Home | History | Annotate | Download | only in http 
      1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "net/http/http_auth_handler_digest.h"
      6 
      7 #include <string>
      8 
      9 #include "base/logging.h"
     10 #include "base/md5.h"
     11 #include "base/rand_util.h"
     12 #include "base/string_util.h"
     13 #include "base/stringprintf.h"
     14 #include "base/utf_string_conversions.h"
     15 #include "net/base/net_errors.h"
     16 #include "net/base/net_util.h"
     17 #include "net/http/http_auth.h"
     18 #include "net/http/http_request_info.h"
     19 #include "net/http/http_util.h"
     20 
     21 namespace net {
     22 
     23 // Digest authentication is specified in RFC 2617.
     24 // The expanded derivations are listed in the tables below.
     25 
     26 //==========+==========+==========================================+
     27 //    qop   |algorithm |               response                   |
     28 //==========+==========+==========================================+
     29 //    ?     |  ?, md5, | MD5(MD5(A1):nonce:MD5(A2))               |
     30 //          | md5-sess |                                          |
     31 //--------- +----------+------------------------------------------+
     32 //   auth,  |  ?, md5, | MD5(MD5(A1):nonce:nc:cnonce:qop:MD5(A2)) |
     33 // auth-int | md5-sess |                                          |
     34 //==========+==========+==========================================+
     35 //    qop   |algorithm |                  A1                      |
     36 //==========+==========+==========================================+
     37 //          | ?, md5   | user:realm:password                      |
     38 //----------+----------+------------------------------------------+
     39 //          | md5-sess | MD5(user:realm:password):nonce:cnonce    |
     40 //==========+==========+==========================================+
     41 //    qop   |algorithm |                  A2                      |
     42 //==========+==========+==========================================+
     43 //  ?, auth |          | req-method:req-uri                       |
     44 //----------+----------+------------------------------------------+
     45 // auth-int |          | req-method:req-uri:MD5(req-entity-body)  |
     46 //=====================+==========================================+
     47 
     48 HttpAuthHandlerDigest::NonceGenerator::NonceGenerator() {
     49 }
     50 
     51 HttpAuthHandlerDigest::NonceGenerator::~NonceGenerator() {
     52 }
     53 
     54 HttpAuthHandlerDigest::DynamicNonceGenerator::DynamicNonceGenerator() {
     55 }
     56 
     57 std::string HttpAuthHandlerDigest::DynamicNonceGenerator::GenerateNonce()
     58     const {
     59   // This is how mozilla generates their cnonce -- a 16 digit hex string.
     60   static const char domain[] = "0123456789abcdef";
     61   std::string cnonce;
     62   cnonce.reserve(16);
     63   for (int i = 0; i < 16; ++i)
     64     cnonce.push_back(domain[base::RandInt(0, 15)]);
     65   return cnonce;
     66 }
     67 
     68 HttpAuthHandlerDigest::FixedNonceGenerator::FixedNonceGenerator(
     69     const std::string& nonce)
     70     : nonce_(nonce) {
     71 }
     72 
     73 std::string HttpAuthHandlerDigest::FixedNonceGenerator::GenerateNonce() const {
     74   return nonce_;
     75 }
     76 
     77 HttpAuthHandlerDigest::Factory::Factory()
     78     : nonce_generator_(new DynamicNonceGenerator()) {
     79 }
     80 
     81 HttpAuthHandlerDigest::Factory::~Factory() {
     82 }
     83 
     84 void HttpAuthHandlerDigest::Factory::set_nonce_generator(
     85     const NonceGenerator* nonce_generator) {
     86   nonce_generator_.reset(nonce_generator);
     87 }
     88 
     89 int HttpAuthHandlerDigest::Factory::CreateAuthHandler(
     90     HttpAuth::ChallengeTokenizer* challenge,
     91     HttpAuth::Target target,
     92     const GURL& origin,
     93     CreateReason reason,
     94     int digest_nonce_count,
     95     const BoundNetLog& net_log,
     96     scoped_ptr<HttpAuthHandler>* handler) {
     97   // TODO(cbentzel): Move towards model of parsing in the factory
     98   //                 method and only constructing when valid.
