< Summary

Information

Class:	System.Net.Http.AuthenticationHelper
Assembly:	System.Net.Http
File(s):	File 1: D:\runner\runtime\src\libraries\System.Net.Http\src\System\Net\Http\SocketsHttpHandler\AuthenticationHelper.cs File 2: D:\runner\runtime\src\libraries\System.Net.Http\src\System\Net\Http\SocketsHttpHandler\AuthenticationHelper.Digest.cs File 3: D:\runner\runtime\src\libraries\System.Net.Http\src\System\Net\Http\SocketsHttpHandler\AuthenticationHelper.NtAuth.cs

Line coverage

Covered lines:	0
Uncovered lines:	619
Coverable lines:	619
Total lines:	1070
Line coverage:	0%

Branch coverage

Covered branches:	0
Total branches:	338
Branch coverage:	0%

Method coverage

Feature is only available for sponsors

Upgrade to PRO version

Metrics

Method	Branch coverage	Cyclomatic complexity	NPath complexity	Sequence coverage
File 1: .ctor(...)	100%	1	1	0%
File 1: TryGetChallengeDataForScheme(...)	0%	4	4	0%
File 1: IsSessionAuthenticationChallenge(...)	0%	8	8	0%
File 1: TryGetValidAuthenticationChallengeForScheme(...)	0%	8	8	0%
File 1: TryGetAuthenticationChallenge(...)	0%	12	12	0%
File 1: TryGetRepeatedChallenge(...)	0%	4	4	0%
File 1: IsAuthenticationChallenge(...)	0%	2	2	0%
File 1: GetResponseAuthenticationHeaderValues(...)	0%	2	2	0%
File 1: SetRequestAuthenticationHeaderValue(...)	0%	2	2	0%
File 1: SetBasicAuthToken(...)	0%	2	2	0%
File 1: TrySetDigestAuthToken()	0%	6	6	0%
File 1: InnerSendAsync(...)	0%	2	2	0%
File 1: SendWithAuthAsync()	0%	54	54	0%
File 1: SendWithProxyAuthAsync(...)	100%	1	1	0%
File 1: SendWithRequestAuthAsync(...)	100%	1	1	0%
File 2: GetDigestTokenForCredential()	0%	48	48	0%
File 2: IsServerNonceStale(...)	0%	2	2	0%
File 2: GetRandomAlphaNumericString()	100%	1	1	0%
File 2: ComputeHash(...)	0%	2	2	0%
File 2: .ctor(...)	0%	2	2	0%
File 2: CharIsSpaceOrTab(...)	0%	2	2	0%
File 2: MustValueBeQuoted(...)	0%	6	6	0%
File 2: GetNextKey(...)	0%	28	28	0%
File 2: GetNextValue(...)	0%	44	44	0%
File 2: Parse(...)	0%	16	16	0%
File 3: .cctor()	100%	1	1	0%
File 3: InnerSendAsync(...)	0%	2	2	0%
File 3: ProxySupportsConnectionAuth(...)	0%	6	6	0%
File 3: SendWithNtAuthAsync()	0%	62	62	0%
File 3: SendWithNtProxyAuthAsync(...)	100%	1	1	0%
File 3: SendWithNtConnectionAuthAsync(...)	100%	1	1	0%

File(s)

D:\runner\runtime\src\libraries\System.Net.Http\src\System\Net\Http\SocketsHttpHandler\AuthenticationHelper.cs

