
#1484 sasl_sspi does not correctly populate Domain/Realm on Windows

Status: closed
Labels: sasl_sspi (1)
Priority: 5
Updated: 2015-04-13
Created: 2015-02-21
Private: No

With the release of Curl 7.40.0, on Windows, SSPI handles http_digest authentication.

I've noticed that the behavior of using digest auth on most non-Microsoft based HTTP servers will return an unauthorized error. This is because the realm in the challenge response is not populated correctly. The only way to authorize access is for the user to have knowledge of the "Realm" of the challenge-message, which is not usually the case.

I've noticed the PHP Windows binaries now use 7.40.0 and compile with USE_WINDOWS_SSPI.

Some example (user:password) formats specified with CURLOPT_USERPWD:
"User:Password" results in realm="", even though the server has specified a realm (this is NOT OK)
"Realm\User:Password" results in realm="Realm" (this is OK, maybe? Realm specified by the server may not be the same, but Microsoft HTTP servers may deal with this)

This also conflicts with users that may contain "\" and servers that don't use the MS DOMAIN\User format. Either way, the behavior significantly varies from using Curl without USE_WINDOWS_SSPI.

Instead, this patch populates the realm from the challenge message if the user does not explicitly use the DOMAIN\User format.

Example:
Domain\User ; domain=Domain, user=User
\Domain\User ; domain=server realm, user=Domain\User
User ; domain=server realm, user=User
Domain\ ; domain=Domain, user=blank
\ ; domain=server realm, user=blank
\ ; domain=server realm, user=\

I've made a pull request on Github that solves the problem, but I am not a fantastic C/C++ coder: https://github.com/bagder/curl/pull/141

Thanks
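The split rule in the report, worked through in C as an added example (this is not curl's code and not the pull request; the helper names digest_challenge_realm, split_userpwd_user and resolve_identity, the sspi_identity struct and the sample challenge are all constructed for this illustration). It does the two things the report asks for: pull realm="..." out of the Digest challenge, then fill the identity's domain field from it unless the user gave an explicit DOMAIN\User prefix. Why the empty realm matters: the realm is an input to the Digest HA1 hash (username:realm:password), so a client that hashes with realm="" while the server expects its own realm can never produce a matching response, which is the 401 the report describes. A bare "\" is listed twice in the report with different results; the example follows the first reading (user blank):

```c
#include <stdio.h>
#include <string.h>

/* Domain/user pair that would be handed to SSPI as the identity; under SSPI
 * the domain field is where the Digest realm has to go (hypothetical struct). */
struct sspi_identity {
    char domain[128];
    char user[128];
};

/* Pull the realm="..." value out of a Digest challenge such as
 *   Digest realm="example.org", nonce="...", qop="auth"
 * Returns 1 and copies the realm into out (NUL-terminated, truncated to
 * outlen-1 bytes) on success, 0 when no quoted realm parameter exists.
 * Hypothetical helper written for this example; curl has its own decoder. */
static int digest_challenge_realm(const char *challenge, char *out, size_t outlen)
{
    const char *p = challenge;
    while ((p = strstr(p, "realm=")) != NULL) {
        /* Only accept a whole parameter name, not a suffix such as "xrealm=". */
        if (p == challenge || strchr(" ,\t", p[-1]) != NULL) {
            const char *end;
            size_t n;
            p += 6;
            if (*p != '"')
                return 0;            /* unquoted realm: treat as malformed */
            p++;
            end = strchr(p, '"');
            if (end == NULL)
                return 0;            /* unterminated quote */
            n = (size_t)(end - p);
            if (n >= outlen)
                n = outlen - 1;
            memcpy(out, p, n);
            out[n] = '\0';
            return 1;
        }
        p += 6;
    }
    return 0;
}

/* Split the user half of CURLOPT_USERPWD the way the report proposes:
 * a DOMAIN\User prefix wins, otherwise the server's realm fills the domain,
 * and a leading backslash means "no domain, the rest is the literal user". */
static void split_userpwd_user(const char *input, const char *server_realm,
                               struct sspi_identity *id)
{
    const char *bs = strchr(input, '\\');
    if (bs == input) {
        /* "\Domain\User" or "\": keep the backslash-containing name intact */
        snprintf(id->domain, sizeof id->domain, "%s", server_realm);
        snprintf(id->user, sizeof id->user, "%s", input + 1);
    } else if (bs != NULL) {
        /* "Domain\User" or "Domain\": explicit domain overrides the realm */
        size_t n = (size_t)(bs - input);
        if (n >= sizeof id->domain)
            n = sizeof id->domain - 1;
        memcpy(id->domain, input, n);
        id->domain[n] = '\0';
        snprintf(id->user, sizeof id->user, "%s", bs + 1);
    } else {
        /* plain "User": realm comes from the challenge */
        snprintf(id->domain, sizeof id->domain, "%s", server_realm);
        snprintf(id->user, sizeof id->user, "%s", input);
    }
}

/* Combine both steps. Returns 1 if the challenge carried a realm, 0 if it
 * did not; in the 0 case the domain stays empty for any input without an
 * explicit DOMAIN\ prefix, which is the realm="" the report complains about. */
static int resolve_identity(const char *userpwd_user, const char *challenge,
                            struct sspi_identity *id)
{
    char realm[128] = "";
    int have_realm = digest_challenge_realm(challenge, realm, sizeof realm);
    split_userpwd_user(userpwd_user, realm, id);
    return have_realm;
}

int main(void)
{
    /* constructed sample challenge, not captured from a real server */
    static const char *challenge =
        "Digest realm=\"protected-area\", nonce=\"dcd98b7102dd2f0e\", qop=\"auth\"";
    static const char *inputs[] = { "Domain\\User", "\\Domain\\User", "User",
                                    "Domain\\", "\\" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct sspi_identity id;
        resolve_identity(inputs[i], challenge, &id);
        printf("%-14s -> domain=\"%s\" user=\"%s\"\n", inputs[i], id.domain, id.user);
    }
    return 0;
}
```

The realm parser deliberately rejects an unquoted realm and stops at the first closing quote; a production decoder also has to handle quoted-pair escapes inside the value, which this example leaves out.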

Discussion

  • Steve Holme

    Steve Holme - 2015-02-25

    Thanks for your bug report and suggested fix.

    I've had a quick look at your pull request, as I haven't yet had the time to download it as a patch and apply it locally, but apart from some curl coding style fixes it seems pretty good in its current state.

    My only query before merging it is:

    Do you know / did you investigate to see whether the realm can be pulled out of the challenge using SSPI functions rather than pulling in our own native digest decoding routines?

    Kind Regards

    Steve

  • Steve Holme

    Steve Holme - 2015-02-25
    • assigned_to: Steve Holme
  • Grant Pannell

    Grant Pannell - 2015-02-26

    Hi Steve,

    I did try to investigate the SSPI API, but I couldn't find anything. However, I'm definitely not an expert.

    I found something that allows you to set the realm manually, but nothing that will automatically pull it out of the challenge message.

  • Daniel Stenberg

    Daniel Stenberg - 2015-04-13

    Let's deal with this over in the github pull request, closing this entry on sourceforge.

  • Daniel Stenberg

    Daniel Stenberg - 2015-04-13
    • status: open --> closed