Adding upstream version 124.0.1.upstream/124.0.1

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 555 insertions, 0 deletions

diff --git a/third_party/libwebrtc/rtc_base/http_common.cc b/third_party/libwebrtc/rtc_base/http_common.cc
new file mode 100644
index 0000000000..621b854b53
--- /dev/null
+++ b/third_party/libwebrtc/rtc_base/http_common.cc
@@ -0,0 +1,555 @@
+/*
+ *  Copyright 2004 The WebRTC Project Authors. All rights reserved.
+ *
+ *  Use of this source code is governed by a BSD-style license
+ *  that can be found in the LICENSE file in the root of the source
+ *  tree. An additional intellectual property rights grant can be found
+ *  in the file PATENTS.  All contributing project authors may
+ *  be found in the AUTHORS file in the root of the source tree.
+ */
+
+#include <time.h>
+
+#include "absl/strings/string_view.h"
+
+#if defined(WEBRTC_WIN)
+#include <windows.h>
+#include <winsock2.h>
+#include <ws2tcpip.h>
+
+#define SECURITY_WIN32
+#include <security.h>
+#endif
+
+#include <ctype.h>  // for isspace
+#include <stdio.h>  // for sprintf
+
+#include <utility>  // for pair
+#include <vector>
+
+#include "absl/strings/match.h"
+#include "rtc_base/crypt_string.h"  // for CryptString
+#include "rtc_base/http_common.h"
+#include "rtc_base/logging.h"
+#include "rtc_base/message_digest.h"
+#include "rtc_base/socket_address.h"
+#include "rtc_base/string_utils.h"
+#include "rtc_base/strings/string_builder.h"
+#include "rtc_base/third_party/base64/base64.h"  // for Base64
+#include "rtc_base/zero_memory.h"                // for ExplicitZeroMemory
+
+namespace rtc {
+namespace {
+#if defined(WEBRTC_WIN) && !defined(WINUWP)
+///////////////////////////////////////////////////////////////////////////////
+// ConstantToLabel can be used to easily generate string names from constant
+// values.  This can be useful for logging descriptive names of error messages.
+// Usage:
+//   const ConstantToLabel LIBRARY_ERRORS[] = {
+//     KLABEL(SOME_ERROR),
+//     KLABEL(SOME_OTHER_ERROR),
+//     ...
+//     LASTLABEL
+//   }
+//
+//   int err = LibraryFunc();
+//   LOG(LS_ERROR) << "LibraryFunc returned: "
+//                 << GetErrorName(err, LIBRARY_ERRORS);
+struct ConstantToLabel {
+  int value;
+  const char* label;
+};
+
+const char* LookupLabel(int value, const ConstantToLabel entries[]) {
+  for (int i = 0; entries[i].label; ++i) {
+    if (value == entries[i].value) {
+      return entries[i].label;
+    }
+  }
+  return 0;
+}
+
+std::string GetErrorName(int err, const ConstantToLabel* err_table) {
+  if (err == 0)
+    return "No error";
+
+  if (err_table != 0) {
+    if (const char* value = LookupLabel(err, err_table))
+      return value;
+  }
+
+  char buffer[16];
+  snprintf(buffer, sizeof(buffer), "0x%08x", err);
+  return buffer;
+}
+
+#define KLABEL(x) \
+  { x, #x }
+#define LASTLABEL \
+  { 0, 0 }
+
+const ConstantToLabel SECURITY_ERRORS[] = {
+    KLABEL(SEC_I_COMPLETE_AND_CONTINUE),
+    KLABEL(SEC_I_COMPLETE_NEEDED),
+    KLABEL(SEC_I_CONTEXT_EXPIRED),
+    KLABEL(SEC_I_CONTINUE_NEEDED),
+    KLABEL(SEC_I_INCOMPLETE_CREDENTIALS),
+    KLABEL(SEC_I_RENEGOTIATE),
+    KLABEL(SEC_E_CERT_EXPIRED),
+    KLABEL(SEC_E_INCOMPLETE_MESSAGE),
+    KLABEL(SEC_E_INSUFFICIENT_MEMORY),
+    KLABEL(SEC_E_INTERNAL_ERROR),
+    KLABEL(SEC_E_INVALID_HANDLE),
+    KLABEL(SEC_E_INVALID_TOKEN),
+    KLABEL(SEC_E_LOGON_DENIED),
+    KLABEL(SEC_E_NO_AUTHENTICATING_AUTHORITY),
+    KLABEL(SEC_E_NO_CREDENTIALS),
+    KLABEL(SEC_E_NOT_OWNER),
+    KLABEL(SEC_E_OK),
+    KLABEL(SEC_E_SECPKG_NOT_FOUND),
+    KLABEL(SEC_E_TARGET_UNKNOWN),
+    KLABEL(SEC_E_UNKNOWN_CREDENTIALS),
+    KLABEL(SEC_E_UNSUPPORTED_FUNCTION),
+    KLABEL(SEC_E_UNTRUSTED_ROOT),
+    KLABEL(SEC_E_WRONG_PRINCIPAL),
+    LASTLABEL};
+#undef KLABEL
+#undef LASTLABEL
+#endif  // defined(WEBRTC_WIN) && !defined(WINUWP)
+
+typedef std::pair<std::string, std::string> HttpAttribute;
+typedef std::vector<HttpAttribute> HttpAttributeList;
+
+inline bool IsEndOfAttributeName(size_t pos, absl::string_view data) {
+  if (pos >= data.size())
+    return true;
+  if (isspace(static_cast<unsigned char>(data[pos])))
+    return true;
+  // The reason for this complexity is that some attributes may contain trailing
+  // equal signs (like base64 tokens in Negotiate auth headers)
+  if ((pos + 1 < data.size()) && (data[pos] == '=') &&
