1// Copyright (c) 2011 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "net/http/http_auth_handler_ntlm.h" 6 7#if !defined(NTLM_SSPI) 8#include "base/base64.h" 9#endif 10#include "base/logging.h" 11#include "base/strings/string_util.h" 12#include "base/strings/utf_string_conversions.h" 13#include "net/base/net_errors.h" 14#include "net/base/net_util.h" 15#include "net/http/http_auth_challenge_tokenizer.h" 16 17namespace net { 18 19HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::HandleAnotherChallenge( 20 HttpAuthChallengeTokenizer* challenge) { 21 return ParseChallenge(challenge, false); 22} 23 24bool HttpAuthHandlerNTLM::Init(HttpAuthChallengeTokenizer* tok) { 25 auth_scheme_ = HttpAuth::AUTH_SCHEME_NTLM; 26 score_ = 3; 27 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; 28 29 return ParseChallenge(tok, true) == HttpAuth::AUTHORIZATION_RESULT_ACCEPT; 30} 31 32int HttpAuthHandlerNTLM::GenerateAuthTokenImpl( 33 const AuthCredentials* credentials, const HttpRequestInfo* request, 34 const CompletionCallback& callback, std::string* auth_token) { 35#if defined(NTLM_SSPI) 36 return auth_sspi_.GenerateAuthToken( 37 credentials, 38 CreateSPN(origin_), 39 auth_token); 40#else // !defined(NTLM_SSPI) 41 // TODO(cbentzel): Shouldn't be hitting this case. 42 if (!credentials) { 43 LOG(ERROR) << "Username and password are expected to be non-NULL."; 44 return ERR_MISSING_AUTH_CREDENTIALS; 45 } 46 // TODO(wtc): See if we can use char* instead of void* for in_buf and 47 // out_buf. This change will need to propagate to GetNextToken, 48 // GenerateType1Msg, and GenerateType3Msg, and perhaps further. 49 const void* in_buf; 50 void* out_buf; 51 uint32 in_buf_len, out_buf_len; 52 std::string decoded_auth_data; 53 54 // The username may be in the form "DOMAIN\user". Parse it into the two 55 // components. 56 base::string16 domain; 57 base::string16 user; 58 const base::string16& username = credentials->username(); 59 const base::char16 backslash_character = '\\'; 60 size_t backslash_idx = username.find(backslash_character); 61 if (backslash_idx == base::string16::npos) { 62 user = username; 63 } else { 64 domain = username.substr(0, backslash_idx); 65 user = username.substr(backslash_idx + 1); 66 } 67 domain_ = domain; 68 credentials_.Set(user, credentials->password()); 69 70 // Initial challenge. 71 if (auth_data_.empty()) { 72 in_buf_len = 0; 73 in_buf = NULL; 74 int rv = InitializeBeforeFirstChallenge(); 75 if (rv != OK) 76 return rv; 77 } else { 78 if (!base::Base64Decode(auth_data_, &decoded_auth_data)) { 79 LOG(ERROR) << "Unexpected problem Base64 decoding."; 80 return ERR_UNEXPECTED; 81 } 82 in_buf_len = decoded_auth_data.length(); 83 in_buf = decoded_auth_data.data(); 84 } 85 86 int rv = GetNextToken(in_buf, in_buf_len, &out_buf, &out_buf_len); 87 if (rv != OK) 88 return rv; 89 90 // Base64 encode data in output buffer and prepend "NTLM ". 91 std::string encode_input(static_cast<char*>(out_buf), out_buf_len); 92 std::string encode_output; 93 base::Base64Encode(encode_input, &encode_output); 94 // OK, we are done with |out_buf| 95 free(out_buf); 96 *auth_token = std::string("NTLM ") + encode_output; 97 return OK; 98#endif 99} 100 101// The NTLM challenge header looks like: 102// WWW-Authenticate: NTLM auth-data 103HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge( 104 HttpAuthChallengeTokenizer* tok, bool initial_challenge) { 105#if defined(NTLM_SSPI) 106 // auth_sspi_ contains state for whether or not this is the initial challenge. 107 return auth_sspi_.ParseChallenge(tok); 108#else 109 // TODO(cbentzel): Most of the logic between SSPI, GSSAPI, and portable NTLM 110 // authentication parsing could probably be shared - just need to know if 111 // there was previously a challenge round. 112 // TODO(cbentzel): Write a test case to validate that auth_data_ is left empty 113 // in all failure conditions. 114 auth_data_.clear(); 115 116 // Verify the challenge's auth-scheme. 117 if (!LowerCaseEqualsASCII(tok->scheme(), "ntlm")) 118 return HttpAuth::AUTHORIZATION_RESULT_INVALID; 119 120 std::string base64_param = tok->base64_param(); 121 if (base64_param.empty()) { 122 if (!initial_challenge) 123 return HttpAuth::AUTHORIZATION_RESULT_REJECT; 124 return HttpAuth::AUTHORIZATION_RESULT_ACCEPT; 125 } else { 126 if (initial_challenge) 127 return HttpAuth::AUTHORIZATION_RESULT_INVALID; 128 } 129 130 auth_data_ = base64_param; 131 return HttpAuth::AUTHORIZATION_RESULT_ACCEPT; 132#endif // defined(NTLM_SSPI) 133} 134 135// static 136std::string HttpAuthHandlerNTLM::CreateSPN(const GURL& origin) { 137 // The service principal name of the destination server. See 138 // http://msdn.microsoft.com/en-us/library/ms677949%28VS.85%29.aspx 139 std::string target("HTTP/"); 140 target.append(GetHostAndPort(origin)); 141 return target; 142} 143 144} // namespace net 145