• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
3  *
4  *  Use of this source code is governed by a BSD-style license
5  *  that can be found in the LICENSE file in the root of the source
6  *  tree. An additional intellectual property rights grant can be found
7  *  in the file PATENTS.  All contributing project authors may
8  *  be found in the AUTHORS file in the root of the source tree.
9  */
10 
11 #include <time.h>
12 
13 #if defined(WEBRTC_WIN)
14 #include <windows.h>
15 #include <winsock2.h>
16 #include <ws2tcpip.h>
17 
18 #define SECURITY_WIN32
19 #include <security.h>
20 #endif
21 
22 #include <ctype.h>  // for isspace
23 #include <stdio.h>  // for sprintf
24 
25 #include <utility>  // for pair
26 #include <vector>
27 
28 #include "absl/strings/match.h"
29 #include "rtc_base/crypt_string.h"  // for CryptString
30 #include "rtc_base/http_common.h"
31 #include "rtc_base/logging.h"
32 #include "rtc_base/message_digest.h"
33 #include "rtc_base/socket_address.h"
34 #include "rtc_base/string_utils.h"
35 #include "rtc_base/strings/string_builder.h"
36 #include "rtc_base/third_party/base64/base64.h"  // for Base64
37 #include "rtc_base/zero_memory.h"                // for ExplicitZeroMemory
38 
39 namespace rtc {
40 namespace {
41 #if defined(WEBRTC_WIN) && !defined(WINUWP)
42 ///////////////////////////////////////////////////////////////////////////////
43 // ConstantToLabel can be used to easily generate string names from constant
44 // values.  This can be useful for logging descriptive names of error messages.
45 // Usage:
46 //   const ConstantToLabel LIBRARY_ERRORS[] = {
47 //     KLABEL(SOME_ERROR),
48 //     KLABEL(SOME_OTHER_ERROR),
49 //     ...
50 //     LASTLABEL
51 //   }
52 //
53 //   int err = LibraryFunc();
54 //   LOG(LS_ERROR) << "LibraryFunc returned: "
55 //                 << GetErrorName(err, LIBRARY_ERRORS);
56 struct ConstantToLabel {
57   int value;
58   const char* label;
59 };
60 
LookupLabel(int value,const ConstantToLabel entries[])61 const char* LookupLabel(int value, const ConstantToLabel entries[]) {
62   for (int i = 0; entries[i].label; ++i) {
63     if (value == entries[i].value) {
64       return entries[i].label;
65     }
66   }
67   return 0;
68 }
69 
GetErrorName(int err,const ConstantToLabel * err_table)70 std::string GetErrorName(int err, const ConstantToLabel* err_table) {
71   if (err == 0)
72     return "No error";
73 
74   if (err_table != 0) {
75     if (const char* value = LookupLabel(err, err_table))
76       return value;
77   }
78 
79   char buffer[16];
80   snprintf(buffer, sizeof(buffer), "0x%08x", err);
81   return buffer;
82 }
83 
84 #define KLABEL(x) \
85   { x, #x }
86 #define LASTLABEL \
87   { 0, 0 }
88 
89 const ConstantToLabel SECURITY_ERRORS[] = {
90     KLABEL(SEC_I_COMPLETE_AND_CONTINUE),
91     KLABEL(SEC_I_COMPLETE_NEEDED),
92     KLABEL(SEC_I_CONTEXT_EXPIRED),
93     KLABEL(SEC_I_CONTINUE_NEEDED),
94     KLABEL(SEC_I_INCOMPLETE_CREDENTIALS),
95     KLABEL(SEC_I_RENEGOTIATE),
96     KLABEL(SEC_E_CERT_EXPIRED),
97     KLABEL(SEC_E_INCOMPLETE_MESSAGE),
98     KLABEL(SEC_E_INSUFFICIENT_MEMORY),
99     KLABEL(SEC_E_INTERNAL_ERROR),
100     KLABEL(SEC_E_INVALID_HANDLE),
101     KLABEL(SEC_E_INVALID_TOKEN),
102     KLABEL(SEC_E_LOGON_DENIED),
103     KLABEL(SEC_E_NO_AUTHENTICATING_AUTHORITY),
