[Patches] The way to remove gensec_update_ev() part5
Stefan Metzmacher
metze at samba.org
Thu Jul 20 22:16:37 UTC 2017
Hi,
> here's the next chunk ready for master.
>
> Please review and push:-)
I reworked the patches a little bit.
Most of them are already reviewed by Andreas.
The also passed private autobuilds a few times.
Please review and push:-)
Thanks!
metze
-------------- next part --------------
From 56aacabd630dc19f861be4c0ef18dd80fad55fb9 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn at samba.org>
Date: Wed, 19 Jul 2017 10:47:37 +0200
Subject: [PATCH 01/21] SIGN-OFF auth/spnego: Fix withespace and indent in
gensec_spnego_server_try_fallback()
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Andreas Schneider <asn at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
auth/gensec/spnego.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 6168c93..90b5cb0 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -153,9 +153,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
bool is_spnego;
NTSTATUS nt_status;
- if (gensec_security != NULL &&
- !gensec_security_ops_enabled(all_ops[i], gensec_security))
- continue;
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(all_ops[i], gensec_security))
+ {
+ continue;
+ }
if (!all_ops[i]->oid) {
continue;
--
1.9.1
From 8f5497858bd9c190d20481659a1ba0973050dae2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 14 Jun 2017 03:39:02 +0200
Subject: [PATCH 02/21] auth/spnego: move gensec_update_ev() out of
gensec_spnego_server_try_fallback()
This makes it easier to handle SPNEGO_FALLBACK code path completely async
from the first packet in future.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 90b5cb0..8248787 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -140,14 +140,13 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
- struct tevent_context *ev,
- TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB in, DATA_BLOB *out)
+ TALLOC_CTX *mem_ctx,
+ const DATA_BLOB in)
{
int i,j;
const struct gensec_security_ops **all_ops;
- all_ops = gensec_security_mechs(gensec_security, out_mem_ctx);
+ all_ops = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; all_ops && all_ops[i]; i++) {
bool is_spnego;
@@ -197,9 +196,8 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev, in, out);
- return nt_status;
+
+ return NT_STATUS_OK;
}
DEBUG(1, ("Failed to parse SPNEGO request\n"));
return NT_STATUS_INVALID_PARAMETER;
@@ -1098,8 +1096,22 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
len = spnego_read_data(gensec_security, in, &spnego);
if (len == -1) {
- return gensec_spnego_server_try_fallback(gensec_security, spnego_state,
- ev, out_mem_ctx, in, out);
+ /*
+ * This is the 'fallback' case, where we don't get
+ * SPNEGO, and have to try all the other options (and
+ * hope they all have a magic string they check)
+ */
+ nt_status = gensec_spnego_server_try_fallback(gensec_security,
+ spnego_state,
+ out_mem_ctx,
+ in);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ return gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx, ev,
+ in, out);
}
/* client sent NegTargetInit, we send NegTokenTarg */
--
1.9.1
From 7319a4f1b76a5bc6df5174e1585f652c35cd3de0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 30 Dec 2016 12:59:01 +0100
Subject: [PATCH 03/21] auth/spnego: skip gensec_update_ev() if sub_sec_ready
is already true in gensec_spnego_update_server()
This matches the flow already used in the client case.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 8248787..f46d46d 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1213,15 +1213,19 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
goto server_response;
}
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- spnego.negTokenTarg.responseToken,
- &unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (!NT_STATUS_IS_OK(nt_status)) {
- goto server_response;
+ if (!spnego_state->sub_sec_ready) {
+ nt_status = gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx, ev,
+ spnego.negTokenTarg.responseToken,
+ &unwrapped_out);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ goto server_response;
+ }
+ } else {
+ nt_status = NT_STATUS_OK;
}
have_sign = gensec_have_feature(spnego_state->sub_sec_security,
--
1.9.1
From fd28b6993fb86e9157402f528ef19cf1eaf77ddd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 5 Jul 2017 09:59:16 +0200
Subject: [PATCH 04/21] auth/spnego: introduce a 'spnego_in' helper variable in
gensec_spnego_update_client()
In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 37 ++++++++++++++++++++-----------------