+      !isspace(static_cast<unsigned char>(data[pos + 1])) &&
+      (data[pos + 1] != '=')) {
+    return true;
+  }
+  return false;
+}
+
+void HttpParseAttributes(absl::string_view data,
+                         HttpAttributeList& attributes) {
+  size_t pos = 0;
+  const size_t len = data.size();
+  while (true) {
+    // Skip leading whitespace
+    while ((pos < len) && isspace(static_cast<unsigned char>(data[pos]))) {
+      ++pos;
+    }
+
+    // End of attributes?
+    if (pos >= len)
+      return;
+
+    // Find end of attribute name
+    size_t start = pos;
+    while (!IsEndOfAttributeName(pos, data)) {
+      ++pos;
+    }
+
+    HttpAttribute attribute;
+    attribute.first.assign(data.data() + start, data.data() + pos);
+
+    // Attribute has value?
+    if ((pos < len) && (data[pos] == '=')) {
+      ++pos;  // Skip '='
+      // Check if quoted value
+      if ((pos < len) && (data[pos] == '"')) {
+        while (++pos < len) {
+          if (data[pos] == '"') {
+            ++pos;
+            break;
+          }
+          if ((data[pos] == '\\') && (pos + 1 < len))
+            ++pos;
+          attribute.second.append(1, data[pos]);
+        }
+      } else {
+        while ((pos < len) && !isspace(static_cast<unsigned char>(data[pos])) &&
+               (data[pos] != ',')) {
+          attribute.second.append(1, data[pos++]);
+        }
+      }
+    }
+
+    attributes.push_back(attribute);
+    if ((pos < len) && (data[pos] == ','))
+      ++pos;  // Skip ','
+  }
+}
+
+bool HttpHasAttribute(const HttpAttributeList& attributes,
+                      absl::string_view name,
+                      std::string* value) {
+  for (HttpAttributeList::const_iterator it = attributes.begin();
+       it != attributes.end(); ++it) {
+    if (it->first == name) {
+      if (value) {
+        *value = it->second;
+      }
+      return true;
+    }
+  }
+  return false;
+}
+
+bool HttpHasNthAttribute(HttpAttributeList& attributes,
+                         size_t index,
+                         std::string* name,
+                         std::string* value) {
+  if (index >= attributes.size())
+    return false;
+
+  if (name)
+    *name = attributes[index].first;
+  if (value)
+    *value = attributes[index].second;
+  return true;
+}
+
+std::string quote(absl::string_view str) {
+  std::string result;
+  result.push_back('"');
+  for (size_t i = 0; i < str.size(); ++i) {
+    if ((str[i] == '"') || (str[i] == '\\'))
+      result.push_back('\\');
+    result.push_back(str[i]);
+  }
+  result.push_back('"');
+  return result;
+}
+
+#if defined(WEBRTC_WIN) && !defined(WINUWP)
+struct NegotiateAuthContext : public HttpAuthContext {
+  CredHandle cred;
+  CtxtHandle ctx;
+  size_t steps;
+  bool specified_credentials;
+
+  NegotiateAuthContext(absl::string_view auth, CredHandle c1, CtxtHandle c2)
+      : HttpAuthContext(auth),
+        cred(c1),
+        ctx(c2),
+        steps(0),
+        specified_credentials(false) {}
+
+  ~NegotiateAuthContext() override {
+    DeleteSecurityContext(&ctx);
+    FreeCredentialsHandle(&cred);
+  }
+};
+#endif  // defined(WEBRTC_WIN) && !defined(WINUWP)
+
+}  // anonymous namespace
+
+HttpAuthResult HttpAuthenticate(absl::string_view challenge,
+                                const SocketAddress& server,
+                                absl::string_view method,
+                                absl::string_view uri,
+                                absl::string_view username,
+                                const CryptString& password,
+                                HttpAuthContext*& context,
+                                std::string& response,
+                                std::string& auth_method) {
+  HttpAttributeList args;
+  HttpParseAttributes(challenge, args);
+  HttpHasNthAttribute(args, 0, &auth_method, nullptr);
+
+  if (context && (context->auth_method != auth_method))
+    return HAR_IGNORE;
+
+  // BASIC
+  if (absl::EqualsIgnoreCase(auth_method, "basic")) {
+    if (context)
+      return HAR_CREDENTIALS;  // Bad credentials
+    if (username.empty())
+      return HAR_CREDENTIALS;  // Missing credentials
+
+    context = new HttpAuthContext(auth_method);
+
+    // TODO(bugs.webrtc.org/8905): Convert sensitive to a CryptString and also
+    // return response as CryptString so contents get securely deleted
+    // automatically.
