OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/http_auth_handler_negotiate.h" | 5 #include "net/http/http_auth_handler_negotiate.h" |
6 | 6 |
7 #include "base/bind.h" | 7 #include "base/bind.h" |
8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/strings/string_number_conversions.h" |
| 11 #include "base/strings/string_util.h" |
10 #include "base/strings/stringprintf.h" | 12 #include "base/strings/stringprintf.h" |
| 13 #include "base/values.h" |
11 #include "net/base/address_family.h" | 14 #include "net/base/address_family.h" |
12 #include "net/base/net_errors.h" | 15 #include "net/base/net_errors.h" |
| 16 #include "net/cert/x509_util.h" |
13 #include "net/dns/host_resolver.h" | 17 #include "net/dns/host_resolver.h" |
14 #include "net/dns/single_request_host_resolver.h" | 18 #include "net/dns/single_request_host_resolver.h" |
15 #include "net/http/http_auth_filter.h" | 19 #include "net/http/http_auth_filter.h" |
16 #include "net/http/http_auth_preferences.h" | 20 #include "net/http/http_auth_preferences.h" |
| 21 #include "net/log/net_log.h" |
| 22 #include "net/ssl/ssl_info.h" |
17 | 23 |
18 namespace net { | 24 namespace net { |
19 | 25 |
| 26 namespace { |
| 27 |
| 28 scoped_ptr<base::Value> NetLogParameterChannelBindings( |
| 29 const std::string& channel_binding_token, |
| 30 NetLogCaptureMode capture_mode) { |
| 31 scoped_ptr<base::DictionaryValue> dict; |
| 32 if (!capture_mode.include_socket_bytes()) |
| 33 return std::move(dict); |
| 34 |
| 35 dict.reset(new base::DictionaryValue()); |
| 36 dict->SetString("token", base::HexEncode(channel_binding_token.data(), |
| 37 channel_binding_token.size())); |
| 38 return std::move(dict); |
| 39 } |
| 40 |
| 41 } // namespace |
| 42 |
20 HttpAuthHandlerNegotiate::Factory::Factory() | 43 HttpAuthHandlerNegotiate::Factory::Factory() |
21 : resolver_(NULL), | 44 : resolver_(NULL), |
22 #if defined(OS_WIN) | 45 #if defined(OS_WIN) |
23 max_token_length_(0), | 46 max_token_length_(0), |
24 #endif | 47 #endif |
25 is_unsupported_(false) { | 48 is_unsupported_(false) { |
26 } | 49 } |
27 | 50 |
28 HttpAuthHandlerNegotiate::Factory::~Factory() { | 51 HttpAuthHandlerNegotiate::Factory::~Factory() { |
29 } | 52 } |
30 | 53 |
31 void HttpAuthHandlerNegotiate::Factory::set_host_resolver( | 54 void HttpAuthHandlerNegotiate::Factory::set_host_resolver( |
32 HostResolver* resolver) { | 55 HostResolver* resolver) { |
33 resolver_ = resolver; | 56 resolver_ = resolver; |
34 } | 57 } |
35 | 58 |
36 int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler( | 59 int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler( |
37 HttpAuthChallengeTokenizer* challenge, | 60 HttpAuthChallengeTokenizer* challenge, |
38 HttpAuth::Target target, | 61 HttpAuth::Target target, |
| 62 const SSLInfo& ssl_info, |
39 const GURL& origin, | 63 const GURL& origin, |
40 CreateReason reason, | 64 CreateReason reason, |
41 int digest_nonce_count, | 65 int digest_nonce_count, |
42 const BoundNetLog& net_log, | 66 const BoundNetLog& net_log, |
43 scoped_ptr<HttpAuthHandler>* handler) { | 67 scoped_ptr<HttpAuthHandler>* handler) { |
44 #if defined(OS_WIN) | 68 #if defined(OS_WIN) |
45 if (is_unsupported_ || reason == CREATE_PREEMPTIVE) | 69 if (is_unsupported_ || reason == CREATE_PREEMPTIVE) |
46 return ERR_UNSUPPORTED_AUTH_SCHEME; | 70 return ERR_UNSUPPORTED_AUTH_SCHEME; |
47 if (max_token_length_ == 0) { | 71 if (max_token_length_ == 0) { |
48 int rv = DetermineMaxTokenLength(auth_library_.get(), NEGOSSP_NAME, | 72 int rv = DetermineMaxTokenLength(auth_library_.get(), NEGOSSP_NAME, |
(...skipping 22 matching lines...) Expand all Loading... |
71 return ERR_UNSUPPORTED_AUTH_SCHEME; | 95 return ERR_UNSUPPORTED_AUTH_SCHEME; |
