Support tls-server-end-point channel bindings for HTTP authentication.

net/http/http_auth_controller.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_controller.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/platform_thread.h"
 #include "net/base/auth.h"
 #include "net/base/url_util.h"
 #include "net/dns/host_resolver.h"
 #include "net/http/http_auth_handler.h"
 #include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/http_request_info.h"
 #include "net/http/http_response_headers.h"
 
 namespace net {
 
 namespace {
 
-// Returns a log message for all the response headers related to the auth
-// challenge.
-std::string AuthChallengeLogMessage(HttpResponseHeaders* headers) {
-  std::string msg;
-  std::string header_val;
-  size_t iter = 0;
-  while (headers->EnumerateHeader(&iter, "proxy-authenticate", &header_val)) {
-    msg.append("\n  Has header Proxy-Authenticate: ");
-    msg.append(header_val);
-  }
-
-  iter = 0;
-  while (headers->EnumerateHeader(&iter, "www-authenticate", &header_val)) {
-    msg.append("\n  Has header WWW-Authenticate: ");
-    msg.append(header_val);
-  }
-
-  // RFC 4559 requires that a proxy indicate its support of NTLM/Negotiate
-  // authentication with a "Proxy-Support: Session-Based-Authentication"
-  // response header.
-  iter = 0;
-  while (headers->EnumerateHeader(&iter, "proxy-support", &header_val)) {
-    msg.append("\n  Has header Proxy-Support: ");
-    msg.append(header_val);
-  }
-
-  return msg;
-}
-
 enum AuthEvent {
   AUTH_EVENT_START = 0,
   AUTH_EVENT_REJECT,
   AUTH_EVENT_MAX,
 };
 
 enum AuthTarget {
   AUTH_TARGET_PROXY = 0,
   AUTH_TARGET_SECURE_PROXY,
   AUTH_TARGET_SERVER,
@@ skipping 174 matching lines @@
   // the auth scheme and want to retry.
   if (!auth_token_.empty()) {
     authorization_headers->SetHeader(
         HttpAuth::GetAuthorizationHeaderName(target_), auth_token_);
     auth_token_.clear();
   }
 }
 
 int HttpAuthController::HandleAuthChallenge(
     scoped_refptr<HttpResponseHeaders> headers,
+    const SSLInfo& ssl_info,
     bool do_not_send_server_auth,
     bool establishing_tunnel,
     const BoundNetLog& net_log) {
   DCHECK(CalledOnValidThread());
   DCHECK(headers.get());
   DCHECK(auth_origin_.is_valid());
-  VLOG(1) << "The " << HttpAuth::GetAuthTargetString(target_) << " "
-          << auth_origin_ << " requested auth "
-          << AuthChallengeLogMessage(headers.get());
 
   // Give the existing auth handler first try at the authentication headers.
   // This will also evict the entry in the HttpAuthCache if the previous
   // challenge appeared to be rejected, or is using a stale nonce in the Digest
   // case.
   if (HaveAuth()) {
     std::string challenge_used;
-    HttpAuth::AuthorizationResult result =
-        HttpAuth::HandleChallengeResponse(handler_.get(),
-                                          headers.get(),
-                                          target_,
-                                          disabled_schemes_,
-                                          &challenge_used);
+    HttpAuth::AuthorizationResult result = HttpAuth::HandleChallengeResponse(
+        handler_.get(), *headers, target_, disabled_schemes_, &challenge_used);
     switch (result) {
       case HttpAuth::AUTHORIZATION_RESULT_ACCEPT:
         break;
       case HttpAuth::AUTHORIZATION_RESULT_INVALID:
         InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
         break;
       case HttpAuth::AUTHORIZATION_RESULT_REJECT:
         HistogramAuthEvent(handler_.get(), AUTH_EVENT_REJECT);
         InvalidateCurrentHandler(INVALIDATE_HANDLER_AND_CACHED_CREDENTIALS);
         break;
@@ skipping 28 matching lines @@
   }
 
   identity_.invalid = true;
 
   bool can_send_auth = (target_ != HttpAuth::AUTH_SERVER ||
                         !do_not_send_server_auth);
 
   do {
     if (!handler_.get() && can_send_auth) {
       // Find the best authentication challenge that we support.
-      HttpAuth::ChooseBestChallenge(http_auth_handler_factory_,
-                                    headers.get(),
-                                    target_,
-                                    auth_origin_,
-                                    disabled_schemes_,
-                                    net_log,
-                                    &handler_);
+      HttpAuth::ChooseBestChallenge(http_auth_handler_factory_, *headers,
+                                    ssl_info, target_, auth_origin_,
+                                    disabled_schemes_, net_log, &handler_);
       if (handler_.get())
         HistogramAuthEvent(handler_.get(), AUTH_EVENT_START);
     }
 
     if (!handler_.get()) {
       if (establishing_tunnel) {
-        LOG(ERROR) << "Can't perform auth to the "
-                   << HttpAuth::GetAuthTargetString(target_) << " "
-                   << auth_origin_ << " when establishing a tunnel"
-                   << AuthChallengeLogMessage(headers.get());
-
         // We are establishing a tunnel, we can't show the error page because an
         // active network attacker could control its contents.  Instead, we just
         // fail to establish the tunnel.
         DCHECK(target_ == HttpAuth::AUTH_PROXY);
         return ERR_PROXY_AUTH_UNSUPPORTED;
       }
       // We found no supported challenge -- let the transaction continue so we
       // end up displaying the error page.
       return OK;
     }
@@ skipping 221 matching lines @@
   DCHECK(CalledOnValidThread());
   disabled_schemes_.insert(scheme);
 }
 
 void HttpAuthController::DisableEmbeddedIdentity() {
   DCHECK(CalledOnValidThread());
   embedded_identity_used_ = true;
 }
 
 }  // namespace net