net/http/http_auth_handler_ntlm.cc

   1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "net/http/http_auth_handler_ntlm.h"
   6
   7 #if !defined(NTLM_SSPI)
   8 #include "base/base64.h"
   9 #endif
  10 #include "base/logging.h"
  11 #include "base/string_util.h"
  12 #include "base/utf_string_conversions.h"
  13 #include "net/base/net_errors.h"
  14 #include "net/base/net_util.h"
  15
  16 namespace net {
  17
  18 HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::HandleAnotherChallenge(
  19     HttpAuth::ChallengeTokenizer* challenge) {
  20   return ParseChallenge(challenge, false);
  21 }
  22
  23 bool HttpAuthHandlerNTLM::Init(HttpAuth::ChallengeTokenizer* tok) {
  24   auth_scheme_ = HttpAuth::AUTH_SCHEME_NTLM;
  25   score_ = 3;
  26   properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
  27
  28   return ParseChallenge(tok, true) == HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
  29 }
  30
  31 int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
  32     const AuthCredentials* credentials, const HttpRequestInfo* request,
  33     const CompletionCallback& callback, std::string* auth_token) {
  34 #if defined(NTLM_SSPI)
  35   return auth_sspi_.GenerateAuthToken(
  36       credentials,
  37       CreateSPN(origin_),
  38       auth_token);
  39 #else  // !defined(NTLM_SSPI)
  40   // TODO(cbentzel): Shouldn't be hitting this case.
  41   if (!credentials) {
  42     LOG(ERROR) << "Username and password are expected to be non-NULL.";
  43     return ERR_MISSING_AUTH_CREDENTIALS;
  44   }
  45   // TODO(wtc): See if we can use char* instead of void* for in_buf and
  46   // out_buf.  This change will need to propagate to GetNextToken,
  47   // GenerateType1Msg, and GenerateType3Msg, and perhaps further.
  48   const void* in_buf;
  49   void* out_buf;
  50   uint32 in_buf_len, out_buf_len;
  51   std::string decoded_auth_data;
  52
  53   // The username may be in the form "DOMAIN\user".  Parse it into the two
  54   // components.
  55   base::string16 domain;
  56   base::string16 user;
  57   const base::string16& username = credentials->username();
  58   const char16 backslash_character = '\\';
  59   size_t backslash_idx = username.find(backslash_character);
  60   if (backslash_idx == base::string16::npos) {
  61     user = username;
  62   } else {
  63     domain = username.substr(0, backslash_idx);
  64     user = username.substr(backslash_idx + 1);
  65   }
  66   domain_ = domain;
  67   credentials_.Set(user, credentials->password());
  68
  69   // Initial challenge.
  70   if (auth_data_.empty()) {
  71     in_buf_len = 0;
  72     in_buf = NULL;
  73     int rv = InitializeBeforeFirstChallenge();
  74     if (rv != OK)
  75       return rv;
  76   } else {
  77     if (!base::Base64Decode(auth_data_, &decoded_auth_data)) {
  78       LOG(ERROR) << "Unexpected problem Base64 decoding.";
  79       return ERR_UNEXPECTED;
  80     }
  81     in_buf_len = decoded_auth_data.length();
  82     in_buf = decoded_auth_data.data();
  83   }
  84
  85   int rv = GetNextToken(in_buf, in_buf_len, &out_buf, &out_buf_len);
  86   if (rv != OK)
  87     return rv;
  88
  89   // Base64 encode data in output buffer and prepend "NTLM ".
  90   std::string encode_input(static_cast<char*>(out_buf), out_buf_len);
  91   std::string encode_output;
  92   bool base64_rv = base::Base64Encode(encode_input, &encode_output);
  93   // OK, we are done with |out_buf|
  94   free(out_buf);
  95   if (!base64_rv) {
  96     LOG(ERROR) << "Unexpected problem Base64 encoding.";
  97     return ERR_UNEXPECTED;
  98   }
  99   *auth_token = std::string("NTLM ") + encode_output;
 100   return OK;
 101 #endif
 102 }
 103
 104 // The NTLM challenge header looks like:
 105 //   WWW-Authenticate: NTLM auth-data
 106 HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge(
 107     HttpAuth::ChallengeTokenizer* tok, bool initial_challenge) {
 108 #if defined(NTLM_SSPI)
 109   // auth_sspi_ contains state for whether or not this is the initial challenge.
 110   return auth_sspi_.ParseChallenge(tok);
 111 #else
 112   // TODO(cbentzel): Most of the logic between SSPI, GSSAPI, and portable NTLM
 113   // authentication parsing could probably be shared - just need to know if
 114   // there was previously a challenge round.
 115   // TODO(cbentzel): Write a test case to validate that auth_data_ is left empty
 116   // in all failure conditions.
 117   auth_data_.clear();
 118
 119   // Verify the challenge's auth-scheme.
 120   if (!LowerCaseEqualsASCII(tok->scheme(), "ntlm"))
 121     return HttpAuth::AUTHORIZATION_RESULT_INVALID;
 122
 123   std::string base64_param = tok->base64_param();
 124   if (base64_param.empty()) {
 125     if (!initial_challenge)
 126       return HttpAuth::AUTHORIZATION_RESULT_REJECT;
 127     return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
 128   } else {
 129     if (initial_challenge)
 130       return HttpAuth::AUTHORIZATION_RESULT_INVALID;
 131   }
 132
 133   auth_data_ = base64_param;
 134   return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
 135 #endif  // defined(NTLM_SSPI)
 136 }
 137
 138 // static
 139 std::wstring HttpAuthHandlerNTLM::CreateSPN(const GURL& origin) {
 140   // The service principal name of the destination server.  See
 141   // http://msdn.microsoft.com/en-us/library/ms677949%28VS.85%29.aspx
 142   std::wstring target(L"HTTP/");
 143   target.append(ASCIIToWide(GetHostAndPort(origin)));
 144   return target;
 145 }
 146
 147 }  // namespace net