Bug 362435. Try using Samba's ntlm_auth to perform NTLM authentication on our behalf, when available. If the user has logged in by authenticating to Active Directory, then this may avoid having the user enter their password again. (single sign on) r+sr=biesi

extensions/auth/Makefile.in

@@ -77,6 +77,8 @@ CPPSRCS		+= \
 ifeq ($(OS_ARCH),WINNT)
 LOCAL_INCLUDES	+= -DUSE_SSPI
 CPPSRCS		+= nsAuthSSPI.cpp
+else
+CPPSRCS   += nsAuthSambaNTLM.cpp
 endif
 
 include $(topsrcdir)/config/rules.mk

extensions/auth/nsAuthFactory.cpp

@@ -127,6 +127,36 @@ nsKerbSSPIAuthConstructor(nsISupports *outer, REFNSIID iid, void **result)
   {0x8c, 0xd6, 0x08, 0x00, 0x20, 0x0c, 0x9a, 0x66} \
 }
 
+#else
+
+#define NS_SAMBANTLMAUTH_CID                       \
+{ /* bc54f001-6eb0-4e32-9f49-7e064d8e70ef */       \
+  0xbc54f001,                                      \
+  0x6eb0,                                          \
+  0x4e32,                                          \
+  {0x9f, 0x49, 0x7e, 0x06, 0x4d, 0x8e, 0x70, 0xef} \
+}
+
+#include "nsAuthSambaNTLM.h"
+static NS_METHOD
+nsSambaNTLMAuthConstructor(nsISupports *outer, REFNSIID iid, void **result)
+{
+  if (outer)
+    return NS_ERROR_NO_AGGREGATION;
+
+  nsCOMPtr<nsAuthSambaNTLM> auth = new nsAuthSambaNTLM();
+  if (!auth)
+    return NS_ERROR_OUT_OF_MEMORY;
+
+  nsresult rv = auth->SpawnNTLMAuthHelper();
+  if (NS_FAILED(rv)) {
+    // Failure here probably means that cached credentials were not available
+    return rv;
+  }
+
+  return auth->QueryInterface(iid, result);
+}
+
 #endif
 
 static NS_METHOD
@@ -206,6 +236,12 @@ static nsModuleComponentInfo components[] = {
     NS_AUTH_MODULE_CONTRACTID_PREFIX "sys-ntlm",
     nsSysNTLMAuthConstructor
   },
+#else
+  { "nsAuthSambaNTLM", 
+    NS_SAMBANTLMAUTH_CID,
+    NS_AUTH_MODULE_CONTRACTID_PREFIX "sys-ntlm",
+    nsSambaNTLMAuthConstructor
+  },
 #endif
   { "nsHttpNegotiateAuth", 
     NS_HTTPNEGOTIATEAUTH_CID,

