author | cbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-14 20:12:45 +0000 |
---|---|---|
committer | cbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-04-14 20:12:45 +0000 |
commit | e5ae96a15b687fffe178eb8c4a7ea79a1ddd679c (patch) | |
tree | 4ffb7e20097a482248f465eef2a7540d79d58e8f /net/http/http_auth_handler.h | |
parent | da5922762971a646407390f5c8d88a2447b2effc (diff) | |
Kerberos uses an SPN (Service Principal Name) to identify a server. This is typically in the form "HTTP/host:port", with the ":port" suffix being optional and the "HTTP/" prefix fixed regardless of whether the service is accessed over HTTP or HTTPS.
The issue this is fixing is that the URL host may be an incomplete domain name, a numerical address, or an alias for a canonical DNS name.
By default, Chrome will skip adding the optional port to the SPN, and will use the canonical DNS name for the server (which may be the original server name if it is an A or AAAA record). This matches IE and Firefox's default behavior.
Some intranets are set up so the original host name should be used rather than the canonical name. The canonical name resolution can be disabled with the --disable-spnego-cname-lookup command line flag.
Some intranets are also set up so the optional port should be specified when it is non-standard (non 80 or 443). Use the --enable-spnego-port command line flag.
BUG=29862
TEST=net_unittests.exe --gtest_filter="*CanonicalName*"
Review URL: http://codereview.chromium.org/1535019
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@44526 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/http/http_auth_handler.h')
-rw-r--r-- | net/http/http_auth_handler.h | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/net/http/http_auth_handler.h b/net/http/http_auth_handler.h
index d2eae13..663e04a 100644
--- a/net/http/http_auth_handler.h
+++ b/net/http/http_auth_handler.h
@@ -8,10 +8,13 @@
 #include <string>
 #include "base/ref_counted.h"
+#include "net/base/completion_callback.h"
 #include "net/http/http_auth.h"
 namespace net {
+class BoundNetLog;
+class HostResolver;
 class HttpRequestInfo;
 class ProxyInfo;
@@ -81,6 +84,11 @@ class HttpAuthHandler : public base::RefCounted<HttpAuthHandler> {
 // TODO(cbentzel): Add a pointer to Firefox documentation about risk.
 virtual bool SupportsDefaultCredentials() { return false; }
+ // Returns whether the canonical DNS name for the origin host needs to be
+ // resolved. The Negotiate auth scheme typically uses the canonical DNS
+ // name when constructing the Kerberos SPN.
+ virtual bool NeedsCanonicalName() { return false; }
+
 // TODO(cbentzel): Separate providing credentials from generating the
 // authentication token in the API.
@@ -103,6 +111,14 @@ class HttpAuthHandler : public base::RefCounted<HttpAuthHandler> {
 const ProxyInfo* proxy,
 std::string* auth_token) = 0;
+ // Resolves the canonical name for the |origin_| host. The canonical
+ // name is used by the Negotiate scheme to generate a valid Kerberos
+ // SPN.
+ // The return value is a net error code.
+ virtual int ResolveCanonicalName(HostResolver* host_resolver,
+ CompletionCallback* callback,
+ const BoundNetLog& net_log);
+
 protected:
 enum Property {
 ENCRYPTS_IDENTITY = 1 << 0,
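Review bot: The comment on ResolveCanonicalName in the third hunk (@@ -103,6 +111,14) names the return type but not the completion contract: it should state whether ERR_IO_PENDING means |callback| is run later and any other value means it is not, and that |host_resolver| must outlive a pending request, since this declaration is the only contract that callers and overriders of the virtual will read. Suggested addition after the "net error code" sentence: `// ERR_IO_PENDING means |callback| is invoked on completion; any other` `// value is returned synchronously and |callback| is not run.` The same comment is also the place to note that the canonical name comes from an unauthenticated DNS answer, so an SPN built from it is only as trustworthy as the resolver path; that is why the --disable-spnego-cname-lookup opt-out in the commit message exists, and a one-line pointer here would explain why NeedsCanonicalName is a separate hook. The definition of ResolveCanonicalName is outside this hunk, so the ERR_IO_PENDING convention above is inferred from the CompletionCallback parameter and should be confirmed against the definition before the comment is added.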
@@ -121,14 +137,14 @@ class HttpAuthHandler : public base::RefCounted<HttpAuthHandler> {
 // scheme_, realm_, score_, properties_
 virtual bool Init(HttpAuth::ChallengeTokenizer* challenge) = 0;
- // The lowercase auth-scheme {"basic", "digest", "ntlm", ...}
+ // The lowercase auth-scheme {"basic", "digest", "ntlm", "negotiate"}
 std::string scheme_;
 // The realm. Used by "basic" and "digest".
 std::string realm_;
 // The {scheme, host, port} for the authentication target. Used by "ntlm"
- // to construct the service principal name.
+ // and "negotiate" to construct the service principal name.
 GURL origin_;
 // The score for this challenge. Higher numbers are better. |