[Patches] The way to remove gensec_update_ev()
Stefan Metzmacher
metze at samba.org
Mon Jul 10 07:20:23 UTC 2017
Hi,
here's the next chunk ready for master.
Please review and push:-)
Thanks!
metze
-------------- next part --------------
From 9c8f6966fe213100b838ce61ef954ae1022ba67d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 14 Jun 2017 03:39:02 +0200
Subject: [PATCH 01/29] auth/spnego: move gensec_update_ev() out of
gensec_spnego_server_try_fallback()
This makes it easier to handle SPNEGO_FALLBACK code path completely async
from the first packet in future.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 6168c93..4dc215e 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -140,14 +140,13 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
- struct tevent_context *ev,
- TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB in, DATA_BLOB *out)
+ TALLOC_CTX *mem_ctx,
+ const DATA_BLOB in)
{
int i,j;
const struct gensec_security_ops **all_ops;
- all_ops = gensec_security_mechs(gensec_security, out_mem_ctx);
+ all_ops = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; all_ops && all_ops[i]; i++) {
bool is_spnego;
@@ -195,9 +194,8 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev, in, out);
- return nt_status;
+
+ return NT_STATUS_OK;
}
DEBUG(1, ("Failed to parse SPNEGO request\n"));
return NT_STATUS_INVALID_PARAMETER;
@@ -1096,8 +1094,17 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
len = spnego_read_data(gensec_security, in, &spnego);
if (len == -1) {
- return gensec_spnego_server_try_fallback(gensec_security, spnego_state,
- ev, out_mem_ctx, in, out);
+ nt_status = gensec_spnego_server_try_fallback(gensec_security,
+ spnego_state,
+ out_mem_ctx,
+ in);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ return gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx, ev,
+ in, out);
}
/* client sent NegTargetInit, we send NegTokenTarg */
--
1.9.1
From 0dadfd8f96351edb86912628131a2c6c9f63f315 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 30 Dec 2016 12:59:01 +0100
Subject: [PATCH 02/29] auth/spnego: skip gensec_update_ev() if sub_sec_ready
is already true in gensec_spnego_update_server()
This matches the flow already used in the client case.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 4dc215e..f8f6c4b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1206,15 +1206,19 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
goto server_response;
}
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- spnego.negTokenTarg.responseToken,
- &unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (!NT_STATUS_IS_OK(nt_status)) {
- goto server_response;
+ if (!spnego_state->sub_sec_ready) {
+ nt_status = gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx, ev,
+ spnego.negTokenTarg.responseToken,
+ &unwrapped_out);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ goto server_response;
+ }
+ } else {
+ nt_status = NT_STATUS_OK;
}
have_sign = gensec_have_feature(spnego_state->sub_sec_security,
--
1.9.1
From ea183aea287043c23cc4468a0964d50b725b532d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 5 Jul 2017 09:59:16 +0200
Subject: [PATCH 03/29] auth/spnego: introduce a 'spnego_in' helper variable in
gensec_spnego_update_client()
In the following commits we'll pass that in from the caller
and this preparation will reduce the diff for the following patch.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 37 ++++++++++++++++++++-----------------
1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f8f6c4b..f47ab76 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -643,6 +643,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
DATA_BLOB unwrapped_out = data_blob_null;
struct spnego_data spnego_out;
struct spnego_data spnego;
+ struct spnego_data *spnego_in = NULL;
ssize_t len;
*out = data_blob_null;
@@ -683,8 +684,9 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
+ spnego_in = &spnego;
- tp = spnego.negTokenInit.targetPrincipal;
+ tp = spnego_in->negTokenInit.targetPrincipal;
if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
DEBUG(5, ("Server claims it's principal name is %s\n", tp));
if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
@@ -696,7 +698,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state,
out_mem_ctx,
ev,
- &spnego,
+ spnego_in,
&unwrapped_out);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
@@ -759,7 +761,8 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
- ta = &spnego.negTokenTarg;
+ spnego_in = &spnego;
+ ta = &spnego_in->negTokenTarg;
spnego_state->num_targs++;
@@ -767,7 +770,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
return NT_STATUS_LOGON_FAILURE;
}
- if (spnego.negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
+ if (spnego_in->negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
spnego_state->mic_requested = true;
}
@@ -804,9 +807,9 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
};
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
- DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
- const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ DATA_BLOB *m = &spnego_in->negTokenTarg.mechListMIC;
+ const DATA_BLOB *r = &spnego_in->negTokenTarg.responseToken;
/*
* Windows 2000 has a bug, it repeats the
@@ -822,20 +825,20 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->sub_sec_ready) {
spnego_state->needs_mic_check = true;
}
}
if (spnego_state->needs_mic_check) {
- if (spnego.negTokenTarg.responseToken.length != 0) {
+ if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
- if (spnego.negTokenTarg.mechListMIC.length == 0
+ if (spnego_in->negTokenTarg.mechListMIC.length == 0
&& spnego_state->may_skip_mic_check) {
/*
* In this case we don't require
@@ -857,7 +860,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
+ &spnego_in->negTokenTarg.mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
@@ -872,7 +875,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!spnego_state->sub_sec_ready) {
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
- spnego.negTokenTarg.responseToken,
+ spnego_in->negTokenTarg.responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->sub_sec_ready = true;
@@ -896,7 +899,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
- switch (spnego.negTokenTarg.negResult) {
+ switch (spnego_in->negTokenTarg.negResult) {
case SPNEGO_ACCEPT_COMPLETED:
case SPNEGO_NONE_RESULT:
if (spnego_state->num_targs == 1) {
@@ -910,7 +913,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
break;
case SPNEGO_ACCEPT_INCOMPLETE:
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
break;
}
@@ -957,7 +960,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
break;
case SPNEGO_REQUEST_MIC:
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
break;
@@ -977,13 +980,13 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
+ &spnego_in->negTokenTarg.mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
--
1.9.1
From 72d91781c52da8daf065704d6bf29ee16bd9cf01 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 5 Jul 2017 09:59:16 +0200
Subject: [PATCH 04/29] auth/spnego: introduce a 'spnego_in' helper variable in
gensec_spnego_update_client()
In the following commits we'll pass that in from the caller
and this preparation will reduce the diff for the following patch.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f47ab76..3d8dd25 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1079,6 +1079,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
DATA_BLOB mech_list_mic = data_blob_null;
DATA_BLOB unwrapped_out = data_blob_null;
struct spnego_data spnego;
+ struct spnego_data *spnego_in = NULL;
ssize_t len;
/* and switch into the state machine */
@@ -1119,12 +1120,13 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
+ spnego_in = &spnego;
nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
ev,
- &spnego,
+ spnego_in,
&unwrapped_out);
if (spnego_state->simulate_w2k) {
@@ -1177,6 +1179,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
+ spnego_in = &spnego;
spnego_state->num_targs++;
@@ -1187,7 +1190,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
}
if (spnego_state->needs_mic_check) {
- if (spnego.negTokenTarg.responseToken.length != 0) {
+ if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
@@ -1198,7 +1201,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
+ &spnego_in->negTokenTarg.mechListMIC);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
@@ -1212,7 +1215,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
if (!spnego_state->sub_sec_ready) {
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
- spnego.negTokenTarg.responseToken,
+ spnego_in->negTokenTarg.responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->sub_sec_ready = true;
@@ -1231,7 +1234,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
}
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
@@ -1240,13 +1243,13 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_state->needs_mic_sign = true;
}
- if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego_in->negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
+ &spnego_in->negTokenTarg.mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
--
1.9.1
From c9621aaac700b2a6516a22f083c67c1f166f9e49 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 14 Jun 2017 03:39:02 +0200
Subject: [PATCH 05/29] auth/spnego: do parse the incoming blob already in
gensec_spnego_update_send()
It's easier to have this in one central place.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 199 +++++++++++++++++++++------------------------------
1 file changed, 80 insertions(+), 119 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 3d8dd25..d3b9096 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -636,15 +636,13 @@ static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
+ struct spnego_data *spnego_in,
+ DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
DATA_BLOB mech_list_mic = data_blob_null;
DATA_BLOB unwrapped_out = data_blob_null;
struct spnego_data spnego_out;
- struct spnego_data spnego;
- struct spnego_data *spnego_in = NULL;
- ssize_t len;
*out = data_blob_null;
@@ -660,7 +658,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
bool ok;
const char *tp = NULL;
- if (!in.length) {
+ if (spnego_in == NULL) {
/* client to produce negTokenInit */
return gensec_spnego_create_negTokenInit(gensec_security,
spnego_state,
@@ -668,24 +666,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
ev, out);
}
- len = spnego_read_data(gensec_security, in, &spnego);
-
- if (len == -1) {
- DEBUG(1, ("Invalid SPNEGO request:\n"));
- dump_data(1, in.data, in.length);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
- spnego_in = &spnego;
-
tp = spnego_in->negTokenInit.targetPrincipal;
if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
DEBUG(5, ("Server claims it's principal name is %s\n", tp));
@@ -702,7 +682,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
&unwrapped_out);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
- spnego_free_data(&spnego);
return nt_status;
}
@@ -732,37 +711,14 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
- spnego_free_data(&spnego);
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
case SPNEGO_CLIENT_TARG:
{
NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
- const struct spnego_negTokenTarg *ta = NULL;
-
- if (!in.length) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- len = spnego_read_data(gensec_security, in, &spnego);
-
- if (len == -1) {
- DEBUG(1, ("Invalid SPNEGO request:\n"));
