r1605: GENSEC krb5 updates - fix a valgrind found uninitialised variable, and
authorAndrew Bartlett <abartlet@samba.org>
Thu, 29 Jul 2004 10:33:36 +0000 (10:33 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:57:44 +0000 (12:57 -0500)
allow tests for 'unwrapped' krb5, allowed by Win2k3.

SPNEGO changes, trying to get the logic right (when and what
sub-mechanisms to wrap).

Andrew Bartlett
(This used to be commit 8a0f7bf5e282d021afe93994a91fd76fa9c05f42)

source4/libcli/auth/gensec_krb5.c
source4/libcli/auth/spnego.c

index c7c1a18d24647389074625e4dfa63b31996602a9..f5f02d142161b6483d7feadb461c769874f0bc1a 100644 (file)
@@ -187,7 +187,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
                case KRB5_CC_NOTFOUND:
                {
                        char *password;
-                       time_t kdc_time;
+                       time_t kdc_time = 0;
                        nt_status = gensec_get_password(gensec_security, 
                                                        gensec_security->mem_ctx, 
                                                        &password);
@@ -284,11 +284,15 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL
                        nt_status = NT_STATUS_LOGON_FAILURE;
                } else {
                        DATA_BLOB unwrapped_out;
+
+#ifndef GENSEC_SEND_UNWRAPPED_KRB5 /* This should be a switch for the torture code to set */
                        unwrapped_out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length);
                        
                        /* wrap that up in a nice GSS-API wrapping */
                        *out = gensec_gssapi_gen_krb5_wrap(out_mem_ctx, &unwrapped_out, TOK_ID_KRB_AP_REQ);
-
+#else
+                       *out = data_blob_talloc(out_mem_ctx, gensec_krb5_state->ticket.data, gensec_krb5_state->ticket.length);
+#endif
                        gensec_krb5_state->state_position = GENSEC_KRB5_CLIENT_MUTUAL_AUTH;
                        nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
                }
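Review bot: The `#ifndef GENSEC_SEND_UNWRAPPED_KRB5` switch is resolved at compile time, so the torture code that the comment on that line says should set it cannot choose the unwrapped form at run time; exercising both forms would take two builds. A run-time flag in the gensec_krb5 state, defaulting to wrapped and settable only by the test harness, would keep the GSS-API framed AP-REQ (`gensec_gssapi_gen_krb5_wrap` with `TOK_ID_KRB_AP_REQ`) as the only production path while still allowing the Win2k3-style unwrapped test. In the `#else` arm `DATA_BLOB unwrapped_out` is declared but never used, which draws an unused-variable warning; moving the declaration inside the `#ifndef` arm, or reusing it for the `*out` copy, avoids that. Neither arm checks that `data_blob_talloc` produced a buffer when `ticket.length` is non-zero, e.g. `if (!out->data && gensec_krb5_state->ticket.length) return NT_STATUS_NO_MEMORY;`, though the helper's failure behaviour is not visible here. gensec_krb5_update starts and ends outside the hunk.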
index c16d77dad92ea149eaba133fdb99cca68f8646d7..23f0b1c0706f9f040e9286f5dfd0a790a2d095cc 100644 (file)
@@ -511,15 +511,16 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                                          &unwrapped_out);
                
                
-               if ((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_COMPLETED
-                   && !NT_STATUS_IS_OK(nt_status)) {
+               if (NT_STATUS_IS_OK(nt_status
+                   && (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {
                        DEBUG(1,("gensec_update ok but not accepted\n"));
                        nt_status = NT_STATUS_INVALID_PARAMETER;
                } 
                
                spnego_free_data(&spnego);
 
-               if (unwrapped_out.length) {
+               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+                       /* compose reply */
                        spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
                        spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
                        spnego_out.negTokenTarg.supportedMech = NULL;
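Review bot: The closing parenthesis of `NT_STATUS_IS_OK(` on the first added line of this hunk is misplaced: the `&&` and the `negResult` comparison end up inside the macro argument, so the macro tests `nt_status && (...)` rather than `nt_status`. If NTSTATUS is an integer type here that makes the condition true for every NT_STATUS_OK result, turning a successful completion into NT_STATUS_INVALID_PARAMETER; if it is a struct the expression does not compile at all. The intended check, that the sub-mechanism's final status and the server's negResult agree so a peer cannot declare acceptance before the mechanism has finished, is `if (NT_STATUS_IS_OK(nt_status)` followed by `&& (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED)) {`. gensec_spnego_update starts and ends outside the hunk.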
@@ -530,24 +531,31 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                                DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
                                return NT_STATUS_INVALID_PARAMETER;
                        }
-               } else {
-                       *out = null_data_blob;
-               }
-
-               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-                       /* compose reply */
-                       
                
                        spnego_state->state_position = SPNEGO_CLIENT_TARG;
                } else if (NT_STATUS_IS_OK(nt_status)) {
                        /* all done - server has accepted, and we agree */
+                       
+                       if (unwrapped_out.length) {
+                               spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+                               spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
+                               spnego_out.negTokenTarg.supportedMech = NULL;
+                               spnego_out.negTokenTarg.responseToken = unwrapped_out;
+                               spnego_out.negTokenTarg.mechListMIC = null_data_blob;
+                               
+                               if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+                                       DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
+                                       return NT_STATUS_INVALID_PARAMETER;
+                               }
+                       } else {
+                               *out = null_data_blob;
+                       }
+
                        spnego_state->state_position = SPNEGO_DONE;
-                       return NT_STATUS_OK;
                } else {
                        DEBUG(1, ("SPNEGO(%s) login failed: %s\n", 
                                  spnego_state->sub_sec_security->ops->name, 
                                  nt_errstr(nt_status)));
-                       return nt_status;
                }
                return nt_status;
        }
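Review bot: On the failure branch at the end of this hunk `*out` is never assigned; the removed `*out = null_data_blob;` used to cover that case, so a caller that looks at `*out` after a failed update now reads whatever the blob held before. The NEG_TOKEN_TARG composition added in the OK branch also duplicates the one in the MORE_PROCESSING_REQUIRED branch (the same five field assignments plus the write-failure check), so a single condition covering both cases with a shared else that zeroes `*out` removes the copy and restores the initialisation on every path. The reply still sends an empty `mechListMIC`; whether the client should compute one for the negotiated mechanism cannot be decided from this hunk, but a `/* no mechListMIC: the mech list is not integrity-protected */` comment on that line would make the choice explicit. The first copy of the composition begins in the previous hunk, and gensec_spnego_update starts before this one.
```c
		spnego_free_data(&spnego);

		/* A reply token is needed while the exchange is still in progress,
		 * and for a final client token once the server has accepted. */
		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
		    || (NT_STATUS_IS_OK(nt_status) && unwrapped_out.length)) {
			spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
			spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
			spnego_out.negTokenTarg.supportedMech = NULL;
			spnego_out.negTokenTarg.responseToken = unwrapped_out;
			/* no mechListMIC: the mech list is not integrity-protected */
			spnego_out.negTokenTarg.mechListMIC = null_data_blob;

			if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
				DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
				return NT_STATUS_INVALID_PARAMETER;
			}
		} else {
			/* nothing to send, including on failure */
			*out = null_data_blob;
		}

		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
			spnego_state->state_position = SPNEGO_CLIENT_TARG;
		} else if (NT_STATUS_IS_OK(nt_status)) {
			/* all done - server has accepted, and we agree */
			spnego_state->state_position = SPNEGO_DONE;
		} else {
			/* … unchanged: login failed DEBUG … */
		}
		return nt_status;
```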