Hello,
I found an issue with Windows authentication when using THttpApiServer and Kerberos (Negotiate), when mORMot (SynCrtSock.pas) is compiled for 64 bits.
When testing on 32 bits, after an authentication attempt, the field "RequestInfoCount" of structure "HTTP_REQUEST" contains a value > 0.
But when testing on 64 bits, "RequestInfoCount" is equal to 0 and the correct value is found inside the field "xxxPadding" of structure "HTTP_REQUEST", which is directly before "RequestInfoCount".
I've "fixed" the issue by adding an IFNDEF around "xxxPadding" like this:
// beginning of HTTP_REQUEST_V2 structure (fields appended after the V1 members)
{$IFNDEF CPU64}
xxxPadding: DWORD; // 4-byte filler, kept only in the Win32 layout
{$ENDIF}
RequestInfoCount: word;
However, C to Delphi structure conversion and field size/alignment is not my area of expertise and I'm not sure at all that this is the proper fix.
Please advise.
Regards,
Alex.
Last edited by HgAlexx (2020-06-10 10:29:52)
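The behaviour described in the post above (RequestInfoCount landing four bytes later on Win32 than on Win64) follows from how the C compiler pads HTTP_REQUEST_V1 before the HTTP_REQUEST_V2 members are appended. The program below is an added example, not mORMot or Synopse code: it is a small struct-layout calculator that applies the C/C++ alignment rules (each member at its natural alignment, struct size rounded up to the largest member alignment, MSVC's default 8-byte packing) to the HTTP_REQUEST_V1 member list transcribed from http.h, once with 4-byte pointers and once with 8-byte pointers. The member names and sizes are taken from the Windows SDK header; the helper names (layout, layout_v1, v1_tail_padding, request_info_count_offset) are this example's own.

```c
/*
 * Added example (not mORMot/Synopse code): struct-layout calculator for
 * HTTP_REQUEST_V1 / HTTP_REQUEST_V2 with 4-byte (Win32) and 8-byte (Win64)
 * pointers. Member list transcribed from http.h; HttpHeaderRequestMaximum = 41.
 * Assumes MSVC default packing (/Zp8): ULONGLONG is 8-byte aligned on Win32.
 */
#include <stddef.h>
#include <stdio.h>

typedef struct { const char *name; size_t size, align; } Field;

static size_t align_up(size_t n, size_t a) { return (n + a - 1) / a * a; }

/* Lay out n members in declaration order. Fills offsets[], stores the struct's
 * own alignment in *align_out and returns the padded struct size. */
static size_t layout(const Field *f, size_t n, size_t *offsets, size_t *align_out)
{
    size_t off = 0, align = 1;
    for (size_t i = 0; i < n; i++) {
        off = align_up(off, f[i].align);   /* leading padding before member */
        offsets[i] = off;
        off += f[i].size;
        if (f[i].align > align) align = f[i].align;
    }
    *align_out = align;
    return align_up(off, align);           /* tail padding is added here */
}

#define V1_MEMBERS 18

/* HTTP_REQUEST_V1 for pointer size P: fills member offsets, returns sizeof(V1). */
static size_t layout_v1(size_t P, size_t offsets[V1_MEMBERS])
{
    size_t tmp[8], cooked_align, headers_align, v1_align;

    /* HTTP_COOKED_URL: four USHORT lengths followed by four PCWSTR pointers */
    const Field cooked[] = {
        {"FullUrlLength", 2, 2}, {"HostLength", 2, 2}, {"AbsPathLength", 2, 2},
        {"QueryStringLength", 2, 2}, {"pFullUrl", P, P}, {"pHost", P, P},
        {"pAbsPath", P, P}, {"pQueryString", P, P} };
    size_t cooked_size = layout(cooked, 8, tmp, &cooked_align);

    /* HTTP_REQUEST_HEADERS; HTTP_KNOWN_HEADER = {USHORT; PCSTR} = 2*P bytes, align P */
    const Field headers[] = {
        {"UnknownHeaderCount", 2, 2}, {"pUnknownHeaders", P, P},
        {"TrailerCount", 2, 2}, {"pTrailers", P, P},
        {"KnownHeaders[41]", 41 * 2 * P, P} };
    size_t headers_size = layout(headers, 5, tmp, &headers_align);

    const Field v1[V1_MEMBERS] = {
        {"Flags", 4, 4}, {"ConnectionId", 8, 8}, {"RequestId", 8, 8},
        {"UrlContext", 8, 8}, {"Version", 4, 2}, {"Verb", 4, 4},
        {"UnknownVerbLength", 2, 2}, {"RawUrlLength", 2, 2},
        {"pUnknownVerb", P, P}, {"pRawUrl", P, P},
        {"CookedUrl", cooked_size, cooked_align}, {"Address", 2 * P, P},
        {"Headers", headers_size, headers_align}, {"BytesReceived", 8, 8},
        {"EntityChunkCount", 2, 2}, {"pEntityChunks", P, P},
        {"RawConnectionId", 8, 8}, {"pSslInfo", P, P} };
    return layout(v1, V1_MEMBERS, offsets, &v1_align);
}

/* Bytes between the end of pSslInfo and sizeof(HTTP_REQUEST_V1): the filler a
 * flattened Delphi record has to reproduce explicitly. */
size_t v1_tail_padding(size_t P)
{
    size_t off[V1_MEMBERS];
    size_t size = layout_v1(P, off);
    return size - (off[V1_MEMBERS - 1] + P);
}

/* HTTP_REQUEST_V2 extends V1, so its first own member RequestInfoCount (USHORT)
 * starts at sizeof(V1), tail padding included. */
size_t request_info_count_offset(size_t P)
{
    size_t off[V1_MEMBERS];
    return align_up(layout_v1(P, off), 2);
}

int main(void)
{
    size_t sizes[] = { 4, 8 };
    for (int i = 0; i < 2; i++) {
        size_t P = sizes[i], off[V1_MEMBERS];
        printf("pointer size %zu: sizeof(HTTP_REQUEST_V1)=%zu, tail padding=%zu, "
               "RequestInfoCount at offset %zu\n", P, layout_v1(P, off),
               v1_tail_padding(P), request_info_count_offset(P));
    }
    return 0;
}
```

With 4-byte pointers the last V1 member (pSslInfo) ends on a 4-byte boundary, so the 8-byte struct alignment forces 4 bytes of tail padding and RequestInfoCount sits at offset 464; with 8-byte pointers the members already end on an 8-byte boundary, there is no tail padding and RequestInfoCount sits at 848. A Delphi record that flattens V1 and V2 into one type therefore needs the DWORD filler only on Win32, which is what the conditional above produces. On a Windows build the numbers can be cross-checked against the real header by printing sizeof(HTTP_REQUEST_V1) from a unit that includes http.h.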
Perhaps https://synopse.info/fossil/info/7e27e1df16 is a better way.
I'll give it a try, but I'm wondering:
- Won't this remove the padding when using 32 bits?
- Since 32 bits was working with the padding, will it still work?
@HgAlexx - BTW we have SynSSPIAuth (Windows) / SynGSSAPIAuth (Linux) for Negotiate authentication. Well tested in production for many years. And (IMHO) much more flexible compared to HTTP.SYS level authentication.
@mpv
I'm only using THttpApiServer, so it's practical for me that http.sys is handling all the back and forth regarding the Windows Auth, and it makes it very simple to implement on my side.
However, we have another issue with it (all requests are authenticated as the first user who logged in, kernel side), so I'll have a look at SynSSPIAuth and see if the issue persists.
@ab
On my way to test the new struct
@ab
The new struct works for 64 bits but no longer works for 32 bits.
The value of RequestInfoCount is offset and set into pRequestInfo
I put back your modification as https://synopse.info/fossil/info/be31dd9e97
Hope it works on both Win32 and Win64.