From 1d532c8ea8b5c4a15f16894afcd604155c016ceb Mon Sep 17 00:00:00 2001
From: Tomas Popela <tpopela@redhat.com>
Date: Wed, 14 Jun 2017 11:46:42 +0200
Subject: [PATCH 2/3] Can't access sites that request closing the connection
 during 401

When a 401 message is received, a new token is generated and saved in
the SoupNegotiateConnectionState's respose header. Later when the connection is
closed (as requested by the server), the state is destroyed together with
the response header. When a new request is being created and we are asked for
the connection authorization, the newly created connection state doesn't have it
set. At this point if the connection state is newly created, generate a new token
together with the response header that will be returned as the connection
authorization.

Also modify how the warning from the soup_gss_build_response is printed
to differentiate if there was a failure during soup_gss_client_init or
soup_gss_client_step.
---
 libsoup/soup-auth-negotiate.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/libsoup/soup-auth-negotiate.c b/libsoup/soup-auth-negotiate.c
index 78c56b83..811ee1c2 100644
--- a/libsoup/soup-auth-negotiate.c
+++ b/libsoup/soup-auth-negotiate.c
@@ -188,7 +188,29 @@ soup_auth_negotiate_get_connection_authorization (SoupConnectionAuth *auth,
 	SoupNegotiateConnectionState *conn = state;
 	char *header = NULL;
 
-	if (conn->state == SOUP_NEGOTIATE_RECEIVED_CHALLENGE) {
+	if (conn->state == SOUP_NEGOTIATE_NEW) {
+		GError *err = NULL;
+
+		if (!check_auth_trusted_uri (auth, msg)) {
+			conn->state = SOUP_NEGOTIATE_FAILED;
+			return NULL;
+		}
+
+		if (!soup_gss_build_response (conn, SOUP_AUTH (auth), &err)) {
+			/* FIXME: report further upward via
+			 * soup_message_get_error_message  */
+			if (conn->initialized)
+				g_warning ("gssapi step failed: %s", err->message);
+			else
+				g_warning ("gssapi init failed: %s", err->message);
+			conn->state = SOUP_NEGOTIATE_FAILED;
+			g_clear_error (&err);
+
+			return NULL;
+		}
+	}
+
+	if (conn->response_header) {
 		header = conn->response_header;
 		conn->response_header = NULL;
 		conn->state = SOUP_NEGOTIATE_SENT_RESPONSE;
@@ -251,7 +273,10 @@ soup_auth_negotiate_update_connection (SoupConnectionAuth *auth, SoupMessage *ms
 		} else {
 			/* FIXME: report further upward via
 			 * soup_message_get_error_message  */
-			g_warning ("gssapi step failed: %s", err->message);
+			if (conn->initialized)
+				g_warning ("gssapi step failed: %s", err->message);
+			else
+				g_warning ("gssapi init failed: %s", err->message);
 			success = FALSE;
 		}
 	} else if (!strncmp (header, "Negotiate ", 10)) {
-- 
2.13.0