s4:gensec/spnego: only look at the optimistic token if we support the first mech
authorStefan Metzmacher <metze@samba.org>
Wed, 1 Dec 2010 06:02:15 +0000 (07:02 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 14 Dec 2010 12:22:37 +0000 (13:22 +0100)
As a server only try the mechs the client proposed
and only call gensec_update() with the optimistic token
for the first mech in the list.

If the server doesn't support the first mech, we pick the
first one in the client's list that we also support.
That's how w2k8r2 works.

metze

source4/auth/gensec/spnego.c

index 1f6c9198c5d28f9ccd338a49e574863e6583f698..380d6c1a12151c64d747791fc66455c0e31c3c88 100644 (file)
@@ -420,9 +420,14 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
        }
 
        if (spnego_state->state_position == SPNEGO_SERVER_START) {
-               for (i=0; all_sec && all_sec[i].op; i++) {
-                       /* optimistic token */
-                       if (strcmp(all_sec[i].oid, mechType[0]) == 0) {
+               uint32_t j;
+
+               for (j=0; mechType && mechType[j]; j++) {
+                       for (i=0; all_sec && all_sec[i].op; i++) {
+                               if (strcmp(mechType[j], all_sec[i].oid) != 0) {
+                                       continue;
+                               }
+
                                nt_status = gensec_subcontext_start(spnego_state,
                                                                    gensec_security,
                                                                    &spnego_state->sub_sec_security);
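Review bot: The new outer `for (j=0; mechType && mechType[j]; j++)` loop is never left once a mech has been selected: both the path after gensec_update() and the new `j > 0` path end in `break`, which only exits the inner `for (i=0; ...)` loop, and the third hunk shows the inner and outer loops closing back to back with no exit between them. If the client lists a further mech we also support, the next j iteration calls gensec_subcontext_start() again, overwrites spnego_state->sub_sec_security and nt_status, and the result of processing the optimistic token is discarded; a later candidate whose start fails even clears sub_sec_security and trips the new NT_STATUS_INVALID_PARAMETER check, so the last supported mech wins rather than the first. Between the inner loop's closing brace and the outer loop's closing brace in the third hunk add `if (spnego_state->sub_sec_security) { break; }` so the first supported mech is kept, as the commit message intends. gensec_spnego_parse_negTokenInit() starts before this hunk and continues past it.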
@@ -437,7 +442,15 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
                                        spnego_state->sub_sec_security = NULL;
                                        break;
                                }
-                               
+
+                               if (j > 0) {
+                                       /* no optimistic token */
+                                       spnego_state->neg_oid = all_sec[i].oid;
+                                       *unwrapped_out = data_blob_null;
+                                       nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+                                       break;
+                               }
+
                                nt_status = gensec_update(spnego_state->sub_sec_security,
                                                          out_mem_ctx, 
                                                          unwrapped_in,
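Review bot: The `/* no optimistic token */` comment on the new `j > 0` branch does not say why the token in unwrapped_in is dropped; from the commit message, the reason is that the client's optimistic token was built for mechType[0], which we evidently did not support, so the branch answers with an empty token and the chosen OID. Replace it with `/* The optimistic token in unwrapped_in belongs to mechType[0], which we don't support, so drop it and ask the client to restart with all_sec[i].oid. */`. The `break` on the failure path at the top of the hunk now only leaves the inner loop, so a candidate that fails to start falls through to the client's next mech; if that is intended, say so with `/* this mech failed to start, try the client's next one */` next to that break. The enclosing function starts and ends outside this hunk.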
@@ -457,6 +470,11 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
                                break;
                        }
                }
+
+               if (!spnego_state->sub_sec_security) {
+                       DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
        }
        
        /* Having tried any optimistic token from the client (if we
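Review bot: The new `return NT_STATUS_INVALID_PARAMETER;` replaces whatever nt_status the last candidate's failure path left behind, and the level-1 message reports that no mechtype was found even when one matched but failed to start (the path in the second hunk that clears sub_sec_security and breaks). Logging what the client proposed makes such interop failures diagnosable from the server log: `DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT (first proposed: %s)\n", (mechType && mechType[0]) ? mechType[0] : "(none)"));`. The function continues past this hunk.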