extensions/auth/nsAuthSambaNTLM.cpp

@@ -0,0 +1,315 @@
+/* vim:set ts=4 sw=4 et cindent: */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Samba NTLM Authentication.
+ *
+ * The Initial Developer of the Original Code is Novell.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Robert O'Callahan (rocallahan@novell.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsAuth.h"
+#include "nsAuthSambaNTLM.h"
+#include "prenv.h"
+#include "plbase64.h"
+
+#include <stdlib.h>
+
+nsAuthSambaNTLM::nsAuthSambaNTLM()
+    : mInitialMessage(nsnull), mChildPID(nsnull), mFromChildFD(nsnull),
+      mToChildFD(nsnull)
+{
+}
+
+nsAuthSambaNTLM::~nsAuthSambaNTLM()
+{
+    // ntlm_auth reads from stdin regularly so closing our file handles
+    // should cause it to exit.
+    Shutdown();
+    free(mInitialMessage);
+}
+
+void
+nsAuthSambaNTLM::Shutdown()
+{
+    if (mFromChildFD) {
+        PR_Close(mFromChildFD);
+        mFromChildFD = nsnull;
+    }
+    if (mToChildFD) {
+        PR_Close(mToChildFD);
+        mToChildFD = nsnull;
+    }
+    if (mChildPID) {
+        PRInt32 exitCode;
+        PR_WaitProcess(mChildPID, &exitCode);
+        mChildPID = nsnull;
+    }
+}
+
+NS_IMPL_ISUPPORTS1(nsAuthSambaNTLM, nsIAuthModule)
+
+static PRBool
+SpawnIOChild(char** aArgs, PRProcess** aPID,
+             PRFileDesc** aFromChildFD, PRFileDesc** aToChildFD)
+{
+    PRFileDesc* toChildPipeRead;
+    PRFileDesc* toChildPipeWrite;
+    if (PR_CreatePipe(&toChildPipeRead, &toChildPipeWrite) != PR_SUCCESS)
+        return PR_FALSE;
+    PR_SetFDInheritable(toChildPipeRead, PR_TRUE);
+    PR_SetFDInheritable(toChildPipeWrite, PR_FALSE);
+
+    PRFileDesc* fromChildPipeRead;
+    PRFileDesc* fromChildPipeWrite;
+    if (PR_CreatePipe(&fromChildPipeRead, &fromChildPipeWrite) != PR_SUCCESS) {
+        PR_Close(toChildPipeRead);
+        PR_Close(toChildPipeWrite);
+        return PR_FALSE;
+    }
+    PR_SetFDInheritable(fromChildPipeRead, PR_FALSE);
+    PR_SetFDInheritable(fromChildPipeWrite, PR_TRUE);
+
+    PRProcessAttr* attr = PR_NewProcessAttr();
+    if (!attr) {
+        PR_Close(fromChildPipeRead);
+        PR_Close(fromChildPipeWrite);
+        PR_Close(toChildPipeRead);
+        PR_Close(toChildPipeWrite);
+        return PR_FALSE;
+    }
+
+    PR_ProcessAttrSetStdioRedirect(attr, PR_StandardInput, toChildPipeRead);
+    PR_ProcessAttrSetStdioRedirect(attr, PR_StandardOutput, fromChildPipeWrite);   
+
+    PRProcess* process = PR_CreateProcess(aArgs[0], aArgs, nsnull, attr);
+    PR_DestroyProcessAttr(attr);
+    PR_Close(fromChildPipeWrite);
+    PR_Close(toChildPipeRead);
+    if (!process) {
+        LOG(("ntlm_auth exec failure [%d]", PR_GetError()));
+        PR_Close(fromChildPipeRead);
+        PR_Close(toChildPipeWrite);
+        return PR_FALSE;        
+    }
+
+    *aPID = process;
+    *aFromChildFD = fromChildPipeRead;
+    *aToChildFD = toChildPipeWrite;
+    return PR_TRUE;
+}
+
+static PRBool WriteString(PRFileDesc* aFD, const nsACString& aString)
+{
+    PRInt32 length = aString.Length();
+    const char* s = aString.BeginReading();
+    LOG(("Writing to ntlm_auth: %s", s));
+
+    while (length > 0) {
+        int result = PR_Write(aFD, s, length);
+        if (result <= 0)
+            return PR_FALSE;
+        s += result;
+        length -= result;
+    }
+    return PR_TRUE;
+}
+
+static PRBool ReadLine(PRFileDesc* aFD, nsACString& aString)
+{
+    // ntlm_auth is defined to only send one line in response to each of our
+    // input lines. So this simple unbuffered strategy works as long as we
+    // read the response immediately after sending one request.
+    aString.Truncate();
+    for (;;) {
+        char buf[1024];
+        int result = PR_Read(aFD, buf, sizeof(buf));
+        if (result <= 0)
+            return PR_FALSE;
+        aString.Append(buf, result);
+        if (buf[result - 1] == '\n') {
+            LOG(("Read from ntlm_auth: %s", nsPromiseFlatCString(aString).get()));
+            return PR_TRUE;
+        }
+    }
+}
+
+/**
+ * Returns a heap-allocated array of PRUint8s, and stores the length in aLen.
+ * Returns nsnull if there's an error of any kind.
+ */
+static PRUint8* ExtractMessage(const nsACString& aLine, PRUint32* aLen)
+{
+    // ntlm_auth sends blobs to us as base64-encoded strings after the "xx "
+    // preamble on the response line.
+    PRInt32 length = aLine.Length();
+    // The caller should verify there is a valid "xx " prefix and the line
+    // is terminated with a \n
+    NS_ASSERTION(length >= 4, "Line too short...");
+    const char* line = aLine.BeginReading();
