curl-library

Re: How-To use NTLM proxy authentication?

From: Augustus Saunders <augustus.saunders_at_verilogix.net>
Date: Sun, 27 Mar 2005 14:47:12 -0800

Ok, as a reminder on the background here, there are 2
problems: 1) using curl_easy_setopt(blah, CURLPROXY_AUTH,
CURLAUTH_ANY) doesn't work; no Proxy-Authentication headers
ever get sent. 2) if CURLPROXY_AUTH gets set to NTLM and
you do an HTTP POST, libcurl goes into an infinite loop
while negotiating the NTLM auth. Here's what an NTLM proxy
authentication session should look like:

1) HTTP POST blah
2) HTTP 407 Authorization required
3) HTTP POST blah
   Proxy-Authentication: NTLM gibberish
4) HTTP 407 Authorization denied
   Proxy-Authentication: NTLM gibberish + response
5) HTTP POST blah
   Proxy-Authentication: NTLM final response
6) HTTP 200 OK

Instead, what happens is this:

1) HTTP POST blah
2) HTTP 407 Authorization required
3) HTTP POST blah
   Proxy-Authentication: NTLM gibberish
4) HTTP 407 Authorization denied
   Proxy-Authentication: NTLM gibberish + response
5) HTTP POST blah
   Proxy-Authentication: NTLM gibberish
6) HTTP 407 Authorization denied
   Proxy-Authentication: NTLM gibberish + response
5) HTTP POST blah
   Proxy-Authentication: NTLM gibberish
6) HTTP 407 Authorization denied
   Proxy-Authentication: NTLM gibberish + response
5) HTTP POST blah
   Proxy-Authentication: NTLM gibberish
6) HTTP 407 Authorization denied
   Proxy-Authentication: NTLM gibberish + response

... ad nauseam. libcurl keeps resending the original
gibberish instead of calculating the final response and
sending that. Like I mentioned before, if you use an HTTP
GET to negotiate the NTLM, you can then POST successfully.

Of the two, I'm more concerned about the infinite loop when
POSTing. Anyway, regarding CURLAUTH_ANY not working, I
don't have the source code here at home, but here's what
happens:

Curl_http_auth_act gets called correctly. pickoneauth or
some such function gets called to decide which authorization
method to use. It goes through some picking logic, and hey,
works great. auth->picked gets set to the correct value (in
this case, NTLM, which happens to be 8). Now, the part
that's confusing, is that Curl_http_output_auth doesn't
check against *picked*, it checks against *want*. Problem
is, auth->want is set to CURLAUTH_ANY, which works out to
-5, which of course does not equal any of the individual
authorization methods. So, for this to ever have worked
correctly, auth->want had to get set to auth->picked
somewhere along the line. I'm not sure where that's
supposed to happen, so I just added auth->want =
auth->picked at the end of "pickoneauth". Seems to work ok,
but I'm worried that breaks things elsewhere. How is this
supposed to work? Where in the code is auth->want
*supposed* to be set to auth->picked?

Incidentally, is there a way to get libcurl to abort an
operation when it gets an error back? I tried FAILONERROR,
but it doesn't seem to do what I want. I'm POSTing pretty
large files and I don't want to continue uploading once I
know it's gonna fail.

Augustus

PS Regarding test cases, I'm not sure what framework you've
got set up, but as far as I can tell, curl.exe has no
command line switch to enable CURLAUTH_ANY for proxies. And
posting form data from the command line seems like a PITA
(though I haven't tried, admittedly).

On Sun, 27 Mar 2005 14:43:52 +0200 (CEST)
 Daniel Stenberg <daniel-curl_at_haxx.se> wrote:
> On Thu, 24 Mar 2005, Augustus Saunders wrote:
>
> > Hmm, I'm looking at Curl_http_output_auth and I can see what's happening, and
> > I'm not sure how it ever worked.
>
> What exactly doesn't work for you? Can you show us a trace log from the auth
> neg showing the failure? Can you show us a source code example we can use to
> repeat the problem?
>
> > Should all the if-elses compare against authproxy->picked instead, or is
> > authproxy->want supposed to get set to authproxy->picked at some point? I
> > can hack it to make it work, but I want it to be "right."
>
> The right way is to make sure all current test cases remain working, and then
> add a new one that features your case and then have that one run OK too...
> I admit NTLM proxy auth is not the most tested feature, but I believe there's
> at least one existing test case for it.
>
> --
> Daniel Stenberg -- http://curl.haxx.se -- http://daniel.haxx.se
> Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2005-03-28
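
The want/picked mismatch described in the message, as an added example that is not part of the original mail and is not libcurl source: a multi-bit "any" mask never equals a single method, so an equality test on it selects no header, while the same test on the picked bit does. All names and bit values are constructed for this sketch, except NTLM == 8 and want == -5, which are the values quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Constructed bit values for this sketch. Only NTLM == 8 and
   want == -5 come from the message; the rest are assumptions. */
#define AUTH_BASIC  (1L << 0)
#define AUTH_DIGEST (1L << 1)
#define AUTH_NEGO   (1L << 2)
#define AUTH_NTLM   (1L << 3)
#define WANT_ANY    (~AUTH_NEGO)   /* every bit except one: -5 */

/* Pick one method that is both allowed (want) and offered (avail).
   The preference order is an assumption of this sketch. */
static long pick_one(long want, long avail)
{
  static const long order[] = { AUTH_NTLM, AUTH_DIGEST, AUTH_BASIC };
  long usable = want & avail;
  size_t i;
  for(i = 0; i < sizeof(order) / sizeof(order[0]); i++)
    if(usable & order[i])
      return order[i];
  return 0;
}

/* Map a value to a scheme name using equality tests, the style of
   check the message describes. Returns NULL if nothing matches. */
static const char *scheme_for(long method)
{
  if(method == AUTH_NTLM)   return "NTLM";
  if(method == AUTH_DIGEST) return "Digest";
  if(method == AUTH_BASIC)  return "Basic";
  return NULL;
}

/* Header scheme chosen when the equality test runs on want (by_picked
   == 0) or on the single picked bit (by_picked != 0). */
static const char *header_scheme(long want, long avail, int by_picked)
{
  long picked = pick_one(want, avail);
  return scheme_for(by_picked ? picked : want);
}

int main(void)
{
  long offered = AUTH_NTLM | AUTH_BASIC;   /* constructed 407 offer */
  const char *w = header_scheme(WANT_ANY, offered, 0);
  const char *p = header_scheme(WANT_ANY, offered, 1);
  printf("want=%ld picked=%ld\n", WANT_ANY, pick_one(WANT_ANY, offered));
  printf("keyed on want:   %s\n", w ? w : "(no header)");
  printf("keyed on picked: %s\n", p ? p : "(no header)");
  return 0;
}
```

When want is set to the single NTLM bit, the equality test on want matches, which is consistent with the message's report that explicitly selecting NTLM produces headers while the "any" mask does not.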