[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Wed Jul 5 04:44:02 UTC 2017
The branch, master has been updated
via 79faf30 auth/spnego: pass spnego_in to gensec_spnego_parse_negTokenInit()
via f266b35 auth/spnego: remove useless indentation level for SPNEGO_SERVER_START
via 1dfad27 auth/spnego: move SERVER gensec_spnego_create_negTokenInit() handling to the top
via c0b2f85 auth/spnego: set spnego_state->{state_position,expected_packet} gensec_spnego_create_negTokenInit()
via b337d26 auth/spnego: don't pass 'in' to gensec_spnego_create_negTokenInit()
via 9d7a01d auth/spnego: add a struct spnego_negTokenTarg *ta variable to make some lines shorter
via 7ba307a auth/spnego: use a helper variable for spnego.negTokenInit.targetPrincipal
via a15953a auth/spnego: rename gensec_spnego_server_negTokenTarg() into gensec_spnego_server_response()
from 31019d3 python: tests: Add test for tdb_copy function from tdb_util module.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 79faf30151297c2c0557d7707207589d49c81cfb
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Dec 30 16:06:49 2016 +0100
auth/spnego: pass spnego_in to gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Jul 5 06:43:17 CEST 2017 on sn-devel-144
commit f266b3550130b2c9dfd8fe3822c2ed4dd74e3826
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 23:56:47 2017 +0200
auth/spnego: remove useless indentation level for SPNEGO_SERVER_START
Check with git show -w
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1dfad27c16d6e5ca5dd5fba9f1a513a5b477713c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Jun 13 23:55:00 2017 +0200
auth/spnego: move SERVER gensec_spnego_create_negTokenInit() handling to the top
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit c0b2f85da2dcceaeb156262a68a7e37fce5a6951
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Jun 29 16:55:09 2017 +0200
auth/spnego: set spnego_state->{state_position,expected_packet} gensec_spnego_create_negTokenInit()
We should only do the state change in a defined place
and not with any error gensec_spnego_create_negTokenInit() might return.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit b337d2661707ea763064c138c27a00c85ea6c241
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 14 02:46:29 2017 +0200
auth/spnego: don't pass 'in' to gensec_spnego_create_negTokenInit()
It's always en empty blob.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 9d7a01dea9396f0ddf8558a86d5d6eb6bd6163b1
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 14 03:36:22 2017 +0200
auth/spnego: add a struct spnego_negTokenTarg *ta variable to make some lines shorter
This makes future modifications easier to review.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 7ba307a4c884c149cc7ec1c6910d363b2b1f44be
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Jun 14 03:33:21 2017 +0200
auth/spnego: use a helper variable for spnego.negTokenInit.targetPrincipal
This makes the lines a bit shorter and the future diff easier to review.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit a15953ae5f9a09d51e1ba49cd8d1b543f04a2a78
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Jun 30 11:00:12 2017 +0200
auth/spnego: rename gensec_spnego_server_negTokenTarg() into gensec_spnego_server_response()
gensec_spnego_server_negTokenTarg() will reappear as function that
handles the whole negTokenTarg processing.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/spnego.c | 190 ++++++++++++++++++++++++++++-----------------------
1 file changed, 103 insertions(+), 87 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 964f44f..6168c93 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -212,15 +212,24 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
- const char * const *mechType,
- const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out)
+ struct spnego_data *spnego_in,
+ DATA_BLOB *unwrapped_out)
{
int i;
NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
+ const char * const *mechType = NULL;
+ DATA_BLOB unwrapped_in = data_blob_null;
bool ok;
+ const struct gensec_security_ops_wrapper *all_sec = NULL;
- const struct gensec_security_ops_wrapper *all_sec
- = gensec_security_by_oid_list(gensec_security,
+ if (spnego_in->type != SPNEGO_NEG_TOKEN_INIT) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ mechType = spnego_in->negTokenInit.mechTypes;
