authorEdward Thomson <ethomson@edwardthomson.com>2017-12-29 17:41:24 +0000
committerEdward Thomson <ethomson@edwardthomson.com>2017-12-29 17:41:24 +0000
commit526dea1c3ca11e83efca16aa8e5a4479ff542c5d (patch)
tree1fc8615ce7c61c286cec7d22e5cad4cb54bae0c9
parent083b1a2e2d8d190db02db3db0dad4fa742eccb02 (diff)
downloadlibgit2-ethomson/spnego.tar.gz
winhttp: properly support ntlm and negotiateethomson/spnego
When parsing unauthorized responses, properly parse headers looking for both NTLM and Negotiate challenges. Set the HTTP credentials to default credentials (using a `NULL` username and password) with the schemes supported by ourselves and the server.
-rw-r--r--src/transports/winhttp.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/transports/winhttp.c b/src/transports/winhttp.c
index 98905ab61..6dad1d38a 100644
--- a/src/transports/winhttp.c
+++ b/src/transports/winhttp.c
@@ -172,9 +172,15 @@ static int apply_default_credentials(HINTERNET request, int mechanisms)
* is "medium" which applies to the intranet and sounds like it would correspond
* to Internet Explorer security zones, but in fact does not. */
DWORD data = WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW;
+ DWORD native_scheme = 0;
- if ((mechanisms & GIT_WINHTTP_AUTH_NTLM) == 0 &&
- (mechanisms & GIT_WINHTTP_AUTH_NEGOTIATE) == 0) {
+ if ((mechanisms & GIT_WINHTTP_AUTH_NTLM) != 0)
+ native_scheme |= WINHTTP_AUTH_SCHEME_NTLM;
+
+ if ((mechanisms & GIT_WINHTTP_AUTH_NEGOTIATE) != 0)
+ native_scheme |= WINHTTP_AUTH_SCHEME_NEGOTIATE;
+
+ if (!native_scheme) {
giterr_set(GITERR_NET, "invalid authentication scheme");
return -1;
}
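Review bot: When the server advertises both schemes, `native_scheme` becomes `WINHTTP_AUTH_SCHEME_NTLM | WINHTTP_AUTH_SCHEME_NEGOTIATE`, but WinHttpSetCredentials is, as far as I know, documented to take a single scheme per call, so the combined value may be rejected; please confirm against the WinHTTP documentation. Selecting one scheme and preferring Negotiate avoids that: `if ((mechanisms & GIT_WINHTTP_AUTH_NEGOTIATE) != 0) native_scheme = WINHTTP_AUTH_SCHEME_NEGOTIATE;` followed by `else if ((mechanisms & GIT_WINHTTP_AUTH_NTLM) != 0) native_scheme = WINHTTP_AUTH_SCHEME_NTLM;`. That ordering also keeps NTLM, which has no mutual authentication and is exposed to relay, as a fallback only. This matters here because the autologon policy in the context line is LOW, so the logged-on user's credentials are offered to whichever host returned the 401. apply_default_credentials starts above this hunk and ends in the next one.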
@@ -182,6 +188,9 @@ static int apply_default_credentials(HINTERNET request, int mechanisms)
if (!WinHttpSetOption(request, WINHTTP_OPTION_AUTOLOGON_POLICY, &data, sizeof(DWORD)))
return -1;
+ if (!WinHttpSetCredentials(request, WINHTTP_AUTH_TARGET_SERVER, native_scheme, NULL, NULL, NULL))
+ return -1;
+
return 0;
}
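Review bot: The new `WinHttpSetCredentials` failure path returns -1 without calling `giterr_set`, so the caller is likely to surface a stale or empty error message when default credentials cannot be applied. The `WinHttpSetOption` check just above it has the same gap. Set the error before returning, for example `giterr_set(GITERR_OS, "could not configure credentials");`, with a matching message for the autologon option. The function begins outside this hunk.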
@@ -606,12 +615,12 @@ static int parse_unauthorized_response(
if (WINHTTP_AUTH_SCHEME_NTLM & supported) {
*allowed_types |= GIT_CREDTYPE_USERPASS_PLAINTEXT;
*allowed_types |= GIT_CREDTYPE_DEFAULT;
- *allowed_mechanisms = GIT_WINHTTP_AUTH_NEGOTIATE;
+ *allowed_mechanisms |= GIT_WINHTTP_AUTH_NTLM;
}
if (WINHTTP_AUTH_SCHEME_NEGOTIATE & supported) {
*allowed_types |= GIT_CREDTYPE_DEFAULT;
- *allowed_mechanisms = GIT_WINHTTP_AUTH_NEGOTIATE;
+ *allowed_mechanisms |= GIT_WINHTTP_AUTH_NEGOTIATE;
}
if (WINHTTP_AUTH_SCHEME_BASIC & supported) {
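Review bot: Switching `*allowed_mechanisms` from `=` to `|=` in the NTLM and Negotiate branches makes the result depend on whatever value is already stored there, and the hunk does not show it being cleared. If parse_unauthorized_response does not zero it first, bits left from an earlier 401 would persist, and a mechanism the server no longer offers could still reach apply_default_credentials. Confirm that `*allowed_mechanisms = 0;` runs before these branches, or add it at the top of the function. The function starts above the hunk and continues past it.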