104     KLABEL(SEC_E_NO_CREDENTIALS),
105     KLABEL(SEC_E_NOT_OWNER),
106     KLABEL(SEC_E_OK),
107     KLABEL(SEC_E_SECPKG_NOT_FOUND),
108     KLABEL(SEC_E_TARGET_UNKNOWN),
109     KLABEL(SEC_E_UNKNOWN_CREDENTIALS),
110     KLABEL(SEC_E_UNSUPPORTED_FUNCTION),
111     KLABEL(SEC_E_UNTRUSTED_ROOT),
112     KLABEL(SEC_E_WRONG_PRINCIPAL),
113     LASTLABEL};
114 #undef KLABEL
115 #undef LASTLABEL
116 #endif  // defined(WEBRTC_WIN) && !defined(WINUWP)
117 
118 typedef std::pair<std::string, std::string> HttpAttribute;
119 typedef std::vector<HttpAttribute> HttpAttributeList;
120 
IsEndOfAttributeName(size_t pos,size_t len,const char * data)121 inline bool IsEndOfAttributeName(size_t pos, size_t len, const char* data) {
122   if (pos >= len)
123     return true;
124   if (isspace(static_cast<unsigned char>(data[pos])))
125     return true;
126   // The reason for this complexity is that some attributes may contain trailing
127   // equal signs (like base64 tokens in Negotiate auth headers)
128   if ((pos + 1 < len) && (data[pos] == '=') &&
129       !isspace(static_cast<unsigned char>(data[pos + 1])) &&
130       (data[pos + 1] != '=')) {
131     return true;
132   }
133   return false;
134 }
135 
HttpParseAttributes(const char * data,size_t len,HttpAttributeList & attributes)136 void HttpParseAttributes(const char* data,
137                          size_t len,
138                          HttpAttributeList& attributes) {
139   size_t pos = 0;
140   while (true) {
141     // Skip leading whitespace
142     while ((pos < len) && isspace(static_cast<unsigned char>(data[pos]))) {
143       ++pos;
144     }
145 
146     // End of attributes?
147     if (pos >= len)
148       return;
149 
150     // Find end of attribute name
151     size_t start = pos;
152     while (!IsEndOfAttributeName(pos, len, data)) {
153       ++pos;
154     }
155 
156     HttpAttribute attribute;
157     attribute.first.assign(data + start, data + pos);
158 
159     // Attribute has value?
160     if ((pos < len) && (data[pos] == '=')) {
161       ++pos;  // Skip '='
162       // Check if quoted value
163       if ((pos < len) && (data[pos] == '"')) {
164         while (++pos < len) {
165           if (data[pos] == '"') {
166             ++pos;
167             break;
168           }
169           if ((data[pos] == '\\') && (pos + 1 < len))
170             ++pos;
171           attribute.second.append(1, data[pos]);
172         }
173       } else {
174         while ((pos < len) && !isspace(static_cast<unsigned char>(data[pos])) &&
175                (data[pos] != ',')) {
176           attribute.second.append(1, data[pos++]);
177         }
178       }
179     }
180 
181     attributes.push_back(attribute);
182     if ((pos < len) && (data[pos] == ','))
183       ++pos;  // Skip ','
184   }
185 }
186 
HttpHasAttribute(const HttpAttributeList & attributes,const std::string & name,std::string * value)187 bool HttpHasAttribute(const HttpAttributeList& attributes,
188                       const std::string& name,
189                       std::string* value) {
190   for (HttpAttributeList::const_iterator it = attributes.begin();
191        it != attributes.end(); ++it) {
192     if (it->first == name) {
193       if (value) {
194         *value = it->second;
195       }
196       return true;
197     }
