Chromium Code Reviews Chromium Code Reviews
Issue 1408433006:
Support tls-server-end-point channel bindings for HTTP authentication. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // See "SSPI Sample Application" at | 5 // See "SSPI Sample Application" at |
| 6 // http://msdn.microsoft.com/en-us/library/aa918273.aspx | 6 // http://msdn.microsoft.com/en-us/library/aa918273.aspx |
| 7 | 7 |
| 8 #include "net/http/http_auth_sspi_win.h" | 8 #include "net/http/http_auth_sspi_win.h" |
| 9 | 9 |
| 10 #include "base/base64.h" | 10 #include "base/base64.h" |
| (...skipping 274 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 285 if (!SecIsValidHandle(&ctxt_)) { | 285 if (!SecIsValidHandle(&ctxt_)) { |
| 286 return net::ParseFirstRoundChallenge(scheme_, tok); | 286 return net::ParseFirstRoundChallenge(scheme_, tok); |
| 287 } | 287 } |
| 288 std::string encoded_auth_token; | 288 std::string encoded_auth_token; |
| 289 return net::ParseLaterRoundChallenge(scheme_, tok, &encoded_auth_token, | 289 return net::ParseLaterRoundChallenge(scheme_, tok, &encoded_auth_token, |
| 290 &decoded_server_auth_token_); | 290 &decoded_server_auth_token_); |
| 291 } | 291 } |
| 292 | 292 |
| 293 int HttpAuthSSPI::GenerateAuthToken(const AuthCredentials* credentials, | 293 int HttpAuthSSPI::GenerateAuthToken(const AuthCredentials* credentials, |
| 294 const std::string& spn, | 294 const std::string& spn, |
| 295 const std::string& channel_bindings, | |
| 295 std::string* auth_token, | 296 std::string* auth_token, |
| 296 const CompletionCallback& /*callback*/) { | 297 const CompletionCallback& /*callback*/) { |
| 297 // Initial challenge. | 298 // Initial challenge. |
| 298 if (!SecIsValidHandle(&cred_)) { | 299 if (!SecIsValidHandle(&cred_)) { |
| 299 int rv = OnFirstRound(credentials); | 300 int rv = OnFirstRound(credentials); |
| 300 if (rv != OK) | 301 if (rv != OK) |
| 301 return rv; | 302 return rv; |
| 302 } | 303 } |
| 303 | 304 |
| 304 DCHECK(SecIsValidHandle(&cred_)); | 305 DCHECK(SecIsValidHandle(&cred_)); |
| 305 void* out_buf; | 306 void* out_buf; |
| 306 int out_buf_len; | 307 int out_buf_len; |
| 307 int rv = GetNextSecurityToken( | 308 int rv = GetNextSecurityToken( |
| 308 spn, | 309 spn, channel_bindings, |
| 309 static_cast<void *>(const_cast<char *>( | 310 static_cast<void*>(const_cast<char*>(decoded_server_auth_token_.c_str())), |
| 310 decoded_server_auth_token_.c_str())), | 311 decoded_server_auth_token_.length(), &out_buf, &out_buf_len); |
| 311 decoded_server_auth_token_.length(), | |
| 312 &out_buf, | |
| 313 &out_buf_len); | |
| 314 if (rv != OK) | 312 if (rv != OK) |
| 315 return rv; | 313 return rv; |
| 316 | 314 |
| 317 // Base64 encode data in output buffer and prepend the scheme. | 315 // Base64 encode data in output buffer and prepend the scheme. |
| 318 std::string encode_input(static_cast<char*>(out_buf), out_buf_len); | 316 std::string encode_input(static_cast<char*>(out_buf), out_buf_len); |
| 319 std::string encode_output; | 317 std::string encode_output; |
| 320 base::Base64Encode(encode_input, &encode_output); | 318 base::Base64Encode(encode_input, &encode_output); |
| 321 // OK, we are done with |out_buf| | 319 // OK, we are done with |out_buf| |
| 322 free(out_buf); | 320 free(out_buf); |
| 323 *auth_token = scheme_ + " " + encode_output; | 321 *auth_token = scheme_ + " " + encode_output; |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 337 return rv; | 335 return rv; |
| 338 } else { | 336 } else { |
| 339 rv = AcquireDefaultCredentials(library_, security_package_, &cred_); | 337 rv = AcquireDefaultCredentials(library_, security_package_, &cred_); |
