http: ensure the scheme supports the credentialsethomson/creds_for_scheme

When a server responds with multiple scheme support - for example,
Negotiate and NTLM are commonly used together - we need to ensure that
we choose a scheme that supports the credentials.

1 files changed, 9 insertions, 4 deletions

diff --git a/src/transports/http.c b/src/transports/http.c
index 7ec681c41..a5b40ce95 100644
--- a/src/transports/http.c
+++ b/src/transports/http.c
@@ -129,17 +129,22 @@ typedef struct {
 	size_t *bytes_read;
 } parser_context;
 
-static git_http_auth_scheme *scheme_for_challenge(const char *challenge)
+static git_http_auth_scheme *scheme_for_challenge(
+	const char *challenge,
+	git_cred *cred)
 {
 	git_http_auth_scheme *scheme = NULL;
 	size_t i;
 
 	for (i = 0; i < ARRAY_SIZE(auth_schemes); i++) {
 		const char *scheme_name = auth_schemes[i].name;
+		const git_credtype_t scheme_types = auth_schemes[i].credtypes;
 		size_t scheme_len;
 
 		scheme_len = strlen(scheme_name);
-		if (strncasecmp(challenge, scheme_name, scheme_len) == 0 &&
+
+		if ((!cred || (cred->credtype & scheme_types)) &&
+		    strncasecmp(challenge, scheme_name, scheme_len) == 0 &&
 		    (challenge[scheme_len] == '\0' || challenge[scheme_len] == ' ')) {
 			scheme = &auth_schemes[i];
 			break;
@@ -256,7 +261,7 @@ static int set_authentication_types(http_server *server)
 	size_t i;
 
 	git_vector_foreach(&server->auth_challenges, i, challenge) {
-		if ((scheme = scheme_for_challenge(challenge)) != NULL) {
+		if ((scheme = scheme_for_challenge(challenge, NULL)) != NULL) {
 			server->authtypes |= scheme->type;
 			server->credtypes |= scheme->credtypes;
 		}
@@ -433,7 +438,7 @@ static int init_auth(http_server *server)
 	int error;
 
 	git_vector_foreach(&server->auth_challenges, i, c) {
-		s = scheme_for_challenge(c);
+		s = scheme_for_challenge(c, server->cred);
 
 		if (s && !!(s->credtypes & server->credtypes)) {
 			scheme = s;