diff options
Diffstat (limited to 'net/http/http_auth_handler_ntlm_win.cc')
-rw-r--r-- | net/http/http_auth_handler_ntlm_win.cc | 121 |
1 files changed, 3 insertions, 118 deletions
diff --git a/net/http/http_auth_handler_ntlm_win.cc b/net/http/http_auth_handler_ntlm_win.cc index 0f40236..fba9c1b 100644 --- a/net/http/http_auth_handler_ntlm_win.cc +++ b/net/http/http_auth_handler_ntlm_win.cc @@ -17,138 +17,23 @@ #pragma comment(lib, "secur32.lib") -namespace { - -void ZapString(string16* s) { - memset(&(*s)[0], 0, s->length() * 2); -} - -} // namespace - namespace net { -HttpAuthHandlerNTLM::HttpAuthHandlerNTLM() : max_token_len_(0) { - SecInvalidateHandle(&cred_); - SecInvalidateHandle(&ctxt_); +HttpAuthHandlerNTLM::HttpAuthHandlerNTLM() : auth_sspi_("NTLM", NTLMSP_NAME) { } HttpAuthHandlerNTLM::~HttpAuthHandlerNTLM() { - ResetSecurityContext(); - if (SecIsValidHandle(&cred_)) { - FreeCredentialsHandle(&cred_); - SecInvalidateHandle(&cred_); - } - ZapString(&password_); -} - -int HttpAuthHandlerNTLM::InitializeBeforeFirstChallenge() { - DCHECK_EQ("ntlm", scheme_) << "This is not ntlm scheme"; - - int rv = DetermineMaxTokenLength(NTLMSP_NAME, &max_token_len_); - if (rv != OK) { - return rv; - } - rv = AcquireCredentials(NTLMSP_NAME, domain_, username_, password_, &cred_); - return rv; -} - -int HttpAuthHandlerNTLM::GetNextToken(const void* in_token, - uint32 in_token_len, - void** out_token, - uint32* out_token_len) { - SECURITY_STATUS status; - TimeStamp expiry; - - DWORD ctxt_attr; - CtxtHandle* ctxt_ptr; - SecBufferDesc in_buffer_desc, out_buffer_desc; - SecBufferDesc* in_buffer_desc_ptr; - SecBuffer in_buffer, out_buffer; - - if (in_token) { - // Prepare input buffer. - in_buffer_desc.ulVersion = SECBUFFER_VERSION; - in_buffer_desc.cBuffers = 1; - in_buffer_desc.pBuffers = &in_buffer; - in_buffer.BufferType = SECBUFFER_TOKEN; - in_buffer.cbBuffer = in_token_len; - in_buffer.pvBuffer = const_cast<void*>(in_token); - ctxt_ptr = &ctxt_; - in_buffer_desc_ptr = &in_buffer_desc; - } else { - // If there is no input token, then we are starting a new authentication - // sequence. If we have already initialized our security context, then - // we're incorrectly reusing the auth handler for a new sequence. - if (SecIsValidHandle(&ctxt_)) { - LOG(ERROR) << "Cannot restart authentication sequence"; - return ERR_UNEXPECTED; - } - ctxt_ptr = NULL; - in_buffer_desc_ptr = NULL; - } - - // Prepare output buffer. - out_buffer_desc.ulVersion = SECBUFFER_VERSION; - out_buffer_desc.cBuffers = 1; - out_buffer_desc.pBuffers = &out_buffer; - out_buffer.BufferType = SECBUFFER_TOKEN; - out_buffer.cbBuffer = max_token_len_; - out_buffer.pvBuffer = malloc(out_buffer.cbBuffer); - if (!out_buffer.pvBuffer) - return ERR_OUT_OF_MEMORY; - - // The service principal name of the destination server. See - // http://msdn.microsoft.com/en-us/library/ms677949%28VS.85%29.aspx - std::wstring target(L"HTTP/"); - target.append(ASCIIToWide(GetHostAndPort(origin_))); - wchar_t* target_name = const_cast<wchar_t*>(target.c_str()); - - // This returns a token that is passed to the remote server. - status = InitializeSecurityContext(&cred_, // phCredential - ctxt_ptr, // phContext - target_name, // pszTargetName - 0, // fContextReq - 0, // Reserved1 (must be 0) - SECURITY_NATIVE_DREP, // TargetDataRep - in_buffer_desc_ptr, // pInput - 0, // Reserved2 (must be 0) - &ctxt_, // phNewContext - &out_buffer_desc, // pOutput - &ctxt_attr, // pfContextAttr - &expiry); // ptsExpiry - // On success, the function returns SEC_I_CONTINUE_NEEDED on the first call - // and SEC_E_OK on the second call. On failure, the function returns an - // error code. - if (status != SEC_I_CONTINUE_NEEDED && status != SEC_E_OK) { - LOG(ERROR) << "InitializeSecurityContext failed: " << status; - ResetSecurityContext(); - free(out_buffer.pvBuffer); - return ERR_UNEXPECTED; // TODO(wtc): map error code. - } - if (!out_buffer.cbBuffer) { - free(out_buffer.pvBuffer); - out_buffer.pvBuffer = NULL; - } - *out_token = out_buffer.pvBuffer; - *out_token_len = out_buffer.cbBuffer; - return OK; } // Require identity on first pass instead of second. bool HttpAuthHandlerNTLM::NeedsIdentity() { - return auth_data_.empty(); + return auth_sspi_.NeedsIdentity(); } bool HttpAuthHandlerNTLM::IsFinalRound() { - return !auth_data_.empty(); + return auth_sspi_.IsFinalRound(); } -void HttpAuthHandlerNTLM::ResetSecurityContext() { - if (SecIsValidHandle(&ctxt_)) { - DeleteSecurityContext(&ctxt_); - SecInvalidateHandle(&ctxt_); - } -} } // namespace net |