|
|
}
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2009-11-05 01:12:24 +03:00
|
|
|
mServiceFlags = serviceFlags;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
SECURITY_STATUS rc;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2008-08-28 01:44:54 +04:00
|
|
|
PSecPkgInfoW pinfo;
|
|
|
|
rc = (sspi->QuerySecurityPackageInfoW)(package, &pinfo);
|
2005-08-10 03:06:58 +04:00
|
|
|
if (rc != SEC_E_OK) {
|
|
|
|
LOG(("%s package not found\n", package));
|
|
|
|
return NS_ERROR_UNEXPECTED;
|
|
|
|
}
|
|
|
|
mMaxTokenLen = pinfo->cbMaxToken;
|
|
|
|
(sspi->FreeContextBuffer)(pinfo);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2013-07-25 20:54:11 +04:00
|
|
|
MS_TimeStamp useBefore;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2009-11-20 01:12:43 +03:00
|
|
|
SEC_WINNT_AUTH_IDENTITY_W ai;
|
2019-05-01 11:47:10 +03:00
|
|
|
SEC_WINNT_AUTH_IDENTITY_W* pai = nullptr;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2009-11-20 01:12:43 +03:00
|
|
|
// domain, username, and password will be null if nsHttpNTLMAuth's
|
|
|
|
// ChallengeReceived returns false for identityInvalid. Use default
|
|
|
|
// credentials in this case by passing null for pai.
|
|
|
|
if (username && password) {
|
2009-12-02 22:26:24 +03:00
|
|
|
// Keep a copy of these strings for the duration
|
|
|
|
mUsername.Assign(username);
|
|
|
|
mPassword.Assign(password);
|
|
|
|
mDomain.Assign(domain);
|
2019-05-01 11:47:10 +03:00
|
|
|
ai.Domain = reinterpret_cast<unsigned short*>(mDomain.BeginWriting());
|
2009-12-02 22:26:24 +03:00
|
|
|
ai.DomainLength = mDomain.Length();
|
2019-05-01 11:47:10 +03:00
|
|
|
ai.User = reinterpret_cast<unsigned short*>(mUsername.BeginWriting());
|
2009-12-02 22:26:24 +03:00
|
|
|
ai.UserLength = mUsername.Length();
|
2019-05-01 11:47:10 +03:00
|
|
|
ai.Password = reinterpret_cast<unsigned short*>(mPassword.BeginWriting());
|
2009-12-02 22:26:24 +03:00
|
|
|
ai.PasswordLength = mPassword.Length();
|
2009-11-20 01:12:43 +03:00
|
|
|
ai.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
|
|
|
|
pai = &ai;
|
|
|
|
}
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2013-04-03 05:06:20 +04:00
|
|
|
rc = (sspi->AcquireCredentialsHandleW)(nullptr, package, SECPKG_CRED_OUTBOUND,
|
|
|
|
nullptr, pai, nullptr, nullptr, &mCred,
|
2008-09-05 23:09:06 +04:00
|
|
|
&useBefore);
|
2005-08-10 03:06:47 +04:00
|
|
|
if (rc != SEC_E_OK) return NS_ERROR_UNEXPECTED;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2013-07-25 20:54:11 +04:00
|
|
|
static bool sTelemetrySent = false;
|
|
|
|
if (!sTelemetrySent) {
|
2013-10-10 21:10:45 +04:00
|
|
|
mozilla::Telemetry::Accumulate(mozilla::Telemetry::NTLM_MODULE_USED_2,
|
|
|
|
serviceFlags & nsIAuthModule::REQ_PROXY_AUTH
|
2013-07-25 20:54:11 +04:00
|
|
|
? NTLM_MODULE_WIN_API_PROXY
|
|
|
|
: NTLM_MODULE_WIN_API_DIRECT);
|
|
|
|
sTelemetrySent = true;
|
|
|
|
}
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2009-11-20 01:12:43 +03:00
|
|
|
LOG(("AcquireCredentialsHandle() succeeded.\n"));
|
2005-08-10 03:06:47 +04:00
|
|
|
return NS_OK;
|
|
|
|
}
|
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
// The arguments inToken and inTokenLen are used to pass in the server
|
|
|
|
// certificate (when available) in the first call of the function. The
|
2017-07-06 15:00:35 +03:00
|
|
|
// second time these arguments hold an input token.