#	Line	Line coverage
	`1`	`// Licensed to the .NET Foundation under one or more agreements.`
	`2`	`// The .NET Foundation licenses this file to you under the MIT license.`
	`3`
	`4`	`using System.Diagnostics;`
	`5`	`using System.Diagnostics.CodeAnalysis;`
	`6`	`using System.Net.Http.Headers;`
	`7`	`using System.Text;`
	`8`	`using System.Threading;`
	`9`	`using System.Threading.Tasks;`
	`10`
	`11`	`namespace System.Net.Http`
	`12`	`{`
	`13`	`internal static partial class AuthenticationHelper`
	`14`	`{`
	`15`	`private const string BasicScheme = "Basic";`
	`16`	`private const string DigestScheme = "Digest";`
	`17`	`private const string NtlmScheme = "NTLM";`
	`18`	`private const string NegotiateScheme = "Negotiate";`
	`19`
	`20`	`private enum AuthenticationType`
	`21`	`{`
	`22`	`Basic,`
	`23`	`Digest,`
	`24`	`Ntlm,`
	`25`	`Negotiate`
	`26`	`}`
	`27`
	`28`	`private readonly struct AuthenticationChallenge`
	`29`	`{`
0	`30`	`public AuthenticationType AuthenticationType { get; }`
0	`31`	`public string SchemeName { get; }`
0	`32`	`public NetworkCredential Credential { get; }`
0	`33`	`public string? ChallengeData { get; }`
	`34`
	`35`	`public AuthenticationChallenge(AuthenticationType authenticationType, string schemeName, NetworkCredential c`
0	`36`	`{`
0	`37`	`AuthenticationType = authenticationType;`
0	`38`	`SchemeName = schemeName;`
0	`39`	`Credential = credential;`
0	`40`	`ChallengeData = challenge;`
0	`41`	`}`
	`42`	`}`
	`43`
	`44`	`private static bool TryGetChallengeDataForScheme(string scheme, HttpHeaderValueCollection<AuthenticationHeaderVa`
0	`45`	`{`
0	`46`	`foreach (AuthenticationHeaderValue ahv in authenticationHeaderValues)`
0	`47`	`{`
0	`48`	`if (StringComparer.OrdinalIgnoreCase.Equals(scheme, ahv.Scheme))`
0	`49`	`{`
	`50`	`// Note, a valid challenge can have challengeData == null`
0	`51`	`challengeData = ahv.Parameter;`
0	`52`	`return true;`
	`53`	`}`
0	`54`	`}`
	`55`
0	`56`	`challengeData = null;`
0	`57`	`return false;`
0	`58`	`}`
	`59`
	`60`	`// Helper function to determine if response is part of session-based authentication challenge.`
	`61`	`internal static bool IsSessionAuthenticationChallenge(HttpResponseMessage response)`
0	`62`	`{`
0	`63`	`if (response.StatusCode != HttpStatusCode.Unauthorized)`
0	`64`	`{`
0	`65`	`return false;`
	`66`	`}`
	`67`
0	`68`	`HttpHeaderValueCollection<AuthenticationHeaderValue> authenticationHeaderValues = GetResponseAuthenticationH`
0	`69`	`foreach (AuthenticationHeaderValue ahv in authenticationHeaderValues)`
0	`70`	`{`
0	`71`	`if (StringComparer.OrdinalIgnoreCase.Equals(NegotiateScheme, ahv.Scheme) \|\| StringComparer.OrdinalIgnore`
0	`72`	`{`
0	`73`	`return true;`
	`74`	`}`
0	`75`	`}`
	`76`
0	`77`	`return false;`
0	`78`	`}`
	`79`
	`80`	`private static bool TryGetValidAuthenticationChallengeForScheme(string scheme, AuthenticationType authentication`
	`81`	`HttpHeaderValueCollection<AuthenticationHeaderValue> authenticationHeaderValues, out AuthenticationChallenge`
0	`82`	`{`
0	`83`	`challenge = default;`
	`84`
0	`85`	`if (!TryGetChallengeDataForScheme(scheme, authenticationHeaderValues, out string? challengeData))`
0	`86`	`{`
0	`87`	`return false;`
	`88`	`}`
	`89`
0	`90`	`NetworkCredential? credential = credentials.GetCredential(uri, scheme);`
0	`91`	`if (credential == null)`
0	`92`	`{`
	`93`	`// We have no credential for this auth type, so we can't respond to the challenge.`
	`94`	`// We'll continue to look for a different auth type that we do have a credential for.`
0	`95`	`if (NetEventSource.Log.IsEnabled())`
0	`96`	`{`
0	`97`	`NetEventSource.AuthenticationInfo(uri, $"Authentication scheme '{scheme}' supported by server, but n`
0	`98`	`}`
0	`99`	`return false;`
	`100`	`}`
	`101`
0	`102`	`challenge = new AuthenticationChallenge(authenticationType, scheme, credential, challengeData);`
0	`103`	`if (NetEventSource.Log.IsEnabled())`
0	`104`	`{`
0	`105`	`NetEventSource.AuthenticationInfo(uri, $"Authentication scheme '{scheme}' selected. Client username={cha`
0	`106`	`}`
0	`107`	`return true;`
0	`108`	`}`
	`109`
	`110`	`private static bool TryGetAuthenticationChallenge(HttpResponseMessage response, bool isProxyAuth, Uri authUri, I`
0	`111`	`{`
0	`112`	`if (!IsAuthenticationChallenge(response, isProxyAuth))`
0	`113`	`{`
0	`114`	`challenge = default;`
0	`115`	`return false;`
	`116`	`}`
	`117`
	`118`	`// Try to get a valid challenge for the schemes we support, in priority order.`
0	`119`	`HttpHeaderValueCollection<AuthenticationHeaderValue> authenticationHeaderValues = GetResponseAuthenticationH`
0	`120`	`if (NetEventSource.Log.IsEnabled())`
0	`121`	`{`
0	`122`	`NetEventSource.AuthenticationInfo(authUri, $"{(isProxyAuth ? "Proxy" : "Server")} authentication request`
0	`123`	`}`
0	`124`	`return`
0	`125`	`TryGetValidAuthenticationChallengeForScheme(NegotiateScheme, AuthenticationType.Negotiate, authUri, cred`
0	`126`	`TryGetValidAuthenticationChallengeForScheme(NtlmScheme, AuthenticationType.Ntlm, authUri, credentials, a`
0	`127`	`TryGetValidAuthenticationChallengeForScheme(DigestScheme, AuthenticationType.Digest, authUri, credential`
0	`128`	`TryGetValidAuthenticationChallengeForScheme(BasicScheme, AuthenticationType.Basic, authUri, credentials,`
0	`129`	`}`
	`130`
	`131`	`private static bool TryGetRepeatedChallenge(HttpResponseMessage response, string scheme, bool isProxyAuth, out s`
0	`132`	`{`
0	`133`	`challengeData = null;`
	`134`
0	`135`	`if (!IsAuthenticationChallenge(response, isProxyAuth))`
0	`136`	`{`
0	`137`	`return false;`
	`138`	`}`
	`139`
0	`140`	`if (!TryGetChallengeDataForScheme(scheme, GetResponseAuthenticationHeaderValues(response, isProxyAuth), out`
0	`141`	`{`
	`142`	`// We got another challenge status code, but couldn't find the challenge for the scheme we're handling c`
	`143`	`// Just stop processing auth.`
0	`144`	`return false;`
	`145`	`}`
	`146`
0	`147`	`return true;`
0	`148`	`}`
	`149`
	`150`	`private static bool IsAuthenticationChallenge(HttpResponseMessage response, bool isProxyAuth)`
0	`151`	`{`
0	`152`	`return isProxyAuth ?`
0	`153`	`response.StatusCode == HttpStatusCode.ProxyAuthenticationRequired :`
0	`154`	`response.StatusCode == HttpStatusCode.Unauthorized;`
0	`155`	`}`
	`156`
	`157`	`private static HttpHeaderValueCollection<AuthenticationHeaderValue> GetResponseAuthenticationHeaderValues(HttpRe`
0	`158`	`{`
0	`159`	`return isProxyAuth ?`
0	`160`	`response.Headers.ProxyAuthenticate :`
0	`161`	`response.Headers.WwwAuthenticate;`
0	`162`	`}`
	`163`
	`164`	`private static void SetRequestAuthenticationHeaderValue(HttpRequestMessage request, AuthenticationHeaderValue he`
0	`165`	`{`
0	`166`	`if (isProxyAuth)`
0	`167`	`{`
0	`168`	`request.Headers.ProxyAuthorization = headerValue;`
0	`169`	`}`
	`170`	`else`
0	`171`	`{`
0	`172`	`request.Headers.Authorization = headerValue;`
0	`173`	`}`
0	`174`	`}`
	`175`
	`176`	`private static void SetBasicAuthToken(HttpRequestMessage request, NetworkCredential credential, bool isProxyAuth`
0	`177`	`{`
0	`178`	`string authString = !string.IsNullOrEmpty(credential.Domain) ?`
0	`179`	`credential.Domain + "\\" + credential.UserName + ":" + credential.Password :`
0	`180`	`credential.UserName + ":" + credential.Password;`
	`181`
0	`182`	`string base64AuthString = Convert.ToBase64String(Encoding.UTF8.GetBytes(authString));`
	`183`
0	`184`	`SetRequestAuthenticationHeaderValue(request, new AuthenticationHeaderValue(BasicScheme, base64AuthString), i`
0	`185`	`}`
	`186`
	`187`	`private static async ValueTask<bool> TrySetDigestAuthToken(HttpRequestMessage request, NetworkCredential credent`