+    // std::string decoded = username + ":" + password;
+    size_t len = username.size() + password.GetLength() + 2;
+    char* sensitive = new char[len];
+    size_t pos = strcpyn(sensitive, len, username);
+    pos += strcpyn(sensitive + pos, len - pos, ":");
+    password.CopyTo(sensitive + pos, true);
+
+    response = auth_method;
+    response.append(" ");
+    // TODO: create a sensitive-source version of Base64::encode
+    response.append(Base64::Encode(sensitive));
+    ExplicitZeroMemory(sensitive, len);
+    delete[] sensitive;
+    return HAR_RESPONSE;
+  }
+
+  // DIGEST
+  if (absl::EqualsIgnoreCase(auth_method, "digest")) {
+    if (context)
+      return HAR_CREDENTIALS;  // Bad credentials
+    if (username.empty())
+      return HAR_CREDENTIALS;  // Missing credentials
+
+    context = new HttpAuthContext(auth_method);
+
+    std::string cnonce, ncount;
+    char buffer[256];
+    snprintf(buffer, sizeof(buffer), "%d", static_cast<int>(time(0)));
+    cnonce = MD5(buffer);
+    ncount = "00000001";
+
+    std::string realm, nonce, qop, opaque;
+    HttpHasAttribute(args, "realm", &realm);
+    HttpHasAttribute(args, "nonce", &nonce);
+    bool has_qop = HttpHasAttribute(args, "qop", &qop);
+    bool has_opaque = HttpHasAttribute(args, "opaque", &opaque);
+
+    // TODO(bugs.webrtc.org/8905): Convert sensitive to a CryptString and also
+    // return response as CryptString so contents get securely deleted
+    // automatically.
+    // std::string A1 = username + ":" + realm + ":" + password;
+    size_t len = username.size() + realm.size() + password.GetLength() + 3;
+    char* sensitive = new char[len];  // A1
+    size_t pos = strcpyn(sensitive, len, username);
+    pos += strcpyn(sensitive + pos, len - pos, ":");
+    pos += strcpyn(sensitive + pos, len - pos, realm);
+    pos += strcpyn(sensitive + pos, len - pos, ":");
+    password.CopyTo(sensitive + pos, true);
+
+    std::string A2 = std::string(method) + ":" + std::string(uri);
+    std::string middle;
+    if (has_qop) {
+      qop = "auth";
+      middle = nonce + ":" + ncount + ":" + cnonce + ":" + qop;
+    } else {
+      middle = nonce;
+    }
+    std::string HA1 = MD5(sensitive);
+    ExplicitZeroMemory(sensitive, len);
+    delete[] sensitive;
+    std::string HA2 = MD5(A2);
+    std::string dig_response = MD5(HA1 + ":" + middle + ":" + HA2);
+
+    rtc::StringBuilder ss;
+    ss << auth_method;
+    ss << " username=" << quote(username);
+    ss << ", realm=" << quote(realm);
+    ss << ", nonce=" << quote(nonce);
+    ss << ", uri=" << quote(uri);
+    if (has_qop) {
+      ss << ", qop=" << qop;
+      ss << ", nc=" << ncount;
+      ss << ", cnonce=" << quote(cnonce);
+    }
+    ss << ", response=\"" << dig_response << "\"";
+    if (has_opaque) {
+      ss << ", opaque=" << quote(opaque);
+    }
+    response = ss.str();
+    return HAR_RESPONSE;
+  }
+
+#if defined(WEBRTC_WIN) && !defined(WINUWP)
+#if 1
+  bool want_negotiate = absl::EqualsIgnoreCase(auth_method, "negotiate");
+  bool want_ntlm = absl::EqualsIgnoreCase(auth_method, "ntlm");
+  // SPNEGO & NTLM
+  if (want_negotiate || want_ntlm) {
+    const size_t MAX_MESSAGE = 12000, MAX_SPN = 256;
+    char out_buf[MAX_MESSAGE], spn[MAX_SPN];
+
+#if 0  // Requires funky windows versions
+    DWORD len = MAX_SPN;
+    if (DsMakeSpn("HTTP", server.HostAsURIString().c_str(), nullptr,
+                  server.port(),
