| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "net/http/http_auth_gssapi_starboard.h" |
| |
| #include <limits> |
| #include <string> |
| |
| #include "base/base64.h" |
| #include "base/files/file_path.h" |
| #include "base/format_macros.h" |
| #include "base/logging.h" |
| #include "base/macros.h" |
| #include "base/strings/string_util.h" |
| #include "base/strings/stringprintf.h" |
| #include "base/threading/thread_restrictions.h" |
| #include "net/base/net_errors.h" |
| #include "net/http/http_auth_multi_round_parse.h" |
| #include "starboard/memory.h" |
| |
| // These are defined for the GSSAPI library: |
| // Paraphrasing the comments from gssapi.h: |
| // "The implementation must reserve static storage for a |
| // gss_OID_desc object for each constant. That constant |
| // should be initialized to point to that gss_OID_desc." |
| // These are encoded using ASN.1 BER encoding. |
| namespace { |
| |
| static gss_OID_desc GSS_C_NT_USER_NAME_VAL = { |
| 10, const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01")}; |
| static gss_OID_desc GSS_C_NT_MACHINE_UID_NAME_VAL = { |
| 10, const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02")}; |
| static gss_OID_desc GSS_C_NT_STRING_UID_NAME_VAL = { |
| 10, const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03")}; |
| static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X_VAL = { |
| 6, const_cast<char*>("\x2b\x06\x01\x05\x06\x02")}; |
| static gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_VAL = { |
| 10, const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04")}; |
| static gss_OID_desc GSS_C_NT_ANONYMOUS_VAL = { |
| 6, const_cast<char*>("\x2b\x06\01\x05\x06\x03")}; |
| static gss_OID_desc GSS_C_NT_EXPORT_NAME_VAL = { |
| 6, const_cast<char*>("\x2b\x06\x01\x05\x06\x04")}; |
| |
| } // namespace |
| |
| // Heimdal >= 1.4 will define the following as preprocessor macros. |
| // To avoid conflicting declarations, we have to undefine these. |
| #undef GSS_C_NT_USER_NAME |
| #undef GSS_C_NT_MACHINE_UID_NAME |
| #undef GSS_C_NT_STRING_UID_NAME |
| #undef GSS_C_NT_HOSTBASED_SERVICE_X |
| #undef GSS_C_NT_HOSTBASED_SERVICE |
| #undef GSS_C_NT_ANONYMOUS |
| #undef GSS_C_NT_EXPORT_NAME |
| |
| gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_VAL; |
| gss_OID GSS_C_NT_MACHINE_UID_NAME = &GSS_C_NT_MACHINE_UID_NAME_VAL; |
| gss_OID GSS_C_NT_STRING_UID_NAME = &GSS_C_NT_STRING_UID_NAME_VAL; |
| gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = &GSS_C_NT_HOSTBASED_SERVICE_X_VAL; |
| gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_VAL; |
| gss_OID GSS_C_NT_ANONYMOUS = &GSS_C_NT_ANONYMOUS_VAL; |
| gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_VAL; |
| |
| namespace net { |
| |
| // Exported mechanism for GSSAPI. We always use SPNEGO: |
| |
| // iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2) |
| gss_OID_desc CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL = { |
| 6, const_cast<char*>("\x2b\x06\x01\x05\x05\x02")}; |
| |
| gss_OID CHROME_GSS_SPNEGO_MECH_OID_DESC = &CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL; |
| |
| // Debugging helpers. |
| namespace { |
| |
| std::string DisplayStatus(OM_uint32 major_status, OM_uint32 minor_status) { |
| if (major_status == GSS_S_COMPLETE) |
| return "OK"; |
| return base::StringPrintf("0x%08X 0x%08X", major_status, minor_status); |
| } |
| |
| std::string DisplayCode(GSSAPILibrary* gssapi_lib, |
| OM_uint32 status, |
| OM_uint32 status_code_type) { |
| const int kMaxDisplayIterations = 8; |
