summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2010-12-01 07:02:15 +0100
committerStefan Metzmacher <metze@samba.org>2010-12-14 16:50:49 +0100
commitf126cb9eeace9d3ad277c333fe9dfac17153d264 (patch)
tree931b859579bf36627c4508559345bb3d26019d29 /source4/auth/gensec
parent4fd57cbe1ba35d3b3deb01b2eb6aba1d0aa4ddfd (diff)
downloadsamba-f126cb9eeace9d3ad277c333fe9dfac17153d264.tar.gz
samba-f126cb9eeace9d3ad277c333fe9dfac17153d264.tar.bz2
samba-f126cb9eeace9d3ad277c333fe9dfac17153d264.zip
s4:gensec/spnego: only look at the optimistic token if we support the first mech
As a server only try the mechs the client proposed and only call gensec_update() with the optimistic token for the first mech in the list. If the server doesn't support the first mech we pick the first one in the clients list we also support. That's how w2k8r2 works. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Tue Dec 14 16:50:50 CET 2010 on sn-devel-104
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/spnego.c24
1 files changed, 20 insertions, 4 deletions
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 1f6c9198c5..5555fc4170 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -420,9 +420,9 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
}
if (spnego_state->state_position == SPNEGO_SERVER_START) {
- for (i=0; all_sec && all_sec[i].op; i++) {
- /* optimistic token */
- if (strcmp(all_sec[i].oid, mechType[0]) == 0) {
+ uint32_t j;
+ for (j=0; mechType && mechType[j]; j++) {
+ for (i=0; all_sec && all_sec[i].op; i++) {
nt_status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
@@ -437,7 +437,15 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
spnego_state->sub_sec_security = NULL;
break;
}
-
+
+ if (j > 0) {
+ /* no optimistic token */
+ spnego_state->neg_oid = all_sec[i].oid;
+ *unwrapped_out = data_blob_null;
+ nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ break;
+ }
+
nt_status = gensec_update(spnego_state->sub_sec_security,
out_mem_ctx,
unwrapped_in,
@@ -456,6 +464,14 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
spnego_state->neg_oid = all_sec[i].oid;
break;
}
+ if (spnego_state->sub_sec_security) {
+ break;
+ }
+ }
+
+ if (!spnego_state->sub_sec_security) {
+ DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
+ return NT_STATUS_INVALID_PARAMETER;
}
}