Fix multi-round authentication.

In the case of Negotiate, authentication can look like

C: GET
S: 401, WWW-Authenticate: Negotiate

C: GET, WWW-Authorization: Negotiate <client_token_1>
S: 401, WWW-Authenticate: Negotiate <server_token_1>

C: GET, WWW-Authorization: Negotiate <client_token_2>
S: 401, WWW-Authenticate: Negotiate <server_token_2>

on that third challenge, the handler was reported as being in "the final round" and this was treated as a rejection of the authentication attempt. After that, the new challenge token was used by a new auth handler that hadn't established a security context, and an ERR_INVALID_HANDLE would be returned.

This CL also does some prep work to correctly handle the "stale=true" value for Digest authentication, but I decided to defer the HttpAuthCache changes needed for that to a separate CL since this was large enough.

BUG=53282
TEST=net_unittests. Unfortunately, I haven't been able to set up a proxy/server to do more than two auth challenges, but this does happen in the wild.

Review URL: http://codereview.chromium.org/3360017

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@59188 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 18 insertions, 14 deletions

diff --git a/net/http/http_auth_sspi_win.cc b/net/http/http_auth_sspi_win.cc
index 6ff9529..03742e4 100644
--- a/net/http/http_auth_sspi_win.cc
+++ b/net/http/http_auth_sspi_win.cc
@@ -129,10 +129,6 @@ bool HttpAuthSSPI::NeedsIdentity() const {
   return decoded_server_auth_token_.empty();
 }
 
-bool HttpAuthSSPI::IsFinalRound() const {
-  return !decoded_server_auth_token_.empty();
-}
-
 void HttpAuthSSPI::Delegate() {
   can_delegate_ = true;
 }
@@ -144,27 +140,35 @@ void HttpAuthSSPI::ResetSecurityContext() {
   }
 }
 
-bool HttpAuthSSPI::ParseChallenge(HttpAuth::ChallengeTokenizer* tok) {
+HttpAuth::AuthorizationResult HttpAuthSSPI::ParseChallenge(
+    HttpAuth::ChallengeTokenizer* tok) {
   // Verify the challenge's auth-scheme.
   if (!tok->valid() ||
       !LowerCaseEqualsASCII(tok->scheme(), StringToLowerASCII(scheme_).c_str()))
-    return false;
+    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
 
   tok->set_expect_base64_token(true);
   if (!tok->GetNext()) {
-    decoded_server_auth_token_.clear();
-    return true;
+    // If a context has already been established, an empty challenge
+    // should be treated as a rejection of the current attempt.
+    if (SecIsValidHandle(&ctxt_))
+      return HttpAuth::AUTHORIZATION_RESULT_REJECT;
+    DCHECK(decoded_server_auth_token_.empty());
+    return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
+  } else {
+    // If a context has not already been established, additional tokens should
+    // not be present in the auth challenge.
+    if (!SecIsValidHandle(&ctxt_))
+      return HttpAuth::AUTHORIZATION_RESULT_INVALID;
   }
 
   std::string encoded_auth_token = tok->value();
   std::string decoded_auth_token;
   bool base64_rv = base::Base64Decode(encoded_auth_token, &decoded_auth_token);
-  if (!base64_rv) {
-    LOG(ERROR) << "Base64 decoding of auth token failed.";
-    return false;
-  }
+  if (!base64_rv)
+    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
   decoded_server_auth_token_ = decoded_auth_token;
-  return true;
+  return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
 }
 
 int HttpAuthSSPI::GenerateAuthToken(const string16* username,
@@ -174,7 +178,7 @@ int HttpAuthSSPI::GenerateAuthToken(const string16* username,
   DCHECK((username == NULL) == (password == NULL));
 
   // Initial challenge.
-  if (!IsFinalRound()) {
+  if (!SecIsValidHandle(&cred_)) {
     int rv = OnFirstRound(username, password);
     if (rv != OK)
       return rv;