spnego: add client option to omit sending an optimistic token
authorIsaac Boukris <iboukris@gmail.com>
Wed, 4 Sep 2019 13:31:21 +0000 (16:31 +0300)
committerKarolin Seeger <kseeger@samba.org>
Wed, 16 Oct 2019 12:16:21 +0000 (12:16 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
auth/gensec/spnego.c

index 0b3fbdce7acd1b44a85f1109d4e2961e0d5668e0..6bb5c8b6417d96f9d628a51891a131c7da19f2ba 100644 (file)
@@ -136,6 +136,7 @@ struct spnego_state {
        bool done_mic_check;
 
        bool simulate_w2k;
+       bool no_optimistic;
 
        /*
         * The following is used to implement
@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
 
        spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
                                                "spnego", "simulate_w2k", false);
+       spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
+                                                         "spnego",
+                                                         "client_no_optimistic",
+                                                         false);
 
        gensec_security->private_data = spnego_state;
        return NT_STATUS_OK;
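Review bot: The new `spnego:client_no_optimistic` parametric option is read in gensec_spnego_client_start with no comment saying what it changes in the exchange or who is expected to set it. Because it alters the first SPNEGO message the client sends, a one-line comment above the call would help anyone auditing authentication settings, e.g. `/* spnego:client_no_optimistic=yes: initial negTokenInit carries no mechToken (default: send one) */`. The option is named `client_no_optimistic` while the field added to struct spnego_state in the first hunk is `no_optimistic`; using one name for both would make the setting easier to trace. The function body starts outside the hunk.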
@@ -1923,6 +1928,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
                 * blob and NT_STATUS_OK.
                 */
                state->sub.status = NT_STATUS_OK;
+       } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
+                  spnego_state->no_optimistic) {
+               /*
+                * Skip optimistic token per conf.
+                */
+               state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
        } else {
                /*
                 * MORE_PROCESSING_REQUIRED =>
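Review bot: The comment in the new `else if` branch says only "Skip optimistic token per conf.", while the branch just above it spells out the blob and status it produces. It should name the option and the resulting state, e.g. `/* spnego:client_no_optimistic: do not run the sub-mechanism yet; empty blob and NT_STATUS_MORE_PROCESSING_REQUIRED */`. The branch sets only `state->sub.status`, so it appears to rely on `state->sub.out` still being empty at this point. That assumption is not visible in the hunk and is worth stating in the comment or asserting. gensec_spnego_update_pre starts and ends outside the hunk.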