- dump_data(1, in.data, in.length);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
- spnego_in = &spnego;
- ta = &spnego_in->negTokenTarg;
+ const struct spnego_negTokenTarg *ta =
+ &spnego_in->negTokenTarg;
spnego_state->num_targs++;
@@ -788,21 +744,18 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
- spnego_free_data(&spnego);
return nt_status;
}
/* select the sub context */
nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
ta->supportedMech);
if (!NT_STATUS_IS_OK(nt_status)) {
- spnego_free_data(&spnego);
return nt_status;
}
spnego_state->neg_oid = talloc_strdup(spnego_state,
ta->supportedMech);
if (spnego_state->neg_oid == NULL) {
- spnego_free_data(&spnego);
return NT_STATUS_NO_MEMORY;
};
}
@@ -834,7 +787,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (spnego_state->needs_mic_check) {
if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
@@ -864,7 +816,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
- spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_check = false;
@@ -990,7 +941,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
- spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_check = false;
@@ -1008,7 +958,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
nt_errstr(nt_status)));
- spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_sign = false;
@@ -1019,8 +968,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
client_response:
- spnego_free_data(&spnego);
-
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
&& !NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
@@ -1073,14 +1020,12 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
+ struct spnego_data *spnego_in,
+ DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
DATA_BLOB mech_list_mic = data_blob_null;
DATA_BLOB unwrapped_out = data_blob_null;
- struct spnego_data spnego;
- struct spnego_data *spnego_in = NULL;
- ssize_t len;
/* and switch into the state machine */
@@ -1089,39 +1034,13 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
{
NTSTATUS nt_status;
- if (in.length == 0) {
+ if (spnego_in == NULL) {
return gensec_spnego_create_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
ev, out);
}
- len = spnego_read_data(gensec_security, in, &spnego);
- if (len == -1) {
- nt_status = gensec_spnego_server_try_fallback(gensec_security,
- spnego_state,
- out_mem_ctx,
- in);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- return gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- in, out);
- }
- /* client sent NegTargetInit, we send NegTokenTarg */
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
- spnego_in = &spnego;
-
nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
@@ -1148,8 +1067,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
mech_list_mic,
out);
- spnego_free_data(&spnego);
-
return nt_status;
}
@@ -1159,40 +1076,16 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
bool have_sign = true;
bool new_spnego = false;
- if (!in.length) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- len = spnego_read_data(gensec_security, in, &spnego);
-
- if (len == -1) {
- DEBUG(1, ("Invalid SPNEGO request:\n"));
- dump_data(1, in.data, in.length);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
- spnego_in = &spnego;
-
spnego_state->num_targs++;
if (!spnego_state->sub_sec_security) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego_state->needs_mic_check) {
if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
@@ -1288,8 +1181,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
mech_list_mic,
out);
- spnego_free_data(&spnego);
-
return nt_status;
}
@@ -1305,6 +1196,8 @@ struct gensec_spnego_update_state {
struct gensec_security *gensec;
struct spnego_state *spnego;
DATA_BLOB full_in;
+ struct spnego_data _spnego_in;
+ struct spnego_data *spnego_in;
NTSTATUS status;
DATA_BLOB out;
};
@@ -1348,6 +1241,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req = NULL;
struct gensec_spnego_update_state *state = NULL;
NTSTATUS status;
+ ssize_t len;
req = tevent_req_create(mem_ctx, &state,
struct gensec_spnego_update_state);
@@ -1390,6 +1284,73 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
+ /* Check if we got a valid SPNEGO blob... */
+
+ switch (spnego_state->state_position) {
+ case SPNEGO_FALLBACK:
+ break;
+
+ case SPNEGO_CLIENT_TARG:
+ case SPNEGO_SERVER_TARG:
+ if (state->full_in.length == 0) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ /* fall through */
+ case SPNEGO_CLIENT_START:
+ case SPNEGO_SERVER_START:
+
+ if (state->full_in.length == 0) {
+ /* create_negTokenInit later */
+ break;
+ }
+
+ len = spnego_read_data(state,
+ state->full_in,
+ &state->_spnego_in);
+ if (len == -1) {
+ if (spnego_state->state_position != SPNEGO_SERVER_START) {
+ DEBUG(1, ("Invalid SPNEGO request:\n"));
+ dump_data(1, state->full_in.data,
+ state->full_in.length);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ status = gensec_spnego_server_try_fallback(gensec_security,
+ spnego_state,
+ state,
+ state->full_in);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ /*
+ * We'll continue with SPNEGO_FALLBACK below...
+ */
+ break;
+ }
+ state->spnego_in = &state->_spnego_in;
+
+ /* OK, so it's real SPNEGO, check the packet's the one we expect */
+ if (state->spnego_in->type != spnego_state->expected_packet) {
+ DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n",
+ state->spnego_in->type,
+ spnego_state->expected_packet));
+ dump_data(1, state->full_in.data,
+ state->full_in.length);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ break;
+
+ default:
+ smb_panic(__location__);
+ return NULL;
+ }
+
/* and switch into the state machine */
switch (spnego_state->state_position) {
@@ -1404,7 +1365,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
case SPNEGO_CLIENT_TARG:
status = gensec_spnego_update_client(gensec_security,
state, ev,
- state->full_in,
+ state->spnego_in,
&spnego_state->out_frag);
break;
@@ -1412,7 +1373,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
case SPNEGO_SERVER_TARG:
status = gensec_spnego_update_server(gensec_security,
state, ev,
- state->full_in,
+ state->spnego_in,
&spnego_state->out_frag);
break;
--
1.9.1
From e0cd6f7c33808e3e5dab85c8afe437a0eb99486f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 6 Jul 2017 15:36:36 +0200
Subject: [PATCH 06/29] auth/spnego: call gensec_spnego_create_negTokenInit()
directly in gensec_spnego_update_send()
This simplifies further refactoring.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 33 ++++++++++++++++++---------------
1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index d3b9096..32bc274 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -658,14 +658,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
bool ok;
const char *tp = NULL;
- if (spnego_in == NULL) {
- /* client to produce negTokenInit */
- return gensec_spnego_create_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev, out);
- }
-
tp = spnego_in->negTokenInit.targetPrincipal;
if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
DEBUG(5, ("Server claims it's principal name is %s\n", tp));
@@ -1034,13 +1026,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
{
NTSTATUS nt_status;
- if (spnego_in == NULL) {
- return gensec_spnego_create_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev, out);
- }
-
nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
@@ -1362,6 +1347,15 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
break;
case SPNEGO_CLIENT_START:
+ if (state->spnego_in == NULL) {
+ /* client to produce negTokenInit */
+ status = gensec_spnego_create_negTokenInit(gensec_security,
+ spnego_state, state, ev,
+ &spnego_state->out_frag);
+ break;
+ }
+
+ /* fall through */
case SPNEGO_CLIENT_TARG:
status = gensec_spnego_update_client(gensec_security,
state, ev,
@@ -1370,6 +1364,15 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
break;
case SPNEGO_SERVER_START:
+ if (state->spnego_in == NULL) {
+ /* server to produce negTokenInit */
+ status = gensec_spnego_create_negTokenInit(gensec_security,
+ spnego_state, state, ev,
+ &spnego_state->out_frag);
+ break;
+ }
+
+ /* fall through */
case SPNEGO_SERVER_TARG:
status = gensec_spnego_update_server(gensec_security,
state, ev,
--
1.9.1
From dd71b80cdcfa474c2b8094ac9c53a81ab142453f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 07:53:29 +0200
Subject: [PATCH 07/29] auth/spnego: simplify the error handling logic in
gensec_spnego_parse_negTokenInit()
We can just use GENSEC_UPDATE_IS_NTERROR() as NT_STATUS_INVALID_PARAMETER
is mapped to NT_STATUS_MORE_PROCESSING_REQUIRED in the lines above.
Check with git show -U10
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 32bc274..7eee241 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -412,9 +412,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
}
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)
- && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
- && !NT_STATUS_IS_OK(nt_status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
@@ -426,7 +424,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
return nt_status;
}
- return nt_status; /* OK, INVALID_PARAMETER ore MORE PROCESSING */
+ return nt_status; /* OK or MORE PROCESSING */
}
DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
--
1.9.1
From 3a05b68dc29894c9a20c1234b9fa53873a243a1d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 28 Jun 2017 14:53:49 +0200
Subject: [PATCH 08/29] auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in
gensec_spnego_update_send()
Check with git show -U15
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 31 ++++++++++++++-----------------
1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 7eee241..201832c 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1243,15 +1243,12 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
status = gensec_spnego_update_out(gensec_security,
state, &state->out);
- state->status = status;
- if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
- if (tevent_req_nterror(req, status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
+ state->status = status;
tevent_req_done(req);
return tevent_req_post(req, ev);
}
@@ -1383,6 +1380,11 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return tevent_req_post(req, ev);
+ }
+
if (NT_STATUS_IS_OK(status)) {
bool reset_full = true;
@@ -1390,26 +1392,21 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
reset_full);
- }
- if (!NT_STATUS_IS_OK(status) &&
- !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- tevent_req_nterror(req, status);
- return tevent_req_post(req, ev);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
}
spnego_state->out_status = status;
status = gensec_spnego_update_out(gensec_security,
state, &state->out);
- state->status = status;
- if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
- if (tevent_req_nterror(req, status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
+ state->status = status;
tevent_req_done(req);
return tevent_req_post(req, ev);
}
--
1.9.1
From 156b53c383012d06f2212c85bdd59fb9f894d120 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 07:58:51 +0200
Subject: [PATCH 09/29] auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in
gensec_spnego_create_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 201832c..cbe9b26 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -489,8 +489,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
spnego_state->sub_sec_ready = true;
}
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
