1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
// Copyright 2011 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// This file contains common routines used by NTLM and Negotiate authentication
// using the SSPI API on Windows.
#ifndef NET_HTTP_HTTP_AUTH_SSPI_WIN_H_
#define NET_HTTP_HTTP_AUTH_SSPI_WIN_H_
#include <windows.h>
#include "base/memory/raw_ptr.h"
// security.h needs to be included for CredHandle. Unfortunately CredHandle
// is a typedef and can't be forward declared.
#define SECURITY_WIN32 1
#include <security.h>
#include <string>
#include "net/base/completion_once_callback.h"
#include "net/base/net_errors.h"
#include "net/base/net_export.h"
#include "net/http/http_auth.h"
#include "net/http/http_auth_mechanism.h"
namespace net {
class HttpAuthChallengeTokenizer;
// SSPILibrary is introduced so unit tests can mock the calls to Windows' SSPI
// implementation. The default implementation simply passes the arguments on to
// the SSPI implementation provided by Secur32.dll.
//
// A single SSPILibrary can only be used with a single security package. Hence
// the package is bound at construction time. Overridable SSPI methods exclude
// the security package parameter since it is implicit.
class NET_EXPORT_PRIVATE SSPILibrary {
public:
explicit SSPILibrary(const wchar_t* package) : package_name_(package) {}
virtual ~SSPILibrary() {}
// Determines the maximum token length in bytes for a particular SSPI package.
//
// |library| and |max_token_length| must be non-nullptr pointers to valid
// objects.
//
// If the return value is OK, |*max_token_length| contains the maximum token
// length in bytes.
//
// If the return value is ERR_UNSUPPORTED_AUTH_SCHEME, |package| is not an
// known SSPI authentication scheme on this system. |*max_token_length| is not
// changed.
//
// If the return value is ERR_UNEXPECTED, there was an unanticipated problem
// in the underlying SSPI call. The details are logged, and
// |*max_token_length| is not changed.
Error DetermineMaxTokenLength(ULONG* max_token_length);
virtual SECURITY_STATUS AcquireCredentialsHandle(LPWSTR pszPrincipal,
unsigned long fCredentialUse,
void* pvLogonId,
void* pvAuthData,
SEC_GET_KEY_FN pGetKeyFn,
void* pvGetKeyArgument,
PCredHandle phCredential,
PTimeStamp ptsExpiry) = 0;
virtual SECURITY_STATUS InitializeSecurityContext(PCredHandle phCredential,
PCtxtHandle phContext,
SEC_WCHAR* pszTargetName,
unsigned long fContextReq,
unsigned long Reserved1,
unsigned long TargetDataRep,
PSecBufferDesc pInput,
unsigned long Reserved2,
PCtxtHandle phNewContext,
PSecBufferDesc pOutput,
unsigned long* contextAttr,
PTimeStamp ptsExpiry) = 0;
virtual SECURITY_STATUS QueryContextAttributesEx(PCtxtHandle phContext,
ULONG ulAttribute,
PVOID pBuffer,
ULONG cbBuffer) = 0;
virtual SECURITY_STATUS QuerySecurityPackageInfo(PSecPkgInfoW* pkgInfo) = 0;
virtual SECURITY_STATUS FreeCredentialsHandle(PCredHandle phCredential) = 0;
virtual SECURITY_STATUS DeleteSecurityContext(PCtxtHandle phContext) = 0;
virtual SECURITY_STATUS FreeContextBuffer(PVOID pvContextBuffer) = 0;
protected:
// Security package used with DetermineMaxTokenLength(),
// QuerySecurityPackageInfo(), AcquireCredentialsHandle(). All of these must
// be consistent.
const std::wstring package_name_;
ULONG max_token_length_ = 0;
bool is_supported_ = true;
};
class SSPILibraryDefault : public SSPILibrary {
public:
explicit SSPILibraryDefault(const wchar_t* package) : SSPILibrary(package) {}
~SSPILibraryDefault() override {}
SECURITY_STATUS AcquireCredentialsHandle(LPWSTR pszPrincipal,
unsigned long fCredentialUse,
void* pvLogonId,
void* pvAuthData,
SEC_GET_KEY_FN pGetKeyFn,
void* pvGetKeyArgument,
PCredHandle phCredential,
PTimeStamp ptsExpiry) override;
SECURITY_STATUS InitializeSecurityContext(PCredHandle phCredential,
PCtxtHandle phContext,
SEC_WCHAR* pszTargetName,
unsigned long fContextReq,
unsigned long Reserved1,
unsigned long TargetDataRep,
PSecBufferDesc pInput,
unsigned long Reserved2,
PCtxtHandle phNewContext,
PSecBufferDesc pOutput,
unsigned long* contextAttr,
PTimeStamp ptsExpiry) override;
SECURITY_STATUS QueryContextAttributesEx(PCtxtHandle phContext,
ULONG ulAttribute,
PVOID pBuffer,
ULONG cbBuffer) override;
SECURITY_STATUS QuerySecurityPackageInfo(PSecPkgInfoW* pkgInfo) override;
SECURITY_STATUS FreeCredentialsHandle(PCredHandle phCredential) override;
SECURITY_STATUS DeleteSecurityContext(PCtxtHandle phContext) override;
SECURITY_STATUS FreeContextBuffer(PVOID pvContextBuffer) override;
};
class NET_EXPORT_PRIVATE HttpAuthSSPI : public HttpAuthMechanism {
public:
HttpAuthSSPI(SSPILibrary* sspi_library, HttpAuth::Scheme scheme);
~HttpAuthSSPI() override;
// HttpAuthMechanism implementation:
bool Init(const NetLogWithSource& net_log) override;
bool NeedsIdentity() const override;
bool AllowsExplicitCredentials() const override;
HttpAuth::AuthorizationResult ParseChallenge(
HttpAuthChallengeTokenizer* tok) override;
int GenerateAuthToken(const AuthCredentials* credentials,
const std::string& spn,
const std::string& channel_bindings,
std::string* auth_token,
const NetLogWithSource& net_log,
CompletionOnceCallback callback) override;
void SetDelegation(HttpAuth::DelegationType delegation_type) override;
private:
int OnFirstRound(const AuthCredentials* credentials,
const NetLogWithSource& net_log);
int GetNextSecurityToken(const std::string& spn,
const std::string& channing_bindings,
const void* in_token,
int in_token_len,
const NetLogWithSource& net_log,
void** out_token,
int* out_token_len);
void ResetSecurityContext();
raw_ptr<SSPILibrary> library_;
HttpAuth::Scheme scheme_;
std::string decoded_server_auth_token_;
CredHandle cred_;
CtxtHandle ctxt_;
HttpAuth::DelegationType delegation_type_;
};
// Splits |combined| into domain and username.
// If |combined| is of form "FOO\bar", |domain| will contain "FOO" and |user|
// will contain "bar".
// If |combined| is of form "bar", |domain| will be empty and |user| will
// contain "bar".
// |domain| and |user| must be non-nullptr.
NET_EXPORT_PRIVATE void SplitDomainAndUser(const std::u16string& combined,
std::u16string* domain,
std::u16string* user);
} // namespace net
#endif // NET_HTTP_HTTP_AUTH_SSPI_WIN_H_
|