+                  0, &len, spn) != ERROR_SUCCESS) {
+      RTC_LOG_F(LS_WARNING) << "(Negotiate) - DsMakeSpn failed";
+      return HAR_IGNORE;
+    }
+#else
+    snprintf(spn, MAX_SPN, "HTTP/%s", server.ToString().c_str());
+#endif
+
+    SecBuffer out_sec;
+    out_sec.pvBuffer = out_buf;
+    out_sec.cbBuffer = sizeof(out_buf);
+    out_sec.BufferType = SECBUFFER_TOKEN;
+
+    SecBufferDesc out_buf_desc;
+    out_buf_desc.ulVersion = 0;
+    out_buf_desc.cBuffers = 1;
+    out_buf_desc.pBuffers = &out_sec;
+
+    const ULONG NEG_FLAGS_DEFAULT =
+        // ISC_REQ_ALLOCATE_MEMORY
+        ISC_REQ_CONFIDENTIALITY
+        //| ISC_REQ_EXTENDED_ERROR
+        //| ISC_REQ_INTEGRITY
+        | ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT
+        //| ISC_REQ_STREAM
+        //| ISC_REQ_USE_SUPPLIED_CREDS
+        ;
+
+    ::TimeStamp lifetime;
+    SECURITY_STATUS ret = S_OK;
+    ULONG ret_flags = 0, flags = NEG_FLAGS_DEFAULT;
+
+    bool specify_credentials = !username.empty();
+    size_t steps = 0;
+
+    // uint32_t now = Time();
+
+    NegotiateAuthContext* neg = static_cast<NegotiateAuthContext*>(context);
+    if (neg) {
+      const size_t max_steps = 10;
+      if (++neg->steps >= max_steps) {
+        RTC_LOG(LS_WARNING) << "AsyncHttpsProxySocket::Authenticate(Negotiate) "
+                               "too many retries";
+        return HAR_ERROR;
+      }
+      steps = neg->steps;
+
+      std::string challenge, decoded_challenge;
+      if (HttpHasNthAttribute(args, 1, &challenge, nullptr) &&
+          Base64::Decode(challenge, Base64::DO_STRICT, &decoded_challenge,
+                         nullptr)) {
+        SecBuffer in_sec;
+        in_sec.pvBuffer = const_cast<char*>(decoded_challenge.data());
+        in_sec.cbBuffer = static_cast<unsigned long>(decoded_challenge.size());
+        in_sec.BufferType = SECBUFFER_TOKEN;
+
+        SecBufferDesc in_buf_desc;
+        in_buf_desc.ulVersion = 0;
+        in_buf_desc.cBuffers = 1;
+        in_buf_desc.pBuffers = &in_sec;
+
+        ret = InitializeSecurityContextA(
+            &neg->cred, &neg->ctx, spn, flags, 0, SECURITY_NATIVE_DREP,
+            &in_buf_desc, 0, &neg->ctx, &out_buf_desc, &ret_flags, &lifetime);
+        if (FAILED(ret)) {
+          RTC_LOG(LS_ERROR) << "InitializeSecurityContext returned: "
+                            << GetErrorName(ret, SECURITY_ERRORS);
+          return HAR_ERROR;
+        }
+      } else if (neg->specified_credentials) {
+        // Try again with default credentials
+        specify_credentials = false;
+        delete context;
+        context = neg = 0;
+      } else {
+        return HAR_CREDENTIALS;
+      }
+    }
+
+    if (!neg) {
+      unsigned char userbuf[256], passbuf[256], domainbuf[16];
+      SEC_WINNT_AUTH_IDENTITY_A auth_id, *pauth_id = 0;
+      if (specify_credentials) {
+        memset(&auth_id, 0, sizeof(auth_id));
+        size_t len = password.GetLength() + 1;
+        char* sensitive = new char[len];
+        password.CopyTo(sensitive, true);
+        absl::string_view::size_type pos = username.find('\\');
+        if (pos == absl::string_view::npos) {
+          auth_id.UserLength = static_cast<unsigned long>(
+              std::min(sizeof(userbuf) - 1, username.size()));
+          memcpy(userbuf, username.data(), auth_id.UserLength);
+          userbuf[auth_id.UserLength] = 0;
+          auth_id.DomainLength = 0;