- && !NT_STATUS_IS_OK(nt_status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
const char *next = NULL;
const char *principal = NULL;
int dbg_level = DBGLVL_WARNING;
--
1.9.1
From 9bf92f3073f79ea23d63d612cd87c500a64ebb66 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 08:00:00 +0200
Subject: [PATCH 10/29] auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in
gensec_spnego_update_client()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index cbe9b26..1c42360 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -670,7 +670,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_in,
&unwrapped_out);
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
return nt_status;
}
@@ -957,8 +957,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
client_response:
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
- && !NT_STATUS_IS_OK(nt_status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
--
1.9.1
From 12717ae56d15fcdafcc48583580e57db6290ed3e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 08:11:32 +0200
Subject: [PATCH 11/29] auth/spnego: split out a
gensec_spnego_client_negTokenInit() function.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 123 ++++++++++++++++++++++++++++-----------------------
1 file changed, 68 insertions(+), 55 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1c42360..1823d73 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -576,6 +576,70 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
return nt_status;
}
+static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct tevent_context *ev,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ DATA_BLOB sub_out = data_blob_null;
+ const char *tp = NULL;
+ struct spnego_data spnego_out;
+ const char *my_mechs[] = {NULL, NULL};
+ NTSTATUS status;
+ bool ok;
+
+ *out = data_blob_null;
+
+ /* The server offers a list of mechanisms */
+
+ tp = spnego_in->negTokenInit.targetPrincipal;
+ if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
+ DBG_INFO("Server claims it's principal name is %s\n", tp);
+ if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
+ gensec_set_target_principal(gensec_security, tp);
+ }
+ }
+
+ status = gensec_spnego_parse_negTokenInit(gensec_security,
+ spnego_state,
+ out_mem_ctx,
+ ev,
+ spnego_in,
+ &sub_out);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ return status;
+ }
+
+ my_mechs[0] = spnego_state->neg_oid;
+ /* compose reply */
+ spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
+ spnego_out.negTokenInit.mechTypes = my_mechs;
+ spnego_out.negTokenInit.reqFlags = data_blob_null;
+ spnego_out.negTokenInit.reqFlagsPadding = 0;
+ spnego_out.negTokenInit.mechListMIC = data_blob_null;
+ spnego_out.negTokenInit.mechToken = sub_out;
+
+ if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+ DBG_ERR("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ok = spnego_write_mech_types(spnego_state,
+ my_mechs,
+ &spnego_state->mech_types);
+ if (!ok) {
+ DBG_ERR("failed to write mechTypes\n");
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* set next state */
+ spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
+ spnego_state->state_position = SPNEGO_CLIENT_TARG;
+
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+}
/** create a server negTokenTarg
*
@@ -647,61 +711,10 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
switch (spnego_state->state_position) {
case SPNEGO_CLIENT_START:
- {
- /* The server offers a list of mechanisms */
-
- const char *my_mechs[] = {NULL, NULL};
- NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
- bool ok;
- const char *tp = NULL;
-
- tp = spnego_in->negTokenInit.targetPrincipal;
- if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
- DEBUG(5, ("Server claims it's principal name is %s\n", tp));
- if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
- gensec_set_target_principal(gensec_security, tp);
- }
- }
-
- nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev,
- spnego_in,
- &unwrapped_out);
-
- if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
- return nt_status;
- }
-
- my_mechs[0] = spnego_state->neg_oid;
- /* compose reply */
- spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
- spnego_out.negTokenInit.mechTypes = my_mechs;
- spnego_out.negTokenInit.reqFlags = data_blob_null;
- spnego_out.negTokenInit.reqFlagsPadding = 0;
- spnego_out.negTokenInit.mechListMIC = data_blob_null;
- spnego_out.negTokenInit.mechToken = unwrapped_out;
-
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- ok = spnego_write_mech_types(spnego_state,
- my_mechs,
- &spnego_state->mech_types);
- if (!ok) {
- DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- /* set next state */
- spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
- spnego_state->state_position = SPNEGO_CLIENT_TARG;
-
- return NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
+ return gensec_spnego_client_negTokenInit(gensec_security,
+ spnego_state,
+ ev, spnego_in,
+ out_mem_ctx, out);
case SPNEGO_CLIENT_TARG:
{
--
1.9.1
From 6b66c20de153c8999ab3e7650d672e71f07b8f9b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 08:30:24 +0200
Subject: [PATCH 12/29] auth/spnego: split out a
gensec_spnego_server_negTokenInit() function.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 73 ++++++++++++++++++++++++++++++----------------------
1 file changed, 42 insertions(+), 31 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1823d73..1335ee0 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -694,6 +694,44 @@ static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
return nt_status;
}
+static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct tevent_context *ev,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ DATA_BLOB sub_out = data_blob_null;
+ DATA_BLOB mech_list_mic = data_blob_null;
+ NTSTATUS status;
+
+ status = gensec_spnego_parse_negTokenInit(gensec_security,
+ spnego_state,
+ out_mem_ctx,
+ ev,
+ spnego_in,
+ &sub_out);
+
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = sub_out;
+ }
+
+ return gensec_spnego_server_response(spnego_state,
+ out_mem_ctx,
+ status,
+ sub_out,
+ mech_list_mic,
+ out);
+}
+
static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
@@ -1032,37 +1070,10 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
switch (spnego_state->state_position) {
case SPNEGO_SERVER_START:
- {
- NTSTATUS nt_status;
-
- nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev,
- spnego_in,
- &unwrapped_out);
-
- if (spnego_state->simulate_w2k) {
- /*
- * Windows 2000 returns the unwrapped token
- * also in the mech_list_mic field.
- *
- * In order to verify our client code,
- * we need a way to have a server with this
- * broken behaviour
- */
- mech_list_mic = unwrapped_out;
- }
-
- nt_status = gensec_spnego_server_response(spnego_state,
- out_mem_ctx,
- nt_status,
- unwrapped_out,
- mech_list_mic,
- out);
-
- return nt_status;
- }
+ return gensec_spnego_server_negTokenInit(gensec_security,
+ spnego_state,
+ ev, spnego_in,
+ out_mem_ctx, out);
case SPNEGO_SERVER_TARG:
{
--
1.9.1
From a20740c92dd3e59051067d33181d7421e010b91c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 08:42:08 +0200
Subject: [PATCH 13/29] auth/spnego: make more use of the 'ta' helper variable
in gensec_spnego_update_client()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1335ee0..a1ef725 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -757,7 +757,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
case SPNEGO_CLIENT_TARG:
{
NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
- const struct spnego_negTokenTarg *ta =
+ struct spnego_negTokenTarg *ta =
&spnego_in->negTokenTarg;
spnego_state->num_targs++;
@@ -766,7 +766,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
return NT_STATUS_LOGON_FAILURE;
}
- if (spnego_in->negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
+ if (ta->negResult == SPNEGO_REQUEST_MIC) {
spnego_state->mic_requested = true;
}
@@ -800,9 +800,9 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
};
}
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
- DATA_BLOB *m = &spnego_in->negTokenTarg.mechListMIC;
- const DATA_BLOB *r = &spnego_in->negTokenTarg.responseToken;
+ if (ta->mechListMIC.length > 0) {
+ DATA_BLOB *m = &ta->mechListMIC;
+ const DATA_BLOB *r = &ta->responseToken;
/*
* Windows 2000 has a bug, it repeats the
@@ -818,19 +818,19 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
}
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
if (spnego_state->sub_sec_ready) {
spnego_state->needs_mic_check = true;
}
}
if (spnego_state->needs_mic_check) {
- if (spnego_in->negTokenTarg.responseToken.length != 0) {
+ if (ta->responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
- if (spnego_in->negTokenTarg.mechListMIC.length == 0
+ if (ta->mechListMIC.length == 0
&& spnego_state->may_skip_mic_check) {
/*
* In this case we don't require
@@ -852,7 +852,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego_in->negTokenTarg.mechListMIC);
+ &ta->mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
@@ -866,7 +866,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!spnego_state->sub_sec_ready) {
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
- spnego_in->negTokenTarg.responseToken,
+ ta->responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->sub_sec_ready = true;
@@ -890,7 +890,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
- switch (spnego_in->negTokenTarg.negResult) {
+ switch (ta->negResult) {
case SPNEGO_ACCEPT_COMPLETED:
case SPNEGO_NONE_RESULT:
if (spnego_state->num_targs == 1) {
@@ -904,7 +904,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
break;
case SPNEGO_ACCEPT_INCOMPLETE:
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
new_spnego = true;
break;
}
@@ -951,7 +951,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
break;
case SPNEGO_REQUEST_MIC:
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
new_spnego = true;
}
break;
@@ -971,13 +971,13 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
}
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego_in->negTokenTarg.mechListMIC);
+ &ta->mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
--
1.9.1
From 19ee6df41a095fe4b4e3900a22103896fe8b157c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:01:18 +0200
Subject: [PATCH 14/29] auth/spnego: split out a
gensec_spnego_client_negTokenTarg() function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 619 +++++++++++++++++++++++++++------------------------
1 file changed, 324 insertions(+), 295 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index a1ef725..5b7da05 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -641,6 +641,326 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
+static NTSTATUS gensec_spnego_client_negTokenTarg(struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct tevent_context *ev,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
+ DATA_BLOB sub_in = ta->responseToken;
+ DATA_BLOB mech_list_mic = data_blob_null;
+ DATA_BLOB sub_out = data_blob_null;
+ struct spnego_data spnego_out;
+ NTSTATUS status;
+
+ *out = data_blob_null;
+
+ spnego_state->num_targs++;
+
+ if (ta->negResult == SPNEGO_REJECT) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ if (ta->negResult == SPNEGO_REQUEST_MIC) {
+ spnego_state->mic_requested = true;
+ }
+
+ if (ta->mechListMIC.length > 0) {
+ DATA_BLOB *m = &ta->mechListMIC;
+ const DATA_BLOB *r = &ta->responseToken;
+
+ /*
+ * Windows 2000 has a bug, it repeats the
+ * responseToken in the mechListMIC field.
