curl-tracker Archives
[ curl-Bugs-3545398 ] authp->picked not being cleared on failed auth
From: SourceForge.net <noreply_at_sourceforge.net>
Date: Thu, 26 Jul 2012 14:07:58 -0700
Bugs item #3545398, was opened at 2012-07-18 07:06
Please note that this message will contain a full copy of the comment thread,
Initial Comment:
I'm trying to set up an app to connect to a server that supports GSS-Negotiate and NTLM auth. If the client-side auth setup is incorrect I want to fall back to using NTLM.
So this is pretty simple:
void doRequest(const char* url, const char* username, const char* password, bool allowNegotiate)
CURL* handle = curl_easy_init();
// expect one 401 to be sent during auth setup; anything more than that means auth failed
We set up a request allowing CURLAUTH_NTLM | CURLAUTH_GSSNEGOTIATE and, if it receives too many 401 errors, send it again with just CURLAUTH_NTLM.
To both requests, the server will send back:
WWW-Authenticate: Negotiate
The problem comes in Curl_http_input_auth:
if(checkprefix("GSS-Negotiate", start) ||
if(authp->picked == CURLAUTH_GSSNEGOTIATE) {
The first time through, it reads the Negotiate header, updates "avail", and then does nothing since "picked" is 0. After reading all the headers, it will set "picked" to CURLAUTH_GSSNEGOTIATE because that's the highest priority, and attempt to output a negotiate header. (Which will fail because, for this test, GSS auth is set up wrong.)
The second time through, it reads the Negotiate header, updates "avail", and then goes into the "if" statement because "picked" is still CURLAUTH_NEGOTIATE from the first pass. Even though we're using a different handle! It then calls Curl_input_negotiate, which will call some gss functions and return an error code when they fail. It then sets authproblem to TRUE, which means that even though it reads the NTLM header it will not continue to send the NTLM auth as we want. It seems to me that it should be ignoring this Negotiate header entirely, since in this second pass CURLAUTH_GSSNEGOTIATE isn't even included in CURLOPT_HTTPAUTH.
(I've also tried adding CURLOPT_FRESH_CONNECT when allowNegotiate is false, to force it to use a new connection, but "picked" is still set.)
So it looks like "picked" should be cleared at some point when Negotiate auth fails, so that it doesn't keep trying to use it for further requests. But I'm not sure where this should be done.
Another option would be to change that if statement to "if(authp->picked == CURLAUTH_GSSNEGOTIATE && authp->want & CURLAUTH_GSSNEGOTIATE)", so that if we don't want negotiate it just ignores the value of picked here, but I think that would just be hiding the problem.
----------------------------------------------------------------------
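The state handling described in the initial comment, as an added example that is not part of the original report and is not libcurl source. It is a simplified C model: every name (auth_state, handle_401, AUTH_*, guard) is hypothetical, the header list is constructed, and the GSS step is assumed to always fail as in the reporter's test. It shows a stale "picked" suppressing NTLM, and the extra "want" test proposed in the report avoiding that.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the reported behaviour; NOT libcurl source. */
#define AUTH_NEGOTIATE (1u << 0) /* hypothetical stand-in values */
#define AUTH_NTLM      (1u << 1)
struct auth_state {
  unsigned want;   /* schemes the application allowed */
  unsigned avail;  /* schemes offered in the current response */
  unsigned picked; /* scheme chosen after the previous response */
};

/* Assumption: the GSS step always fails, as in the reporter's test. */
static bool negotiate_input_fails(void) { return true; }

/* Process the WWW-Authenticate values of one 401 response. guard enables the
   extra "want" test from the report. Returns the scheme to send, or 0. */
unsigned handle_401(struct auth_state *a, const char *const *hdrs, size_t n,
                    bool guard)
{
  bool authproblem = false;
  a->avail = 0;
  for(size_t i = 0; i < n; i++) {
    if(strcmp(hdrs[i], "Negotiate") == 0) {
      a->avail |= AUTH_NEGOTIATE;
      if(a->picked == AUTH_NEGOTIATE &&
         (!guard || (a->want & AUTH_NEGOTIATE)) &&
         negotiate_input_fails())
        authproblem = true; /* stale picked reaches the failing GSS step */
    }
    else if(strcmp(hdrs[i], "NTLM") == 0)
      a->avail |= AUTH_NTLM;
  }
  if(authproblem) return 0; /* nothing is sent, not even NTLM */
  unsigned usable = a->want & a->avail;
  a->picked = (usable & AUTH_NEGOTIATE) ? AUTH_NEGOTIATE :
              (usable & AUTH_NTLM) ? AUTH_NTLM : 0;
  return a->picked;
}

int main(void)
{
  const char *const hdrs[] = {"Negotiate", "NTLM"}; /* constructed input */
  struct auth_state a = {.want = AUTH_NTLM, .picked = AUTH_NEGOTIATE};
  unsigned plain = handle_401(&a, hdrs, 2, false);
  unsigned guarded = handle_401(&a, hdrs, 2, true);
  printf("without guard: %u, with guard: %u\n", plain, guarded);
  return 0;
}
```

In the model, clearing "picked" before the second request gives the same result as the guard, which corresponds to the other option raised in the report.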
>Comment By: Daniel Stenberg (bagder)
Message:
Do you have any recipe to repeat/see this problem in a decent way?
----------------------------------------------------------------------
Comment By: Joe Mason (jmasonrim)
Message:
----------------------------------------------------------------------
You can respond by visiting:
Page updated January 05, 2012.