authorAndrew Bartlett <abartlet@samba.org>2004-07-16 02:54:57 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:57:39 -0500
commitb3c46674a670ea51607d5c2a73271dff531ae7d6 (patch)
treec09e07ce443ab9521ff1b0f57e55c8945d7df513 /source4/libcli/auth
parent526d687cbbdf323dc883bb1298dfd2dc952fecc6 (diff)
r1521: Updates to our SMB signing code.
- This causes our client and server code to use the same core code, with the same debugs etc. - In turn, this will allow the 'mandatory/fallback' signing algorithms to be shared, and only written once. Updates to the SPNEGO code - Don't wrap an empty token to the server, if we are actually already finished. Andrew Bartlett (This used to be commit 35b83eb329482ac1b3bc67285854cc47844ff353)
Diffstat (limited to 'source4/libcli/auth')
-rw-r--r--source4/libcli/auth/gensec_krb5.c4
-rw-r--r--source4/libcli/auth/spnego.c43
2 files changed, 26 insertions, 21 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 8268eb6051..c7c1a18d24 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -304,6 +304,8 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
DATA_BLOB unwrapped_in;
if (!gensec_gssapi_parse_krb5_wrap(out_mem_ctx, &in, &unwrapped_in, tok_id)) {
+ DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse\n"));
+ dump_data_pw("Mutual authentication message:\n", in.data, in.length);
return NT_STATUS_INVALID_PARAMETER;
}
/* TODO: check the tok_id */
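Review bot: The new failure message on the `gensec_gssapi_parse_krb5_wrap` branch reports only that parsing failed, while the only detail about the offending peer token comes from `dump_data_pw`, which presumably emits nothing at ordinary debug levels. Including the token length in the level-1 message would let an operator distinguish an empty or truncated mutual-authentication reply from a malformed one without raising the debug level: `DEBUG(1,("gensec_gssapi_parse_krb5_wrap(mutual authentication) failed to parse %d byte token\n", (int)in.length));`. The body of gensec_krb5_update starts and ends outside this hunk.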
@@ -316,7 +318,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
if (ret) {
DEBUG(1,("krb5_rd_rep (mutual authentication) failed (%s)\n",
error_message(ret)));
- dump_data_pw("Mutual authentication message:\n", in.data, in.length);
+ dump_data_pw("Mutual authentication message:\n", inbuf.data, inbuf.length);
nt_status = NT_STATUS_ACCESS_DENIED;
} else {
*out = data_blob(NULL, 0);
diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c
index d4910eb92f..c16d77dad9 100644
--- a/source4/libcli/auth/spnego.c
+++ b/source4/libcli/auth/spnego.c
@@ -41,7 +41,6 @@ struct spnego_state {
uint_t ref_count;
enum spnego_message_type expected_packet;
enum spnego_state_position state_position;
- enum spnego_negResult result;
struct gensec_security *sub_sec_security;
};
@@ -60,7 +59,6 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
spnego_state->state_position = SPNEGO_CLIENT_START;
- spnego_state->result = SPNEGO_ACCEPT_INCOMPLETE;
spnego_state->mem_ctx = mem_ctx;
spnego_state->sub_sec_security = NULL;
@@ -140,8 +138,7 @@ static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_securit
DATA_BLOB *session_key)
{
struct spnego_state *spnego_state = gensec_security->private_data;
- if (spnego_state->state_position != SPNEGO_DONE
- && spnego_state->state_position != SPNEGO_FALLBACK) {
+ if (!spnego_state->sub_sec_security) {
return NT_STATUS_INVALID_PARAMETER;
}
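Review bot: The replacement guard hands out a session key as soon as `sub_sec_security` is non-NULL, so a caller can now obtain one while `state_position` is still SPNEGO_CLIENT_TARG, where the old test required SPNEGO_DONE or SPNEGO_FALLBACK. Presumably the sub-mechanism's own session_key op refuses until its exchange has completed, but that is not visible in this hunk, and the removal of the state check means SPNEGO itself no longer vouches that negotiation finished before keying material is used for signing. If the relaxation is intended, a comment on the new condition would keep it from being re-tightened by accident: `/* completeness is the sub-mechanism's call: it will refuse a key until it has finished */`; otherwise keep the state check alongside the NULL test. gensec_spnego_session_key's body starts and ends outside this hunk.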
@@ -450,7 +447,6 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego.negTokenTarg.responseToken,
&unwrapped_out);
- spnego_state->result = spnego.negTokenTarg.negResult;
spnego_free_data(&spnego);
/* compose reply */
@@ -514,38 +510,45 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego.negTokenTarg.responseToken,
&unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)
- && (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {
+
+ if ((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED)
+ && !NT_STATUS_IS_OK(nt_status)) {
DEBUG(1,("gensec_update ok but not accepted\n"));
nt_status = NT_STATUS_INVALID_PARAMETER;
- }
+ }
- spnego_state->result = spnego.negTokenTarg.negResult;
spnego_free_data(&spnego);
-
- spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
- spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
- spnego_out.negTokenTarg.supportedMech = NULL;
- spnego_out.negTokenTarg.responseToken = unwrapped_out;
- spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+
+ if (unwrapped_out.length) {
+ spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+ spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
+ spnego_out.negTokenTarg.supportedMech = NULL;
+ spnego_out.negTokenTarg.responseToken = unwrapped_out;
+ spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+
+ if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+ DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ } else {
+ *out = null_data_blob;
+ }
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
/* compose reply */
+
spnego_state->state_position = SPNEGO_CLIENT_TARG;
} else if (NT_STATUS_IS_OK(nt_status)) {
+ /* all done - server has accepted, and we agree */
spnego_state->state_position = SPNEGO_DONE;
+ return NT_STATUS_OK;
} else {
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
return nt_status;
}
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
return nt_status;
}
case SPNEGO_DONE:
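Review bot: The debug text `gensec_update ok but not accepted` no longer matches the condition it sits under: the rewritten check fires when the server says SPNEGO_ACCEPT_COMPLETED but the sub-mechanism did not return OK, which is the opposite situation, so the message should read something like `DEBUG(1,("server reports ACCEPT_COMPLETED but sub-mechanism is not finished\n"));`. The original case (sub-mechanism OK while `negResult` is not ACCEPT_COMPLETED) is no longer rejected, so the client now moves to SPNEGO_DONE and returns NT_STATUS_OK on the sub-mechanism's verdict alone, without the server's negResult confirming acceptance; if that is deliberate, as the commit message's "already finished" wording suggests, a comment at the `NT_STATUS_IS_OK` branch stating that the sub-mechanism may legitimately complete before the server signals ACCEPT_COMPLETED would make the intent explicit. Note also that when the check does fire, `nt_status` becomes NT_STATUS_INVALID_PARAMETER yet the code still builds and writes `*out` from `unwrapped_out` before reaching the failure branch. gensec_spnego_update starts and ends outside this hunk.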