authorcbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-31 11:10:55 +0000
committercbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-31 11:10:55 +0000
commit228739b4afab820bbaf15e6266f8070c741c636f (patch)
tree7110aae224d2ce620758eec271d4fea3144ff051
parent95c473307f3a0f87ed6bd94640ebd47d4fe67802 (diff)
Map SECURITY_STATUS from InitializeSecurityContext to net error codes.
The SSPI implementation of Negotiate+NTLM used to have too many ways to generate an ERR_UNEXPECTED return code, which made it difficult to diagnose user reported issues. BUG=53850 TEST=net_unittests Review URL: http://codereview.chromium.org/3234007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@57979 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/net_error_list.h8
-rw-r--r--net/http/http_auth_sspi_win.cc54
2 files changed, 54 insertions, 8 deletions
diff --git a/net/base/net_error_list.h b/net/base/net_error_list.h
index 014829d..785cbed 100644
--- a/net/base/net_error_list.h
+++ b/net/base/net_error_list.h
@@ -363,6 +363,14 @@ NET_ERROR(ENCODING_DETECTION_FAILED, -340)
// (GSSAPI) No Kerberos credentials were available during HTTP Authentication.
NET_ERROR(MISSING_AUTH_CREDENTIALS, -341)
+// A valid SSPI return code that does not have an equivalent error
+// code.
+NET_ERROR(UNMAPPED_SSPI_ERROR, -342)
+
+// The environment was not set up correctly for authentication (for
+// example, no KDC could be found or the principal is unknown.
+NET_ERROR(MISCONFIGURED_AUTH_ENVIRONMENT, -343)
+
// The cache does not have the requested entry.
NET_ERROR(CACHE_MISS, -400)
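Review bot: The comment added above `MISCONFIGURED_AUTH_ENVIRONMENT` opens a parenthesis at "(for example" and never closes it. The second comment line should end `// example, no KDC could be found or the principal is unknown).` The comment on `UNMAPPED_SSPI_ERROR` could also say that the raw SECURITY_STATUS is written to the log when this code is returned, since that is where a reader has to look to learn which status it was.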
diff --git a/net/http/http_auth_sspi_win.cc b/net/http/http_auth_sspi_win.cc
index 4431e28..3e22ce8 100644
--- a/net/http/http_auth_sspi_win.cc
+++ b/net/http/http_auth_sspi_win.cc
@@ -199,7 +199,7 @@ int HttpAuthSSPI::GenerateAuthToken(const string16* username,
free(out_buf);
if (!base64_rv) {
LOG(ERROR) << "Base64 encoding of auth token failed.";
- return ERR_UNEXPECTED;
+ return ERR_ENCODING_CONVERSION_FAILED;
}
*auth_token = scheme_ + " " + encode_output;
return OK;
@@ -227,6 +227,47 @@ int HttpAuthSSPI::OnFirstRound(const string16* username,
return rv;
}
+namespace {
+
+int MapInitializeSecurityContextStatusToError(SECURITY_STATUS status) {
+ switch (status) {
+ case SEC_E_OK:
+ case SEC_I_CONTINUE_NEEDED:
+ return OK;
+ case SEC_I_COMPLETE_AND_CONTINUE:
+ case SEC_I_COMPLETE_NEEDED:
+ case SEC_I_INCOMPLETE_CREDENTIALS:
+ case SEC_E_INCOMPLETE_MESSAGE:
+ case SEC_E_INTERNAL_ERROR:
+ // These are return codes reported by InitializeSecurityContext
+ // but not expected by Chrome (for example, INCOMPLETE_CREDENTIALS
+ // and INCOMPLETE_MESSAGE are intended for schannel).
+ LOG(ERROR) << "Unmapped SECURITY_STATUS " << status;
+ return ERR_UNMAPPED_SSPI_ERROR;
+ case SEC_E_INSUFFICIENT_MEMORY:
+ return ERR_OUT_OF_MEMORY;
+ case SEC_E_UNSUPPORTED_FUNCTION:
+ // This indicates a programming error.
+ NOTREACHED();
+ return ERR_UNEXPECTED;
+ case SEC_E_INVALID_TOKEN:
+ return ERR_INVALID_RESPONSE;
+ case SEC_E_LOGON_DENIED:
+ case SEC_E_NO_CREDENTIALS:
+ case SEC_E_WRONG_PRINCIPAL:
+ case SEC_E_INVALID_HANDLE:
+ return ERR_INVALID_AUTH_CREDENTIALS;
+ case SEC_E_NO_AUTHENTICATING_AUTHORITY:
+ case SEC_E_TARGET_UNKNOWN:
+ return ERR_MISCONFIGURED_AUTH_ENVIRONMENT;
+ default:
+ LOG(ERROR) << "Unexpected SECURITY_STATUS " << status;
+ return ERR_UNEXPECTED;
+ }
+}
+
+}
+
int HttpAuthSSPI::GetNextSecurityToken(
const std::wstring& spn,
const void* in_token,
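Review bot: In MapInitializeSecurityContextStatusToError, `SEC_E_INVALID_HANDLE` and `SEC_E_WRONG_PRINCIPAL` are grouped under `ERR_INVALID_AUTH_CREDENTIALS`, but neither means the user's credentials are wrong. The first is a bad credential or context handle supplied by the caller, and the second is documented by SSPI as the responding principal not matching the requested target name, which is a failure to authenticate the server. Reporting both as bad credentials points diagnosis at the password and, depending on how callers react to this code (not visible here), may lead to a credential re-prompt. I would move `case SEC_E_INVALID_HANDLE:` into the `ERR_UNEXPECTED` group and `case SEC_E_WRONG_PRINCIPAL:` under `ERR_MISCONFIGURED_AUTH_ENVIRONMENT` or a dedicated code. The closing brace of the anonymous namespace could also carry a `// namespace` comment.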
@@ -253,7 +294,7 @@ int HttpAuthSSPI::GetNextSecurityToken(
// sequence. If we have already initialized our security context, then
// we're incorrectly reusing the auth handler for a new sequence.
if (SecIsValidHandle(&ctxt_)) {
- LOG(ERROR) << "Cannot restart authentication sequence";
+ NOTREACHED();
return ERR_UNEXPECTED;
}
ctxt_ptr = NULL;
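Review bot: Replacing the `LOG(ERROR)` with a bare `NOTREACHED();` removes the only release-build trace of this failure, assuming NOTREACHED is silent outside debug builds as DCHECK-style macros usually are. That works against the commit's goal of making user-reported authentication failures diagnosable. The branch depends on handler state across challenge rounds, so if an unusual server challenge sequence can reach it (not determinable from this hunk), a release build returns `ERR_UNEXPECTED` with nothing in the log. I would keep both lines: `LOG(ERROR) << "Cannot restart authentication sequence";` followed by `NOTREACHED();`. The body of GetNextSecurityToken starts and ends outside this hunk.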
@@ -291,14 +332,11 @@ int HttpAuthSSPI::GetNextSecurityToken(
&out_buffer_desc, // pOutput
&context_attribute, // pfContextAttr
NULL); // ptsExpiry
- // On success, the function returns SEC_I_CONTINUE_NEEDED on the first call
- // and SEC_E_OK on the second call. On failure, the function returns an
- // error code.
- if (status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) {
- LOG(ERROR) << "InitializeSecurityContext failed " << status;
+ int rv = MapInitializeSecurityContextStatusToError(status);
+ if (rv != OK) {
ResetSecurityContext();
free(out_buffer.pvBuffer);
- return ERR_UNEXPECTED; // TODO(wtc): map error code.
+ return rv;
}
if (!out_buffer.cbBuffer) {
free(out_buffer.pvBuffer);
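Review bot: After this change the raw SECURITY_STATUS is logged only for the unmapped and default cases, because the removed `LOG(ERROR) << "InitializeSecurityContext failed " << status;` was the one place that recorded it for every failure. Several distinct SSPI codes now collapse into one net error (four into `ERR_INVALID_AUTH_CREDENTIALS`), so a log showing only the net error cannot tell a denied logon from missing credentials. I would keep a log line inside the `if (rv != OK)` block that prints `status`, ideally in hex so it can be matched against the SEC_E_* constants. The body of GetNextSecurityToken continues outside this hunk.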