0	`188`	`{`
0	`189`	`string? parameter = await GetDigestTokenForCredential(credential, request, digestResponse).ConfigureAwait(fa`
	`190`
	`191`	`// Any errors in obtaining parameter return false and we don't proceed with auth`
0	`192`	`if (string.IsNullOrEmpty(parameter))`
0	`193`	`{`
0	`194`	`if (NetEventSource.Log.IsEnabled())`
0	`195`	`{`
0	`196`	`NetEventSource.AuthenticationError(request.RequestUri, $"Unable to find 'Digest' authentication toke`
0	`197`	`}`
0	`198`	`return false;`
	`199`	`}`
	`200`
0	`201`	`var headerValue = new AuthenticationHeaderValue(DigestScheme, parameter);`
0	`202`	`SetRequestAuthenticationHeaderValue(request, headerValue, isProxyAuth);`
0	`203`	`return true;`
0	`204`	`}`
	`205`
	`206`	`private static ValueTask<HttpResponseMessage> InnerSendAsync(HttpRequestMessage request, bool async, bool isProx`
0	`207`	`{`
0	`208`	`return isProxyAuth ?`
0	`209`	`pool.SendWithVersionDetectionAndRetryAsync(request, async, doRequestAuth, cancellationToken) :`
0	`210`	`pool.SendWithProxyAuthAsync(request, async, doRequestAuth, cancellationToken);`
0	`211`	`}`
	`212`
	`213`	`private static async ValueTask<HttpResponseMessage> SendWithAuthAsync(HttpRequestMessage request, Uri authUri, b`
0	`214`	`{`
	`215`	`// If preauth is enabled and this isn't proxy auth, try to get a basic credential from the`
	`216`	`// preauth credentials cache, and if successful, set an auth header for it onto the request.`
	`217`	`// Currently we only support preauth for Basic.`
0	`218`	`NetworkCredential? preAuthCredential = null;`
0	`219`	`Uri? preAuthCredentialUri = null;`
0	`220`	`if (preAuthenticate)`
0	`221`	`{`
0	`222`	`Debug.Assert(pool.PreAuthCredentials != null);`
	`223`	`(Uri uriPrefix, NetworkCredential credential)? preAuthCredentialPair;`
0	`224`	`lock (pool.PreAuthCredentials)`
0	`225`	`{`
	`226`	`// Just look for basic credentials. If in the future we support preauth`
	`227`	`// for other schemes, this will need to search in order of precedence.`
0	`228`	`Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, NegotiateScheme) == null);`
0	`229`	`Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, NtlmScheme) == null);`
0	`230`	`Debug.Assert(pool.PreAuthCredentials.GetCredential(authUri, DigestScheme) == null);`
0	`231`	`preAuthCredentialPair = pool.PreAuthCredentials.GetCredential(authUri, BasicScheme);`
0	`232`	`}`
	`233`
0	`234`	`if (preAuthCredentialPair != null)`
0	`235`	`{`
0	`236`	`(preAuthCredentialUri, preAuthCredential) = preAuthCredentialPair.Value;`
0	`237`	`SetBasicAuthToken(request, preAuthCredential, isProxyAuth);`
0	`238`	`}`
0	`239`	`}`
	`240`
0	`241`	`HttpResponseMessage response = await InnerSendAsync(request, async, isProxyAuth, doRequestAuth, pool, cancel`
	`242`
0	`243`	`if (TryGetAuthenticationChallenge(response, isProxyAuth, authUri, credentials, out AuthenticationChallenge c`
0	`244`	`{`
0	`245`	`switch (challenge.AuthenticationType)`
	`246`	`{`
	`247`	`case AuthenticationType.Digest:`
0	`248`	`if (CredentialCache.DefaultCredentials == credentials)`
0	`249`	`{`
	`250`	`// The DefaultCredentials applies only to NTLM, negotiate, and Kerberos-based authentication`
0	`251`	`break;`
	`252`	`}`
	`253`
0	`254`	`var digestResponse = new DigestResponse(challenge.ChallengeData);`
0	`255`	`if (await TrySetDigestAuthToken(request, challenge.Credential, digestResponse, isProxyAuth).Conf`
0	`256`	`{`
0	`257`	`response.Dispose();`
0	`258`	`response = await InnerSendAsync(request, async, isProxyAuth, doRequestAuth, pool, cancellati`
	`259`
	`260`	`// Retry in case of nonce timeout in server.`
0	`261`	`if (TryGetRepeatedChallenge(response, challenge.SchemeName, isProxyAuth, out string? challen`
0	`262`	`{`
0	`263`	`digestResponse = new DigestResponse(challengeData);`
0	`264`	`if (IsServerNonceStale(digestResponse) &&`
0	`265`	`await TrySetDigestAuthToken(request, challenge.Credential, digestResponse, isProxyAu`
0	`266`	`{`
0	`267`	`response.Dispose();`
0	`268`	`response = await InnerSendAsync(request, async, isProxyAuth, doRequestAuth, pool, ca`
0	`269`	`}`
0	`270`	`}`
0	`271`	`}`
0	`272`	`break;`
	`273`
	`274`	`case AuthenticationType.Basic:`
0	`275`	`if (CredentialCache.DefaultCredentials == credentials)`
0	`276`	`{`
	`277`	`// The DefaultCredentials applies only to NTLM, negotiate, and Kerberos-based authentication`
0	`278`	`break;`
	`279`	`}`
	`280`
0	`281`	`if (preAuthCredential != null)`
0	`282`	`{`
0	`283`	`if (NetEventSource.Log.IsEnabled())`
0	`284`	`{`
0	`285`	`NetEventSource.AuthenticationError(authUri, $"Pre-authentication with {(isProxyAuth ? "p`
0	`286`	`}`
	`287`
0	`288`	`if (challenge.Credential == preAuthCredential)`
0	`289`	`{`
	`290`	`// Pre auth failed, and user supplied credentials are still same, we can stop there.`
0	`291`	`break;`
	`292`	`}`
	`293`
	`294`	`// Pre-auth credentials have changed, continue with the new ones.`
	`295`	`// The old ones will be removed below.`
0	`296`	`}`
	`297`
0	`298`	`response.Dispose();`
0	`299`	`SetBasicAuthToken(request, challenge.Credential, isProxyAuth);`
0	`300`	`response = await InnerSendAsync(request, async, isProxyAuth, doRequestAuth, pool, cancellationTo`
	`301`
0	`302`	`if (preAuthenticate)`
0	`303`	`{`
0	`304`	`switch (response.StatusCode)`
	`305`	`{`
	`306`	`case HttpStatusCode.ProxyAuthenticationRequired:`
	`307`	`case HttpStatusCode.Unauthorized:`
0	`308`	`if (NetEventSource.Log.IsEnabled())`
0	`309`	`{`
0	`310`	`NetEventSource.AuthenticationError(authUri, $"Pre-authentication with {(isProxyA`
0	`311`	`}`
0	`312`	`break;`
	`313`
	`314`	`default:`
0	`315`	`lock (pool.PreAuthCredentials!)`
0	`316`	`{`
	`317`	`// remove previously cached (failing) creds`
0	`318`	`if (preAuthCredentialUri != null)`
0	`319`	`{`
0	`320`	`if (NetEventSource.Log.IsEnabled())`
0	`321`	`{`
0	`322`	`NetEventSource.Info(pool.PreAuthCredentials, $"Removing Basic credential`
0	`323`	`}`
	`324`
0	`325`	`pool.PreAuthCredentials.Remove(preAuthCredentialUri, BasicScheme);`
0	`326`	`}`
	`327`
	`328`	`try`
0	`329`	`{`
0	`330`	`if (NetEventSource.Log.IsEnabled())`
0	`331`	`{`
0	`332`	`NetEventSource.Info(pool.PreAuthCredentials, $"Adding Basic credential t`
0	`333`	`}`
0	`334`	`pool.PreAuthCredentials.Add(authUri, BasicScheme, challenge.Credential);`
0	`335`	`}`
0	`336`	`catch (ArgumentException)`
0	`337`	`{`
	`338`	`// The credential already existed.`
0	`339`	`if (NetEventSource.Log.IsEnabled())`
0	`340`	`{`
0	`341`	`NetEventSource.Info(pool.PreAuthCredentials, $"Basic credential present`
0	`342`	`}`
0	`343`	`}`
0	`344`	`}`
0	`345`	`break;`
	`346`	`}`
0	`347`	`}`
0	`348`	`break;`
	`349`	`}`
0	`350`	`}`
	`351`
0	`352`	`if (NetEventSource.Log.IsEnabled() && response.StatusCode == HttpStatusCode.Unauthorized)`
0	`353`	`{`
0	`354`	`NetEventSource.AuthenticationError(authUri, $"{(isProxyAuth ? "Proxy" : "Server")} authentication failed`
0	`355`	`}`
	`356`
0	`357`	`return response;`
0	`358`	`}`
	`359`
	`360`	`public static ValueTask<HttpResponseMessage> SendWithProxyAuthAsync(HttpRequestMessage request, Uri proxyUri, bo`
0	`361`	`{`
0	`362`	`return SendWithAuthAsync(request, proxyUri, async, proxyCredentials, preAuthenticate: false, isProxyAuth: tr`
0	`363`	`}`
	`364`
	`365`	`public static ValueTask<HttpResponseMessage> SendWithRequestAuthAsync(HttpRequestMessage request, bool async, IC`
0	`366`	`{`
0	`367`	`Debug.Assert(request.RequestUri != null);`
0	`368`	`return SendWithAuthAsync(request, request.RequestUri, async, credentials, preAuthenticate, isProxyAuth: fals`
0	`369`	`}`
	`370`	`}`
	`371`	`}`