1 file changed, 20 insertions(+), 17 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f46d46d..0e727f9 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -645,6 +645,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
DATA_BLOB unwrapped_out = data_blob_null;
struct spnego_data spnego_out;
struct spnego_data spnego;
+ struct spnego_data *spnego_in = NULL;
ssize_t len;
*out = data_blob_null;
@@ -685,8 +686,9 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
+ spnego_in = &spnego;
- tp = spnego.negTokenInit.targetPrincipal;
+ tp = spnego_in->negTokenInit.targetPrincipal;
if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
DEBUG(5, ("Server claims it's principal name is %s\n", tp));
if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
@@ -698,7 +700,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state,
out_mem_ctx,
ev,
- &spnego,
+ spnego_in,
&unwrapped_out);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
@@ -761,7 +763,8 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
- ta = &spnego.negTokenTarg;
+ spnego_in = &spnego;
+ ta = &spnego_in->negTokenTarg;
spnego_state->num_targs++;
@@ -769,7 +772,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
return NT_STATUS_LOGON_FAILURE;
}
- if (spnego.negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
+ if (spnego_in->negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
spnego_state->mic_requested = true;
}
@@ -806,9 +809,9 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
};
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
- DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
- const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ DATA_BLOB *m = &spnego_in->negTokenTarg.mechListMIC;
+ const DATA_BLOB *r = &spnego_in->negTokenTarg.responseToken;
/*
* Windows 2000 has a bug, it repeats the
@@ -824,20 +827,20 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->sub_sec_ready) {
spnego_state->needs_mic_check = true;
}
}
if (spnego_state->needs_mic_check) {
- if (spnego.negTokenTarg.responseToken.length != 0) {
+ if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
- if (spnego.negTokenTarg.mechListMIC.length == 0
+ if (spnego_in->negTokenTarg.mechListMIC.length == 0
&& spnego_state->may_skip_mic_check) {
/*
* In this case we don't require
@@ -859,7 +862,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
+ &spnego_in->negTokenTarg.mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
@@ -874,7 +877,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!spnego_state->sub_sec_ready) {
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
- spnego.negTokenTarg.responseToken,
+ spnego_in->negTokenTarg.responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->sub_sec_ready = true;
@@ -898,7 +901,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
- switch (spnego.negTokenTarg.negResult) {
+ switch (spnego_in->negTokenTarg.negResult) {
case SPNEGO_ACCEPT_COMPLETED:
case SPNEGO_NONE_RESULT:
if (spnego_state->num_targs == 1) {
@@ -912,7 +915,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
break;
case SPNEGO_ACCEPT_INCOMPLETE:
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
break;
}
@@ -959,7 +962,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
break;
case SPNEGO_REQUEST_MIC:
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
break;
@@ -979,13 +982,13 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
+ &spnego_in->negTokenTarg.mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
--
1.9.1
From 2690f4504431a490fe7b095ffffbb923ce7b4cdf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 5 Jul 2017 09:59:16 +0200
Subject: [PATCH 05/21] auth/spnego: introduce a 'spnego_in' helper variable in
gensec_spnego_update_client()
In the following commits we'll pass that variable from the caller
and this preparation will reduce the diff for the following patches.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 0e727f9..f70a6e7 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1081,6 +1081,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
DATA_BLOB mech_list_mic = data_blob_null;
DATA_BLOB unwrapped_out = data_blob_null;
struct spnego_data spnego;
+ struct spnego_data *spnego_in = NULL;
ssize_t len;
/* and switch into the state machine */
@@ -1126,12 +1127,13 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
+ spnego_in = &spnego;
nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
ev,
- &spnego,
+ spnego_in,
&unwrapped_out);
if (spnego_state->simulate_w2k) {
@@ -1184,6 +1186,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
+ spnego_in = &spnego;
spnego_state->num_targs++;
@@ -1194,7 +1197,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
