1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
|
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_
#define NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_
#include <string>
#include <string_view>
#include "base/gtest_prod_util.h"
#include "base/memory/raw_ptr.h"
#include "base/native_library.h"
#include "base/values.h"
#include "build/build_config.h"
#include "net/base/completion_once_callback.h"
#include "net/base/net_export.h"
#include "net/http/http_auth.h"
#include "net/http/http_auth_mechanism.h"
#if BUILDFLAG(IS_APPLE)
#include <GSS/gssapi.h>
#elif BUILDFLAG(IS_FREEBSD)
#include <gssapi/gssapi.h>
#else
#include <gssapi.h>
#endif
namespace net {
class HttpAuthChallengeTokenizer;
// Mechanism OID for GSSAPI. We always use SPNEGO.
NET_EXPORT_PRIVATE extern gss_OID CHROME_GSS_SPNEGO_MECH_OID_DESC;
// GSSAPILibrary is introduced so unit tests can mock the calls to the GSSAPI
// library. The default implementation attempts to load one of the standard
// GSSAPI library implementations, then simply passes the arguments on to
// that implementation.
class NET_EXPORT_PRIVATE GSSAPILibrary {
public:
virtual ~GSSAPILibrary() = default;
// Initializes the library, including any necessary dynamic libraries.
// This is done separately from construction (which happens at startup time)
// in order to delay work until the class is actually needed.
virtual bool Init(const NetLogWithSource& net_log) = 0;
// These methods match the ones in the GSSAPI library.
virtual OM_uint32 import_name(
OM_uint32* minor_status,
const gss_buffer_t input_name_buffer,
const gss_OID input_name_type,
gss_name_t* output_name) = 0;
virtual OM_uint32 release_name(
OM_uint32* minor_status,
gss_name_t* input_name) = 0;
virtual OM_uint32 release_buffer(
OM_uint32* minor_status,
gss_buffer_t buffer) = 0;
virtual OM_uint32 display_name(
OM_uint32* minor_status,
const gss_name_t input_name,
gss_buffer_t output_name_buffer,
gss_OID* output_name_type) = 0;
virtual OM_uint32 display_status(
OM_uint32* minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
OM_uint32* message_contex,
gss_buffer_t status_string) = 0;
virtual OM_uint32 init_sec_context(
OM_uint32* minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t* context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID* actual_mech_type,
gss_buffer_t output_token,
OM_uint32* ret_flags,
OM_uint32* time_rec) = 0;
virtual OM_uint32 wrap_size_limit(
OM_uint32* minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
OM_uint32* max_input_size) = 0;
virtual OM_uint32 delete_sec_context(
OM_uint32* minor_status,
gss_ctx_id_t* context_handle,
gss_buffer_t output_token) = 0;
virtual OM_uint32 inquire_context(
OM_uint32* minor_status,
const gss_ctx_id_t context_handle,
gss_name_t* src_name,
gss_name_t* targ_name,
OM_uint32* lifetime_rec,
gss_OID* mech_type,
OM_uint32* ctx_flags,
int* locally_initiated,
int* open) = 0;
virtual const std::string& GetLibraryNameForTesting() = 0;
};
// GSSAPISharedLibrary class is defined here so that unit tests can access it.
class NET_EXPORT_PRIVATE GSSAPISharedLibrary : public GSSAPILibrary {
public:
// If |gssapi_library_name| is empty, hard-coded default library names are
// used.
