svn commit: samba r9418 - in branches/SAMBA_4_0/source/auth/gensec:
.
abartlet at samba.org
abartlet at samba.org
Sat Aug 20 06:36:35 GMT 2005
Author: abartlet
Date: 2005-08-20 06:36:35 +0000 (Sat, 20 Aug 2005)
New Revision: 9418
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=9418
Log:
SPNEGO fixes:
- Fix mixing of code and data
- send mechListMic again in SPENGO server
- only send optomistic first packet in the client.
Modified:
branches/SAMBA_4_0/source/auth/gensec/spnego.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c 2005-08-20 06:14:46 UTC (rev 9417)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c 2005-08-20 06:36:35 UTC (rev 9418)
@@ -408,11 +408,11 @@
DATA_BLOB null_data_blob = data_blob(NULL,0);
const char **mechTypes = NULL;
DATA_BLOB unwrapped_out = data_blob(NULL, 0);
+ const struct gensec_security_ops_wrapper *all_sec;
mechTypes = gensec_security_oids(out_mem_ctx, GENSEC_OID_SPNEGO);
- const struct gensec_security_ops_wrapper *all_sec
- = gensec_security_by_oid_list(out_mem_ctx,
+ all_sec = gensec_security_by_oid_list(out_mem_ctx,
mechTypes,
GENSEC_OID_SPNEGO);
for (i=0; all_sec && all_sec[i].op; i++) {
@@ -432,27 +432,38 @@
continue;
}
- nt_status = gensec_update(spnego_state->sub_sec_security,
- out_mem_ctx,
- null_data_blob,
- &unwrapped_out);
+ /* In the client, try and produce the first (optimistic) packet */
+ if (spnego_state->state_position = SPNEGO_CLIENT_START) {
+ nt_status = gensec_update(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ null_data_blob,
+ &unwrapped_out);
+
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
+ && !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
+ spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ talloc_free(spnego_state->sub_sec_security);
+ spnego_state->sub_sec_security = NULL;
+ /* Pretend we never started it (lets the first run find some incompatible demand) */
+
+ continue;
+ }
+ }
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)
- && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
- && !NT_STATUS_IS_OK(nt_status)) {
- DEBUG(3, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
- talloc_free(spnego_state->sub_sec_security);
- spnego_state->sub_sec_security = NULL;
- /* Pretend we never started it (lets the first run find some incompatible demand) */
-
- continue;
- }
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
+
+ /* List the remaining mechs as options */
spnego_out.negTokenInit.mechTypes = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
&all_sec[i]);
spnego_out.negTokenInit.reqFlags = 0;
- spnego_out.negTokenInit.mechListMIC = null_data_blob;
+
+ if (spnego_state->state_position = SPNEGO_SERVER_START) {
+ spnego_out.negTokenInit.mechListMIC
+ = data_blob_string_const(talloc_asprintf(out_mem_ctx, "%s$@%s", lp_netbios_name(), lp_realm()));
+ } else {
+ spnego_out.negTokenInit.mechListMIC = null_data_blob;
+ }
spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
More information about the samba-cvs
mailing list