Merge pull request #4453 from libgit2/ethomson/spnego winhttp: properly support ntlm and negotiate
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
diff --git a/src/transports/winhttp.c b/src/transports/winhttp.c
index 98905ab..6dad1d3 100644
--- a/src/transports/winhttp.c
+++ b/src/transports/winhttp.c
@@ -172,9 +172,15 @@ static int apply_default_credentials(HINTERNET request, int mechanisms)
* is "medium" which applies to the intranet and sounds like it would correspond
* to Internet Explorer security zones, but in fact does not. */
DWORD data = WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW;
+ DWORD native_scheme = 0;
- if ((mechanisms & GIT_WINHTTP_AUTH_NTLM) == 0 &&
- (mechanisms & GIT_WINHTTP_AUTH_NEGOTIATE) == 0) {
+ if ((mechanisms & GIT_WINHTTP_AUTH_NTLM) != 0)
+ native_scheme |= WINHTTP_AUTH_SCHEME_NTLM;
+
+ if ((mechanisms & GIT_WINHTTP_AUTH_NEGOTIATE) != 0)
+ native_scheme |= WINHTTP_AUTH_SCHEME_NEGOTIATE;
+
+ if (!native_scheme) {
giterr_set(GITERR_NET, "invalid authentication scheme");
return -1;
}
@@ -182,6 +188,9 @@ static int apply_default_credentials(HINTERNET request, int mechanisms)
if (!WinHttpSetOption(request, WINHTTP_OPTION_AUTOLOGON_POLICY, &data, sizeof(DWORD)))
return -1;
+ if (!WinHttpSetCredentials(request, WINHTTP_AUTH_TARGET_SERVER, native_scheme, NULL, NULL, NULL))
+ return -1;
+
return 0;
}
@@ -606,12 +615,12 @@ static int parse_unauthorized_response(
if (WINHTTP_AUTH_SCHEME_NTLM & supported) {
*allowed_types |= GIT_CREDTYPE_USERPASS_PLAINTEXT;
*allowed_types |= GIT_CREDTYPE_DEFAULT;
- *allowed_mechanisms = GIT_WINHTTP_AUTH_NEGOTIATE;
+ *allowed_mechanisms |= GIT_WINHTTP_AUTH_NTLM;
}
if (WINHTTP_AUTH_SCHEME_NEGOTIATE & supported) {
*allowed_types |= GIT_CREDTYPE_DEFAULT;
- *allowed_mechanisms = GIT_WINHTTP_AUTH_NEGOTIATE;
+ *allowed_mechanisms |= GIT_WINHTTP_AUTH_NEGOTIATE;
}
if (WINHTTP_AUTH_SCHEME_BASIC & supported) {