Home | History | Annotate | Download | only in http 
      1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "net/http/http_auth_handler_ntlm.h"
      6 
      7 #if !defined(NTLM_SSPI)
      8 #include "base/base64.h"
      9 #endif
     10 #include "base/logging.h"
     11 #include "base/string_util.h"
     12 #include "base/utf_string_conversions.h"
     13 #include "net/base/net_errors.h"
     14 #include "net/base/net_util.h"
     15 
     16 namespace net {
     17 
     18 HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::HandleAnotherChallenge(
     19     HttpAuth::ChallengeTokenizer* challenge) {
     20   return ParseChallenge(challenge, false);
     21 }
     22 
     23 bool HttpAuthHandlerNTLM::Init(HttpAuth::ChallengeTokenizer* tok) {
     24   auth_scheme_ = HttpAuth::AUTH_SCHEME_NTLM;
     25   score_ = 3;
     26   properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
     27 
     28   return ParseChallenge(tok, true) == HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
     29 }
     30 
     31 int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
     32     const string16* username,
     33     const string16* password,
     34     const HttpRequestInfo* request,
     35     CompletionCallback* callback,
     36     std::string* auth_token) {
     37 #if defined(NTLM_SSPI)
     38   return auth_sspi_.GenerateAuthToken(
     39       username,
     40       password,
     41       CreateSPN(origin_),
     42       auth_token);
     43 #else  // !defined(NTLM_SSPI)
     44   // TODO(cbentzel): Shouldn't be hitting this case.
     45   if (!username || !password) {
     46     LOG(ERROR) << "Username and password are expected to be non-NULL.";
     47     return ERR_MISSING_AUTH_CREDENTIALS;
     48   }
     49   // TODO(wtc): See if we can use char* instead of void* for in_buf and
     50   // out_buf.  This change will need to propagate to GetNextToken,
     51   // GenerateType1Msg, and GenerateType3Msg, and perhaps further.
     52   const void* in_buf;
     53   void* out_buf;
     54   uint32 in_buf_len, out_buf_len;
     55   std::string decoded_auth_data;
     56 
     57   // |username| may be in the form "DOMAIN\user".  Parse it into the two
     58   // components.
     59   string16 domain;
     60   string16 user;
     61   const char16 backslash_character = '\\';
     62   size_t backslash_idx = username->find(backslash_character);
     63   if (backslash_idx == string16::npos) {
     64     user = *username;
     65   } else {
     66     domain = username->substr(0, backslash_idx);
     67     user = username->substr(backslash_idx + 1);
     68   }
     69   domain_ = domain;
     70   username_ = user;
     71   password_ = *password;
     72 
     73   // Initial challenge.
     74   if (auth_data_.empty()) {
     75     in_buf_len = 0;
     76     in_buf = NULL;
     77     int rv = InitializeBeforeFirstChallenge();
     78     if (rv != OK)
     79       return rv;
     80   } else {
     81     if (!base::Base64Decode(auth_data_, &decoded_auth_data)) {
     82       LOG(ERROR) << "Unexpected problem Base64 decoding.";
     83       return ERR_UNEXPECTED;
     84     }
     85     in_buf_len = decoded_auth_data.length();
     86     in_buf = decoded_auth_data.data();
     87   }
     88 
     89   int rv = GetNextToken(in_buf, in_buf_len, &out_buf, &out_buf_len);
     90   if (rv != OK)
     91     return rv;
     92 
     93   // Base64 encode data in output buffer and prepend "NTLM ".
     94   std::string encode_input(static_cast<char*>(out_buf), out_buf_len);
     95   std::string encode_output;
     96   bool base64_rv = base::Base64Encode(encode_input, &encode_output);
     97   // OK, we are done with |out_buf|
     98   free(out_buf);
     99   if (!base64_rv) {
    100     LOG(ERROR) << "Unexpected problem Base64 encoding.";
    101     return ERR_UNEXPECTED;
    102   }
    103   *auth_token = std::string("NTLM ") + encode_output;
    104   return OK;
    105 #endif
    106 }
    107 
    108 // The NTLM challenge header looks like:
    109 //   WWW-Authenticate: NTLM auth-data
    110 HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge(
    111     HttpAuth::ChallengeTokenizer* tok, bool initial_challenge) {
    112 #if defined(NTLM_SSPI)
    113   // auth_sspi_ contains state for whether or not this is the initial challenge.
    114   return auth_sspi_.ParseChallenge(tok);
    115 #else
    116   // TODO(cbentzel): Most of the logic between SSPI, GSSAPI, and portable NTLM
    117   // authentication parsing could probably be shared - just need to know if
    118   // there was previously a challenge round.
    119   // TODO(cbentzel): Write a test case to validate that auth_data_ is left empty
    120   // in all failure conditions.
    121   auth_data_.clear();
    122 
    123   // Verify the challenge's auth-scheme.
    124   if (!LowerCaseEqualsASCII(tok->scheme(), "ntlm"))
    125     return HttpAuth::AUTHORIZATION_RESULT_INVALID;
    126 
    127   std::string base64_param = tok->base64_param();
    128   if (base64_param.empty()) {
    129     if (!initial_challenge)
    130       return HttpAuth::AUTHORIZATION_RESULT_REJECT;
    131     return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
    132   } else {
    133     if (initial_challenge)
    134       return HttpAuth::AUTHORIZATION_RESULT_INVALID;
    135   }
    136 
    137   auth_data_ = base64_param;
    138   return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
    139 #endif  // defined(NTLM_SSPI)
    140 }
    141 
    142 // static
    143 std::wstring HttpAuthHandlerNTLM::CreateSPN(const GURL& origin) {
    144   // The service principal name of the destination server.  See
    145   // http://msdn.microsoft.com/en-us/library/ms677949%28VS.85%29.aspx
    146   std::wstring target(L"HTTP/");
    147   target.append(ASCIIToWide(GetHostAndPort(origin)));
    148   return target;
    149 }
    150 
    151 }  // namespace net
    152