proxy: make ConnectionExists() check credential of proxyconnections too

Previously it only compared credentials if the requested needle
connection wasn't using a proxy. This caused NTLM authentication
failures when using proxies as the authentication code wasn't send on
the connection where the challenge arrived.

Added test 1215 to verify: NTLM server authentication through a proxy
(This is a modified copy of test 67)

diff --git a/lib/url.c b/lib/url.c
index 33876478b0fd7bdb26b03370bfe949c4a6bc5be2..4399162a9daa64b5e4d157692ce1aab60f089c26 100644 (file)
--- a/lib/url.c
+++ b/lib/url.c
@@ -2974,6 +2974,18 @@ ConnectionExists(struct SessionHandle *data,
           continue;
       }
 
+      if((needle->handler->protocol & CURLPROTO_FTP) ||
+         ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {
+         /* This is FTP or HTTP+NTLM, verify that we're using the same name
+            and password as well */
+         if(!strequal(needle->user, check->user) ||
+            !strequal(needle->passwd, check->passwd)) {
+            /* one of them was different */
+            continue;
+         }
+         credentialsMatch = TRUE;
+      }
+
       if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
          (needle->bits.httpproxy && check->bits.httpproxy &&
           needle->bits.tunnel_proxy && check->bits.tunnel_proxy &&
@@ -3007,17 +3019,6 @@ ConnectionExists(struct SessionHandle *data,
               continue;
             }
           }
-          if((needle->handler->protocol & CURLPROTO_FTP) ||
-             ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {
-            /* This is FTP or HTTP+NTLM, verify that we're using the same name
-               and password as well */
-            if(!strequal(needle->user, check->user) ||
-               !strequal(needle->passwd, check->passwd)) {
-              /* one of them was different */
-              continue;
-            }
-            credentialsMatch = TRUE;
-          }
           match = TRUE;
         }
       }

diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index a6eb2e07eda1807a4ba0ed35fd8335d05d80e833..5ef2de6b720bbe6fd201a9b5dad7ff2eb123199f 100644 (file)
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -88,7 +88,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
 test1128 test1129 test1130 test1131 test1132 test1133 \
 \
 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
-test1208 test1209 test1210 test1211 test1212 test1213 test1214 \
+test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
 \
 test1220 test1221 test1222 test1223 \
 \

diff --git a/tests/data/test1215 b/tests/data/test1215
new file mode 100644 (file)
index 0000000..ea62eeb
--- /dev/null
+++ b/tests/data/test1215
@@ -0,0 +1,104 @@
+<testcase>
+<info>
+# This test is a copy of test 67, modified to use a HTTP proxy.
+<keywords>
+HTTP
+HTTP GET
+HTTP NTLM auth
+HTTP proxy
+</keywords>
+</info>
+# Server-side
+<reply>
+
+<!-- no <data> in this test since we have NTLM from the start
+
+This is supposed to be returned when the server gets a first
+Authorization: NTLM line passed-in from the client -->
+
+<data1001>
+HTTP/1.1 401 Now gimme that second request of crap
+Server: Microsoft-IIS/5.0
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 34
+WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAgACADAAAAAGgoEAc51AYVDgyNcAAAAAAAAAAG4AbgAyAAAAQ0MCAAQAQwBDAAEAEgBFAEwASQBTAEEAQgBFAFQASAAEABgAYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAwAsAGUAbABpAHMAYQBiAGUAdABoAC4AYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAAAAAA==
+
+This is not the real page either!
+</data1001>
+
+# This is supposed to be returned when the server gets the second
+# Authorization: NTLM line passed-in from the client
+<data1002>
+HTTP/1.1 200 Things are fine in server land swsclose
+Server: Microsoft-IIS/5.0
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 32
+
+Finally, this is the real page!
+</data1002>
+
+<datacheck>
+HTTP/1.1 401 Now gimme that second request of crap
+Server: Microsoft-IIS/5.0
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 34
+WWW-Authenticate: NTLM TlRMTVNTUAACAAAAAgACADAAAAAGgoEAc51AYVDgyNcAAAAAAAAAAG4AbgAyAAAAQ0MCAAQAQwBDAAEAEgBFAEwASQBTAEEAQgBFAFQASAAEABgAYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAwAsAGUAbABpAHMAYQBiAGUAdABoAC4AYwBjAC4AaQBjAGUAZABlAHYALgBuAHUAAAAAAA==
+
+HTTP/1.1 200 Things are fine in server land swsclose
+Server: Microsoft-IIS/5.0
+Content-Type: text/html; charset=iso-8859-1
+Content-Length: 32
+
+Finally, this is the real page!
+</datacheck>
+
+</reply>
+
+# Client-side
+<client>
+<features>
+NTLM
+</features>
+<server>
+http
+</server>
+ <name>
+HTTP with server NTLM authorization using a proxy
+ </name>
+ <setenv>
+# we force our own host name, in order to make the test machine independent
+CURL_GETHOSTNAME=curlhost
+# we try to use the LD_PRELOAD hack, if not a debug build
+LD_PRELOAD=%PWD/libtest/.libs/libhostname.so
+ </setenv>
+ <command>
+http://%HOSTIP:%HTTPPORT/1215 -u testuser:testpass --ntlm --proxy http://%HOSTIP:%HTTPPORT
+</command>
+<precheck>
+chkhostname curlhost
+</precheck>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET http://%HOSTIP:%HTTPPORT/1215 HTTP/1.1\r
+Authorization: NTLM TlRMTVNTUAABAAAABoIIAAAAAAAAAAAAAAAAAAAAAAA=\r
+User-Agent: curl/7.30.0-DEV\r
+Host: %HOSTIP:%HTTPPORT\r
+Accept: */*\r
+Proxy-Connection: Keep-Alive\r
+\r
+GET http://%HOSTIP:%HTTPPORT/1215 HTTP/1.1\r
+Authorization: NTLM TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAAAAABwAAAACAAIAHAAAAAIAAgAeAAAAAAAAAAAAAAABoKBAFpkQwKRCZFMhjj0tw47wEjKHRHlvzfxQamFcheMuv8v+xeqphEO5V41xRd7R9deOXRlc3R1c2VyY3VybGhvc3Q=\r
+User-Agent: curl/7.30.0-DEV\r
+Host: %HOSTIP:%HTTPPORT\r
+Accept: */*\r
+Proxy-Connection: Keep-Alive\r
+\r
+</protocol>
+</verify>
+</testcase>