+ unwrapped_in = spnego_in->negTokenInit.mechToken;
+
+ all_sec = gensec_security_by_oid_list(gensec_security,
out_mem_ctx,
mechType,
GENSEC_OID_SPNEGO);
@@ -310,6 +319,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
/* Having tried any optimistic token from the client (if we
* were the server), if we didn't get anywhere, walk our list
* in our preference order */
+ unwrapped_in = data_blob_null;
if (!spnego_state->sub_sec_security) {
for (i=0; all_sec && all_sec[i].op; i++) {
@@ -336,7 +346,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx,
ev,
- data_blob_null,
+ unwrapped_in,
unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->sub_sec_ready = true;
@@ -438,7 +448,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
struct spnego_state *spnego_state,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
+ DATA_BLOB *out)
{
int i;
NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
@@ -555,6 +565,14 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
/* set next state */
spnego_state->neg_oid = all_sec[i].oid;
+ if (spnego_state->state_position == SPNEGO_SERVER_START) {
+ spnego_state->state_position = SPNEGO_SERVER_START;
+ spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
+ } else {
+ spnego_state->state_position = SPNEGO_CLIENT_TARG;
+ spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
+ }
+
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
gensec_spnego_update_sub_abort(spnego_state);
@@ -569,12 +587,12 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
* This is the case, where the client is the first one who sends data
*/
-static NTSTATUS gensec_spnego_server_negTokenTarg(struct spnego_state *spnego_state,
- TALLOC_CTX *out_mem_ctx,
- NTSTATUS nt_status,
- const DATA_BLOB unwrapped_out,
- DATA_BLOB mech_list_mic,
- DATA_BLOB *out)
+static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
+ TALLOC_CTX *out_mem_ctx,
+ NTSTATUS nt_status,
+ const DATA_BLOB unwrapped_out,
+ DATA_BLOB mech_list_mic,
+ DATA_BLOB *out)
{
struct spnego_data spnego_out;
@@ -641,14 +659,14 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
const char *my_mechs[] = {NULL, NULL};
NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
bool ok;
+ const char *tp = NULL;
if (!in.length) {
/* client to produce negTokenInit */
- nt_status = gensec_spnego_create_negTokenInit(gensec_security, spnego_state,
- out_mem_ctx, ev, in, out);
- spnego_state->state_position = SPNEGO_CLIENT_TARG;
- spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
- return nt_status;
+ return gensec_spnego_create_negTokenInit(gensec_security,
+ spnego_state,
+ out_mem_ctx,
+ ev, out);
}
len = spnego_read_data(gensec_security, in, &spnego);
@@ -668,11 +686,11 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
return NT_STATUS_INVALID_PARAMETER;
}
- if (spnego.negTokenInit.targetPrincipal
- && strcmp(spnego.negTokenInit.targetPrincipal, ADS_IGNORE_PRINCIPAL) != 0) {
- DEBUG(5, ("Server claims it's principal name is %s\n", spnego.negTokenInit.targetPrincipal));
+ tp = spnego.negTokenInit.targetPrincipal;
+ if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
+ DEBUG(5, ("Server claims it's principal name is %s\n", tp));
if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
- gensec_set_target_principal(gensec_security, spnego.negTokenInit.targetPrincipal);
+ gensec_set_target_principal(gensec_security, tp);
}
}
@@ -680,8 +698,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state,
out_mem_ctx,
ev,
- spnego.negTokenInit.mechTypes,
- spnego.negTokenInit.mechToken,
+ &spnego,
&unwrapped_out);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
@@ -722,6 +739,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
case SPNEGO_CLIENT_TARG:
{
NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
+ const struct spnego_negTokenTarg *ta = NULL;
if (!in.length) {
return NT_STATUS_INVALID_PARAMETER;
@@ -743,11 +761,11 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
+ ta = &spnego.negTokenTarg;
spnego_state->num_targs++;
- if (spnego.negTokenTarg.negResult == SPNEGO_REJECT) {
- spnego_free_data(&spnego);
+ if (ta->negResult == SPNEGO_REJECT) {
return NT_STATUS_LOGON_FAILURE;
}
@@ -756,13 +774,13 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
/* Server didn't like our choice of mech, and chose something else */
- if (((spnego.negTokenTarg.negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
