curl-library
[PATCH 4/5] Don't abort Negotiate auth when the server has a response for us
From: David Woodhouse <dwmw2_at_infradead.org>
Date: Fri, 11 Jul 2014 12:29:22 +0100
Received on 2014-07-11
From: David Woodhouse <David.Woodhouse_at_intel.com>
It's wrong to assume that we can send a single SPNEGO packet which will
complete the authentication. It's a *negotiation* — the clue is in the
name. So make sure we handle responses from the server.
Curl_input_negotiate() will already handle bailing out if it thinks the
state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps
talking to us, so we should avoid endless loops that way.
---
lib/http.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index 249da0f..fe9ae3e 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -775,13 +775,8 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy,
authp->avail |= CURLAUTH_GSSNEGOTIATE;
if(authp->picked == CURLAUTH_GSSNEGOTIATE) {
- if(data->state.negotiate.state == GSS_AUTHSENT) {
- /* if we sent GSS authentication in the outgoing request and we get
- this back, we're in trouble */
- infof(data, "Authentication problem. Ignoring this.\n");
- data->state.authproblem = TRUE;
- }
- else if(data->state.negotiate.state == GSS_AUTHNONE) {
+ if(data->state.negotiate.state == GSS_AUTHSENT ||
+ data->state.negotiate.state == GSS_AUTHNONE) {
neg = Curl_input_negotiate(conn, proxy, auth);
if(neg == 0) {
DEBUGASSERT(!data->req.newurl);
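Review bot: The merged condition `GSS_AUTHSENT || GSS_AUTHNONE` removes the only line in this hunk that set `data->state.authproblem = TRUE`, and the deleted comment is not replaced, so the code no longer says what stops a server that keeps answering with Negotiate after we have sent our token. The commit message states that Curl_input_negotiate() bails out once the context is GSS_S_COMPLETE (or SEC_E_OK); please add a short comment at the new condition saying that loop termination is delegated to that function, and confirm that the `neg != 0` path, which is outside the visible lines, still ends the exchange instead of retrying. A test with a server that returns a continuation token after the first request, and another that keeps challenging after completion, would cover both the new multi-round path and the bail-out.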
--
1.9.3
--
David Woodhouse Open Source Technology Centre
David.Woodhouse_at_intel.com Intel Corporation