Support tls-server-end-point channel bindings for HTTP authentication.

net/http/http_auth_handler_negotiate.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_auth_handler_negotiate.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/logging.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
+#include "base/values.h"
 #include "net/base/address_family.h"
 #include "net/base/net_errors.h"
+#include "net/cert/x509_util.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/single_request_host_resolver.h"
 #include "net/http/http_auth_filter.h"
 #include "net/http/http_auth_preferences.h"
+#include "net/http/http_response_info.h"
+#include "net/log/net_log.h"
 
 namespace net {
 
+namespace {
+
+scoped_ptr<base::Value> NetLogParameterChannelBindings(
+    const std::string& channel_binding_token,
+    NetLogCaptureMode capture_mode) {
+  scoped_ptr<base::DictionaryValue> dict;
+  if (!capture_mode.include_socket_bytes())
+    return std::move(dict);
+
+  dict.reset(new base::DictionaryValue());
+  auto colon = channel_binding_token.find(':');

[Ryan Sleevi, 2016/03/18 21:27:40]

Is it necessary to split this? I'm not sure why you treat "type" as a magic
value - why not just let it be logged w/o further interpretation?

[asanka, 2016/03/23 04:51:30]

Done. Yeah, went with logging the token in hex without trying to interpret the
type.

+  if (colon == channel_binding_token.npos || colon < 1 ||

[Ryan Sleevi, 2016/03/18 21:27:40]

Shouldn't this be std::string::npos? It's a static data member, not instance.

[asanka, 2016/03/23 04:51:30]

Either is valid for a static member of a class, but the fully qualified form is
more readable. I'd have changed it to std::string::npos, but this block got
removed since we are now logging the token without trying to determine its type.

+      !base::IsStringASCII(channel_binding_token.substr(0, colon))) {
+    dict->SetString("type", "(unknown)");
+    dict->SetString("token", base::HexEncode(channel_binding_token.data(),
+                                             channel_binding_token.size()));
+  } else {
+    dict->SetString("type", channel_binding_token.substr(0, colon));
+    ++colon;
+    dict->SetString("token",
+                    base::HexEncode(channel_binding_token.data() + colon,
+                                    channel_binding_token.size() - colon));
+  }
+  return std::move(dict);
+}
+
+}  // namespace
+
 HttpAuthHandlerNegotiate::Factory::Factory()
     : resolver_(NULL),
 #if defined(OS_WIN)
       max_token_length_(0),
 #endif
       is_unsupported_(false) {
 }
 
 HttpAuthHandlerNegotiate::Factory::~Factory() {
 }
 
 void HttpAuthHandlerNegotiate::Factory::set_host_resolver(
     HostResolver* resolver) {
   resolver_ = resolver;
 }
 
 int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
     HttpAuthChallengeTokenizer* challenge,
     HttpAuth::Target target,
+    const HttpResponseInfo& response_info,
     const GURL& origin,
     CreateReason reason,
     int digest_nonce_count,
     const BoundNetLog& net_log,
     scoped_ptr<HttpAuthHandler>* handler) {
 #if defined(OS_WIN)
   if (is_unsupported_ || reason == CREATE_PREEMPTIVE)
     return ERR_UNSUPPORTED_AUTH_SCHEME;
   if (max_token_length_ == 0) {
     int rv = DetermineMaxTokenLength(auth_library_.get(), NEGOSSP_NAME,
@@ skipping 22 matching lines @@
     return ERR_UNSUPPORTED_AUTH_SCHEME;
   if (!auth_library_->Init()) {
     is_unsupported_ = true;
     return ERR_UNSUPPORTED_AUTH_SCHEME;
   }
   // TODO(ahendrickson): Move towards model of parsing in the factory
   //                     method and only constructing when valid.
   scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNegotiate(
       auth_library_.get(), http_auth_preferences(), resolver_));
 #endif
-  if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log))
+  if (!tmp_handler->InitFromChallenge(challenge, target, response_info, origin,
+                                      net_log))
     return ERR_INVALID_RESPONSE;
   handler->swap(tmp_handler);
   return OK;
 }
 