|
2005-08-10 03:06:47 +04:00
|
|
|
NS_IMETHODIMP
|
2019-05-01 11:47:10 +03:00
|
|
|
nsAuthSSPI::GetNextToken(const void* inToken, uint32_t inTokenLen,
|
|
|
|
void** outToken, uint32_t* outTokenLen) {
|
2011-11-09 21:18:59 +04:00
|
|
|
// String for end-point bindings.
|
2017-07-06 15:00:35 +03:00
|
|
|
const char end_point[] = "tls-server-end-point:";
|
2011-11-09 21:18:59 +04:00
|
|
|
const int end_point_length = sizeof(end_point) - 1;
|
|
|
|
const int hash_size = 32; // Size of a SHA256 hash.
|
|
|
|
const int cbt_size = hash_size + end_point_length;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
SECURITY_STATUS rc;
|
2013-07-25 20:54:11 +04:00
|
|
|
MS_TimeStamp ignored;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
DWORD ctxAttr, ctxReq = 0;
|
2019-05-01 11:47:10 +03:00
|
|
|
CtxtHandle* ctxIn;
|
2005-08-10 03:06:47 +04:00
|
|
|
SecBufferDesc ibd, obd;
|
2011-11-09 21:18:59 +04:00
|
|
|
// Optional second input buffer for the CBT (Channel Binding Token)
|
|
|
|
SecBuffer ib[2], ob;
|
|
|
|
// Pointer to the block of memory that stores the CBT
|
2019-05-01 11:47:10 +03:00
|
|
|
char* sspi_cbt = nullptr;
|
2011-11-09 21:18:59 +04:00
|
|
|
SEC_CHANNEL_BINDINGS pendpoint_binding;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
LOG(("entering nsAuthSSPI::GetNextToken()\n"));
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2009-12-16 23:11:51 +03:00
|
|
|
if (!mCred.dwLower && !mCred.dwUpper) {
|
2009-12-15 09:05:19 +03:00
|
|
|
LOG(("nsAuthSSPI::GetNextToken(), not initialized. exiting."));
|
|
|
|
return NS_ERROR_NOT_INITIALIZED;
|
|
|
|
}
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
if (mServiceFlags & REQ_DELEGATE) ctxReq |= ISC_REQ_DELEGATE;
|
|
|
|
if (mServiceFlags & REQ_MUTUAL_AUTH) ctxReq |= ISC_REQ_MUTUAL_AUTH;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
if (inToken) {
|
2011-11-09 21:18:59 +04:00
|
|
|
if (mIsFirst) {
|
|
|
|
// First time if it comes with a token,
|
|
|
|
// the token represents the server certificate.
|
|
|
|
mIsFirst = false;
|
|
|
|
mCertDERLength = inTokenLen;
|
2015-03-27 03:01:12 +03:00
|
|
|
mCertDERData = moz_xmalloc(inTokenLen);
|
2011-11-09 21:18:59 +04:00
|
|
|
memcpy(mCertDERData, inToken, inTokenLen);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2017-07-06 15:00:35 +03:00
|
|
|
// We are starting a new authentication sequence.
|
2011-11-09 21:18:59 +04:00
|
|
|
// If we have already initialized our
|
|
|
|
// security context, then we're in trouble because it means that the
|
|
|
|
// first sequence failed. We need to bail or else we might end up in
|
|
|
|
// an infinite loop.
