1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/http/http_auth_handler_ntlm.h" 6 7 #if !defined(NTLM_SSPI) 8 #include "base/base64.h" 9 #endif 10 #include "base/logging.h" 11 #include "base/strings/string_util.h" 12 #include "base/strings/utf_string_conversions.h" 13 #include "net/base/net_errors.h" 14 #include "net/base/net_util.h" 15 16 namespace net { 17 18 HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::HandleAnotherChallenge( 19 HttpAuth::ChallengeTokenizer* challenge) { 20 return ParseChallenge(challenge, false); 21 } 22 23 bool HttpAuthHandlerNTLM::Init(HttpAuth::ChallengeTokenizer* tok) { 24 auth_scheme_ = HttpAuth::AUTH_SCHEME_NTLM; 25 score_ = 3; 26 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; 27 28 return ParseChallenge(tok, true) == HttpAuth::AUTHORIZATION_RESULT_ACCEPT; 29 } 30 31 int HttpAuthHandlerNTLM::GenerateAuthTokenImpl( 32 const AuthCredentials* credentials, const HttpRequestInfo* request, 33 const CompletionCallback& callback, std::string* auth_token) { 34 #if defined(NTLM_SSPI) 35 return auth_sspi_.GenerateAuthToken( 36 credentials, 37 CreateSPN(origin_), 38 auth_token); 39 #else // !defined(NTLM_SSPI) 40 // TODO(cbentzel): Shouldn't be hitting this case. 41 if (!credentials) { 42 LOG(ERROR) << "Username and password are expected to be non-NULL."; 43 return ERR_MISSING_AUTH_CREDENTIALS; 44 } 45 // TODO(wtc): See if we can use char* instead of void* for in_buf and 46 // out_buf. This change will need to propagate to GetNextToken, 47 // GenerateType1Msg, and GenerateType3Msg, and perhaps further. 48 const void* in_buf; 49 void* out_buf; 50 uint32 in_buf_len, out_buf_len; 51 std::string decoded_auth_data; 52 53 // The username may be in the form "DOMAIN\user". Parse it into the two 54 // components. 55 base::string16 domain; 56 base::string16 user; 57 const base::string16& username = credentials->username(); 58 const base::char16 backslash_character = '\\'; 59 size_t backslash_idx = username.find(backslash_character); 60 if (backslash_idx == base::string16::npos) { 61 user = username; 62 } else { 63 domain = username.substr(0, backslash_idx); 64 user = username.substr(backslash_idx + 1); 65 } 66 domain_ = domain; 67 credentials_.Set(user, credentials->password()); 68 69 // Initial challenge. 70 if (auth_data_.empty()) { 71 in_buf_len = 0; 72 in_buf = NULL; 73 int rv = InitializeBeforeFirstChallenge(); 74 if (rv != OK) 75 return rv; 76 } else { 77 if (!base::Base64Decode(auth_data_, &decoded_auth_data)) { 78 LOG(ERROR) << "Unexpected problem Base64 decoding."; 79 return ERR_UNEXPECTED; 80 } 81 in_buf_len = decoded_auth_data.length(); 82 in_buf = decoded_auth_data.data(); 83 } 84 85 int rv = GetNextToken(in_buf, in_buf_len, &out_buf, &out_buf_len); 86 if (rv != OK) 87 return rv; 88 89 // Base64 encode data in output buffer and prepend "NTLM ". 90 std::string encode_input(static_cast<char*>(out_buf), out_buf_len); 91 std::string encode_output; 92 bool base64_rv = base::Base64Encode(encode_input, &encode_output); 93 // OK, we are done with |out_buf| 94 free(out_buf); 95 if (!base64_rv) { 96 LOG(ERROR) << "Unexpected problem Base64 encoding."; 97 return ERR_UNEXPECTED; 98 } 99 *auth_token = std::string("NTLM ") + encode_output; 100 return OK; 101 #endif 102 } 103 104 // The NTLM challenge header looks like: 105 // WWW-Authenticate: NTLM auth-data 106 HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge( 107 HttpAuth::ChallengeTokenizer* tok, bool initial_challenge) { 108 #if defined(NTLM_SSPI) 109 // auth_sspi_ contains state for whether or not this is the initial challenge. 110 return auth_sspi_.ParseChallenge(tok); 111 #else 112 // TODO(cbentzel): Most of the logic between SSPI, GSSAPI, and portable NTLM 113 // authentication parsing could probably be shared - just need to know if 114 // there was previously a challenge round. 115 // TODO(cbentzel): Write a test case to validate that auth_data_ is left empty 116 // in all failure conditions. 117 auth_data_.clear(); 118 119 // Verify the challenge's auth-scheme. 120 if (!LowerCaseEqualsASCII(tok->scheme(), "ntlm")) 121 return HttpAuth::AUTHORIZATION_RESULT_INVALID; 122 123 std::string base64_param = tok->base64_param(); 124 if (base64_param.empty()) { 125 if (!initial_challenge) 126 return HttpAuth::AUTHORIZATION_RESULT_REJECT; 127 return HttpAuth::AUTHORIZATION_RESULT_ACCEPT; 128 } else { 129 if (initial_challenge) 130 return HttpAuth::AUTHORIZATION_RESULT_INVALID; 131 } 132 133 auth_data_ = base64_param; 134 return HttpAuth::AUTHORIZATION_RESULT_ACCEPT; 135 #endif // defined(NTLM_SSPI) 136 } 137 138 // static 139 std::wstring HttpAuthHandlerNTLM::CreateSPN(const GURL& origin) { 140 // The service principal name of the destination server. See 141 // http://msdn.microsoft.com/en-us/library/ms677949%28VS.85%29.aspx 142 std::wstring target(L"HTTP/"); 143 target.append(ASCIIToWide(GetHostAndPort(origin))); 144 return target; 145 } 146 147 } // namespace net 148
