1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/http_auth_handler_ntlm.h"
6
7 #if !defined(NTLM_SSPI)
8 #include "base/base64.h"
9 #endif
10 #include "base/logging.h"
11 #include "base/string_util.h"
12 #include "base/utf_string_conversions.h"
13 #include "net/base/net_errors.h"
14 #include "net/base/net_util.h"
15
16 namespace net {
17
// Handles every challenge after the first one. The work is delegated to
// ParseChallenge() with initial_challenge == false; see that function for how
// an empty versus non-empty base64 parameter is treated in each build.
HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::HandleAnotherChallenge(
    HttpAuth::ChallengeTokenizer* challenge) {
  const bool is_initial_challenge = false;
  return ParseChallenge(challenge, is_initial_challenge);
}
22
// One-time setup for a freshly created handler. Records the fixed per-scheme
// attributes (scheme id, score, ENCRYPTS_IDENTITY | IS_CONNECTION_BASED) and
// then parses |tok| as the initial challenge.
//
// Returns true only if ParseChallenge() accepts |tok| as a first-round NTLM
// challenge; any other result leaves the handler unusable.
bool HttpAuthHandlerNTLM::Init(HttpAuth::ChallengeTokenizer* tok) {
  properties_ = ENCRYPTS_IDENTITY | IS_CONNECTION_BASED;
  score_ = 3;
  auth_scheme_ = HttpAuth::AUTH_SCHEME_NTLM;

  const HttpAuth::AuthorizationResult result = ParseChallenge(tok, true);
  return result == HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
}
30
// Produces the value for the Authorization header of the next request.
//
// With NTLM_SSPI the whole exchange is handed to |auth_sspi_|. In the portable
// build this function splits |username| into domain and user, stores the
// credentials in the handler, feeds the server's previous token (if any, from
// |auth_data_|) to GetNextToken(), and base64-encodes the resulting message
// into |auth_token| with the "NTLM " prefix.
//
// |request| and |callback| are accepted for interface compatibility and are
// not used by this implementation.
//
// Returns OK on success, ERR_MISSING_AUTH_CREDENTIALS if either credential
// pointer is NULL, ERR_UNEXPECTED on a base64 failure, or whatever error
// InitializeBeforeFirstChallenge() / GetNextToken() report.
int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
    const string16* username,
    const string16* password,
    const HttpRequestInfo* request,
    CompletionCallback* callback,
    std::string* auth_token) {
#if defined(NTLM_SSPI)
  return auth_sspi_.GenerateAuthToken(
      username,
      password,
      CreateSPN(origin_),
      auth_token);
#else  // !defined(NTLM_SSPI)
  // TODO(cbentzel): Shouldn't be hitting this case.
  if (username == NULL || password == NULL) {
    LOG(ERROR) << "Username and password are expected to be non-NULL.";
    return ERR_MISSING_AUTH_CREDENTIALS;
  }

  // |username| may be written as "DOMAIN\user"; everything before the first
  // backslash is the domain, everything after it the user. Without a
  // backslash the whole string is the user and the domain is left empty.
  const char16 kDomainSeparator = '\\';
  const size_t separator_idx = username->find(kDomainSeparator);
  if (separator_idx != string16::npos) {
    domain_ = username->substr(0, separator_idx);
    username_ = username->substr(separator_idx + 1);
  } else {
    domain_.clear();
    username_ = *username;
  }
  password_ = *password;

  // TODO(wtc): See if we can use char* instead of void* for in_buf and
  // out_buf. This change will need to propagate to GetNextToken,
  // GenerateType1Msg, and GenerateType3Msg, and perhaps further.
  //
  // |decoded_auth_data| backs |in_buf| and therefore must stay alive until
  // GetNextToken() has returned.
  std::string decoded_auth_data;
  const void* in_buf = NULL;
  uint32 in_buf_len = 0;
  if (auth_data_.empty()) {
    // Initial challenge: there is no server token to feed in yet.
    const int init_rv = InitializeBeforeFirstChallenge();
    if (init_rv != OK)
      return init_rv;
  } else {
    // |auth_data_| is the base64 parameter copied verbatim from the server's
    // WWW-Authenticate header by ParseChallenge(), i.e. untrusted input; it is
    // only decoded here and handed to GetNextToken() for parsing.
    if (!base::Base64Decode(auth_data_, &decoded_auth_data)) {
      LOG(ERROR) << "Unexpected problem Base64 decoding.";
      return ERR_UNEXPECTED;
    }
    in_buf = decoded_auth_data.data();
    // NOTE(review): size_t -> uint32 narrowing; fine for header-sized tokens.
    in_buf_len = decoded_auth_data.length();
  }