72 if (!auth_library_->Init()) { | 96 if (!auth_library_->Init()) { |
73 is_unsupported_ = true; | 97 is_unsupported_ = true; |
74 return ERR_UNSUPPORTED_AUTH_SCHEME; | 98 return ERR_UNSUPPORTED_AUTH_SCHEME; |
75 } | 99 } |
76 // TODO(ahendrickson): Move towards model of parsing in the factory | 100 // TODO(ahendrickson): Move towards model of parsing in the factory |
77 // method and only constructing when valid. | 101 // method and only constructing when valid. |
78 scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNegotiate( | 102 scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNegotiate( |
79 auth_library_.get(), http_auth_preferences(), resolver_)); | 103 auth_library_.get(), http_auth_preferences(), resolver_)); |
80 #endif | 104 #endif |
81 if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log)) | 105 if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin, |
| 106 net_log)) |
82 return ERR_INVALID_RESPONSE; | 107 return ERR_INVALID_RESPONSE; |
83 handler->swap(tmp_handler); | 108 handler->swap(tmp_handler); |
84 return OK; | 109 return OK; |
85 } | 110 } |
86 | 111 |
87 HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate( | 112 HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate( |
88 #if !defined(OS_ANDROID) | 113 #if !defined(OS_ANDROID) |
89 AuthLibrary* auth_library, | 114 AuthLibrary* auth_library, |
90 #endif | 115 #endif |
91 #if defined(OS_WIN) | 116 #if defined(OS_WIN) |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
178 return false; | 203 return false; |
179 return http_auth_preferences_->CanUseDefaultCredentials(origin_); | 204 return http_auth_preferences_->CanUseDefaultCredentials(origin_); |
180 } | 205 } |
181 | 206 |
182 bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() { | 207 bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() { |
183 return auth_system_.AllowsExplicitCredentials(); | 208 return auth_system_.AllowsExplicitCredentials(); |
184 } | 209 } |
185 | 210 |
186 // The Negotiate challenge header looks like: | 211 // The Negotiate challenge header looks like: |
187 // WWW-Authenticate: NEGOTIATE auth-data | 212 // WWW-Authenticate: NEGOTIATE auth-data |
188 bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge) { | 213 bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge, |
| 214 const SSLInfo& ssl_info) { |
189 #if defined(OS_POSIX) | 215 #if defined(OS_POSIX) |
190 if (!auth_system_.Init()) { | 216 if (!auth_system_.Init()) { |
191 VLOG(1) << "can't initialize GSSAPI library"; | 217 VLOG(1) << "can't initialize GSSAPI library"; |
192 return false; | 218 return false; |
193 } | 219 } |
194 // GSSAPI does not provide a way to enter username/password to | 220 // GSSAPI does not provide a way to enter username/password to |
195 // obtain a TGT. If the default credentials are not allowed for | 221 // obtain a TGT. If the default credentials are not allowed for |
196 // a particular site (based on whitelist), fall back to a | 222 // a particular site (based on whitelist), fall back to a |
197 // different scheme. | 223 // different scheme. |
198 if (!AllowsDefaultCredentials()) | 224 if (!AllowsDefaultCredentials()) |
199 return false; | 225 return false; |
200 #endif | 226 #endif |
201 if (CanDelegate()) | 227 if (CanDelegate()) |
202 auth_system_.Delegate(); | 228 auth_system_.Delegate(); |
203 auth_scheme_ = HttpAuth::AUTH_SCHEME_NEGOTIATE; | 229 auth_scheme_ = HttpAuth::AUTH_SCHEME_NEGOTIATE; |
204 score_ = 4; | 230 score_ = 4; |
205 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; | 231 properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED; |
| 232 |
206 HttpAuth::AuthorizationResult auth_result = | 233 HttpAuth::AuthorizationResult auth_result = |
