1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
// Copyright (c) 2009 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// See "SSPI Sample Application" at
// http://msdn.microsoft.com/en-us/library/aa918273.aspx
// and "NTLM Security Support Provider" at
// http://msdn.microsoft.com/en-us/library/aa923611.aspx.
#include "net/http/http_auth_handler_ntlm.h"
#include "base/logging.h"
#include "base/string_util.h"
#include "net/base/net_errors.h"
#include "net/base/net_util.h"
#include "net/http/http_auth_sspi_win.h"
#pragma comment(lib, "secur32.lib")
namespace net {
HttpAuthHandlerNTLM::HttpAuthHandlerNTLM(SSPILibrary* sspi_library,
ULONG max_token_length) :
auth_sspi_(sspi_library, "NTLM", NTLMSP_NAME, max_token_length) {
}
HttpAuthHandlerNTLM::~HttpAuthHandlerNTLM() {
}
// Require identity on first pass instead of second.
bool HttpAuthHandlerNTLM::NeedsIdentity() {
return auth_sspi_.NeedsIdentity();
}
bool HttpAuthHandlerNTLM::IsFinalRound() {
return auth_sspi_.IsFinalRound();
}
bool HttpAuthHandlerNTLM::AllowDefaultCredentials() {
// NOTE: Temporarily disabled. SSO is a potential security risk with NTLM.
// TODO(cbentzel): Add a pointer to Firefox documentation about risk.
// TODO(cbentzel): Add a blanket command line flag to enable/disable?
// TODO(cbentzel): Add a whitelist regexp command line flag?
// TODO(cbentzel): Resolve the origin_ (helpful if doing already) and see if
// it is in private IP space?
// TODO(cbentzel): Compare origin_ to this machine's hostname and allow if
// it matches at least two or three layers deep?
return false;
}
int HttpAuthHandlerNTLM::GenerateDefaultAuthToken(
const HttpRequestInfo* request,
const ProxyInfo* proxy,
std::string* auth_token) {
return auth_sspi_.GenerateAuthToken(
NULL, // username
NULL, // password
origin_,
request,
proxy,
auth_token);
}
HttpAuthHandlerNTLM::Factory::Factory() :
max_token_length_(0),
first_creation_(true),
is_unsupported_(false),
sspi_library_(SSPILibrary::GetDefault()) {
}
HttpAuthHandlerNTLM::Factory::~Factory() {
}
int HttpAuthHandlerNTLM::Factory::CreateAuthHandler(
HttpAuth::ChallengeTokenizer* challenge,
HttpAuth::Target target,
const GURL& origin,
scoped_refptr<HttpAuthHandler>* handler) {
if (is_unsupported_)
return ERR_UNSUPPORTED_AUTH_SCHEME;
if (filter() && !filter()->IsValid(origin, target)) {
LOG(INFO) << "URL " << origin
<< "fails filter validation for authentication method "
<< "NTLM";
return ERR_INVALID_AUTH_CREDENTIALS;
}
if (max_token_length_ == 0) {
int rv = DetermineMaxTokenLength(sspi_library_, NTLMSP_NAME,
&max_token_length_);
if (rv == ERR_UNSUPPORTED_AUTH_SCHEME)
is_unsupported_ = true;
if (rv != OK)
return rv;
}
// TODO(cbentzel): Move towards model of parsing in the factory
// method and only constructing when valid.
scoped_refptr<HttpAuthHandler> tmp_handler(
new HttpAuthHandlerNTLM(sspi_library_, max_token_length_));
if (!tmp_handler->InitFromChallenge(challenge, target, origin))
return ERR_INVALID_RESPONSE;
handler->swap(tmp_handler);
return OK;
}
} // namespace net
|
