diff options
author | Andrew Bartlett <abartlet@samba.org> | 2005-01-10 10:48:19 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:08:37 -0500 |
commit | 7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b (patch) | |
tree | 380cf934d5d65d5ef2af720d381252efc6056c26 /source4/libcli | |
parent | 047d41cc490c05dd07eeab29913b3f2882887678 (diff) | |
download | samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.tar.gz samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.tar.bz2 samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.zip |
r4635: Fix NTLMSSP to return NT_STATUS_OK when it has constructed the auth
token in the client (the final token in the negotiation).
Consequential fixes in the SPNEGO code, which now uses the out.length
as the indicator of 'I need to send something to the other side'.
Merge the NTLM and SPNEGO DCE-RPC authentication routines in the client.
Fix the RPC-MULTIBIND test consequent to this merge.
Andrew Bartlett
(This used to be commit 43e3516fc03008e97ebb4ad1a0cde464303f43c6)
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/auth/ntlmssp.c | 5 | ||||
-rw-r--r-- | source4/libcli/auth/spnego.c | 61 |
2 files changed, 34 insertions, 32 deletions
diff --git a/source4/libcli/auth/ntlmssp.c b/source4/libcli/auth/ntlmssp.c index 7f4a86e274..a9fb66d41e 100644 --- a/source4/libcli/auth/ntlmssp.c +++ b/source4/libcli/auth/ntlmssp.c @@ -1257,13 +1257,14 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state, ntlmssp_state->expected_state = NTLMSSP_DONE; - if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) { + nt_status = ntlmssp_sign_init(ntlmssp_state); + if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status))); return nt_status; } - return NT_STATUS_MORE_PROCESSING_REQUIRED; + return nt_status; } NTSTATUS ntlmssp_client_start(TALLOC_CTX *mem_ctx, struct ntlmssp_state **ntlmssp_state) diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c index 31dd5aa47d..84bd7ce42c 100644 --- a/source4/libcli/auth/spnego.c +++ b/source4/libcli/auth/spnego.c @@ -685,24 +685,34 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (spnego_state->no_response_expected) { - nt_status = NT_STATUS_OK; + if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) { + DEBUG(1,("gensec_update ok but not accepted\n")); + nt_status = NT_STATUS_INVALID_PARAMETER; + } else { + nt_status = NT_STATUS_OK; + } } else { nt_status = gensec_update(spnego_state->sub_sec_security, out_mem_ctx, spnego.negTokenTarg.responseToken, &unwrapped_out); - } - - - if (NT_STATUS_IS_OK(nt_status) - && (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) { - DEBUG(1,("gensec_update ok but not accepted\n")); - nt_status = NT_STATUS_INVALID_PARAMETER; + + if (NT_STATUS_IS_OK(nt_status)) { + spnego_state->no_response_expected = True; + } } spnego_free_data(&spnego); - if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) + && !NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("SPNEGO(%s) login failed: %s\n", + spnego_state->sub_sec_security->ops->name, + nt_errstr(nt_status))); + return nt_status; + } + + if (unwrapped_out.length) { /* compose reply */ spnego_out.type = SPNEGO_NEG_TOKEN_TARG; spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT; @@ -716,30 +726,21 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } spnego_state->state_position = SPNEGO_CLIENT_TARG; - } else if (NT_STATUS_IS_OK(nt_status)) { + nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + } else { + /* all done - server has accepted, and we agree */ - - if (unwrapped_out.length) { - spnego_out.type = SPNEGO_NEG_TOKEN_TARG; - spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT; - spnego_out.negTokenTarg.supportedMech = NULL; - spnego_out.negTokenTarg.responseToken = unwrapped_out; - spnego_out.negTokenTarg.mechListMIC = null_data_blob; - - if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) { - DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n")); - return NT_STATUS_INVALID_PARAMETER; - } - } else { - *out = null_data_blob; - } + *out = null_data_blob; - spnego_state->state_position = SPNEGO_DONE; - } else { - DEBUG(1, ("SPNEGO(%s) login failed: %s\n", - spnego_state->sub_sec_security->ops->name, - nt_errstr(nt_status))); + if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) { + /* unless of course it did not accept */ + DEBUG(1,("gensec_update ok but not accepted\n")); + nt_status = NT_STATUS_INVALID_PARAMETER; + } } + + spnego_state->state_position = SPNEGO_DONE; + return nt_status; } case SPNEGO_DONE: |