Use SSPI for NTLM authentication on Windows.

net/http/http_network_transaction.cc

 // Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/http_network_transaction.h"
 
 #include "base/scoped_ptr.h"
 #include "base/compiler_specific.h"
 #include "base/field_trial.h"
 #include "base/histogram.h"
@@ skipping 126 matching lines @@
       user_callback_(NULL),
       session_(session),
       request_(NULL),
       pac_request_(NULL),
       socket_factory_(csf),
       reused_socket_(false),
       using_ssl_(false),
       proxy_mode_(kDirectConnection),
       establishing_tunnel_(false),
       reading_body_from_socket_(false),
+      embedded_identity_used_(false),
       request_headers_(new RequestHeaders()),
       request_headers_bytes_sent_(0),
       header_buf_(new ResponseHeaders()),
       header_buf_capacity_(0),
       header_buf_len_(0),
       header_buf_body_offset_(-1),
       header_buf_http_offset_(-1),
       response_body_length_(-1),  // -1 means unspecified.
       response_body_read_(0),
       read_buf_len_(0),
@@ skipping 89 matching lines @@
   DCHECK(auth_identity_[target].source != HttpAuth::IDENT_SRC_PATH_LOOKUP);
 
   // Add the auth entry to the cache before restarting. We don't know whether
   // the identity is valid yet, but if it is valid we want other transactions
   // to know about it. If an entry for (origin, handler->realm()) already
   // exists, we update it.
   //
   // If auth_identity_[target].source is HttpAuth::IDENT_SRC_NONE,
   // auth_identity_[target] contains no identity because identity is not
   // required yet.
+  //
+  // TODO(wtc): For NTLM_SSPI, we add the same auth entry to the cache in
+  // round 1 and round 2, which is redundant but correct.  It would be nice
+  // to add an auth entry to the cache only once, preferrably in round 1.
+  // See http://crbug.com/21015.
   bool has_auth_identity =
       auth_identity_[target].source != HttpAuth::IDENT_SRC_NONE;
   if (has_auth_identity) {
     session_->auth_cache()->Add(AuthOrigin(target), auth_handler_[target],
         auth_identity_[target].username, auth_identity_[target].password,
         AuthPath(target));
   }
 
   bool keep_alive = false;
   if (response_.headers->IsKeepAlive()) {
     // If there is a response body of known length, we need to drain it first.
     if (response_body_length_ > 0 || chunked_decoder_.get()) {
       next_state_ = STATE_DRAIN_BODY_FOR_AUTH_RESTART;
       read_buf_ = new IOBuffer(kDrainBodyBufferSize);  // A bit bucket
       read_buf_len_ = kDrainBodyBufferSize;
       return;
     }
     if (response_body_length_ == 0)  // No response body to drain.
       keep_alive = true;
     // response_body_length_ is -1 and we're not using chunked encoding. We
     // don't know the length of the response body, so we can't reuse this
     // connection even though the server says it's keep-alive.
   }
 
   // If the auth scheme is connection-based but the proxy/server mistakenly
   // marks the connection as non-keep-alive, the auth is going to fail, so log
   // an error message.
+  //
+  // TODO(wtc): has_auth_identity is not the right condition.  We should
+  // be testing for "not round 1" here.  See http://crbug.com/21015.
   if (!keep_alive && auth_handler_[target]->is_connection_based() &&
       has_auth_identity) {
     LOG(ERROR) << "Can't perform " << auth_handler_[target]->scheme()
                << " auth to the " << AuthTargetString(target) << " "
                << AuthOrigin(target) << " over a non-keep-alive connection";
 
     HttpVersion http_version = response_.headers->GetHttpVersion();
     LOG(ERROR) << "  HTTP version is " << http_version.major_value() << "."
                << http_version.minor_value();
 
@@ skipping 442 matching lines @@
         ShouldApplyProxyAuth() &&
         (HaveAuth(HttpAuth::AUTH_PROXY) ||
          SelectPreemptiveAuth(HttpAuth::AUTH_PROXY));
     bool have_server_auth =
         ShouldApplyServerAuth() &&
         (HaveAuth(HttpAuth::AUTH_SERVER) ||
          SelectPreemptiveAuth(HttpAuth::AUTH_SERVER));
 
     std::string authorization_headers;
 
+    // TODO(wtc): If BuildAuthorizationHeader fails (returns an authorization
+    // header with no credentials), we should return an error to prevent
+    // entering an infinite auth restart loop.  See http://crbug.com/21050.
     if (have_proxy_auth)
       authorization_headers.append(
           BuildAuthorizationHeader(HttpAuth::AUTH_PROXY));
     if (have_server_auth)
       authorization_headers.append(
           BuildAuthorizationHeader(HttpAuth::AUTH_SERVER));
 
     if (establishing_tunnel_) {
       BuildTunnelRequest(request_, authorization_headers,
                          &request_headers_->headers_);
@@ skipping 1017 matching lines @@
   }
   return false;
 }
 
 bool HttpNetworkTransaction::SelectNextAuthIdentityToTry(
     HttpAuth::Target target) {
   DCHECK(auth_handler_[target]);
   DCHECK(auth_identity_[target].invalid);
 