- (spnego.negTokenTarg.negResult == SPNEGO_REQUEST_MIC)) &&
- spnego.negTokenTarg.supportedMech &&
- strcmp(spnego.negTokenTarg.supportedMech, spnego_state->neg_oid) != 0) {
+ if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
+ (ta->negResult == SPNEGO_REQUEST_MIC)) &&
+ ta->supportedMech != NULL&&
+ strcmp(ta->supportedMech, spnego_state->neg_oid) != 0) {
DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
- gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
+ gensec_get_name_by_oid(gensec_security, ta->supportedMech)));
spnego_state->downgraded = true;
gensec_spnego_update_sub_abort(spnego_state);
nt_status = gensec_subcontext_start(spnego_state,
@@ -774,14 +792,14 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
/* select the sub context */
nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
- spnego.negTokenTarg.supportedMech);
+ ta->supportedMech);
if (!NT_STATUS_IS_OK(nt_status)) {
spnego_free_data(&spnego);
return nt_status;
}
spnego_state->neg_oid = talloc_strdup(spnego_state,
- spnego.negTokenTarg.supportedMech);
+ ta->supportedMech);
if (spnego_state->neg_oid == NULL) {
spnego_free_data(&spnego);
return NT_STATUS_NO_MEMORY;
@@ -1031,7 +1049,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
/* all done - server has accepted, and we agree */
*out = data_blob_null;
- if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
+ if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
/* unless of course it did not accept */
DEBUG(1,("gensec_update ok but not accepted\n"));
nt_status = NT_STATUS_INVALID_PARAMETER;
@@ -1068,61 +1086,59 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
case SPNEGO_SERVER_START:
{
NTSTATUS nt_status;
- if (in.length) {
- len = spnego_read_data(gensec_security, in, &spnego);
- if (len == -1) {
- return gensec_spnego_server_try_fallback(gensec_security, spnego_state,
- ev, out_mem_ctx, in, out);
- }
- /* client sent NegTargetInit, we send NegTokenTarg */
+ if (in.length == 0) {
+ return gensec_spnego_create_negTokenInit(gensec_security,
+ spnego_state,
+ out_mem_ctx,
+ ev, out);
+ }
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
+ len = spnego_read_data(gensec_security, in, &spnego);
+ if (len == -1) {
+ return gensec_spnego_server_try_fallback(gensec_security, spnego_state,
+ ev, out_mem_ctx, in, out);
+ }
+ /* client sent NegTargetInit, we send NegTokenTarg */
- nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev,
- spnego.negTokenInit.mechTypes,
- spnego.negTokenInit.mechToken,
- &unwrapped_out);
+ /* OK, so it's real SPNEGO, check the packet's the one we expect */
+ if (spnego.type != spnego_state->expected_packet) {
+ DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
+ spnego_state->expected_packet));
+ dump_data(1, in.data, in.length);
+ spnego_free_data(&spnego);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- if (spnego_state->simulate_w2k) {
- /*
- * Windows 2000 returns the unwrapped token
- * also in the mech_list_mic field.
- *
- * In order to verify our client code,
- * we need a way to have a server with this
- * broken behaviour
- */
- mech_list_mic = unwrapped_out;
- }
+ nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
+ spnego_state,
+ out_mem_ctx,
+ ev,
+ &spnego,
+ &unwrapped_out);
- nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
- out_mem_ctx,
- nt_status,
- unwrapped_out,
- mech_list_mic,
- out);
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = unwrapped_out;
+ }
- spnego_free_data(&spnego);
+ nt_status = gensec_spnego_server_response(spnego_state,
+ out_mem_ctx,
+ nt_status,
+ unwrapped_out,
+ mech_list_mic,
+ out);
- return nt_status;
- } else {
- nt_status = gensec_spnego_create_negTokenInit(gensec_security, spnego_state,
- out_mem_ctx, ev, in, out);
- spnego_state->state_position = SPNEGO_SERVER_START;
- spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
- return nt_status;
- }
+ spnego_free_data(&spnego);
+
+ return nt_status;
}
case SPNEGO_SERVER_TARG:
@@ -1248,12 +1264,12 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
}
server_response:
- nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
- out_mem_ctx,
- nt_status,
- unwrapped_out,
- mech_list_mic,
- out);
+ nt_status = gensec_spnego_server_response(spnego_state,
+ out_mem_ctx,
+ nt_status,
+ unwrapped_out,
+ mech_list_mic,
+ out);
spnego_free_data(&spnego);
--
Samba Shared Repository
More information about the samba-cvs
mailing list