1// Copyright (c) 2011 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "net/http/http_auth_handler_ntlm.h"
6
7#if !defined(NTLM_SSPI)
8#include "base/base64.h"
9#endif
10#include "base/logging.h"
11#include "base/strings/string_util.h"
12#include "base/strings/utf_string_conversions.h"
13#include "net/base/net_errors.h"
14#include "net/base/net_util.h"
15
16namespace net {
17
18HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::HandleAnotherChallenge(
19    HttpAuth::ChallengeTokenizer* challenge) {
20  return ParseChallenge(challenge, false);
21}
22
23bool HttpAuthHandlerNTLM::Init(HttpAuth::ChallengeTokenizer* tok) {
24  auth_scheme_ = HttpAuth::AUTH_SCHEME_NTLM;
25  score_ = 3;
26  properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
27
28  return ParseChallenge(tok, true) == HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
29}
30
31int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
32    const AuthCredentials* credentials, const HttpRequestInfo* request,
33    const CompletionCallback& callback, std::string* auth_token) {
34#if defined(NTLM_SSPI)
35  return auth_sspi_.GenerateAuthToken(
36      credentials,
37      CreateSPN(origin_),
38      auth_token);
39#else  // !defined(NTLM_SSPI)
40  // TODO(cbentzel): Shouldn't be hitting this case.
41  if (!credentials) {
42    LOG(ERROR) << "Username and password are expected to be non-NULL.";
43    return ERR_MISSING_AUTH_CREDENTIALS;
44  }
45  // TODO(wtc): See if we can use char* instead of void* for in_buf and
46  // out_buf.  This change will need to propagate to GetNextToken,
47  // GenerateType1Msg, and GenerateType3Msg, and perhaps further.
48  const void* in_buf;
49  void* out_buf;
50  uint32 in_buf_len, out_buf_len;
51  std::string decoded_auth_data;
52
53  // The username may be in the form "DOMAIN\user".  Parse it into the two
54  // components.
55  base::string16 domain;
56  base::string16 user;
57  const base::string16& username = credentials->username();
58  const base::char16 backslash_character = '\\';
59  size_t backslash_idx = username.find(backslash_character);
60  if (backslash_idx == base::string16::npos) {
61    user = username;
62  } else {
63    domain = username.substr(0, backslash_idx);
64    user = username.substr(backslash_idx + 1);
65  }
66  domain_ = domain;
67  credentials_.Set(user, credentials->password());
68
69  // Initial challenge.
70  if (auth_data_.empty()) {
71    in_buf_len = 0;
72    in_buf = NULL;
73    int rv = InitializeBeforeFirstChallenge();
74    if (rv != OK)
75      return rv;
76  } else {
77    if (!base::Base64Decode(auth_data_, &decoded_auth_data)) {
78      LOG(ERROR) << "Unexpected problem Base64 decoding.";
79      return ERR_UNEXPECTED;
80    }
81    in_buf_len = decoded_auth_data.length();
82    in_buf = decoded_auth_data.data();
83  }
84
85  int rv = GetNextToken(in_buf, in_buf_len, &out_buf, &out_buf_len);
86  if (rv != OK)
87    return rv;
88
89  // Base64 encode data in output buffer and prepend "NTLM ".
90  std::string encode_input(static_cast<char*>(out_buf), out_buf_len);
91  std::string encode_output;
92  base::Base64Encode(encode_input, &encode_output);
93  // OK, we are done with |out_buf|
94  free(out_buf);
95  *auth_token = std::string("NTLM ") + encode_output;
96  return OK;
97#endif
98}
99
100// The NTLM challenge header looks like:
101//   WWW-Authenticate: NTLM auth-data
102HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge(
103    HttpAuth::ChallengeTokenizer* tok, bool initial_challenge) {
104#if defined(NTLM_SSPI)
105  // auth_sspi_ contains state for whether or not this is the initial challenge.
106  return auth_sspi_.ParseChallenge(tok);
107#else
108  // TODO(cbentzel): Most of the logic between SSPI, GSSAPI, and portable NTLM
109  // authentication parsing could probably be shared - just need to know if
110  // there was previously a challenge round.
111  // TODO(cbentzel): Write a test case to validate that auth_data_ is left empty
112  // in all failure conditions.
113  auth_data_.clear();
114
115  // Verify the challenge's auth-scheme.
116  if (!LowerCaseEqualsASCII(tok->scheme(), "ntlm"))
117    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
118
119  std::string base64_param = tok->base64_param();
120  if (base64_param.empty()) {
121    if (!initial_challenge)
122      return HttpAuth::AUTHORIZATION_RESULT_REJECT;
123    return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
124  } else {
125    if (initial_challenge)
126      return HttpAuth::AUTHORIZATION_RESULT_INVALID;
127  }
128
129  auth_data_ = base64_param;
130  return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
131#endif  // defined(NTLM_SSPI)
132}
133
134// static
135std::string HttpAuthHandlerNTLM::CreateSPN(const GURL& origin) {
136  // The service principal name of the destination server.  See
137  // http://msdn.microsoft.com/en-us/library/ms677949%28VS.85%29.aspx
138  std::string target("HTTP/");
139  target.append(GetHostAndPort(origin));
140  return target;
141}
142
143}  // namespace net
144