cURL
Haxx ad
libcurl

curl's project page on SourceForge.net

Sponsors:
Haxx

cURL > Mailing List > Monthly Index > Single Mail

curl-tracker Archives

[ curl-Bugs-3172608 ] No re-authentication when HTTP connecton is closed

From: SourceForge.net <noreply_at_sourceforge.net>
Date: Mon, 20 Jun 2011 07:26:02 -0700

Bugs item #3172608, was opened at 2011-02-04 03:07
Message generated for change (Comment added) made by jchaffraix
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3172608&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: libcurl
Group: bad behaviour
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Pierre F BESSON (pfbesson)
Assigned to: Daniel Stenberg (bagder)
Summary: No re-authentication when HTTP connecton is closed

Initial Comment:
When accessing an httpd server configured with KeepAlive on & MaxKeepAliveRequests 100 and Kerberos authentication, libcurl authenticates the first time the connexion is opened and reusing the connexion for 100 requests, but when the connexion is closed by the server and re-athentication must happen, the authentication automat of curl responds to the 401 status by incorrectly detecting "Athentication problem" and not resending the authentication because he remembers having already done so 100 requests before ! Status of the authentication automat should be reset when at least one request succeds ?
The error is detected around line 737 in http.c.
Version is libcurl 7.21.3 on RedHat using gssapi on httpd v2.2 kerberized
Sorry, I cannot provide the trace of the session, it is on a classified system.

----------------------------------------------------------------------

Comment By: Julien Chaffraix (jchaffraix)
Date: 2011-06-20 07:26

Message:
I had a look the patch over the week-end, I don't think this is the right
way to go. The right fix would be to move the state information so that it
is not cleared between session. We need to investigate what the misuse of
such a change could be though.

----------------------------------------------------------------------

Comment By: Pierre F BESSON (pfbesson)
Date: 2011-05-10 08:39

Message:
Hello and sorry for the looong delay, I was far away with no access to my
source...

Attached is the diff between my source and version 7.21.2

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2011-04-11 13:24

Message:
Hi again and sorry for the delay. I've been hoping for someone else to show
interest in this issue but I've failed.

Can you please attach your patch to this entry using the "add a file"
feature down the page so that I can apply it more easily in my end?

----------------------------------------------------------------------

Comment By: Pierre F BESSON (pfbesson)
Date: 2011-02-14 09:21

Message:
(I discarded the comments in french in my version)

diff -u ../CClasses/Curl/lib/http.c ../CClasses/curl-7.21.2/lib/http.c
--- ../CClasses/Curl/lib/http.c 2011-02-14 17:52:24.000000000 +0100
+++ ../CClasses/curl-7.21.2/lib/http.c 2010-10-10 23:22:27.000000000
+0200
@@ -3517,11 +3517,6 @@
           k->ignorecl = TRUE; /* ignore Content-Length headers */
           break;
         default:
-#ifdef HAVE_GSSAPI
- if( k->httpcode >= 200 && k->httpcode < 300 )
- {
- conn->data->state.negotiate.state = GSS_AUTHNONE;
- }
-#endif
           /* nothing */
           break;
         }
diff -u ../CClasses/Curl/lib/http_negotiate.c
../CClasses/curl-7.21.2/lib/http_negotiate.c
--- ../CClasses/Curl/lib/http_negotiate.c 2011-02-14 17:52:35.000000000
+0100
+++ ../CClasses/curl-7.21.2/lib/http_negotiate.c 2010-09-18
23:00:21.000000000 +0200
@@ -355,9 +355,7 @@
   if(neg_ctx->server_name != GSS_C_NO_NAME)
     gss_release_name(&minor_status, &neg_ctx->server_name);
 
- int savedState = neg_ctx->state;
   memset(neg_ctx, 0, sizeof(*neg_ctx));
- neg_ctx->state = savedState;
 }
 
 void Curl_cleanup_negotiate(struct SessionHandle *data)

Sorry, I made the diff command the wrong way : - are in reality + !!!

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2011-02-08 13:52

Message:
Thanks for your report and analysis!

Can you please do a "diff -u" (or git diff) output with your suggested
changes and submit it here so that we get to see exactly what you suggest?

----------------------------------------------------------------------

Comment By: Pierre F BESSON (pfbesson)
Date: 2011-02-04 08:59

Message:
I modified the source to have a workaround but I am not an expert in HTTP
nor in libcurl, so I submit this "as is".
First, there is a problem in the last lines of http_negotiate.c, in the
cleanup function, the memset resets the state of the authentication automat
to zero during the authentication process. Luckily, nobody depends on the
state when it is in GSS_AUTHRECV. The function should memorize the state,
then memset then restore the state. There are perhaps other values to save
and restore..?
Second, I inserted near line 3520 of http.c (into the default of the
switch) a test that resets the state of the autentication automat to NONE
when the httpcode is something between 200 and 299 (ie when the request
succeds). Thus next time the authentication process starts, the automat is
in its start state. I didn't make the changes on the proxy part of the
function because I do not have any proxy to test the change.
If someone knowing better http and libcurl than me could validate the
workaround, it would be a great help.
Thank you in advance.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3172608&group_id=976
Received on 2011-06-20

These mail archives are generated by hypermail.

donate! Page updated November 12, 2010.
web site info

File upload with ASP.NET