Fix multi-round authentication.

In the case of Negotiate, authentication can look like C: GET S: 401, WWW-Authenticate: Negotiate C: GET, WWW-Authorization: Negotiate <client_token_1> S: 401, WWW-Authenticate: Negotiate <server_token_1> C: GET, WWW-Authorization: Negotiate <client_token_2> S: 401, WWW-Authenticate: Negotiate <server_token_2> on that third challenge, the handler was reported as being in "the final round" and this was treated as a rejection of the authentication attempt. After that, the new challenge token was used by a new auth handler that hadn't established a security context, and an ERR_INVALID_HANDLE would be returned. This CL also does some prep work to correctly handle the "stale=true" value for Digest authentication, but I decided to defer the HttpAuthCache changes needed for that to a separate CL since this was large enough. BUG=53282 TEST=net_unittests. Unfortunately, I haven't been able to set up a proxy/server to do more than two auth challenges, but this does happen in the wild. Review URL: http://codereview.chromium.org/3360017 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@59188 0039d316-1c4b-4281-b951-d872f2087c98
author: cbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-09-11 14:03:30 +0000
committer: cbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2010-09-11 14:03:30 +0000
commit: eca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c (patch)
tree: ae0368388f38766781c5ddff86c9e0e2c0c9c362 /net/http/http_auth_handler_digest.cc
parent: 4630db4630bc415cc3b7be70bce87160559810df (diff)
download: chromium_src-eca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c.zip
chromium_src-eca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c.tar.gz
chromium_src-eca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c.tar.bz2
1 files changed, 33 insertions, 6 deletions
diff --git a/net/http/http_auth_handler_digest.cc b/net/http/http_auth_handler_digest.cc
index ebb2494..289e0c7 100644
--- a/net/http/http_auth_handler_digest.cc
+++ b/net/http/http_auth_handler_digest.cc
@@ -173,8 +173,8 @@ std::string HttpAuthHandlerDigest::AssembleCredentials(
   std::string nc = StringPrintf("%08x", nonce_count);
 
   // TODO(eroman): is this the right encoding?
-  std::string authorization = std::string("Digest username=") +
-                              HttpUtil::Quote(UTF16ToUTF8(username));
+  std::string authorization = (std::string("Digest username=") +
+                               HttpUtil::Quote(UTF16ToUTF8(username)));
   authorization += ", realm=" + HttpUtil::Quote(realm_);
   authorization += ", nonce=" + HttpUtil::Quote(nonce_);
   authorization += ", uri=" + HttpUtil::Quote(path);
@@ -201,6 +201,31 @@ std::string HttpAuthHandlerDigest::AssembleCredentials(
   return authorization;
 }
 
+bool HttpAuthHandlerDigest::Init(HttpAuth::ChallengeTokenizer* challenge) {
+  return ParseChallenge(challenge);
+}
+
+HttpAuth::AuthorizationResult HttpAuthHandlerDigest::HandleAnotherChallenge(
+    HttpAuth::ChallengeTokenizer* challenge) {
+  // Even though Digest is not connection based, a "second round" is parsed
+  // to differentiate between stale and rejected responses.
+  // Note that the state of the current handler is not mutated - this way if
+  // there is a rejection the realm hasn't changed.
+  if (!challenge->valid() ||
+      !LowerCaseEqualsASCII(challenge->scheme(), "digest"))
+    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
+
+  // Try to find the "stale" value.
+  while (challenge->GetNext()) {
+    if (!LowerCaseEqualsASCII(challenge->name(), "stale"))
+      continue;
+    if (LowerCaseEqualsASCII(challenge->unquoted_value(), "true"))
+      return HttpAuth::AUTHORIZATION_RESULT_STALE;
+  }
+
+  return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+}
+
 // The digest challenge header looks like:
 //   WWW-Authenticate: Digest
 //     [realm="<realm-value>"]
@@ -231,9 +256,10 @@ bool HttpAuthHandlerDigest::ParseChallenge(
   qop_ = QOP_UNSPECIFIED;
   realm_ = nonce_ = domain_ = opaque_ = std::string();
 
+  // FAIL -- Couldn't match auth-scheme.
   if (!challenge->valid() ||
       !LowerCaseEqualsASCII(challenge->scheme(), "digest"))
-    return false;  // FAIL -- Couldn't match auth-scheme.
+    return false;
 
   // Loop through all the properties.
   while (challenge->GetNext()) {
@@ -242,17 +268,18 @@ bool HttpAuthHandlerDigest::ParseChallenge(
       return false;
     }
 
+    // FAIL -- couldn't parse a property.
     if (!ParseChallengeProperty(challenge->name(), challenge->unquoted_value()))
-      return false;  // FAIL -- couldn't parse a property.
+      return false;
   }
 
   // Check if tokenizer failed.
   if (!challenge->valid())
-    return false;  // FAIL
+    return false;
 
   // Check that a minimum set of properties were provided.
   if (nonce_.empty())
-    return false;  // FAIL
+    return false;
 
   return true;
 }
author	cbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-09-11 14:03:30 +0000
committer	cbentzel@chromium.org <cbentzel@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2010-09-11 14:03:30 +0000
commit	eca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c (patch)
tree	ae0368388f38766781c5ddff86c9e0e2c0c9c362 /net/http/http_auth_handler_digest.cc
parent	4630db4630bc415cc3b7be70bce87160559810df (diff)
download	chromium_src-eca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c.zip chromium_src-eca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c.tar.gz chromium_src-eca50e128ff1bc41bc0cc1d3fdf2e015ba459d4c.tar.bz2