}
if (spnego_state->needs_mic_check) {
- if (spnego.negTokenTarg.responseToken.length != 0) {
+ if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
@@ -1205,7 +1208,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
+ &spnego_in->negTokenTarg.mechListMIC);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
@@ -1219,7 +1222,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
if (!spnego_state->sub_sec_ready) {
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
- spnego.negTokenTarg.responseToken,
+ spnego_in->negTokenTarg.responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->sub_sec_ready = true;
@@ -1238,7 +1241,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
}
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
@@ -1247,13 +1250,13 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_state->needs_mic_sign = true;
}
- if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego_in->negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego.negTokenTarg.mechListMIC);
+ &spnego_in->negTokenTarg.mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
--
1.9.1
From 34b749288b6d733282bc360d51ba40e458f13ef5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 14 Jun 2017 03:39:02 +0200
Subject: [PATCH 06/21] auth/spnego: do parse the incoming blob already in
gensec_spnego_update_send()
It's easier to have this in one central place.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 209 +++++++++++++++++++++------------------------------
1 file changed, 85 insertions(+), 124 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f70a6e7..7b83b85 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -638,15 +638,13 @@ static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
+ struct spnego_data *spnego_in,
+ DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
DATA_BLOB mech_list_mic = data_blob_null;
DATA_BLOB unwrapped_out = data_blob_null;
struct spnego_data spnego_out;
- struct spnego_data spnego;
- struct spnego_data *spnego_in = NULL;
- ssize_t len;
*out = data_blob_null;
@@ -662,7 +660,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
bool ok;
const char *tp = NULL;
- if (!in.length) {
+ if (spnego_in == NULL) {
/* client to produce negTokenInit */
return gensec_spnego_create_negTokenInit(gensec_security,
spnego_state,
@@ -670,24 +668,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
ev, out);
}
- len = spnego_read_data(gensec_security, in, &spnego);
-
- if (len == -1) {
- DEBUG(1, ("Invalid SPNEGO request:\n"));
- dump_data(1, in.data, in.length);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
- spnego_in = &spnego;
-
tp = spnego_in->negTokenInit.targetPrincipal;
if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
DEBUG(5, ("Server claims it's principal name is %s\n", tp));
@@ -704,7 +684,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
&unwrapped_out);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
- spnego_free_data(&spnego);
return nt_status;
}
@@ -734,37 +713,14 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
- spnego_free_data(&spnego);
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
case SPNEGO_CLIENT_TARG:
{
NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
- const struct spnego_negTokenTarg *ta = NULL;
-
- if (!in.length) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- len = spnego_read_data(gensec_security, in, &spnego);
-
- if (len == -1) {
- DEBUG(1, ("Invalid SPNEGO request:\n"));
- dump_data(1, in.data, in.length);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
- spnego_in = &spnego;
- ta = &spnego_in->negTokenTarg;
+ const struct spnego_negTokenTarg *ta =
+ &spnego_in->negTokenTarg;
spnego_state->num_targs++;
@@ -790,21 +746,18 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
- spnego_free_data(&spnego);
return nt_status;
}
/* select the sub context */
nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
ta->supportedMech);
if (!NT_STATUS_IS_OK(nt_status)) {
- spnego_free_data(&spnego);
return nt_status;
}
spnego_state->neg_oid = talloc_strdup(spnego_state,
ta->supportedMech);
if (spnego_state->neg_oid == NULL) {
- spnego_free_data(&spnego);
return NT_STATUS_NO_MEMORY;
};
}
@@ -836,7 +789,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (spnego_state->needs_mic_check) {
if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
@@ -866,7 +818,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
- spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_check = false;
@@ -992,7 +943,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
- spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_check = false;
