Implemented mid-level Negotiate protocol for Posix.

net/http/http_auth_gssapi_posix.cc

+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/http/http_auth_gssapi_posix.h"
+
+#include <string>
+
+#include "base/base64.h"
+#include "base/file_path.h"
+#include "base/logging.h"
+#include "base/native_library.h"
+#include "base/singleton.h"
+#include "base/string_util.h"
+#include "net/base/net_errors.h"
+#include "net/base/net_util.h"
+#include "net/http/http_auth.h"
+
+namespace net {
+
+gssapi::gss_OID_desc GSS_C_NT_USER_NAME = {
+  10,
+  (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"
+};
+gssapi::gss_OID_desc GSS_C_NT_MACHINE_UID_NAME = {
+  10,
+  (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"
+};
+gssapi::gss_OID_desc GSS_C_NT_STRING_UID_NAME = {
+  10,
+  (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"
+};
+gssapi::gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_X = {
+  6,
+  (void *) "\x2b\x06\x01\x05\x06\x02"
+};
+gssapi::gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE = {
+  10,
+  (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"
+};
+gssapi::gss_OID_desc GSS_C_NT_ANONYMOUS = {
+  6,
+  (void *) "\x2b\x06\01\x05\x06\x03"
+};
+gssapi::gss_OID_desc GSS_C_NT_EXPORT_NAME = {
+  6,
+  (void *) "\x2b\x06\x01\x05\x06\x04"
+};
+
+GSSAPISharedLibrary::GSSAPISharedLibrary()
+    : initialized_(false),
+      cached_initialize_value_(false),
+      gssapi_library_(NULL),
+      import_name_(NULL),
+      release_name_(NULL),
+      release_buffer_(NULL),
+      display_status_(NULL),
+      init_sec_context_(NULL),
+      wrap_size_limit_(NULL) {
+}
+
+GSSAPISharedLibrary::~GSSAPISharedLibrary() {
+  if (gssapi_library_) {
+    base::UnloadNativeLibrary(gssapi_library_);
+    gssapi_library_ = NULL;
+  }
+}
+
+bool GSSAPISharedLibrary::Init() {
+  if (!initialized_) {
+    cached_initialize_value_ = InitImpl();
+    initialized_ = true;
+  }
+  return cached_initialize_value_;
+}
+
+bool GSSAPISharedLibrary::InitImpl() {
+  DCHECK(!initialized_);
+  gssapi_library_ = LoadSharedObject();
+  if (gssapi_library_ == NULL)
+    return false;
+  if (!BindMethods())
+    return false;
+  return true;
+}
+
+const char* GSSAPISharedLibrary::kLibraryNames[] = {
+  "libgssapi_krb5.so.2",
+  "libgssapi.so.4",
+  "libgssapi.so.1",
+};
+
+base::NativeLibrary GSSAPISharedLibrary::LoadSharedObject() {
+  for (unsigned int i = 0; i < arraysize(kLibraryNames); ++i) {
+    FilePath file_path(kLibraryNames[i]);
+    base::NativeLibrary lib = base::LoadNativeLibrary(file_path);
+    if (lib)
+      return lib;
+  }
+  return NULL;
+}
+
+template <typename T>
+bool FindAndBind(base::NativeLibrary library, const char* name, T* t) {
+  void* func = base::GetFunctionPointerFromNativeLibrary(library, name);
+  if (func == NULL) {
+    string16 error_message = base::GetLibraryErrorMessage();
+    LOG(WARNING) << "dlsym failed when finding function pointer for " << name
+                 << ": " << error_message;
+    return false;
+  }
+  *t = reinterpret_cast<T>(func);
+  return true;
+}
+
+bool GSSAPISharedLibrary::BindMethods() {
+  DCHECK(gssapi_library_ != NULL);
+  if (!FindAndBind(gssapi_library_, "gss_import_name", &import_name_))
+    return false;
+  if (!FindAndBind(gssapi_library_, "gss_release_name", &release_name_))
+    return false;