207 auth_system_.ParseChallenge(challenge); | 234 auth_system_.ParseChallenge(challenge); |
208 return (auth_result == HttpAuth::AUTHORIZATION_RESULT_ACCEPT); | 235 if (auth_result != HttpAuth::AUTHORIZATION_RESULT_ACCEPT) |
| 236 return false; |
| 237 |
| 238 // Try to extract channel bindings. |
| 239 if (ssl_info.is_valid()) |
| 240 x509_util::GetTLSServerEndPointChannelBinding(*ssl_info.cert, |
| 241 &channel_bindings_); |
| 242 if (!channel_bindings_.empty()) |
| 243 net_log_.AddEvent( |
| 244 NetLog::TYPE_AUTH_CHANNEL_BINDINGS, |
| 245 base::Bind(&NetLogParameterChannelBindings, channel_bindings_)); |
| 246 return true; |
209 } | 247 } |
210 | 248 |
211 int HttpAuthHandlerNegotiate::GenerateAuthTokenImpl( | 249 int HttpAuthHandlerNegotiate::GenerateAuthTokenImpl( |
212 const AuthCredentials* credentials, const HttpRequestInfo* request, | 250 const AuthCredentials* credentials, const HttpRequestInfo* request, |
213 const CompletionCallback& callback, std::string* auth_token) { | 251 const CompletionCallback& callback, std::string* auth_token) { |
214 DCHECK(callback_.is_null()); | 252 DCHECK(callback_.is_null()); |
215 DCHECK(auth_token_ == NULL); | 253 DCHECK(auth_token_ == NULL); |
216 auth_token_ = auth_token; | 254 auth_token_ = auth_token; |
217 if (already_called_) { | 255 if (already_called_) { |
218 DCHECK((!has_credentials_ && credentials == NULL) || | 256 DCHECK((!has_credentials_ && credentials == NULL) || |
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
312 next_state_ = STATE_GENERATE_AUTH_TOKEN; | 350 next_state_ = STATE_GENERATE_AUTH_TOKEN; |
313 spn_ = CreateSPN(address_list_, origin_); | 351 spn_ = CreateSPN(address_list_, origin_); |
314 address_list_ = AddressList(); | 352 address_list_ = AddressList(); |
315 return rv; | 353 return rv; |
316 } | 354 } |
317 | 355 |
318 int HttpAuthHandlerNegotiate::DoGenerateAuthToken() { | 356 int HttpAuthHandlerNegotiate::DoGenerateAuthToken() { |
319 next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE; | 357 next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE; |
320 AuthCredentials* credentials = has_credentials_ ? &credentials_ : NULL; | 358 AuthCredentials* credentials = has_credentials_ ? &credentials_ : NULL; |
321 return auth_system_.GenerateAuthToken( | 359 return auth_system_.GenerateAuthToken( |
322 credentials, spn_, auth_token_, | 360 credentials, spn_, channel_bindings_, auth_token_, |
323 base::Bind(&HttpAuthHandlerNegotiate::OnIOComplete, | 361 base::Bind(&HttpAuthHandlerNegotiate::OnIOComplete, |
324 base::Unretained(this))); | 362 base::Unretained(this))); |
325 } | 363 } |
326 | 364 |
327 int HttpAuthHandlerNegotiate::DoGenerateAuthTokenComplete(int rv) { | 365 int HttpAuthHandlerNegotiate::DoGenerateAuthTokenComplete(int rv) { |
328 DCHECK_NE(ERR_IO_PENDING, rv); | 366 DCHECK_NE(ERR_IO_PENDING, rv); |
329 auth_token_ = NULL; | 367 auth_token_ = NULL; |
330 return rv; | 368 return rv; |
331 } | 369 } |
332 | 370 |
333 bool HttpAuthHandlerNegotiate::CanDelegate() const { | 371 bool HttpAuthHandlerNegotiate::CanDelegate() const { |
334 // TODO(cbentzel): Should delegation be allowed on proxies? | 372 // TODO(cbentzel): Should delegation be allowed on proxies? |
335 if (target_ == HttpAuth::AUTH_PROXY) | 373 if (target_ == HttpAuth::AUTH_PROXY) |
336 return false; | 374 return false; |
337 if (!http_auth_preferences_) | 375 if (!http_auth_preferences_) |
338 return false; | 376 return false; |
339 return http_auth_preferences_->CanDelegate(origin_); | 377 return http_auth_preferences_->CanDelegate(origin_); |
340 } | 378 } |
341 | 379 |
342 } // namespace net | 380 } // namespace net |
OLD | NEW |