+ */
+ if (m->length == r->length) {
+ int cmp;
+
+ cmp = memcmp(m->data, r->data, m->length);
+ if (cmp == 0) {
+ data_blob_free(m);
+ }
+ }
+ }
+
+ /* Server didn't like our choice of mech, and chose something else */
+ if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
+ (ta->negResult == SPNEGO_REQUEST_MIC)) &&
+ ta->supportedMech != NULL &&
+ strcmp(ta->supportedMech, spnego_state->neg_oid) != 0)
+ {
+ const char *client_mech = NULL;
+ const char *client_oid = NULL;
+ const char *server_mech = NULL;
+ const char *server_oid = NULL;
+
+ client_mech = gensec_get_name_by_oid(gensec_security,
+ spnego_state->neg_oid);
+ client_oid = spnego_state->neg_oid;
+ server_mech = gensec_get_name_by_oid(gensec_security,
+ ta->supportedMech);
+ server_oid = ta->supportedMech;
+
+ DBG_NOTICE("client preferred mech (%s[%s]) not accepted, "
+ "server wants: %s[%s]\n",
+ client_mech, client_oid, server_mech, server_oid);
+
+ spnego_state->downgraded = true;
+ gensec_spnego_update_sub_abort(spnego_state);
+
+ status = gensec_subcontext_start(spnego_state,
+ gensec_security,
+ &spnego_state->sub_sec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /* select the sub context */
+ status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
+ ta->supportedMech);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ spnego_state->neg_oid = talloc_strdup(spnego_state,
+ ta->supportedMech);
+ if (spnego_state->neg_oid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (ta->mechListMIC.length > 0) {
+ if (spnego_state->sub_sec_ready) {
+ spnego_state->needs_mic_check = true;
+ }
+ }
+
+ if (spnego_state->needs_mic_check) {
+ if (ta->responseToken.length != 0) {
+ DBG_WARNING("non empty response token not expected\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (ta->mechListMIC.length == 0
+ && spnego_state->may_skip_mic_check) {
+ /*
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->needs_mic_check = false;
+ status = NT_STATUS_OK;
+ goto client_response;
+ }
+
+ status = gensec_check_packet(spnego_state->sub_sec_security,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &ta->mechListMIC);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to verify mechListMIC: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ spnego_state->needs_mic_check = false;
+ spnego_state->done_mic_check = true;
+ goto client_response;
+ }
+
+ if (!spnego_state->sub_sec_ready) {
+ status = gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx, ev,
+ sub_in,
+ &sub_out);
+ if (NT_STATUS_IS_OK(status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ goto client_response;
+ }
+ } else {
+ status = NT_STATUS_OK;
+ }
+
+ if (!spnego_state->done_mic_check) {
+ bool have_sign = true;
+ bool new_spnego = false;
+
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
+ new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_NEW_SPNEGO);
+
+ switch (ta->negResult) {
+ case SPNEGO_ACCEPT_COMPLETED:
+ case SPNEGO_NONE_RESULT:
+ if (spnego_state->num_targs == 1) {
+ /*
+ * the first exchange doesn't require
+ * verification
+ */
+ new_spnego = false;
+ }
+
+ break;
+
+ case SPNEGO_ACCEPT_INCOMPLETE:
+ if (ta->mechListMIC.length > 0) {
+ new_spnego = true;
+ break;
+ }
+
+ if (spnego_state->downgraded) {
+ /*
+ * A downgrade should be protected if
+ * supported
+ */
+ break;
+ }
+
+ /*
+ * The caller may just asked for
+ * GENSEC_FEATURE_SESSION_KEY, this
+ * is only reflected in the want_features.
+ *
+ * As it will imply
+ * gensec_have_features(GENSEC_FEATURE_SIGN)
+ * to return true.
+ */
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+ break;
+ }
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+ break;
+ }
+ /*
+ * Here we're sure our preferred mech was
+ * selected by the server and our caller doesn't
+ * need GENSEC_FEATURE_SIGN nor
+ * GENSEC_FEATURE_SEAL support.
+ *
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->may_skip_mic_check = true;
+ break;
+
+ case SPNEGO_REQUEST_MIC:
+ if (ta->mechListMIC.length > 0) {
+ new_spnego = true;
+ }
+ break;
+ default:
+ break;
+ }
+
+ if (spnego_state->mic_requested) {
+ if (have_sign) {
+ new_spnego = true;
+ }
+ }
+
+ if (have_sign && new_spnego) {
+ spnego_state->needs_mic_check = true;
+ spnego_state->needs_mic_sign = true;
+ }
+ }
+
+ if (ta->mechListMIC.length > 0) {
+ status = gensec_check_packet(spnego_state->sub_sec_security,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &ta->mechListMIC);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to verify mechListMIC: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ spnego_state->needs_mic_check = false;
+ spnego_state->done_mic_check = true;
+ }
+
+ if (spnego_state->needs_mic_sign) {
+ status = gensec_sign_packet(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &mech_list_mic);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to sign mechListMIC: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ spnego_state->needs_mic_sign = false;
+ }
+
+ if (spnego_state->needs_mic_check) {
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+
+ client_response:
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ DBG_WARNING("SPNEGO(%s) login failed: %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ nt_errstr(status));
+ return status;
+ }
+
+ if (sub_out.length || mech_list_mic.length) {
+ /* compose reply */
+ spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+ spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
+ spnego_out.negTokenTarg.supportedMech = NULL;
+ spnego_out.negTokenTarg.responseToken = sub_out;
+ spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
+
+ if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+ DBG_WARNING("Failed to write NEG_TOKEN_TARG\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ spnego_state->num_targs++;
+ spnego_state->state_position = SPNEGO_CLIENT_TARG;
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+
+ /* all done - server has accepted, and we agree */
+ *out = data_blob_null;
+
+ if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
+ /* unless of course it did not accept */
+ DBG_WARNING("gensec_update ok but not accepted\n");
+ status = NT_STATUS_INVALID_PARAMETER;
+ }
+
+ spnego_state->state_position = SPNEGO_DONE;
+ }
+
+ return status;
+}
+
/** create a server negTokenTarg
*
* This is the case, where the client is the first one who sends data
@@ -739,9 +1059,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
- DATA_BLOB mech_list_mic = data_blob_null;
- DATA_BLOB unwrapped_out = data_blob_null;
- struct spnego_data spnego_out;
*out = data_blob_null;
@@ -755,298 +1072,10 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
out_mem_ctx, out);
case SPNEGO_CLIENT_TARG:
- {
- NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
- struct spnego_negTokenTarg *ta =
- &spnego_in->negTokenTarg;
-
- spnego_state->num_targs++;
-
- if (ta->negResult == SPNEGO_REJECT) {
- return NT_STATUS_LOGON_FAILURE;
- }
-
- if (ta->negResult == SPNEGO_REQUEST_MIC) {
- spnego_state->mic_requested = true;
- }
-
- /* Server didn't like our choice of mech, and chose something else */
- if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
- (ta->negResult == SPNEGO_REQUEST_MIC)) &&
- ta->supportedMech != NULL&&
- strcmp(ta->supportedMech, spnego_state->neg_oid) != 0) {
- DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
- gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
- gensec_get_name_by_oid(gensec_security, ta->supportedMech)));
- spnego_state->downgraded = true;
- gensec_spnego_update_sub_abort(spnego_state);
- nt_status = gensec_subcontext_start(spnego_state,
- gensec_security,
- &spnego_state->sub_sec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
- /* select the sub context */
- nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
- ta->supportedMech);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- spnego_state->neg_oid = talloc_strdup(spnego_state,
- ta->supportedMech);
- if (spnego_state->neg_oid == NULL) {
- return NT_STATUS_NO_MEMORY;
- };
- }
-
- if (ta->mechListMIC.length > 0) {
- DATA_BLOB *m = &ta->mechListMIC;
- const DATA_BLOB *r = &ta->responseToken;
-
- /*
- * Windows 2000 has a bug, it repeats the
- * responseToken in the mechListMIC field.
- */
- if (m->length == r->length) {
- int cmp;
-
- cmp = memcmp(m->data, r->data, m->length);
- if (cmp == 0) {
- data_blob_free(m);
- }
- }
- }
-
- if (ta->mechListMIC.length > 0) {
- if (spnego_state->sub_sec_ready) {
- spnego_state->needs_mic_check = true;
- }
- }
-
- if (spnego_state->needs_mic_check) {
- if (ta->responseToken.length != 0) {
- DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (ta->mechListMIC.length == 0
- && spnego_state->may_skip_mic_check) {
- /*
- * In this case we don't require
- * a mechListMIC from the server.
- *
- * This works around bugs in the Azure
- * and Apple spnego implementations.
- *
- * See
- * https://bugzilla.samba.org/show_bug.cgi?id=11994
- */
- spnego_state->needs_mic_check = false;
- nt_status = NT_STATUS_OK;
- goto client_response;
- }
-
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &ta->mechListMIC);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- return nt_status;
- }
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- goto client_response;
- }
-
- if (!spnego_state->sub_sec_ready) {
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- ta->responseToken,
- &unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (!NT_STATUS_IS_OK(nt_status)) {
- goto client_response;
- }
- } else {
- nt_status = NT_STATUS_OK;
- }
-
- if (!spnego_state->done_mic_check) {
- bool have_sign = true;
- bool new_spnego = false;
-
- have_sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (spnego_state->simulate_w2k) {
- have_sign = false;
- }
- new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_NEW_SPNEGO);
-
- switch (ta->negResult) {
- case SPNEGO_ACCEPT_COMPLETED:
- case SPNEGO_NONE_RESULT:
- if (spnego_state->num_targs == 1) {
- /*
- * the first exchange doesn't require
- * verification
- */
- new_spnego = false;
- }
-
- break;
-
- case SPNEGO_ACCEPT_INCOMPLETE:
- if (ta->mechListMIC.length > 0) {
- new_spnego = true;
- break;
- }
-
- if (spnego_state->downgraded) {
- /*
- * A downgrade should be protected if
- * supported
- */
- break;
- }
-
- /*
- * The caller may just asked for
- * GENSEC_FEATURE_SESSION_KEY, this
- * is only reflected in the want_features.
- *
- * As it will imply
- * gensec_have_features(GENSEC_FEATURE_SIGN)
- * to return true.
- */
- if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
- break;
- }
- if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
- break;
- }
- /*
- * Here we're sure our preferred mech was
- * selected by the server and our caller doesn't
- * need GENSEC_FEATURE_SIGN nor
- * GENSEC_FEATURE_SEAL support.
- *
- * In this case we don't require
- * a mechListMIC from the server.
- *
- * This works around bugs in the Azure
- * and Apple spnego implementations.