198   }
199   return false;
200 }
201 
HttpHasNthAttribute(HttpAttributeList & attributes,size_t index,std::string * name,std::string * value)202 bool HttpHasNthAttribute(HttpAttributeList& attributes,
203                          size_t index,
204                          std::string* name,
205                          std::string* value) {
206   if (index >= attributes.size())
207     return false;
208 
209   if (name)
210     *name = attributes[index].first;
211   if (value)
212     *value = attributes[index].second;
213   return true;
214 }
215 
quote(const std::string & str)216 std::string quote(const std::string& str) {
217   std::string result;
218   result.push_back('"');
219   for (size_t i = 0; i < str.size(); ++i) {
220     if ((str[i] == '"') || (str[i] == '\\'))
221       result.push_back('\\');
222     result.push_back(str[i]);
223   }
224   result.push_back('"');
225   return result;
226 }
227 
228 #if defined(WEBRTC_WIN) && !defined(WINUWP)
229 struct NegotiateAuthContext : public HttpAuthContext {
230   CredHandle cred;
231   CtxtHandle ctx;
232   size_t steps;
233   bool specified_credentials;
234 
NegotiateAuthContextrtc::__anon5283ab7c0111::NegotiateAuthContext235   NegotiateAuthContext(const std::string& auth, CredHandle c1, CtxtHandle c2)
236       : HttpAuthContext(auth),
237         cred(c1),
238         ctx(c2),
239         steps(0),
240         specified_credentials(false) {}
241 
~NegotiateAuthContextrtc::__anon5283ab7c0111::NegotiateAuthContext242   ~NegotiateAuthContext() override {
243     DeleteSecurityContext(&ctx);
244     FreeCredentialsHandle(&cred);
245   }
246 };
247 #endif  // defined(WEBRTC_WIN) && !defined(WINUWP)
248 
249 }  // anonymous namespace
250 
HttpAuthenticate(const char * challenge,size_t len,const SocketAddress & server,const std::string & method,const std::string & uri,const std::string & username,const CryptString & password,HttpAuthContext * & context,std::string & response,std::string & auth_method)251 HttpAuthResult HttpAuthenticate(const char* challenge,
252                                 size_t len,
253                                 const SocketAddress& server,
254                                 const std::string& method,
255                                 const std::string& uri,
256                                 const std::string& username,
257                                 const CryptString& password,
258                                 HttpAuthContext*& context,
259                                 std::string& response,
260                                 std::string& auth_method) {
261   HttpAttributeList args;
262   HttpParseAttributes(challenge, len, args);
263   HttpHasNthAttribute(args, 0, &auth_method, nullptr);
264 
265   if (context && (context->auth_method != auth_method))
266     return HAR_IGNORE;
267 
268   // BASIC
269   if (absl::EqualsIgnoreCase(auth_method, "basic")) {
270     if (context)
271       return HAR_CREDENTIALS;  // Bad credentials
272     if (username.empty())
273       return HAR_CREDENTIALS;  // Missing credentials
274 
275     context = new HttpAuthContext(auth_method);
276 
277     // TODO(bugs.webrtc.org/8905): Convert sensitive to a CryptString and also
278     // return response as CryptString so contents get securely deleted
279     // automatically.
