author | asanka@chromium.org <asanka@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-19 17:23:11 +0000 |
---|---|---|
committer | asanka@chromium.org <asanka@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-07-19 17:23:11 +0000 |
commit | 843a6b2d48489d09b3359541604a26b191a9b5d7 (patch) | |
tree | a64a2a8bae260f296c6291f0cea5f1a4d95fe4da /net | |
parent | 060d49788f6812ae1a6e82d7759699cc4538a3c3 (diff) | |
Use SPNEGO mechanism with GSSAPI on Posix
BUG=85510
TEST=net_unittests
Review URL: https://chromiumcodereview.appspot.com/10695186
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@147465 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/http/http_auth_gssapi_posix.cc | 29 | ||||
-rw-r--r-- | net/http/http_auth_gssapi_posix.h | 7 | ||||
-rw-r--r-- | net/http/http_auth_gssapi_posix_unittest.cc | 18 | ||||
-rw-r--r-- | net/http/http_auth_handler_negotiate.cc | 2 | ||||
-rw-r--r-- | net/http/http_auth_handler_negotiate_unittest.cc | 6 |
5 files changed, 24 insertions, 38 deletions
diff --git a/net/http/http_auth_gssapi_posix.cc b/net/http/http_auth_gssapi_posix.cc index 618a40b..7121406 100644 --- a/net/http/http_auth_gssapi_posix.cc +++ b/net/http/http_auth_gssapi_posix.cc @@ -22,6 +22,7 @@ // "The implementation must reserve static storage for a // gss_OID_desc object for each constant. That constant // should be initialized to point to that gss_OID_desc." +// These are encoded using ASN.1 BER encoding. namespace { static gss_OID_desc GSS_C_NT_USER_NAME_VAL = { @@ -75,30 +76,16 @@ gss_OID GSS_C_NT_EXPORT_NAME = &GSS_C_NT_EXPORT_NAME_VAL; namespace net { -// These are encoded using ASN.1 BER encoding. +// Exported mechanism for GSSAPI. We always use SPNEGO: -// This one is used by Firefox's nsAuthGSSAPI class. -gss_OID_desc CHROME_GSS_KRB5_MECH_OID_DESC_VAL = { - 9, - const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") -}; - -gss_OID_desc CHROME_GSS_C_NT_HOSTBASED_SERVICE_X_VAL = { +// iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2) +gss_OID_desc CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL = { 6, - const_cast<char*>("\x2b\x06\x01\x05\x06\x02") -}; - -gss_OID_desc CHROME_GSS_C_NT_HOSTBASED_SERVICE_VAL = { - 10, - const_cast<char*>("\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04") + const_cast<char*>("\x2b\x06\x01\x05\x05\x02") }; -gss_OID CHROME_GSS_C_NT_HOSTBASED_SERVICE_X = - &CHROME_GSS_C_NT_HOSTBASED_SERVICE_X_VAL; -gss_OID CHROME_GSS_C_NT_HOSTBASED_SERVICE = - &CHROME_GSS_C_NT_HOSTBASED_SERVICE_VAL; -gss_OID CHROME_GSS_KRB5_MECH_OID_DESC = - &CHROME_GSS_KRB5_MECH_OID_DESC_VAL; +gss_OID CHROME_GSS_SPNEGO_MECH_OID_DESC = + &CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL; // Debugging helpers. namespace { @@ -864,7 +851,7 @@ int HttpAuthGSSAPI::GetNextSecurityToken(const std::wstring& spn, OM_uint32 major_status = library_->import_name( &minor_status, &spn_buffer, - CHROME_GSS_C_NT_HOSTBASED_SERVICE, + GSS_C_NT_HOSTBASED_SERVICE, &principal_name); int rv = MapImportNameStatusToError(major_status); if (rv != OK) { 
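Review bot: The comment above `CHROME_GSS_SPNEGO_MECH_OID_DESC_VAL` misspells the final OID arc as `snego`; it should read `// iso.org.dod.internet.security.mechanism.spnego (1.3.6.1.5.5.2)`. The six bytes `\x2b\x06\x01\x05\x05\x02` do encode 1.3.6.1.5.5.2 and the length of 6 matches, so only the comment needs fixing. The same hunk's `// Exported mechanism for GSSAPI. We always use SPNEGO:` ends in a dangling colon and would read better as a full sentence that also says the inner mechanism is then chosen by the loaded GSSAPI library rather than by this file.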
diff --git a/net/http/http_auth_gssapi_posix.h b/net/http/http_auth_gssapi_posix.h index b36c6dc..44b99bc 100644 --- a/net/http/http_auth_gssapi_posix.h +++ b/net/http/http_auth_gssapi_posix.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -16,9 +16,8 @@ namespace net { -NET_EXPORT_PRIVATE extern gss_OID CHROME_GSS_C_NT_HOSTBASED_SERVICE_X; -NET_EXPORT_PRIVATE extern gss_OID CHROME_GSS_C_NT_HOSTBASED_SERVICE; -NET_EXPORT_PRIVATE extern gss_OID CHROME_GSS_KRB5_MECH_OID_DESC; +// Mechanism OID for GSSAPI. We always use SPNEGO. +NET_EXPORT_PRIVATE extern gss_OID CHROME_GSS_SPNEGO_MECH_OID_DESC; // GSSAPILibrary is introduced so unit tests can mock the calls to the GSSAPI // library. The default implementation attempts to load one of the standard diff --git a/net/http/http_auth_gssapi_posix_unittest.cc b/net/http/http_auth_gssapi_posix_unittest.cc index 8a16323..cbf4d3d 100644 --- a/net/http/http_auth_gssapi_posix_unittest.cc +++ b/net/http/http_auth_gssapi_posix_unittest.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -54,7 +54,7 @@ void EstablishInitialContext(test::MockGSSAPILibrary* library) { "localhost", // Source name "example.com", // Target name 23, // Lifetime - *CHROME_GSS_C_NT_HOSTBASED_SERVICE, // Mechanism + *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 0, // Context flags 1, // Locally initiated 0); // Open 
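Review bot: In the `@@ -16,9 +16,8 @@` hunk of http_auth_gssapi_posix.h, `CHROME_GSS_SPNEGO_MECH_OID_DESC` is exported as a plain `gss_OID`, a writable global pointer, and it now selects the only mechanism used for Negotiate on POSIX. Nothing visible in the diff assigns to it, so it could be declared `NET_EXPORT_PRIVATE extern const gss_OID CHROME_GSS_SPNEGO_MECH_OID_DESC;` with the matching definition in the .cc file, which stops other code in the module from repointing the mechanism by accident. The `_DESC` suffix is also misleading because the symbol is the pointer and `..._DESC_VAL` is the descriptor; the header comment could say so, for example `// Pointer to the SPNEGO mechanism OID (1.3.6.1.5.5.2).`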
@@ -98,7 +98,7 @@ TEST(HttpAuthGSSAPIPOSIXTest, GSSAPICycle) { "localhost", // Source name "example.com", // Target name 23, // Lifetime - *CHROME_GSS_C_NT_HOSTBASED_SERVICE, // Mechanism + *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 0, // Context flags 1, // Locally initiated 0); // Open @@ -106,7 +106,7 @@ TEST(HttpAuthGSSAPIPOSIXTest, GSSAPICycle) { "localhost", // Source name "example.com", // Target name 23, // Lifetime - *CHROME_GSS_C_NT_HOSTBASED_SERVICE, // Mechanism + *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 0, // Context flags 1, // Locally initiated 1); // Open @@ -179,7 +179,7 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_FirstRound) { // The first round should just consist of an unadorned "Negotiate" header. test::MockGSSAPILibrary mock_library; HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", - CHROME_GSS_KRB5_MECH_OID_DESC); + CHROME_GSS_SPNEGO_MECH_OID_DESC); std::string challenge_text = "Negotiate"; HttpAuth::ChallengeTokenizer challenge(challenge_text.begin(), challenge_text.end()); @@ -192,7 +192,7 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_TwoRounds) { // have a valid base64 token associated with it. test::MockGSSAPILibrary mock_library; HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", - CHROME_GSS_KRB5_MECH_OID_DESC); + CHROME_GSS_SPNEGO_MECH_OID_DESC); std::string first_challenge_text = "Negotiate"; HttpAuth::ChallengeTokenizer first_challenge(first_challenge_text.begin(), first_challenge_text.end()); @@ -217,7 +217,7 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_UnexpectedTokenFirstRound) { // should be treated as an invalid challenge from the server. test::MockGSSAPILibrary mock_library; HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", - CHROME_GSS_KRB5_MECH_OID_DESC); + CHROME_GSS_SPNEGO_MECH_OID_DESC); std::string challenge_text = "Negotiate Zm9vYmFy"; HttpAuth::ChallengeTokenizer challenge(challenge_text.begin(), challenge_text.end()); 
@@ -230,7 +230,7 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_MissingTokenSecondRound) { // an authentication challenge rejection from the server or proxy. test::MockGSSAPILibrary mock_library; HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", - CHROME_GSS_KRB5_MECH_OID_DESC); + CHROME_GSS_SPNEGO_MECH_OID_DESC); std::string first_challenge_text = "Negotiate"; HttpAuth::ChallengeTokenizer first_challenge(first_challenge_text.begin(), first_challenge_text.end()); @@ -253,7 +253,7 @@ TEST(HttpAuthGSSAPITest, ParseChallenge_NonBase64EncodedToken) { // be treated as an invalid challenge. test::MockGSSAPILibrary mock_library; HttpAuthGSSAPI auth_gssapi(&mock_library, "Negotiate", - CHROME_GSS_KRB5_MECH_OID_DESC); + CHROME_GSS_SPNEGO_MECH_OID_DESC); std::string first_challenge_text = "Negotiate"; HttpAuth::ChallengeTokenizer first_challenge(first_challenge_text.begin(), first_challenge_text.end()); diff --git a/net/http/http_auth_handler_negotiate.cc b/net/http/http_auth_handler_negotiate.cc index 4e1c81d..35681c4 100644 --- a/net/http/http_auth_handler_negotiate.cc +++ b/net/http/http_auth_handler_negotiate.cc @@ -100,7 +100,7 @@ HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate( #if defined(OS_WIN) : auth_system_(auth_library, "Negotiate", NEGOSSP_NAME, max_token_length), #elif defined(OS_POSIX) - : auth_system_(auth_library, "Negotiate", CHROME_GSS_KRB5_MECH_OID_DESC), + : auth_system_(auth_library, "Negotiate", CHROME_GSS_SPNEGO_MECH_OID_DESC), #endif disable_cname_lookup_(disable_cname_lookup), use_port_(use_port), diff --git a/net/http/http_auth_handler_negotiate_unittest.cc b/net/http/http_auth_handler_negotiate_unittest.cc index f43e39a..4d8eaf4 100644 --- a/net/http/http_auth_handler_negotiate_unittest.cc +++ b/net/http/http_auth_handler_negotiate_unittest.cc 
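Review bot: The `OS_POSIX` initializer in `HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate` now requests SPNEGO unconditionally, and the diff shows no fallback to the Kerberos mechanism it requested before. A GSSAPI library without SPNEGO support would presumably fail context setup, and none of the updated tests in this commit appear to exercise that path; a mock-library test where the mechanism is rejected would pin the resulting error. A comment at the initializer would also help, such as `// SPNEGO: the system GSSAPI library negotiates the inner mechanism, so which mechanisms are acceptable is decided by its configuration.` The constructor's initializer list and body continue outside the hunk.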
@@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -101,7 +101,7 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest { "localhost", // Source name "example.com", // Target name 23, // Lifetime - *CHROME_GSS_C_NT_HOSTBASED_SERVICE, // Mechanism + *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 0, // Context flags 1, // Locally initiated 0); // Open @@ -109,7 +109,7 @@ class HttpAuthHandlerNegotiateTest : public PlatformTest { "localhost", // Source name "example.com", // Target name 23, // Lifetime - *CHROME_GSS_C_NT_HOSTBASED_SERVICE, // Mechanism + *CHROME_GSS_SPNEGO_MECH_OID_DESC, // Mechanism 0, // Context flags 1, // Locally initiated 1); // Open |