D:\runner\runtime\src\libraries\System.Net.Http\src\System\Net\Http\SocketsHttpHandler\AuthenticationHelper.Digest.cs

#	Line	Line coverage
	`1`	`// Licensed to the .NET Foundation under one or more agreements.`
	`2`	`// The .NET Foundation licenses this file to you under the MIT license.`
	`3`
	`4`	`using System.Collections.Generic;`
	`5`	`using System.Diagnostics;`
	`6`	`using System.IO;`
	`7`	`using System.Net;`
	`8`	`using System.Net.Http.Headers;`
	`9`	`using System.Security.Cryptography;`
	`10`	`using System.Text;`
	`11`	`using System.Threading.Tasks;`
	`12`
	`13`	`namespace System.Net.Http`
	`14`	`{`
	`15`	`internal static partial class AuthenticationHelper`
	`16`	`{`
	`17`	`// Define digest constants`
	`18`	`private const string Qop = "qop";`
	`19`	`private const string Auth = "auth";`
	`20`	`private const string AuthInt = "auth-int";`
	`21`	`private const string Domain = "domain";`
	`22`	`private const string Nonce = "nonce";`
	`23`	`private const string NC = "nc";`
	`24`	`private const string Realm = "realm";`
	`25`	`private const string UserHash = "userhash";`
	`26`	`private const string Username = "username";`
	`27`	`private const string UsernameStar = "username*";`
	`28`	`private const string Algorithm = "algorithm";`
	`29`	`private const string Uri = "uri";`
	`30`	`private const string Sha256 = "SHA-256";`
	`31`	`private const string Md5 = "MD5";`
	`32`	`private const string Sha256Sess = "SHA-256-sess";`
	`33`	`private const string MD5Sess = "MD5-sess";`
	`34`	`private const string CNonce = "cnonce";`
	`35`	`private const string Opaque = "opaque";`
	`36`	`private const string Response = "response";`
	`37`	`private const string Stale = "stale";`
	`38`
	`39`	`public static async Task<string?> GetDigestTokenForCredential(NetworkCredential credential, HttpRequestMessage r`
0	`40`	`{`
0	`41`	`StringBuilder sb = StringBuilderCache.Acquire();`
	`42`
	`43`	`// It is mandatory for servers to implement sha-256 per RFC 7616`
	`44`	`// Keep MD5 for backward compatibility.`
	`45`	`string? algorithm;`
0	`46`	`bool isAlgorithmSpecified = digestResponse.Parameters.TryGetValue(Algorithm, out algorithm);`
0	`47`	`if (isAlgorithmSpecified)`
0	`48`	`{`
0	`49`	`if (!algorithm!.Equals(Sha256, StringComparison.OrdinalIgnoreCase) &&`
0	`50`	`!algorithm.Equals(Md5, StringComparison.OrdinalIgnoreCase) &&`
0	`51`	`!algorithm.Equals(Sha256Sess, StringComparison.OrdinalIgnoreCase) &&`
0	`52`	`!algorithm.Equals(MD5Sess, StringComparison.OrdinalIgnoreCase))`
0	`53`	`{`
0	`54`	`if (NetEventSource.Log.IsEnabled()) NetEventSource.Error(digestResponse, $"Algorithm not supported:`
0	`55`	`return null;`
	`56`	`}`
0	`57`	`}`
	`58`	`else`
0	`59`	`{`
0	`60`	`algorithm = Md5;`
0	`61`	`}`
	`62`
	`63`	`// Check if nonce is there in challenge`
	`64`	`string? nonce;`
0	`65`	`if (!digestResponse.Parameters.TryGetValue(Nonce, out nonce))`
0	`66`	`{`
0	`67`	`if (NetEventSource.Log.IsEnabled()) NetEventSource.Error(digestResponse, "Nonce missing");`
0	`68`	`return null;`
	`69`	`}`
	`70`
	`71`	`// opaque token may or may not exist`
	`72`	`string? opaque;`
0	`73`	`digestResponse.Parameters.TryGetValue(Opaque, out opaque);`
	`74`
	`75`	`string? realm;`
0	`76`	`if (!digestResponse.Parameters.TryGetValue(Realm, out realm))`
0	`77`	`{`
0	`78`	`if (NetEventSource.Log.IsEnabled()) NetEventSource.Error(digestResponse, "Realm missing");`
0	`79`	`return null;`
	`80`	`}`
	`81`
	`82`	`// Add username`
	`83`	`string? userhash;`
0	`84`	`if (digestResponse.Parameters.TryGetValue(UserHash, out userhash) && userhash == "true")`
0	`85`	`{`
0	`86`	`sb.AppendKeyValue(Username, ComputeHash(credential.UserName + ":" + realm, algorithm));`
0	`87`	`sb.AppendKeyValue(UserHash, userhash, includeQuotes: false);`
0	`88`	`}`
	`89`	`else`
0	`90`	`{`
0	`91`	`if (!Ascii.IsValid(credential.UserName))`
0	`92`	`{`
0	`93`	`string usernameStar = HeaderUtilities.Encode5987(credential.UserName);`
0	`94`	`sb.AppendKeyValue(UsernameStar, usernameStar, includeQuotes: false);`
0	`95`	`}`
	`96`	`else`
0	`97`	`{`
0	`98`	`sb.AppendKeyValue(Username, credential.UserName);`
0	`99`	`}`
0	`100`	`}`
	`101`
	`102`	`// Add realm`
0	`103`	`sb.AppendKeyValue(Realm, realm);`
	`104`
	`105`	`// Add nonce`
0	`106`	`sb.AppendKeyValue(Nonce, nonce);`
	`107`
0	`108`	`Debug.Assert(request.RequestUri != null);`
	`109`	`// Add uri`
0	`110`	`sb.AppendKeyValue(Uri, request.RequestUri.PathAndQuery);`
	`111`
	`112`	`// Set qop, default is auth`
0	`113`	`string qop = Auth;`
0	`114`	`bool isQopSpecified = digestResponse.Parameters.ContainsKey(Qop);`
0	`115`	`if (isQopSpecified)`
0	`116`	`{`
	`117`	`// Check if auth-int present in qop string`
0	`118`	`int index1 = digestResponse.Parameters[Qop].IndexOf(AuthInt, StringComparison.Ordinal);`
0	`119`	`if (index1 != -1)`
0	`120`	`{`
	`121`	`// Get index of auth if present in qop string`
0	`122`	`int index2 = digestResponse.Parameters[Qop].IndexOf(Auth, StringComparison.Ordinal);`
	`123`
	`124`	`// If index2 < index1, auth option is available`
	`125`	`// If index2 == index1, check if auth option available later in string after auth-int.`
0	`126`	`if (index2 == index1)`
0	`127`	`{`
0	`128`	`index2 = digestResponse.Parameters[Qop].IndexOf(Auth, index1 + AuthInt.Length, StringComparison.`
0	`129`	`if (index2 == -1)`
0	`130`	`{`
0	`131`	`qop = AuthInt;`
0	`132`	`}`
0	`133`	`}`