280     // std::string decoded = username + ":" + password;
281     size_t len = username.size() + password.GetLength() + 2;
282     char* sensitive = new char[len];
283     size_t pos = strcpyn(sensitive, len, username.data(), username.size());
284     pos += strcpyn(sensitive + pos, len - pos, ":");
285     password.CopyTo(sensitive + pos, true);
286 
287     response = auth_method;
288     response.append(" ");
289     // TODO: create a sensitive-source version of Base64::encode
290     response.append(Base64::Encode(sensitive));
291     ExplicitZeroMemory(sensitive, len);
292     delete[] sensitive;
293     return HAR_RESPONSE;
294   }
295 
296   // DIGEST
297   if (absl::EqualsIgnoreCase(auth_method, "digest")) {
298     if (context)
299       return HAR_CREDENTIALS;  // Bad credentials
300     if (username.empty())
301       return HAR_CREDENTIALS;  // Missing credentials
302 
303     context = new HttpAuthContext(auth_method);
304 
305     std::string cnonce, ncount;
306     char buffer[256];
307     sprintf(buffer, "%d", static_cast<int>(time(0)));
308     cnonce = MD5(buffer);
309     ncount = "00000001";
310 
311     std::string realm, nonce, qop, opaque;
312     HttpHasAttribute(args, "realm", &realm);
313     HttpHasAttribute(args, "nonce", &nonce);
314     bool has_qop = HttpHasAttribute(args, "qop", &qop);
315     bool has_opaque = HttpHasAttribute(args, "opaque", &opaque);
316 
317     // TODO(bugs.webrtc.org/8905): Convert sensitive to a CryptString and also
318     // return response as CryptString so contents get securely deleted
319     // automatically.
320     // std::string A1 = username + ":" + realm + ":" + password;
321     size_t len = username.size() + realm.size() + password.GetLength() + 3;
322     char* sensitive = new char[len];  // A1
323     size_t pos = strcpyn(sensitive, len, username.data(), username.size());
324     pos += strcpyn(sensitive + pos, len - pos, ":");
325     pos += strcpyn(sensitive + pos, len - pos, realm.c_str());
326     pos += strcpyn(sensitive + pos, len - pos, ":");
327     password.CopyTo(sensitive + pos, true);
328 
329     std::string A2 = method + ":" + uri;
330     std::string middle;
331     if (has_qop) {
332       qop = "auth";
333       middle = nonce + ":" + ncount + ":" + cnonce + ":" + qop;
334     } else {
335       middle = nonce;
336     }
337     std::string HA1 = MD5(sensitive);
338     ExplicitZeroMemory(sensitive, len);
339     delete[] sensitive;
340     std::string HA2 = MD5(A2);
341     std::string dig_response = MD5(HA1 + ":" + middle + ":" + HA2);
342 
343     rtc::StringBuilder ss;
344     ss << auth_method;
345     ss << " username=" << quote(username);
346     ss << ", realm=" << quote(realm);
347     ss << ", nonce=" << quote(nonce);
348     ss << ", uri=" << quote(uri);
349     if (has_qop) {
350       ss << ", qop=" << qop;
351       ss << ", nc=" << ncount;
352       ss << ", cnonce=" << quote(cnonce);
353     }
354     ss << ", response=\"" << dig_response << "\"";
355     if (has_opaque) {
356       ss << ", opaque=" << quote(opaque);
357     }
358     response = ss.str();
359     return HAR_RESPONSE;
360   }
361 
362 #if defined(WEBRTC_WIN) && !defined(WINUWP)
363 #if 1
364   bool want_negotiate = absl::EqualsIgnoreCase(auth_method, "negotiate");
365   bool want_ntlm = absl::EqualsIgnoreCase(auth_method, "ntlm");
366   // SPNEGO & NTLM
367   if (want_negotiate || want_ntlm) {
368     const size_t MAX_MESSAGE = 12000, MAX_SPN = 256;
369     char out_buf[MAX_MESSAGE], spn[MAX_SPN];
370 
371 #if 0  // Requires funky windows versions
372     DWORD len = MAX_SPN;
373     if (DsMakeSpn("HTTP", server.HostAsURIString().c_str(), nullptr,
