Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[http] Work around stateful authentication schemes
As pointedly documented in RFC7230 section 2.3, HTTP is a stateless
protocol: each request message can be understood in isolation from any
other requests or responses.  Various authentication schemes such as
NTLM break this fundamental property of HTTP and rely on the same TCP
connection being reused.

Work around these broken authentication schemes by ensuring that the
most recently pooled connection is reused for the subsequent
authentication retry.

Reported-by: Andreas Hammarskjöld <junior@2PintSoftware.com>
Tested-by: Andreas Hammarskjöld <junior@2PintSoftware.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
  • Loading branch information
mcb30 committed Jun 8, 2018
1 parent 960d1e3 commit e7f67d5
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 2 deletions.
9 changes: 7 additions & 2 deletions src/net/tcp/httpconn.c
Expand Up @@ -252,8 +252,13 @@ int http_connect ( struct interface *xfer, struct uri *uri ) {
/* Identify port */
port = uri_port ( uri, scheme->port );

/* Look for a reusable connection in the pool */
list_for_each_entry ( conn, &http_connection_pool, pool.list ) {
/* Look for a reusable connection in the pool. Reuse the most
* recent connection in order to accommodate authentication
* schemes that break the stateless nature of HTTP and rely on
* the same connection being reused for authentication
* responses.
*/
list_for_each_entry_reverse ( conn, &http_connection_pool, pool.list ) {

/* Sanity checks */
assert ( conn->uri != NULL );
Expand Down
12 changes: 12 additions & 0 deletions src/net/tcp/httpcore.c
Expand Up @@ -778,6 +778,18 @@ static int http_transfer_complete ( struct http_transaction *http ) {
http->len = 0;
assert ( http->remaining == 0 );

/* Retry immediately if applicable. We cannot rely on an
* immediate timer expiry, since certain Microsoft-designed
* HTTP extensions such as NTLM break the fundamentally
* stateless nature of HTTP and rely on the same connection
* being reused for authentication. See RFC7230 section 2.3
* for further details.
*/
if ( ! http->response.retry_after ) {
http_reopen ( http );
return 0;
}

/* Start timer to initiate retry */
DBGC2 ( http, "HTTP %p retrying after %d seconds\n",
http, http->response.retry_after );
Expand Down

0 comments on commit e7f67d5

Please sign in to comment.