- *
- * See
- * https://bugzilla.samba.org/show_bug.cgi?id=11994
- */
- spnego_state->may_skip_mic_check = true;
- break;
-
- case SPNEGO_REQUEST_MIC:
- if (ta->mechListMIC.length > 0) {
- new_spnego = true;
- }
- break;
- default:
- break;
- }
-
- if (spnego_state->mic_requested) {
- if (have_sign) {
- new_spnego = true;
- }
- }
-
- if (have_sign && new_spnego) {
- spnego_state->needs_mic_check = true;
- spnego_state->needs_mic_sign = true;
- }
- }
-
- if (ta->mechListMIC.length > 0) {
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &ta->mechListMIC);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- return nt_status;
- }
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- }
-
- if (spnego_state->needs_mic_sign) {
- nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
- out_mem_ctx,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &mech_list_mic);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
- nt_errstr(nt_status)));
- return nt_status;
- }
- spnego_state->needs_mic_sign = false;
- }
-
- if (spnego_state->needs_mic_check) {
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
-
- client_response:
- if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
- DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
- spnego_state->sub_sec_security->ops->name,
- nt_errstr(nt_status)));
- return nt_status;
- }
-
- if (unwrapped_out.length || mech_list_mic.length) {
- /* compose reply */
- spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
- spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
- spnego_out.negTokenTarg.supportedMech = NULL;
- spnego_out.negTokenTarg.responseToken = unwrapped_out;
- spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
-
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- spnego_state->num_targs++;
- spnego_state->state_position = SPNEGO_CLIENT_TARG;
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- } else {
-
- /* all done - server has accepted, and we agree */
- *out = data_blob_null;
-
- if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
- /* unless of course it did not accept */
- DEBUG(1,("gensec_update ok but not accepted\n"));
- nt_status = NT_STATUS_INVALID_PARAMETER;
- }
-
- spnego_state->state_position = SPNEGO_DONE;
- }
-
- return nt_status;
- }
+ return gensec_spnego_client_negTokenTarg(gensec_security,
+ spnego_state,
+ ev, spnego_in,
+ out_mem_ctx, out);
default:
break;
--
1.9.1
From 4164c42e27ebd378df561a815f72bd01cab7ae9c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:05:29 +0200
Subject: [PATCH 15/29] auth/spnego: introduce a 'struct spnego_negTokenTarg
*ta' helper variable in gensec_spnego_update_server()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 5b7da05..420eec8 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1106,6 +1106,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
case SPNEGO_SERVER_TARG:
{
+ const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
NTSTATUS nt_status;
bool have_sign = true;
bool new_spnego = false;
@@ -1118,7 +1119,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
}
if (spnego_state->needs_mic_check) {
- if (spnego_in->negTokenTarg.responseToken.length != 0) {
+ if (ta->responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -1128,7 +1129,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego_in->negTokenTarg.mechListMIC);
+ &ta->mechListMIC);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
@@ -1142,7 +1143,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
if (!spnego_state->sub_sec_ready) {
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
- spnego_in->negTokenTarg.responseToken,
+ ta->responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->sub_sec_ready = true;
@@ -1161,7 +1162,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
}
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
new_spnego = true;
}
@@ -1170,13 +1171,13 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_state->needs_mic_sign = true;
}
- if (have_sign && spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && ta->mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego_in->negTokenTarg.mechListMIC);
+ &ta->mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
--
1.9.1
From 5b20ce9b267fc35fdef304d373da92261e69b215 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:18:18 +0200
Subject: [PATCH 16/29] auth/spnego: split out a
gensec_spnego_server_negTokenTarg() function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 240 +++++++++++++++++++++++++++------------------------
1 file changed, 125 insertions(+), 115 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 420eec8..53bee09 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1052,6 +1052,127 @@ static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec
out);
}
+static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct tevent_context *ev,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
+ DATA_BLOB sub_in = ta->responseToken;
+ DATA_BLOB mech_list_mic = data_blob_null;
+ DATA_BLOB sub_out = data_blob_null;
+ NTSTATUS status;
+ bool have_sign = true;
+ bool new_spnego = false;
+
+ spnego_state->num_targs++;
+
+ if (spnego_state->sub_sec_security == NULL) {
+ DBG_ERR("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (spnego_state->needs_mic_check) {
+ if (ta->responseToken.length != 0) {
+ DBG_WARNING("non empty response token not expected\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = gensec_check_packet(spnego_state->sub_sec_security,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &ta->mechListMIC);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to verify mechListMIC: %s\n",
+ nt_errstr(status));
+ goto server_response;
+ }
+
+ spnego_state->needs_mic_check = false;
+ spnego_state->done_mic_check = true;
+ goto server_response;
+ }
+
+ if (!spnego_state->sub_sec_ready) {
+ status = gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx, ev,
+ sub_in, &sub_out);
+ if (NT_STATUS_IS_OK(status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ goto server_response;
+ }
+ } else {
+ status = NT_STATUS_OK;
+ }
+
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
+ new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_NEW_SPNEGO);
+ if (ta->mechListMIC.length > 0) {
+ new_spnego = true;
+ }
+
+ if (have_sign && new_spnego) {
+ spnego_state->needs_mic_check = true;
+ spnego_state->needs_mic_sign = true;
+ }
+
+ if (have_sign && ta->mechListMIC.length > 0) {
+ status = gensec_check_packet(spnego_state->sub_sec_security,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &ta->mechListMIC);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to verify mechListMIC: %s\n",
+ nt_errstr(status));
+ goto server_response;
+ }
+
+ spnego_state->needs_mic_check = false;
+ spnego_state->done_mic_check = true;
+ }
+
+ if (spnego_state->needs_mic_sign) {
+ status = gensec_sign_packet(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &mech_list_mic);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to sign mechListMIC: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ spnego_state->needs_mic_sign = false;
+ }
+
+ if (spnego_state->needs_mic_check) {
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+
+ server_response:
+ return gensec_spnego_server_response(spnego_state,
+ out_mem_ctx,
+ status,
+ sub_out,
+ mech_list_mic,
+ out);
+}
+
static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
@@ -1092,8 +1213,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
- DATA_BLOB mech_list_mic = data_blob_null;
- DATA_BLOB unwrapped_out = data_blob_null;
/* and switch into the state machine */
@@ -1105,119 +1224,10 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
out_mem_ctx, out);
case SPNEGO_SERVER_TARG:
- {
- const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
- NTSTATUS nt_status;
- bool have_sign = true;
- bool new_spnego = false;
-
- spnego_state->num_targs++;
-
- if (!spnego_state->sub_sec_security) {
- DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (spnego_state->needs_mic_check) {
- if (ta->responseToken.length != 0) {
- DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &ta->mechListMIC);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- } else {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- }
- goto server_response;
- }
-
- if (!spnego_state->sub_sec_ready) {
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- ta->responseToken,
- &unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (!NT_STATUS_IS_OK(nt_status)) {
- goto server_response;
- }
- } else {
- nt_status = NT_STATUS_OK;
- }
-
- have_sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (spnego_state->simulate_w2k) {
- have_sign = false;
- }
- new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_NEW_SPNEGO);
- if (ta->mechListMIC.length > 0) {
- new_spnego = true;
- }
-
- if (have_sign && new_spnego) {
- spnego_state->needs_mic_check = true;
- spnego_state->needs_mic_sign = true;
- }
-
- if (have_sign && ta->mechListMIC.length > 0) {
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &ta->mechListMIC);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- goto server_response;
- }
-
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- }
-
- if (spnego_state->needs_mic_sign) {
- nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
- out_mem_ctx,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &mech_list_mic);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
- nt_errstr(nt_status)));
- goto server_response;
- }
- spnego_state->needs_mic_sign = false;
- }
-
- if (spnego_state->needs_mic_check) {
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
-
- server_response:
- nt_status = gensec_spnego_server_response(spnego_state,
- out_mem_ctx,
- nt_status,
- unwrapped_out,
- mech_list_mic,
- out);
-
- return nt_status;
- }
+ return gensec_spnego_server_negTokenTarg(gensec_security,
+ spnego_state,
+ ev, spnego_in,
+ out_mem_ctx, out);
default:
break;
--
1.9.1
From 5bd56d0f078961ba4564d380cb5fe707672c9d39 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:22:25 +0200
Subject: [PATCH 17/29] auth/spnego: inline gensec_spnego_update_client() into
gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 48 ++++++++++--------------------------------------
1 file changed, 10 insertions(+), 38 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 53bee09..11f5692 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1173,39 +1173,6 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
out);
}
-static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
- TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- DATA_BLOB *out)
-{
- struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
-
- *out = data_blob_null;
-
- /* and switch into the state machine */
-
- switch (spnego_state->state_position) {
- case SPNEGO_CLIENT_START:
- return gensec_spnego_client_negTokenInit(gensec_security,
- spnego_state,
- ev, spnego_in,
- out_mem_ctx, out);
-
- case SPNEGO_CLIENT_TARG:
- return gensec_spnego_client_negTokenTarg(gensec_security,
- spnego_state,
- ev, spnego_in,
- out_mem_ctx, out);
-
- default:
- break;
- }
-
- smb_panic(__location__);
- return NT_STATUS_INTERNAL_ERROR;
-}
-
static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
@@ -1412,12 +1379,17 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
break;
}
- /* fall through */
+ status = gensec_spnego_client_negTokenInit(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
+ break;
+
case SPNEGO_CLIENT_TARG:
- status = gensec_spnego_update_client(gensec_security,
- state, ev,
- state->spnego_in,
- &spnego_state->out_frag);
+ status = gensec_spnego_client_negTokenTarg(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
break;
case SPNEGO_SERVER_START:
--
1.9.1
From 6a017cf347a7188678c79a5ac22ebfacad7dd611 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:22:25 +0200
Subject: [PATCH 18/29] auth/spnego: inline gensec_spnego_update_server() into
gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 46 ++++++++++------------------------------------
1 file changed, 10 insertions(+), 36 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 11f5692..80ac2492 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1173,37 +1173,6 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
out);
}
-static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
- TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- DATA_BLOB *out)
-{
- struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
-
- /* and switch into the state machine */
-
- switch (spnego_state->state_position) {
- case SPNEGO_SERVER_START:
- return gensec_spnego_server_negTokenInit(gensec_security,
- spnego_state,
- ev, spnego_in,
- out_mem_ctx, out);
-
- case SPNEGO_SERVER_TARG:
- return gensec_spnego_server_negTokenTarg(gensec_security,
- spnego_state,
- ev, spnego_in,
- out_mem_ctx, out);
-
- default:
- break;
- }
-
- smb_panic(__location__);
- return NT_STATUS_INTERNAL_ERROR;
-}
-
struct gensec_spnego_update_state {
struct gensec_security *gensec;
struct spnego_state *spnego;
@@ -1401,12 +1370,17 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
break;
}
- /* fall through */
+ status = gensec_spnego_server_negTokenInit(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
+ break;
+
case SPNEGO_SERVER_TARG:
- status = gensec_spnego_update_server(gensec_security,
- state, ev,
- state->spnego_in,
- &spnego_state->out_frag);
+ status = gensec_spnego_server_negTokenTarg(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
break;
default:
--
1.9.1
From d336c1500bea4785c65d639492ffc4ca12bf8ee1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 10:44:00 +0200
Subject: [PATCH 19/29] auth/spnego: let gensec_spnego_parse_negTokenInit()
require client provides mechs
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 80ac2492..fd25208 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -225,12 +225,19 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
}
mechType = spnego_in->negTokenInit.mechTypes;
+ if (mechType == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
unwrapped_in = spnego_in->negTokenInit.mechToken;
all_sec = gensec_security_by_oid_list(gensec_security,
out_mem_ctx,
mechType,
GENSEC_OID_SPNEGO);
+ if (all_sec == NULL) {
+ DBG_WARNING("gensec_security_by_oid_list() failed\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
ok = spnego_write_mech_types(spnego_state,
mechType,
--
1.9.1
From 2aba4c7fc01cd4d545e0dede2d04e7fa29819b9c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 10:11:43 +0200
Subject: [PATCH 20/29] auth/spnego: inline gensec_spnego_parse_negTokenInit()
client logic into gensec_spnego_client_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 128 ++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 121 insertions(+), 7 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index fd25208..90b8120 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -590,8 +590,12 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
+ TALLOC_CTX *frame = talloc_stackframe();
DATA_BLOB sub_out = data_blob_null;
const char *tp = NULL;
+ const char * const *mech_types = NULL;
+ size_t all_idx = 0;
+ const struct gensec_security_ops_wrapper *all_sec = NULL;
struct spnego_data spnego_out;
const char *my_mechs[] = {NULL, NULL};
NTSTATUS status;
@@ -609,16 +613,123 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
}
}
- status = gensec_spnego_parse_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev,
- spnego_in,
- &sub_out);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ mech_types = spnego_in->negTokenInit.mechTypes;
+ if (mech_types == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ all_sec = gensec_security_by_oid_list(gensec_security,
+ frame, mech_types,
+ GENSEC_OID_SPNEGO);
+ if (all_sec == NULL) {
+ DBG_WARNING("gensec_security_by_oid_list() failed\n");
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ for (; all_sec[all_idx].op; all_idx++) {
+ const struct gensec_security_ops_wrapper *cur_sec =
+ &all_sec[all_idx];
+ const char *next = NULL;
+ const char *principal = NULL;
+ int dbg_level = DBGLVL_WARNING;
+ bool allow_fallback = false;
+
+ status = gensec_subcontext_start(spnego_state,
+ gensec_security,
+ &spnego_state->sub_sec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ /* select the sub context */
+ status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
+ cur_sec->op);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Pretend we never started it.
