authorDavid Woodhouse <David.Woodhouse@intel.com>2014-07-11 10:55:07 +0100
committerDaniel Stenberg <daniel@haxx.se>2014-07-16 17:26:08 +0200
commit59431c242bf1d93980756fa2db2d08744bfa79d3 (patch)
treea12e313fc08e3e314b47f4b7377035292f355738 /lib/curl_gssapi.c
parent9ad282b1ae1135e7d5dd2e466ff8671c1e4ee04b (diff)
Use SPNEGO for HTTP Negotiate
This is the correct way to do SPNEGO. Just ask for it. Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket isn't available. Of course, we bail out when the server responds with the challenge packet, since we don't expect that. But I'll fix that bug next...
Diffstat (limited to 'lib/curl_gssapi.c')
-rw-r--r--lib/curl_gssapi.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
index fabbe3598..af1813b03 100644
--- a/lib/curl_gssapi.c
+++ b/lib/curl_gssapi.c
@@ -27,11 +27,18 @@
#include "curl_gssapi.h"
#include "sendf.h"
+static const char spnego_OID[] = "\x2b\x06\x01\x05\x05\x02";
+static const gss_OID_desc gss_mech_spnego = {
+ 6,
+ &spnego_OID
+};
+
OM_uint32 Curl_gss_init_sec_context(
struct SessionHandle *data,
OM_uint32 * minor_status,
gss_ctx_id_t * context,
gss_name_t target_name,
+ bool use_spnego,
gss_channel_bindings_t input_chan_bindings,
gss_buffer_t input_token,
gss_buffer_t output_token,
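Review bot: The initializer `&spnego_OID` has type pointer-to-const-array, so storing it in the `void *elements` member of `gss_OID_desc` silently drops the `const` qualifier and will draw a discarded-qualifier diagnostic on stricter builds. An explicit `(void *)spnego_OID` states the intent. The length `6` is also hard-coded next to the string literal it describes; `sizeof(spnego_OID) - 1` keeps the two from drifting apart. A one-line comment such as `/* SPNEGO mechanism OID 1.3.6.1.5.5.2, DER-encoded content bytes */` above the array would let a reader check the bytes without decoding them. The signature of Curl_gss_init_sec_context continues past the end of this hunk.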
@@ -55,7 +62,7 @@ OM_uint32 Curl_gss_init_sec_context(
GSS_C_NO_CREDENTIAL, /* cred_handle */
context,
target_name,
- GSS_C_NO_OID, /* mech_type */
+ use_spnego ? (gss_OID)&gss_mech_spnego : GSS_C_NO_OID,
req_flags,
0, /* time_req */
input_chan_bindings,
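Review bot: With `use_spnego` set, the mechanism that actually authenticates is whatever the GSS-API library negotiates, and nothing visible in this hunk lets the caller learn or constrain that outcome. The commit message already notes a fallback to NTLMSSP when no Kerberos ticket is available. The rest of the gss_init_sec_context call lies outside the hunk; if its actual_mech_type output is passed as NULL there, consider capturing it and reporting the negotiated mechanism in verbose output so a fallback away from Kerberos is visible to the user. Separately, `(gss_OID)&gss_mech_spnego` casts away the `const` of the static descriptor; a comment such as `/* API takes a non-const gss_OID; the descriptor is not modified */` would mark the cast as deliberate.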