   // Try to use the username/password encoded into the URL first.
-  // (By checking source == IDENT_SRC_NONE, we make sure that this
-  // is only done once for the transaction.)
   if (target == HttpAuth::AUTH_SERVER && request_->url.has_username() &&
-      auth_identity_[target].source == HttpAuth::IDENT_SRC_NONE) {
+      !embedded_identity_used_) {
     auth_identity_[target].source = HttpAuth::IDENT_SRC_URL;
     auth_identity_[target].invalid = false;
     // Extract the username:password from the URL.
     GetIdentifyFromUrl(request_->url,
                        &auth_identity_[target].username,
                        &auth_identity_[target].password);
+    embedded_identity_used_ = true;
     // TODO(eroman): If the password is blank, should we also try combining
     // with a password from the cache?
     return true;
   }
 
   // Check the auth cache for a realm entry.
   HttpAuthCache::Entry* entry = session_->auth_cache()->LookupByRealm(
       AuthOrigin(target), auth_handler_[target]->realm());
 
   if (entry) {
@@ skipping 72 matching lines @@
       HttpAuth::AUTH_PROXY : HttpAuth::AUTH_SERVER;
 
   LOG(INFO) << "The " << AuthTargetString(target) << " "
             << AuthOrigin(target) << " requested auth"
             << AuthChallengeLogMessage();
 
   if (target == HttpAuth::AUTH_PROXY && proxy_info_.is_direct())
     return ERR_UNEXPECTED_PROXY_AUTH;
 
   // The auth we tried just failed, hence it can't be valid. Remove it from
-  // the cache so it won't be used again, unless it's a null identity.
-  if (HaveAuth(target) &&
-      auth_identity_[target].source != HttpAuth::IDENT_SRC_NONE)
+  // the cache so it won't be used again.
+  // TODO(wtc): IsFinalRound is not the right condition.  In a multi-round
+  // auth sequence, the server may fail the auth in round 1 if our first
+  // authorization header is broken.  We should inspect response_.headers to
+  // determine if the server already failed the auth or wants us to continue.
+  // See http://crbug.com/21015.
+  if (HaveAuth(target) && auth_handler_[target]->IsFinalRound()) {
     InvalidateRejectedAuthFromCache(target);
+    auth_handler_[target] = NULL;
+    auth_identity_[target] = HttpAuth::Identity();
+  }
 
   auth_identity_[target].invalid = true;
 
   if (target != HttpAuth::AUTH_SERVER ||
       !(request_->load_flags & LOAD_DO_NOT_SEND_AUTH_DATA)) {
     // Find the best authentication challenge that we support.
     HttpAuth::ChooseBestChallenge(response_.headers.get(),
                                   target,
                                   &auth_handler_[target]);
   }
@@ skipping 14 matching lines @@
     // We found no supported challenge -- let the transaction continue
     // so we end up displaying the error page.
     return OK;
   }
 
   if (auth_handler_[target]->NeedsIdentity()) {
     // Pick a new auth identity to try, by looking to the URL and auth cache.
     // If an identity to try is found, it is saved to auth_identity_[target].
     SelectNextAuthIdentityToTry(target);
   } else {
-    // Proceed with a null identity.
+    // Proceed with the existing identity or a null identity.
     //
     // TODO(wtc): Add a safeguard against infinite transaction restarts, if
     // the server keeps returning "NTLM".
-    auth_identity_[target].source = HttpAuth::IDENT_SRC_NONE;
     auth_identity_[target].invalid = false;
-    auth_identity_[target].username.clear();
-    auth_identity_[target].password.clear();
   }
 
   // Make a note that we are waiting for auth. This variable is inspected
   // when the client calls RestartWithAuth() to pick up where we left off.
   pending_auth_target_ = target;
 
   if (auth_identity_[target].invalid) {
     // We have exhausted all identity possibilities, all we can do now is
     // pass the challenge information back to the client.
     PopulateAuthChallenge(target);
@@ skipping 16 matching lines @@
     host_and_port = proxy_info_.proxy_server().host_and_port();
   } else {
     DCHECK(target == HttpAuth::AUTH_SERVER);
     host_and_port = GetHostAndPort(request_->url);
   }
   auth_info->host_and_port = ASCIIToWide(host_and_port);
   response_.auth_challenge = auth_info;
 }
 
 }  // namespace net