summaryrefslogtreecommitdiff
path: root/source4/libcli/auth/spnego.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2005-01-10 10:48:19 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:08:37 -0500
commit7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b (patch)
tree380cf934d5d65d5ef2af720d381252efc6056c26 /source4/libcli/auth/spnego.c
parent047d41cc490c05dd07eeab29913b3f2882887678 (diff)
downloadsamba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.tar.gz
samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.tar.bz2
samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.zip
r4635: Fix NTLMSSP to return NT_STATUS_OK when it has constructed the auth
token in the client (the final token in the negotiation). Consequential fixes in the SPNEGO code, which now uses the out.length as the indicator of 'I need to send something to the other side'. Merge the NTLM and SPNEGO DCE-RPC authentication routines in the client. Fix the RPC-MULTIBIND test consequent to this merge. Andrew Bartlett (This used to be commit 43e3516fc03008e97ebb4ad1a0cde464303f43c6)
Diffstat (limited to 'source4/libcli/auth/spnego.c')
-rw-r--r--source4/libcli/auth/spnego.c61
1 files changed, 31 insertions, 30 deletions
diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c
index 31dd5aa47d..84bd7ce42c 100644
--- a/source4/libcli/auth/spnego.c
+++ b/source4/libcli/auth/spnego.c
@@ -685,24 +685,34 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego_state->no_response_expected) {
- nt_status = NT_STATUS_OK;
+ if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
+ DEBUG(1,("gensec_update ok but not accepted\n"));
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ } else {
+ nt_status = NT_STATUS_OK;
+ }
} else {
nt_status = gensec_update(spnego_state->sub_sec_security,
out_mem_ctx,
spnego.negTokenTarg.responseToken,
&unwrapped_out);
- }
-
-
- if (NT_STATUS_IS_OK(nt_status)
- && (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {
- DEBUG(1,("gensec_update ok but not accepted\n"));
- nt_status = NT_STATUS_INVALID_PARAMETER;
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_state->no_response_expected = True;
+ }
}
spnego_free_data(&spnego);
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
+ && !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ nt_errstr(nt_status)));
+ return nt_status;
+ }
+
+ if (unwrapped_out.length) {
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
@@ -716,30 +726,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
spnego_state->state_position = SPNEGO_CLIENT_TARG;
- } else if (NT_STATUS_IS_OK(nt_status)) {
+ nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+
/* all done - server has accepted, and we agree */
-
- if (unwrapped_out.length) {
- spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
- spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
- spnego_out.negTokenTarg.supportedMech = NULL;
- spnego_out.negTokenTarg.responseToken = unwrapped_out;
- spnego_out.negTokenTarg.mechListMIC = null_data_blob;
-
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- } else {
- *out = null_data_blob;
- }
+ *out = null_data_blob;
- spnego_state->state_position = SPNEGO_DONE;
- } else {
- DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
- spnego_state->sub_sec_security->ops->name,
- nt_errstr(nt_status)));
+ if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
+ /* unless of course it did not accept */
+ DEBUG(1,("gensec_update ok but not accepted\n"));
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ }
}
+
+ spnego_state->state_position = SPNEGO_DONE;
+
return nt_status;
}
case SPNEGO_DONE: