Hi,

git clone against a repository using GSS auth does not work with recent
libcurl versions. It used to work fine with libcurl 7.15.5 for example,
but in recent versions it's broken.

The problem is this code in Curl_http_input_auth():

  if(data->state.negotiate.state == GSS_AUTHSENT) {
    /* if we sent GSS authentication in the outgoing request and we get this
       back, we're in trouble */
    infof(data, "Authentication problem. Ignoring this.\n");
    data->state.authproblem = TRUE;
  }

When a struct connectdata is used for multiple requests and the
first request was authenticated with GSS, data->state.negotiate.state
is not reset for subsequent calls to Curl_http_input_auth,
which causes the above if statement to be true and the next request
to fail without authentication being tried.

The attached patch makes sure that the state is always set to
GSS_AUTHNONE in output_auth_headers(), unless it actually did
a successful Curl_output_negotiate().

Attached is also a log from GIT_CURL_VERBOSE=1 showing the problem.
When using libcurl 7.15.5 or using my patch, the
"* Authentication problem. Ignoring this." line interleaved in the
last 401 does not appear, and libcurl successfully resends the
request with proper authentication.

//Marcus
--
---------------------------------------------
Marcus Sundberg <[email protected]>
Senior System & Software Engineer
Aptilo Networks AB, http://www.aptilo.com/
>From 328af37f3c2081c37bf9fd7e89b1dea12ac7e59a Mon Sep 17 00:00:00 2001
From: Marcus Sundberg <[email protected]>
Date: Wed, 9 Mar 2011 19:07:28 +0100
Subject: [PATCH] curl-7.21.5-gssauth-handle-reuse-fix
Make GSS authentication work when a curl handle is reused for multiple
authenticated requests, by always setting negdata->state in
output_auth_headers().
Signed-off-by: Marcus Sundberg <[email protected]>
---
lib/http.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index 807bbeb..419efc1 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -531,6 +531,7 @@ output_auth_headers(struct connectdata *conn,
#endif
#ifdef USE_HTTP_NEGOTIATE
+ negdata->state = GSS_AUTHNONE;
if((authstatus->picked == CURLAUTH_GSSNEGOTIATE) &&
negdata->context && !GSS_ERROR(negdata->status)) {
auth="GSS-Negotiate";
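Review bot: The added `negdata->state = GSS_AUTHNONE;` sits directly above the `authstatus->picked == CURLAUTH_GSSNEGOTIATE` check with no comment, so a later reader cannot tell that the reset is there to clear a stale GSS_AUTHSENT left by an earlier request on the same handle. Please add a short comment saying so. The hunk also does not show the body of the following `if`, so it is worth confirming that the success path still sets the state to GSS_AUTHSENT after this line, and that the reset is correct for whichever negotiate data `negdata` points at in this call. A test that performs two Negotiate-authenticated requests on one reused handle would keep this from regressing again.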
--
1.7.4
Cloning into myrepo...
* Couldn't find host git.example.com in the .netrc file; using defaults
* About to connect() to git.example.com port 80 (#0)
* Trying 1.2.3.4... * Connected to git.example.com (1.2.3.4) port 80 (#0)
> GET /git/myrepo.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/1.7.3.2
Host: git.example.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 401 Authorization Required
< Date: Wed, 09 Mar 2011 18:02:07 GMT
< Server: Apache/2.2.3 (CentOS)
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Example AD"
< Content-Length: 484
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
* Expire cleared
* Closing connection #0
* Issue another request to this URL:
'http://:@git.example.com/git/myrepo.git/info/refs?service=git-upload-pack'
* Couldn't find host git.example.com in the .netrc file; using defaults
* About to connect() to git.example.com port 80 (#0)
* Trying 1.2.3.4... * Connected to git.example.com (1.2.3.4) port 80 (#0)
* Server auth using GSS-Negotiate with user ''
> GET /git/myrepo.git/info/refs?service=git-upload-pack HTTP/1.1
Authorization: Negotiate BASE64DATA
User-Agent: git/1.7.3.2
Host: git.example.com
Accept: */*
Pragma: no-cache
< HTTP/1.1 200 OK
< Date: Wed, 09 Mar 2011 18:02:07 GMT
< Server: Apache/2.2.3 (CentOS)
< Expires: Fri, 01 Jan 1980 00:00:00 GMT
< Pragma: no-cache
< Cache-Control: no-cache, max-age=0, must-revalidate
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: application/x-git-upload-pack-advertisement
<
* Closing connection #0
* Couldn't find host git.example.com in the .netrc file; using defaults
* About to connect() to git.example.com port 80 (#0)
* Trying 1.2.3.4... * connected
* Connected to git.example.com (1.2.3.4) port 80 (#0)
> POST /git/myrepo.git/git-upload-pack HTTP/1.1
User-Agent: git/1.7.3.2
Host: git.example.com
Accept-Encoding: deflate, gzip
Content-Type: application/x-git-upload-pack-request
Accept: application/x-git-upload-pack-result
Content-Encoding: gzip
Content-Length: 3105
Expect: 100-continue
< HTTP/1.1 401 Authorization Required
< Date: Wed, 09 Mar 2011 18:02:07 GMT
< Server: Apache/2.2.3 (CentOS)
* Authentication problem. Ignoring this.
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Example AD"
< Content-Length: 484
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
* The requested URL returned error: 401
* Closing connection #0
error: RPC failed; result=22, HTTP code = 401
fatal: The remote end hung up unexpectedly
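
The stale-state failure described in the message above, as an added example that is not part of the original mail and is not libcurl source. It is a simplified two-state model: the struct, the function names and the have_context flag are hypothetical stand-ins for data->state.negotiate, output_auth_headers() and Curl_http_input_auth(), and the server is assumed to answer 401 until a Negotiate header is sent.

```c
#include <stdbool.h>
#include <stdio.h>

enum neg_state { GSS_AUTHNONE, GSS_AUTHSENT };

struct handle {               /* hypothetical model of the reused handle */
  enum neg_state state;       /* stands in for data->state.negotiate.state */
  bool have_context;          /* a token is ready to be sent */
  bool authproblem;           /* stands in for data->state.authproblem */
};

/* Models output_auth_headers(); returns true if Negotiate was sent. */
static bool output_auth(struct handle *h, bool patched)
{
  if(patched)
    h->state = GSS_AUTHNONE;  /* the one-line reset from the patch */
  if(h->have_context) {
    h->state = GSS_AUTHSENT;
    h->have_context = false;  /* assumption: token is used once */
    return true;
  }
  return false;
}

/* Models Curl_http_input_auth() seeing "WWW-Authenticate: Negotiate". */
static void input_auth(struct handle *h)
{
  if(h->state == GSS_AUTHSENT)
    h->authproblem = true;    /* "Authentication problem. Ignoring this." */
  else
    h->have_context = true;   /* token obtained, retry can authenticate */
}

/* One request: returns the final HTTP status after at most one retry. */
static int do_request(struct handle *h, bool patched)
{
  if(output_auth(h, patched))
    return 200;
  input_auth(h);              /* first answer is a 401 challenge */
  if(h->authproblem)
    return 401;               /* gives up without trying authentication */
  return output_auth(h, patched) ? 200 : 401;
}

/* Two requests on one handle, like the GET then POST in the log. */
static int second_status(bool patched)
{
  struct handle h = { GSS_AUTHNONE, false, false };
  if(do_request(&h, patched) != 200)
    return -1;
  return do_request(&h, patched);
}

int main(void)
{
  printf("unpatched: %d\n", second_status(false));
  printf("patched:   %d\n", second_status(true));
  return 0;
}
```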