curl-library
RE: Digest auth failing on Windows
Date: Sun, 22 Feb 2015 00:57:56 -0300
My knowledge in C++ is very vague, but I tried to go bug hunting on this one, at least to learn something, this is what I found after some debugging:
The issue is probably in the function Curl_create_sspi_identity (curl_sspi.c:170).
I found that the SEC_WINNT_AUTH_IDENTITY[1] struct has a member named Domain, and their value is what is sent as the realm for the connection, currently libcurl seens to take into consideration for the Domain the string before "/" and "\" in the username, like in: domain\user:pass or domain/user:pass, but ignores the realm coming from the headers sent by the server.
I was able to authenticate after running curl with the following args:
>curl.x86.exe --digest --user "digest\user:pass" 127.0.0.1:3000 -v
* Rebuilt URL to: 127.0.0.1:3000/
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
* Server auth using Digest with user 'digest\user'
> GET / HTTP/1.1
> User-Agent: curl/7.40.0-DEV
> Host: 127.0.0.1:3000
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< X-Powered-By: Express
< Content-Type: text/plain
< WWW-Authenticate: Digest realm="digest", qop="auth", nonce="d82be76fd3b91b4675687085c76cefef", algorithm="MD5", stale="false"
< Date: Sun, 22 Feb 2015 03:53:36 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked
<
* Ignoring the response-body
* Connection #0 to host 127.0.0.1 left intact
* Issue another request to this URL: 'http://127.0.0.1:3000/'
* Found bundle for host 127.0.0.1: 0x9783e0
* Re-using existing connection! (#0) with host 127.0.0.1
* Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
* Server auth using Digest with user 'digest\user'
> GET / HTTP/1.1
> Authorization: Digest username="user",realm="digest",nonce="d82be76fd3b91b4675687085c76cefef",uri="/",cnonce="fad005a5e908edd46a794e695fbb3845",nc=00000001,algorithm=MD5,response="8be858e7b1385bf2ebaa14033065b80f",qop="auth"
> User-Agent: curl/7.40.0-DEV
> Host: 127.0.0.1:3000
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Powered-By: Express
< content-type: text/html; charset=utf-8
< content-length: 4
< etag: "-1919691191"
< Date: Sun, 22 Feb 2015 03:53:36 GMT
< Connection: keep-alive
<
user* Connection #0 to host 127.0.0.1 left intact
[1] = https://msdn.microsoft.com/en-us/library/windows/desktop/aa378664%28v=vs.85%29.aspx
----------------------------------------
> From: well.bad_at_hotmail.com
> To: curl-library_at_cool.haxx.se
> Subject: Digest auth failing on Windows
> Date: Fri, 20 Feb 2015 20:53:16 -0200
>
> Initially I've posted this issue in the curl-users mailing list, but as I think this is a library issue, I'm cross posting it here with more details.
>
> Doing a request which uses digest authentication fails on windows when the libcurl version is>= 7.40. The only thing I can see different is that the realm is "lost" when sending the Authorization header.
>
> Request using libcurl 7.40 (commit 9ce2d7001939b795b45a8ce7700d1a3dcde0475d):
> E:\curl\builds>libcurl-vc11-x86-release-static-ipv6-sspi\bin\curl.exe -V
> curl 7.40.0-DEV (i386-pc-win32) libcurl/7.40.0-DEV WinIDN
> Protocols: dict file ftp gopher http imap ldap pop3 rtsp smb smtp telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM
>
> E:\curl\builds>libcurl-vc11-x86-release-static-ipv6-sspi\bin\curl.exe --user user:pass --digest -v 127.0.0.1:3000
> * Rebuilt URL to: 127.0.0.1:3000/
> * Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
> * Server auth using Digest with user 'user'
>> GET / HTTP/1.1
>> User-Agent: curl/7.40.0-DEV
>> Host: 127.0.0.1:3000
>> Accept: */*
>>
> < HTTP/1.1 401 Unauthorized
> < X-Powered-By: Express
> < Content-Type: text/plain
> < WWW-Authenticate: Digest realm="digest", qop="auth", nonce="263cb0fd8be1f9212eda9758ab2a4e5c", algorithm="MD5", stale="false"
> < Date: Fri, 20 Feb 2015 22:40:32 GMT
> < Connection: keep-alive
> < Transfer-Encoding: chunked
> <
> * Ignoring the response-body
> * Connection #0 to host 127.0.0.1 left intact
> * Issue another request to this URL: 'http://127.0.0.1:3000/'
> * Found bundle for host 127.0.0.1: 0x5bfcb8
> * Re-using existing connection! (#0) with host 127.0.0.1
> * Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
> * Server auth using Digest with user 'user'
>> GET / HTTP/1.1
>> Authorization: Digest username="user",realm="",nonce="263cb0fd8be1f9212eda9758ab2a4e5c",uri="/",cnonce="f57d54728981e2f5d860060bbcce94f7",nc=00000001,algorithm=MD5,response="b0fa5ff4efccbbfb4c3a40ae171f2795",qop="auth"
>> User-Agent: curl/7.40.0-DEV
>> Host: 127.0.0.1:3000
>> Accept: */*
>>
> < HTTP/1.1 401 Unauthorized
> < X-Powered-By: Express
> < Content-Type: text/plain
> * Authentication problem. Ignoring this.