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
+ continue;
+ }
+
+ spnego_state->neg_oid = cur_sec->oid;
+
+ /*
+ * As client we don't use an optimitic token from the server.
+ */
+ status = gensec_update_ev(spnego_state->sub_sec_security,
+ frame, ev, data_blob_null, &sub_out);
+ if (NT_STATUS_IS_OK(status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+
+ if (!GENSEC_UPDATE_IS_NTERROR(status)) {
+ /* OK or MORE_PROCESSING_REQUIRED */
+ goto reply;
+ }
+
+ /*
+ * it is likely that a NULL input token will
+ * not be liked by most server mechs, but if
+ * we are in the client, we want the first
+ * update packet to be able to abort the use
+ * of this mech
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
+ {
+ allow_fallback = true;
+ }
+
+ if (allow_fallback && cur_sec[1].op != NULL) {
+ next = cur_sec[1].op->name;
+ dbg_level = DBGLVL_NOTICE;
+ }
+
+ if (gensec_security->target.principal != NULL) {
+ principal = gensec_security->target.principal;
+ } else if (gensec_security->target.service != NULL &&
+ gensec_security->target.hostname != NULL)
+ {
+ principal = talloc_asprintf(spnego_state->sub_sec_security,
+ "%s/%s",
+ gensec_security->target.service,
+ gensec_security->target.hostname);
+ } else {
+ principal = gensec_security->target.hostname;
+ }
+
+ DBG_PREFIX(dbg_level, (
+ "%s: creating NEG_TOKEN_INIT "
+ "for %s failed (next[%s]): %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ principal, next, nt_errstr(status)));
+
+ if (allow_fallback && next != NULL) {
+ /*
+ * Pretend we never started it.
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
+ continue;
+ }
+
+ /*
+ * Hard error.
+ */
+ TALLOC_FREE(frame);
return status;
}
+ DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+
+ reply:
my_mechs[0] = spnego_state->neg_oid;
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
@@ -630,6 +741,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DBG_ERR("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n");
+ TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER;
}
@@ -638,6 +750,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("failed to write mechTypes\n");
+ TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
@@ -645,6 +758,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
+ TALLOC_FREE(frame);
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
--
1.9.1
From d2fdf0117ccb8193e1a7ce755f81763301e6457a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 10:54:54 +0200
Subject: [PATCH 21/29] auth/spnego: remove unused indentation level from
gensec_spnego_parse_negTokenInit()
gensec_spnego_parse_negTokenInit() is only used as server now.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 128 ++++++++++++++++++++++++++-------------------------
1 file changed, 65 insertions(+), 63 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 90b8120..72571fa 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -219,6 +219,11 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
DATA_BLOB unwrapped_in = data_blob_null;
bool ok;
const struct gensec_security_ops_wrapper *all_sec = NULL;
+ uint32_t j;
+
+ if (spnego_state->state_position != SPNEGO_SERVER_START) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
if (spnego_in->type != SPNEGO_NEG_TOKEN_INIT) {
return NT_STATUS_INTERNAL_ERROR;
@@ -247,80 +252,77 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
return NT_STATUS_NO_MEMORY;
}
- if (spnego_state->state_position == SPNEGO_SERVER_START) {
- uint32_t j;
- for (j=0; mechType && mechType[j]; j++) {
- for (i=0; all_sec && all_sec[i].op; i++) {
- if (strcmp(mechType[j], all_sec[i].oid) != 0) {
- continue;
- }
-
- nt_status = gensec_subcontext_start(spnego_state,
- gensec_security,
- &spnego_state->sub_sec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
- /* select the sub context */
- nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
- all_sec[i].op);
- if (!NT_STATUS_IS_OK(nt_status)) {
- /*
- * Pretend we never started it
- */
- gensec_spnego_update_sub_abort(spnego_state);
- break;
- }
-
- if (j > 0) {
- /* no optimistic token */
- spnego_state->neg_oid = all_sec[i].oid;
- *unwrapped_out = data_blob_null;
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- /*
- * Indicate the downgrade and request a
- * mic.
- */
- spnego_state->downgraded = true;
- spnego_state->mic_requested = true;
- break;
- }
-
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx,
- ev,
- unwrapped_in,
- unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
- NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
-
- DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ for (j=0; mechType && mechType[j]; j++) {
+ for (i=0; all_sec && all_sec[i].op; i++) {
+ if (strcmp(mechType[j], all_sec[i].oid) != 0) {
+ continue;
+ }
- /*
- * Pretend we never started it
- */
- gensec_spnego_update_sub_abort(spnego_state);
- break;
- }
+ nt_status = gensec_subcontext_start(spnego_state,
+ gensec_security,
+ &spnego_state->sub_sec_security);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ /* select the sub context */
+ nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
+ all_sec[i].op);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
+ break;
+ }
+ if (j > 0) {
+ /* no optimistic token */
spnego_state->neg_oid = all_sec[i].oid;
+ *unwrapped_out = data_blob_null;
+ nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ /*
+ * Indicate the downgrade and request a
+ * mic.
+ */
+ spnego_state->downgraded = true;
+ spnego_state->mic_requested = true;
break;
}
- if (spnego_state->sub_sec_security) {
+
+ nt_status = gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ ev,
+ unwrapped_in,
+ unwrapped_out);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+
+ DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
+ spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
break;
}
- }
- if (!spnego_state->sub_sec_security) {
- DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
+ spnego_state->neg_oid = all_sec[i].oid;
+ break;
+ }
+ if (spnego_state->sub_sec_security) {
+ break;
}
}
+ if (!spnego_state->sub_sec_security) {
+ DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/* Having tried any optimistic token from the client (if we
* were the server), if we didn't get anywhere, walk our list
* in our preference order */
--
1.9.1
From ede061a5e1d6295ec289a2035f540a5dac2d6e15 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 10:57:52 +0200
Subject: [PATCH 22/29] auth/spnego: remove dead code from
gensec_spnego_parse_negTokenInit()
Check with git show -U15
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 85 ----------------------------------------------------
1 file changed, 85 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 72571fa..1592b60 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -323,91 +323,6 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
return NT_STATUS_INVALID_PARAMETER;
}
- /* Having tried any optimistic token from the client (if we
- * were the server), if we didn't get anywhere, walk our list
- * in our preference order */
- unwrapped_in = data_blob_null;
-
- if (!spnego_state->sub_sec_security) {
- for (i=0; all_sec && all_sec[i].op; i++) {
- nt_status = gensec_subcontext_start(spnego_state,
- gensec_security,
- &spnego_state->sub_sec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
- /* select the sub context */
- nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
- all_sec[i].op);
- if (!NT_STATUS_IS_OK(nt_status)) {
- /*
- * Pretend we never started it.
- */
- gensec_spnego_update_sub_abort(spnego_state);
- continue;
- }
-
- spnego_state->neg_oid = all_sec[i].oid;
-
- /* only get the helping start blob for the first OID */
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx,
- ev,
- unwrapped_in,
- unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
-
- /* it is likely that a NULL input token will
- * not be liked by most server mechs, but if
- * we are in the client, we want the first
- * update packet to be able to abort the use
- * of this mech */
- if (spnego_state->state_position != SPNEGO_SERVER_START) {
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
- NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
- NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
- NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
- const char *next = NULL;
- const char *principal = NULL;
- int dbg_level = DBGLVL_WARNING;
-
- if (all_sec[i+1].op != NULL) {
- next = all_sec[i+1].op->name;
- dbg_level = DBGLVL_NOTICE;
- }
-
- if (gensec_security->target.principal != NULL) {
- principal = gensec_security->target.principal;
- } else if (gensec_security->target.service != NULL &&
- gensec_security->target.hostname != NULL)
- {
- principal = talloc_asprintf(spnego_state->sub_sec_security,
- "%s/%s",
- gensec_security->target.service,
- gensec_security->target.hostname);
- } else {
- principal = gensec_security->target.hostname;
- }
-
- DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
- spnego_state->sub_sec_security->ops->name,
- principal,
- next, nt_errstr(nt_status)));
-
- /*
- * Pretend we never started it.
