The Tor Browser: extensions/auth/nsHttpNegotiateAuth.cpp@6474c204b198 (annotated)

extensions/auth/nsHttpNegotiateAuth.cpp@6474c204b198 (annotated)

extensions/auth/nsHttpNegotiateAuth.cpp

Wed, 31 Dec 2014 06:09:35 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:09:35 +0100
changeset 0: 6474c204b198
permissions: -rw-r--r--

Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.

 /* vim:set ts=4 sw=4 sts=4 et cindent: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 //
 // HTTP Negotiate Authentication Support Module
 //
 // Described by IETF Internet draft: draft-brezak-kerberos-http-00.txt
 // (formerly draft-brezak-spnego-http-04.txt)
 //
 // Also described here:
 // http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
 //
 #include <string.h>
 #include <stdlib.h>
 #include "nsAuth.h"
 #include "nsHttpNegotiateAuth.h"
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIProxiedChannel.h"
 #include "nsIAuthModule.h"
 #include "nsIServiceManager.h"
 #include "nsIPrefService.h"
 #include "nsIPrefBranch.h"
 #include "nsIProxyInfo.h"
 #include "nsIURI.h"
 #include "nsCOMPtr.h"
 #include "nsString.h"
 #include "nsNetCID.h"
 #include "plbase64.h"
 #include "plstr.h"
 #include "prprf.h"
 #include "prlog.h"
 #include "prmem.h"
 #include "prnetdb.h"
 #include "mozilla/Likely.h"
 //-----------------------------------------------------------------------------
 static const char kNegotiate[] = "Negotiate";
 static const char kNegotiateAuthTrustedURIs[] = "network.negotiate-auth.trusted-uris";
 static const char kNegotiateAuthDelegationURIs[] = "network.negotiate-auth.delegation-uris";
 static const char kNegotiateAuthAllowProxies[] = "network.negotiate-auth.allow-proxies";
 static const char kNegotiateAuthAllowNonFqdn[] = "network.negotiate-auth.allow-non-fqdn";
 static const char kNegotiateAuthSSPI[] = "network.auth.use-sspi";
 #define kNegotiateLen  (sizeof(kNegotiate)-1)
 //-----------------------------------------------------------------------------
 NS_IMETHODIMP
 nsHttpNegotiateAuth::GetAuthFlags(uint32_t *flags)
 {
     //
     // Negotiate Auth creds should not be reused across multiple requests.
     // Only perform the negotiation when it is explicitly requested by the
     // server.  Thus, do *NOT* use the "REUSABLE_CREDENTIALS" flag here.
     //
     // CONNECTION_BASED is specified instead of REQUEST_BASED since we need
     // to complete a sequence of transactions with the server over the same
     // connection.
     //
     *flags = CONNECTION_BASED | IDENTITY_IGNORED;
     return NS_OK;
 }
 //
 // Always set *identityInvalid == FALSE here.  This
 // will prevent the browser from popping up the authentication
 // prompt window.  Because GSSAPI does not have an API
 // for fetching initial credentials (ex: A Kerberos TGT),
 // there is no correct way to get the users credentials.
 //
 NS_IMETHODIMP
 nsHttpNegotiateAuth::ChallengeReceived(nsIHttpAuthenticableChannel *authChannel,
                                        const char *challenge,
                                        bool isProxyAuth,
                                        nsISupports **sessionState,
                                        nsISupports **continuationState,
                                        bool *identityInvalid)
 {
     nsIAuthModule *module = (nsIAuthModule *) *continuationState;
     *identityInvalid = false;
     /* Always fail Negotiate auth for Tor Browser. We don't need it. */
     return NS_ERROR_ABORT;
     if (module)
         return NS_OK;
     nsresult rv;
     nsCOMPtr<nsIURI> uri;
     rv = authChannel->GetURI(getter_AddRefs(uri));
     if (NS_FAILED(rv))
         return rv;
     uint32_t req_flags = nsIAuthModule::REQ_DEFAULT;
     nsAutoCString service;
     if (isProxyAuth) {
         if (!TestBoolPref(kNegotiateAuthAllowProxies)) {
             LOG(("nsHttpNegotiateAuth::ChallengeReceived proxy auth blocked\n"));
             return NS_ERROR_ABORT;
         }
         req_flags |= nsIAuthModule::REQ_PROXY_AUTH;
         nsCOMPtr<nsIProxyInfo> proxyInfo;
         authChannel->GetProxyInfo(getter_AddRefs(proxyInfo));
         NS_ENSURE_STATE(proxyInfo);
         proxyInfo->GetHost(service);
     }
     else {
         bool allowed = TestNonFqdn(uri) ||
                        TestPref(uri, kNegotiateAuthTrustedURIs);
         if (!allowed) {
             LOG(("nsHttpNegotiateAuth::ChallengeReceived URI blocked\n"));
             return NS_ERROR_ABORT;
         }
         bool delegation = TestPref(uri, kNegotiateAuthDelegationURIs);
         if (delegation) {
             LOG(("  using REQ_DELEGATE\n"));