| const size_t kMaxMsgLength = 4096; |
| // msg_ctx needs to be outside the loop because it is invoked multiple times. |
| OM_uint32 msg_ctx = 0; |
| std::string rv = base::StringPrintf("(0x%08X)", status); |
| |
| // This loop should continue iterating until msg_ctx is 0 after the first |
| // iteration. To be cautious and prevent an infinite loop, it stops after |
| // a finite number of iterations as well. As an added sanity check, no |
| // individual message may exceed |kMaxMsgLength|, and the final result |
| // will not exceed |kMaxMsgLength|*2-1. |
| for (int i = 0; i < kMaxDisplayIterations && rv.size() < kMaxMsgLength; ++i) { |
| OM_uint32 min_stat; |
| gss_buffer_desc_struct msg = GSS_C_EMPTY_BUFFER; |
| OM_uint32 maj_stat = gssapi_lib->display_status( |
| &min_stat, status, status_code_type, GSS_C_NULL_OID, &msg_ctx, &msg); |
| if (maj_stat == GSS_S_COMPLETE) { |
| int msg_len = (msg.length > kMaxMsgLength) |
| ? static_cast<int>(kMaxMsgLength) |
| : static_cast<int>(msg.length); |
| if (msg_len > 0 && msg.value != NULL) { |
| rv += |
| base::StringPrintf(" %.*s", msg_len, static_cast<char*>(msg.value)); |
| } |
| } |
| gssapi_lib->release_buffer(&min_stat, &msg); |
| if (!msg_ctx) |
| break; |
| } |
| return rv; |
| } |
| |
| std::string DisplayExtendedStatus(GSSAPILibrary* gssapi_lib, |
| OM_uint32 major_status, |
| OM_uint32 minor_status) { |
| if (major_status == GSS_S_COMPLETE) |
| return "OK"; |
| std::string major = DisplayCode(gssapi_lib, major_status, GSS_C_GSS_CODE); |
| std::string minor = DisplayCode(gssapi_lib, minor_status, GSS_C_MECH_CODE); |
| return base::StringPrintf("Major: %s | Minor: %s", major.c_str(), |
| minor.c_str()); |
| } |
| |
| // ScopedName releases a gss_name_t when it goes out of scope. |
| class ScopedName { |
| public: |
| ScopedName(gss_name_t name, GSSAPILibrary* gssapi_lib) |
| : name_(name), gssapi_lib_(gssapi_lib) { |
| DCHECK(gssapi_lib_); |
| } |
| |
| ~ScopedName() { |
| if (name_ != GSS_C_NO_NAME) { |
| OM_uint32 minor_status = 0; |
| OM_uint32 major_status = gssapi_lib_->release_name(&minor_status, &name_); |
| if (major_status != GSS_S_COMPLETE) { |
| LOG(WARNING) << "Problem releasing name. " |
| << DisplayStatus(major_status, minor_status); |
| } |
| name_ = GSS_C_NO_NAME; |
| } |
| } |
| |
| private: |
| gss_name_t name_; |
| GSSAPILibrary* gssapi_lib_; |
| |
| DISALLOW_COPY_AND_ASSIGN(ScopedName); |
| }; |
| |
| // ScopedBuffer releases a gss_buffer_t when it goes out of scope. |
| class ScopedBuffer { |
| public: |
| ScopedBuffer(gss_buffer_t buffer, GSSAPILibrary* gssapi_lib) |
| : buffer_(buffer), gssapi_lib_(gssapi_lib) { |
| DCHECK(gssapi_lib_); |
| } |
| |
| ~ScopedBuffer() { |
| if (buffer_ != GSS_C_NO_BUFFER) { |
| OM_uint32 minor_status = 0; |
| OM_uint32 major_status = |
| gssapi_lib_->release_buffer(&minor_status, buffer_); |
| if (major_status != GSS_S_COMPLETE) { |
| LOG(WARNING) << "Problem releasing buffer. " |
| << DisplayStatus(major_status, minor_status); |
| } |
| buffer_ = GSS_C_NO_BUFFER; |
| } |
| } |
| |
| private: |
| gss_buffer_t buffer_; |
| GSSAPILibrary* gssapi_lib_; |
| |
| DISALLOW_COPY_AND_ASSIGN(ScopedBuffer); |
| }; |
| |
| namespace { |
| |
| std::string AppendIfPredefinedValue(gss_OID oid, |
| gss_OID predefined_oid, |
| const char* predefined_oid_name) { |
| DCHECK(oid); |
| DCHECK(predefined_oid); |
| DCHECK(predefined_oid_name); |
| std::string output; |
| if (oid->length != predefined_oid->length) |
| return output; |