     99   scoped_ptr<HttpAuthHandler> tmp_handler(
    100       new HttpAuthHandlerDigest(digest_nonce_count, nonce_generator_.get()));
    101   if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log))
    102     return ERR_INVALID_RESPONSE;
    103   handler->swap(tmp_handler);
    104   return OK;
    105 }
    106 
    107 HttpAuth::AuthorizationResult HttpAuthHandlerDigest::HandleAnotherChallenge(
    108     HttpAuth::ChallengeTokenizer* challenge) {
    109   // Even though Digest is not connection based, a "second round" is parsed
    110   // to differentiate between stale and rejected responses.
    111   // Note that the state of the current handler is not mutated - this way if
    112   // there is a rejection the realm hasn't changed.
    113   if (!LowerCaseEqualsASCII(challenge->scheme(), "digest"))
    114     return HttpAuth::AUTHORIZATION_RESULT_INVALID;
    115 
    116   HttpUtil::NameValuePairsIterator parameters = challenge->param_pairs();
    117   std::string realm;
    118 
    119   // Try to find the "stale" value, and also keep track of the realm
    120   // for the new challenge.
    121   while (parameters.GetNext()) {
    122     if (LowerCaseEqualsASCII(parameters.name(), "stale")) {
    123       if (LowerCaseEqualsASCII(parameters.value(), "true"))
    124         return HttpAuth::AUTHORIZATION_RESULT_STALE;
    125     } else if (LowerCaseEqualsASCII(parameters.name(), "realm")) {
    126       realm = parameters.value();
    127     }
    128   }
    129   return (realm_ != realm) ?
    130       HttpAuth::AUTHORIZATION_RESULT_DIFFERENT_REALM :
    131       HttpAuth::AUTHORIZATION_RESULT_REJECT;
    132 }
    133 
    134 bool HttpAuthHandlerDigest::Init(HttpAuth::ChallengeTokenizer* challenge) {
    135   return ParseChallenge(challenge);
    136 }
    137 
    138 int HttpAuthHandlerDigest::GenerateAuthTokenImpl(
    139     const string16* username,
    140     const string16* password,
    141     const HttpRequestInfo* request,
    142     CompletionCallback* callback,
    143     std::string* auth_token) {
    144   // Generate a random client nonce.
    145   std::string cnonce = nonce_generator_->GenerateNonce();
    146 
    147   // Extract the request method and path -- the meaning of 'path' is overloaded
    148   // in certain cases, to be a hostname.
    149   std::string method;
    150   std::string path;
    151   GetRequestMethodAndPath(request, &method, &path);
    152 
    153   *auth_token = AssembleCredentials(method, path,
    154                                     *username,
    155                                     *password,
    156                                     cnonce, nonce_count_);
    157   return OK;
    158 }
    159 
    160 HttpAuthHandlerDigest::HttpAuthHandlerDigest(
    161     int nonce_count, const NonceGenerator* nonce_generator)
    162     : stale_(false),
    163       algorithm_(ALGORITHM_UNSPECIFIED),
    164       qop_(QOP_UNSPECIFIED),
    165       nonce_count_(nonce_count),
    166       nonce_generator_(nonce_generator) {
    167   DCHECK(nonce_generator_);
    168 }
    169 
    170 HttpAuthHandlerDigest::~HttpAuthHandlerDigest() {
    171 }
    172 
    173 // The digest challenge header looks like:
    174 //   WWW-Authenticate: Digest
    175 //     [realm="<realm-value>"]
    176 //     nonce="<nonce-value>"
    177 //     [domain="<list-of-URIs>"]
    178 //     [opaque="<opaque-token-value>"]
    179 //     [stale="<true-or-false>"]
    180 //     [algorithm="<digest-algorithm>"]
    181 //     [qop="<list-of-qop-values>"]
    182 //     [<extension-directive>]
    183 //
    184 // Note that according to RFC 2617 (section 1.2) the realm is required.
    185 // However we allow it to be omitted, in which case it will default to the
    186 // empty string.