@@ -1010,7 +960,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
nt_errstr(nt_status)));
- spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_sign = false;
@@ -1021,8 +970,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
client_response:
- spnego_free_data(&spnego);
-
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
&& !NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
@@ -1075,14 +1022,12 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
- const DATA_BLOB in, DATA_BLOB *out)
+ struct spnego_data *spnego_in,
+ DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
DATA_BLOB mech_list_mic = data_blob_null;
DATA_BLOB unwrapped_out = data_blob_null;
- struct spnego_data spnego;
- struct spnego_data *spnego_in = NULL;
- ssize_t len;
/* and switch into the state machine */
@@ -1091,44 +1036,13 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
{
NTSTATUS nt_status;
- if (in.length == 0) {
+ if (spnego_in == NULL) {
return gensec_spnego_create_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
ev, out);
}
- len = spnego_read_data(gensec_security, in, &spnego);
- if (len == -1) {
- /*
- * This is the 'fallback' case, where we don't get
- * SPNEGO, and have to try all the other options (and
- * hope they all have a magic string they check)
- */
- nt_status = gensec_spnego_server_try_fallback(gensec_security,
- spnego_state,
- out_mem_ctx,
- in);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- return gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- in, out);
- }
- /* client sent NegTargetInit, we send NegTokenTarg */
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
- spnego_in = &spnego;
-
nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
@@ -1155,8 +1069,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
mech_list_mic,
out);
- spnego_free_data(&spnego);
-
return nt_status;
}
@@ -1166,40 +1078,16 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
bool have_sign = true;
bool new_spnego = false;
- if (!in.length) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- len = spnego_read_data(gensec_security, in, &spnego);
-
- if (len == -1) {
- DEBUG(1, ("Invalid SPNEGO request:\n"));
- dump_data(1, in.data, in.length);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* OK, so it's real SPNEGO, check the packet's the one we expect */
- if (spnego.type != spnego_state->expected_packet) {
- DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
- spnego_state->expected_packet));
- dump_data(1, in.data, in.length);
- spnego_free_data(&spnego);
- return NT_STATUS_INVALID_PARAMETER;
- }
- spnego_in = &spnego;
-
spnego_state->num_targs++;
if (!spnego_state->sub_sec_security) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego_state->needs_mic_check) {
if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
@@ -1295,8 +1183,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
mech_list_mic,
out);
- spnego_free_data(&spnego);
-
return nt_status;
}
@@ -1312,6 +1198,8 @@ struct gensec_spnego_update_state {
struct gensec_security *gensec;
struct spnego_state *spnego;
DATA_BLOB full_in;
+ struct spnego_data _spnego_in;
+ struct spnego_data *spnego_in;
NTSTATUS status;
DATA_BLOB out;
};
@@ -1355,6 +1243,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req = NULL;
struct gensec_spnego_update_state *state = NULL;
NTSTATUS status;
+ ssize_t len;
req = tevent_req_create(mem_ctx, &state,
struct gensec_spnego_update_state);
@@ -1397,6 +1286,78 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
+ /* Check if we got a valid SPNEGO blob... */
+
+ switch (spnego_state->state_position) {
+ case SPNEGO_FALLBACK:
+ break;
+
+ case SPNEGO_CLIENT_TARG:
+ case SPNEGO_SERVER_TARG:
+ if (state->full_in.length == 0) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ /* fall through */
+ case SPNEGO_CLIENT_START:
+ case SPNEGO_SERVER_START:
+
+ if (state->full_in.length == 0) {
+ /* create_negTokenInit later */
+ break;
+ }
+
+ len = spnego_read_data(state,
+ state->full_in,
+ &state->_spnego_in);
+ if (len == -1) {
+ if (spnego_state->state_position != SPNEGO_SERVER_START) {
+ DEBUG(1, ("Invalid SPNEGO request:\n"));
+ dump_data(1, state->full_in.data,
+ state->full_in.length);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ /*
+ * This is the 'fallback' case, where we don't get
+ * SPNEGO, and have to try all the other options (and
+ * hope they all have a magic string they check)
+ */
+ status = gensec_spnego_server_try_fallback(gensec_security,
+ spnego_state,
+ state,
+ state->full_in);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
+
+ /*
+ * We'll continue with SPNEGO_FALLBACK below...
