spnego: add client option to omit sending an optimistic token
authorIsaac Boukris <iboukris@gmail.com>
Wed, 4 Sep 2019 13:31:21 +0000 (16:31 +0300)
committerAndreas Schneider <asn@cryptomilk.org>
Sat, 12 Oct 2019 14:33:33 +0000 (14:33 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
auth/gensec/spnego.c

index c4b7efbed76aa5fae07935e29c5d758e10540e7d..f706de30672407f209fb542014c4c4a661e55070 100644 (file)
@@ -136,6 +136,7 @@ struct spnego_state {
        bool done_mic_check;
 
        bool simulate_w2k;
+       bool no_optimistic;
 
        /*
         * The following is used to implement
@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
 
        spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
                                                "spnego", "simulate_w2k", false);
+       spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
+                                                         "spnego",
+                                                         "client_no_optimistic",
+                                                         false);
 
        gensec_security->private_data = spnego_state;
        return NT_STATUS_OK;
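Review bot: The `client_no_optimistic` lookup added in `gensec_spnego_client_start` has no comment saying what the option is for or that it changes what the client sends in its first SPNEGO message. A short comment above the `gensec_setting_bool` call would help the next reader, for example `/* spnego:client_no_optimistic: send the initial NegTokenInit without an optimistic mechToken; default off */`. The `no_optimistic` member added to `struct spnego_state` in the previous hunk would benefit from the same one-line explanation. No documentation or test change is visible on this page, so it is worth confirming that the option is covered by both. The function body starts outside this hunk.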
@@ -1942,6 +1947,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
                 * blob and NT_STATUS_OK.
                 */
                state->sub.status = NT_STATUS_OK;
+       } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
+                  spnego_state->no_optimistic) {
+               /*
+                * Skip optimistic token per conf.
+                */
+               state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
        } else {
                /*
                 * MORE_PROCESSING_REQUIRED =>
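Review bot: The comment `Skip optimistic token per conf.` in the new `else if` branch does not explain why `NT_STATUS_MORE_PROCESSING_REQUIRED` is assigned without running the sub-mechanism. Something like `/* client_no_optimistic: do not run the sub-mechanism for the first leg; report MORE_PROCESSING_REQUIRED so the initial token carries the mechanism list only */` would make the intent explicit. The branch sets only `state->sub.status`, and the hunk does not show whether `state->sub.out` is guaranteed to be empty at this point, so that is worth confirming in the part of `gensec_spnego_update_pre` outside the hunk. Without an optimistic token, the mechanism used presumably depends on the server's reply. Reviewers should therefore also check that the existing mechListMIC handling still applies on this path.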