digest authentication with sspi does not increment "nc-field" #870
Comments
ping @captain-caveman2k! This is clearly data that looks like it is handled by the Windows API, but it really isn't clear to me how the nc counter is supposed to get increased!
@bagder I will take a look at it ;-)
Any clues yet how to fix this? Missing Windows API parameter, flag or function call?
I looked at wdigest.dll (which implements digest sspi) from Windows 2003 Server and it does not seem to support tracking and incrementing nonce-count at all.
With the fix from #1251
@aroth-arsoft I just landed Max's fix for this issue, which works for me. Can you please try f77dabe with your AXIS IP Camera and let us know what happens? Thanks
I've just checked with the AXIS cameras: With the f77dabe the authentication works fine. Thanks for fixing it!
@mkhon It looks like there is still an issue if Windows default credentials
0x80090304 is SEC_E_INTERNAL_ERROR which is in my Windows Error file as "The Local Security Authority cannot be contacted". It isn't a documented error code for MakeSignature. I tried allocating the CredHandle credentials on the heap and not freeing it to see if that would make a difference but it doesn't. There is a GetLastError code of 1394 (0x572) ERROR_NO_USER_SESSION_KEY, which is of limited value since MakeSignature doesn't document checking that code. Any ideas? These are the phony replies I'm testing with:
@jay I'll check what can be done
@jay, how do you test with phony replies? I suspect that using Digest auth with default Windows credentials requires valid Digest auth/AD setup.
I'm running socat on localhost and pasting in the replies.
Reply to the first request with this:
Reply to the second request with this (change the URL to be on the same connection):
In the w/SSPI case curl doesn't increment the nonce count, instead starting from a new context because MakeSignature failed. However in the w/o SSPI case the nc is incremented to 2, as seen in this output:
It may appear to work but have you actually seen the nonce-count increase, or does it instead do the fallback when MakeSignature fails?
@jay there is no fallback there:
As you see nonce-count is
@mkhon Your example works here. The difference is yours uses
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I run the following command line:
curl -v --digest http://user1:user1@test.webdav.org/auth-digest/ http://user1:user1@test.webdav.org/auth-digest/
Here's the output:
When the first connection attempt is done the digest challenge is received from the server and afterwards used to retry the request with digest authentication. For the second URL the previous connection is re-used, along with the same nonce as for the first request. The second request should/must include a nc=00000002 instead of 1 because the same nonce value is used the second time. When using a curl version built with OpenSSL this is done automatically, but with WinSSPI this increment is missing.
I observed that this behavior results in 401-errors for the second request on an AXIS IP camera.
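The nonce-count behaviour reported in this issue, as an added example that is not part of the original thread or of curl's code: it computes the RFC 2617 `qop=auth` response and runs two requests that reuse one nonce against a server model that rejects a repeated `nc`. The `StrictServer` class, the realm and the nonce are constructed assumptions; only the user, password and path come from the issue.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; only the user, password and path appear in the issue.
USER, PASSWORD, URI = "user1", "user1", "/auth-digest/"
REALM, NONCE = "test", "constructed-server-nonce"


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth, algorithm=MD5; nc is an int."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")


class StrictServer:
    """Hypothetical server that accepts a nonce only with a strictly increasing nc."""

    def __init__(self):
        self.last_nc = 0

    def check(self, nc, cnonce, response):
        expected = digest_response(USER, REALM, PASSWORD, "GET", URI, NONCE, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return 401  # wrong credentials or tampered fields
        if nc <= self.last_nc:
            return 401  # nc reused for this nonce: treated as a replay
        self.last_nc = nc
        return 200


def run_client(increment_nc):
    """Send two requests that reuse one server nonce; return both status codes."""
    server, statuses, nc = StrictServer(), [], 0
    for _ in range(2):
        nc = nc + 1 if increment_nc else 1  # False models the behaviour reported here
        cnonce = secrets.token_hex(8)
        response = digest_response(USER, REALM, PASSWORD, "GET", URI, NONCE, nc, cnonce)
        statuses.append(server.check(nc, cnonce, response))
    return statuses


if __name__ == "__main__":
    print("nc incremented:", run_client(True))
    print("nc stuck at 1: ", run_client(False))
```

Because `nc` is part of the hashed string, a server cannot accept the second request by simply ignoring the counter: it must recompute the digest with the value the client sent and then decide whether that value is acceptable for the nonce.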