[PATCH] Bug 3643: Connection Auth redesign

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 26 Mar 2013 16:59:25 +1300

"
Bug 3643: NTLM helpers stuck in reserved state by Safari

NTLM failures are not always cleaning up connection-auth credentials
properly. In particular they are not releasing the NTLM helpers when
the connection is closed between challenge and handshake completion.
This results in permanently reserved helpers locking up all access
through the proxy.

This change redesigns the connection authentication state management
to move the auth link/unlink operations into the connection state
manager objects instead of being managed by NTLM auth components.
As a result we are able to manage credentials from any auth scheme
consistently and terminate the connection properly on several
error conditions which the auth components are not easily aware of.

  Fix sponsored by Netbox Blue Pty (http://netboxblue.com/)
"

The bulk of the patch is symbol changes since we are moving the
credentials from a public member variable to private one with accessors.

The core of the patch logic is contained in
ConnStateData::setConnectionAuth, which performs error checking and
triggers termination of the connection in various ways determined by the
type of error that was encountered.

In summary:
  - once credentials are set they are baked into the connection state.
  - all following requests require a credentials token matching the
one held in the connection state.
  - any request lacking credentials (or setting NULL) will terminate the
connection gracefully. It should end with an auth re-challenge, but that
specific detail does depend on ACLs.
  - any request with a new or altered auth token (injection attacks,
broken relay pinning) will terminate the connection immediately (expect
lost bytes).
  - any pinned server connection, and any pinned stateful auth helper, is
unpinned/released on credential errors.

Specific cases and handling are covered in greater detail in the patch
comments.

It also adds a stub file for client_side.h functionality.

Amos
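The state handling summarised in the message above, as an added stand-alone
model that is not Squid's code: the class, method and token names
(ConnState, setConnectionAuth, connectionClosed, PinnedServer, AuthHelper,
"TOKEN-A") are hypothetical stand-ins, and the real
ConnStateData::setConnectionAuth is not reproduced here. It shows the four
outcomes listed in the summary (bake in, match, graceful close on missing
credentials, immediate close on an altered token), releases the pinned
server and reserved helper on every error path, and also releases them
when the client closes mid-handshake, which is the helper leak the bug
report describes.

```cpp
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Outcome of presenting a request's credentials to the connection state.
enum class AuthResult { Accepted, TerminateGraceful, TerminateImmediate };

// Hypothetical stand-ins for a pinned server connection and a reserved
// stateful auth helper (NTLM/Negotiate). Only their link state matters here.
struct PinnedServer { bool pinned = false; };
struct AuthHelper   { bool reserved = false; };

// Hypothetical connection-state manager. It owns the auth link/unlink
// decisions so every scheme and every error path is handled in one place.
class ConnState {
public:
    void pinServer(PinnedServer &s)   { s.pinned = true;   server_ = &s; }
    void reserveHelper(AuthHelper &h) { h.reserved = true; helper_ = &h; }

    // Model of setConnectionAuth(): the first token is baked into the
    // connection; every later request must present exactly that token.
    AuthResult setConnectionAuth(const std::optional<std::string> &token) {
        if (!auth_) {
            // Assumption: requests before any credentials are set pass
            // through (anonymous or ACL-permitted) and bake in nothing.
            if (token) auth_ = *token;
            return AuthResult::Accepted;
        }
        if (!token) {
            // Credentials dropped (or set to NULL): release everything and
            // stop reading; the reply in flight (normally a re-challenge,
            // subject to ACLs) is still delivered before the close.
            unlinkAll();
            stopReceiving_ = true;
            return AuthResult::TerminateGraceful;
        }
        if (*token != *auth_) {
            // New or altered token on an authenticated connection: treat it
            // as injection / broken relay pinning and close at once, so any
            // bytes already buffered for this connection are lost.
            unlinkAll();
            stopReceiving_ = true;
            closeNow_ = true;
            return AuthResult::TerminateImmediate;
        }
        return AuthResult::Accepted;
    }

    // Called when the client closes at any point, including between the
    // challenge and handshake completion: the helper must not stay reserved.
    void connectionClosed() { unlinkAll(); }

    bool stopReceiving() const { return stopReceiving_; }
    bool closeNow()      const { return closeNow_; }
    bool hasAuth()       const { return auth_.has_value(); }

private:
    void unlinkAll() {
        if (server_) { server_->pinned   = false; server_ = nullptr; }
        if (helper_) { helper_->reserved = false; helper_ = nullptr; }
    }
    std::optional<std::string> auth_;
    PinnedServer *server_ = nullptr;
    AuthHelper   *helper_ = nullptr;
    bool stopReceiving_ = false;
    bool closeNow_      = false;
};

// Feeds a constructed sequence of per-request tokens to one connection and
// returns the outcome of each, so a whole scenario can be checked at once.
std::vector<AuthResult> replay(ConnState &c,
                               const std::vector<std::optional<std::string>> &tokens) {
    std::vector<AuthResult> out;
    for (const auto &t : tokens)
        out.push_back(c.setConnectionAuth(t));
    return out;
}

int main() {
    // Constructed tokens: opaque connection-auth credential strings.
    const std::string tok = "TOKEN-A";
    ConnState c; PinnedServer s; AuthHelper h;
    c.pinServer(s); c.reserveHelper(h);
    auto r = replay(c, {std::nullopt, tok, tok, std::string("TOKEN-B")});
    std::cout << "altered token -> immediate close: "
              << (r.back() == AuthResult::TerminateImmediate && c.closeNow()) << '\n'
              << "helper released: " << !h.reserved
              << ", server unpinned: " << !s.pinned << '\n';
    return 0;
}
```

The two termination modes differ only in whether closeNow() is set: the
graceful path lets the current reply (the re-challenge, if ACLs produce one)
drain before the socket is closed, while the altered-token path closes
without waiting, which is why the message warns to expect lost bytes.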

Received on Tue Mar 26 2013 - 03:59:33 MDT