             req_flags |= nsIAuthModule::REQ_DELEGATE;
         }
         rv = uri->GetAsciiHost(service);
         if (NS_FAILED(rv))
             return rv;
     }
     LOG(("  service = %s\n", service.get()));
     //
     // The correct service name for IIS servers is "HTTP/f.q.d.n", so
     // construct the proper service name for passing to "gss_import_name".
     //
     // TODO: Possibly make this a configurable service name for use
     // with non-standard servers that use stuff like "khttp/f.q.d.n"
     // instead.
     //
     service.Insert("HTTP@", 0);
     const char *contractID;
     if (TestBoolPref(kNegotiateAuthSSPI)) {
 	   LOG(("  using negotiate-sspi\n"));
 	   contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "negotiate-sspi";
     }
     else {
 	   LOG(("  using negotiate-gss\n"));
 	   contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "negotiate-gss";
     }
     rv = CallCreateInstance(contractID, &module);
     if (NS_FAILED(rv)) {
         LOG(("  Failed to load Negotiate Module \n"));
         return rv;
     }
     rv = module->Init(service.get(), req_flags, nullptr, nullptr, nullptr);
     if (NS_FAILED(rv)) {
         NS_RELEASE(module);
         return rv;
     }
     *continuationState = module;
     return NS_OK;
 }
 NS_IMPL_ISUPPORTS(nsHttpNegotiateAuth, nsIHttpAuthenticator)
 //
 // GenerateCredentials
 //
 // This routine is responsible for creating the correct authentication
 // blob to pass to the server that requested "Negotiate" authentication.
 //
 NS_IMETHODIMP
 nsHttpNegotiateAuth::GenerateCredentials(nsIHttpAuthenticableChannel *authChannel,
                                          const char *challenge,
                                          bool isProxyAuth,
                                          const char16_t *domain,
                                          const char16_t *username,
                                          const char16_t *password,
                                          nsISupports **sessionState,
                                          nsISupports **continuationState,
                                          uint32_t *flags,
                                          char **creds)
 {
     // ChallengeReceived must have been called previously.
     nsIAuthModule *module = (nsIAuthModule *) *continuationState;
     NS_ENSURE_TRUE(module, NS_ERROR_NOT_INITIALIZED);
     *flags = USING_INTERNAL_IDENTITY;
     LOG(("nsHttpNegotiateAuth::GenerateCredentials() [challenge=%s]\n", challenge));
     NS_ASSERTION(creds, "null param");
 #ifdef DEBUG
     bool isGssapiAuth =
         !PL_strncasecmp(challenge, kNegotiate, kNegotiateLen);
     NS_ASSERTION(isGssapiAuth, "Unexpected challenge");
 #endif
     //
     // If the "Negotiate:" header had some data associated with it,
     // that data should be used as the input to this call.  This may
     // be a continuation of an earlier call because GSSAPI authentication
     // often takes multiple round-trips to complete depending on the
     // context flags given.  We want to use MUTUAL_AUTHENTICATION which
     // generally *does* require multiple round-trips.  Don't assume
     // auth can be completed in just 1 call.
     //
     unsigned int len = strlen(challenge);
     void *inToken, *outToken;
     uint32_t inTokenLen, outTokenLen;
     if (len > kNegotiateLen) {
         challenge += kNegotiateLen;
         while (*challenge == ' ')
             challenge++;
         len = strlen(challenge);
         // strip off any padding (see bug 230351)
         while (challenge[len - 1] == '=')
             len--;
         inTokenLen = (len * 3)/4;
         inToken = malloc(inTokenLen);
         if (!inToken)
             return (NS_ERROR_OUT_OF_MEMORY);
         //
         // Decode the response that followed the "Negotiate" token
         //
         if (PL_Base64Decode(challenge, len, (char *) inToken) == nullptr) {
             free(inToken);
             return(NS_ERROR_UNEXPECTED);
         }
     }
     else {
         //
         // Initializing, don't use an input token.
         //
         inToken = nullptr;
         inTokenLen = 0;
     }
     nsresult rv = module->GetNextToken(inToken, inTokenLen, &outToken, &outTokenLen);
     free(inToken);
     if (NS_FAILED(rv))
         return rv;
     if (outTokenLen == 0) {
         LOG(("  No output token to send, exiting"));
         return NS_ERROR_FAILURE;
     }
     //
     // base64 encode the output token.
     //
     char *encoded_token = PL_Base64Encode((char *)outToken, outTokenLen, nullptr);
     nsMemory::Free(outToken);
     if (!encoded_token)
