Digest: incorrect realm and nonce when curl easy handle is reused #2347

Closed
waterproofman opened this issue Mar 1, 2018 · 2 comments

waterproofman commented Mar 1, 2018

I did this

I tried to reuse a curl easy handle in an application that connects to servers with digest authentication.
Curl seems to use an incorrect nonce and realm (from the previous server).
Here is the simplest example:

```c
#include <curl/curl.h>

/* Perform one Digest-authenticated GET, then reset the handle for reuse. */
void restGet(CURL *hnd, const char *url, const char *usrpwd)
{
  curl_easy_setopt(hnd, CURLOPT_URL, url);
  curl_easy_setopt(hnd, CURLOPT_HTTPGET, 1L);
  curl_easy_setopt(hnd, CURLOPT_USERPWD, usrpwd);
  curl_easy_setopt(hnd, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
  curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
  curl_easy_perform(hnd);
  curl_easy_reset(hnd); /* options are reset; the same handle is reused */
}

int main(void)
{
  CURL *hnd = curl_easy_init();

  /* Same easy handle, two different servers with different credentials. */
  restGet(hnd, "http://digest.server1/file", "clark:kent");
  restGet(hnd, "http://digest.server2/file", "peter:parker");

  curl_easy_cleanup(hnd);
  return 0;
}
```

The result of the first curl_easy_perform is fine, but in the second call curl uses the digest realm and nonce from the first server and then the result is HTTP unauthorized.

It works in the following way now:
First curl_easy_perform():

  1. Curl sends GET to server1.
  2. Server1 responds "unauthorized" with its digest realm and nonce.
  3. Curl sends GET with provided realm and nonce.

Then easy_reset() and second curl_easy_perform():

  4. Curl sends GET (already with digest) to server2, but using realm and nonce received from server1.
  5. Server2 responds "unauthorized" with its realm and digest.
  6. Curl returns, connection is failed (unauthorized).

I expected the following

Similar attempts for both servers, so in second curl_easy_perform():

  4. Curl sends GET to server2 (not digest).
  5. Server2 responds "unauthorized" with digest realm and nonce.
  6. Curl sends GET with realm and nonce provided by server2.

If separate handlers are used (cleanup()/init() instead of reset()) it works fine.

curl/libcurl version

I tried with curl 7.47.0 (shared lib, linux) and with 7.58.0 (statically linked, linux).

operating system

Linux, Ubuntu 16.04
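
The two request sequences described in the report above, as an added example that is not part of the original issue and is not curl's code. It is a simplified model of RFC 2617 Digest without qop: the `Server` and `Client` classes, the realms and the nonces are constructed for illustration, and `per_host` selects whether challenge state is shared across the whole handle (the reported behaviour) or keyed by host (the expected behaviour).

```python
import hashlib

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri):
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Server:
    """Constructed stand-in for one Digest-protected server."""
    def __init__(self, realm, nonce, users):
        self.realm, self.nonce, self.users = realm, nonce, users

    def handle(self, method, uri, auth):
        if auth and (auth["realm"], auth["nonce"]) == (self.realm, self.nonce):
            password = self.users.get(auth["user"])
            if password is not None and auth["response"] == digest_response(
                    auth["user"], password, self.realm, self.nonce, method, uri):
                return 200, None
        return 401, {"realm": self.realm, "nonce": self.nonce}  # fresh challenge

class Client:
    """Hypothetical client; per_host picks how challenge state is cached."""
    def __init__(self, per_host):
        self.per_host, self.challenges = per_host, {}

    def get(self, host, server, uri, user, password):
        key = host if self.per_host else "shared-handle"
        statuses = []
        for _ in range(2):  # first attempt plus one answer to a challenge
            ch = self.challenges.get(key)
            auth = ch and {"user": user, "realm": ch["realm"], "nonce": ch["nonce"],
                           "response": digest_response(user, password, ch["realm"],
                                                       ch["nonce"], "GET", uri)}
            status, challenge = server.handle("GET", uri, auth)
            statuses.append(status)
            if status == 200 or auth:
                break  # success, or credentials were already sent and refused
            self.challenges[key] = challenge
        return statuses

def run(per_host):
    # Constructed realms and nonces; hosts and credentials are the issue's own.
    s1 = Server("realm-one", "nonce-1111", {"clark": "kent"})
    s2 = Server("realm-two", "nonce-2222", {"peter": "parker"})
    client = Client(per_host)
    return (client.get("digest.server1", s1, "/file", "clark", "kent"),
            client.get("digest.server2", s2, "/file", "peter", "parker"))
```

`run(False)` gives the status sequence from the report (401 then 200 for server1, a single 401 for server2), and `run(True)` gives 401 then 200 for both servers.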

@bagder
Member

bagder commented Mar 1, 2018

Thanks! I believe this is fixed in commit 9caa3e2 (issue #2255), which will be included in the next release. You can download and try a daily snapshot or build from git, and I'd appreciate if you did try that out so that we know if this fixes your issue or not!

@waterproofman
Author

I have built curl from git, with the mentioned commit included.
I ran the example which failed before and then a few more connection attempts with digest and... it works :-).
Thank you.

@lock lock bot locked as resolved and limited conversation to collaborators May 31, 2018