- */
- gensec_spnego_update_sub_abort(spnego_state);
- continue;
- }
- }
-
- break;
- }
- }
-
if (spnego_state->sub_sec_security) {
/* it is likely that a NULL input token will
* not be liked by most server mechs, but this
--
1.9.1
From 5477eac21ca46b9e00eee72c0b133d58a00f4b5b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 11:03:37 +0200
Subject: [PATCH 23/29] auth/spnego: remove one more useless indentation level
from gensec_spnego_parse_negTokenInit()
Check with 'git show -w -U45' and carefully check the 'break' vs. 'continue'
changes.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 112 ++++++++++++++++++++++++++-------------------------
1 file changed, 58 insertions(+), 54 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1592b60..8f01a38 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -253,69 +253,73 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
}
for (j=0; mechType && mechType[j]; j++) {
- for (i=0; all_sec && all_sec[i].op; i++) {
- if (strcmp(mechType[j], all_sec[i].oid) != 0) {
- continue;
- }
-
- nt_status = gensec_subcontext_start(spnego_state,
- gensec_security,
- &spnego_state->sub_sec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
- /* select the sub context */
- nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
- all_sec[i].op);
- if (!NT_STATUS_IS_OK(nt_status)) {
- /*
- * Pretend we never started it
- */
- gensec_spnego_update_sub_abort(spnego_state);
- break;
- }
+ const struct gensec_security_ops_wrapper *cur_sec = NULL;
- if (j > 0) {
- /* no optimistic token */
- spnego_state->neg_oid = all_sec[i].oid;
- *unwrapped_out = data_blob_null;
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- /*
- * Indicate the downgrade and request a
- * mic.
- */
- spnego_state->downgraded = true;
- spnego_state->mic_requested = true;
+ for (i=0; all_sec && all_sec[i].op; i++) {
+ if (strcmp(mechType[j], all_sec[i].oid) == 0) {
+ cur_sec = &all_sec[i];
break;
}
+ }
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx,
- ev,
- unwrapped_in,
- unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
- NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
-
- DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ if (cur_sec == NULL) {
+ continue;
+ }
- /*
- * Pretend we never started it
- */
- gensec_spnego_update_sub_abort(spnego_state);
- break;
- }
+ nt_status = gensec_subcontext_start(spnego_state,
+ gensec_security,
+ &spnego_state->sub_sec_security);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ /* select the sub context */
+ nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
+ cur_sec->op);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
+ continue;
+ }
- spnego_state->neg_oid = all_sec[i].oid;
+ if (j > 0) {
+ /* no optimistic token */
+ spnego_state->neg_oid = cur_sec->oid;
+ *unwrapped_out = data_blob_null;
+ nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ /*
+ * Indicate the downgrade and request a
+ * mic.
+ */
+ spnego_state->downgraded = true;
+ spnego_state->mic_requested = true;
break;
}
- if (spnego_state->sub_sec_security) {
- break;
+
+ nt_status = gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ ev,
+ unwrapped_in,
+ unwrapped_out);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_state->sub_sec_ready = true;
}
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+
+ DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
+ spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
+ continue;
+ }
+
+ spnego_state->neg_oid = cur_sec->oid;
+ break;
}
if (!spnego_state->sub_sec_security) {
--
1.9.1
From ae294c742b6dc311abcc6aa6694d271ef38ef948 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 11:05:39 +0200
Subject: [PATCH 24/29] auth/spnego: do an early return when we downgraded the
mech in gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 8f01a38..257d46c 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -294,7 +294,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
*/
spnego_state->downgraded = true;
spnego_state->mic_requested = true;
- break;
+ return nt_status;
}
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
--
1.9.1
From 3ec377a8e464d7a2f0f391127517cadc5e9e0758 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 11:07:41 +0200
Subject: [PATCH 25/29] auth/spnego: add an early return for a hard error in
gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 257d46c..99079bd 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -318,6 +318,13 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
continue;
}
+ if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
+ DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ nt_errstr(nt_status)));
+ return nt_status;
+ }
+
spnego_state->neg_oid = cur_sec->oid;
break;
}
--
1.9.1
From 8d6c40aa713d4e2e1ba855237dc8c975354c3c4b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 11:09:59 +0200
Subject: [PATCH 26/29] auth/spnego: add an early return for OK or MORE
PROCESSING in gensec_spnego_parse_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 99079bd..d3ff252 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -326,7 +326,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
}
spnego_state->neg_oid = cur_sec->oid;
- break;
+ return nt_status; /* OK or MORE PROCESSING */
}
if (!spnego_state->sub_sec_security) {
--
1.9.1
From c58c5c701b739370cc89de78551b13f6b7e42cbd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 11:11:57 +0200
Subject: [PATCH 27/29] auth/spnego: remove more dead code from
gensec_spnego_parse_negTokenInit()
Now we finally have a logic that someone can understand while reading it.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 40 +---------------------------------------
1 file changed, 1 insertion(+), 39 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index d3ff252..ec525e6 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -329,46 +329,8 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
return nt_status; /* OK or MORE PROCESSING */
}
- if (!spnego_state->sub_sec_security) {
- DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (spnego_state->sub_sec_security) {
- /* it is likely that a NULL input token will
- * not be liked by most server mechs, but this
- * does the right thing in the CIFS client.
- * just push us along the merry-go-round
- * again, and hope for better luck next
- * time */
-
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)) {
- *unwrapped_out = data_blob_null;
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
-
- if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
- DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
-
- /* We started the mech correctly, and the
- * input from the other side was valid.
- * Return the error (say bad password, invalid
- * ticket) */
- gensec_spnego_update_sub_abort(spnego_state);
- return nt_status;
- }
-
- return nt_status; /* OK or MORE PROCESSING */
- }
-
DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
- /* we could re-negotiate here, but it would only work
- * if the client or server lied about what it could
- * support the first time. Lets keep this code to
- * reality */
-
- return nt_status;
+ return NT_STATUS_INVALID_PARAMETER;
}
/** create a negTokenInit
--
1.9.1
From 316b9959429fca7567cfe1d5431b12dd9df71bb0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 11:39:39 +0200
Subject: [PATCH 28/29] auth/spnego: inline gensec_spnego_parse_negTokenInit()
into gensec_spnego_server_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 267 ++++++++++++++++++++++++---------------------------
1 file changed, 123 insertions(+), 144 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index ec525e6..fd58b7a 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -201,138 +201,6 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
return NT_STATUS_INVALID_PARAMETER;
}
-/*
- Parse the netTokenInit, either from the client, to the server, or
- from the server to the client.
-*/
-
-static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_security,
- struct spnego_state *spnego_state,
- TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- DATA_BLOB *unwrapped_out)
-{
- int i;
- NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
- const char * const *mechType = NULL;
- DATA_BLOB unwrapped_in = data_blob_null;
- bool ok;
- const struct gensec_security_ops_wrapper *all_sec = NULL;
- uint32_t j;
-
- if (spnego_state->state_position != SPNEGO_SERVER_START) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- if (spnego_in->type != SPNEGO_NEG_TOKEN_INIT) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- mechType = spnego_in->negTokenInit.mechTypes;
- if (mechType == NULL) {
- return NT_STATUS_INVALID_PARAMETER;
- }
- unwrapped_in = spnego_in->negTokenInit.mechToken;
-
- all_sec = gensec_security_by_oid_list(gensec_security,
- out_mem_ctx,
- mechType,
- GENSEC_OID_SPNEGO);
- if (all_sec == NULL) {
- DBG_WARNING("gensec_security_by_oid_list() failed\n");
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- ok = spnego_write_mech_types(spnego_state,
- mechType,
- &spnego_state->mech_types);
- if (!ok) {
- DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- for (j=0; mechType && mechType[j]; j++) {
- const struct gensec_security_ops_wrapper *cur_sec = NULL;
-
- for (i=0; all_sec && all_sec[i].op; i++) {
- if (strcmp(mechType[j], all_sec[i].oid) == 0) {
- cur_sec = &all_sec[i];
- break;
- }
- }
-
- if (cur_sec == NULL) {
- continue;
- }
-
- nt_status = gensec_subcontext_start(spnego_state,
- gensec_security,
- &spnego_state->sub_sec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
- /* select the sub context */
- nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
- cur_sec->op);
- if (!NT_STATUS_IS_OK(nt_status)) {
- /*
- * Pretend we never started it
- */
- gensec_spnego_update_sub_abort(spnego_state);
- continue;
- }
-
- if (j > 0) {
- /* no optimistic token */
- spnego_state->neg_oid = cur_sec->oid;
- *unwrapped_out = data_blob_null;
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- /*
- * Indicate the downgrade and request a
- * mic.
- */
- spnego_state->downgraded = true;
- spnego_state->mic_requested = true;
- return nt_status;
- }
-
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx,
- ev,
- unwrapped_in,
- unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
- NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
-
- DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse contents: %s\n",
- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
-
- /*
- * Pretend we never started it
- */
- gensec_spnego_update_sub_abort(spnego_state);
- continue;
- }
-
- if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
- DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
- spnego_state->sub_sec_security->ops->name,
- nt_errstr(nt_status)));
- return nt_status;
- }
-
- spnego_state->neg_oid = cur_sec->oid;
- return nt_status; /* OK or MORE PROCESSING */
- }
-
- DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
-}
-
/** create a negTokenInit
*
* This is the same packet, no matter if the client or server sends it first, but it is always the first packet
@@ -1032,17 +900,126 @@ static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
+ TALLOC_CTX *frame = talloc_stackframe();
DATA_BLOB sub_out = data_blob_null;
DATA_BLOB mech_list_mic = data_blob_null;
+ const char * const *mech_types = NULL;
+ size_t all_idx = 0;
+ const struct gensec_security_ops_wrapper *all_sec = NULL;
+ size_t mech_idx = 0;
NTSTATUS status;
+ bool ok;
- status = gensec_spnego_parse_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev,
- spnego_in,
- &sub_out);
+ mech_types = spnego_in->negTokenInit.mechTypes;
+ if (mech_types == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ all_sec = gensec_security_by_oid_list(gensec_security, frame,
+ mech_types, GENSEC_OID_SPNEGO);
+ if (all_sec == NULL) {
+ DBG_WARNING("gensec_security_by_oid_list() failed\n");
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ok = spnego_write_mech_types(spnego_state, mech_types,
+ &spnego_state->mech_types);
+ if (!ok) {
+ DBG_ERR("Failed to write mechTypes\n");
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * First try the preferred mechs from the client.
