Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1504)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/http_auth_handler_negotiate.cc

Issue 1408433006: Support tls-server-end-point channel bindings for HTTP authentication. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Narrower dependencies, update comments, address review comments. Created 4 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/cert/x509_util_openssl.cc ('K') | « net/http/http_auth_handler_negotiate.h ('k') | net/http/http_auth_handler_negotiate_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/http_auth_handler_negotiate.cc
diff --git a/net/http/http_auth_handler_negotiate.cc b/net/http/http_auth_handler_negotiate.cc
index 864a703e12e24c7369125b3a470bc80019a9de65..1ca6d5478d942de939d81d2170ba9c3f098c64b9 100644
--- a/net/http/http_auth_handler_negotiate.cc
+++ b/net/http/http_auth_handler_negotiate.cc
@@ -7,16 +7,39 @@
#include "base/bind.h"
#include "base/bind_helpers.h"
#include "base/logging.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
+#include "base/values.h"
#include "net/base/address_family.h"
#include "net/base/net_errors.h"
+#include "net/cert/x509_util.h"
#include "net/dns/host_resolver.h"
#include "net/dns/single_request_host_resolver.h"
#include "net/http/http_auth_filter.h"
#include "net/http/http_auth_preferences.h"
+#include "net/log/net_log.h"
+#include "net/ssl/ssl_info.h"
namespace net {
+namespace {
+
+scoped_ptr<base::Value> NetLogParameterChannelBindings(
+ const std::string& channel_binding_token,
+ NetLogCaptureMode capture_mode) {
+ scoped_ptr<base::DictionaryValue> dict;
+ if (!capture_mode.include_socket_bytes())
+ return std::move(dict);
+
+ dict.reset(new base::DictionaryValue());
+ dict->SetString("token", base::HexEncode(channel_binding_token.data(),
+ channel_binding_token.size()));
+ return std::move(dict);
+}
+
+} // namespace
+
HttpAuthHandlerNegotiate::Factory::Factory()
: resolver_(NULL),
#if defined(OS_WIN)
@@ -36,6 +59,7 @@ void HttpAuthHandlerNegotiate::Factory::set_host_resolver(
int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
HttpAuthChallengeTokenizer* challenge,
HttpAuth::Target target,
+ const SSLInfo& ssl_info,
const GURL& origin,
CreateReason reason,
int digest_nonce_count,
@@ -78,7 +102,8 @@ int HttpAuthHandlerNegotiate::Factory::CreateAuthHandler(
scoped_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNegotiate(
auth_library_.get(), http_auth_preferences(), resolver_));
#endif
- if (!tmp_handler->InitFromChallenge(challenge, target, origin, net_log))
+ if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin,
+ net_log))
return ERR_INVALID_RESPONSE;
handler->swap(tmp_handler);
return OK;
@@ -185,7 +210,8 @@ bool HttpAuthHandlerNegotiate::AllowsExplicitCredentials() {
// The Negotiate challenge header looks like:
// WWW-Authenticate: NEGOTIATE auth-data
-bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge) {
+bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge,
+ const SSLInfo& ssl_info) {
#if defined(OS_POSIX)
if (!auth_system_.Init()) {
VLOG(1) << "can't initialize GSSAPI library";
@@ -203,9 +229,21 @@ bool HttpAuthHandlerNegotiate::Init(HttpAuthChallengeTokenizer* challenge) {
auth_scheme_ = HttpAuth::AUTH_SCHEME_NEGOTIATE;
score_ = 4;
properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
+
HttpAuth::AuthorizationResult auth_result =
auth_system_.ParseChallenge(challenge);
- return (auth_result == HttpAuth::AUTHORIZATION_RESULT_ACCEPT);
+ if (auth_result != HttpAuth::AUTHORIZATION_RESULT_ACCEPT)
+ return false;
+
+ // Try to extract channel bindings.
+ if (ssl_info.is_valid())
+ x509_util::GetTLSServerEndPointChannelBinding(*ssl_info.cert,
+ &channel_bindings_);
+ if (!channel_bindings_.empty())
+ net_log_.AddEvent(
+ NetLog::TYPE_AUTH_CHANNEL_BINDINGS,
+ base::Bind(&NetLogParameterChannelBindings, channel_bindings_));
+ return true;
}
int HttpAuthHandlerNegotiate::GenerateAuthTokenImpl(
@@ -319,7 +357,7 @@ int HttpAuthHandlerNegotiate::DoGenerateAuthToken() {
next_state_ = STATE_GENERATE_AUTH_TOKEN_COMPLETE;
AuthCredentials* credentials = has_credentials_ ? &credentials_ : NULL;
return auth_system_.GenerateAuthToken(
- credentials, spn_, auth_token_,
+ credentials, spn_, channel_bindings_, auth_token_,
base::Bind(&HttpAuthHandlerNegotiate::OnIOComplete,
base::Unretained(this)));
}
« net/cert/x509_util_openssl.cc ('K') | « net/http/http_auth_handler_negotiate.h ('k') | net/http/http_auth_handler_negotiate_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698