From aefe8eac4f5b6a3df823224a38f3d20fb2308579 Mon Sep 17 00:00:00 2001
From: Tomas Popela <tpopela@redhat.com>
Date: Mon, 19 Jun 2017 18:08:16 +0200
Subject: [PATCH 3/3] Authentication should success in some cases when
 gss_init_sec_context() returns error

Unfortunately, so many programs (curl, Firefox) ignore the return token that is
included in the response, so it is possible that there are servers that send
back broken stuff.  Try to behave in the right way (pass the token to
gss_init_sec_context()), show a warning, but don't fail if the server returned
200.

There is an internal Red Hat site that triggers the described situation
and the "Invalid token was supplied: Unknown error" is being printed to
the console.
---
 libsoup/soup-auth-negotiate.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/libsoup/soup-auth-negotiate.c b/libsoup/soup-auth-negotiate.c
index 811ee1c2..5a49119b 100644
--- a/libsoup/soup-auth-negotiate.c
+++ b/libsoup/soup-auth-negotiate.c
@@ -362,13 +362,28 @@ check_server_response (SoupMessage *msg, gpointer auth)
 
 	ret = soup_gss_client_step (conn, auth_headers + 10, &err);
 
-	priv->is_authenticated = ret == AUTH_GSS_COMPLETE;
-
-	if (ret == AUTH_GSS_CONTINUE) {
+	switch (ret) {
+	case AUTH_GSS_COMPLETE:
+		priv->is_authenticated = TRUE;
+		break;
+	case AUTH_GSS_CONTINUE:
 		conn->state = SOUP_NEGOTIATE_RECEIVED_CHALLENGE;
-	} else if (ret == AUTH_GSS_ERROR) {
+		break;
+	case AUTH_GSS_ERROR:
 		if (err)
 			g_warning ("%s", err->message);
+		/* Unfortunately, so many programs (curl, Firefox, ..) ignore
+		 * the return token that is included in the response, so it is
+		 * possible that there are servers that send back broken stuff.
+		 * Try to behave in the right way (pass the token to
+		 * gss_init_sec_context()), show a warning, but don't fail
+		 * if the server returned 200. */
+		if (msg->status_code == SOUP_STATUS_OK)
+			priv->is_authenticated = TRUE;
+		else
+			conn->state = SOUP_NEGOTIATE_FAILED;
+		break;
+	default:
 		conn->state = SOUP_NEGOTIATE_FAILED;
 	}
  out:
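Review bot: The `AUTH_GSS_ERROR` case sets `priv->is_authenticated = TRUE` on a 200 even though `soup_gss_client_step()` rejected the server's return token, so the GSS context was never completed and the server was not mutually authenticated; the auth object then reports success on the strength of the HTTP status alone. The in-code comment should state that trade-off explicitly, e.g. `/* NOTE: the server token failed verification; mutual authentication is NOT established on this path. */`, and it may be worth making this leniency opt-in rather than unconditional. Separately, the removed line `priv->is_authenticated = ret == AUTH_GSS_COMPLETE;` cleared the flag on every non-complete result, while the new `switch` never writes FALSE; adding `priv->is_authenticated = FALSE;` just before the `switch` would preserve that. check_server_response() starts before and continues past this hunk, so whether a stale TRUE can actually reach this point cannot be confirmed from the lines shown.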
-- 
2.13.0