+  if (!FindAndBind(gssapi_library_, "gss_release_buffer", &release_buffer_))
+    return false;
+  if (!FindAndBind(gssapi_library_, "gss_display_status", &display_status_))
+    return false;
+  if (!FindAndBind(gssapi_library_, "gss_init_sec_context", &init_sec_context_))
+    return false;
+  if (!FindAndBind(gssapi_library_, "gss_wrap_size_limit", &wrap_size_limit_))
+    return false;
+  return true;
+}
+
+gssapi::OM_uint32 GSSAPISharedLibrary::import_name(
+    gssapi::OM_uint32* minor_status,
+    const gssapi::gss_buffer_t input_name_buffer,
+    const gssapi::gss_OID input_name_type,
+    gssapi::gss_name_t* output_name) {
+  DCHECK(cached_initialize_value_);
+  if (!import_name_)
+    return gssapi::OM_uint32(-1);
+  return import_name_(minor_status, input_name_buffer, input_name_type,
+                      output_name);
+}
+
+gssapi::OM_uint32 GSSAPISharedLibrary::release_name(
+    gssapi::OM_uint32* minor_status,
+    gssapi::gss_name_t* input_name) {
+  DCHECK(cached_initialize_value_);
+  if (!release_name_)
+    return gssapi::OM_uint32(-1);
+  return release_name_(minor_status, input_name);
+}
+
+gssapi::OM_uint32 GSSAPISharedLibrary::release_buffer(
+    gssapi::OM_uint32* minor_status,
+    gssapi::gss_buffer_t buffer) {
+  DCHECK(cached_initialize_value_);
+  if (!release_buffer_)
+    return gssapi::OM_uint32(-1);
+  return release_buffer_(minor_status, buffer);
+}
+
+gssapi::OM_uint32 GSSAPISharedLibrary::display_status(
+    gssapi::OM_uint32* minor_status,
+    gssapi::OM_uint32 status_value,
+    int status_type,
+    const gssapi::gss_OID mech_type,
+    gssapi::OM_uint32* message_context,
+    gssapi::gss_buffer_t status_string) {
+  DCHECK(cached_initialize_value_);
+  if (!display_status_)
+    return gssapi::OM_uint32(-1);
+  status_string->length = 0;
+  status_string->value = NULL;
+  return display_status_(minor_status, status_value, status_type, mech_type,
+                         message_context, status_string);
+}
+
+gssapi::OM_uint32 GSSAPISharedLibrary::init_sec_context(
+    gssapi::OM_uint32* minor_status,
+    const gssapi::gss_cred_id_t initiator_cred_handle,
+    gssapi::gss_ctx_id_t* context_handle,
+    const gssapi::gss_name_t target_name,
+    const gssapi::gss_OID mech_type,
+    gssapi::OM_uint32 req_flags,
+    gssapi::OM_uint32 time_req,
+    const gssapi::gss_channel_bindings_t input_chan_bindings,
+    const gssapi::gss_buffer_t input_token,
+    gssapi::gss_OID* actual_mech_type,
+    gssapi::gss_buffer_t* output_token,
+    gssapi::OM_uint32* ret_flags,
+    gssapi::OM_uint32* time_rec) {
+  DCHECK(cached_initialize_value_);
+  if (!init_sec_context_)
+    return gssapi::OM_uint32(-1);
+  return init_sec_context_(minor_status,
+                           initiator_cred_handle,
+                           context_handle,
+                           target_name,
+                           mech_type,
+                           req_flags,
+                           time_req,
+                           input_chan_bindings,
+                           input_token,
+                           actual_mech_type,
+                           reinterpret_cast<gssapi::gss_buffer_t>(output_token),
+                           ret_flags,
+                           time_rec);
+}
+
+gssapi::OM_uint32 GSSAPISharedLibrary::wrap_size_limit(
