mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

s4:gensec/spnego: only look at the optimistic token if we support the first mech

As a server only try the mechs the client proposed
and only call gensec_update() with the optimistic token
for the first mech in the list.

If the server doesn't support the first mech we pick the
first one in the client's list we also support.
That's how w2k8r2 works.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Tue Dec 14 16:50:50 CET 2010 on sn-devel-104
Stefan Metzmacher 2010-12-01 07:02:15 +01:00
parent 4fd57cbe1b
commit f126cb9eea


@ -420,9 +420,9 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
}
if (spnego_state->state_position == SPNEGO_SERVER_START) {
uint32_t j;
for (j=0; mechType && mechType[j]; j++) {
for (i=0; all_sec && all_sec[i].op; i++) {
/* optimistic token */
if (strcmp(all_sec[i].oid, mechType[0]) == 0) {
nt_status = gensec_subcontext_start(spnego_state,
gensec_security,
&spnego_state->sub_sec_security);
@ -438,6 +438,14 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
break;
}
if (j > 0) {
/* no optimistic token */
spnego_state->neg_oid = all_sec[i].oid;
*unwrapped_out = data_blob_null;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
break;
}
nt_status = gensec_update(spnego_state->sub_sec_security,
out_mem_ctx,
unwrapped_in,
@ -456,6 +464,14 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
spnego_state->neg_oid = all_sec[i].oid;
break;
}
if (spnego_state->sub_sec_security) {
break;
}
}
if (!spnego_state->sub_sec_security) {
DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
}
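Review bot: The added `if (j > 0)` branch accepts a mechanism that was not the client's first choice, but nothing visible in these hunks ties that case to a mechListMIC exchange. RFC 4178 section 5 requires the MIC when the accepted mech is not the initiator's most preferred one, since the mech list in the negTokenInit is otherwise unprotected and an altered list would go undetected. If that is enforced later in the state machine, a comment in the branch would make it reviewable, e.g. `/* not the client's preferred mech: the reply must request and verify mechListMIC (RFC 4178, section 5) */`. Separately, the comparison shown in the first hunk reads `strcmp(all_sec[i].oid, mechType[0])` inside the `j` loop; the rendering does not show which side that line is on, so it is worth confirming the new code compares against `mechType[j]`. The body of gensec_spnego_parse_negTokenInit starts and ends outside the hunks.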