| if (0 != SbMemoryCompare(oid->elements, predefined_oid->elements, |
| predefined_oid->length)) |
| return output; |
| |
| output += " ("; |
| output += predefined_oid_name; |
| output += ")"; |
| return output; |
| } |
| |
| } // namespace |
| |
| std::string DescribeOid(GSSAPILibrary* gssapi_lib, const gss_OID oid) { |
| if (!oid) |
| return "<NULL>"; |
| std::string output; |
| const size_t kMaxCharsToPrint = 1024; |
| OM_uint32 byte_length = oid->length; |
| size_t char_length = byte_length / sizeof(char); |
| if (char_length > kMaxCharsToPrint) { |
| // This might be a plain ASCII string. |
| // Check if the first |kMaxCharsToPrint| characters |
| // contain only printable characters and are NULL terminated. |
| const char* str = reinterpret_cast<const char*>(oid); |
| size_t str_length = 0; |
| for (; str_length < kMaxCharsToPrint; ++str_length) { |
| if (!str[str_length] || !isprint(str[str_length])) |
| break; |
| } |
| if (!str[str_length]) { |
| output += base::StringPrintf("\"%s\"", str); |
| return output; |
| } |
| } |
| output = base::StringPrintf("(%u) \"", byte_length); |
| if (!oid->elements) { |
| output += "<NULL>"; |
| return output; |
| } |
| const unsigned char* elements = |
| reinterpret_cast<const unsigned char*>(oid->elements); |
| // Don't print more than |kMaxCharsToPrint| characters. |
| size_t i = 0; |
| for (; (i < byte_length) && (i < kMaxCharsToPrint); ++i) { |
| output += base::StringPrintf("\\x%02X", elements[i]); |
| } |
| if (i >= kMaxCharsToPrint) |
| output += "..."; |
| output += "\""; |
| |
| // Check if the OID is one of the predefined values. |
| output += |
| AppendIfPredefinedValue(oid, GSS_C_NT_USER_NAME, "GSS_C_NT_USER_NAME"); |
| output += AppendIfPredefinedValue(oid, GSS_C_NT_MACHINE_UID_NAME, |
| "GSS_C_NT_MACHINE_UID_NAME"); |
| output += AppendIfPredefinedValue(oid, GSS_C_NT_STRING_UID_NAME, |
| "GSS_C_NT_STRING_UID_NAME"); |
| output += AppendIfPredefinedValue(oid, GSS_C_NT_HOSTBASED_SERVICE_X, |
| "GSS_C_NT_HOSTBASED_SERVICE_X"); |
| output += AppendIfPredefinedValue(oid, GSS_C_NT_HOSTBASED_SERVICE, |
| "GSS_C_NT_HOSTBASED_SERVICE"); |
| output += |
| AppendIfPredefinedValue(oid, GSS_C_NT_ANONYMOUS, "GSS_C_NT_ANONYMOUS"); |
| output += AppendIfPredefinedValue(oid, GSS_C_NT_EXPORT_NAME, |
| "GSS_C_NT_EXPORT_NAME"); |
| |
| return output; |
| } |
| |
| std::string DescribeName(GSSAPILibrary* gssapi_lib, const gss_name_t name) { |
| OM_uint32 major_status = 0; |
| OM_uint32 minor_status = 0; |
| gss_buffer_desc_struct output_name_buffer = GSS_C_EMPTY_BUFFER; |
| gss_OID_desc output_name_type_desc = GSS_C_EMPTY_BUFFER; |
| gss_OID output_name_type = &output_name_type_desc; |
| major_status = gssapi_lib->display_name( |
| &minor_status, name, &output_name_buffer, &output_name_type); |
| ScopedBuffer scoped_output_name(&output_name_buffer, gssapi_lib); |
| if (major_status != GSS_S_COMPLETE) { |
| std::string error = base::StringPrintf( |
| "Unable to describe name 0x%p, %s", name, |
| DisplayExtendedStatus(gssapi_lib, major_status, minor_status).c_str()); |
| return error; |
| } |
| int len = output_name_buffer.length; |
| std::string description = base::StringPrintf( |
| "%*s (Type %s)", len, |
| reinterpret_cast<const char*>(output_name_buffer.value), |
| DescribeOid(gssapi_lib, output_name_type).c_str()); |
| return description; |
| } |
| |
| std::string DescribeContext(GSSAPILibrary* gssapi_lib, |
| const gss_ctx_id_t context_handle) { |
| OM_uint32 major_status = 0; |
| OM_uint32 minor_status = 0; |
| gss_name_t src_name = GSS_C_NO_NAME; |
