From beb8764c9d6550675be41889eb0cf2b78bca595f Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 25 Oct 2022 03:36:13 -0400
Subject: [PATCH] import openwsman-2.6.5-8.el8_6

---
 ...sman-2.6.5-http-unauthorized-improve.patch | 56 +++++++++++++++++++
 SPECS/openwsman.spec                          |  8 ++-
 2 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/openwsman-2.6.5-http-unauthorized-improve.patch

diff --git a/SOURCES/openwsman-2.6.5-http-unauthorized-improve.patch b/SOURCES/openwsman-2.6.5-http-unauthorized-improve.patch
new file mode 100644
index 0000000..e9f7537
--- /dev/null
+++ b/SOURCES/openwsman-2.6.5-http-unauthorized-improve.patch
@@ -0,0 +1,56 @@
+diff -up openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig openwsman-2.6.5/src/lib/wsman-curl-client-transport.c
+--- openwsman-2.6.5/src/lib/wsman-curl-client-transport.c.orig	2022-09-08 10:36:46.265107915 +0200
++++ openwsman-2.6.5/src/lib/wsman-curl-client-transport.c	2022-09-08 10:36:46.273107919 +0200
+@@ -452,6 +452,7 @@ wsmc_handler( WsManClient *cl,
+ 	long http_code;
+ 	long auth_avail = 0;
+ 	char *_user = NULL, *_pass = NULL;
++	int _no_auth = 0; /* 0 if authentication is used, 1 if no authentication was used */
+ 	u_buf_t *response = NULL;
+ 	//char *soapaction;
+ 	char *tmp_str = NULL;
+@@ -551,6 +552,7 @@ wsmc_handler( WsManClient *cl,
+ 		_user = wsmc_get_user(cl);
+ 		_pass = wsmc_get_password(cl);
+ 		if (_user && _pass && cl->data.auth_set) {
++			_no_auth = 0;
+ 			r = curl_easy_setopt(curl, CURLOPT_HTTPAUTH, cl->data.auth_set);
+ 			if (r != CURLE_OK) {
+ 				cl->fault_string = u_strdup(curl_easy_strerror(r));
+@@ -571,6 +573,11 @@ wsmc_handler( WsManClient *cl,
+ 				curl_err("curl_easy_setopt(curl, CURLOPT_USERPWD, ..) failed");
+ 				goto DONE;
+ 			}
++        } else {
++            /* request without user credentials, remember this for
++             * later use when it might become necessary to print an error message
++             */
++            _no_auth = 1;
+ 		}
+ 
+ 		if (wsman_debug_level_debugged(DEBUG_LEVEL_MESSAGE)) {
+@@ -603,6 +610,24 @@ wsmc_handler( WsManClient *cl,
+ 				break;
+ 			case 401:
+ 				// The server requires authentication.
++                /* RFC 2616 states:
++                 *
++                 * If the request already included Authorization credentials, then the 401
++                 * response indicates that authorization has been refused for those
++                 * credentials. If the 401 response contains the same challenge as the
++                 * prior response, and the user agent has already attempted
++                 * authentication at least once, then the user SHOULD be presented the
++                 * entity that was given in the response, since that entity might
++                 * include relevant diagnostic information.
++                 */
++                if (_no_auth == 0) {
++                    /* no authentication credentials were used. It is only
++                     * possible to write a message about the current situation. There
++                     * is no information about the last attempt to access the resource.
++                     * Maybe at a later point in time I will implement more state information.
++                     */
++                    fprintf(stdout,"Authentication failed, please retry\n");
++                }
+ 				break;
+ 			default:
+ 				// The status code does not indicate success.
diff --git a/SPECS/openwsman.spec b/SPECS/openwsman.spec
index 0b54272..733bc36 100644
--- a/SPECS/openwsman.spec
+++ b/SPECS/openwsman.spec
@@ -3,7 +3,7 @@
 
 Name:		openwsman
 Version:	2.6.5
-Release:	7%{?dist}
+Release:	8%{?dist}
 Summary:	Open source Implementation of WS-Management
 
 License:	BSD
@@ -23,6 +23,7 @@ Patch5:		openwsman-2.6.5-fix-set-cipher-list-retval-check.patch
 Patch6:		openwsman-2.6.5-CVE-2019-3816.patch
 # Patch7: fixes CVE-2019-3833, rhbz#1687865
 Patch7:		openwsman-2.6.5-CVE-2019-3833.patch
+Patch8:		openwsman-2.6.5-http-unauthorized-improve.patch
 BuildRequires:	swig
 BuildRequires:	libcurl-devel libxml2-devel pam-devel sblim-sfcc-devel
 BuildRequires:	python3 python3-devel ruby ruby-devel rubygems-devel perl-interpreter
@@ -131,6 +132,7 @@ You can use it to send shell commands to a remote Windows hosts.
 %patch5 -p1 -b .fix-set-cipher-list-retval-check
 %patch6 -p1 -b .CVE-2019-3816
 %patch7 -p1 -b .CVE-2019-3833
+%patch8 -p1 -b .http-unauthorized-improve
 
 %build
 # Removing executable permissions on .c and .h files to fix rpmlint warnings. 
@@ -287,6 +289,10 @@ rm -f /var/log/wsmand.log
 %{_bindir}/winrs
 
 %changelog
+* Thu Sep 08 2022 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-8
+- Improve handling of HTTP 401 Unauthorized
+  Resolves: #2124893
+
 * Mon May 11 2020 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.6.5-7
 - Fix CVE-2019-3833
   Resolves: #1687865