http_negotiate_sspi: Fixed endless unauthorized loop in commit 6bc76194e8

If the server rejects our authentication attempt and curl hasn't called CompleteAuthToken() then the status variable will be SEC_I_CONTINUE_NEEDED and not SEC_E_OK. As such the existing detection mechanism for determining whether or not the authentication process has finished is not sufficient. However, the WWW-Authenticate: Negotiate header line will not contain any data when the server has exhausted the negotiation, so we can use that coupled with the already allocated context pointer.
2024-12-22 16:18:48 -05:00 · 2014-08-06 00:12:53 +01:00 · 2014-08-06 00:12:53 +01:00 · f8af8606a5
commit f8af8606a5
parent 524833e155
1 changed files with 7 additions and 2 deletions
--- a/lib/http_negotiate_sspi.c
+++ b/lib/http_negotiate_sspi.c
@ -117,9 +117,14 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,

  len = strlen(header);
  if(!len) {
-    /* first call in a new negotation, we have to acquire credentials,
-       and allocate memory for the context */
+    /* Is this the first call in a new negotiation? */
+    if(neg_ctx->context) {
+      /* The server rejected our authentication and hasn't suppled any more
+         negotiation mechanisms */
+      return -1;
+    }

+    /* We have to acquire credentials and allocate memory for the context */
    neg_ctx->credentials = malloc(sizeof(CredHandle));
    neg_ctx->context = malloc(sizeof(CtxtHandle));