r9411: Ensure we don't send a challenge without first getting a negotiate in

NTLMSSP, unless we are in datagram mode (not fully implemented yet).

Andrew Bartlett
(This used to be commit 727f5109421e9414a335e42e3ad3dd3ff19776bd)

2 files changed, 9 insertions, 2 deletions

diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index a02e160259..f55e5354ad 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -40,6 +40,7 @@ struct gensec_target {
 #define GENSEC_FEATURE_SEAL		0x00000004
 #define GENSEC_FEATURE_DCE_STYLE	0x00000008
 #define GENSEC_FEATURE_ASYNC_REPLIES	0x00000010
+#define GENSEC_FEATURE_DATAGRAM_MODE	0x00000020
 
 /* GENSEC mode */
 enum gensec_role
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 1fd7ac6756..339c219f62 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -138,8 +138,14 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security,
 			ntlmssp_command = NTLMSSP_INITIAL;
 			break;
 		case NTLMSSP_SERVER:
-			/* 'datagram' mode - no neg packet */
-			ntlmssp_command = NTLMSSP_NEGOTIATE;
+			if (gensec_security->want_features & GENSEC_FEATURE_DATAGRAM_MODE) {
+				/* 'datagram' mode - no neg packet */
+				ntlmssp_command = NTLMSSP_NEGOTIATE;
+			} else {
+				/* This is normal in SPNEGO mech negotiation fallback */
+				DEBUG(2, ("Failed to parse NTLMSSP packet: zero length\n"));
+				return NT_STATUS_INVALID_PARAMETER;
+			}
 			break;
 		}
 	} else {