diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-08-23 05:29:37 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:34:24 -0500 |
commit | ba90b652d918fb34f1e43083f8283f669c73c340 (patch) | |
tree | 2c656b05b9d164c9294f5c47089481355685336e /source4/auth | |
parent | 8f9478b09d39d8c13871684a6af3d3e1629a0e84 (diff) | |
download | samba-ba90b652d918fb34f1e43083f8283f669c73c340.tar.gz samba-ba90b652d918fb34f1e43083f8283f669c73c340.tar.bz2 samba-ba90b652d918fb34f1e43083f8283f669c73c340.zip |
r9505: Work on GENSEC and the code that calls it, for tighter interface
requirements, and for better error reporting.
In particular, the composite session setup (extended security/SPNEGO)
code now returns errors, rather than NT_STATUS_NO_MEMORY. This is
seen particularly when GENSEC fails to start.
The tighter interface rules apply to NTLMSSP, which must be called
exactly the right number of times. This is to match some of our other
less-tested modules, where adding flexablity is harder. (and this is
security code, so let's just get it right). As such, the DCE/RPC and
LDAP clients have been updated.
Andrew Bartlett
(This used to be commit 134550cf752b9edad66c3368750bfb4bbd9d55d1)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp.c | 7 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_client.c | 12 |
2 files changed, 13 insertions, 6 deletions
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c index 82d6dd0e8f..ef870af3bf 100644 --- a/source4/auth/ntlmssp/ntlmssp.c +++ b/source4/auth/ntlmssp/ntlmssp.c @@ -123,7 +123,12 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security, *out = data_blob(NULL, 0); if (gensec_ntlmssp_state->expected_state == NTLMSSP_DONE) { - return NT_STATUS_OK; + /* We are strict here because other modules, which we + * don't fully control (such as GSSAPI) are also + * strict, but are tested less often */ + + DEBUG(1, ("Called NTLMSSP after state machine was 'done'\n")); + return NT_STATUS_INVALID_PARAMETER; } if (!out_mem_ctx) { diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 726885c82f..add774f84e 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -353,11 +353,13 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, gensec_ntlmssp_state->expected_state = NTLMSSP_DONE; - nt_status = ntlmssp_sign_init(gensec_ntlmssp_state); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", - nt_errstr(nt_status))); - return nt_status; + if (gensec_security->want_features & GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL) { + nt_status = ntlmssp_sign_init(gensec_ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", + nt_errstr(nt_status))); + return nt_status; + } } return nt_status; |