+ */
+ break;
+ }
+ state->spnego_in = &state->_spnego_in;
+
+ /* OK, so it's real SPNEGO, check the packet's the one we expect */
+ if (state->spnego_in->type != spnego_state->expected_packet) {
+ DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n",
+ state->spnego_in->type,
+ spnego_state->expected_packet));
+ dump_data(1, state->full_in.data,
+ state->full_in.length);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+
+ break;
+
+ default:
+ smb_panic(__location__);
+ return NULL;
+ }
+
/* and switch into the state machine */
switch (spnego_state->state_position) {
@@ -1411,7 +1372,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
case SPNEGO_CLIENT_TARG:
status = gensec_spnego_update_client(gensec_security,
state, ev,
- state->full_in,
+ state->spnego_in,
&spnego_state->out_frag);
break;
@@ -1419,7 +1380,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
case SPNEGO_SERVER_TARG:
status = gensec_spnego_update_server(gensec_security,
state, ev,
- state->full_in,
+ state->spnego_in,
&spnego_state->out_frag);
break;
--
1.9.1
From b162b73aa737c93f91223d982ced037c04c7b00b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 6 Jul 2017 15:36:36 +0200
Subject: [PATCH 07/21] auth/spnego: call gensec_spnego_create_negTokenInit()
directly in gensec_spnego_update_send()
This simplifies further refactoring.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 33 ++++++++++++++++++---------------
1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 7b83b85..9291332 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -660,14 +660,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
bool ok;
const char *tp = NULL;
- if (spnego_in == NULL) {
- /* client to produce negTokenInit */
- return gensec_spnego_create_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev, out);
- }
-
tp = spnego_in->negTokenInit.targetPrincipal;
if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
DEBUG(5, ("Server claims it's principal name is %s\n", tp));
@@ -1036,13 +1028,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
{
NTSTATUS nt_status;
- if (spnego_in == NULL) {
- return gensec_spnego_create_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev, out);
- }
-
nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
@@ -1369,6 +1354,15 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
break;
case SPNEGO_CLIENT_START:
+ if (state->spnego_in == NULL) {
+ /* client to produce negTokenInit */
+ status = gensec_spnego_create_negTokenInit(gensec_security,
+ spnego_state, state, ev,
+ &spnego_state->out_frag);
+ break;
+ }
+
+ /* fall through */
case SPNEGO_CLIENT_TARG:
status = gensec_spnego_update_client(gensec_security,
state, ev,
@@ -1377,6 +1371,15 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
break;
case SPNEGO_SERVER_START:
+ if (state->spnego_in == NULL) {
+ /* server to produce negTokenInit */
+ status = gensec_spnego_create_negTokenInit(gensec_security,
+ spnego_state, state, ev,
+ &spnego_state->out_frag);
+ break;
+ }
+
+ /* fall through */
case SPNEGO_SERVER_TARG:
status = gensec_spnego_update_server(gensec_security,
state, ev,
--
1.9.1
From 41c8f9fad8621a75b3d34353bfe5dedea7827629 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 07:53:29 +0200
Subject: [PATCH 08/21] auth/spnego: simplify the error handling logic in
gensec_spnego_parse_negTokenInit()
We can just use GENSEC_UPDATE_IS_NTERROR() as NT_STATUS_INVALID_PARAMETER
is mapped to NT_STATUS_MORE_PROCESSING_REQUIRED in the lines above.
