RFC 7616 HTTP digest auth: Add support for SHA-256 and username hashing

Tested with lighttpd (configs: https://gist.github.com/rojer/f04fae5eeffe856ec4071a6c20873deb, password for user "test" is "test")

Bug: 1160478
Change-Id: I0f5643663fe14b0676af7d2094f9e6d16bb7ff38
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4611879
Commit-Queue: Kenichi Ishibashi <[email protected]>
Reviewed-by: David Benjamin <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1175895}

Author: rojer

AUTHORS

@@ -326,6 +326,7 @@ Deepak Sharma <[email protected]>
 Deepak Singla <[email protected]>
 Deniz Eren Evrendilek <[email protected]>
 Deokjin Kim <[email protected]>
+Deomid rojer Ryabkov <[email protected]>
 Derek Halman <[email protected]>
 Devlin Cronin <[email protected]>
 Dhi Aurrahman <[email protected]>

chrome/browser/about_flags.cc

@@ -10717,6 +10717,11 @@ const FeatureEntry kFeatureEntries[] = {
          password_manager::features::kFillingAcrossAffiliatedWebsitesAndroid)},
 #endif
 
+    {"digest-auth-enable-secure-algorithms",
+     flag_descriptions::kDigestAuthEnableSecureAlgorithmsName,
+     flag_descriptions::kDigestAuthEnableSecureAlgorithmsDescription, kOsAll,
+     FEATURE_VALUE_TYPE(net::features::kDigestAuthEnableSecureAlgorithms)},
+
     // NOTE: Adding a new flag requires adding a corresponding entry to enum
     // "LoginCustomFlags" in tools/metrics/histograms/enums.xml. See "Flag
     // Histograms" in tools/metrics/histograms/README.md (run the

chrome/browser/flag-metadata.json

@@ -1611,6 +1611,11 @@
     ],
     "expiry_milestone": 130
   },
+  {
+    "name": "digest-auth-enable-secure-algorithms",
+    "owners": [ "[email protected]" ],
+    "expiry_milestone": 120
+  },
   {
     "name": "disable-accelerated-2d-canvas",
     "owners": [ "fserb" ],

chrome/browser/flag_descriptions.cc

@@ -211,6 +211,12 @@ const char kDIPSDescription[] =
     "sites that appear to be performing cross-site tracking using the bounce "
     "tracking technique.";
 
+const char kDigestAuthEnableSecureAlgorithmsName[] =
+    "Enable Secure Algorithms for HTTP DIgest Auth";
+const char kDigestAuthEnableSecureAlgorithmsDescription[] =
+    "This flag controls whether HTTP Digest auth handler should respond to "
+    "challenges that use SHA-256. It also enables username hashing support.";
+
 const char kDocumentPictureInPictureApiName[] =
     "Document Picture-in-Picture API";
 const char kDocumentPictureInPictureApiDescription[] =

chrome/browser/flag_descriptions.h

@@ -133,6 +133,9 @@ extern const char kCustomizeChromeColorExtractionDescription[];
 extern const char kCustomizeChromeSidePanelName[];
 extern const char KCustomizeChromeSidePanelDescription[];
 
+extern const char kDigestAuthEnableSecureAlgorithmsName[];
+extern const char kDigestAuthEnableSecureAlgorithmsDescription[];
+
 extern const char kDIPSName[];
 extern const char kDIPSDescription[];
 

net/base/features.cc

@@ -419,4 +419,8 @@ BASE_FEATURE(kClearSiteDataWildcardSupport,
              "ClearSiteDataWildcardSupport",
              base::FEATURE_ENABLED_BY_DEFAULT);
 
+BASE_FEATURE(kDigestAuthEnableSecureAlgorithms,
+             "DigestAuthEnableSecureAlgorithms",
+             base::FEATURE_ENABLED_BY_DEFAULT);
+
 }  // namespace net::features

net/base/features.h

@@ -422,6 +422,9 @@ NET_EXPORT BASE_DECLARE_FEATURE(kZstdContentEncoding);
 // targets as "*" rather than requiring all targets be listed out.
 NET_EXPORT BASE_DECLARE_FEATURE(kClearSiteDataWildcardSupport);
 
+// Enables SHA-256 and username hashing support for HTTP Digest auth.
+NET_EXPORT BASE_DECLARE_FEATURE(kDigestAuthEnableSecureAlgorithms);
+
 }  // namespace net::features
 
 #endif  // NET_BASE_FEATURES_H_