| gss_name_t targ_name = GSS_C_NO_NAME; |
| OM_uint32 lifetime_rec = 0; |
| gss_OID mech_type = GSS_C_NO_OID; |
| OM_uint32 ctx_flags = 0; |
| int locally_initiated = 0; |
| int open = 0; |
| if (context_handle == GSS_C_NO_CONTEXT) |
| return std::string("Context: GSS_C_NO_CONTEXT"); |
| major_status = gssapi_lib->inquire_context( |
| &minor_status, context_handle, &src_name, &targ_name, &lifetime_rec, |
| &mech_type, &ctx_flags, &locally_initiated, &open); |
| ScopedName scoped_src_name(src_name, gssapi_lib); |
| ScopedName scoped_targ_name(targ_name, gssapi_lib); |
| if (major_status != GSS_S_COMPLETE) { |
| std::string error = base::StringPrintf( |
| "Unable to describe context 0x%p, %s", context_handle, |
| DisplayExtendedStatus(gssapi_lib, major_status, minor_status).c_str()); |
| return error; |
| } |
| std::string source(DescribeName(gssapi_lib, src_name)); |
| std::string target(DescribeName(gssapi_lib, targ_name)); |
| std::string description = base::StringPrintf( |
| "Context 0x%p: " |
| "Source \"%s\", " |
| "Target \"%s\", " |
| "lifetime %d, " |
| "mechanism %s, " |
| "flags 0x%08X, " |
| "local %d, " |
| "open %d", |
| context_handle, source.c_str(), target.c_str(), lifetime_rec, |
| DescribeOid(gssapi_lib, mech_type).c_str(), ctx_flags, locally_initiated, |
| open); |
| return description; |
| } |
| |
| } // namespace |
| |
| GSSAPISharedLibrary::GSSAPISharedLibrary(const std::string& gssapi_library_name) |
| : initialized_(false), |
| gssapi_library_name_(gssapi_library_name), |
| import_name_(NULL), |
| release_name_(NULL), |
| release_buffer_(NULL), |
| display_name_(NULL), |
| display_status_(NULL), |
| init_sec_context_(NULL), |
| wrap_size_limit_(NULL), |
| delete_sec_context_(NULL), |
| inquire_context_(NULL) {} |
| |
| bool GSSAPISharedLibrary::Init() { |
| if (!initialized_) |
| InitImpl(); |
| return initialized_; |
| } |
| |
| bool GSSAPISharedLibrary::InitImpl() { |
| DCHECK(!initialized_); |
| initialized_ = true; |
| return true; |
| } |
| |
| OM_uint32 GSSAPISharedLibrary::import_name(OM_uint32* minor_status, |
| const gss_buffer_t input_name_buffer, |
| const gss_OID input_name_type, |
| gss_name_t* output_name) { |
| DCHECK(initialized_); |
| return import_name_(minor_status, input_name_buffer, input_name_type, |
| output_name); |
| } |
| |
| OM_uint32 GSSAPISharedLibrary::release_name(OM_uint32* minor_status, |
| gss_name_t* input_name) { |
| DCHECK(initialized_); |
| return release_name_(minor_status, input_name); |
| } |
| |
| OM_uint32 GSSAPISharedLibrary::release_buffer(OM_uint32* minor_status, |
| gss_buffer_t buffer) { |
| DCHECK(initialized_); |
| return release_buffer_(minor_status, buffer); |
| } |
| |
| OM_uint32 GSSAPISharedLibrary::display_name(OM_uint32* minor_status, |
| const gss_name_t input_name, |
| gss_buffer_t output_name_buffer, |
| gss_OID* output_name_type) { |
| DCHECK(initialized_); |
| return display_name_(minor_status, input_name, output_name_buffer, |
| output_name_type); |
| } |
| |
| OM_uint32 GSSAPISharedLibrary::display_status(OM_uint32* minor_status, |
| OM_uint32 status_value, |
| int status_type, |
| const gss_OID mech_type, |
| OM_uint32* message_context, |
| gss_buffer_t status_string) { |
| DCHECK(initialized_); |
| return display_status_(minor_status, status_value, status_type, mech_type, |
| message_context, status_string); |
| } |
| |
| OM_uint32 GSSAPISharedLibrary::init_sec_context( |
| OM_uint32* minor_status, |
| const gss_cred_id_t initiator_cred_handle, |