0	`134`	`}`
0	`135`	`}`
	`136`
	`137`	`// Set cnonce`
0	`138`	`string cnonce = GetRandomAlphaNumericString();`
	`139`
	`140`	`// Calculate response`
0	`141`	`string a1 = credential.UserName + ":" + realm + ":" + credential.Password;`
0	`142`	`if (algorithm.EndsWith("sess", StringComparison.OrdinalIgnoreCase))`
0	`143`	`{`
0	`144`	`a1 = ComputeHash(a1, algorithm) + ":" + nonce + ":" + cnonce;`
0	`145`	`}`
	`146`
0	`147`	`string a2 = request.Method.Method + ":" + request.RequestUri.PathAndQuery;`
0	`148`	`if (qop == AuthInt)`
0	`149`	`{`
0	`150`	`string content = request.Content == null ? string.Empty : await request.Content.ReadAsStringAsync().Conf`
0	`151`	`a2 = a2 + ":" + ComputeHash(content, algorithm);`
0	`152`	`}`
	`153`
	`154`	`string response;`
0	`155`	`if (isQopSpecified)`
0	`156`	`{`
0	`157`	`response = ComputeHash(ComputeHash(a1, algorithm) + ":" +`
0	`158`	`nonce + ":" +`
0	`159`	`DigestResponse.NonceCount + ":" +`
0	`160`	`cnonce + ":" +`
0	`161`	`qop + ":" +`
0	`162`	`ComputeHash(a2, algorithm), algorithm);`
0	`163`	`}`
	`164`	`else`
0	`165`	`{`
0	`166`	`response = ComputeHash(ComputeHash(a1, algorithm) + ":" +`
0	`167`	`nonce + ":" +`
0	`168`	`ComputeHash(a2, algorithm), algorithm);`
0	`169`	`}`
	`170`
	`171`	`// Add response`
0	`172`	`sb.AppendKeyValue(Response, response, includeComma: opaque != null \|\| isAlgorithmSpecified \|\| isQopSpecified`
	`173`
	`174`	`// Add opaque`
0	`175`	`if (opaque != null)`
0	`176`	`{`
0	`177`	`sb.AppendKeyValue(Opaque, opaque, includeComma: isAlgorithmSpecified \|\| isQopSpecified);`
0	`178`	`}`
	`179`
0	`180`	`if (isAlgorithmSpecified)`
0	`181`	`{`
	`182`	`// Add algorithm`
0	`183`	`sb.AppendKeyValue(Algorithm, algorithm, includeQuotes: false, includeComma: isQopSpecified);`
0	`184`	`}`
	`185`
0	`186`	`if (isQopSpecified)`
0	`187`	`{`
	`188`	`// Add qop`
0	`189`	`sb.AppendKeyValue(Qop, qop, includeQuotes: false);`
	`190`
	`191`	`// Add nc`
0	`192`	`sb.AppendKeyValue(NC, DigestResponse.NonceCount, includeQuotes: false);`
	`193`
	`194`	`// Add cnonce`
0	`195`	`sb.AppendKeyValue(CNonce, cnonce, includeComma: false);`
0	`196`	`}`
	`197`
0	`198`	`return StringBuilderCache.GetStringAndRelease(sb);`
0	`199`	`}`
	`200`
	`201`	`public static bool IsServerNonceStale(DigestResponse digestResponse)`
0	`202`	`{`
0	`203`	`return digestResponse.Parameters.TryGetValue(Stale, out string? stale) && stale == "true";`
0	`204`	`}`
	`205`
	`206`	`private static string GetRandomAlphaNumericString()`
0	`207`	`{`
	`208`	`const int Length = 16;`
	`209`	`const string CharacterSet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";`
0	`210`	`return RandomNumberGenerator.GetString(CharacterSet, Length);`
0	`211`	`}`
	`212`
	`213`	`private static string ComputeHash(string data, string algorithm)`
0	`214`	`{`
0	`215`	`Span<byte> hashBuffer = stackalloc byte[SHA256.HashSizeInBytes]; // SHA256 is the largest hash produced`
0	`216`	`byte[] dataBytes = Encoding.UTF8.GetBytes(data);`
	`217`	`int written;`
	`218`
0	`219`	`if (algorithm.StartsWith(Sha256, StringComparison.OrdinalIgnoreCase))`
0	`220`	`{`
0	`221`	`written = SHA256.HashData(dataBytes, hashBuffer);`
0	`222`	`Debug.Assert(written == SHA256.HashSizeInBytes);`
0	`223`	`}`
	`224`	`else`
0	`225`	`{`
	`226`	`// Disable MD5 insecure warning.`
	`227`	`#pragma warning disable CA5351`
0	`228`	`written = MD5.HashData(dataBytes, hashBuffer);`
0	`229`	`Debug.Assert(written == MD5.HashSizeInBytes);`
	`230`	`#pragma warning restore CA5351`
0	`231`	`}`
	`232`
0	`233`	`return Convert.ToHexStringLower(hashBuffer.Slice(0, written));`
0	`234`	`}`
	`235`
	`236`	`internal sealed class DigestResponse`
	`237`	`{`
0	`238`	`internal readonly Dictionary<string, string> Parameters = new Dictionary<string, string>(StringComparer.Ordi`
	`239`	`internal const string NonceCount = "00000001";`
	`240`
0	`241`	`internal DigestResponse(string? challenge)`
0	`242`	`{`
0	`243`	`if (!string.IsNullOrEmpty(challenge))`
0	`244`	`Parse(challenge);`
0	`245`	`}`
	`246`
	`247`	`private static bool CharIsSpaceOrTab(char ch)`
0	`248`	`{`
0	`249`	`return ch == ' ' \|\| ch == '\t';`
0	`250`	`}`
	`251`
	`252`	`private static bool MustValueBeQuoted(string key)`
0	`253`	`{`
	`254`	`// As per the RFC, these string must be quoted for historical reasons.`
0	`255`	`return key.Equals(Realm, StringComparison.OrdinalIgnoreCase) \|\| key.Equals(Nonce, StringComparison.Ordin`
0	`256`	`key.Equals(Opaque, StringComparison.OrdinalIgnoreCase) \|\| key.Equals(Qop, StringComparison.OrdinalIg`
0	`257`	`}`
	`258`
	`259`	`private static string? GetNextKey(string data, int currentIndex, out int parsedIndex)`
0	`260`	`{`
	`261`	`// Skip leading space or tab.`
0	`262`	`while (currentIndex < data.Length && CharIsSpaceOrTab(data[currentIndex]))`
0	`263`	`{`
0	`264`	`currentIndex++;`
0	`265`	`}`
	`266`
	`267`	`// Start parsing key`
0	`268`	`int start = currentIndex;`
	`269`
	`270`	`// Parse till '=' is encountered marking end of key.`
	`271`	`// Key cannot contain space or tab, break if either is found.`
0	`272`	`while (currentIndex < data.Length && data[currentIndex] != '=' && !CharIsSpaceOrTab(data[currentIndex]))`
0	`273`	`{`
0	`274`	`currentIndex++;`
0	`275`	`}`
	`276`
0	`277`	`if (currentIndex == data.Length)`
0	`278`	`{`
	`279`	`// Key didn't terminate with '='`
0	`280`	`parsedIndex = currentIndex;`
