[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Dec 14 08:51:02 MST 2010


The branch, master has been updated
       via  f126cb9 s4:gensec/spnego: only look at the optimistic token if we support the first mech
      from  4fd57cb s3/net: don't use external "date" to make "net time set" more portable

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f126cb9eeace9d3ad277c333fe9dfac17153d264
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Dec 1 07:02:15 2010 +0100

    s4:gensec/spnego: only look at the optimistic token if we support the first mech
    
    As a server only try the mechs the client proposed
    and only call gensec_update() with the optimistic token
    for the first mech in the list.
    
    If the server doesn't support the first mech we pick the
    first one in the client's list we also support.
    That's how w2k8r2 works.
    
    metze
    
    Autobuild-User: Stefan Metzmacher <metze at samba.org>
    Autobuild-Date: Tue Dec 14 16:50:50 CET 2010 on sn-devel-104

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/gensec/spnego.c |   24 ++++++++++++++++++++----
 1 files changed, 20 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 1f6c919..5555fc4 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -420,9 +420,9 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 	}
 
 	if (spnego_state->state_position == SPNEGO_SERVER_START) {
-		for (i=0; all_sec && all_sec[i].op; i++) {
-			/* optimistic token */
-			if (strcmp(all_sec[i].oid, mechType[0]) == 0) {
+		uint32_t j;
+		for (j=0; mechType && mechType[j]; j++) {
+			for (i=0; all_sec && all_sec[i].op; i++) {
 				nt_status = gensec_subcontext_start(spnego_state,
 								    gensec_security,
 								    &spnego_state->sub_sec_security);
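Review bot: In the new inner loop over all_sec[i], nothing compares all_sec[i].oid with mechType[j]. The removed strcmp(all_sec[i].oid, mechType[0]) == 0 test has no counterpart in the added lines, and the line after the inner for is the gensec_subcontext_start() call, so it is reached for every all_sec[i] without regard to what the client offered. That does not match the commit message's "only try the mechs the client proposed". Suggest restoring the comparison at the top of the inner loop, for example: if (strcmp(mechType[j], all_sec[i].oid) != 0) { continue; }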
@@ -437,7 +437,15 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 					spnego_state->sub_sec_security = NULL;
 					break;
 				}
-				
+
+				if (j > 0) {
+					/* no optimistic token */
+					spnego_state->neg_oid = all_sec[i].oid;
+					*unwrapped_out = data_blob_null;
+					nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+					break;
+				}
+
 				nt_status = gensec_update(spnego_state->sub_sec_security,
 							  out_mem_ctx, 
 							  unwrapped_in,
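Review bot: The break in the j > 0 branch only leaves the inner all_sec loop, so ending the search over mechType depends on a separate check made after that loop, outside this hunk. A found flag set here, or a goto past both loops, would make the exit explicit. The comment /* no optimistic token */ should also say why: per the commit message the optimistic token belongs to the first mech in the client's list, so for a later mech unwrapped_in is not passed to gensec_update() and *unwrapped_out is set to data_blob_null instead.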
@@ -456,6 +464,14 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 				spnego_state->neg_oid = all_sec[i].oid;
 				break;
 			}
+			if (spnego_state->sub_sec_security) {
+				break;
+			}
+		}
+
+		if (!spnego_state->sub_sec_security) {
+			DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
+			return NT_STATUS_INVALID_PARAMETER;
 		}
 	}
 	
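Review bot: The failure path after the loops returns NT_STATUS_INVALID_PARAMETER with a DEBUG(1) message that names neither the mechs the client offered nor why none was usable. The context lines of the previous hunk show sub_sec_security being reset to NULL on an error path before a break, so "no common mech" and "a candidate mech failed" end up with the same log line and status. Suggest logging the offered OIDs or the last nt_status here, and adding a one-line comment at the new if (spnego_state->sub_sec_security) break; that a non-NULL sub_sec_security is what marks a successful selection.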


-- 
Samba Shared Repository