  // NOTE(review): assumes GetNextToken() leaves |out_buf| unallocated when it
  // fails (nothing is freed on that path) -- confirm against its definition.
  void* out_buf = NULL;
  uint32 out_buf_len = 0;
  const int token_rv = GetNextToken(in_buf, in_buf_len, &out_buf, &out_buf_len);
  if (token_rv != OK)
    return token_rv;

  // Copy the message out of the malloc'd buffer, release it, then base64
  // encode the copy and prepend the scheme name.
  std::string raw_message(static_cast<char*>(out_buf), out_buf_len);
  free(out_buf);
  std::string encoded_message;
  if (!base::Base64Encode(raw_message, &encoded_message)) {
    LOG(ERROR) << "Unexpected problem Base64 encoding.";
    return ERR_UNEXPECTED;
  }
  *auth_token = "NTLM " + encoded_message;
  return OK;
#endif
}
107
// The NTLM challenge header looks like:
//   WWW-Authenticate: NTLM auth-data
//
// Validates one challenge round. In the SSPI build the decision is made by
// |auth_sspi_|. In the portable build the scheme must be "ntlm" (case
// insensitive); the first challenge must carry no auth-data, and every later
// one must carry some, which is stored (still base64-encoded, straight from
// the server) in |auth_data_| for GenerateAuthTokenImpl() to decode.
//
// Returns ACCEPT when the round is consistent with |initial_challenge|,
// REJECT when a later round arrives without auth-data, and INVALID for a
// wrong scheme or auth-data on the first round. |auth_data_| is always
// cleared first, so it is empty on every non-ACCEPT return.
HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge(
    HttpAuth::ChallengeTokenizer* tok, bool initial_challenge) {
#if defined(NTLM_SSPI)
  // auth_sspi_ contains state for whether or not this is the initial challenge.
  return auth_sspi_.ParseChallenge(tok);
#else
  // TODO(cbentzel): Most of the logic between SSPI, GSSAPI, and portable NTLM
  // authentication parsing could probably be shared - just need to know if
  // there was previously a challenge round.
  // TODO(cbentzel): Write a test case to validate that auth_data_ is left empty
  // in all failure conditions.
  auth_data_.clear();

  if (!LowerCaseEqualsASCII(tok->scheme(), "ntlm"))
    return HttpAuth::AUTHORIZATION_RESULT_INVALID;

  const std::string base64_param = tok->base64_param();
  const bool has_auth_data = !base64_param.empty();

  if (initial_challenge) {
    // A first-round challenge is a bare "NTLM"; a token here is malformed.
    return has_auth_data ? HttpAuth::AUTHORIZATION_RESULT_INVALID
                         : HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
  }

  // Later rounds: a bare "NTLM" means the server did not continue the
  // handshake.
  if (!has_auth_data)
    return HttpAuth::AUTHORIZATION_RESULT_REJECT;

  auth_data_ = base64_param;
  return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
#endif  // defined(NTLM_SSPI)
}
141
// static
// Builds the service principal name of the destination server, i.e.
// "HTTP/" followed by the host and port of |origin|. See
// http://msdn.microsoft.com/en-us/library/ms677949%28VS.85%29.aspx
std::wstring HttpAuthHandlerNTLM::CreateSPN(const GURL& origin) {
  const std::wstring host_and_port = ASCIIToWide(GetHostAndPort(origin));
  return L"HTTP/" + host_and_port;
}
150
151 } // namespace net
152