+          domainbuf[auth_id.DomainLength] = 0;
+          auth_id.PasswordLength = static_cast<unsigned long>(
+              std::min(sizeof(passbuf) - 1, password.GetLength()));
+          memcpy(passbuf, sensitive, auth_id.PasswordLength);
+          passbuf[auth_id.PasswordLength] = 0;
+        } else {
+          auth_id.UserLength = static_cast<unsigned long>(
+              std::min(sizeof(userbuf) - 1, username.size() - pos - 1));
+          memcpy(userbuf, username.data() + pos + 1, auth_id.UserLength);
+          userbuf[auth_id.UserLength] = 0;
+          auth_id.DomainLength =
+              static_cast<unsigned long>(std::min(sizeof(domainbuf) - 1, pos));
+          memcpy(domainbuf, username.data(), auth_id.DomainLength);
+          domainbuf[auth_id.DomainLength] = 0;
+          auth_id.PasswordLength = static_cast<unsigned long>(
+              std::min(sizeof(passbuf) - 1, password.GetLength()));
+          memcpy(passbuf, sensitive, auth_id.PasswordLength);
+          passbuf[auth_id.PasswordLength] = 0;
+        }
+        ExplicitZeroMemory(sensitive, len);
+        delete[] sensitive;
+        auth_id.User = userbuf;
+        auth_id.Domain = domainbuf;
+        auth_id.Password = passbuf;
+        auth_id.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
+        pauth_id = &auth_id;
+        RTC_LOG(LS_VERBOSE)
+            << "Negotiate protocol: Using specified credentials";
+      } else {
+        RTC_LOG(LS_VERBOSE) << "Negotiate protocol: Using default credentials";
+      }
+
+      CredHandle cred;
+      ret = AcquireCredentialsHandleA(
+          0, const_cast<char*>(want_negotiate ? NEGOSSP_NAME_A : NTLMSP_NAME_A),
+          SECPKG_CRED_OUTBOUND, 0, pauth_id, 0, 0, &cred, &lifetime);
+      if (ret != SEC_E_OK) {
+        RTC_LOG(LS_ERROR) << "AcquireCredentialsHandle error: "
+                          << GetErrorName(ret, SECURITY_ERRORS);
+        return HAR_IGNORE;
+      }
+
+      // CSecBufferBundle<5, CSecBufferBase::FreeSSPI> sb_out;
+
+      CtxtHandle ctx;
+      ret = InitializeSecurityContextA(&cred, 0, spn, flags, 0,
+                                       SECURITY_NATIVE_DREP, 0, 0, &ctx,
+                                       &out_buf_desc, &ret_flags, &lifetime);
+      if (FAILED(ret)) {
+        RTC_LOG(LS_ERROR) << "InitializeSecurityContext returned: "
+                          << GetErrorName(ret, SECURITY_ERRORS);
+        FreeCredentialsHandle(&cred);
+        return HAR_IGNORE;
+      }
+
+      RTC_DCHECK(!context);
+      context = neg = new NegotiateAuthContext(auth_method, cred, ctx);
+      neg->specified_credentials = specify_credentials;
+      neg->steps = steps;
+    }
+
+    if ((ret == SEC_I_COMPLETE_NEEDED) ||
+        (ret == SEC_I_COMPLETE_AND_CONTINUE)) {
+      ret = CompleteAuthToken(&neg->ctx, &out_buf_desc);
+      RTC_LOG(LS_VERBOSE) << "CompleteAuthToken returned: "
+                          << GetErrorName(ret, SECURITY_ERRORS);
+      if (FAILED(ret)) {
+        return HAR_ERROR;
+      }
+    }
+
+    std::string decoded(out_buf, out_buf + out_sec.cbBuffer);
+    response = auth_method;
+    response.append(" ");
+    response.append(Base64::Encode(decoded));
+    return HAR_RESPONSE;
+  }
+#endif
+#endif  // defined(WEBRTC_WIN) && !defined(WINUWP)
+
+  return HAR_IGNORE;
+}
+
+//////////////////////////////////////////////////////////////////////
+
+}  // namespace rtc