Check with git show -U10
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 9291332..cec44bc 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -414,9 +414,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
}
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER)
- && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
- && !NT_STATUS_IS_OK(nt_status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
@@ -428,7 +426,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
return nt_status;
}
- return nt_status; /* OK, INVALID_PARAMETER ore MORE PROCESSING */
+ return nt_status; /* OK or MORE PROCESSING */
}
DEBUG(1, ("SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT\n"));
--
1.9.1
From 03ff77fafb652a2ce809fe87fd0bb2326c50d3cc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 28 Jun 2017 14:53:49 +0200
Subject: [PATCH 09/21] auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in
gensec_spnego_update_send()
Check with git show -U15
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 31 ++++++++++++++-----------------
1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index cec44bc..fe819ad 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1245,15 +1245,12 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
status = gensec_spnego_update_out(gensec_security,
state, &state->out);
- state->status = status;
- if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
- if (tevent_req_nterror(req, status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
+ state->status = status;
tevent_req_done(req);
return tevent_req_post(req, ev);
}
@@ -1390,6 +1387,11 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
return NULL;
}
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return tevent_req_post(req, ev);
+ }
+
if (NT_STATUS_IS_OK(status)) {
bool reset_full = true;
@@ -1397,26 +1399,21 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
reset_full);
- }
- if (!NT_STATUS_IS_OK(status) &&
- !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- tevent_req_nterror(req, status);
- return tevent_req_post(req, ev);
+ if (tevent_req_nterror(req, status)) {
+ return tevent_req_post(req, ev);
+ }
}
spnego_state->out_status = status;
status = gensec_spnego_update_out(gensec_security,
state, &state->out);
- state->status = status;
- if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
- if (tevent_req_nterror(req, status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
+ state->status = status;
tevent_req_done(req);
return tevent_req_post(req, ev);
}
--
1.9.1
From 19e85a56feaaeca25518c7384a0112bfbec1a71c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 07:58:51 +0200
Subject: [PATCH 10/21] auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in
gensec_spnego_create_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index fe819ad..0e7f751 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -491,8 +491,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
spnego_state->sub_sec_ready = true;
}
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
- && !NT_STATUS_IS_OK(nt_status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
const char *next = NULL;
const char *principal = NULL;
int dbg_level = DBGLVL_WARNING;
--
1.9.1
From 2f73a55032a4add27cdd880b52b59befdcb2f420 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 08:00:00 +0200
Subject: [PATCH 11/21] auth/spnego: make use of GENSEC_UPDATE_IS_NTERROR() in
gensec_spnego_update_client()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 0e7f751..29f0b01 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -672,7 +672,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_in,
&unwrapped_out);
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
return nt_status;
}
@@ -959,8 +959,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
client_response:
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
- && !NT_STATUS_IS_OK(nt_status)) {
+ if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
spnego_state->sub_sec_security->ops->name,
nt_errstr(nt_status)));
--
1.9.1
From e4c100a1b70cfcc4b8e2fc4a9822d88aeeea29a5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 08:11:32 +0200
Subject: [PATCH 12/21] auth/spnego: split out a
gensec_spnego_client_negTokenInit() function.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 123 ++++++++++++++++++++++++++++-----------------------
1 file changed, 68 insertions(+), 55 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 29f0b01..f730845 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -578,6 +578,70 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
return nt_status;
}
+static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct tevent_context *ev,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ DATA_BLOB sub_out = data_blob_null;
+ const char *tp = NULL;
+ struct spnego_data spnego_out;
+ const char *my_mechs[] = {NULL, NULL};