explicit GSSAPISharedLibrary(const std::string& gssapi_library_name);
~GSSAPISharedLibrary() override;
// GSSAPILibrary methods:
bool Init(const NetLogWithSource& net_log) override;
OM_uint32 import_name(OM_uint32* minor_status,
const gss_buffer_t input_name_buffer,
const gss_OID input_name_type,
gss_name_t* output_name) override;
OM_uint32 release_name(OM_uint32* minor_status,
gss_name_t* input_name) override;
OM_uint32 release_buffer(OM_uint32* minor_status,
gss_buffer_t buffer) override;
OM_uint32 display_name(OM_uint32* minor_status,
const gss_name_t input_name,
gss_buffer_t output_name_buffer,
gss_OID* output_name_type) override;
OM_uint32 display_status(OM_uint32* minor_status,
OM_uint32 status_value,
int status_type,
const gss_OID mech_type,
OM_uint32* message_contex,
gss_buffer_t status_string) override;
OM_uint32 init_sec_context(OM_uint32* minor_status,
const gss_cred_id_t initiator_cred_handle,
gss_ctx_id_t* context_handle,
const gss_name_t target_name,
const gss_OID mech_type,
OM_uint32 req_flags,
OM_uint32 time_req,
const gss_channel_bindings_t input_chan_bindings,
const gss_buffer_t input_token,
gss_OID* actual_mech_type,
gss_buffer_t output_token,
OM_uint32* ret_flags,
OM_uint32* time_rec) override;
OM_uint32 wrap_size_limit(OM_uint32* minor_status,
const gss_ctx_id_t context_handle,
int conf_req_flag,
gss_qop_t qop_req,
OM_uint32 req_output_size,
OM_uint32* max_input_size) override;
OM_uint32 delete_sec_context(OM_uint32* minor_status,
gss_ctx_id_t* context_handle,
gss_buffer_t output_token) override;
OM_uint32 inquire_context(OM_uint32* minor_status,
const gss_ctx_id_t context_handle,
gss_name_t* src_name,
gss_name_t* targ_name,
OM_uint32* lifetime_rec,
gss_OID* mech_type,
OM_uint32* ctx_flags,
int* locally_initiated,
int* open) override;
const std::string& GetLibraryNameForTesting() override;
private:
FRIEND_TEST_ALL_PREFIXES(HttpAuthGSSAPIPOSIXTest, GSSAPIStartup);
bool InitImpl(const NetLogWithSource& net_log);
// Finds a usable dynamic library for GSSAPI and loads it. The criteria are:
// 1. The library must exist.
// 2. The library must export the functions we need.
base::NativeLibrary LoadSharedLibrary(const NetLogWithSource& net_log);
bool BindMethods(base::NativeLibrary lib,
std::string_view library_name,
const NetLogWithSource& net_log);
bool initialized_ = false;
std::string gssapi_library_name_;
// Need some way to invalidate the library.
base::NativeLibrary gssapi_library_ = nullptr;
// Function pointers
decltype(&gss_import_name) import_name_ = nullptr;
decltype(&gss_release_name) release_name_ = nullptr;
decltype(&gss_release_buffer) release_buffer_ = nullptr;
decltype(&gss_display_name) display_name_ = nullptr;
decltype(&gss_display_status) display_status_ = nullptr;
decltype(&gss_init_sec_context) init_sec_context_ = nullptr;
decltype(&gss_wrap_size_limit) wrap_size_limit_ = nullptr;
decltype(&gss_delete_sec_context) delete_sec_context_ = nullptr;
decltype(&gss_inquire_context) inquire_context_ = nullptr;
};
// ScopedSecurityContext releases a gss_ctx_id_t when it goes out of
// scope.
class ScopedSecurityContext {
public:
explicit ScopedSecurityContext(GSSAPILibrary* gssapi_lib);
ScopedSecurityContext(const ScopedSecurityContext&) = delete;
ScopedSecurityContext& operator=(const ScopedSecurityContext&) = delete;
~ScopedSecurityContext();
gss_ctx_id_t get() const { return security_context_; }
gss_ctx_id_t* receive() { return &security_context_; }
private:
gss_ctx_id_t security_context_ = GSS_C_NO_CONTEXT;
raw_ptr<GSSAPILibrary> gssapi_lib_;
};
// TODO(ahendrickson): Share code with HttpAuthSSPI.
class NET_EXPORT_PRIVATE HttpAuthGSSAPI : public HttpAuthMechanism {
public:
HttpAuthGSSAPI(GSSAPILibrary* library,
const gss_OID gss_oid);
~HttpAuthGSSAPI() override;
// HttpAuthMechanism implementation:
bool Init(const NetLogWithSource& net_log) override;
bool NeedsIdentity() const override;
bool AllowsExplicitCredentials() const override;
HttpAuth::AuthorizationResult ParseChallenge(
HttpAuthChallengeTokenizer* tok) override;
int GenerateAuthToken(const AuthCredentials* credentials,
const std::string& spn,
const std::string& channel_bindings,
std::string* auth_token,
const NetLogWithSource& net_log,
CompletionOnceCallback callback) override;
void SetDelegation(HttpAuth::DelegationType delegation_type) override;
private:
int GetNextSecurityToken(const std::string& spn,
const std::string& channel_bindings,
gss_buffer_t in_token,
gss_buffer_t out_token,
const NetLogWithSource& net_log);
gss_OID gss_oid_;
raw_ptr<GSSAPILibrary> library_;
std::string decoded_server_auth_token_;
ScopedSecurityContext scoped_sec_context_;
HttpAuth::DelegationType delegation_type_ = HttpAuth::DelegationType::kNone;
};
// Diagnostics
// GetGssStatusCodeValue constructs a base::Value::Dict containing a status code
// and a message.