|
|
|
|
if (mCtxt.dwLower || mCtxt.dwUpper) {
|
|
|
|
LOG(("Cannot restart authentication sequence!"));
|
|
|
|
return NS_ERROR_UNEXPECTED;
|
2018-11-30 13:46:48 +03:00
|
|
|
}
|
2012-07-30 18:20:58 +04:00
|
|
|
ctxIn = nullptr;
|
2011-11-09 21:18:59 +04:00
|
|
|
// The certificate needs to be erased before being passed
|
2017-07-06 15:00:35 +03:00
|
|
|
// to InitializeSecurityContextW().
|
2011-11-09 21:18:59 +04:00
|
|
|
inToken = nullptr;
|
|
|
|
inTokenLen = 0;
|
|
|
|
} else {
|
|
|
|
ibd.ulVersion = SECBUFFER_VERSION;
|
|
|
|
ibd.cBuffers = 0;
|
2017-07-06 15:00:35 +03:00
|
|
|
ibd.pBuffers = ib;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
// If we have stored a certificate, the Channel Binding Token
|
|
|
|
// needs to be generated and sent in the first input buffer.
|
|
|
|
if (mCertDERLength > 0) {
|
|
|
|
// First we create a proper Endpoint Binding structure.
|
|
|
|
pendpoint_binding.dwInitiatorAddrType = 0;
|
|
|
|
pendpoint_binding.cbInitiatorLength = 0;
|
|
|
|
pendpoint_binding.dwInitiatorOffset = 0;
|
|
|
|
pendpoint_binding.dwAcceptorAddrType = 0;
|
|
|
|
pendpoint_binding.cbAcceptorLength = 0;
|
|
|
|
pendpoint_binding.dwAcceptorOffset = 0;
|
|
|
|
pendpoint_binding.cbApplicationDataLength = cbt_size;
|
|
|
|
pendpoint_binding.dwApplicationDataOffset =
|
|
|
|
sizeof(SEC_CHANNEL_BINDINGS);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
// Then add it to the array of sec buffers accordingly.
|
|
|
|
ib[ibd.cBuffers].BufferType = SECBUFFER_CHANNEL_BINDINGS;
|
|
|
|
ib[ibd.cBuffers].cbBuffer = pendpoint_binding.cbApplicationDataLength +
|
|
|
|
pendpoint_binding.dwApplicationDataOffset;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2019-05-01 11:47:10 +03:00
|
|
|
sspi_cbt = (char*)moz_xmalloc(ib[ibd.cBuffers].cbBuffer);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
// Helper to write in the memory block that stores the CBT
|
2019-05-01 11:47:10 +03:00
|
|
|
char* sspi_cbt_ptr = sspi_cbt;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2015-03-27 03:01:12 +03:00
|
|
|
ib[ibd.cBuffers].pvBuffer = sspi_cbt;
|
2011-11-09 21:18:59 +04:00
|
|
|
ibd.cBuffers++;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
memcpy(sspi_cbt_ptr, &pendpoint_binding,
|
2017-07-06 15:00:35 +03:00
|
|
|
pendpoint_binding.dwApplicationDataOffset);
|
2011-11-09 21:18:59 +04:00
|
|
|
sspi_cbt_ptr += pendpoint_binding.dwApplicationDataOffset;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
memcpy(sspi_cbt_ptr, end_point, end_point_length);
|
|
|
|
sspi_cbt_ptr += end_point_length;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
// Start hashing. We are always doing SHA256, but depending
|
|
|
|
// on the certificate, a different alogirthm might be needed.
