Bugs item #3172608, was opened at 2011-02-04 12:07
Message generated for change (Comment added) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3172608&group_id=976
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: bad behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Pierre F BESSON (pfbesson)
Assigned to: Daniel Stenberg (bagder)
Summary: No re-authentication when HTTP connecton is closed
Initial Comment:
When accessing an httpd server configured with KeepAlive on & MaxKeepAliveRequests 100 and Kerberos authentication, libcurl authenticates the first time the connexion is opened and reusing the connexion for 100 requests, but when the connexion is closed by the server and re-athentication must happen, the authentication automat of curl responds to the 401 status by incorrectly detecting "Athentication problem" and not resending the authentication because he remembers having already done so 100 requests before ! Status of the authentication automat should be reset when at least one request succeds ?
The error is detected around line 737 in http.c.
Version is libcurl 7.21.3 on RedHat using gssapi on httpd v2.2 kerberized
Sorry, I cannot provide the trace of the session, it is on a classified system.
----------------------------------------------------------------------
>Comment By: Daniel Stenberg (bagder)
Date: 2011-04-11 22:24
Message:
Hi again and sorry for the delay. I've been hoping for someone else to show
interest in this issue but I've failed.
Can you please attach your patch to this entry using the "add a file"
feature down the page so that I can apply it more easily in my end?
----------------------------------------------------------------------
Comment By: Pierre F BESSON (pfbesson)
Date: 2011-02-14 18:21
Message:
(I discarded the comments in french in my version)
diff -u ../CClasses/Curl/lib/http.c ../CClasses/curl-7.21.2/lib/http.c
--- ../CClasses/Curl/lib/http.c 2011-02-14 17:52:24.000000000 +0100
+++ ../CClasses/curl-7.21.2/lib/http.c 2010-10-10 23:22:27.000000000
+0200
@@ -3517,11 +3517,6 @@
k->ignorecl = TRUE; /* ignore Content-Length headers */
break;
default:
-#ifdef HAVE_GSSAPI
- if( k->httpcode >= 200 && k->httpcode < 300 )
- {
- conn->data->state.negotiate.state = GSS_AUTHNONE;
- }
-#endif
/* nothing */
break;
}
diff -u ../CClasses/Curl/lib/http_negotiate.c
../CClasses/curl-7.21.2/lib/http_negotiate.c
--- ../CClasses/Curl/lib/http_negotiate.c 2011-02-14 17:52:35.000000000
+0100
+++ ../CClasses/curl-7.21.2/lib/http_negotiate.c 2010-09-18
23:00:21.000000000 +0200
@@ -355,9 +355,7 @@
if(neg_ctx->server_name != GSS_C_NO_NAME)
gss_release_name(&minor_status, &neg_ctx->server_name);
- int savedState = neg_ctx->state;
memset(neg_ctx, 0, sizeof(*neg_ctx));
- neg_ctx->state = savedState;
}
void Curl_cleanup_negotiate(struct SessionHandle *data)
Sorry, I made the diff command the wrong way : - are in reality + !!!
----------------------------------------------------------------------
Comment By: Daniel Stenberg (bagder)
Date: 2011-02-08 22:52
Message:
Thanks for your report and analysis!
Can you please do a "diff -u" (or git diff) output with your suggested
changes and submit it here so that we get to see exactly what you suggest?
----------------------------------------------------------------------
Comment By: Pierre F BESSON (pfbesson)
Date: 2011-02-04 17:59
Message:
I modified the source to have a workaround but I am not an expert in HTTP
nor in libcurl, so I submit this "as is".
First, there is a problem in the last lines of http_negotiate.c, in the
cleanup function, the memset resets the state of the authentication automat
to zero during the authentication process. Luckily, nobody depends on the
state when it is in GSS_AUTHRECV. The function should memorize the state,
then memset then restore the state. There are perhaps other values to save
and restore..?
Second, I inserted near line 3520 of http.c (into the default of the
switch) a test that resets the state of the autentication automat to NONE
when the httpcode is something between 200 and 299 (ie when the request
succeds). Thus next time the authentication process starts, the automat is
in its start state. I didn't make the changes on the proxy part of the
function because I do not have any proxy to test the change.
If someone knowing better http and libcurl than me could validate the
workaround, it would be a great help.
Thank you in advance.
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3172608&group_id=976
Received on 2011-04-11