Merge branch 'ntlm-requires-http-1.1'

This branch backports two fixes for bugs where NTLM/Kerberos
authentication would fail because cURL v7.62.0 defaults to HTTP/2 for
https:// connections with servers that support it, and NTLM (and at
least *some* Kerberos) authentication does not work via HTTP/2.

This fixes microsoft/Git-Credential-Manager-for-Windows#812

Signed-off-by: Johannes Schindelin <[email protected]>

Author: dscho

mingw-w64-curl/0003-NTLM-force-the-connection-to-HTTP-1.1.patch

@@ -0,0 +1,42 @@
+From f0ca86ac2f20cce2529415b5b87882992ed78ffc Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <[email protected]>
+Date: Thu, 6 Dec 2018 17:26:13 +0100
+Subject: [PATCH 3/4] NTLM: force the connection to HTTP/1.1
+
+Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
+the capability. However, NTLM authentication only works with HTTP/1.1,
+and will likely remain in that boat (for details, see
+https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).
+
+When we just found out that we want to use NTLM, and when the current
+connection runs in HTTP/2 mode, let's force the connection to be closed
+and to be re-opened using HTTP/1.1.
+
+Fixes https://github.com/curl/curl/issues/3341.
+Closes #3345
+
+Signed-off-by: Johannes Schindelin <[email protected]>
+---
+ lib/http.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lib/http.c b/lib/http.c
+index 46ac15a6e..87e9a5868 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -526,6 +526,12 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
+     pickhost = pickoneauth(&data->state.authhost, authmask);
+     if(!pickhost)
+       data->state.authproblem = TRUE;
++    if(data->state.authhost.picked == CURLAUTH_NTLM &&
++       conn->httpversion > 11) {
++      infof(data, "Forcing HTTP/1.1 for NTLM");
++      connclose(conn, "Force HTTP/1.1 connection");
++      conn->data->set.httpversion = CURL_HTTP_VERSION_1_1;
++    }
+   }
+   if(conn->bits.proxy_user_passwd &&
+      ((data->req.httpcode == 407) ||
+-- 
+2.19.2.windows.1.19.g96889860afc7
+

mingw-w64-curl/0004-Upon-HTTP_1_1_REQUIRED-retry-the-request-with-HTTP-1.patch

@@ -0,0 +1,109 @@
+From 4482b184e4321533205750f9a8f64e7c4018b259 Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin <[email protected]>
+Date: Fri, 7 Dec 2018 17:04:39 +0100
+Subject: [PATCH 4/4] Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
+
+This is a companion patch to cbea2fd2c (NTLM: force the connection to
+HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1
+preemptively. However, with other (Negotiate) authentication it is not
+clear to this developer whether there is a way to make it work with
+HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the
+error HTTP_1_1_REQUIRED.
+
+Note: we will still keep the NTLM workaround, as it avoids an extra
+round trip.
+
+Daniel Stenberg helped a lot with this patch, in particular by
+suggesting to introduce the Curl_h2_http_1_1_error() function.
+
+Closes #3349
+
+Signed-off-by: Johannes Schindelin <[email protected]>
+---
+ lib/http2.c |  8 ++++++++
+ lib/http2.h |  4 ++++
+ lib/multi.c | 20 ++++++++++++++++++++
+ 3 files changed, 32 insertions(+)
+
+diff --git a/lib/http2.c b/lib/http2.c
+index 0c5f6db0b..424724ab7 100644
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -2367,6 +2367,14 @@ void Curl_http2_cleanup_dependencies(struct Curl_easy *data)
+     Curl_http2_remove_child(data->set.stream_depends_on, data);
+ }
+ 
++/* Only call this function for a transfer that already got a HTTP/2
++   CURLE_HTTP2_STREAM error! */
++bool Curl_h2_http_1_1_error(struct connectdata *conn)
++{
++  struct http_conn *httpc = &conn->proto.httpc;
++  return (httpc->error_code == NGHTTP2_HTTP_1_1_REQUIRED);
++}
++
+ #else /* !USE_NGHTTP2 */
+ 
+ /* Satisfy external references even if http2 is not compiled in. */
+diff --git a/lib/http2.h b/lib/http2.h
+index 4492ec211..67db3dffb 100644
+--- a/lib/http2.h
++++ b/lib/http2.h
+@@ -59,6 +59,9 @@ CURLcode Curl_http2_add_child(struct Curl_easy *parent,
+ void Curl_http2_remove_child(struct Curl_easy *parent,
+                              struct Curl_easy *child);
+ void Curl_http2_cleanup_dependencies(struct Curl_easy *data);
++
++/* returns true if the HTTP/2 stream error was HTTP_1_1_REQUIRED */
++bool Curl_h2_http_1_1_error(struct connectdata *conn);
+ #else /* USE_NGHTTP2 */
+ #define Curl_http2_init(x) CURLE_UNSUPPORTED_PROTOCOL
+ #define Curl_http2_send_request(x) CURLE_UNSUPPORTED_PROTOCOL
+@@ -74,6 +77,7 @@ void Curl_http2_cleanup_dependencies(struct Curl_easy *data);
+ #define Curl_http2_add_child(x, y, z)
+ #define Curl_http2_remove_child(x, y)
+ #define Curl_http2_cleanup_dependencies(x)
++#define Curl_h2_http_1_1_error(x) 0
+ #endif
+ 
+ #endif /* HEADER_CURL_HTTP2_H */
+diff --git a/lib/multi.c b/lib/multi.c
+index 0db2a9730..ebd9189d2 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -46,6 +46,7 @@
+ #include "vtls/vtls.h"
+ #include "connect.h"
+ #include "http_proxy.h"
++#include "http2.h"
+ /* The last 3 #include files should be in this order */
+ #include "curl_printf.h"
+ #include "curl_memory.h"
+@@ -1939,6 +1940,25 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi,
+           done = TRUE;
+         }
+       }
++      else if((CURLE_HTTP2_STREAM == result) &&
++                Curl_h2_http_1_1_error(data->easy_conn)) {
++        CURLcode ret = Curl_retry_request(data->easy_conn, &newurl);
++
++        infof(data, "Forcing HTTP/1.1 for NTLM");
++        data->set.httpversion = CURL_HTTP_VERSION_1_1;
++
++        if(!ret)
++          retry = (newurl)?TRUE:FALSE;
++        else
++          result = ret;
++
++        if(retry) {
++          /* if we are to retry, set the result to OK and consider the
++             request as done */
++          result = CURLE_OK;
++          done = TRUE;
++        }
++      }
+ 
+       if(result) {
+         /*
+-- 
+2.19.2.windows.1.19.g96889860afc7
+

