git.samba.org / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
r4044: only send supportedMech when we also send other data
[samba.git] / source4 / libcli / auth / spnego.c
diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c
index dff9cb0c516e9687d8c99b840b5cf88e75091868..3af1bc1e81fe0bfeaaeb240e90d74c94fc0d565a 100644 (file)
--- a/source4/libcli/auth/spnego.c
+++ b/source4/libcli/auth/spnego.c
@@ -23,6 +23,8 @@
 */
 
 #include "includes.h"
+#include "auth/auth.h"
+#include "asn_1.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -216,6 +218,10 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
                if (!all_ops[i]->oid) {
                        continue;
                }
+               if (strcasecmp(OID_SPNEGO,all_ops[i]->oid) == 0) {
+                       continue;
+               }
+
                nt_status = gensec_subcontext_start(gensec_security, 
                                                    &spnego_state->sub_sec_security);
                if (!NT_STATUS_IS_OK(nt_status)) {
@@ -369,24 +375,26 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
        spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
        spnego_out.negTokenTarg.responseToken = unwrapped_out;
        spnego_out.negTokenTarg.mechListMIC = null_data_blob;
-       
+       spnego_out.negTokenTarg.supportedMech = NULL;
+
        if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-               spnego_out.negTokenTarg.supportedMech 
+               spnego_out.negTokenTarg.supportedMech
                        = spnego_state->sub_sec_security->ops->oid;
                spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
                spnego_state->state_position = SPNEGO_SERVER_TARG;
        } else if (NT_STATUS_IS_OK(nt_status)) {
-               spnego_out.negTokenTarg.supportedMech 
-                       = spnego_state->sub_sec_security->ops->oid;
+               if (unwrapped_out.data) {
+                       spnego_out.negTokenTarg.supportedMech
+                               = spnego_state->sub_sec_security->ops->oid;
+               }
                spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
                spnego_state->state_position = SPNEGO_DONE;
        } else {
-               spnego_out.negTokenTarg.supportedMech = NULL;
                spnego_out.negTokenTarg.negResult = SPNEGO_REJECT;
                DEBUG(1, ("SPNEGO login failed: %s\n", nt_errstr(nt_status)));
                spnego_state->state_position = SPNEGO_DONE;
        }
-       
+
        if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
                DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
                return NT_STATUS_INVALID_PARAMETER;
@@ -436,7 +444,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                        if (spnego.type != spnego_state->expected_packet) {
                                DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type, 
                                          spnego_state->expected_packet));
-                               dump_data(1, (const char *)in.data, in.length);
+                               dump_data(1, in.data, in.length);
                                spnego_free_data(&spnego);
                                return NT_STATUS_INVALID_PARAMETER;
                        }
@@ -460,11 +468,19 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                        return nt_status;
                } else {
                        const char **mechlist = gensec_security_oids(out_mem_ctx, OID_SPNEGO);
+                       const char *mechListMIC;
+
+                       mechListMIC = talloc_asprintf(out_mem_ctx,"%s$@%s",
+                                                       lp_netbios_name(),
+                                                       lp_realm());
+                       if (!mechListMIC) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
 
                        spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
                        spnego_out.negTokenInit.mechTypes = mechlist;
                        spnego_out.negTokenInit.reqFlags = 0;
-                       spnego_out.negTokenInit.mechListMIC = null_data_blob;
+                       spnego_out.negTokenInit.mechListMIC = data_blob(mechListMIC, strlen(mechListMIC));
                        spnego_out.negTokenInit.mechToken = unwrapped_out;
                        
                        if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
@@ -484,7 +500,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
        {
                /* The server offers a list of mechanisms */
                
-               char *my_mechs[] = {NULL, NULL};
+               const char *my_mechs[] = {NULL, NULL};
                NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
 
                if (!in.length) {
@@ -496,7 +512,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                
                if (len == -1) {
                        DEBUG(1, ("Invalid SPNEGO request:\n"));
-                       dump_data(1, (const char *)in.data, in.length);
+                       dump_data(1, in.data, in.length);
                        return NT_STATUS_INVALID_PARAMETER;
                }
                
@@ -504,7 +520,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                if (spnego.type != spnego_state->expected_packet) {
                        DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type, 
                                  spnego_state->expected_packet));
-                       dump_data(1, (const char *)in.data, in.length);
+                       dump_data(1, in.data, in.length);
                        spnego_free_data(&spnego);
                        return NT_STATUS_INVALID_PARAMETER;
                }
@@ -562,7 +578,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                
                if (len == -1) {
                        DEBUG(1, ("Invalid SPNEGO request:\n"));
-                       dump_data(1, (const char *)in.data, in.length);
+                       dump_data(1, in.data, in.length);
                        return NT_STATUS_INVALID_PARAMETER;
                }
                
@@ -570,7 +586,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                if (spnego.type != spnego_state->expected_packet) {
                        DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type, 
                                  spnego_state->expected_packet));
-                       dump_data(1, (const char *)in.data, in.length);
+                       dump_data(1, in.data, in.length);
                        spnego_free_data(&spnego);
                        return NT_STATUS_INVALID_PARAMETER;
                }
@@ -602,7 +618,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                
                if (len == -1) {
                        DEBUG(1, ("Invalid SPNEGO request:\n"));
-                       dump_data(1, (const char *)in.data, in.length);
+                       dump_data(1, in.data, in.length);
                        return NT_STATUS_INVALID_PARAMETER;
                }
                
@@ -610,7 +626,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                if (spnego.type != spnego_state->expected_packet) {
                        DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type, 
                                  spnego_state->expected_packet));
-                       dump_data(1, (const char *)in.data, in.length);
+                       dump_data(1, in.data, in.length);
                        spnego_free_data(&spnego);
                        return NT_STATUS_INVALID_PARAMETER;
                }
@@ -713,7 +729,7 @@ static const struct gensec_security_ops gensec_spnego_security_ops = {
 NTSTATUS gensec_spnego_init(void)
 {
        NTSTATUS ret;
-       ret = register_backend("gensec", &gensec_spnego_security_ops);
+       ret = gensec_register(&gensec_spnego_security_ops);
        if (!NT_STATUS_IS_OK(ret)) {
                DEBUG(0,("Failed to register '%s' gensec backend!\n",
                        gensec_spnego_security_ops.name));
Samba Shared Repository