0	`281`	`return null;`
	`282`	`}`
	`283`
	`284`	`// Record end of key.`
0	`285`	`int length = currentIndex - start;`
0	`286`	`if (CharIsSpaceOrTab(data[currentIndex]))`
0	`287`	`{`
	`288`	`// Key parsing terminated due to ' ' or '\t'.`
	`289`	`// Parse till '=' is found.`
0	`290`	`while (currentIndex < data.Length && CharIsSpaceOrTab(data[currentIndex]))`
0	`291`	`{`
0	`292`	`currentIndex++;`
0	`293`	`}`
	`294`
0	`295`	`if (currentIndex == data.Length \|\| data[currentIndex] != '=')`
0	`296`	`{`
	`297`	`// Key is invalid.`
0	`298`	`parsedIndex = currentIndex;`
0	`299`	`return null;`
	`300`	`}`
0	`301`	`}`
	`302`
	`303`	`// Skip trailing space and tab and '='`
0	`304`	`while (currentIndex < data.Length && (CharIsSpaceOrTab(data[currentIndex]) \|\| data[currentIndex] == '=')`
0	`305`	`{`
0	`306`	`currentIndex++;`
0	`307`	`}`
	`308`
	`309`	`// Set the parsedIndex to current valid char.`
0	`310`	`parsedIndex = currentIndex;`
0	`311`	`return data.Substring(start, length);`
0	`312`	`}`
	`313`
	`314`	`private static string? GetNextValue(string data, int currentIndex, bool expectQuotes, out int parsedIndex)`
0	`315`	`{`
0	`316`	`Debug.Assert(currentIndex < data.Length && !CharIsSpaceOrTab(data[currentIndex]));`
	`317`
	`318`	`// If quoted value, skip first quote.`
0	`319`	`bool quotedValue = false;`
0	`320`	`if (data[currentIndex] == '"')`
0	`321`	`{`
0	`322`	`quotedValue = true;`
0	`323`	`currentIndex++;`
0	`324`	`}`
	`325`
0	`326`	`if (expectQuotes && !quotedValue)`
0	`327`	`{`
0	`328`	`parsedIndex = currentIndex;`
0	`329`	`return null;`
	`330`	`}`
	`331`
0	`332`	`StringBuilder sb = StringBuilderCache.Acquire();`
0	`333`	`while (currentIndex < data.Length && ((quotedValue && data[currentIndex] != '"') \|\| (!quotedValue && dat`
0	`334`	`{`
0	`335`	`sb.Append(data[currentIndex]);`
0	`336`	`currentIndex++;`
	`337`
0	`338`	`if (currentIndex == data.Length)`
0	`339`	`break;`
	`340`
0	`341`	`if (!quotedValue && CharIsSpaceOrTab(data[currentIndex]))`
0	`342`	`break;`
	`343`
0	`344`	`if (quotedValue && data[currentIndex] == '"' && data[currentIndex - 1] == '\\')`
0	`345`	`{`
	`346`	`// Include the escaped quote.`
0	`347`	`sb.Append(data[currentIndex]);`
0	`348`	`currentIndex++;`
0	`349`	`}`
0	`350`	`}`
	`351`
	`352`	`// Skip the quote.`
0	`353`	`if (quotedValue)`
0	`354`	`currentIndex++;`
	`355`
	`356`	`// Skip any whitespace.`
0	`357`	`while (currentIndex < data.Length && CharIsSpaceOrTab(data[currentIndex]))`
0	`358`	`currentIndex++;`
	`359`
	`360`	`// Return if this is last value.`
0	`361`	`if (currentIndex == data.Length)`
0	`362`	`{`
0	`363`	`parsedIndex = currentIndex;`
0	`364`	`return StringBuilderCache.GetStringAndRelease(sb);`
	`365`	`}`
	`366`
	`367`	`// A key-value pair should end with ','`
0	`368`	`if (data[currentIndex++] != ',')`
0	`369`	`{`
0	`370`	`parsedIndex = currentIndex;`
0	`371`	`return null;`
	`372`	`}`
	`373`
	`374`	`// Skip space and tab`
0	`375`	`while (currentIndex < data.Length && CharIsSpaceOrTab(data[currentIndex]))`
0	`376`	`{`
0	`377`	`currentIndex++;`
0	`378`	`}`
	`379`
	`380`	`// Set parsedIndex to current valid char.`
0	`381`	`parsedIndex = currentIndex;`
0	`382`	`return StringBuilderCache.GetStringAndRelease(sb);`
0	`383`	`}`
	`384`
	`385`	`private void Parse(string challenge)`
0	`386`	`{`
0	`387`	`int parsedIndex = 0;`
0	`388`	`while (parsedIndex < challenge.Length)`
0	`389`	`{`
	`390`	`// Get the key.`
0	`391`	`string? key = GetNextKey(challenge, parsedIndex, out parsedIndex);`
	`392`	`// Ensure key is not empty and parsedIndex is still in range.`
0	`393`	`if (string.IsNullOrEmpty(key) \|\| parsedIndex >= challenge.Length)`
0	`394`	`break;`
	`395`
	`396`	`// Get the value.`
0	`397`	`string? value = GetNextValue(challenge, parsedIndex, MustValueBeQuoted(key), out parsedIndex);`
0	`398`	`if (value == null)`
0	`399`	`break;`
	`400`
	`401`	`// Ensure value is valid.`
	`402`	`// Opaque, Domain and Realm can have empty string`
0	`403`	`if (value == string.Empty &&`
0	`404`	`!key.Equals(Opaque, StringComparison.OrdinalIgnoreCase) &&`
0	`405`	`!key.Equals(Domain, StringComparison.OrdinalIgnoreCase) &&`
0	`406`	`!key.Equals(Realm, StringComparison.OrdinalIgnoreCase))`
0	`407`	`break;`
	`408`
	`409`	`// Add the key-value pair to Parameters.`
0	`410`	`Parameters.Add(key, value);`
0	`411`	`}`
0	`412`	`}`
	`413`	`}`
	`414`	`}`
	`415`
	`416`	`internal static class StringBuilderExtensions`
	`417`	`{`
	`418`	`public static void AppendKeyValue(this StringBuilder sb, string key, string value, bool includeQuotes = true, bo`
	`419`	`{`
	`420`	`sb.Append(key).Append('=');`
	`421`
	`422`	`if (includeQuotes)`
	`423`	`{`
	`424`	`ReadOnlySpan<char> valueSpan = value;`
	`425`	`sb.Append('"');`
	`426`	`while (true)`
	`427`	`{`
	`428`	`int i = valueSpan.IndexOfAny('"', '\\'); // Characters that require escaping in quoted string`
	`429`	`if (i >= 0)`
	`430`	`{`
	`431`	`sb.Append(valueSpan.Slice(0, i)).Append('\\').Append(valueSpan[i]);`
	`432`	`valueSpan = valueSpan.Slice(i + 1);`
	`433`	`}`
	`434`	`else`
	`435`	`{`
	`436`	`sb.Append(valueSpan);`
	`437`	`break;`
	`438`	`}`
	`439`	`}`
	`440`	`sb.Append('"');`
	`441`	`}`
	`442`	`else`
	`443`	`{`
	`444`	`sb.Append(value);`
	`445`	`}`
	`446`
	`447`	`if (includeComma)`
	`448`	`{`
	`449`	`sb.Append(',').Append(' ');`
	`450`	`}`
	`451`	`}`
	`452`	`}`
	`453`	`}`