    187 //
    188 // This allowance is for better compatibility with webservers that fail to
    189 // send the realm (See http://crbug.com/20984 for an instance where a
    190 // webserver was not sending the realm with a BASIC challenge).
    191 bool HttpAuthHandlerDigest::ParseChallenge(
    192     HttpAuth::ChallengeTokenizer* challenge) {
    193   auth_scheme_ = HttpAuth::AUTH_SCHEME_DIGEST;
    194   score_ = 2;
    195   properties_ = ENCRYPTS_IDENTITY;
    196 
    197   // Initialize to defaults.
    198   stale_ = false;
    199   algorithm_ = ALGORITHM_UNSPECIFIED;
    200   qop_ = QOP_UNSPECIFIED;
    201   realm_ = nonce_ = domain_ = opaque_ = std::string();
    202 
    203   // FAIL -- Couldn't match auth-scheme.
    204   if (!LowerCaseEqualsASCII(challenge->scheme(), "digest"))
    205     return false;
    206 
    207   HttpUtil::NameValuePairsIterator parameters = challenge->param_pairs();
    208 
    209   // Loop through all the properties.
    210   while (parameters.GetNext()) {
    211     // FAIL -- couldn't parse a property.
    212     if (!ParseChallengeProperty(parameters.name(),
    213                                 parameters.value()))
    214       return false;
    215   }
    216 
    217   // Check if tokenizer failed.
    218   if (!parameters.valid())
    219     return false;
    220 
    221   // Check that a minimum set of properties were provided.
    222   if (nonce_.empty())
    223     return false;
    224 
    225   return true;
    226 }
    227 
    228 bool HttpAuthHandlerDigest::ParseChallengeProperty(const std::string& name,
    229                                                    const std::string& value) {
    230   if (LowerCaseEqualsASCII(name, "realm")) {
    231     realm_ = value;
    232   } else if (LowerCaseEqualsASCII(name, "nonce")) {
    233     nonce_ = value;
    234   } else if (LowerCaseEqualsASCII(name, "domain")) {
    235     domain_ = value;
    236   } else if (LowerCaseEqualsASCII(name, "opaque")) {
    237     opaque_ = value;
    238   } else if (LowerCaseEqualsASCII(name, "stale")) {
    239     // Parse the stale boolean.
    240     stale_ = LowerCaseEqualsASCII(value, "true");
    241   } else if (LowerCaseEqualsASCII(name, "algorithm")) {
    242     // Parse the algorithm.
    243     if (LowerCaseEqualsASCII(value, "md5")) {
    244       algorithm_ = ALGORITHM_MD5;
    245     } else if (LowerCaseEqualsASCII(value, "md5-sess")) {
    246       algorithm_ = ALGORITHM_MD5_SESS;
    247     } else {
    248       DVLOG(1) << "Unknown value of algorithm";
    249       return false;  // FAIL -- unsupported value of algorithm.
    250     }
    251   } else if (LowerCaseEqualsASCII(name, "qop")) {
    252     // Parse the comma separated list of qops.
    253     // auth is the only supported qop, and all other values are ignored.
    254     HttpUtil::ValuesIterator qop_values(value.begin(), value.end(), ',');
    255     qop_ = QOP_UNSPECIFIED;
    256     while (qop_values.GetNext()) {
    257       if (LowerCaseEqualsASCII(qop_values.value(), "auth")) {
    258         qop_ = QOP_AUTH;
    259         break;
    260       }
    261     }
    262   } else {
    263     DVLOG(1) << "Skipping unrecognized digest property";
    264     // TODO(eroman): perhaps we should fail instead of silently skipping?
