curl-library

Re: Negotiate: crash

From: Anatoli Tubman <anatolit_at_checkpoint.com>
Date: Mon, 25 Feb 2008 13:09:11 +0200

> From: Daniel Stenberg
> Subject: Re: Negotiate: crash
> [snip]
> So why did you change to this method if it is worse for proxy connections?

Sorry for not making myself clear enough. _Both_ methods do not work
with proxy connections. That is, I tried to call
Curl_cleanup_negotiate() from Curl_output_negotiate() and from
Curl_disconnect(), and in both cases the auth token is sent to the wrong
host.

The difference between these cases is that in the first case a new token
is generated from scratch, whereas in the second case an existing token
is reused.

When I did that fix I was convinced that the token should be reused (in
the case it should be used at all), but now I'm not so sure. The thing
is, reused tokens work in my setup, but in theory they probably should
not, since a reused token is basically a replay attack. I will have to
investigate this further.

In any case, there's a problem with proxy connections that I don't know
how to fix.

By the way, it is possible to test the logic around this Negotiate
scheme without setting up the whole Kerberos thing --- one can simply
provide a server with a canned 401 response and WWW-Authenticate:
Negotiate header. It will not test authentication itself, but one could
catch curl crashes and errors like sending a token to the wrong host.

P.S. Sorry about the messed-up threading. I have switched from digest to
regular distribution, hope it will clear up the matter.

Best regards

-- 
Anatoli Tubman
Received on 2008-02-25
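
The canned-401 test server suggested in the message above could look like the following. This is an added example, not code from the original mail or from the curl project; `CannedNegotiate`, `start_server`, `misdirected_tokens`, `probe` and the host names are hypothetical, and the token value is constructed. The server never validates a token; it only records which Host each request was addressed to and which auth headers it carried.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class CannedNegotiate(BaseHTTPRequestHandler):
    """Always answers 401 with 'WWW-Authenticate: Negotiate'; no Kerberos involved."""

    def do_GET(self):
        # Record where the request was addressed and which auth headers it carried.
        self.server.seen.append({
            "host": self.headers.get("Host"),
            "authorization": self.headers.get("Authorization"),
            "proxy_authorization": self.headers.get("Proxy-Authorization"),
        })
        body = b"canned 401\n"
        self.send_response(401)
        self.send_header("WWW-Authenticate", "Negotiate")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep test output quiet
        pass

def start_server():
    """Start the canned server on a free loopback port; requests land in srv.seen."""
    srv = HTTPServer(("127.0.0.1", 0), CannedNegotiate)
    srv.seen = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def misdirected_tokens(seen, expected_host):
    """Requests that carried a Negotiate token but were addressed to another Host."""
    return [r for r in seen
            if (r["authorization"] or "").startswith("Negotiate ")
            and r["host"] != expected_host]

def probe(port, host_header, token=None):
    """Constructed request standing in for the client under test."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host_header}
    if token:
        headers["Authorization"] = "Negotiate " + token
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    resp.read()
    result = (resp.status, resp.getheader("WWW-Authenticate"))
    conn.close()
    return result
```

In a real run, the client under test replaces `probe()`: point it at the port from `start_server()` and check `srv.seen` afterwards.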