+ NTSTATUS status;
+ bool ok;
+
+ *out = data_blob_null;
+
+ /* The server offers a list of mechanisms */
+
+ tp = spnego_in->negTokenInit.targetPrincipal;
+ if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
+ DBG_INFO("Server claims it's principal name is %s\n", tp);
+ if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
+ gensec_set_target_principal(gensec_security, tp);
+ }
+ }
+
+ status = gensec_spnego_parse_negTokenInit(gensec_security,
+ spnego_state,
+ out_mem_ctx,
+ ev,
+ spnego_in,
+ &sub_out);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ return status;
+ }
+
+ my_mechs[0] = spnego_state->neg_oid;
+ /* compose reply */
+ spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
+ spnego_out.negTokenInit.mechTypes = my_mechs;
+ spnego_out.negTokenInit.reqFlags = data_blob_null;
+ spnego_out.negTokenInit.reqFlagsPadding = 0;
+ spnego_out.negTokenInit.mechListMIC = data_blob_null;
+ spnego_out.negTokenInit.mechToken = sub_out;
+
+ if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+ DBG_ERR("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ok = spnego_write_mech_types(spnego_state,
+ my_mechs,
+ &spnego_state->mech_types);
+ if (!ok) {
+ DBG_ERR("failed to write mechTypes\n");
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* set next state */
+ spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
+ spnego_state->state_position = SPNEGO_CLIENT_TARG;
+
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+}
/** create a server negTokenTarg
*
@@ -649,61 +713,10 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
switch (spnego_state->state_position) {
case SPNEGO_CLIENT_START:
- {
- /* The server offers a list of mechanisms */
-
- const char *my_mechs[] = {NULL, NULL};
- NTSTATUS nt_status = NT_STATUS_INVALID_PARAMETER;
- bool ok;
- const char *tp = NULL;
-
- tp = spnego_in->negTokenInit.targetPrincipal;
- if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
- DEBUG(5, ("Server claims it's principal name is %s\n", tp));
- if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
- gensec_set_target_principal(gensec_security, tp);
- }
- }
-
- nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev,
- spnego_in,
- &unwrapped_out);
-
- if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
- return nt_status;
- }
-
- my_mechs[0] = spnego_state->neg_oid;
- /* compose reply */
- spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
- spnego_out.negTokenInit.mechTypes = my_mechs;
- spnego_out.negTokenInit.reqFlags = data_blob_null;
- spnego_out.negTokenInit.reqFlagsPadding = 0;
- spnego_out.negTokenInit.mechListMIC = data_blob_null;
- spnego_out.negTokenInit.mechToken = unwrapped_out;
-
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- ok = spnego_write_mech_types(spnego_state,
- my_mechs,
- &spnego_state->mech_types);
- if (!ok) {
- DEBUG(1, ("SPNEGO: Failed to write mechTypes\n"));
- return NT_STATUS_NO_MEMORY;
- }
-
- /* set next state */
- spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
- spnego_state->state_position = SPNEGO_CLIENT_TARG;
-
- return NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
+ return gensec_spnego_client_negTokenInit(gensec_security,
+ spnego_state,
+ ev, spnego_in,
+ out_mem_ctx, out);
case SPNEGO_CLIENT_TARG:
{
--
1.9.1
From b57b333b3b4bcbc68a28a809f065f17d9dc9c75d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 08:30:24 +0200
Subject: [PATCH 13/21] auth/spnego: split out a
gensec_spnego_server_negTokenInit() function.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 73 ++++++++++++++++++++++++++++++----------------------
1 file changed, 42 insertions(+), 31 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f730845..53fd81c 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -696,6 +696,44 @@ static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
return nt_status;
}
+static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct tevent_context *ev,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ DATA_BLOB sub_out = data_blob_null;
+ DATA_BLOB mech_list_mic = data_blob_null;
+ NTSTATUS status;
+
+ status = gensec_spnego_parse_negTokenInit(gensec_security,
+ spnego_state,
+ out_mem_ctx,
+ ev,
+ spnego_in,
+ &sub_out);
+
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = sub_out;
+ }
+
+ return gensec_spnego_server_response(spnego_state,
+ out_mem_ctx,
+ status,
+ sub_out,
+ mech_list_mic,
+ out);
+}
+
static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
@@ -1034,37 +1072,10 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
switch (spnego_state->state_position) {
case SPNEGO_SERVER_START:
- {
- NTSTATUS nt_status;
-
- nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev,
- spnego_in,
- &unwrapped_out);
-
- if (spnego_state->simulate_w2k) {
- /*
- * Windows 2000 returns the unwrapped token
- * also in the mech_list_mic field.
