http_done: close Negotiate connections when done

When doing HTTP requests Negotiate authenticated, the entire connnection may become authenticated and not just the specific HTTP request which is otherwise how HTTP works, as Negotiate can basically use NTLM under the hood. curl was not adhering to this fact but would assume that such requests would also be authenticated per request. CVE-2015-3148 Bug: http://curl.haxx.se/docs/adv_20150422B.html Reported-by: Isaac Boukris
author: Daniel Stenberg <daniel@haxx.se> 2015-04-18 23:50:16 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2015-04-21 23:20:37 +0200
commit: 79b9d5f1a42578f807a6c94914bc65cbaa304b6d (patch)
tree: b90cfdb4f416b791700635fc986bb99701783971
parent: 0583e87ada7a3cfb10904ae4ab61b339582c5bd3 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/http.c b/lib/http.c
index 4c1cfc549..beab543ee 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1435,8 +1435,14 @@ CURLcode Curl_http_done(struct connectdata *conn,
 
 #ifdef USE_SPNEGO
   if(data->state.proxyneg.state == GSS_AUTHSENT ||
-      data->state.negotiate.state == GSS_AUTHSENT)
+     data->state.negotiate.state == GSS_AUTHSENT) {
+    /* add forbid re-use if http-code != 401/407 as a WA only needed for
+     * 401/407 that signal auth failure (empty) otherwise state will be RECV
+     * with current code */
+    if((data->req.httpcode != 401) && (data->req.httpcode != 407))
+      connclose(conn, "Negotiate transfer completed");
     Curl_cleanup_negotiate(data);
+  }
 #endif
 
   /* set the proper values (possibly modified on POST) */
author	Daniel Stenberg <daniel@haxx.se>	2015-04-18 23:50:16 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2015-04-21 23:20:37 +0200
commit	79b9d5f1a42578f807a6c94914bc65cbaa304b6d (patch)
tree	b90cfdb4f416b791700635fc986bb99701783971
parent	0583e87ada7a3cfb10904ae4ab61b339582c5bd3 (diff)