author | Andrew Bartlett <abartlet@samba.org> | 2006-02-21 00:17:52 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:51:58 -0500 |
commit | 08195b0ed5ffdd2373fedcae7b4872284719de6c (patch) | |
tree | 05cb87fc4480ece8ea8308ce9dce76f40ed9fc87 /source4/auth | |
parent | 9d1954c25d646c46daa38c3f96f4c4029b9bb417 (diff) | |
r13584: Another try at SPNEGO stuff. I need to write a better testsuite for this.
This tries to ensure that when we are a client, we cope with mechs
(like GSSAPI) that only abort (unknown server) at first runtime.
Andrew Bartlett
(This used to be commit cb5d18c6190fa1809478aeb60e352cb93c4214f6)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/gensec/spnego.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 6f38576a3f..32b4ff96be 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -358,6 +358,10 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 }
 }
+ /* Having tried any optomisitc token from the client (if we
+ * were the server), if we didn't get anywhere, walk our list
+ * in our preference order */
+
 if (!spnego_state->sub_sec_security) {
 for (i=0; all_sec && all_sec[i].op; i++) {
 nt_status = gensec_subcontext_start(spnego_state,
@@ -382,6 +386,25 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 out_mem_ctx,
 null_data_blob,
 unwrapped_out);
+
+ /* it is likely that a NULL input token will
+ * not be liked by most server mechs, but if
+ * we are in the client, we want the first
+ * update packet to be able to abort the use
+ * of this mech */
+ if (spnego_state->state_position != SPNEGO_SERVER_START) {
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+ /* Pretend we never started it (lets the first run find some incompatible demand) */
+
+ DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse: %s\n",
+ spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ talloc_free(spnego_state->sub_sec_security);
+ spnego_state->sub_sec_security = NULL;
+ continue;
+ }
+ }
+
 break;
 }
 }
|
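Review bot: The `continue` in the new `state_position != SPNEGO_SERVER_START` branch of the second hunk discards the failed mechanism and moves to the next entry in `all_sec` with no policy check, so a first-update failure such as `NT_STATUS_CANT_ACCESS_DOMAIN_INFO` can leave the client negotiating a later, possibly weaker, mechanism than the one it preferred. If that fallback is intended, the comment should say so and the log line should describe it, because "failed to parse" is not what happened here; something like `DEBUG(1, ("SPNEGO(%s) first update failed, trying next mech: %s\n",` would let an operator see the mechanism change. The guard is also wider than the comment's "if we are in the client", since it matches every state other than server start; testing for the client state directly would make the intent explicit. The enclosing loop and function begin and end outside the hunk, so how other error statuses are handled after `break` cannot be judged from here.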