|
2012-07-30 18:20:58 +04:00
|
|
|
nsAutoCString hashString;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
nsresult rv;
|
|
|
|
nsCOMPtr<nsICryptoHash> crypto;
|
2017-07-06 15:00:35 +03:00
|
|
|
crypto = do_CreateInstance(NS_CRYPTO_HASH_CONTRACTID, &rv);
|
|
|
|
if (NS_SUCCEEDED(rv)) rv = crypto->Init(nsICryptoHash::SHA256);
|
2011-11-09 21:18:59 +04:00
|
|
|
if (NS_SUCCEEDED(rv))
|
2019-05-01 11:47:10 +03:00
|
|
|
rv = crypto->Update((unsigned char*)mCertDERData, mCertDERLength);
|
2005-08-10 03:06:47 +04:00
|
|
|
if (NS_SUCCEEDED(rv)) rv = crypto->Finish(false, hashString);
|
2011-11-09 21:18:59 +04:00
|
|
|
if (NS_FAILED(rv)) {
|
2005-08-10 03:06:47 +04:00
|
|
|
free(mCertDERData);
|
|
|
|
mCertDERData = nullptr;
|
2011-11-09 21:18:59 +04:00
|
|
|
mCertDERLength = 0;
|
2015-03-27 03:01:12 +03:00
|
|
|
free(sspi_cbt);
|
2005-08-10 03:06:47 +04:00
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
|
2008-08-28 01:44:54 +04:00
|
|
|
// Once the hash has been computed, we store it in memory right
|
2008-09-05 23:09:06 +04:00
|
|
|
// after the Endpoint structure and the "tls-server-end-point:"
|
2009-11-20 01:12:43 +03:00
|
|
|
// char array.
|
2015-03-27 03:01:12 +03:00
|
|
|
memcpy(sspi_cbt_ptr, hashString.get(), hash_size);
|
2005-08-18 19:22:33 +04:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
// Free memory used to store the server certificate
|
2015-03-27 03:01:12 +03:00
|
|
|
free(mCertDERData);
|
2012-07-30 18:20:58 +04:00
|
|
|
mCertDERData = nullptr;
|
2011-11-09 21:18:59 +04:00
|
|
|
mCertDERLength = 0;
|
|
|
|
} // End of CBT computation.
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2011-11-09 21:18:59 +04:00
|
|
|
// We always need this SECBUFFER.
|
|
|
|
ib[ibd.cBuffers].BufferType = SECBUFFER_TOKEN;
|
|
|
|
ib[ibd.cBuffers].cbBuffer = inTokenLen;
|
2019-05-01 11:47:10 +03:00
|
|
|
ib[ibd.cBuffers].pvBuffer = (void*)inToken;
|
2011-11-09 21:18:59 +04:00
|
|
|
ibd.cBuffers++;
|
|
|
|
ctxIn = &mCtxt;
|
2018-11-30 13:46:48 +03:00
|
|
|
}
|
2011-11-09 21:18:59 +04:00
|
|
|
} else { // First time and without a token (no server certificate)
|
2017-07-06 15:00:35 +03:00
|
|
|
// We are starting a new authentication sequence. If we have already
|
|
|
|
// initialized our security context, then we're in trouble because it
|
|
|
|
// means that the first sequence failed. We need to bail or else we
|
2011-11-09 21:18:59 +04:00
|
|
|
// might end up in an infinite loop.