//
// {
// "status" : <status value as a number>,
// "message": [
// <list of strings explaining what that number means>
// ]
// }
//
// Messages are looked up via gss_display_status() exposed by |gssapi_lib|. The
// type of status code should be indicated by setting |status_code_type| to
// either |GSS_C_MECH_CODE| or |GSS_C_GSS_CODE|.
//
// Mechanism specific codes aren't unique, so the mechanism needs to be
// identified to look up messages if |status_code_type| is |GSS_C_MECH_CODE|.
// Since no mechanism OIDs are passed in, mechanism specific status codes will
// likely not have messages.
NET_EXPORT_PRIVATE base::Value::Dict GetGssStatusCodeValue(
GSSAPILibrary* gssapi_lib,
OM_uint32 status,
OM_uint32 status_code_type);
// Given major and minor GSSAPI status codes, returns a base::Value::Dict
// encapsulating the codes as well as their meanings as expanded via
// gss_display_status().
//
// The base::Value::Dict has the following structure:
// {
// "function": <name of GSSAPI function that returned the error>
// "major_status": {
// "status" : <status value as a number>,
// "message": [
// <list of strings hopefully explaining what that number means>
// ]
// },
// "minor_status": {
// "status" : <status value as a number>,
// "message": [
// <list of strings hopefully explaining what that number means>
// ]
// }
// }
//
// Passing nullptr to |gssapi_lib| will skip the message lookups. Thus the
// returned value will be missing the "message" fields. The same is true if the
// message lookup failed for some reason, or if the lookups succeeded but
// yielded an empty message.
NET_EXPORT_PRIVATE base::Value::Dict GetGssStatusValue(
GSSAPILibrary* gssapi_lib,
std::string_view method,
OM_uint32 major_status,
OM_uint32 minor_status);
// OidToValue returns a base::Value::Dict representing an OID. The structure of
// the value is:
// {
// "oid": <symbolic name of OID if it is known>
// "length": <length in bytes of serialized OID>,
// "bytes": <hexdump of up to 1024 bytes of serialized OID>
// }
NET_EXPORT_PRIVATE base::Value::Dict OidToValue(const gss_OID oid);
// GetDisplayNameValue returns a base::Value::Dict representing a gss_name_t. It
// invokes |gss_display_name()| via |gssapi_lib| to determine the display name
// associated with |gss_name|.
//
// The structure of the returned value is:
// {
// "gss_name": <display name as returned by gss_display_name()>,
// "type": <OID indicating type. See OidToValue() for structure of this
// field>
// }
//
// If the lookup failed, then the structure is:
// {
// "error": <error. See GetGssStatusValue() for structure.>
// }
//
// Note that |gss_name_t| is platform dependent. If |gss_display_name| fails,
// there's no good value to display in its stead.
NET_EXPORT_PRIVATE base::Value::Dict GetDisplayNameValue(
GSSAPILibrary* gssapi_lib,
const gss_name_t gss_name);
// GetContextStateAsValue returns a base::Value::Dict that describes the state
// of a GSSAPI context. The structure of the value is:
//
// {
// "source": {
// "name": <GSSAPI principal name of source (e.g. the user)>,
// "type": <OID of name type>
// },
// "target": {
// "name": <GSSAPI principal name of target (e.g. the server)>,
// "type": <OID of name type>
// },
// "lifetime": <Lifetime of the negotiated context in seconds.>,
// "mechanism": <OID of negotiated mechanism>,
// "flags": <Context flags. See documentation for gss_inquire_context for
// flag values>
// "open": <True if the context has finished the handshake>
// }
//
// If the inquiry fails, the following is returned:
// {
// "error": <error. See GetGssStatusValue() for structure.>
// }
NET_EXPORT_PRIVATE base::Value::Dict GetContextStateAsValue(
GSSAPILibrary* gssapi_lib,
const gss_ctx_id_t context_handle);
} // namespace net
#endif // NET_HTTP_HTTP_AUTH_GSSAPI_POSIX_H_
|
