http_negotiate_sspi: Fixed endless unauthorized loop in commit 6bc7619

If the server rejects our authentication attempt and curl hasn't called CompleteAuthToken() then the status variable will be SEC_I_CONTINUE_NEEDED and not SEC_E_OK. As such the existing detection mechanism for determining whether or not the authentication process has finished is not sufficient. However, the WWW-Authenticate: Negotiate header line will not contain any data when the server has exhausted the negotiation, so we can use that coupled with the already allocated context pointer.
curl · Aug 6, 2014 · f8af860 · f8af860
1 parent 524833e
commit f8af860
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/lib/http_negotiate_sspi.c b/lib/http_negotiate_sspi.c
@@ -117,9 +117,14 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
 
   len = strlen(header);
   if(!len) {
-    /* first call in a new negotation, we have to acquire credentials,
-       and allocate memory for the context */
+    /* Is this the first call in a new negotiation? */
+    if(neg_ctx->context) {
+      /* The server rejected our authentication and hasn't suppled any more
+         negotiation mechanisms */
+      return -1;
+    }
 
+    /* We have to acquire credentials and allocate memory for the context */
     neg_ctx->credentials = malloc(sizeof(CredHandle));
     neg_ctx->context = malloc(sizeof(CtxtHandle));