auth/spnego: consitently set spnego_state->sub_sec_ready = true after gensec_update_ev()
authorStefan Metzmacher <metze@samba.org>
Fri, 30 Dec 2016 08:04:47 +0000 (09:04 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 29 Jun 2017 13:59:22 +0000 (15:59 +0200)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
auth/gensec/spnego.c

index f8be423..c548db4 100644 (file)
@@ -270,6 +270,9 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
                                                          ev,
                                                          unwrapped_in,
                                                          unwrapped_out);
+                               if (NT_STATUS_IS_OK(nt_status)) {
+                                       spnego_state->sub_sec_ready = true;
+                               }
                                if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) || 
                                    NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
                                        /* Pretend we never started it (lets the first run find some incompatible demand) */
@@ -324,6 +327,9 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
                                                  ev,
                                                  data_blob_null,
                                                  unwrapped_out);
+                       if (NT_STATUS_IS_OK(nt_status)) {
+                               spnego_state->sub_sec_ready = true;
+                       }
 
                        /* it is likely that a NULL input token will
                         * not be liked by most server mechs, but if
@@ -463,6 +469,9 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
                                                  ev,
                                                  data_blob_null,
                                                  &unwrapped_out);
+                       if (NT_STATUS_IS_OK(nt_status)) {
+                               spnego_state->sub_sec_ready = true;
+                       }
 
                        if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) 
                            && !NT_STATUS_IS_OK(nt_status)) {
@@ -535,10 +544,6 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
                /* set next state */
                spnego_state->neg_oid = all_sec[i].oid;
 
-               if (NT_STATUS_IS_OK(nt_status)) {
-                       spnego_state->sub_sec_ready = true;
-               }
-
                return NT_STATUS_MORE_PROCESSING_REQUIRED;
        } 
        talloc_free(spnego_state->sub_sec_security);
@@ -768,10 +773,6 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
                spnego_state->state_position = SPNEGO_CLIENT_TARG;
 
-               if (NT_STATUS_IS_OK(nt_status)) {
-                       spnego_state->sub_sec_ready = true;
-               }
-
                spnego_free_data(&spnego);
                return NT_STATUS_MORE_PROCESSING_REQUIRED;
        }
@@ -837,6 +838,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                                             out_mem_ctx, ev,
                                             spnego.negTokenTarg.responseToken,
                                             &unwrapped_out);
+               if (NT_STATUS_IS_OK(nt_status)) {
+                       spnego_state->sub_sec_ready = true;
+               }
                if (!NT_STATUS_IS_OK(nt_status)) {
                        goto server_response;
                }
@@ -1046,11 +1050,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                                                  out_mem_ctx, ev,
                                                  spnego.negTokenTarg.responseToken, 
                                                  &unwrapped_out);
+                       if (NT_STATUS_IS_OK(nt_status)) {
+                               spnego_state->sub_sec_ready = true;
+                       }
                        if (!NT_STATUS_IS_OK(nt_status)) {
                                goto client_response;
                        }
-
-                       spnego_state->sub_sec_ready = true;
                } else {
                        nt_status = NT_STATUS_OK;
                }