         return NS_ERROR_OUT_OF_MEMORY;
     LOG(("  Sending a token of length %d\n", outTokenLen));
     // allocate a buffer sizeof("Negotiate" + " " + b64output_token + "\0")
     *creds = (char *) nsMemory::Alloc(kNegotiateLen + 1 + strlen(encoded_token) + 1);
     if (MOZ_UNLIKELY(!*creds))
         rv = NS_ERROR_OUT_OF_MEMORY;
     else
         sprintf(*creds, "%s %s", kNegotiate, encoded_token);
     PR_Free(encoded_token);
     return rv;
 }
 bool
 nsHttpNegotiateAuth::TestBoolPref(const char *pref)
 {
     nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
     if (!prefs)
         return false;
     bool val;
     nsresult rv = prefs->GetBoolPref(pref, &val);
     if (NS_FAILED(rv))
         return false;
     return val;
 }
 bool
 nsHttpNegotiateAuth::TestNonFqdn(nsIURI *uri)
 {
     nsAutoCString host;
     PRNetAddr addr;
     if (!TestBoolPref(kNegotiateAuthAllowNonFqdn))
         return false;
     if (NS_FAILED(uri->GetAsciiHost(host)))
         return false;
     // return true if host does not contain a dot and is not an ip address
     return !host.IsEmpty() && host.FindChar('.') == kNotFound &&
            PR_StringToNetAddr(host.BeginReading(), &addr) != PR_SUCCESS;
 }
 bool
 nsHttpNegotiateAuth::TestPref(nsIURI *uri, const char *pref)
 {
     nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
     if (!prefs)
         return false;
     nsAutoCString scheme, host;
     int32_t port;
     if (NS_FAILED(uri->GetScheme(scheme)))
         return false;
     if (NS_FAILED(uri->GetAsciiHost(host)))
         return false;
     if (NS_FAILED(uri->GetPort(&port)))
         return false;
     char *hostList;
     if (NS_FAILED(prefs->GetCharPref(pref, &hostList)) || !hostList)
         return false;
     // pseudo-BNF
     // ----------
     //
     // url-list       base-url ( base-url "," LWS )*
     // base-url       ( scheme-part | host-part | scheme-part host-part )
     // scheme-part    scheme "://"
     // host-part      host [":" port]
     //
     // for example:
     //   "https://, http://office.foo.com"
     //
     char *start = hostList, *end;
     for (;;) {
         // skip past any whitespace
         while (*start == ' ' || *start == '\t')
             ++start;
         end = strchr(start, ',');
         if (!end)
             end = start + strlen(start);
         if (start == end)
             break;
         if (MatchesBaseURI(scheme, host, port, start, end))
             return true;
         if (*end == '\0')
             break;
         start = end + 1;
     }
     nsMemory::Free(hostList);
     return false;
 }
 bool
 nsHttpNegotiateAuth::MatchesBaseURI(const nsCSubstring &matchScheme,
                                     const nsCSubstring &matchHost,
                                     int32_t             matchPort,
                                     const char         *baseStart,
                                     const char         *baseEnd)
 {
     // check if scheme://host:port matches baseURI
     // parse the base URI
     const char *hostStart, *schemeEnd = strstr(baseStart, "://");
     if (schemeEnd) {
         // the given scheme must match the parsed scheme exactly
         if (!matchScheme.Equals(Substring(baseStart, schemeEnd)))
             return false;
         hostStart = schemeEnd + 3;
     }
     else
         hostStart = baseStart;
     // XXX this does not work for IPv6-literals
     const char *hostEnd = strchr(hostStart, ':');
     if (hostEnd && hostEnd < baseEnd) {
         // the given port must match the parsed port exactly
         int port = atoi(hostEnd + 1);
         if (matchPort != (int32_t) port)
             return false;
     }
     else
         hostEnd = baseEnd;
     // if we didn't parse out a host, then assume we got a match.
     if (hostStart == hostEnd)
         return true;
     uint32_t hostLen = hostEnd - hostStart;
     // matchHost must either equal host or be a subdomain of host
     if (matchHost.Length() < hostLen)
         return false;
     const char *end = matchHost.EndReading();
     if (PL_strncasecmp(end - hostLen, hostStart, hostLen) == 0) {
         // if matchHost ends with host from the base URI, then make sure it is
         // either an exact match, or prefixed with a dot.  we don't want
         // "foobar.com" to match "bar.com"
         if (matchHost.Length() == hostLen ||
             *(end - hostLen) == '.' ||
             *(end - hostLen - 1) == '.')
             return true;
     }
     return false;
 }

The Tor Browser / annotate

extensions/auth/nsHttpNegotiateAuth.cpp@6474c204b198 (annotated)

extensions/auth/nsHttpNegotiateAuth.cpp