| 340 if (rv != OK) | 338 if (rv != OK) |
| 341 return rv; | 339 return rv; |
| 342 } | 340 } |
| 343 | 341 |
| 344 return rv; | 342 return rv; |
| 345 } | 343 } |
| 346 | 344 |
| 347 int HttpAuthSSPI::GetNextSecurityToken( | 345 int HttpAuthSSPI::GetNextSecurityToken(const std::string& spn, |
| 348 const std::string& spn, | 346 const std::string& channel_bindings, |
| 349 const void* in_token, | 347 const void* in_token, |
| 350 int in_token_len, | 348 int in_token_len, |
| 351 void** out_token, | 349 void** out_token, |
| 352 int* out_token_len) { | 350 int* out_token_len) { |
| 353 CtxtHandle* ctxt_ptr; | 351 CtxtHandle* ctxt_ptr = nullptr; |
| 354 SecBufferDesc in_buffer_desc, out_buffer_desc; | 352 SecBufferDesc in_buffer_desc, out_buffer_desc; |
| 355 SecBufferDesc* in_buffer_desc_ptr; | 353 SecBufferDesc* in_buffer_desc_ptr = nullptr; |
| 356 SecBuffer in_buffer, out_buffer; | 354 SecBuffer in_buffers[2], out_buffer; |
| 357 | 355 |
| 356 in_buffer_desc.ulVersion = SECBUFFER_VERSION; | |
| 357 in_buffer_desc.cBuffers = 0; | |
| 358 in_buffer_desc.pBuffers = in_buffers; | |
| 358 if (in_token_len > 0) { | 359 if (in_token_len > 0) { |
| 359 // Prepare input buffer. | 360 // Prepare input buffer. |
| 360 in_buffer_desc.ulVersion = SECBUFFER_VERSION; | 361 SecBuffer& sec_buffer = in_buffers[in_buffer_desc.cBuffers++]; |
| 361 in_buffer_desc.cBuffers = 1; | 362 sec_buffer.BufferType = SECBUFFER_TOKEN; |
| 362 in_buffer_desc.pBuffers = &in_buffer; | 363 sec_buffer.cbBuffer = in_token_len; |
| 363 in_buffer.BufferType = SECBUFFER_TOKEN; | 364 sec_buffer.pvBuffer = const_cast<void*>(in_token); |
| 364 in_buffer.cbBuffer = in_token_len; | |
| 365 in_buffer.pvBuffer = const_cast<void*>(in_token); | |
| 366 ctxt_ptr = &ctxt_; | 365 ctxt_ptr = &ctxt_; |
| 367 in_buffer_desc_ptr = &in_buffer_desc; | |
| 368 } else { | 366 } else { |
| 369 // If there is no input token, then we are starting a new authentication | 367 // If there is no input token, then we are starting a new authentication |
| 370 // sequence. If we have already initialized our security context, then | 368 // sequence. If we have already initialized our security context, then |
| 371 // we're incorrectly reusing the auth handler for a new sequence. | 369 // we're incorrectly reusing the auth handler for a new sequence. |
| 372 if (SecIsValidHandle(&ctxt_)) { | 370 if (SecIsValidHandle(&ctxt_)) { |
| 373 NOTREACHED(); | 371 NOTREACHED(); |
| 374 return ERR_UNEXPECTED; | 372 return ERR_UNEXPECTED; |
| 375 } | 373 } |
| 376 ctxt_ptr = NULL; | |
| 377 in_buffer_desc_ptr = NULL; | |
| 378 } | 374 } |
| 379 | 375 |
| 376 std::vector<char> sec_channel_bindings_buffer; | |
| 377 if (!channel_bindings.empty()) { | |
| 378 sec_channel_bindings_buffer.reserve(sizeof(SEC_CHANNEL_BINDINGS) + | |
| 379 channel_bindings.size()); | |
| 380 sec_channel_bindings_buffer.resize(sizeof(SEC_CHANNEL_BINDINGS)); | |
| 381 SEC_CHANNEL_BINDINGS* bindings_desc = | |
| 382 reinterpret_cast<SEC_CHANNEL_BINDINGS*>( | |
| 383 &sec_channel_bindings_buffer.front()); | |
| 384 bindings_desc->cbApplicationDataLength = channel_bindings.size(); | |
| 385 bindings_desc->dwApplicationDataOffset = sizeof(SEC_CHANNEL_BINDINGS); | |
| 386 DCHECK_EQ(0u, bindings_desc->dwInitiatorAddrType); | |
| 387 DCHECK_EQ(0u, bindings_desc->cbInitiatorLength); | |
| 388 DCHECK_EQ(0u, bindings_desc->dwInitiatorOffset); | |
| 389 DCHECK_EQ(0u, bindings_desc->dwAcceptorAddrType); | |
| 390 DCHECK_EQ(0u, bindings_desc->cbAcceptorLength); | |
| 391 DCHECK_EQ(0u, bindings_desc->dwAcceptorOffset); | |
|
Ryan Sleevi
2016/03/18 21:27:40
Why these DCHECKs? This is guaranteed by 378/380
asanka
2016/03/23 04:51:30
Removed.
