The Tor Browser / file comparison
comparison: extensions/auth/nsAuthSASL.cpp
extensions/auth/nsAuthSASL.cpp
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:9952576c4a15 |
|---|---|
| 1 /* vim:set ts=4 sw=4 et cindent: */ | |
| 2 /* This Source Code Form is subject to the terms of the Mozilla Public | |
| 3 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 4 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
| 5 | |
| 6 #include "nsComponentManagerUtils.h" | |
| 7 #include "nsNativeCharsetUtils.h" | |
| 8 #include "nsIServiceManager.h" | |
| 9 #include "nsIPrefService.h" | |
| 10 | |
| 11 #include "nsAuthSASL.h" | |
| 12 | |
| 13 static const char kNegotiateAuthSSPI[] = "network.auth.use-sspi"; | |
| 14 | |
| 15 nsAuthSASL::nsAuthSASL() | |
| 16 { | |
| 17 mSASLReady = false; | |
| 18 } | |
| 19 | |
| 20 void nsAuthSASL::Reset() | |
| 21 { | |
| 22 mSASLReady = false; | |
| 23 } | |
| 24 | |
| 25 /* Limitations apply to this class's thread safety. See the header file */ | |
| 26 NS_IMPL_ISUPPORTS(nsAuthSASL, nsIAuthModule) | |
| 27 | |
| 28 NS_IMETHODIMP | |
| 29 nsAuthSASL::Init(const char *serviceName, | |
| 30 uint32_t serviceFlags, | |
| 31 const char16_t *domain, | |
| 32 const char16_t *username, | |
| 33 const char16_t *password) | |
| 34 { | |
| 35 nsresult rv; | |
| 36 | |
| 37 NS_ASSERTION(username, "SASL requires a username"); | |
| 38 NS_ASSERTION(!domain && !password, "unexpected credentials"); | |
| 39 | |
| 40 mUsername = username; | |
| 41 | |
| 42 // If we're doing SASL, we should do mutual auth | |
| 43 serviceFlags |= REQ_MUTUAL_AUTH; | |
| 44 | |
| 45 // Find out whether we should be trying SSPI or not | |
| 46 const char *contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "kerb-gss"; | |
| 47 | |
| 48 nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID); | |
| 49 if (prefs) { | |
| 50 bool val; | |
| 51 rv = prefs->GetBoolPref(kNegotiateAuthSSPI, &val); | |
| 52 if (NS_SUCCEEDED(rv) && val) | |
| 53 contractID = NS_AUTH_MODULE_CONTRACTID_PREFIX "kerb-sspi"; | |
| 54 } | |
| 55 | |
| 56 mInnerModule = do_CreateInstance(contractID, &rv); | |
| 57 // if we can't create the GSSAPI module, then bail | |
| 58 NS_ENSURE_SUCCESS(rv, rv); | |
| 59 | |
| 60 mInnerModule->Init(serviceName, serviceFlags, nullptr, nullptr, nullptr); | |
| 61 | |
| 62 return NS_OK; | |
| 63 } | |
| 64 | |
| 65 NS_IMETHODIMP | |
| 66 nsAuthSASL::GetNextToken(const void *inToken, | |
| 67 uint32_t inTokenLen, | |
| 68 void **outToken, | |
| 69 uint32_t *outTokenLen) | |
| 70 { | |
| 71 nsresult rv; | |
| 72 void *unwrappedToken; | |
| 73 char *message; | |
| 74 uint32_t unwrappedTokenLen, messageLen; | |
| 75 nsAutoCString userbuf; | |
| 76 | |
| 77 if (!mInnerModule) | |
| 78 return NS_ERROR_NOT_INITIALIZED; | |
| 79 | |
| 80 if (mSASLReady) { | |
| 81 // If the server COMPLETEs with an empty token, Cyrus sends us that token. | |
| 82 // I don't think this is correct, but we need to handle that behaviour. | |
| 83 // Cyrus ignores the contents of our reply token. | |
| 84 if (inTokenLen == 0) { | |
| 85 *outToken = nullptr; | |
| 86 *outTokenLen = 0; | |
| 87 return NS_OK; | |
| 88 } | |
| 89 // We've completed the GSSAPI portion of the handshake, and are | |
| 90 // now ready to do the SASL security layer and authzid negotiation | |
| 91 | |
| 92 // Input packet from the server needs to be unwrapped. | |
| 93 rv = mInnerModule->Unwrap(inToken, inTokenLen, &unwrappedToken, | |
| 94 &unwrappedTokenLen); | |
| 95 if (NS_FAILED(rv)) { | |
| 96 Reset(); | |
| 97 return rv; | |
| 98 } | |
| 99 | |
| 100 // If we were doing security layers then we'd care what the | |
| 101 // server had sent us. We're not, so all we had to do was make | |
| 102 // sure that the signature was correct with the above unwrap() | |
| 103 nsMemory::Free(unwrappedToken); | |
| 104 | |
| 105 NS_CopyUnicodeToNative(mUsername, userbuf); | |
| 106 messageLen = userbuf.Length() + 4 + 1; | |
| 107 message = (char *)nsMemory::Alloc(messageLen); | |
| 108 if (!message) { | |
| 109 Reset(); | |
| 110 return NS_ERROR_OUT_OF_MEMORY; | |
| 111 } | |
| 112 message[0] = 0x01; // No security layer | |
| 113 message[1] = 0x00; | |
| 114 message[2] = 0x00; | |
| 115 message[3] = 0x00; // Maxbuf must be zero if we've got no sec layer | |
| 116 strcpy(message+4, userbuf.get()); | |
| 117 // Userbuf should not be nullptr terminated, so trim the trailing nullptr | |
| 118 // when wrapping the message | |
| 119 rv = mInnerModule->Wrap((void *) message, messageLen-1, false, | |
| 120 outToken, outTokenLen); | |
| 121 nsMemory::Free(message); | |
| 122 Reset(); // All done | |
| 123 return NS_SUCCEEDED(rv) ? NS_SUCCESS_AUTH_FINISHED : rv; | |
| 124 } | |
| 125 rv = mInnerModule->GetNextToken(inToken, inTokenLen, outToken, | |
| 126 outTokenLen); | |
| 127 if (rv == NS_SUCCESS_AUTH_FINISHED) { | |
| 128 mSASLReady = true; | |
| 129 rv = NS_OK; | |
| 130 } | |
| 131 return rv; | |
| 132 } | |
| 133 | |
| 134 NS_IMETHODIMP | |
| 135 nsAuthSASL::Unwrap(const void *inToken, | |
| 136 uint32_t inTokenLen, | |
| 137 void **outToken, | |
| 138 uint32_t *outTokenLen) | |
| 139 { | |
| 140 return NS_ERROR_NOT_IMPLEMENTED; | |
| 141 } | |
| 142 | |
| 143 NS_IMETHODIMP | |
| 144 nsAuthSASL::Wrap(const void *inToken, | |
| 145 uint32_t inTokenLen, | |
| 146 bool confidential, | |
| 147 void **outToken, | |
| 148 uint32_t *outTokenLen) | |
| 149 { | |
| 150 return NS_ERROR_NOT_IMPLEMENTED; | |
| 151 } |
