| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_auth_handler_negotiate.h" | 5 #include "net/http/http_auth_handler_negotiate.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/strings/string_number_conversions.h" |
| 11 #include "base/strings/string_util.h" |
| 10 #include "base/strings/stringprintf.h" | 12 #include "base/strings/stringprintf.h" |
| 13 #include "base/values.h" |
| 11 #include "net/base/address_family.h" | 14 #include "net/base/address_family.h" |
| 12 #include "net/base/net_errors.h" | 15 #include "net/base/net_errors.h" |
| 16 #include "net/cert/x509_util.h" |
| 13 #include "net/dns/host_resolver.h" | 17 #include "net/dns/host_resolver.h" |
| 14 #include "net/dns/single_request_host_resolver.h" | 18 #include "net/dns/single_request_host_resolver.h" |
| 15 #include "net/http/http_auth_filter.h" | 19 #include "net/http/http_auth_filter.h" |
| 16 #include "net/http/http_auth_preferences.h" | 20 #include "net/http/http_auth_preferences.h" |
| 21 #include "net/log/net_log.h" |
| 22 #include "net/ssl/ssl_info.h" |
| 17 | 23 |
| 18 namespace net { | 24 namespace net { |
| 19 | 25 |
| 26 namespace { |
| 27 |
| 28 scoped_ptr<base::Value> NetLogParameterChannelBindings( |
| 29 const std::string& channel_binding_token, |
| 30 NetLogCaptureMode capture_mode) { |
| 31 scoped_ptr<base::DictionaryValue> dict; |
| 32 if (!capture_mode.include_socket_bytes()) |
| 33 return std::move(dict); |
| 34 |
| 35 dict.reset(new base::DictionaryValue()); |
| 36 dict->SetString("token", base::HexEncode(channel_binding_token.data(), |
| 37 channel_binding_token.size())); |
| 38 return std::move(dict); |
| 39 } |
| 40 |
| 41 } // namespace |
| 42 |
| 20 HttpAuthHandlerNegotiate::Factory::Factory() | 43 HttpAuthHandlerNegotiate::Factory::Factory() |
| 21 : resolver_(NULL), | 44 : resolver_(NULL), |
| 22 #if defined(OS_WIN) | 45 #if defined(OS_WIN) |
| 23 max_token_length_(0), | 46 max_token_length_(0), |
| 24 #endif | 47 #endif |
| 25 is_unsupported_(false) { | 48 is_unsupported_(false) { |
| 26 } | 49 } |
| 27 | 50 |
| 28 HttpAuthHandlerNegotiate::Factory::~Factory() { | 51 HttpAuthHandlerNegotiate::Factory::~Factory() { |
| 29 } | 52 } |
| 30 | 53 |
| 31 void HttpAuthHandlerNegotiate::Factory::set_host_resolver( | 54 void HttpAuthHandlerNegotiate::Factory::set_host_resolver( |
| 32 HostResolver* resolver) { | 55 HostResolver* resolver) { |
| 33 resolver_ = resolver; | 56 resolver_ = resolver; |
| 34 } | 57 } |
| 35 | 58 |
| 36 int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler( | 59 int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler( |
| 37 HttpAuthChallengeTokenizer* challenge, | 60 HttpAuthChallengeTokenizer* challenge, |
| 38 HttpAuth::Target target, | 61 HttpAuth::Target target, |
| 62 const SSLInfo& ssl_info, |
| 39 const GURL& origin, | 63 const GURL& origin, |
| 40 CreateReason reason, | 64 CreateReason reason, |
| 41 int digest_nonce_count, | 65 int digest_nonce_count, |
| 42 const BoundNetLog& net_log, | 66 const BoundNetLog& net_log, |
| 43 scoped_ptr<HttpAuthHandler>* handler) { | 67 scoped_ptr<HttpAuthHandler>* handler) { |
| 44 #if defined(OS_WIN) | 68 #if defined(OS_WIN) |
| 45 if (is_unsupported_ || reason == CREATE_PREEMPTIVE) | 69 if (is_unsupported_ || reason == CREATE_PREEMPTIVE) |
| 46 return ERR_UNSUPPORTED_AUTH_SCHEME; | 70 return ERR_UNSUPPORTED_AUTH_SCHEME; |
| 47 if (max_token_length_ == 0) { | 71 if (max_token_length_ == 0) { |
| 48 int rv = DetermineMaxTokenLength(auth_library_.get(), NEGOSSP_NAME, | 72 int rv = DetermineMaxTokenLength(auth_library_.get(), NEGOSSP_NAME, |
| (...skipping 22 matching lines...) Expand all Loading... |
| 71 return ERR_UNSUPPORTED_AUTH_SCHEME; | 95 return ERR_UNSUPPORTED_AUTH_SCHEME; |
| 72 if (!auth_library_->Init()) { | 96 if (!auth_library_->Init()) { |