mingw-w64-curl/PKGBUILD

@@ -24,11 +24,15 @@ depends=("${MINGW_PACKAGE_PREFIX}-gcc-libs"
 options=('!strip' 'staticlibs')
 source=("${url}/download/${_realname}-${pkgver}.tar.bz2"{,.asc}
         "0001-Make-cURL-relocatable.patch"
-        "0002-Hack-make-relocation-work-inside-libexec-git-core.patch")
+        "0002-Hack-make-relocation-work-inside-libexec-git-core.patch"
+        "0003-NTLM-force-the-connection-to-HTTP-1.1.patch"
+        "0004-Upon-HTTP_1_1_REQUIRED-retry-the-request-with-HTTP-1.patch")
 sha256sums=('7802c54076500be500b171fde786258579d60547a3a35b8c5a23d8c88e8f9620'
             'SKIP'
             'b0ba74f34b5024104c0bf349d6b5f2c499c94e9977950d5c7fc3b25a3704e05e'
-            'c69dce84d3ffea09b4a320fe2a8bf0bc459bf3ad45b8f75f77be8f79a41ae836')
+            'c69dce84d3ffea09b4a320fe2a8bf0bc459bf3ad45b8f75f77be8f79a41ae836'
+            'c9ca27882007c583ad1ee542f699702adf5703f95956c00285bbfd90e27765f3'
+            '83e66847376376cad084c4f3af1709d56630d05699f17d520b933074db5bb20a')
 validpgpkeys=('914C533DF9B2ADA2204F586D78E11C6B279D5C91'  # Daniel Stenberg
               '27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2'
               '4461EAF0F8E9097F48AF0555F9FEAFF9D34A1BDB')
@@ -41,6 +45,8 @@ prepare() {
   rm -f lib/pathtools.h lib/pathtools.c >/dev/null 2>&1 || true
   patch -p1 -i "${srcdir}/0001-Make-cURL-relocatable.patch"
   patch -p1 -i "${srcdir}/0002-Hack-make-relocation-work-inside-libexec-git-core.patch"
+  patch -p1 -i "${srcdir}/0003-NTLM-force-the-connection-to-HTTP-1.1.patch"
+  patch -p1 -i "${srcdir}/0004-Upon-HTTP_1_1_REQUIRED-retry-the-request-with-HTTP-1.patch"
   autoreconf -vfi
 }