s4-gensec: fixed a client side bug in GENSEC/SASL/SSF negotiation
authorAndrew Tridgell <tridge@samba.org>
Thu, 23 Sep 2010 05:41:02 +0000 (22:41 -0700)
committerAndrew Tridgell <tridge@samba.org>
Thu, 23 Sep 2010 07:17:57 +0000 (07:17 +0000)
This is the client-side equivalent of the previous fix.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

source4/auth/gensec/gensec_gssapi.c

index a864bca49b19b77d878224948050f03d88c8619c..ecf2a73b1f76dc38e584c42ba504faa60e4ab3c0 100644 (file)
@@ -632,18 +632,21 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
                        gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0), 
                                                                     gensec_gssapi_state->max_wrap_buf_size);
                        gensec_gssapi_state->sasl_protection = 0;
-                       if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-                               if (security_supported & NEG_SEAL) {
+                       if (security_supported & NEG_SEAL) {
+                               if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
                                        gensec_gssapi_state->sasl_protection |= NEG_SEAL;
                                }
-                       } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-                               if (security_supported & NEG_SIGN) {
+                       }
+                       if (security_supported & NEG_SIGN) {
+                               if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
                                        gensec_gssapi_state->sasl_protection |= NEG_SIGN;
                                }
-                       } else if (security_supported & NEG_NONE) {
+                       }
+                       if (security_supported & NEG_NONE) {
                                gensec_gssapi_state->sasl_protection |= NEG_NONE;
-                       } else {
-                               DEBUG(1, ("Remote server does not support unprotected connections"));
+                       }
+                       if (gensec_gssapi_state->sasl_protection == 0) {
+                               DEBUG(1, ("Remote server does not support unprotected connections\n"));
                                return NT_STATUS_ACCESS_DENIED;
                        }
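Review bot: With the three independent `if`s, `NEG_NONE` is OR-ed into `sasl_protection` whenever the server offers it, so a caller that needs sealing or signing can leave this branch with only `NEG_NONE` set, and the final `sasl_protection == 0` check will not reject that. Nothing visible in the hunk compares the negotiated mask with what the caller required. gensec_gssapi_update continues outside the hunk, so this may be enforced later; if it is not, a check such as `if (want_seal && !(gensec_gssapi_state->sasl_protection & NEG_SEAL)) return NT_STATUS_ACCESS_DENIED;` belongs here, where `want_seal` is a placeholder for however the caller's requirement is exposed. The DEBUG text is also no longer accurate, because the branch now fires when no protection level is mutually acceptable; something like `"No common SASL protection level with remote server\n"` would describe it better.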