auth/spnego: make the debug messages in gensec_spnego_create_negTokenInit() more...
index 0e37c3faf21fc72cf237d45938c23c1338489a3f..f7faf6143dfd062766ba565dc10b9f07c251648e 100644 (file)
@@ -218,6 +218,9 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
        const char **mechTypes = NULL;
        DATA_BLOB unwrapped_out = data_blob_null;
        const struct gensec_security_ops_wrapper *all_sec;
+       const char **send_mech_types = NULL;
+       struct spnego_data spnego_out;
+       bool ok;
 
        mechTypes = gensec_security_oids(gensec_security, 
                                         out_mem_ctx, GENSEC_OID_SPNEGO);
@@ -227,9 +230,9 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
                                              mechTypes,
                                              GENSEC_OID_SPNEGO);
        for (i=0; all_sec && all_sec[i].op; i++) {
-               struct spnego_data spnego_out;
-               const char **send_mech_types;
-               bool ok;
+               const char *next = NULL;
+               const char *principal = NULL;
+               int dbg_level = DBGLVL_WARNING;
 
                nt_status = gensec_subcontext_start(spnego_state,
                                                    gensec_security,
@@ -245,102 +248,106 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
                        continue;
                }
 
+               if (spnego_state->state_position != SPNEGO_CLIENT_START) {
+                       /*
+                        * The server doesn't generate an optimistic token.
+                        */
+                       goto reply;
+               }
+
                /* In the client, try and produce the first (optimistic) packet */
-               if (spnego_state->state_position == SPNEGO_CLIENT_START) {
-                       nt_status = gensec_update_ev(spnego_state->sub_sec_security,
-                                                 out_mem_ctx, 
-                                                 ev,
-                                                 data_blob_null,
-                                                 &unwrapped_out);
-                       if (NT_STATUS_IS_OK(nt_status)) {
-                               spnego_state->sub_sec_ready = true;
-                       }
+               nt_status = gensec_update_ev(spnego_state->sub_sec_security,
+                                         out_mem_ctx,
+                                         ev,
+                                         data_blob_null,
+                                         &unwrapped_out);
+               if (NT_STATUS_IS_OK(nt_status)) {
+                       spnego_state->sub_sec_ready = true;
+               }
 
-                       if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
-                               const char *next = NULL;
-                               const char *principal = NULL;
-                               int dbg_level = DBGLVL_WARNING;
-
-                               if (all_sec[i+1].op != NULL) {
-                                       next = all_sec[i+1].op->name;
-                                       dbg_level = DBGLVL_NOTICE;
-                               }
-
-                               if (gensec_security->target.principal != NULL) {
-                                       principal = gensec_security->target.principal;
-                               } else if (gensec_security->target.service != NULL &&
-                                          gensec_security->target.hostname != NULL)
-                               {
-                                       principal = talloc_asprintf(spnego_state->sub_sec_security,
-                                                                   "%s/%s",
-                                                                   gensec_security->target.service,
-                                                                   gensec_security->target.hostname);
-                               } else {
-                                       principal = gensec_security->target.hostname;
-                               }
-
-                               DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
-                                         spnego_state->sub_sec_security->ops->name,
-                                         principal,
-                                         next, nt_errstr(nt_status)));
+               if (!GENSEC_UPDATE_IS_NTERROR(nt_status)) {
+                       goto reply;
+               }
 
-                               /*
-                                * Pretend we never started it
-                                */
-                               gensec_spnego_update_sub_abort(spnego_state);
-                               continue;
-                       }
+               if (all_sec[i+1].op != NULL) {
+                       next = all_sec[i+1].op->name;
+                       dbg_level = DBGLVL_NOTICE;
                }
 
-               spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
+               if (gensec_security->target.principal != NULL) {
+                       principal = gensec_security->target.principal;
+               } else if (gensec_security->target.service != NULL &&
+                          gensec_security->target.hostname != NULL)
+               {
+                       principal = talloc_asprintf(spnego_state->sub_sec_security,
+                                                   "%s/%s",
+                                                   gensec_security->target.service,
+                                                   gensec_security->target.hostname);
+               } else {
+                       principal = gensec_security->target.hostname;
+               }
 
-               send_mech_types = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
-                                                                       &all_sec[i]);
+               DBG_PREFIX(dbg_level, (
+                          "%s: creating NEG_TOKEN_INIT for %s failed "
+                          "(next[%s]): %s\n",
+                          spnego_state->sub_sec_security->ops->name,
+                          principal, next, nt_errstr(nt_status)));
 
-               ok = spnego_write_mech_types(spnego_state,
-                                            send_mech_types,
-                                            &spnego_state->mech_types);
-               if (!ok) {
-                       DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
-                       return NT_STATUS_NO_MEMORY;
-               }
+               /*
+                * Pretend we never started it
+                */
+               gensec_spnego_update_sub_abort(spnego_state);
+       }
 
-               /* List the remaining mechs as options */
-               spnego_out.negTokenInit.mechTypes = send_mech_types;
-               spnego_out.negTokenInit.reqFlags = data_blob_null;
-               spnego_out.negTokenInit.reqFlagsPadding = 0;
+       DBG_WARNING("Failed to setup SPNEGO negTokenInit request: %s\n",
+                   nt_errstr(nt_status));
+       return nt_status;
 
-               if (spnego_state->state_position == SPNEGO_SERVER_START) {
-                       spnego_out.negTokenInit.mechListMIC
-                               = data_blob_string_const(ADS_IGNORE_PRINCIPAL);
-               } else {
-                       spnego_out.negTokenInit.mechListMIC = data_blob_null;
-               }
+reply:
+       spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
 
-               spnego_out.negTokenInit.mechToken = unwrapped_out;
+       send_mech_types = gensec_security_oids_from_ops_wrapped(out_mem_ctx,
+                                                               &all_sec[i]);
 
-               if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
-                       DEBUG(1, ("Failed to write NEG_TOKEN_INIT\n"));
-                               return NT_STATUS_INVALID_PARAMETER;
-               }
+       ok = spnego_write_mech_types(spnego_state,
+                                    send_mech_types,
+                                    &spnego_state->mech_types);
+       if (!ok) {
+               DBG_ERR("Failed to write mechTypes\n");
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       /* List the remaining mechs as options */
+       spnego_out.negTokenInit.mechTypes = send_mech_types;
+       spnego_out.negTokenInit.reqFlags = data_blob_null;
+       spnego_out.negTokenInit.reqFlagsPadding = 0;
 
-               /* set next state */
-               spnego_state->neg_oid = all_sec[i].oid;
+       if (spnego_state->state_position == SPNEGO_SERVER_START) {
+               spnego_out.negTokenInit.mechListMIC
+                       = data_blob_string_const(ADS_IGNORE_PRINCIPAL);
+       } else {
+               spnego_out.negTokenInit.mechListMIC = data_blob_null;
+       }
 
-               if (spnego_state->state_position == SPNEGO_SERVER_START) {
-                       spnego_state->state_position = SPNEGO_SERVER_START;
-                       spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
-               } else {
-                       spnego_state->state_position = SPNEGO_CLIENT_TARG;
-                       spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
-               }
+       spnego_out.negTokenInit.mechToken = unwrapped_out;
 
-               return NT_STATUS_MORE_PROCESSING_REQUIRED;
+       if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+               DBG_ERR("Failed to write NEG_TOKEN_INIT\n");
+               return NT_STATUS_INVALID_PARAMETER;
        }
-       gensec_spnego_update_sub_abort(spnego_state);
 
-       DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
-       return nt_status;
+       /* set next state */
+       spnego_state->neg_oid = all_sec[i].oid;
+
+       if (spnego_state->state_position == SPNEGO_SERVER_START) {
+               spnego_state->state_position = SPNEGO_SERVER_START;
+               spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
+       } else {
+               spnego_state->state_position = SPNEGO_CLIENT_TARG;
+               spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
+       }
+
+       return NT_STATUS_MORE_PROCESSING_REQUIRED;
 }
 
 static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec_security,
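Review bot: The reworked DBG_PREFIX call still hands `principal` and `next` straight to `%s`, and both can be NULL on this path — `next` when the current mech is the last entry in `all_sec`, `principal` when `target.hostname` is NULL or the `talloc_asprintf` fails (its result is not checked). Whether that prints "(null)" or faults depends on the formatting routine behind DBG_PREFIX, so a fixed marker makes the message deterministic: `principal != NULL ? principal : "<unknown>", next != NULL ? next : "<none>", nt_errstr(nt_status)));`. Separately, the abort that ran after the loop (the removed `gensec_spnego_update_sub_abort(spnego_state);` line) is gone, so the `continue` near the top of this hunk, whose failure handling starts outside it, now has to release the subcontext itself — worth confirming that it does. The function's opening lines and the `nt_status` initialization that the post-loop DBG_WARNING relies on when `all_sec` is empty are outside this hunk.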