|
|
|
|
if (mCtxt.dwLower || mCtxt.dwUpper || mCertDERData || mCertDERLength) {
|
2005-08-10 03:06:47 +04:00
|
|
|
LOG(("Cannot restart authentication sequence!"));
|
|
|
|
return NS_ERROR_UNEXPECTED;
|
2018-11-30 13:46:48 +03:00
|
|
|
}
|
2013-04-03 05:06:20 +04:00
|
|
|
ctxIn = nullptr;
|
2011-11-09 21:18:59 +04:00
|
|
|
mIsFirst = false;
|
2018-11-30 13:46:48 +03:00
|
|
|
}
|
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
obd.ulVersion = SECBUFFER_VERSION;
|
|
|
|
obd.cBuffers = 1;
|
|
|
|
obd.pBuffers = &ob;
|
|
|
|
ob.BufferType = SECBUFFER_TOKEN;
|
2005-08-10 03:06:58 +04:00
|
|
|
ob.cbBuffer = mMaxTokenLen;
|
2015-03-27 03:01:12 +03:00
|
|
|
ob.pvBuffer = moz_xmalloc(ob.cbBuffer);
|
2005-08-10 03:06:47 +04:00
|
|
|
memset(ob.pvBuffer, 0, ob.cbBuffer);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2008-09-05 23:09:06 +04:00
|
|
|
NS_ConvertUTF8toUTF16 wSN(mServiceName);
|
2019-05-01 11:47:10 +03:00
|
|
|
SEC_WCHAR* sn = (SEC_WCHAR*)wSN.get();
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2008-08-28 01:44:54 +04:00
|
|
|
rc = (sspi->InitializeSecurityContextW)(
|
2008-09-05 23:09:06 +04:00
|
|
|
&mCred, ctxIn, sn, ctxReq, 0, SECURITY_NATIVE_DREP,
|
2013-04-03 05:06:20 +04:00
|
|
|
inToken ? &ibd : nullptr, 0, &mCtxt, &obd, &ctxAttr, &ignored);
|
2005-08-10 03:06:47 +04:00
|
|
|
if (rc == SEC_I_CONTINUE_NEEDED || rc == SEC_E_OK) {
|
2005-08-18 19:22:33 +04:00
|
|
|
if (rc == SEC_E_OK)
|
|
|
|
LOG(("InitializeSecurityContext: succeeded.\n"));
|
2018-11-30 13:46:48 +03:00
|
|
|
else
|
2009-11-20 01:12:43 +03:00
|
|
|
LOG(("InitializeSecurityContext: continue.\n"));
|
2005-08-18 19:22:33 +04:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
if (sspi_cbt) free(sspi_cbt);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2006-03-07 05:38:31 +03:00
|
|
|
if (!ob.cbBuffer) {
|
2015-03-27 03:01:12 +03:00
|
|
|
free(ob.pvBuffer);
|
2005-08-10 03:06:47 +04:00
|
|
|
ob.pvBuffer = nullptr;
|
|
|
|
}
|
|
|
|
*outToken = ob.pvBuffer;
|
|
|
|
*outTokenLen = ob.cbBuffer;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-10 03:06:47 +04:00
|
|
|
if (rc == SEC_E_OK) return NS_SUCCESS_AUTH_FINISHED;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2006-01-25 23:26:08 +03:00
|
|
|
return NS_OK;
|
2018-11-30 13:46:48 +03:00
|
|
|
}
|
2005-08-10 03:06:47 +04:00
|
|
|
|
|
|
|
LOG(("InitializeSecurityContext failed [rc=%d:%s]\n", rc, MapErrorCode(rc)));
|
|
|
|
Reset();
|
2015-03-27 03:01:12 +03:00
|
|
|
free(ob.pvBuffer);
|
2005-08-10 03:06:47 +04:00
|
|
|
return NS_ERROR_FAILURE;
|
|
|
|
}
|
2005-08-18 19:22:33 +04:00
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2019-05-01 11:47:10 +03:00
