From: Steve Holme Date: Sat, 18 May 2019 16:30:16 +0000 (+0100) Subject: http_ntlm_wb: Handle auth for only a single request X-Git-Tag: curl-7_65_0~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7ca7f82ba7c936cc01651e28b2ad92400ad4f7cc;p=thirdparty%2Fcurl.git http_ntlm_wb: Handle auth for only a single request Currently when the server responds with 401 on NTLM authenticated connection (re-used) we consider it to have failed. However this is legitimate and may happen when for example IIS is set configured to 'authPersistSingleRequest' or when the request goes thru a proxy (with 'via' header). Implemented by imploying an additional state once a connection is re-used to indicate that if we receive 401 we need to restart authentication. Missed in fe6049f0.
---
diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c
index fa0ad95fb8..80266e2a45 100644
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -356,7 +356,11 @@ CURLcode Curl_input_ntlm_wb(struct connectdata *conn,
 *state = NTLMSTATE_TYPE2; /* We got a type-2 message */
 }
 else {
- if(*state == NTLMSTATE_TYPE3) {
+ if(*state == NTLMSTATE_LAST) {
+ infof(conn->data, "NTLM auth restarted\n");
+ Curl_http_auth_cleanup_ntlm_wb(conn);
+ }
+ else if(*state == NTLMSTATE_TYPE3) {
 infof(conn->data, "NTLM handshake rejected\n");
 Curl_http_auth_cleanup_ntlm_wb(conn);
 *state = NTLMSTATE_NONE;
@@ -445,6 +449,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
 return CURLE_OUT_OF_MEMORY;
 conn->response_header = NULL;
 break;
+
 case NTLMSTATE_TYPE2:
 input = aprintf("TT %s\n", conn->challenge_header);
 if(!input)
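Review bot: The new `NTLMSTATE_LAST` branch in Curl_input_ntlm_wb carries no comment and, unlike the `NTLMSTATE_TYPE3` branch below it, neither assigns `*state` nor returns inside the hunk, so a reader cannot tell from here which state the restarted handshake resumes in. The else block continues past the hunk, and presumably a later statement resets the state; a comment on the branch should say so, for example `/* 401 on a re-used, already authenticated connection: discard the old context and fall through to start a new handshake */`. Because this path turns a server-sent 401 into a fresh authentication attempt rather than an error, it is also worth confirming that the caller bounds how often one connection can be restarted; nothing in the visible lines does.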
@@ -466,11 +471,14 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
 if(!*allocuserpwd)
 return CURLE_OUT_OF_MEMORY;
 break;
+
 case NTLMSTATE_TYPE3:
 /* connection is already authenticated,
 * don't send a header in future requests */
- free(*allocuserpwd);
- *allocuserpwd = NULL;
+ *state = NTLMSTATE_LAST;
+ /* FALLTHROUGH */
+ case NTLMSTATE_LAST:
+ Curl_safefree(*allocuserpwd);
 authp->done = TRUE;
 break;
 }
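Review bot: The comment kept above `case NTLMSTATE_TYPE3:` ("connection is already authenticated, don't send a header in future requests") now describes the shared tail under `case NTLMSTATE_LAST:`, while the TYPE3 case's only own statement is the transition `*state = NTLMSTATE_LAST;`. I would move that comment to the new label and give TYPE3 its own, e.g. `/* handshake finished: remember it so a later 401 restarts authentication */`. `Curl_safefree` is defined outside this diff; it presumably frees and NULLs `*allocuserpwd` as the two removed lines did, which is worth confirming since callers may test the pointer. The switch starts before the hunk.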