diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-07-29 10:33:36 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:57:44 -0500 |
commit | 188a8014ea77e8d03916da8b6bc103bc49086155 (patch) | |
tree | 592727abcbe3fab36a0ff2d00e7186d5348d9d19 /source4/libcli/auth | |
parent | f1a215f5cb174a0bfe50f288fbd998c8fabb0b63 (diff) | |
download | samba-188a8014ea77e8d03916da8b6bc103bc49086155.tar.gz samba-188a8014ea77e8d03916da8b6bc103bc49086155.tar.bz2 samba-188a8014ea77e8d03916da8b6bc103bc49086155.zip |
r1605: GENSEC krb5 updates - fix a valgrind found uninitialised variable, and
allow tests for 'unwrapped' krb5, allowed by Win2k3.
SPENGO changes, trying to get the logic right (when and what
sub-mechanisms to wrap).
Andrew Bartlett
(This used to be commit 8a0f7bf5e282d021afe93994a91fd76fa9c05f42)
Diffstat (limited to 'source4/libcli/auth')
-rw-r--r-- | source4/libcli/auth/gensec_krb5.c | 8 | ||||
-rw-r--r-- | source4/libcli/auth/spnego.c | 32 |
2 files changed, 26 insertions, 14 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index c7c1a18d24..f5f02d1421 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -187,7 +187,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security case KRB5_CC_NOTFOUND: { char *password; - time_t kdc_time; + time_t kdc_time = 0; nt_status = gensec_get_password(gensec_security, gensec_security->mem_ctx, &password); @@ -284,11 +284,15 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL nt_status = NT_STATUS_LOGON_FAILURE; } else { DATA_BLOB unwrapped_out; + +#ifndef GENSEC_SEND_UNWRAPPED_KRB5 /* This should be a switch for the torture code to set */ unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length); /* wrap that up in a nice GSS-API wrapping */ *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ); - +#else + *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length); +#endif gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH; nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; } diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c index c16d77dad9..23f0b1c070 100644 --- a/source4/libcli/auth/spnego.c +++ b/source4/libcli/auth/spnego.c @@ -511,15 +511,16 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA &unwrapped_out); - if ((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED) - && !NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_IS_OK(nt_status) + && (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) { DEBUG(1,("gensec_update ok but not accepted\n")); nt_status = NT_STATUS_INVALID_PARAMETER; } spnego_free_data(&spnego); - if (unwrapped_out.length) { + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + /* compose reply */ spnego_out.type = SPNEGO_NEG_TOKEN_TARG; spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT; spnego_out.negTokenTarg.supportedMech = NULL; @@ -530,24 +531,31 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n")); return NT_STATUS_INVALID_PARAMETER; } - } else { - *out = null_data_blob; - } - - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - /* compose reply */ - spnego_state->state_position = SPNEGO_CLIENT_TARG; } else if (NT_STATUS_IS_OK(nt_status)) { /* all done - server has accepted, and we agree */ + + if (unwrapped_out.length) { + spnego_out.type = SPNEGO_NEG_TOKEN_TARG; + spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT; + spnego_out.negTokenTarg.supportedMech = NULL; + spnego_out.negTokenTarg.responseToken = unwrapped_out; + spnego_out.negTokenTarg.mechListMIC = null_data_blob; + + if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { + DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n")); + return NT_STATUS_INVALID_PARAMETER; + } + } else { + *out = null_data_blob; + } + spnego_state->state_position = SPNEGO_DONE; - return NT_STATUS_OK; } else { DEBUG(1, ("SPNEGO(%s) login failed: %s\n", spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status))); - return nt_status; } return nt_status; } |