[http] Gracefully handle offers of multiple authentication schemes

Servers may provide multiple WWW-Authenticate headers, each offering a different authentication scheme. We currently fail the request as soon as we encounter an unrecognised scheme, which prevents subsequent offers from succeeding. Fix by silently ignoring headers for schemes that we do not recognise. If no schemes are recognised then the request will eventually fail anyway due to the 401 response code. If multiple schemes are supported, arbitrarily choose the scheme appearing first within the response headers. Signed-off-by: Michael Brown <mcb30@ipxe.org>
ipxe · Nov 12, 2017 · c49acbb · c49acbb
1 parent fc2f0dd
commit c49acbb
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/src/net/tcp/httpauth.c b/src/net/tcp/httpauth.c
@@ -104,6 +104,7 @@ static struct http_www_authenticate_field http_www_auth_fields[] = {
 static int http_parse_www_authenticate ( struct http_transaction *http,
 					 char *line ) {
 	struct http_www_authenticate_field *field;
+	struct http_authentication *auth;
 	char *name;
 	char *key;
 	char *value;
@@ -118,13 +119,19 @@ static int http_parse_www_authenticate ( struct http_transaction *http,
 	}
 
 	/* Identify scheme */
-	http->response.auth.auth = http_authentication ( name );
-	if ( ! http->response.auth.auth ) {
+	auth = http_authentication ( name );
+	if ( ! auth ) {
 		DBGC ( http, "HTTP %p unrecognised authentication scheme "
 		       "\"%s\"\n", http, name );
-		return -ENOTSUP;
+		/* Ignore; the server may offer other schemes */
+		return 0;
 	}
 
+	/* Use first supported scheme */
+	if ( http->response.auth.auth )
+		return 0;
+	http->response.auth.auth = auth;
+
 	/* Process fields */
 	while ( ( key = http_token ( &line, &value ) ) ) {
 		for ( i = 0 ; i < ( sizeof ( http_www_auth_fields ) /