| 73 is_unsupported_ = true; | 97 is_unsupported_ = true; |
| 74 return ERR_UNSUPPORTED_AUTH_SCHEME; | 98 return ERR_UNSUPPORTED_AUTH_SCHEME; |
| 75 } | 99 } |
| 76 // TODO(ahendrickson): Move towards model of parsing in the factory | 100 // TODO(ahendrickson): Move towards model of parsing in the factory |
| 77 // method and only constructing when valid. | 101 // method and only constructing when valid. |
| 78 scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNegotiate( | 102 scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNegotiate( |
| 79 auth_library_.get(), http_auth_preferences(), resolver_)); | 103 auth_library_.get(), http_auth_preferences(), resolver_)); |
| 80 #endif | 104 #endif |
| 81 if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log)) | 105 if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin, |
| 106 net_log)) |
| 82 return ERR_INVALID_RESPONSE; | 107 return ERR_INVALID_RESPONSE; |
| 83 handler->swap(tmp_handler); | 108 handler->swap(tmp_handler); |
| 84 return OK; | 109 return OK; |
| 85 } | 110 } |
| 86 | 111 |
| 87 HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate( | 112 HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate( |
| 88 #if !defined(OS_ANDROID) | 113 #if !defined(OS_ANDROID) |
| 89 AuthLibrary* auth_library, | 114 AuthLibrary* auth_library, |
| 90 #endif | 115 #endif |
| 91 #if defined(OS_WIN) | 116 #if defined(OS_WIN) |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 178 return false; | 203 return false; |
| 179 return http_auth_preferences_->CanUseDefaultCredentials(origin_); | 204 return http_auth_preferences_->CanUseDefaultCredentials(origin_); |
| 180 } | 205 } |
| 181 | 206 |
| 182 bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() { | 207 bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() { |
| 183 return auth_system_.AllowsExplicitCredentials(); | 208 return auth_system_.AllowsExplicitCredentials(); |
| 184 } | 209 } |
| 185 | 210 |
| 186 // The Negotiate challenge header looks like: | 211 // The Negotiate challenge header looks like: |
| 187 // WWW-Authenticate: NEGOTIATE auth-data | 212 // WWW-Authenticate: NEGOTIATE auth-data |
| 188 bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge) { | 213 bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge, |
| 214 const SSLInfo& ssl_info) { |
| 189 #if defined(OS_POSIX) | 215 #if defined(OS_POSIX) |
| 190 if (!auth_system_.Init()) { | 216 if (!auth_system_.Init()) { |
| 191 VLOG(1) << "can't initialize GSSAPI library"; | 217 VLOG(1) << "can't initialize GSSAPI library"; |
| 192 return false; | 218 return false; |
| 193 } | 219 } |
| 194 // GSSAPI does not provide a way to enter username/password to | 220 // GSSAPI does not provide a way to enter username/password to |
| 195 // obtain a TGT. If the default credentials are not allowed for | 221 // obtain a TGT. If the default credentials are not allowed for |
| 196 // a particular site (based on whitelist), fall back to a | 222 // a particular site (based on whitelist), fall back to a |
| 197 // different scheme. | 223 // different scheme. |
| 198 if (!AllowsDefaultCredentials()) | 224 if (!AllowsDefaultCredentials()) |
| 199 return false; | 225 return false; |
| 200 #endif | 226 #endif |
| 201 if (CanDelegate()) | 227 if (CanDelegate()) |
| 202 auth_system_.Delegate(); | 228 auth_system_.Delegate(); |
| 203 auth_scheme_ = HttpAuth::AUTH_SCHEME_NEGOTIATE; | 229 auth_scheme_ = HttpAuth::AUTH_SCHEME_NEGOTIATE; |
| 204 score_ = 4; | 230 score_ = 4; |
| 205 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; | 231 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; |
| 232 |
| 206 HttpAuth::AuthorizationResult auth_result = | 233 HttpAuth::AuthorizationResult auth_result = |
| 207 auth_system_.ParseChallenge(challenge); | 234 auth_system_.ParseChallenge(challenge); |