| |
| 392 sec_channel_bindings_buffer.insert(sec_channel_bindings_buffer.end(), | |
| 393 channel_bindings.begin(), | |
| 394 channel_bindings.end()); | |
| 395 DCHECK_EQ(sizeof(SEC_CHANNEL_BINDINGS) + channel_bindings.size(), | |
| 396 sec_channel_bindings_buffer.size()); | |
| 397 | |
| 398 SecBuffer& sec_buffer = in_buffers[in_buffer_desc.cBuffers++]; | |
| 399 sec_buffer.BufferType = SECBUFFER_CHANNEL_BINDINGS; | |
| 400 sec_buffer.cbBuffer = sec_channel_bindings_buffer.size(); | |
| 401 sec_buffer.pvBuffer = &sec_channel_bindings_buffer.front(); | |
| 402 } | |
| 403 | |
| 404 if (in_buffer_desc.cBuffers > 0) | |
| 405 in_buffer_desc_ptr = &in_buffer_desc; | |
| 406 | |
| 380 // Prepare output buffer. | 407 // Prepare output buffer. |
| 381 out_buffer_desc.ulVersion = SECBUFFER_VERSION; | 408 out_buffer_desc.ulVersion = SECBUFFER_VERSION; |
| 382 out_buffer_desc.cBuffers = 1; | 409 out_buffer_desc.cBuffers = 1; |
| 383 out_buffer_desc.pBuffers = &out_buffer; | 410 out_buffer_desc.pBuffers = &out_buffer; |
| 384 out_buffer.BufferType = SECBUFFER_TOKEN; | 411 out_buffer.BufferType = SECBUFFER_TOKEN; |
| 385 out_buffer.cbBuffer = max_token_length_; | 412 out_buffer.cbBuffer = max_token_length_; |
| 386 out_buffer.pvBuffer = malloc(out_buffer.cbBuffer); | 413 out_buffer.pvBuffer = malloc(out_buffer.cbBuffer); |
| 387 if (!out_buffer.pvBuffer) | 414 if (!out_buffer.pvBuffer) |
| 388 return ERR_OUT_OF_MEMORY; | 415 return ERR_OUT_OF_MEMORY; |
| 389 | 416 |
| (...skipping 64 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 454 int token_length = pkg_info->cbMaxToken; | 481 int token_length = pkg_info->cbMaxToken; |
| 455 status = library->FreeContextBuffer(pkg_info); | 482 status = library->FreeContextBuffer(pkg_info); |
| 456 rv = MapFreeContextBufferStatusToError(status); | 483 rv = MapFreeContextBufferStatusToError(status); |
| 457 if (rv != OK) | 484 if (rv != OK) |
| 458 return rv; | 485 return rv; |
| 459 *max_token_length = token_length; | 486 *max_token_length = token_length; |
| 460 return OK; | 487 return OK; |
| 461 } | 488 } |
| 462 | 489 |
| 463 } // namespace net | 490 } // namespace net |
| OLD | NEW |
