author | Andrew Bartlett <abartlet@samba.org> | 2005-08-20 06:36:35 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:33:36 -0500 |
commit | 7f7b6a59b45c14843be091b2a53a444f98830bbb (patch) | |
tree | 7b5bcf7c30f3842d9911ec9ad86a7808b4fd6bce | |
parent | 897e9f2b4dcef7593766fcb7ba439013e1022376 (diff) | |
r9418: SPNEGO fixes:
- Fix mixing of code and data
- send mechListMic again in SPNEGO server
- only send optimistic first packet in the client.
(This used to be commit 9941da8081ef5a669b0946265860d2f20d3718d3)
-rw-r--r-- | source4/auth/gensec/spnego.c | 47 |
1 files changed, 29 insertions, 18 deletions
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 1a7cb1f0ed..d9b1ce495c 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -408,11 +408,11 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 DATA_BLOB null_data_blob = data_blob(NULL,0);
 const char **mechTypes = NULL;
 DATA_BLOB unwrapped_out = data_blob(NULL, 0);
+ const struct gensec_security_ops_wrapper *all_sec;
 mechTypes = gensec_security_oids(out_mem_ctx, GENSEC_OID_SPNEGO);
- const struct gensec_security_ops_wrapper *all_sec
- = gensec_security_by_oid_list(out_mem_ctx,
+ all_sec = gensec_security_by_oid_list(out_mem_ctx,
 mechTypes, GENSEC_OID_SPNEGO);
 for (i=0; all_sec && all_sec[i].op; i++) {
@@ -432,27 +432,38 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 continue;
 }
- nt_status = gensec_update(spnego_state->sub_sec_security,
- out_mem_ctx,
- null_data_blob,
- &unwrapped_out);
-
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)
- && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
- && !NT_STATUS_IS_OK(nt_status)) {
- DEBUG(3, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
- /* Pretend we never started it (lets the first run find some incompatible demand) */
-
- continue;
+ /* In the client, try and produce the first (optimistic) packet */
+ if (spnego_state->state_position = SPNEGO_CLIENT_START) {
+ nt_status = gensec_update(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ null_data_blob,
+ &unwrapped_out);
+
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
+ && !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
+ spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ talloc_free(spnego_state->sub_sec_security);
+ spnego_state->sub_sec_security = NULL;
+ /* Pretend we never started it (lets the first run find some incompatible demand) */
+
+ continue;
+ }
 }
+ spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
+
+ /* List the remaining mechs as options */
 spnego_out.negTokenInit.mechTypes = gensec_security_oids_from_ops_wrapped(out_mem_ctx, &all_sec[i]);
 spnego_out.negTokenInit.reqFlags = 0;
- spnego_out.negTokenInit.mechListMIC = null_data_blob;
+
+ if (spnego_state->state_position = SPNEGO_SERVER_START) {
+ spnego_out.negTokenInit.mechListMIC
+ = data_blob_string_const(talloc_asprintf(out_mem_ctx, "%s$@%s", lp_netbios_name(), lp_realm()));
+ } else {
+ spnego_out.negTokenInit.mechListMIC = null_data_blob;
+ }
 spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { |
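Review bot: Both new conditions in this hunk assign instead of compare: `if (spnego_state->state_position = SPNEGO_CLIENT_START)` and `if (spnego_state->state_position = SPNEGO_SERVER_START)` overwrite the negotiation state and (assuming neither enum value is 0) are always taken, so the server side also runs the optimistic gensec_update it was meant to skip, and every caller leaves the loop with state_position forced to SPNEGO_SERVER_START and the server-style mechListMIC, which defeats the client/server split the commit message describes. They should read `if (spnego_state->state_position == SPNEGO_CLIENT_START) {` and `if (spnego_state->state_position == SPNEGO_SERVER_START) {`; building with -Wall/-Wparentheses would have caught both. The talloc_asprintf result on the mechListMIC line is handed to data_blob_string_const without a NULL check; whether that helper tolerates a NULL string is not visible here, so a guard or a confirming comment would help. The enclosing function continues past the hunk, and the `if (spnego_write_data(...) == -1) {` block on the last line is closed outside it.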