Commit 638c6da9 authored by Fabian Keil's avatar Fabian Keil Committed by Daniel Stenberg
Browse files

proxy: make ConnectionExists() check credential of proxyconnections too 

Previously it only compared credentials if the requested needle
connection wasn't using a proxy. This caused NTLM authentication
failures when using proxies as the authentication code wasn't send on
the connection where the challenge arrived.

Added test 1215 to verify: NTLM server authentication through a proxy
(This is a modified copy of test 67)
parent 9141c75b

lib/url.c

+12 −11
Original line number Diff line number Diff line
@@ -2974,6 +2974,18 @@ ConnectionExists(struct SessionHandle *data, 
          continue;

      }



      if((needle->handler->protocol & CURLPROTO_FTP) ||

         ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {

         /* This is FTP or HTTP+NTLM, verify that we're using the same name

            and password as well */

         if(!strequal(needle->user, check->user) ||

            !strequal(needle->passwd, check->passwd)) {

            /* one of them was different */

            continue;

         }

         credentialsMatch = TRUE;

      }



      if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||

         (needle->bits.httpproxy && check->bits.httpproxy &&

          needle->bits.tunnel_proxy && check->bits.tunnel_proxy &&
@@ -3007,17 +3019,6 @@ ConnectionExists(struct SessionHandle *data, 
              continue;

            }

          }

          if((needle->handler->protocol & CURLPROTO_FTP) ||

             ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {

            /* This is FTP or HTTP+NTLM, verify that we're using the same name

               and password as well */

            if(!strequal(needle->user, check->user) ||

               !strequal(needle->passwd, check->passwd)) {

              /* one of them was different */

              continue;

            }

            credentialsMatch = TRUE;

          }

          match = TRUE;

        }

      }

tests/data/Makefile.am

+1 −1
Original line number Diff line number Diff line
@@ -88,7 +88,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \ 
test1128 test1129 test1130 test1131 test1132 test1133 \

\

test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \

test1208 test1209 test1210 test1211 test1212 test1213 test1214 \

test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \

\

test1220 test1221 test1222 test1223 \

\

tests/data/test1215

0 → 100644
+104 −0
Original line number Diff line number Diff line 
<testcase>

<info>

# This test is a copy of test 67, modified to use a HTTP proxy.

<keywords>

HTTP

HTTP GET

HTTP NTLM auth

HTTP proxy

</keywords>

</info>

# Server-side

<reply>



<!-- no <data> in this test since we have NTLM from the start



This is supposed to be returned when the server gets a first

Authorization: NTLM line passed-in from the client -->



<data1001>

HTTP/1.1 401 Now gimme that second request of crap

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 34

WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAgACADAAAAAGgoEAc51AYVDgyNcAAAAAAAAAAG4AbgAyAAAAQ0MCAAQAQwBDAAEAEgBFAEwASQBTAEEAQgBFAFQASAAEABgAYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAwAsAGUAbABpAHMAYQBiAGUAdABoAC4AYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAAAAAA==



This is not the real page either!

</data1001>



# This is supposed to be returned when the server gets the second

# Authorization: NTLM line passed-in from the client

<data1002>

HTTP/1.1 200 Things are fine in server land swsclose

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 32



Finally, this is the real page!

</data1002>



<datacheck>

HTTP/1.1 401 Now gimme that second request of crap

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 34

WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAgACADAAAAAGgoEAc51AYVDgyNcAAAAAAAAAAG4AbgAyAAAAQ0MCAAQAQwBDAAEAEgBFAEwASQBTAEEAQgBFAFQASAAEABgAYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAwAsAGUAbABpAHMAYQBiAGUAdABoAC4AYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAAAAAA==



HTTP/1.1 200 Things are fine in server land swsclose

Server: Microsoft-IIS/5.0

Content-Type: text/html; charset=iso-8859-1

Content-Length: 32



Finally, this is the real page!

</datacheck>



</reply>



# Client-side

<client>

<features>

NTLM

</features>

<server>

http

</server>

 <name>

HTTP with server NTLM authorization using a proxy

 </name>

 <setenv>

# we force our own host name, in order to make the test machine independent

CURL_GETHOSTNAME=curlhost

# we try to use the LD_PRELOAD hack, if not a debug build

LD_PRELOAD=%PWD/libtest/.libs/libhostname.so

 </setenv>

 <command>

http://%HOSTIP:%HTTPPORT/1215 -u testuser:testpass --ntlm --proxy http://%HOSTIP:%HTTPPORT

</command>

<precheck>

chkhostname curlhost

</precheck>

</client>



# Verify data after the test has been "shot"

<verify>

<strip>

^User-Agent:.*

</strip>

<protocol>

GET http://%HOSTIP:%HTTPPORT/1215 HTTP/1.1

Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=

User-Agent: curl/7.30.0-DEV

Host: %HOSTIP:%HTTPPORT

Accept: */*

Proxy-Connection: Keep-Alive



GET http://%HOSTIP:%HTTPPORT/1215 HTTP/1.1

Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACAAIAHAAAAAIAAgAeAAAAAAAAAAAAAAABoKBAFpkQwKRCZFMhjj0tw47wEjKHRHlvzfxQamFcheMuv8v+xeqphEO5V41xRd7R9deOXRlc3R1c2VyY3VybGhvc3Q=

User-Agent: curl/7.30.0-DEV

Host: %HOSTIP:%HTTPPORT

Accept: */*

Proxy-Connection: Keep-Alive



</protocol>

</verify>

</testcase>