D:\runner\runtime\src\libraries\System.Net.Http\src\System\Net\Http\SocketsHttpHandler\AuthenticationHelper.NtAuth.cs

#	Line	Line coverage
	`1`	`// Licensed to the .NET Foundation under one or more agreements.`
	`2`	`// The .NET Foundation licenses this file to you under the MIT license.`
	`3`
	`4`	`using System.Collections.Generic;`
	`5`	`using System.ComponentModel;`
	`6`	`using System.Diagnostics;`
	`7`	`using System.Net;`
	`8`	`using System.Net.Http.Headers;`
	`9`	`using System.Net.Security;`
	`10`	`using System.Security.Authentication.ExtendedProtection;`
	`11`	`using System.Security.Principal;`
	`12`	`using System.Threading;`
	`13`	`using System.Threading.Tasks;`
	`14`
	`15`	`namespace System.Net.Http`
	`16`	`{`
	`17`	`internal static partial class AuthenticationHelper`
	`18`	`{`
	`19`	`private const string UsePortInSpnCtxSwitch = "System.Net.Http.UsePortInSpn";`
	`20`	`private const string UsePortInSpnEnvironmentVariable = "DOTNET_SYSTEM_NET_HTTP_USEPORTINSPN";`
	`21`
0	`22`	`private static volatile int s_usePortInSpn = -1;`
	`23`
	`24`	`private static bool UsePortInSpn`
	`25`	`{`
	`26`	`get`
0	`27`	`{`
0	`28`	`int usePortInSpn = s_usePortInSpn;`
0	`29`	`if (usePortInSpn != -1)`
0	`30`	`{`
0	`31`	`return usePortInSpn != 0;`
	`32`	`}`
	`33`
	`34`	`// First check for the AppContext switch, giving it priority over the environment variable.`
0	`35`	`if (AppContext.TryGetSwitch(UsePortInSpnCtxSwitch, out bool value))`
0	`36`	`{`
0	`37`	`s_usePortInSpn = value ? 1 : 0;`
0	`38`	`}`
	`39`	`else`
0	`40`	`{`
	`41`	`// AppContext switch wasn't used. Check the environment variable.`
0	`42`	`s_usePortInSpn =`
0	`43`	`Environment.GetEnvironmentVariable(UsePortInSpnEnvironmentVariable) is string envVar &&`
0	`44`	`(envVar == "1" \|\| envVar.Equals("true", StringComparison.OrdinalIgnoreCase)) ? 1 : 0;`
0	`45`	`}`
	`46`
0	`47`	`return s_usePortInSpn != 0;`
0	`48`	`}`
	`49`	`}`
	`50`
	`51`	`private static Task<HttpResponseMessage> InnerSendAsync(HttpRequestMessage request, bool async, bool isProxyAuth`
0	`52`	`{`
0	`53`	`return isProxyAuth ?`
0	`54`	`connection.SendAsync(request, async, cancellationToken) :`
0	`55`	`pool.SendWithNtProxyAuthAsync(connection, request, async, cancellationToken);`
0	`56`	`}`
	`57`
	`58`	`private static bool ProxySupportsConnectionAuth(HttpResponseMessage response)`
0	`59`	`{`
0	`60`	`if (!response.Headers.TryGetValues(KnownHeaders.ProxySupport.Descriptor, out IEnumerable<string>? values))`
0	`61`	`{`
0	`62`	`return false;`
	`63`	`}`
	`64`
0	`65`	`foreach (string v in values)`
0	`66`	`{`
0	`67`	`if (v.Equals("Session-Based-Authentication", StringComparison.OrdinalIgnoreCase))`
0	`68`	`{`
0	`69`	`return true;`
	`70`	`}`
0	`71`	`}`
	`72`
0	`73`	`return false;`
0	`74`	`}`
	`75`
	`76`	`private static async Task<HttpResponseMessage> SendWithNtAuthAsync(HttpRequestMessage request, Uri authUri, bool`
0	`77`	`{`
0	`78`	`HttpResponseMessage response = await InnerSendAsync(request, async, isProxyAuth, connectionPool, connection,`
0	`79`	`if (!isProxyAuth && connection.Kind == HttpConnectionKind.Proxy && !ProxySupportsConnectionAuth(response))`
0	`80`	`{`
	`81`	`// Proxy didn't indicate that it supports connection-based auth, so we can't proceed.`
0	`82`	`if (NetEventSource.Log.IsEnabled())`
0	`83`	`{`
0	`84`	`NetEventSource.Error(connection, $"Proxy doesn't support connection-based auth, uri={authUri}");`
0	`85`	`}`
0	`86`	`return response;`
	`87`	`}`
	`88`
0	`89`	`if (TryGetAuthenticationChallenge(response, isProxyAuth, authUri, credentials, out AuthenticationChallenge c`
0	`90`	`{`
0	`91`	`if (challenge.AuthenticationType == AuthenticationType.Negotiate \|\|`
0	`92`	`challenge.AuthenticationType == AuthenticationType.Ntlm)`
0	`93`	`{`
0	`94`	`bool isNewConnection = false;`
0	`95`	`bool needDrain = true;`
	`96`	`try`
0	`97`	`{`
0	`98`	`if (response.Headers.ConnectionClose.GetValueOrDefault())`
0	`99`	`{`
	`100`	`// Server is closing the connection and asking us to authenticate on a new connection.`
	`101`
	`102`	`// First, detach the current connection from the pool. This means it will no longer count ag`
	`103`	`// Instead, it will be replaced by the new connection below.`
0	`104`	`connection.DetachFromPool();`
	`105`
0	`106`	`connection = await connectionPool.CreateHttp11ConnectionAsync(request, async, cancellationTo`
0	`107`	`connection!.Acquire();`
0	`108`	`isNewConnection = true;`
0	`109`	`needDrain = false;`
0	`110`	`}`
	`111`
0	`112`	`if (NetEventSource.Log.IsEnabled())`
0	`113`	`{`
0	`114`	`NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, Uri: {auth`
0	`115`	`}`
	`116`
	`117`	`// Calculate SPN (Service Principal Name) using the host name of the request.`
	`118`	`// Use the request's 'Host' header if available. Otherwise, use the request uri.`
	`119`	`// Ignore the 'Host' header if this is proxy authentication since we need to use`
	`120`	`// the host name of the proxy itself for SPN calculation.`
	`121`	`string hostName;`
0	`122`	`if (!isProxyAuth && request.HasHeaders && request.Headers.Host != null)`
