diff options
Diffstat (limited to 'chromium/net/http/http_auth_handler_ntlm.cc')
-rw-r--r-- | chromium/net/http/http_auth_handler_ntlm.cc | 147 |
1 files changed, 147 insertions, 0 deletions
diff --git a/chromium/net/http/http_auth_handler_ntlm.cc b/chromium/net/http/http_auth_handler_ntlm.cc new file mode 100644 index 00000000000..4c04234e22e --- /dev/null +++ b/chromium/net/http/http_auth_handler_ntlm.cc @@ -0,0 +1,147 @@ +// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "net/http/http_auth_handler_ntlm.h" + +#if !defined(NTLM_SSPI) +#include "base/base64.h" +#endif +#include "base/logging.h" +#include "base/strings/string_util.h" +#include "base/strings/utf_string_conversions.h" +#include "net/base/net_errors.h" +#include "net/base/net_util.h" + +namespace net { + +HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::HandleAnotherChallenge( + HttpAuth::ChallengeTokenizer* challenge) { + return ParseChallenge(challenge, false); +} + +bool HttpAuthHandlerNTLM::Init(HttpAuth::ChallengeTokenizer* tok) { + auth_scheme_ = HttpAuth::AUTH_SCHEME_NTLM; + score_ = 3; + properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; + + return ParseChallenge(tok, true) == HttpAuth::AUTHORIZATION_RESULT_ACCEPT; +} + +int HttpAuthHandlerNTLM::GenerateAuthTokenImpl( + const AuthCredentials* credentials, const HttpRequestInfo* request, + const CompletionCallback& callback, std::string* auth_token) { +#if defined(NTLM_SSPI) + return auth_sspi_.GenerateAuthToken( + credentials, + CreateSPN(origin_), + auth_token); +#else // !defined(NTLM_SSPI) + // TODO(cbentzel): Shouldn't be hitting this case. + if (!credentials) { + LOG(ERROR) << "Username and password are expected to be non-NULL."; + return ERR_MISSING_AUTH_CREDENTIALS; + } + // TODO(wtc): See if we can use char* instead of void* for in_buf and + // out_buf. This change will need to propagate to GetNextToken, + // GenerateType1Msg, and GenerateType3Msg, and perhaps further. + const void* in_buf; + void* out_buf; + uint32 in_buf_len, out_buf_len; + std::string decoded_auth_data; + + // The username may be in the form "DOMAIN\user". Parse it into the two + // components. + base::string16 domain; + base::string16 user; + const base::string16& username = credentials->username(); + const base::char16 backslash_character = '\\'; + size_t backslash_idx = username.find(backslash_character); + if (backslash_idx == base::string16::npos) { + user = username; + } else { + domain = username.substr(0, backslash_idx); + user = username.substr(backslash_idx + 1); + } + domain_ = domain; + credentials_.Set(user, credentials->password()); + + // Initial challenge. + if (auth_data_.empty()) { + in_buf_len = 0; + in_buf = NULL; + int rv = InitializeBeforeFirstChallenge(); + if (rv != OK) + return rv; + } else { + if (!base::Base64Decode(auth_data_, &decoded_auth_data)) { + LOG(ERROR) << "Unexpected problem Base64 decoding."; + return ERR_UNEXPECTED; + } + in_buf_len = decoded_auth_data.length(); + in_buf = decoded_auth_data.data(); + } + + int rv = GetNextToken(in_buf, in_buf_len, &out_buf, &out_buf_len); + if (rv != OK) + return rv; + + // Base64 encode data in output buffer and prepend "NTLM ". + std::string encode_input(static_cast<char*>(out_buf), out_buf_len); + std::string encode_output; + bool base64_rv = base::Base64Encode(encode_input, &encode_output); + // OK, we are done with |out_buf| + free(out_buf); + if (!base64_rv) { + LOG(ERROR) << "Unexpected problem Base64 encoding."; + return ERR_UNEXPECTED; + } + *auth_token = std::string("NTLM ") + encode_output; + return OK; +#endif +} + +// The NTLM challenge header looks like: +// WWW-Authenticate: NTLM auth-data +HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge( + HttpAuth::ChallengeTokenizer* tok, bool initial_challenge) { +#if defined(NTLM_SSPI) + // auth_sspi_ contains state for whether or not this is the initial challenge. + return auth_sspi_.ParseChallenge(tok); +#else + // TODO(cbentzel): Most of the logic between SSPI, GSSAPI, and portable NTLM + // authentication parsing could probably be shared - just need to know if + // there was previously a challenge round. + // TODO(cbentzel): Write a test case to validate that auth_data_ is left empty + // in all failure conditions. + auth_data_.clear(); + + // Verify the challenge's auth-scheme. + if (!LowerCaseEqualsASCII(tok->scheme(), "ntlm")) + return HttpAuth::AUTHORIZATION_RESULT_INVALID; + + std::string base64_param = tok->base64_param(); + if (base64_param.empty()) { + if (!initial_challenge) + return HttpAuth::AUTHORIZATION_RESULT_REJECT; + return HttpAuth::AUTHORIZATION_RESULT_ACCEPT; + } else { + if (initial_challenge) + return HttpAuth::AUTHORIZATION_RESULT_INVALID; + } + + auth_data_ = base64_param; + return HttpAuth::AUTHORIZATION_RESULT_ACCEPT; +#endif // defined(NTLM_SSPI) +} + +// static +std::wstring HttpAuthHandlerNTLM::CreateSPN(const GURL& origin) { + // The service principal name of the destination server. See + // http://msdn.microsoft.com/en-us/library/ms677949%28VS.85%29.aspx + std::wstring target(L"HTTP/"); + target.append(ASCIIToWide(GetHostAndPort(origin))); + return target; +} + +} // namespace net |