From 7ca7f82ba7c936cc01651e28b2ad92400ad4f7cc Mon Sep 17 00:00:00 2001
From: Steve Holme
Date: Sat, 18 May 2019 17:30:16 +0100
Subject: http_ntlm_wb: Handle auth for only a single request

Currently when the server responds with 401 on NTLM authenticated connection (re-used) we consider it to have failed. However this is legitimate and may happen when for example IIS is set configured to 'authPersistSingleRequest' or when the request goes thru a proxy (with 'via' header). Implemented by imploying an additional state once a connection is re-used to indicate that if we receive 401 we need to restart authentication. Missed in fe6049f0.
---
 lib/curl_ntlm_wb.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c
index fa0ad95fb..80266e2a4 100644
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -356,7 +356,11 @@ CURLcode Curl_input_ntlm_wb(struct connectdata *conn,
 *state = NTLMSTATE_TYPE2; /* We got a type-2 message */
 }
 else {
- if(*state == NTLMSTATE_TYPE3) {
+ if(*state == NTLMSTATE_LAST) {
+ infof(conn->data, "NTLM auth restarted\n");
+ Curl_http_auth_cleanup_ntlm_wb(conn);
+ }
+ else if(*state == NTLMSTATE_TYPE3) {
 infof(conn->data, "NTLM handshake rejected\n");
 Curl_http_auth_cleanup_ntlm_wb(conn);
 *state = NTLMSTATE_NONE;
@@ -445,6 +449,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
 return CURLE_OUT_OF_MEMORY;
 conn->response_header = NULL;
 break;
+
 case NTLMSTATE_TYPE2:
 input = aprintf("TT %s\n", conn->challenge_header);
 if(!input)
@@ -466,11 +471,14 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn,
 if(!*allocuserpwd)
 return CURLE_OUT_OF_MEMORY;
 break;
+
 case NTLMSTATE_TYPE3:
 /* connection is already authenticated,
 * don't send a header in future requests */
- free(*allocuserpwd);
- *allocuserpwd = NULL;
+ *state = NTLMSTATE_LAST;
+ /* FALLTHROUGH */
+ case NTLMSTATE_LAST:
+ Curl_safefree(*allocuserpwd);
 authp->done = TRUE;
 break;
 }
--
cgit v1.2.3
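Review bot: The new `NTLMSTATE_LAST` branch in Curl_input_ntlm_wb restarts the handshake on every 401 a re-used connection returns, and nothing visible in the hunk limits how often that can happen. A server or intermediary that keeps answering 401 after a completed handshake would therefore appear to trigger a fresh credential exchange each time, where the old code failed closed. The branch also leaves `*state` untouched after `Curl_http_auth_cleanup_ntlm_wb(conn)`, so it presumably relies on the assignment after the if/else chain, which lies outside the hunk. Please confirm that path and whether the generic HTTP auth loop bounds the retries. A comment on the branch would make the intent reviewable, e.g. `/* 401 on a re-used, already authenticated connection: the server wants auth per request, so start over */`.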
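Review bot: The comment kept above the `NTLMSTATE_TYPE3` case in Curl_output_ntlm_wb is now incomplete. It still says only that no header is sent, but the case also moves the state to `NTLMSTATE_LAST`, which is what the input side uses to tell a rejected type-3 message from a later per-request 401. I would extend it to something like `/* connection is already authenticated, don't send a header in future requests; record that the handshake completed so a later 401 restarts auth */`. The switch begins outside the hunk, so its remaining cases cannot be checked from here.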