    265   }
    266   return true;
    267 }
    268 
    269 // static
    270 std::string HttpAuthHandlerDigest::QopToString(QualityOfProtection qop) {
    271   switch (qop) {
    272     case QOP_UNSPECIFIED:
    273       return "";
    274     case QOP_AUTH:
    275       return "auth";
    276     default:
    277       NOTREACHED();
    278       return "";
    279   }
    280 }
    281 
    282 // static
    283 std::string HttpAuthHandlerDigest::AlgorithmToString(
    284     DigestAlgorithm algorithm) {
    285   switch (algorithm) {
    286     case ALGORITHM_UNSPECIFIED:
    287       return "";
    288     case ALGORITHM_MD5:
    289       return "MD5";
    290     case ALGORITHM_MD5_SESS:
    291       return "MD5-sess";
    292     default:
    293       NOTREACHED();
    294       return "";
    295   }
    296 }
    297 
    298 void HttpAuthHandlerDigest::GetRequestMethodAndPath(
    299     const HttpRequestInfo* request,
    300     std::string* method,
    301     std::string* path) const {
    302   DCHECK(request);
    303 
    304   const GURL& url = request->url;
    305 
    306   if (target_ == HttpAuth::AUTH_PROXY && url.SchemeIs("https")) {
    307     *method = "CONNECT";
    308     *path = GetHostAndPort(url);
    309   } else {
    310     *method = request->method;
    311     *path = HttpUtil::PathForRequest(url);
    312   }
    313 }
    314 
    315 std::string HttpAuthHandlerDigest::AssembleResponseDigest(
    316     const std::string& method,
    317     const std::string& path,
    318     const string16& username,
    319     const string16& password,
    320     const std::string& cnonce,
    321     const std::string& nc) const {
    322   // ha1 = MD5(A1)
    323   // TODO(eroman): is this the right encoding?
    324   std::string ha1 = MD5String(UTF16ToUTF8(username) + ":" + realm_ + ":" +
    325                               UTF16ToUTF8(password));
    326   if (algorithm_ == HttpAuthHandlerDigest::ALGORITHM_MD5_SESS)
    327     ha1 = MD5String(ha1 + ":" + nonce_ + ":" + cnonce);
    328 
    329   // ha2 = MD5(A2)
    330   // TODO(eroman): need to add MD5(req-entity-body) for qop=auth-int.
    331   std::string ha2 = MD5String(method + ":" + path);
    332 
    333   std::string nc_part;
    334   if (qop_ != HttpAuthHandlerDigest::QOP_UNSPECIFIED) {
    335     nc_part = nc + ":" + cnonce + ":" + QopToString(qop_) + ":";
    336   }
    337 
    338   return MD5String(ha1 + ":" + nonce_ + ":" + nc_part + ha2);
    339 }
    340 
    341 std::string HttpAuthHandlerDigest::AssembleCredentials(
    342     const std::string& method,
    343     const std::string& path,
    344     const string16& username,
    345     const string16& password,
    346     const std::string& cnonce,
    347     int nonce_count) const {
    348   // the nonce-count is an 8 digit hex string.
    349   std::string nc = base::StringPrintf("%08x", nonce_count);
    350 
    351   // TODO(eroman): is this the right encoding?
    352   std::string authorization = (std::string("Digest username=") +
    353                                HttpUtil::Quote(UTF16ToUTF8(username)));
    354   authorization += ", realm=" + HttpUtil::Quote(realm_);
    355   authorization += ", nonce=" + HttpUtil::Quote(nonce_);
    356   authorization += ", uri=" + HttpUtil::Quote(path);
    357 
    358   if (algorithm_ != ALGORITHM_UNSPECIFIED) {
    359     authorization += ", algorithm=" + AlgorithmToString(algorithm_);
    360   }
    361   std::string response = AssembleResponseDigest(method, path, username,
    362                                                 password, cnonce, nc);
    363   // No need to call HttpUtil::Quote() as the response digest cannot contain
    364   // any characters needing to be escaped.
    365   authorization += ", response=\"" + response + "\"";
    366 
    367   if (!opaque_.empty()) {
    368     authorization += ", opaque=" + HttpUtil::Quote(opaque_);
    369   }
    370   if (qop_ != QOP_UNSPECIFIED) {
    371     // TODO(eroman): Supposedly IIS server requires quotes surrounding qop.
    372     authorization += ", qop=" + QopToString(qop_);
    373     authorization += ", nc=" + nc;
    374     authorization += ", cnonce=" + HttpUtil::Quote(cnonce);
    375   }
    376 
    377   return authorization;
    378 }
    379 
    380 }  // namespace net
    381