auth/spnego: make sure a fatal error or the final success make the state as SPNEGO_DONE

This means any further gensec_update() will fail with
NT_STATUS_INVALID_PARAMETER.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index db791ce4ca82bc131ce086144c4da7b968624397..aec4b5e47a7d9e99a394459c596555c6373f2867 100644 (file)
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1351,6 +1351,10 @@ static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security
                        return spnego_state->out_status;
                }
 
+               /*
+                * We're completely done, further updates are not allowed.
+                */
+               spnego_state->state_position = SPNEGO_DONE;
                return gensec_child_ready(gensec_security,
                                          spnego_state->sub_sec_security);
        }
@@ -1424,6 +1428,10 @@ static NTSTATUS gensec_spnego_update_wrapper(struct gensec_security *gensec_secu
        }
        if (!NT_STATUS_IS_OK(status) &&
            !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+               /*
+                * A fatal error, further updates are not allowed.
+                */
+               spnego_state->state_position = SPNEGO_DONE;
                return status;
        }