+    gssapi::OM_uint32* minor_status,
+    const gssapi::gss_ctx_id_t context_handle,
+    int conf_req_flag,
+    gssapi::gss_qop_t qop_req,
+    gssapi::OM_uint32 req_output_size,
+    gssapi::OM_uint32* max_input_size) {
+  DCHECK(cached_initialize_value_);
+  if (!wrap_size_limit_)
+    return gssapi::OM_uint32(-1);
+  return wrap_size_limit_(minor_status,
+                          context_handle,
+                          conf_req_flag,
+                          qop_req,
+                          req_output_size,
+                          max_input_size);
+}
+
+GSSAPILibrary* GSSAPILibrary::GetDefault() {
+  return Singleton<GSSAPISharedLibrary>::get();
+}
+
+namespace {
+std::string DisplayStatus(gssapi::OM_uint32 major_status, gssapi::OM_uint32 minor_status) {
+  if (major_status == GSS_S_COMPLETE)
+    return "OK";
+  return StringPrintf("%x %x", major_status, minor_status);
+}
+
+static const int kMaxDisplayIterations = 8;
+
+std::string DisplayCode(GSSAPILibrary* gssapi_lib,
+                        gssapi::OM_uint32 status,
+                        gssapi::OM_uint32 status_code_type) {
+  // msg_ctx needs to be outside the loop because it is invoked multiple times.
+  gssapi::OM_uint32 msg_ctx = 0;
+  std::string rv = StringPrintf("(0x%08X)", status);
+
+  // This loop should continue iterating until msg_ctx is 0 after the first
+  // iteration. To be cautious and prevent an infinite loop, it stops after
+  // a finite number of iterations as well.
+  for (int i = 0; i < kMaxDisplayIterations; ++i) {
+    gssapi::OM_uint32 min_stat;
+    gssapi::gss_buffer_desc_struct msg = GSS_C_EMPTY_BUFFER;
+    gssapi_lib->display_status(&min_stat, status, status_code_type,
+                               GSS_C_NULL_OID,
+                               &msg_ctx, &msg);
+    rv += StringPrintf(" %s", static_cast<char *>(msg.value));
+    gssapi_lib->release_buffer(&min_stat, &msg);
+    if (!msg_ctx)
+      break;
+  }
+  return rv;
+}
+
+std::string DisplayExtendedStatus(GSSAPILibrary* gssapi_lib,
+                                  gssapi::OM_uint32 major_status,
+                                  gssapi::OM_uint32 minor_status) {
+  if (major_status == GSS_S_COMPLETE)
+    return "OK";
+  std::string major = DisplayCode(gssapi_lib, major_status, GSS_C_GSS_CODE);
+  std::string minor = DisplayCode(gssapi_lib, minor_status, GSS_C_MECH_CODE);
+  return StringPrintf("Major: %s | Minor: %s", major.c_str(), minor.c_str());
+}
+
+
+// ScopedName releases a gssapi::gss_name_t when it goes out of scope.
+class ScopedName {
+ public:
+  ScopedName(gssapi::gss_name_t name,
+             GSSAPILibrary* gssapi_lib)
+      : name_(name),
+        gssapi_lib_(gssapi_lib) {
+    DCHECK(gssapi_lib_);
+  }
+
+  ~ScopedName() {
+    if (name_ != GSS_C_NO_NAME) {
+      gssapi::OM_uint32 minor_status = 0;
+      gssapi::OM_uint32 major_status =
+          gssapi_lib_->release_name(&minor_status, &name_);
+      if (major_status != GSS_S_COMPLETE) {
+        LOG(WARNING) << "Problem releasing name. "
+                     << DisplayStatus(major_status, minor_status);
+      }
+      name_ = GSS_C_NO_NAME;
+    }
+  }
+
+ private:
+  gssapi::gss_name_t name_;
+  GSSAPILibrary* gssapi_lib_;
+
+  DISALLOW_COPY_AND_ASSIGN(ScopedName);
+};
+
+// ScopedBuffer releases a gssapi::gss_buffer_t when it goes out of scope.