 HttpAuthHandlerNegotiate::HttpAuthHandlerNegotiate(
 #if !defined(OS_ANDROID)
     AuthLibrary* auth_library,
 #endif
 #if defined(OS_WIN)
@@ skipping 86 matching lines @@
     return false;
   return http_auth_preferences_->CanUseDefaultCredentials(origin_);
 }
 
 bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() {
   return auth_system_.AllowsExplicitCredentials();
 }
 
 // The Negotiate challenge header looks like:
 //   WWW-Authenticate: NEGOTIATE auth-data
-bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge) {
+bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge,
+                                    const HttpResponseInfo& response_info) {
 #if defined(OS_POSIX)
   if (!auth_system_.Init()) {
     VLOG(1) << "can't initialize GSSAPI library";
     return false;
   }
   // GSSAPI does not provide a way to enter username/password to
   // obtain a TGT. If the default credentials are not allowed for
   // a particular site (based on whitelist), fall back to a
   // different scheme.
   if (!AllowsDefaultCredentials())
     return false;
 #endif
   if (CanDelegate())
     auth_system_.Delegate();
   auth_scheme_ = HttpAuth::AUTH_SCHEME_NEGOTIATE;
   score_ = 4;
   properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
+
   HttpAuth::AuthorizationResult auth_result =
       auth_system_.ParseChallenge(challenge);
-  return (auth_result == HttpAuth::AUTHORIZATION_RESULT_ACCEPT);
+  if (auth_result != HttpAuth::AUTHORIZATION_RESULT_ACCEPT)
+    return false;
+
+  // Try to extract channel bindings.
+  if (response_info.ssl_info.is_valid())
+    x509_util::GetTLSServerEndPointChannelBinding(*response_info.ssl_info.cert,
+                                                  &channel_bindings_);
+  if (!channel_bindings_.empty())
+    net_log_.AddEvent(
+        NetLog::TYPE_AUTH_CHANNEL_BINDINGS,
+        base::Bind(&NetLogParameterChannelBindings, channel_bindings_));
+  return true;
 }
 
 int HttpAuthHandlerNegotiate::GenerateAuthTokenImpl(
     const AuthCredentials* credentials, const HttpRequestInfo* request,
     const CompletionCallback& callback, std::string* auth_token) {
   DCHECK(callback_.is_null());
   DCHECK(auth_token_ == NULL);
   auth_token_ = auth_token;
   if (already_called_) {
     DCHECK((!has_credentials_ && credentials == NULL) ||
@@ skipping 93 matching lines @@
   next_state_ = STATE_GENERATE_AUTH_TOKEN;
   spn_ = CreateSPN(address_list_, origin_);
   address_list_ = AddressList();
   return rv;
 }
 
 int HttpAuthHandlerNegotiate::DoGenerateAuthToken() {
   next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE;
   AuthCredentials* credentials = has_credentials_ ? &credentials_ : NULL;
   return auth_system_.GenerateAuthToken(
-      credentials, spn_, auth_token_,
+      credentials, spn_, channel_bindings_, auth_token_,
       base::Bind(&HttpAuthHandlerNegotiate::OnIOComplete,
                  base::Unretained(this)));
 }
 
 int HttpAuthHandlerNegotiate::DoGenerateAuthTokenComplete(int rv) {
   DCHECK_NE(ERR_IO_PENDING, rv);
   auth_token_ = NULL;
   return rv;
 }
 
 bool HttpAuthHandlerNegotiate::CanDelegate() const {
   // TODO(cbentzel): Should delegation be allowed on proxies?
   if (target_ == HttpAuth::AUTH_PROXY)
     return false;
   if (!http_auth_preferences_)
     return false;
   return http_auth_preferences_->CanDelegate(origin_);
 }
 
 }  // namespace net