| gss_ctx_id_t* context_handle, |
| const gss_name_t target_name, |
| const gss_OID mech_type, |
| OM_uint32 req_flags, |
| OM_uint32 time_req, |
| const gss_channel_bindings_t input_chan_bindings, |
| const gss_buffer_t input_token, |
| gss_OID* actual_mech_type, |
| gss_buffer_t output_token, |
| OM_uint32* ret_flags, |
| OM_uint32* time_rec) { |
| DCHECK(initialized_); |
| return init_sec_context_(minor_status, initiator_cred_handle, context_handle, |
| target_name, mech_type, req_flags, time_req, |
| input_chan_bindings, input_token, actual_mech_type, |
| output_token, ret_flags, time_rec); |
| } |
| |
| OM_uint32 GSSAPISharedLibrary::wrap_size_limit( |
| OM_uint32* minor_status, |
| const gss_ctx_id_t context_handle, |
| int conf_req_flag, |
| gss_qop_t qop_req, |
| OM_uint32 req_output_size, |
| OM_uint32* max_input_size) { |
| DCHECK(initialized_); |
| return wrap_size_limit_(minor_status, context_handle, conf_req_flag, qop_req, |
| req_output_size, max_input_size); |
| } |
| |
| OM_uint32 GSSAPISharedLibrary::delete_sec_context(OM_uint32* minor_status, |
| gss_ctx_id_t* context_handle, |
| gss_buffer_t output_token) { |
| // This is called from the owner class' destructor, even if |
| // Init() is not called, so we can't assume |initialized_| |
| // is set. |
| if (!initialized_) |
| return 0; |
| return delete_sec_context_(minor_status, context_handle, output_token); |
| } |
| |
| OM_uint32 GSSAPISharedLibrary::inquire_context( |
| OM_uint32* minor_status, |
| const gss_ctx_id_t context_handle, |
| gss_name_t* src_name, |
| gss_name_t* targ_name, |
| OM_uint32* lifetime_rec, |
| gss_OID* mech_type, |
| OM_uint32* ctx_flags, |
| int* locally_initiated, |
| int* open) { |
| DCHECK(initialized_); |
| return inquire_context_(minor_status, context_handle, src_name, targ_name, |
| lifetime_rec, mech_type, ctx_flags, locally_initiated, |
| open); |
| } |
| |
| const std::string& GSSAPISharedLibrary::GetLibraryNameForTesting() { |
| return gssapi_library_name_; |
| } |
| |
| ScopedSecurityContext::ScopedSecurityContext(GSSAPILibrary* gssapi_lib) |
| : security_context_(GSS_C_NO_CONTEXT), gssapi_lib_(gssapi_lib) { |
| DCHECK(gssapi_lib_); |
| } |
| |
| ScopedSecurityContext::~ScopedSecurityContext() { |
| if (security_context_ != GSS_C_NO_CONTEXT) { |
| gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; |
| OM_uint32 minor_status = 0; |
| OM_uint32 major_status = gssapi_lib_->delete_sec_context( |
| &minor_status, &security_context_, &output_token); |
| if (major_status != GSS_S_COMPLETE) { |
| LOG(WARNING) << "Problem releasing security_context. " |
| << DisplayStatus(major_status, minor_status); |
| } |
| security_context_ = GSS_C_NO_CONTEXT; |
| } |
| } |
| |
| HttpAuthGSSAPI::HttpAuthGSSAPI(GSSAPILibrary* library, |
| const std::string& scheme, |
| gss_OID gss_oid) |
| : scheme_(scheme), |
| gss_oid_(gss_oid), |
| library_(library), |
| scoped_sec_context_(library), |
| can_delegate_(false) { |
| DCHECK(library_); |
| } |
| |
| HttpAuthGSSAPI::~HttpAuthGSSAPI() = default; |
| |
| bool HttpAuthGSSAPI::Init() { |
| if (!library_) |
| return false; |
| return library_->Init(); |
| } |
| |
| bool HttpAuthGSSAPI::NeedsIdentity() const { |
| return decoded_server_auth_token_.empty(); |
| } |
| |
| bool HttpAuthGSSAPI::AllowsExplicitCredentials() const { |
| return false; |
| } |
| |
| void HttpAuthGSSAPI::Delegate() { |
| can_delegate_ = true; |
| } |
| |
| HttpAuth::AuthorizationResult HttpAuthGSSAPI::ParseChallenge( |
| HttpAuthChallengeTokenizer* tok) { |
