authorStefan Metzmacher <metze@samba.org>2017-07-17 21:54:51 +0200
committerAndreas Schneider <asn@cryptomilk.org>2017-07-25 13:51:11 +0200
commiteedb8105507ed14ed19da185dcf32537dc39c7fe (patch)
tree51dd5540f2b4f8ed81689bfa74a32c7cc909d73f /auth
parent3e6daa30f5594c25da190773be79003eef9b157a (diff)
auth/spnego: don't call gensec_spnego_server_response() with a fatal error
It doesn't make sense to produce an output token without returning OK or MORE_PROCESSING_REQUIRED. Even in v4-0-test we had gensec_spnego_update_wrapper() which only passed the constructed output token to the caller with OK or MORE_PROCESSING_REQUIRED. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'auth')
-rw-r--r--auth/gensec/spnego.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 5eb75ad47aa..474f0a9fe1c 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1048,7 +1048,8 @@ static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec
if (GENSEC_UPDATE_IS_NTERROR(status)) {
DBG_WARNING("%s: NEG_TOKEN_INIT failed: %s\n",
cur_sec->op->name, nt_errstr(status));
- goto reply;
+ TALLOC_FREE(frame);
+ return status;
}
spnego_state->neg_oid = cur_sec->oid;
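Review bot: The new fatal exit at `return status;` has to repeat `TALLOC_FREE(frame);` by hand, and the next hunk does the same before `return NT_STATUS_INVALID_PARAMETER;`. With two hand-written exits beside the existing `reply:` path, a later early return in gensec_spnego_server_negTokenInit could easily skip the free. A short comment above each, for example `/* fatal: return the error without building a reply token */`, would record why these paths bypass `reply:`. The function body starts and ends outside these hunks, so whether other state set earlier in the function needs unwinding on these paths cannot be judged from here.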
@@ -1056,7 +1057,8 @@ static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec
}
DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
- status = NT_STATUS_INVALID_PARAMETER;
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
reply:
if (spnego_state->simulate_w2k) {
@@ -1118,7 +1120,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
- goto server_response;
+ return status;
}
spnego_state->needs_mic_check = false;
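Review bot: The `return status;` after the failed mechListMIC verification exits with no cleanup, while the negTokenInit exits changed in this commit free `frame` first. Nothing in this hunk shows whether gensec_spnego_server_negTokenTarg holds a stack frame or other temporaries at this point, so that should be confirmed. The same applies to the identical change in the last hunk (the second mechListMIC check). Because a mechListMIC mismatch is the check that protects the negotiated mechanism list, the intent deserves a comment such as `/* mechListMIC mismatch is fatal: fail the exchange, send no reply token */`. The function starts and ends outside the hunk.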
@@ -1130,6 +1132,11 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
sub_in, &sub_out);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ DEBUG(2, ("SPNEGO login failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
if (NT_STATUS_IS_OK(status)) {
spnego_state->sub_sec_ready = true;
}
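Review bot: The added failure branch logs through the old-style `DEBUG(2, (...))`, while every other message touched by this commit uses `DBG_WARNING`. The text also does not name the sub-mechanism that failed, unlike the NEG_TOKEN_INIT message in the first hunk, which prints the mechanism name. This is the line someone triaging failed logons would search for, so consider `DBG_WARNING("SPNEGO login failed: %s\n", nt_errstr(status));` with the mechanism name added as a leading `%s:` field. Note that switching macros changes the debug level, so do it only if that is intended. The enclosing function continues outside the hunk.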
@@ -1166,7 +1173,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
if (!NT_STATUS_IS_OK(status)) {
DBG_WARNING("failed to verify mechListMIC: %s\n",
nt_errstr(status));
- goto server_response;
+ return status;
}
spnego_state->needs_mic_check = false;