| 208 return (auth_result == HttpAuth::AUTHORIZATION_RESULT_ACCEPT); | 235 if (auth_result != HttpAuth::AUTHORIZATION_RESULT_ACCEPT) |
| 236 return false; |
| 237 |
| 238 // Try to extract channel bindings. |
| 239 if (ssl_info.is_valid()) |
| 240 x509_util::GetTLSServerEndPointChannelBinding(*ssl_info.cert, |
| 241 &channel_bindings_); |
| 242 if (!channel_bindings_.empty()) |
| 243 net_log_.AddEvent( |
| 244 NetLog::TYPE_AUTH_CHANNEL_BINDINGS, |
| 245 base::Bind(&NetLogParameterChannelBindings, channel_bindings_)); |
| 246 return true; |
| 209 } | 247 } |
| 210 | 248 |
| 211 int HttpAuthHandlerNegotiate::GenerateAuthTokenImpl( | 249 int HttpAuthHandlerNegotiate::GenerateAuthTokenImpl( |
| 212 const AuthCredentials* credentials, const HttpRequestInfo* request, | 250 const AuthCredentials* credentials, const HttpRequestInfo* request, |
| 213 const CompletionCallback& callback, std::string* auth_token) { | 251 const CompletionCallback& callback, std::string* auth_token) { |
| 214 DCHECK(callback_.is_null()); | 252 DCHECK(callback_.is_null()); |
| 215 DCHECK(auth_token_ == NULL); | 253 DCHECK(auth_token_ == NULL); |
| 216 auth_token_ = auth_token; | 254 auth_token_ = auth_token; |
| 217 if (already_called_) { | 255 if (already_called_) { |
| 218 DCHECK((!has_credentials_ && credentials == NULL) || | 256 DCHECK((!has_credentials_ && credentials == NULL) || |
| (...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 312 next_state_ = STATE_GENERATE_AUTH_TOKEN; | 350 next_state_ = STATE_GENERATE_AUTH_TOKEN; |
| 313 spn_ = CreateSPN(address_list_, origin_); | 351 spn_ = CreateSPN(address_list_, origin_); |
| 314 address_list_ = AddressList(); | 352 address_list_ = AddressList(); |
| 315 return rv; | 353 return rv; |
| 316 } | 354 } |
| 317 | 355 |
| 318 int HttpAuthHandlerNegotiate::DoGenerateAuthToken() { | 356 int HttpAuthHandlerNegotiate::DoGenerateAuthToken() { |
| 319 next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE; | 357 next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE; |
| 320 AuthCredentials* credentials = has_credentials_ ? &credentials_ : NULL; | 358 AuthCredentials* credentials = has_credentials_ ? &credentials_ : NULL; |
| 321 return auth_system_.GenerateAuthToken( | 359 return auth_system_.GenerateAuthToken( |
| 322 credentials, spn_, auth_token_, | 360 credentials, spn_, channel_bindings_, auth_token_, |
| 323 base::Bind(&HttpAuthHandlerNegotiate::OnIOComplete, | 361 base::Bind(&HttpAuthHandlerNegotiate::OnIOComplete, |
| 324 base::Unretained(this))); | 362 base::Unretained(this))); |
| 325 } | 363 } |
| 326 | 364 |
| 327 int HttpAuthHandlerNegotiate::DoGenerateAuthTokenComplete(int rv) { | 365 int HttpAuthHandlerNegotiate::DoGenerateAuthTokenComplete(int rv) { |
| 328 DCHECK_NE(ERR_IO_PENDING, rv); | 366 DCHECK_NE(ERR_IO_PENDING, rv); |
| 329 auth_token_ = NULL; | 367 auth_token_ = NULL; |
| 330 return rv; | 368 return rv; |
| 331 } | 369 } |
| 332 | 370 |
| 333 bool HttpAuthHandlerNegotiate::CanDelegate() const { | 371 bool HttpAuthHandlerNegotiate::CanDelegate() const { |
| 334 // TODO(cbentzel): Should delegation be allowed on proxies? | 372 // TODO(cbentzel): Should delegation be allowed on proxies? |
| 335 if (target_ == HttpAuth::AUTH_PROXY) | 373 if (target_ == HttpAuth::AUTH_PROXY) |
| 336 return false; | 374 return false; |
| 337 if (!http_auth_preferences_) | 375 if (!http_auth_preferences_) |
| 338 return false; | 376 return false; |
| 339 return http_auth_preferences_->CanDelegate(origin_); | 377 return http_auth_preferences_->CanDelegate(origin_); |
| 340 } | 378 } |
| 341 | 379 |
| 342 } // namespace net | 380 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1408433006:
Support tls-server-end-point channel bindings for HTTP authentication. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master