374                   server.port(),
375                   0, &len, spn) != ERROR_SUCCESS) {
376       RTC_LOG_F(WARNING) << "(Negotiate) - DsMakeSpn failed";
377       return HAR_IGNORE;
378     }
379 #else
380     snprintf(spn, MAX_SPN, "HTTP/%s", server.ToString().c_str());
381 #endif
382 
383     SecBuffer out_sec;
384     out_sec.pvBuffer = out_buf;
385     out_sec.cbBuffer = sizeof(out_buf);
386     out_sec.BufferType = SECBUFFER_TOKEN;
387 
388     SecBufferDesc out_buf_desc;
389     out_buf_desc.ulVersion = 0;
390     out_buf_desc.cBuffers = 1;
391     out_buf_desc.pBuffers = &out_sec;
392 
393     const ULONG NEG_FLAGS_DEFAULT =
394         // ISC_REQ_ALLOCATE_MEMORY
395         ISC_REQ_CONFIDENTIALITY
396         //| ISC_REQ_EXTENDED_ERROR
397         //| ISC_REQ_INTEGRITY
398         | ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT
399         //| ISC_REQ_STREAM
400         //| ISC_REQ_USE_SUPPLIED_CREDS
401         ;
402 
403     ::TimeStamp lifetime;
404     SECURITY_STATUS ret = S_OK;
405     ULONG ret_flags = 0, flags = NEG_FLAGS_DEFAULT;
406 
407     bool specify_credentials = !username.empty();
408     size_t steps = 0;
409 
410     // uint32_t now = Time();
411 
412     NegotiateAuthContext* neg = static_cast<NegotiateAuthContext*>(context);
413     if (neg) {
414       const size_t max_steps = 10;
415       if (++neg->steps >= max_steps) {
416         RTC_LOG(WARNING) << "AsyncHttpsProxySocket::Authenticate(Negotiate) "
417                             "too many retries";
418         return HAR_ERROR;
419       }
420       steps = neg->steps;
421 
422       std::string challenge, decoded_challenge;
423       if (HttpHasNthAttribute(args, 1, &challenge, nullptr) &&
424           Base64::Decode(challenge, Base64::DO_STRICT, &decoded_challenge,
425                          nullptr)) {
426         SecBuffer in_sec;
427         in_sec.pvBuffer = const_cast<char*>(decoded_challenge.data());
428         in_sec.cbBuffer = static_cast<unsigned long>(decoded_challenge.size());
429         in_sec.BufferType = SECBUFFER_TOKEN;
430 
431         SecBufferDesc in_buf_desc;
432         in_buf_desc.ulVersion = 0;
433         in_buf_desc.cBuffers = 1;
434         in_buf_desc.pBuffers = &in_sec;
435 
436         ret = InitializeSecurityContextA(
437             &neg->cred, &neg->ctx, spn, flags, 0, SECURITY_NATIVE_DREP,
438             &in_buf_desc, 0, &neg->ctx, &out_buf_desc, &ret_flags, &lifetime);
439         if (FAILED(ret)) {
440           RTC_LOG(LS_ERROR) << "InitializeSecurityContext returned: "
441                             << GetErrorName(ret, SECURITY_ERRORS);
442           return HAR_ERROR;
443         }
444       } else if (neg->specified_credentials) {
445         // Try again with default credentials
446         specify_credentials = false;
447         delete context;
448         context = neg = 0;
449       } else {
450         return HAR_CREDENTIALS;
451       }
452     }
453 
454     if (!neg) {
455       unsigned char userbuf[256], passbuf[256], domainbuf[16];
456       SEC_WINNT_AUTH_IDENTITY_A auth_id, *pauth_id = 0;
457       if (specify_credentials) {
458         memset(&auth_id, 0, sizeof(auth_id));
459         size_t len = password.GetLength() + 1;
460         char* sensitive = new char[len];
461         password.CopyTo(sensitive, true);
462         std::string::size_type pos = username.find('\\');
463         if (pos == std::string::npos) {
464           auth_id.UserLength = static_cast<unsigned long>(
465               std::min(sizeof(userbuf) - 1, username.size()));
466           memcpy(userbuf, username.c_str(), auth_id.UserLength);
467           userbuf[auth_id.UserLength] = 0;
468           auth_id.DomainLength = 0;