+    const char* s = line + 3;
+    length -= 4; // lose first 3 chars plus trailing \n
+    NS_ASSERTION(s[length] == '\n', "aLine not newline-terminated");
+    
+    if (length & 3) {
+        // The base64 encoded block must be multiple of 4. If not, something
+        // screwed up.
+        NS_WARNING("Base64 encoded block should be a multiple of 4 chars");
+        return nsnull;
+    } 
+
+    // Calculate the exact length. I wonder why there isn't a function for this
+    // in plbase64.
+    PRInt32 numEquals;
+    for (numEquals = 0; numEquals < length; ++numEquals) {
+        if (s[length - 1 - numEquals] != '=')
+            break;
+    }
+    *aLen = (length/4)*3 - numEquals;
+    return NS_REINTERPRET_CAST(PRUint8*, PL_Base64Decode(s, length, nsnull));
+}
+
+nsresult
+nsAuthSambaNTLM::SpawnNTLMAuthHelper()
+{
+    const char* username = PR_GetEnv("USER");
+    if (!username)
+        return NS_ERROR_FAILURE;
+
+    char* args[] = {
+        "ntlm_auth",
+        "--helper-protocol", "ntlmssp-client-1",
+        "--use-cached-creds",
+        "--username", NS_CONST_CAST(char*, username),
+        nsnull
+    };
+
+    PRBool isOK = SpawnIOChild(args, &mChildPID, &mFromChildFD, &mToChildFD);
+    if (!isOK)  
+        return NS_ERROR_FAILURE;
+
+    if (!WriteString(mToChildFD, NS_LITERAL_CSTRING("YR\n")))
+        return NS_ERROR_FAILURE;
+    nsCString line;
+    if (!ReadLine(mFromChildFD, line))
+        return NS_ERROR_FAILURE;
+    if (!StringBeginsWith(line, NS_LITERAL_CSTRING("YR "))) {
+        // Something went wrong. Perhaps no credentials are accessible.
+        return NS_ERROR_FAILURE;
+    }
+
+    // It gave us an initial client-to-server request packet. Save that
+    // because we'll need it later.
+    mInitialMessage = ExtractMessage(line, &mInitialMessageLen);
+    if (!mInitialMessage)
+        return NS_ERROR_FAILURE;
+    return NS_OK;
+}
+
+NS_IMETHODIMP
+nsAuthSambaNTLM::Init(const char *serviceName,
+                      PRUint32    serviceFlags,
+                      const PRUnichar *domain,
+                      const PRUnichar *username,
+                      const PRUnichar *password)
+{
+    NS_ASSERTION(!username && !domain && !password, "unexpected credentials");
+    return NS_OK;
+}
+
+NS_IMETHODIMP
+nsAuthSambaNTLM::GetNextToken(const void *inToken,
+                              PRUint32    inTokenLen,
+                              void      **outToken,
+                              PRUint32   *outTokenLen)
+{
+    if (!inToken) {
+        /* someone wants our initial message */
+        *outToken = nsMemory::Clone(mInitialMessage, mInitialMessageLen);
+        if (!*outToken)
+            return NS_ERROR_OUT_OF_MEMORY;
+        *outTokenLen = mInitialMessageLen;
+        return NS_OK;
+    }
+
+    /* inToken must be a type 2 message. Get ntlm_auth to generate our response */
+    char* encoded = PL_Base64Encode(NS_STATIC_CAST(const char*, inToken), inTokenLen, nsnull);
+    if (!encoded)
+        return NS_ERROR_OUT_OF_MEMORY;
+
+    nsCString request;
+    request.AssignLiteral("TT ");
+    request.Append(encoded);
+    free(encoded);
+    request.Append('\n');
+
+    if (!WriteString(mToChildFD, request))
+        return NS_ERROR_FAILURE;
+    nsCString line;
+    if (!ReadLine(mFromChildFD, line))
+        return NS_ERROR_FAILURE;
+    if (!StringBeginsWith(line, NS_LITERAL_CSTRING("KK "))) {
+        // Something went wrong. Perhaps no credentials are accessible.
+        return NS_ERROR_FAILURE;
+    }
+    PRUint8* buf = ExtractMessage(line, outTokenLen);
+    if (!buf)
+        return NS_ERROR_FAILURE;
+    // *outToken has to be freed by nsMemory::Free, which may not be free() 
+    *outToken = nsMemory::Clone(buf, *outTokenLen);
+    if (!*outToken) {
+        free(buf);
+        return NS_ERROR_OUT_OF_MEMORY;
+    }
+    
+    // We're done. Close our file descriptors now and reap the helper
+    // process.
+    Shutdown();
+    return NS_SUCCESS_AUTH_FINISHED;
+}
+
+NS_IMETHODIMP
+nsAuthSambaNTLM::Unwrap(const void *inToken,
+                        PRUint32    inTokenLen,
+                        void      **outToken,
+                        PRUint32   *outTokenLen)
+{
+    return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+NS_IMETHODIMP
+nsAuthSambaNTLM::Wrap(const void *inToken,
+                      PRUint32    inTokenLen,
+                      PRBool      confidential,
+                      void      **outToken,
+                      PRUint32   *outTokenLen)
+{
+    return NS_ERROR_NOT_IMPLEMENTED;
+}