| if (scoped_sec_context_.get() == GSS_C_NO_CONTEXT) { |
| return net::ParseFirstRoundChallenge(scheme_, tok); |
| } |
| std::string encoded_auth_token; |
| return net::ParseLaterRoundChallenge(scheme_, tok, &encoded_auth_token, |
| &decoded_server_auth_token_); |
| } |
| |
| int HttpAuthGSSAPI::GenerateAuthToken(const AuthCredentials* credentials, |
| const std::string& spn, |
| const std::string& channel_bindings, |
| std::string* auth_token, |
| CompletionOnceCallback /*callback*/) { |
| DCHECK(auth_token); |
| |
| gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER; |
| input_token.length = decoded_server_auth_token_.length(); |
| input_token.value = (input_token.length > 0) |
| ? const_cast<char*>(decoded_server_auth_token_.data()) |
| : NULL; |
| gss_buffer_desc output_token = GSS_C_EMPTY_BUFFER; |
| ScopedBuffer scoped_output_token(&output_token, library_); |
| int rv = |
| GetNextSecurityToken(spn, channel_bindings, &input_token, &output_token); |
| if (rv != OK) |
| return rv; |
| |
| // Base64 encode data in output buffer and prepend the scheme. |
| std::string encode_input(static_cast<char*>(output_token.value), |
| output_token.length); |
| std::string encode_output; |
| base::Base64Encode(encode_input, &encode_output); |
| *auth_token = scheme_ + " " + encode_output; |
| return OK; |
| } |
| |
| namespace { |
| |
| // GSSAPI status codes consist of a calling error (essentially, a programmer |
| // bug), a routine error (defined by the RFC), and supplementary information, |
| // all bitwise-or'ed together in different regions of the 32 bit return value. |
| // This means a simple switch on the return codes is not sufficient. |
| |
| int MapImportNameStatusToError(OM_uint32 major_status) { |
| VLOG(1) << "import_name returned 0x" << std::hex << major_status; |
| if (major_status == GSS_S_COMPLETE) |
| return OK; |
| if (GSS_CALLING_ERROR(major_status) != 0) |
| return ERR_UNEXPECTED; |
| OM_uint32 routine_error = GSS_ROUTINE_ERROR(major_status); |
| switch (routine_error) { |
| case GSS_S_FAILURE: |
| // Looking at the MIT Kerberos implementation, this typically is returned |
| // when memory allocation fails. However, the API does not guarantee |
| // that this is the case, so using ERR_UNEXPECTED rather than |
| // ERR_OUT_OF_MEMORY. |
| return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; |
| case GSS_S_BAD_NAME: |
| case GSS_S_BAD_NAMETYPE: |
| return ERR_MALFORMED_IDENTITY; |
| case GSS_S_DEFECTIVE_TOKEN: |
| // Not mentioned in the API, but part of code. |
| return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; |
| case GSS_S_BAD_MECH: |
| return ERR_UNSUPPORTED_AUTH_SCHEME; |
| default: |
| return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS; |
| } |
| } |
| |
| int MapInitSecContextStatusToError(OM_uint32 major_status) { |
| VLOG(1) << "init_sec_context returned 0x" << std::hex << major_status; |
| // Although GSS_S_CONTINUE_NEEDED is an additional bit, it seems like |
| // other code just checks if major_status is equivalent to it to indicate |
| // that there are no other errors included. |
| if (major_status == GSS_S_COMPLETE || major_status == GSS_S_CONTINUE_NEEDED) |
| return OK; |
| if (GSS_CALLING_ERROR(major_status) != 0) |
| return ERR_UNEXPECTED; |
| OM_uint32 routine_status = GSS_ROUTINE_ERROR(major_status); |
| switch (routine_status) { |
| case GSS_S_DEFECTIVE_TOKEN: |
| return ERR_INVALID_RESPONSE; |
| case GSS_S_DEFECTIVE_CREDENTIAL: |
| // Not expected since this implementation uses the default credential. |