> < WWW-Authenticate: Digest realm="digest", qop="auth", nonce="40902141ad26807a6b0e5897e51dc86d", algorithm="MD5", stale="false"
> < Date: Fri, 20 Feb 2015 22:40:32 GMT
> < Connection: keep-alive
> < Transfer-Encoding: chunked
> <
> 401 Unauthorized* Connection #0 to host 127.0.0.1 left intact
>
> ---
>
> Same request, but with libcurl 7.39 (commit 303bfc1024d948a5ba134ccfc106f82c0b4fd675):
> E:\curl\builds>libcurl-vc11-x86-release-static-ipv6-sspi\bin\curl.exe -V
> curl 7.38.1-DEV (i386-pc-win32) libcurl/7.38.1-DEV WinIDN
> Protocols: dict file ftp gopher http imap ldap pop3 rtsp smtp telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile SSPI SPNEGO NTLM
>
> E:\curl\builds>libcurl-vc11-x86-release-static-ipv6-sspi\bin\curl.exe --user user:pass --digest -v 127.0.0.1:3000
> * Rebuilt URL to: 127.0.0.1:3000/
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
> * Server auth using Digest with user 'user'
>> GET / HTTP/1.1
>> User-Agent: curl/7.38.1-DEV
>> Host: 127.0.0.1:3000
>> Accept: */*
>>
> < HTTP/1.1 401 Unauthorized
> < X-Powered-By: Express
> < Content-Type: text/plain
> < WWW-Authenticate: Digest realm="digest", qop="auth", nonce="7287239a2bb9f24adb13b8ab303c5e69", algorithm="MD5", stale="false"
> < Date: Fri, 20 Feb 2015 22:50:41 GMT
> < Connection: keep-alive
> < Transfer-Encoding: chunked
> <
> * Ignoring the response-body
> * Connection #0 to host 127.0.0.1 left intact
> * Issue another request to this URL: 'http://127.0.0.1:3000/'
> * Found bundle for host 127.0.0.1: 0x4ffce8
> * Re-using existing connection! (#0) with host 127.0.0.1
> * Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
> * WARNING: Using weak random seed
> * Server auth using Digest with user 'user'
>> GET / HTTP/1.1
>> Authorization: Digest username="user", realm="digest", nonce="7287239a2bb9f24adb13b8ab303c5e69", uri="/", cnonce="NWI0MmZjOTgzZDhkY2YwYjVlMjQ4ZTRjZDZiN2JiMDc=", nc=00000001, qop=auth, response="f9ff07e309c8954a5c660db4027aaca0", algorithm="MD5"
>> User-Agent: curl/7.38.1-DEV
>> Host: 127.0.0.1:3000
>> Accept: */*
>>
> < HTTP/1.1 200 OK
> < X-Powered-By: Express
> < content-type: text/html; charset=utf-8
> < content-length: 4
> < etag: "-1919691191"
> < Date: Fri, 20 Feb 2015 22:50:41 GMT
> < Connection: keep-alive
> <
> Hello!* Connection #0 to host 127.0.0.1 left intact
>
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-library
> Etiquette: http://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-02-22