git.samba.org / metze / samba / wip.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8a96359)
spnego: fix server handling of no optimistic exchange
authorIsaac Boukris <iboukris@gmail.com>
Wed, 4 Sep 2019 14:04:12 +0000 (17:04 +0300)
committerAndreas Schneider <asn@cryptomilk.org>
Sat, 12 Oct 2019 15:51:42 +0000 (15:51 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184

auth/gensec/spnego.c patch | blob | history
selftest/knownfail.d/samba.tests.gensec [deleted file] patch | blob | history
selftest/knownfail.d/spnego_downgrade [deleted file] patch | blob | history
selftest/knownfail.d/spnego_no_optimistic [deleted file] patch | blob | history

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f706de30672407f209fb542014c4c4a661e55070..db8a91b6f34a8a7f7ed05861a23b73ebbd2034da 100644 (file)
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1319,6 +1319,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
                        spnego_state->mic_requested = true;
                }
 
+               if (sub_in.length == 0) {
+                       spnego_state->no_optimistic = true;
+               }
+
                /*
                 * Note that 'cur_sec' is temporary memory, but
                 * cur_sec->oid points to a const string in the
@@ -1953,6 +1957,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
                 * Skip optimistic token per conf.
                 */
                state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+       } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
+                  state->sub.in.length == 0 && spnego_state->no_optimistic) {
+               /*
+                * If we didn't like the mechanism for which the client sent us
+                * an optimistic token, or if he didn't send any, don't call
+                * the sub mechanism just yet.
+                */
+               state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+               spnego_state->no_optimistic = false;
        } else {
                /*
                 * MORE_PROCESSING_REQUIRED =>
diff --git a/selftest/knownfail.d/samba.tests.gensec b/selftest/knownfail.d/samba.tests.gensec
deleted file mode 100644 (file)
index afc9eba..0000000
--- a/selftest/knownfail.d/samba.tests.gensec
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.tests.gensec.samba.tests.gensec.GensecTests.test_update_no_optimistic_spnego
-^samba.tests.gensec.samba.tests.gensec.GensecTests.test_update_spnego_downgrade
diff --git a/selftest/knownfail.d/spnego_downgrade b/selftest/knownfail.d/spnego_downgrade
deleted file mode 100644 (file)
index 494a55f..0000000
--- a/selftest/knownfail.d/spnego_downgrade
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.blackbox.smbd_no_krb5.test_spnego_downgrade
diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
deleted file mode 100644 (file)
index 54f5144..0000000
--- a/selftest/knownfail.d/spnego_no_optimistic
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.smb.spnego.*.no_optimistic
Work in progress branches