+ */
+ for (; mech_types[mech_idx]; mech_idx++) {
+ const char *cur_mech = mech_types[mech_idx];
+ const struct gensec_security_ops_wrapper *cur_sec = NULL;
+ DATA_BLOB sub_in = data_blob_null;
+ for (all_idx = 0; all_sec[all_idx].op; all_idx++) {
+ if (strcmp(cur_mech, all_sec[all_idx].oid) == 0) {
+ cur_sec = &all_sec[all_idx];
+ break;
+ }
+ }
+
+ if (cur_sec == NULL) {
+ continue;
+ }
+
+ status = gensec_subcontext_start(spnego_state,
+ gensec_security,
+ &spnego_state->sub_sec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ /* select the sub context */
+ status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
+ cur_sec->op);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
+ continue;
+ }
+
+ if (mech_idx > 0) {
+ /*
+ * Indicate the downgrade and request a
+ * mic.
+ */
+ spnego_state->downgraded = true;
+ spnego_state->mic_requested = true;
+ /* no optimistic token */
+ spnego_state->neg_oid = cur_sec->oid;
+ sub_out = data_blob_null;
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ goto reply;
+ }
+
+ /*
+ * Try the optimistic token from the client
+ */
+ sub_in = spnego_in->negTokenInit.mechToken;
+ status = gensec_update_ev(spnego_state->sub_sec_security,
+ frame, ev, sub_in, &sub_out);
+ if (NT_STATUS_IS_OK(status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+
+ DBG_WARNING("%s: NEG_TOKEN_INIT failed to parse contents: %s\n",
+ cur_sec->op->name, nt_errstr(status));
+
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
+ continue;
+ }
+
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ DBG_WARNING("%s: NEG_TOKEN_INIT failed: %s\n",
+ cur_sec->op->name, nt_errstr(status));
+ goto reply;
+ }
+
+ spnego_state->neg_oid = cur_sec->oid;
+ goto reply; /* OK or MORE PROCESSING */
+ }
+
+ DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
+ status = NT_STATUS_INVALID_PARAMETER;
+
+ reply:
if (spnego_state->simulate_w2k) {
/*
* Windows 2000 returns the unwrapped token
@@ -1055,12 +1032,14 @@ static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec
mech_list_mic = sub_out;
}
- return gensec_spnego_server_response(spnego_state,
- out_mem_ctx,
- status,
- sub_out,
- mech_list_mic,
- out);
+ status = gensec_spnego_server_response(spnego_state,
+ out_mem_ctx,
+ status,
+ sub_out,
+ mech_list_mic,
+ out);
+ TALLOC_FREE(frame);
+ return status;
}
static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec_security,
--
1.9.1
From a62a4546fdfa90066237596878f7a14a5734ab26 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 13 Jun 2017 23:43:01 +0200
Subject: [PATCH 29/29] auth/spnego: split out gensec_spnego_update_pre/post()
functions
For now we keep doing sync processing only, in future
we'll do some preprocessing before a gensec_update_send()
on the subcontext in gensec_spnego_update_pre()
and handle the the result of gensec_update_recv()
in gensec_spnego_update_post().
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 234 +++++++++++++++++++++++++++++++++------------------
1 file changed, 153 insertions(+), 81 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index fd58b7a..1395063 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1164,6 +1164,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
}
struct gensec_spnego_update_state {
+ struct tevent_context *ev;
struct gensec_security *gensec;
struct spnego_state *spnego;
DATA_BLOB full_in;
@@ -1197,6 +1198,8 @@ static void gensec_spnego_update_cleanup(struct tevent_req *req,
static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
const DATA_BLOB in, TALLOC_CTX *mem_ctx,
DATA_BLOB *full_in);
+static void gensec_spnego_update_pre(struct tevent_req *req);
+static void gensec_spnego_update_post(struct tevent_req *req);
static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *_out);
@@ -1219,6 +1222,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
if (req == NULL) {
return NULL;
}
+ state->ev = ev;
state->gensec = gensec_security;
state->spnego = spnego_state;
tevent_req_set_cleanup_fn(req, gensec_spnego_update_cleanup);
@@ -1319,94 +1323,21 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
return NULL;
}
- /* and switch into the state machine */
-
- switch (spnego_state->state_position) {
- case SPNEGO_FALLBACK:
- status = gensec_update_ev(spnego_state->sub_sec_security,
- state, ev,
- state->full_in,
- &spnego_state->out_frag);
- break;
-
- case SPNEGO_CLIENT_START:
- if (state->spnego_in == NULL) {
- /* client to produce negTokenInit */
- status = gensec_spnego_create_negTokenInit(gensec_security,
- spnego_state, state, ev,
- &spnego_state->out_frag);
- break;
- }
-
- status = gensec_spnego_client_negTokenInit(gensec_security,
- spnego_state, ev,
- state->spnego_in, state,
- &spnego_state->out_frag);
- break;
-
- case SPNEGO_CLIENT_TARG:
- status = gensec_spnego_client_negTokenTarg(gensec_security,
- spnego_state, ev,
- state->spnego_in, state,
- &spnego_state->out_frag);
- break;
-
- case SPNEGO_SERVER_START:
- if (state->spnego_in == NULL) {
- /* server to produce negTokenInit */
- status = gensec_spnego_create_negTokenInit(gensec_security,
- spnego_state, state, ev,
- &spnego_state->out_frag);
- break;
- }
-
- status = gensec_spnego_server_negTokenInit(gensec_security,
- spnego_state, ev,
- state->spnego_in, state,
- &spnego_state->out_frag);
- break;
-
- case SPNEGO_SERVER_TARG:
- status = gensec_spnego_server_negTokenTarg(gensec_security,
- spnego_state, ev,
- state->spnego_in, state,
- &spnego_state->out_frag);
- break;
-
- default:
- smb_panic(__location__);
- return NULL;
- }
-
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- tevent_req_nterror(req, status);
+ gensec_spnego_update_pre(req);
+ if (!tevent_req_is_in_progress(req)) {
return tevent_req_post(req, ev);
}
- if (NT_STATUS_IS_OK(status)) {
- bool reset_full = true;
-
- reset_full = !spnego_state->done_mic_check;
-
- status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
- reset_full);
- if (tevent_req_nterror(req, status)) {
- return tevent_req_post(req, ev);
- }
- }
-
- spnego_state->out_status = status;
+ /*
+ * TODO: prepare async processing here in future.
+ */
- status = gensec_spnego_update_out(gensec_security,
- state, &state->out);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- tevent_req_nterror(req, status);
+ gensec_spnego_update_post(req);
+ if (!tevent_req_is_in_progress(req)) {
return tevent_req_post(req, ev);
}
- state->status = status;
- tevent_req_done(req);
- return tevent_req_post(req, ev);
+ return req;
}
static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
@@ -1517,6 +1448,147 @@ static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
return NT_STATUS_OK;
}
+static void gensec_spnego_update_pre(struct tevent_req *req)
+{
+ struct gensec_spnego_update_state *state =
+ tevent_req_data(req,
+ struct gensec_spnego_update_state);
+ struct gensec_security *gensec_security = state->gensec;
+ struct spnego_state *spnego_state = state->spnego;
+ struct tevent_context *ev = state->ev;
+ NTSTATUS status;
+
+ if (spnego_state->state_position == SPNEGO_FALLBACK) {
+ status = gensec_update_ev(spnego_state->sub_sec_security,
+ state, ev,
+ state->full_in,
+ &spnego_state->out_frag);
+ /*
+ * We don't check status here.
+ */
+ spnego_state->out_status = status;
+ return;
+ }
+
+ switch (spnego_state->state_position) {
+ case SPNEGO_CLIENT_START:
+ if (state->spnego_in == NULL) {
+ /* client to produce negTokenInit */
+ status = gensec_spnego_create_negTokenInit(gensec_security,
+ spnego_state, state, ev,
+ &spnego_state->out_frag);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ break;
+ }
+
+ status = gensec_spnego_client_negTokenInit(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
+ break;
+
+ case SPNEGO_CLIENT_TARG:
+ status = gensec_spnego_client_negTokenTarg(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ break;
+
+ case SPNEGO_SERVER_START:
+ if (state->spnego_in == NULL) {
+ /* server to produce negTokenInit */
+ status = gensec_spnego_create_negTokenInit(gensec_security,
+ spnego_state, state, ev,
+ &spnego_state->out_frag);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ break;
+ }
+
+ status = gensec_spnego_server_negTokenInit(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ break;
+
+ case SPNEGO_SERVER_TARG:
+ status = gensec_spnego_server_negTokenTarg(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+ break;
+
+ default:
+ smb_panic(__location__);
+ return;
+ }
+
+ spnego_state->out_status = status;
+}
+
+static void gensec_spnego_update_post(struct tevent_req *req)
+{
+ struct gensec_spnego_update_state *state =
+ tevent_req_data(req,
+ struct gensec_spnego_update_state);
+ struct spnego_state *spnego_state = state->spnego;
+ NTSTATUS status;
+
+ if (spnego_state->state_position == SPNEGO_FALLBACK) {
+ status = spnego_state->out_status;
+ goto respond;
+ }
+
+ /*
+ * For now just handle the sync processing done
+ * in gensec_spnego_update_pre()
+ */
+ status = spnego_state->out_status;
+
+ if (NT_STATUS_IS_OK(status)) {
+ bool reset_full = true;
+
+ reset_full = !spnego_state->done_mic_check;
+
+ status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
+ reset_full);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+ }
+
+respond:
+ spnego_state->out_status = status;
+
+ status = gensec_spnego_update_out(state->gensec,
+ state, &state->out);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ state->status = status;
+ tevent_req_done(req);
+ return;
+}
+
static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *_out)
--
1.9.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170710/7b1d5c98/signature-0001.sig>
More information about the samba-technical
mailing list