+class ScopedBuffer {
+ public:
+  ScopedBuffer(gssapi::gss_buffer_t buffer,
+               GSSAPILibrary* gssapi_lib)
+      : buffer_(buffer),
+        gssapi_lib_(gssapi_lib) {
+    DCHECK(gssapi_lib_);
+  }
+
+  ~ScopedBuffer() {
+    if (buffer_ != GSS_C_NO_BUFFER) {
+      gssapi::OM_uint32 minor_status = 0;
+      gssapi::OM_uint32 major_status =
+          gssapi_lib_->release_buffer(&minor_status, buffer_);
+      if (major_status != GSS_S_COMPLETE) {
+        LOG(WARNING) << "Problem releasing buffer. "
+                     << DisplayStatus(major_status, minor_status);
+      }
+      buffer_ = GSS_C_NO_BUFFER;
+    }
+  }
+
+ private:
+  gssapi::gss_buffer_t buffer_;
+  GSSAPILibrary* gssapi_lib_;
+
+  DISALLOW_COPY_AND_ASSIGN(ScopedBuffer);
+};
+
+}  // namespace
+
+HttpAuthGSSAPI::HttpAuthGSSAPI(const std::string& scheme,
+                               gssapi::gss_OID gss_oid,
+                               GSSAPILibrary* library)
+    : scheme_(scheme),
+      gss_oid_(gss_oid),
+      library_(library),
+      sec_context_(NULL) {
+}
+
+HttpAuthGSSAPI::~HttpAuthGSSAPI() {
+}
+
+bool HttpAuthGSSAPI::NeedsIdentity() const {
+  return decoded_server_auth_token_.empty();
+}
+
+bool HttpAuthGSSAPI::IsFinalRound() const {
+  return !NeedsIdentity();
+}
+
+bool HttpAuthGSSAPI::ParseChallenge(HttpAuth::ChallengeTokenizer* tok) {
+  // Verify the challenge's auth-scheme.
+  if (!tok->valid() ||
+      !LowerCaseEqualsASCII(tok->scheme(), StringToLowerASCII(scheme_).c_str()))
+    return false;
+
+  tok->set_expect_base64_token(true);
+  if (!tok->GetNext()) {
+    decoded_server_auth_token_.clear();
+    return true;
+  }
+
+  std::string encoded_auth_token = tok->value();
+  std::string decoded_auth_token;
+  bool base64_rv = base::Base64Decode(encoded_auth_token, &decoded_auth_token);
+  if (!base64_rv) {
+    LOG(ERROR) << "Base64 decoding of auth token failed.";
+    return false;
+  }
+  decoded_server_auth_token_ = decoded_auth_token;
+  return true;
+}
+
+
+static uint8 kHostbasedServiceOidElements[] = {
+  0x2a, 0x86, 0x48, 0x86, 0xF7, 0x12, 0x01, 0x02, 0x01, 0x04};
+static gssapi::gss_OID_desc kHostbasedServiceOidDesc = {
+  arraysize(kHostbasedServiceOidElements),
+  static_cast<void *>(&kHostbasedServiceOidElements)};
+
+int HttpAuthGSSAPI::GenerateAuthToken(const std::wstring* username,
+                                      const std::wstring* password,
+                                      const std::wstring& origin,
+                                      const HttpRequestInfo* request,
+                                      const ProxyInfo* proxy,
+                                      std::string* out_credentials) {
+  DCHECK(library_);
+  DCHECK((username == NULL) == (password == NULL));
+
+  library_->Init();
+
+  if (!IsFinalRound()) {
+    int rv = OnFirstRound(username, password);
+    if (rv != OK)
+      return rv;
+  }
+
+  gssapi::gss_buffer_desc input_token = GSS_C_EMPTY_BUFFER;
+  input_token.length = decoded_server_auth_token_.length();
+  input_token.value = static_cast<void *>(const_cast<char *>(
+      decoded_server_auth_token_.c_str()));
+  gssapi::gss_buffer_desc output_token1 = GSS_C_EMPTY_BUFFER;
+  gssapi::gss_buffer_t output_token = &output_token1;
+  int rv = GetNextSecurityToken(origin, &input_token, &output_token);
+  if (rv != OK)
+    return rv;
+  ScopedBuffer sb_out_token(output_token, library_);
+
+  // Base64 encode data in output buffer and prepend the scheme.