extensions/auth/nsAuthSambaNTLM.h

@@ -0,0 +1,83 @@
+/* vim:set ts=4 sw=4 et cindent: */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is Samba NTLM Authentication.
+ *
+ * The Initial Developer of the Original Code is Novell.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Robert O'Callahan (rocallahan@novell.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifndef nsAuthSambaNTLM_h__
+#define nsAuthSambaNTLM_h__
+
+#include "nsIAuthModule.h"
+#include "nsString.h"
+#include "nsCOMPtr.h"
+#include "prio.h"
+#include "prproces.h"
+
+/**
+ * This is an implementation of NTLM authentication that does single-signon
+ * by obtaining the user's Unix username, parsing it into DOMAIN\name format,
+ * and then asking Samba's ntlm_auth tool to do the authentication for us
+ * using the user's password cached in winbindd, if available. If the
+ * password is not available then this component fails to instantiate so
+ * nsHttpNTLMAuth will fall back to a different NTLM implementation.
+ * NOTE: at time of writing, this requires patches to be added to the stock
+ * Samba winbindd and ntlm_auth!  
+ */
+class nsAuthSambaNTLM : public nsIAuthModule
+{
+public:
+    NS_DECL_ISUPPORTS
+    NS_DECL_NSIAUTHMODULE
+
+    nsAuthSambaNTLM();
+
+    // We spawn the ntlm_auth helper from the module constructor, because
+    // that lets us fail to instantiate the module if ntlm_auth isn't
+    // available, triggering fallback to the built-in NTLM support (which
+    // doesn't support single signon, of course)
+    nsresult SpawnNTLMAuthHelper();
+
+private:
+    ~nsAuthSambaNTLM();
+
+    void Shutdown();
+
+    PRUint8*    mInitialMessage; /* free with free() */
+    PRUint32    mInitialMessageLen;
+    PRProcess*  mChildPID;
+    PRFileDesc* mFromChildFD;
+    PRFileDesc* mToChildFD;
+};
+
+#endif /* nsAuthSambaNTLM_h__ */

layout/generic/nsFrame.cpp

@@ -262,6 +262,12 @@ nsIFrameDebug::GetLogModuleInfo()
   return gLogModule;
 }
 
+void
+nsIFrameDebug::DumpFrameTree(nsIFrame* aFrame)
+{
+    RootFrameList(aFrame->GetPresContext(), stdout, 0);
+}
+
 void
 nsIFrameDebug::RootFrameList(nsPresContext* aPresContext, FILE* out, PRInt32 aIndent)
 {

layout/generic/nsIFrameDebug.h

@@ -64,6 +64,9 @@ public:
    * - calls root frame's List(...)
    */
   static void RootFrameList(nsPresContext* aPresContext, FILE* out, PRInt32 aIndent);
+
+  static void DumpFrameTree(nsIFrame* aFrame);
+
   /**
    * Get a printable from of the name of the frame type.
    * XXX This should be eliminated and we use GetType() instead...

netwerk/protocol/http/src/nsHttpNTLMAuth.cpp

@@ -46,8 +46,6 @@
 
 //-----------------------------------------------------------------------------
 
-#ifdef XP_WIN
-
 #include "nsIPrefBranch.h"
 #include "nsIPrefService.h"
 #include "nsIServiceManager.h"
@@ -208,8 +206,6 @@ public:
 };
 NS_IMPL_ISUPPORTS0(nsNTLMSessionState)
 
-#endif
-
 //-----------------------------------------------------------------------------
 
 NS_IMPL_ISUPPORTS1(nsHttpNTLMAuth, nsIHttpAuthenticator)
@@ -231,7 +227,6 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHttpChannel *channel,
     // start new auth sequence if challenge is exactly "NTLM"
     if (PL_strcasecmp(challenge, "NTLM") == 0) {
         nsCOMPtr<nsISupports> module;
-#ifdef XP_WIN
         //
         // our session state is non-null to indicate that we've flagged
         // this auth domain as not accepting the system's default login.
@@ -239,7 +234,7 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHttpChannel *channel,
         PRBool trySysNTLM = (*sessionState == nsnull);
 
         //
-        // on windows, we may have access to the built-in SSPI library,
+        // we may have access to a built-in SSPI library,
         // which could be used to authenticate the user without prompting.
         // 
         // if the continuationState is null, then we may want to try using
@@ -266,9 +261,7 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHttpChannel *channel,
                     return NS_ERROR_OUT_OF_MEMORY;
                 NS_ADDREF(*sessionState);
             }
-#else
-        {
-#endif 
+
             module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
 
             // prompt user for domain, username, and password...