|
|
|
nsAuthSSPI::Unwrap(const void* inToken, uint32_t inTokenLen, void** outToken,
|
|
|
|
uint32_t* outTokenLen) {
|
2005-08-18 19:22:33 +04:00
|
|
|
SECURITY_STATUS rc;
|
|
|
|
SecBufferDesc ibd;
|
|
|
|
SecBuffer ib[2];
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
ibd.cBuffers = 2;
|
|
|
|
ibd.pBuffers = ib;
|
2017-07-06 15:00:35 +03:00
|
|
|
ibd.ulVersion = SECBUFFER_VERSION;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
// SSPI Buf
|
|
|
|
ib[0].BufferType = SECBUFFER_STREAM;
|
|
|
|
ib[0].cbBuffer = inTokenLen;
|
2015-03-27 03:01:12 +03:00
|
|
|
ib[0].pvBuffer = moz_xmalloc(ib[0].cbBuffer);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
memcpy(ib[0].pvBuffer, inToken, inTokenLen);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
// app data
|
|
|
|
ib[1].BufferType = SECBUFFER_DATA;
|
|
|
|
ib[1].cbBuffer = 0;
|
2013-04-03 05:06:20 +04:00
|
|
|
ib[1].pvBuffer = nullptr;
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
rc = (sspi->DecryptMessage)(&mCtxt, &ibd,
|
|
|
|
0, // no sequence numbers
|
2013-04-03 05:06:20 +04:00
|
|
|
nullptr);
|
2018-11-30 13:46:48 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
if (SEC_SUCCESS(rc)) {
|
2009-09-07 18:30:58 +04:00
|
|
|
// check if ib[1].pvBuffer is really just ib[0].pvBuffer, in which
|
|
|
|
// case we can let the caller free it. Otherwise, we need to
|
|
|
|
// clone it, and free the original
|
|
|
|
if (ib[0].pvBuffer == ib[1].pvBuffer) {
|
|
|
|
*outToken = ib[1].pvBuffer;
|
|
|
|
} else {
|
2018-08-28 08:59:19 +03:00
|
|
|
*outToken = moz_xmemdup(ib[1].pvBuffer, ib[1].cbBuffer);
|
2015-03-27 03:01:12 +03:00
|
|
|
free(ib[0].pvBuffer);
|
2005-08-18 19:22:33 +04:00
|
|
|
}
|
|
|
|
*outTokenLen = ib[1].cbBuffer;
|
|
|
|
} else
|
2015-03-27 03:01:12 +03:00
|
|
|
free(ib[0].pvBuffer);
|
2005-08-18 19:22:33 +04:00
|
|
|
|
2006-01-25 23:26:08 +03:00
|
|
|
if (!SEC_SUCCESS(rc)) return NS_ERROR_FAILURE;
|
|
|
|
|
|
|
|
return NS_OK;
|
2005-08-18 19:22:33 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
// utility class used to free memory on exit
|
|
|
|
class secBuffers {
|
|
|
|
public:
|
|
|
|
SecBuffer ib[3];
|
|
|
|
|
|
|
|
secBuffers() { memset(&ib, 0, sizeof(ib)); }
|
|
|
|
|
|
|
|
~secBuffers() {
|
|
|
|
if (ib[0].pvBuffer) free(ib[0].pvBuffer);
|
|
|
|
|
2015-03-27 03:01:12 +03:00
|
|
|
if (ib[1].pvBuffer) free(ib[1].pvBuffer);
|
2005-08-18 19:22:33 +04:00
|
|
|
|
2015-03-27 03:01:12 +03:00
|
|
|
if (ib[2].pvBuffer) free(ib[2].pvBuffer);
|
2005-08-18 19:22:33 +04:00
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
NS_IMETHODIMP
|
2019-05-01 11:47:10 +03:00
|
|
|
nsAuthSSPI::Wrap(const void* inToken, uint32_t inTokenLen, bool confidential,
