[libsoup/gnome-3-24] Authentication should succeed in some cases when gss_init_sec_context() returns error



commit 2134915dcd4ba577591ca8e9c5d572a9c6be572b
Author: Tomas Popela <tpopela redhat com>
Date:   Mon Jun 19 18:08:16 2017 +0200

    Authentication should succeed in some cases when gss_init_sec_context() returns error
    
    Unfortunately, so many programs (curl, Firefox) ignore the return token that is
    included in the response, so it is possible that there are servers that send
    back broken stuff.  Try to behave in the right way (pass the token to
    gss_init_sec_context()), show a warning, but don't fail if the server returned
    200.
    
    There is an internal Red Hat site that triggers the described situation
    and the "Invalid token was supplied: Unknown error" is being printed to
    the console.

 libsoup/soup-auth-negotiate.c |   23 +++++++++++++++++++----
 1 files changed, 19 insertions(+), 4 deletions(-)
---
diff --git a/libsoup/soup-auth-negotiate.c b/libsoup/soup-auth-negotiate.c
index 811ee1c..5a49119 100644
--- a/libsoup/soup-auth-negotiate.c
+++ b/libsoup/soup-auth-negotiate.c
@@ -362,13 +362,28 @@ check_server_response (SoupMessage *msg, gpointer auth)
 
        ret = soup_gss_client_step (conn, auth_headers + 10, &err);
 
-       priv->is_authenticated = ret == AUTH_GSS_COMPLETE;
-
-       if (ret == AUTH_GSS_CONTINUE) {
+       switch (ret) {
+       case AUTH_GSS_COMPLETE:
+               priv->is_authenticated = TRUE;
+               break;
+       case AUTH_GSS_CONTINUE:
                conn->state = SOUP_NEGOTIATE_RECEIVED_CHALLENGE;
-       } else if (ret == AUTH_GSS_ERROR) {
+               break;
+       case AUTH_GSS_ERROR:
                if (err)
                        g_warning ("%s", err->message);
+               /* Unfortunately, so many programs (curl, Firefox, ..) ignore
+                * the return token that is included in the response, so it is
+                * possible that there are servers that send back broken stuff.
+                * Try to behave in the right way (pass the token to
+                * gss_init_sec_context()), show a warning, but don't fail
+                * if the server returned 200. */
+               if (msg->status_code == SOUP_STATUS_OK)
+                       priv->is_authenticated = TRUE;
+               else
+                       conn->state = SOUP_NEGOTIATE_FAILED;
+               break;
+       default:
                conn->state = SOUP_NEGOTIATE_FAILED;
        }
  out:
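
Review bot: In the AUTH_GSS_ERROR case, setting priv->is_authenticated = TRUE whenever msg->status_code == SOUP_STATUS_OK treats a response whose token was rejected by the GSS step the same as AUTH_GSS_COMPLETE, so the server's side of the Negotiate exchange goes unverified on this path and the only trace is a g_warning. Please say so explicitly in the comment and in the warning text (for example, that the server token was invalid and mutual authentication was not completed), and consider making this leniency opt-in rather than the default. Separately, the removed line assigned priv->is_authenticated unconditionally, which reset it to FALSE for every result other than AUTH_GSS_COMPLETE; the new switch only ever writes TRUE, so the AUTH_GSS_CONTINUE, default and non-200 error branches leave whatever value was there before. Assigning priv->is_authenticated = FALSE before the switch would keep the old behaviour for those branches.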