469           domainbuf[auth_id.DomainLength] = 0;
470           auth_id.PasswordLength = static_cast<unsigned long>(
471               std::min(sizeof(passbuf) - 1, password.GetLength()));
472           memcpy(passbuf, sensitive, auth_id.PasswordLength);
473           passbuf[auth_id.PasswordLength] = 0;
474         } else {
475           auth_id.UserLength = static_cast<unsigned long>(
476               std::min(sizeof(userbuf) - 1, username.size() - pos - 1));
477           memcpy(userbuf, username.c_str() + pos + 1, auth_id.UserLength);
478           userbuf[auth_id.UserLength] = 0;
479           auth_id.DomainLength =
480               static_cast<unsigned long>(std::min(sizeof(domainbuf) - 1, pos));
481           memcpy(domainbuf, username.c_str(), auth_id.DomainLength);
482           domainbuf[auth_id.DomainLength] = 0;
483           auth_id.PasswordLength = static_cast<unsigned long>(
484               std::min(sizeof(passbuf) - 1, password.GetLength()));
485           memcpy(passbuf, sensitive, auth_id.PasswordLength);
486           passbuf[auth_id.PasswordLength] = 0;
487         }
488         ExplicitZeroMemory(sensitive, len);
489         delete[] sensitive;
490         auth_id.User = userbuf;
491         auth_id.Domain = domainbuf;
492         auth_id.Password = passbuf;
493         auth_id.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
494         pauth_id = &auth_id;
495         RTC_LOG(LS_VERBOSE)
496             << "Negotiate protocol: Using specified credentials";
497       } else {
498         RTC_LOG(LS_VERBOSE) << "Negotiate protocol: Using default credentials";
499       }
500 
501       CredHandle cred;
502       ret = AcquireCredentialsHandleA(
503           0, const_cast<char*>(want_negotiate ? NEGOSSP_NAME_A : NTLMSP_NAME_A),
504           SECPKG_CRED_OUTBOUND, 0, pauth_id, 0, 0, &cred, &lifetime);
505       if (ret != SEC_E_OK) {
506         RTC_LOG(LS_ERROR) << "AcquireCredentialsHandle error: "
507                           << GetErrorName(ret, SECURITY_ERRORS);
508         return HAR_IGNORE;
509       }
510 
511       // CSecBufferBundle<5, CSecBufferBase::FreeSSPI> sb_out;
512 
513       CtxtHandle ctx;
514       ret = InitializeSecurityContextA(&cred, 0, spn, flags, 0,
515                                        SECURITY_NATIVE_DREP, 0, 0, &ctx,
516                                        &out_buf_desc, &ret_flags, &lifetime);
517       if (FAILED(ret)) {
518         RTC_LOG(LS_ERROR) << "InitializeSecurityContext returned: "
519                           << GetErrorName(ret, SECURITY_ERRORS);
520         FreeCredentialsHandle(&cred);
521         return HAR_IGNORE;
522       }
523 
524       RTC_DCHECK(!context);
525       context = neg = new NegotiateAuthContext(auth_method, cred, ctx);
526       neg->specified_credentials = specify_credentials;
527       neg->steps = steps;
528     }
529 
530     if ((ret == SEC_I_COMPLETE_NEEDED) ||
531         (ret == SEC_I_COMPLETE_AND_CONTINUE)) {
532       ret = CompleteAuthToken(&neg->ctx, &out_buf_desc);
533       RTC_LOG(LS_VERBOSE) << "CompleteAuthToken returned: "
534                           << GetErrorName(ret, SECURITY_ERRORS);
535       if (FAILED(ret)) {
536         return HAR_ERROR;
537       }
538     }
539 
540     std::string decoded(out_buf, out_buf + out_sec.cbBuffer);
541     response = auth_method;
542     response.append(" ");
543     response.append(Base64::Encode(decoded));
544     return HAR_RESPONSE;
545   }
546 #endif
547 #endif  // defined(WEBRTC_WIN) && !defined(WINUWP)
548 
549   return HAR_IGNORE;
550 }
551 
552 //////////////////////////////////////////////////////////////////////
553 
554 }  // namespace rtc
555