+  std::string encode_input(static_cast<char*>(output_token->value),
+                           output_token->length);
+  std::string encode_output;
+  bool ok = base::Base64Encode(encode_input, &encode_output);
+  if (!ok)
+    return rv;
+  *out_credentials = scheme_ + " " + encode_output;
+  return OK;
+}
+
+int HttpAuthGSSAPI::OnFirstRound(const std::wstring* username,
+                                 const std::wstring* password) {
+  // TODO(cbentzel): Acquire credentials?
+  DCHECK((username == NULL) == (password == NULL));
+  username_ = L"";
+  password_ = L"";
+  if (username) {
+    username_ = *username;
+    password_ = *password;
+  }
+  return OK;
+}
+
+int HttpAuthGSSAPI::GetNextSecurityToken(const std::wstring& origin,
+                                         gssapi::gss_buffer_t in_token,
+                                         gssapi::gss_buffer_t* out_token) {
+  // Create a name for the principal
+  // TODO(cbentzel): Should this be username@origin? What about domain?
+  // TODO(cbentzel): Just do this on the first pass?
+  const GURL orig(WideToASCII(origin));
+  std::string origin_principal = GetHostAndPort(orig);
+  gssapi::gss_buffer_desc origin_buffer = GSS_C_EMPTY_BUFFER;
+  origin_buffer.value = static_cast<void *>(const_cast<char *>(
+      origin_principal.c_str()));
+  origin_buffer.length = origin_principal.size() + 1;
+  gssapi::OM_uint32 minor_status_import_name = 0;
+  gssapi::gss_name_t principal_name;
+  gssapi::OM_uint32 major_status_import_name = library_->import_name(
+      &minor_status_import_name,
+      &origin_buffer,
+      &kHostbasedServiceOidDesc,
+      &principal_name);
+  if (major_status_import_name != GSS_S_COMPLETE) {
+    LOG(WARNING) << "Problem importing name. "
+                 << DisplayExtendedStatus(library_,
+                                          major_status_import_name,
+                                          minor_status_import_name);
+    return ERR_UNEXPECTED;
+  }
+  ScopedName scoped_name(principal_name, library_);
+
+  // Create a security context.
+  gssapi::OM_uint32 minor_status_sec_context;
+  gssapi::OM_uint32 req_flags = 0;
+  gssapi::OM_uint32 major_status_sec_context = library_->init_sec_context(
+      &minor_status_sec_context,
+      GSS_C_NO_CREDENTIAL,
+      &sec_context_,
+      principal_name,
+      gss_oid_,
+      req_flags,
+      GSS_C_INDEFINITE,
+      GSS_C_NO_CHANNEL_BINDINGS,
+      in_token,
+      NULL,  // actual_mech_type
+      out_token,
+      NULL,  // ret flags
+      NULL);
+  if (major_status_sec_context != GSS_S_COMPLETE &&
+      major_status_sec_context != GSS_S_CONTINUE_NEEDED) {
+    LOG(WARNING) << "Problem initializing context. "
+                 << DisplayExtendedStatus(library_,
+                                          major_status_sec_context,
+                                          minor_status_sec_context);
+    return ERR_UNEXPECTED;
+  }
+
+  return (major_status_sec_context != GSS_S_COMPLETE) ? ERR_IO_PENDING : OK;
+}
+
+}  // namespace net
+