diff options
author | Michael Brown | 2017-11-07 12:33:13 +0100 |
---|---|---|
committer | Michael Brown | 2017-11-12 19:52:03 +0100 |
commit | c49acbb4d2d84c6cb2faacd18fa21ed5d12ed450 (patch) | |
tree | 8a8903067c05a1a79a4f5baba5f4bff13b71882e | |
parent | [ntlm] Add support for NTLM authentication mechanism (diff) | |
download | ipxe-c49acbb4d2d84c6cb2faacd18fa21ed5d12ed450.tar.gz ipxe-c49acbb4d2d84c6cb2faacd18fa21ed5d12ed450.tar.xz ipxe-c49acbb4d2d84c6cb2faacd18fa21ed5d12ed450.zip |
[http] Gracefully handle offers of multiple authentication schemes
Servers may provide multiple WWW-Authenticate headers, each offering a
different authentication scheme. We currently fail the request as
soon as we encounter an unrecognised scheme, which prevents subsequent
offers from succeeding.
Fix by silently ignoring headers for schemes that we do not recognise.
If no schemes are recognised then the request will eventually fail
anyway due to the 401 response code.
If multiple schemes are supported, arbitrarily choose the scheme
appearing first within the response headers.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r-- | src/net/tcp/httpauth.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/net/tcp/httpauth.c b/src/net/tcp/httpauth.c index fb6dcd03..bb327244 100644 --- a/src/net/tcp/httpauth.c +++ b/src/net/tcp/httpauth.c @@ -104,6 +104,7 @@ static struct http_www_authenticate_field http_www_auth_fields[] = { static int http_parse_www_authenticate ( struct http_transaction *http, char *line ) { struct http_www_authenticate_field *field; + struct http_authentication *auth; char *name; char *key; char *value; @@ -118,13 +119,19 @@ static int http_parse_www_authenticate ( struct http_transaction *http, } /* Identify scheme */ - http->response.auth.auth = http_authentication ( name ); - if ( ! http->response.auth.auth ) { + auth = http_authentication ( name ); + if ( ! auth ) { DBGC ( http, "HTTP %p unrecognised authentication scheme " "\"%s\"\n", http, name ); - return -ENOTSUP; + /* Ignore; the server may offer other schemes */ + return 0; } + /* Use first supported scheme */ + if ( http->response.auth.auth ) + return 0; + http->response.auth.auth = auth; + /* Process fields */ while ( ( key = http_token ( &line, &value ) ) ) { for ( i = 0 ; i < ( sizeof ( http_www_auth_fields ) / |