0	`123`	`{`
	`124`	`// Use the host name without any normalization.`
0	`125`	`hostName = request.Headers.Host;`
0	`126`	`if (NetEventSource.Log.IsEnabled())`
0	`127`	`{`
0	`128`	`NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, Host:`
0	`129`	`}`
0	`130`	`}`
	`131`	`else`
0	`132`	`{`
	`133`	`// Need to use FQDN normalized host so that CNAME's are traversed.`
	`134`	`// Use DNS to do the forward lookup to an A (host) record.`
	`135`	`// But skip DNS lookup on IP literals. Otherwise, we would end up`
	`136`	`// doing an unintended reverse DNS lookup.`
0	`137`	`UriHostNameType hnt = authUri.HostNameType;`
0	`138`	`if (hnt == UriHostNameType.IPv6 \|\| hnt == UriHostNameType.IPv4)`
0	`139`	`{`
0	`140`	`hostName = authUri.IdnHost;`
0	`141`	`}`
	`142`	`else`
0	`143`	`{`
0	`144`	`IPHostEntry result = await Dns.GetHostEntryAsync(authUri.IdnHost, cancellationToken).Con`
0	`145`	`hostName = result.HostName;`
0	`146`	`}`
	`147`
0	`148`	`if (!isProxyAuth && !authUri.IsDefaultPort && UsePortInSpn)`
0	`149`	`{`
0	`150`	`hostName = string.Create(null, stackalloc char[128], $"{hostName}:{authUri.Port}");`
0	`151`	`}`
0	`152`	`}`
	`153`
0	`154`	`string spn = "HTTP/" + hostName;`
0	`155`	`if (NetEventSource.Log.IsEnabled())`
0	`156`	`{`
0	`157`	`NetEventSource.Info(connection, $"Authentication: {challenge.AuthenticationType}, SPN: {spn}`
0	`158`	`}`
	`159`
0	`160`	`ProtectionLevel requiredProtectionLevel = ProtectionLevel.None;`
	`161`	`// When connecting to proxy server don't enforce the integrity to avoid`
	`162`	`// compatibility issues. The assumption is that the proxy server comes`
	`163`	`// from a trusted source. On macOS we always need to enforce the integrity`
	`164`	`// to avoid the GSSAPI implementation generating corrupted authentication`
	`165`	`// tokens.`
0	`166`	`if (!isProxyAuth \|\| OperatingSystem.IsMacOS())`
0	`167`	`{`
0	`168`	`requiredProtectionLevel = ProtectionLevel.Sign;`
0	`169`	`}`
	`170`
0	`171`	`NegotiateAuthenticationClientOptions authClientOptions = new NegotiateAuthenticationClientOption`
0	`172`	`{`
0	`173`	`Package = challenge.SchemeName,`
0	`174`	`Credential = challenge.Credential,`
0	`175`	`TargetName = spn,`
0	`176`	`RequiredProtectionLevel = requiredProtectionLevel,`
0	`177`	`Binding = connection.TransportContext?.GetChannelBinding(ChannelBindingKind.Endpoint),`
0	`178`	`AllowedImpersonationLevel = impersonationLevel`
0	`179`	`};`
	`180`
0	`181`	`using NegotiateAuthentication authContext = new NegotiateAuthentication(authClientOptions);`
0	`182`	`string? challengeData = challenge.ChallengeData;`
	`183`	`NegotiateAuthenticationStatusCode statusCode;`
0	`184`	`while (true)`
0	`185`	`{`
0	`186`	`string? challengeResponse = authContext.GetOutgoingBlob(challengeData, out statusCode);`
0	`187`	`if (statusCode > NegotiateAuthenticationStatusCode.ContinueNeeded \|\| challengeResponse == nu`
0	`188`	`{`
	`189`	`// Response indicated denial even after login, so stop processing and return current res`
0	`190`	`break;`
	`191`	`}`
	`192`
0	`193`	`if (needDrain)`
0	`194`	`{`
0	`195`	`await connection.DrainResponseAsync(response!, cancellationToken).ConfigureAwait(false);`
0	`196`	`}`
	`197`
0	`198`	`SetRequestAuthenticationHeaderValue(request, new AuthenticationHeaderValue(challenge.SchemeN`
	`199`
0	`200`	`response = await InnerSendAsync(request, async, isProxyAuth, connectionPool, connection, can`
0	`201`	`if (authContext.IsAuthenticated \|\| !TryGetChallengeDataForScheme(challenge.SchemeName, GetRe`
0	`202`	`{`
0	`203`	`break;`
	`204`	`}`
	`205`
0	`206`	`if (!IsAuthenticationChallenge(response, isProxyAuth))`
0	`207`	`{`
	`208`	`// Tail response for Negotiate on successful authentication. Validate it before we proce`
0	`209`	`authContext.GetOutgoingBlob(challengeData, out statusCode);`
0	`210`	`if (statusCode > NegotiateAuthenticationStatusCode.ContinueNeeded)`
0	`211`	`{`
0	`212`	`isNewConnection = false;`
0	`213`	`connection.Dispose();`
0	`214`	`throw new HttpRequestException(HttpRequestError.UserAuthenticationError, SR.Format(S`
	`215`	`}`
0	`216`	`break;`
	`217`	`}`
	`218`
0	`219`	`needDrain = true;`
0	`220`	`}`
0	`221`	`}`
	`222`	`finally`
0	`223`	`{`
0	`224`	`if (isNewConnection)`
0	`225`	`{`
0	`226`	`connection!.Release();`
0	`227`	`}`
0	`228`	`}`
0	`229`	`}`
0	`230`	`}`
	`231`
0	`232`	`return response!;`
0	`233`	`}`
	`234`
	`235`	`public static Task<HttpResponseMessage> SendWithNtProxyAuthAsync(HttpRequestMessage request, Uri proxyUri, bool`
0	`236`	`{`
0	`237`	`return SendWithNtAuthAsync(request, proxyUri, async, proxyCredentials, impersonationLevel, isProxyAuth: true`
0	`238`	`}`
	`239`
	`240`	`public static Task<HttpResponseMessage> SendWithNtConnectionAuthAsync(HttpRequestMessage request, bool async, IC`
0	`241`	`{`
0	`242`	`Debug.Assert(request.RequestUri != null);`
0	`243`	`return SendWithNtAuthAsync(request, request.RequestUri, async, credentials, impersonationLevel, isProxyAuth:`
0	`244`	`}`
	`245`	`}`
	`246`	`}`

Methods/Properties