Commit 6bc76194 authored by David Woodhouse's avatar David Woodhouse Committed by Daniel Stenberg
Browse files

Don't abort Negotiate auth when the server has a response for us 

It's wrong to assume that we can send a single SPNEGO packet which will
complete the authentication. It's a *negotiation* — the clue is in the
name. So make sure we handle responses from the server.

Curl_input_negotiate() will already handle bailing out if it thinks the
state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps
talking to us, so we should avoid endless loops that way.
parent f78ae415

lib/http.c

+2 −7
Original line number Diff line number Diff line
@@ -775,13 +775,8 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy, 
      authp->avail |= CURLAUTH_GSSNEGOTIATE;



      if(authp->picked == CURLAUTH_GSSNEGOTIATE) {

        if(data->state.negotiate.state == GSS_AUTHSENT) {

          /* if we sent GSS authentication in the outgoing request and we get

             this back, we're in trouble */

          infof(data, "Authentication problem. Ignoring this.\n");

          data->state.authproblem = TRUE;

        }

        else if(data->state.negotiate.state == GSS_AUTHNONE) {

        if(data->state.negotiate.state == GSS_AUTHSENT ||

           data->state.negotiate.state == GSS_AUTHNONE) {

          neg = Curl_input_negotiate(conn, proxy, auth);

          if(neg == 0) {

            DEBUGASSERT(!data->req.newurl);