|
|
|
|
void** outToken, uint32_t* outTokenLen) {
|
2005-08-18 19:22:33 +04:00
|
|
|
SECURITY_STATUS rc;
|
|
|
|
|
|
|
|
SecBufferDesc ibd;
|
|
|
|
secBuffers bufs;
|
|
|
|
SecPkgContext_Sizes sizes;
|
|
|
|
|
2008-08-28 01:44:54 +04:00
|
|
|
rc = (sspi->QueryContextAttributesW)(&mCtxt, SECPKG_ATTR_SIZES, &sizes);
|
2005-08-18 19:22:33 +04:00
|
|
|
|
2006-01-25 23:26:08 +03:00
|
|
|
if (!SEC_SUCCESS(rc)) return NS_ERROR_FAILURE;
|
2017-07-06 15:00:35 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
ibd.cBuffers = 3;
|
|
|
|
ibd.pBuffers = bufs.ib;
|
|
|
|
ibd.ulVersion = SECBUFFER_VERSION;
|
2017-07-06 15:00:35 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
// SSPI
|
|
|
|
bufs.ib[0].cbBuffer = sizes.cbSecurityTrailer;
|
|
|
|
bufs.ib[0].BufferType = SECBUFFER_TOKEN;
|
2015-03-27 03:01:12 +03:00
|
|
|
bufs.ib[0].pvBuffer = moz_xmalloc(sizes.cbSecurityTrailer);
|
2005-08-18 19:22:33 +04:00
|
|
|
|
|
|
|
// APP Data
|
|
|
|
bufs.ib[1].BufferType = SECBUFFER_DATA;
|
2015-03-27 03:01:12 +03:00
|
|
|
bufs.ib[1].pvBuffer = moz_xmalloc(inTokenLen);
|
2005-08-18 19:22:33 +04:00
|
|
|
bufs.ib[1].cbBuffer = inTokenLen;
|
2017-07-06 15:00:35 +03:00
|
|
|
|
2005-08-18 19:22:33 +04:00
|
|
|
memcpy(bufs.ib[1].pvBuffer, inToken, inTokenLen);
|
|
|
|
|
|
|
|
// SSPI
|
|
|
|
bufs.ib[2].BufferType = SECBUFFER_PADDING;
|
|
|
|
bufs.ib[2].cbBuffer = sizes.cbBlockSize;
|
2015-03-27 03:01:12 +03:00
|
|
|
bufs.ib[2].pvBuffer = moz_xmalloc(bufs.ib[2].cbBuffer);
|
2005-08-18 19:22:33 +04:00
|
|
|
|
|
|
|
rc = (sspi->EncryptMessage)(&mCtxt, confidential ? 0 : KERB_WRAP_NO_ENCRYPT,
|
|
|
|
&ibd, 0);
|
|
|
|
|
|
|
|
if (SEC_SUCCESS(rc)) {
|
|
|
|
int len = bufs.ib[0].cbBuffer + bufs.ib[1].cbBuffer + bufs.ib[2].cbBuffer;
|
2019-05-01 11:47:10 +03:00
|
|
|
char* p = (char*)moz_xmalloc(len);
|
2005-08-18 19:22:33 +04:00
|
|
|
|
2019-05-01 11:47:10 +03:00
|
|
|
*outToken = (void*)p;
|
2006-03-07 05:38:31 +03:00
|
|
|
*outTokenLen = len;
|
2005-08-18 19:22:33 +04:00
|
|
|
|
2006-03-07 05:38:31 +03:00
|
|
|
memcpy(p, bufs.ib[0].pvBuffer, bufs.ib[0].cbBuffer);
|
|
|
|
p += bufs.ib[0].cbBuffer;
|
2005-08-18 19:22:33 +04:00
|
|
|
|
2006-03-07 05:38:31 +03:00
|
|
|
memcpy(p, bufs.ib[1].pvBuffer, bufs.ib[1].cbBuffer);
|
|
|
|
p += bufs.ib[1].cbBuffer;
|
2006-01-25 23:26:08 +03:00
|
|
|
|
2006-03-07 05:38:31 +03:00
|
|
|
memcpy(p, bufs.ib[2].pvBuffer, bufs.ib[2].cbBuffer);
|
2017-07-06 15:00:35 +03:00
|
|
|
|
2006-01-25 23:26:08 +03:00
|
|
|
return NS_OK;
|
2005-08-18 19:22:33 +04:00
|
|
|
}
|
|
|
|
|
2006-01-25 23:26:08 +03:00
|
|
|
return NS_ERROR_FAILURE;
|
2005-08-18 19:22:33 +04:00
|
|
|
}
|