[net/auth] Use common token parser in NTLM authentication handler.

This CL inches closer to merging the NTLM and Negotiate handlers which basically implement the same logic under different names. Servicification of Negotiate handling will then not have to deal with NTLM and Negotiate authentication schemes separately. R=mmenke@chromium.org Bug: 991265 Change-Id: I167d4fb5856f65319fe7c21636e6e4db61aa46a1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1907151 Commit-Queue: Asanka Herath <asanka@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Cr-Commit-Position: refs/heads/master@{#715246}

[net/auth] Use common token parser in NTLM authentication handler.
This CL inches closer to merging the NTLM and Negotiate handlers which basically implement the same logic under different names. Servicification of Negotiate handling will then not have to deal with NTLM and Negotiate authentication schemes separately. R=mmenke@chromium.org Bug: 991265 Change-Id: I167d4fb5856f65319fe7c21636e6e4db61aa46a1 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1907151 Commit-Queue: Asanka Herath <asanka@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Cr-Commit-Position: refs/heads/master@{#715246}
b182a350 · Asanka Herath · Commit Bot · 24d34884 · b182a350 · b182a350
Commit b182a350 authored Nov 14, 2019 by Asanka Herath Committed by Commit Bot Nov 14, 2019
3 changed files
--- a/net/http/http_auth_handler_ntlm.h
+++ b/net/http/http_auth_handler_ntlm.h
@@ -182,9 +182,9 @@ class NET_EXPORT_PRIVATE HttpAuthHandlerNTLM : public HttpAuthHandler {
  AuthCredentials credentials_;
  std::string channel_bindings_;
-  // The base64-encoded string following "NTLM" in the "WWW-Authenticate" or
+  // Decoded authentication token that the server returned as part of an NTLM
-  // "Proxy-Authenticate" response header.
+  // challenge.
-  std::string auth_data_;
+  std::string challenge_token_;
 #if defined(NTLM_SSPI)
  const HttpAuthPreferences* http_auth_preferences_;

--- a/net/http/http_auth_handler_ntlm_portable.cc
+++ b/net/http/http_auth_handler_ntlm_portable.cc
@@ -11,8 +11,10 @@
 #include "net/base/net_errors.h"
 #include "net/base/network_interfaces.h"
 #include "net/dns/host_resolver.h"
+#include "net/http/http_auth.h"
 #include "net/http/http_auth_challenge_tokenizer.h"
 #include "net/http/http_auth_handler_ntlm.h"
+#include "net/http/http_auth_multi_round_parse.h"
 #include "net/http/http_auth_preferences.h"
 #include "net/http/http_auth_scheme.h"
 #include "net/ssl/ssl_info.h"
@@ -75,10 +77,10 @@ HttpAuthHandlerNTLM::HttpAuthHandlerNTLM(
                                : true)) {}
 bool HttpAuthHandlerNTLM::NeedsIdentity() {
-  // This gets called for each round-trip.  Only require identity on
+  // This gets called for each round-trip. Only require identity on the first
-  // the first call (when auth_data_ is empty).  On subsequent calls,
+  // call (when challenge_token_ is empty). On subsequent calls, we use the
-  // we use the initially established identity.
+  // initially established identity.
-  return auth_data_.empty();
+  return challenge_token_.empty();
 }
 bool HttpAuthHandlerNTLM::AllowsDefaultCredentials() {
@@ -118,22 +120,16 @@ int HttpAuthHandlerNTLM::GenerateAuthTokenImpl(
  domain_ = domain;
  credentials_.Set(user, credentials->password());
-  std::string decoded_auth_data;
+  if (challenge_token_.empty()) {
-  if (auth_data_.empty()) {
+    // There is no |challenge_token_| because the client sends the first
-    // There is no |auth_data_| because the client sends the first message.
+    // message.
    int rv = InitializeBeforeFirstChallenge();
    if (rv != OK)
      return rv;
-  } else {
-    // When |auth_data_| is present it contains the Challenge message.
-    if (!base::Base64Decode(auth_data_, &decoded_auth_data)) {
-      LOG(ERROR) << "Unexpected problem Base64 decoding.";
-      return ERR_UNEXPECTED;
-    }
  }
  std::vector<uint8_t> next_token =
-      GetNextToken(base::as_bytes(base::make_span(decoded_auth_data)));
+      GetNextToken(base::as_bytes(base::make_span(challenge_token_)));
  if (next_token.empty())
    return ERR_UNEXPECTED;
@@ -199,24 +195,14 @@ std::vector<uint8_t> HttpAuthHandlerNTLM::GetNextToken(
 HttpAuth::AuthorizationResult HttpAuthHandlerNTLM::ParseChallenge(
    HttpAuthChallengeTokenizer* tok,
    bool initial_challenge) {
-  auth_data_.clear();
+  challenge_token_.clear();
-  // Verify the challenge's auth-scheme.
-  if (tok->auth_scheme() != kNtlmAuthScheme)
-    return HttpAuth::AUTHORIZATION_RESULT_INVALID;
-  std::string base64_param = tok->base64_param();
+  if (initial_challenge)
-  if (base64_param.empty()) {
+    return ParseFirstRoundChallenge(HttpAuth::Scheme::AUTH_SCHEME_NTLM, tok);
-    if (!initial_challenge)
-      return HttpAuth::AUTHORIZATION_RESULT_REJECT;
-    return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
-  } else {
-    if (initial_challenge)
-      return HttpAuth::AUTHORIZATION_RESULT_INVALID;
-  }
-  auth_data_ = base64_param;
+  std::string encoded_token;
-  return HttpAuth::AUTHORIZATION_RESULT_ACCEPT;
+  return ParseLaterRoundChallenge(HttpAuth::Scheme::AUTH_SCHEME_NTLM, tok,
+                                  &encoded_token, &challenge_token_);
 }
 }  // namespace net
--- a/net/http/http_auth_handler_ntlm_portable_unittest.cc
+++ b/net/http/http_auth_handler_ntlm_portable_unittest.cc
@@ -202,9 +202,8 @@ TEST_F(HttpAuthHandlerNtlmPortableTest, InvalidBase64Encoding) {
  ASSERT_EQ(OK, GetGenerateAuthTokenResult());
  // Token isn't valid base64.
-  ASSERT_EQ(HttpAuth::AUTHORIZATION_RESULT_ACCEPT,
+  ASSERT_EQ(HttpAuth::AUTHORIZATION_RESULT_INVALID,
            HandleAnotherChallenge("NTLM !!!!!!!!!!!!!"));
-  ASSERT_EQ(ERR_UNEXPECTED, GetGenerateAuthTokenResult());
 }
 TEST_F(HttpAuthHandlerNtlmPortableTest, CantChangeSchemeMidway) {