1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
|
// Copyright (c) 2010 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "net/http/http_auth_handler_ntlm.h"
#if !defined(NTLM_SSPI)
#include "base/base64.h"
#endif
#include "base/logging.h"
#include "base/string_util.h"
#include "base/utf_string_conversions.h"
#include "net/base/net_errors.h"
#include "net/base/net_util.h"
namespace net {
int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
const string16* username,
const string16* password,
const HttpRequestInfo* request,
CompletionCallback* callback,
std::string* auth_token) {
#if defined(NTLM_SSPI)
return auth_sspi_.GenerateAuthToken(
username,
password,
CreateSPN(origin_),
auth_token);
#else // !defined(NTLM_SSPI)
// TODO(cbentzel): Shouldn't be hitting this case.
if (!username || !password) {
LOG(ERROR) << "Username and password are expected to be non-NULL.";
return ERR_MISSING_AUTH_CREDENTIALS;
}
// TODO(wtc): See if we can use char* instead of void* for in_buf and
// out_buf. This change will need to propagate to GetNextToken,
// GenerateType1Msg, and GenerateType3Msg, and perhaps further.
const void* in_buf;
void* out_buf;
uint32 in_buf_len, out_buf_len;
std::string decoded_auth_data;
// |username| may be in the form "DOMAIN\user". Parse it into the two
// components.
string16 domain;
string16 user;
const char16 backslash_character = '\\';
size_t backslash_idx = username->find(backslash_character);
if (backslash_idx == string16::npos) {
user = *username;
} else {
domain = username->substr(0, backslash_idx);
user = username->substr(backslash_idx + 1);
}
domain_ = domain;
username_ = user;
password_ = *password;
// Initial challenge.
if (auth_data_.empty()) {
in_buf_len = 0;
in_buf = NULL;
int rv = InitializeBeforeFirstChallenge();
if (rv != OK)
return rv;
} else {
if (!base::Base64Decode(auth_data_, &decoded_auth_data)) {
LOG(ERROR) << "Unexpected problem Base64 decoding.";
return ERR_UNEXPECTED;
}
in_buf_len = decoded_auth_data.length();
in_buf = decoded_auth_data.data();
}
int rv = GetNextToken(in_buf, in_buf_len, &out_buf, &out_buf_len);
if (rv != OK)
return rv;
// Base64 encode data in output buffer and prepend "NTLM ".
std::string encode_input(static_cast<char*>(out_buf), out_buf_len);
std::string encode_output;
bool base64_rv = base::Base64Encode(encode_input, &encode_output);
// OK, we are done with |out_buf|
free(out_buf);
if (!base64_rv) {
LOG(ERROR) << "Unexpected problem Base64 encoding.";
return ERR_UNEXPECTED;
}
*auth_token = std::string("NTLM ") + encode_output;
return OK;
#endif
}
bool HttpAuthHandlerNTLM::Init(HttpAuth::ChallengeTokenizer* tok) {
scheme_ = "ntlm";
score_ = 3;
properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
return ParseChallenge(tok, true) == HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
}
HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::HandleAnotherChallenge(
HttpAuth::ChallengeTokenizer* challenge) {
return ParseChallenge(challenge, false);
}
// The NTLM challenge header looks like:
// WWW-Authenticate: NTLM auth-data
HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge(
HttpAuth::ChallengeTokenizer* tok, bool initial_challenge) {
#if defined(NTLM_SSPI)
// auth_sspi_ contains state for whether or not this is the initial challenge.
return auth_sspi_.ParseChallenge(tok);
#else
// TODO(cbentzel): Most of the logic between SSPI, GSSAPI, and portable NTLM
// authentication parsing could probably be shared - just need to know if
// there was previously a challenge round.
// TODO(cbentzel): Write a test case to validate that auth_data_ is left empty
// in all failure conditions.
auth_data_.clear();
// Verify the challenge's auth-scheme.
if (!LowerCaseEqualsASCII(tok->scheme(), "ntlm"))
return HttpAuth::AUTHORIZATION_RESULT_INVALID;
std::string base64_param = tok->base64_param();
if (base64_param.empty()) {
if (!initial_challenge)
return HttpAuth::AUTHORIZATION_RESULT_REJECT;
return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
} else {
if (initial_challenge)
return HttpAuth::AUTHORIZATION_RESULT_INVALID;
}
auth_data_ = base64_param;
return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
#endif // defined(NTLM_SSPI)
}
// static
std::wstring HttpAuthHandlerNTLM::CreateSPN(const GURL& origin) {
// The service principal name of the destination server. See
// http://msdn.microsoft.com/en-us/library/ms677949%28VS.85%29.aspx
std::wstring target(L"HTTP/");
target.append(ASCIIToWide(GetHostAndPort(origin)));
return target;
}
} // namespace net
|