Author: abartlet
Date: 2006-02-21 00:17:52 +0000 (Tue, 21 Feb 2006)
New Revision: 13584

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13584

Log:
Another try at SPNEGO stuff. I need to write a better testsuite for this.

This tries to ensure that when we are a client, we cope with mechs (like GSSAPI) that only abort (unknown server) at first runtime.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/spnego.c

Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c =================================================================== --- branches/SAMBA_4_0/source/auth/gensec/spnego.c 2006-02-21 00:07:59 UTC (rev 13583) +++ branches/SAMBA_4_0/source/auth/gensec/spnego.c 2006-02-21 00:17:52 UTC (rev 13584) @@ -358,6 +358,10 @@ } } + /* Having tried any optomisitc token from the client (if we + * were the server), if we didn't get anywhere, walk our list + * in our preference order */ + if (!spnego_state->sub_sec_security) { for (i=0; all_sec && all_sec[i].op; i++) { nt_status = gensec_subcontext_start(spnego_state, @@ -382,6 +386,25 @@ out_mem_ctx, null_data_blob, unwrapped_out); + + /* it is likely that a NULL input token will + * not be liked by most server mechs, but if + * we are in the client, we want the first + * update packet to be able to abort the use + * of this mech */ + if (spnego_state->state_position != SPNEGO_SERVER_START) { + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) || + NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) { + /* Pretend we never started it (lets the first run find some incompatible demand) */ + + DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse: %s\n", + spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status))); + talloc_free(spnego_state->sub_sec_security); + spnego_state->sub_sec_security = NULL; + continue; + } + } + break; } }
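Review bot: In the first hunk (@@ -358,6 +358,10 @@) the new comment misspells "optimistic" as "optomisitc", and its parenthetical "(if we were the server)" sits in the middle of the sentence, so it is unclear whether it qualifies the token attempt above or the list walk below. Since the `if (!spnego_state->sub_sec_security)` branch that follows is reached by both roles, the comment would read better as two sentences: one saying the server has already tried the client's optimistic token, and one saying that either side now walks all_sec in local preference order.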
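Review bot: In the second hunk (@@ -382,6 +386,25 @@) the `continue` moves on to the next entry in all_sec whenever the first update returns NT_STATUS_INVALID_PARAMETER or NT_STATUS_CANT_ACCESS_DOMAIN_INFO, so the client can end up on a lower-preference mech with only a DEBUG(1) line as a record, and that line's text, "NEG_TOKEN_INIT failed to parse", does not describe what happened on this path (a mech's first update failing on a null input blob). Please reword the message to say that the named mech was skipped and that the next one is being tried, so a fallback away from the preferred mech is recognisable in the logs. Two smaller points: the guard is written as `state_position != SPNEGO_SERVER_START`, which is the negation of the server start state rather than a positive test for the client case the comment describes, so a positive check or a short comment on why the negation is safe would help; and the choice of these two status codes as the "mech cannot be used" signals deserves a line of explanation, since any other failure status still reaches `break` with the subcontext left in place. The log message already notes that a better testsuite is needed; a case where the first mech fails at first update and the second succeeds would cover this path.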