| return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; |
| case GSS_S_BAD_SIG: |
| // Probably won't happen, but it's a bad response. |
| return ERR_INVALID_RESPONSE; |
| case GSS_S_NO_CRED: |
| return ERR_INVALID_AUTH_CREDENTIALS; |
| case GSS_S_CREDENTIALS_EXPIRED: |
| return ERR_INVALID_AUTH_CREDENTIALS; |
| case GSS_S_BAD_BINDINGS: |
| // This only happens with mutual authentication. |
| return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; |
| case GSS_S_NO_CONTEXT: |
| return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; |
| case GSS_S_BAD_NAMETYPE: |
| return ERR_UNSUPPORTED_AUTH_SCHEME; |
| case GSS_S_BAD_NAME: |
| return ERR_UNSUPPORTED_AUTH_SCHEME; |
| case GSS_S_BAD_MECH: |
| return ERR_UNEXPECTED_SECURITY_LIBRARY_STATUS; |
| case GSS_S_FAILURE: |
| // This should be an "Unexpected Security Status" according to the |
| // GSSAPI documentation, but it's typically used to indicate that |
| // credentials are not correctly set up on a user machine, such |
| // as a missing credential cache or hitting this after calling |
| // kdestroy. |
| // TODO(cbentzel): Use minor code for even better mapping? |
| return ERR_MISSING_AUTH_CREDENTIALS; |
| default: |
| if (routine_status != 0) |
| return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS; |
| break; |
| } |
| OM_uint32 supplemental_status = GSS_SUPPLEMENTARY_INFO(major_status); |
| // Replays could indicate an attack. |
| if (supplemental_status & (GSS_S_DUPLICATE_TOKEN | GSS_S_OLD_TOKEN | |
| GSS_S_UNSEQ_TOKEN | GSS_S_GAP_TOKEN)) |
| return ERR_INVALID_RESPONSE; |
| |
| // At this point, every documented status has been checked. |
| return ERR_UNDOCUMENTED_SECURITY_LIBRARY_STATUS; |
| } |
| |
| } // anonymous namespace |
| |
| int HttpAuthGSSAPI::GetNextSecurityToken(const std::string& spn, |
| const std::string& channel_bindings, |
| gss_buffer_t in_token, |
| gss_buffer_t out_token) { |
| // Create a name for the principal |
| // TODO(cbentzel): Just do this on the first pass? |
| std::string spn_principal = spn; |
| gss_buffer_desc spn_buffer = GSS_C_EMPTY_BUFFER; |
| spn_buffer.value = const_cast<char*>(spn_principal.c_str()); |
| spn_buffer.length = spn_principal.size() + 1; |
| OM_uint32 minor_status = 0; |
| gss_name_t principal_name = GSS_C_NO_NAME; |
| OM_uint32 major_status = library_->import_name( |
| &minor_status, &spn_buffer, GSS_C_NT_HOSTBASED_SERVICE, &principal_name); |
| int rv = MapImportNameStatusToError(major_status); |
| if (rv != OK) { |
| LOG(ERROR) << "Problem importing name from " |
| << "spn \"" << spn_principal << "\"\n" |
| << DisplayExtendedStatus(library_, major_status, minor_status); |
| return rv; |
| } |
| ScopedName scoped_name(principal_name, library_); |
| |
| // Continue creating a security context. |
| OM_uint32 req_flags = 0; |
| if (can_delegate_) |
| req_flags |= GSS_C_DELEG_FLAG; |
| major_status = library_->init_sec_context( |
| &minor_status, GSS_C_NO_CREDENTIAL, scoped_sec_context_.receive(), |
| principal_name, gss_oid_, req_flags, GSS_C_INDEFINITE, |
| GSS_C_NO_CHANNEL_BINDINGS, in_token, |
| nullptr, // actual_mech_type |
| out_token, |
| nullptr, // ret flags |
| nullptr); |
| rv = MapInitSecContextStatusToError(major_status); |
| if (rv != OK) { |
| LOG(ERROR) << "Problem initializing context. \n" |
| << DisplayExtendedStatus(library_, major_status, minor_status) |
| << '\n' |
| << DescribeContext(library_, scoped_sec_context_.get()); |
| } |
| return rv; |
| } |
| |
| } // namespace net |