- *
- * In order to verify our client code,
- * we need a way to have a server with this
- * broken behaviour
- */
- mech_list_mic = unwrapped_out;
- }
-
- nt_status = gensec_spnego_server_response(spnego_state,
- out_mem_ctx,
- nt_status,
- unwrapped_out,
- mech_list_mic,
- out);
-
- return nt_status;
- }
+ return gensec_spnego_server_negTokenInit(gensec_security,
+ spnego_state,
+ ev, spnego_in,
+ out_mem_ctx, out);
case SPNEGO_SERVER_TARG:
{
--
1.9.1
From ce94fbdcb4c7bfe83e2fd0deca4d68c0f2789320 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 08:42:08 +0200
Subject: [PATCH 14/21] auth/spnego: make more use of the 'ta' helper variable
in gensec_spnego_update_client()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 53fd81c..46b0e3b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -759,7 +759,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
case SPNEGO_CLIENT_TARG:
{
NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
- const struct spnego_negTokenTarg *ta =
+ struct spnego_negTokenTarg *ta =
&spnego_in->negTokenTarg;
spnego_state->num_targs++;
@@ -768,7 +768,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
return NT_STATUS_LOGON_FAILURE;
}
- if (spnego_in->negTokenTarg.negResult == SPNEGO_REQUEST_MIC) {
+ if (ta->negResult == SPNEGO_REQUEST_MIC) {
spnego_state->mic_requested = true;
}
@@ -802,9 +802,9 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
};
}
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
- DATA_BLOB *m = &spnego_in->negTokenTarg.mechListMIC;
- const DATA_BLOB *r = &spnego_in->negTokenTarg.responseToken;
+ if (ta->mechListMIC.length > 0) {
+ DATA_BLOB *m = &ta->mechListMIC;
+ const DATA_BLOB *r = &ta->responseToken;
/*
* Windows 2000 has a bug, it repeats the
@@ -820,19 +820,19 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
}
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
if (spnego_state->sub_sec_ready) {
spnego_state->needs_mic_check = true;
}
}
if (spnego_state->needs_mic_check) {
- if (spnego_in->negTokenTarg.responseToken.length != 0) {
+ if (ta->responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
- if (spnego_in->negTokenTarg.mechListMIC.length == 0
+ if (ta->mechListMIC.length == 0
&& spnego_state->may_skip_mic_check) {
/*
* In this case we don't require
@@ -854,7 +854,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego_in->negTokenTarg.mechListMIC);
+ &ta->mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
@@ -868,7 +868,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!spnego_state->sub_sec_ready) {
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
- spnego_in->negTokenTarg.responseToken,
+ ta->responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->sub_sec_ready = true;
@@ -892,7 +892,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
- switch (spnego_in->negTokenTarg.negResult) {
+ switch (ta->negResult) {
case SPNEGO_ACCEPT_COMPLETED:
case SPNEGO_NONE_RESULT:
if (spnego_state->num_targs == 1) {
@@ -906,7 +906,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
break;
case SPNEGO_ACCEPT_INCOMPLETE:
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
new_spnego = true;
break;
}
@@ -953,7 +953,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
break;
case SPNEGO_REQUEST_MIC:
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
new_spnego = true;
}
break;
@@ -973,13 +973,13 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
}
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego_in->negTokenTarg.mechListMIC);
+ &ta->mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
--
1.9.1
From 0562a723ddb3781a2cef85240ded01f29522d5bd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:01:18 +0200
Subject: [PATCH 15/21] auth/spnego: split out a
gensec_spnego_client_negTokenTarg() function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 619 +++++++++++++++++++++++++++------------------------
1 file changed, 324 insertions(+), 295 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 46b0e3b..0f3aae1 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -643,6 +643,326 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
+static NTSTATUS gensec_spnego_client_negTokenTarg(struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct tevent_context *ev,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
+ DATA_BLOB sub_in = ta->responseToken;
+ DATA_BLOB mech_list_mic = data_blob_null;
+ DATA_BLOB sub_out = data_blob_null;
+ struct spnego_data spnego_out;
+ NTSTATUS status;
+
+ *out = data_blob_null;
+
+ spnego_state->num_targs++;
+
+ if (ta->negResult == SPNEGO_REJECT) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ if (ta->negResult == SPNEGO_REQUEST_MIC) {
+ spnego_state->mic_requested = true;
+ }
+
+ if (ta->mechListMIC.length > 0) {
+ DATA_BLOB *m = &ta->mechListMIC;
+ const DATA_BLOB *r = &ta->responseToken;
+
+ /*
+ * Windows 2000 has a bug, it repeats the
+ * responseToken in the mechListMIC field.
+ */
+ if (m->length == r->length) {
+ int cmp;
+
+ cmp = memcmp(m->data, r->data, m->length);
+ if (cmp == 0) {
+ data_blob_free(m);
+ }
+ }
+ }
+
+ /* Server didn't like our choice of mech, and chose something else */
+ if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
+ (ta->negResult == SPNEGO_REQUEST_MIC)) &&
+ ta->supportedMech != NULL &&
+ strcmp(ta->supportedMech, spnego_state->neg_oid) != 0)
+ {
+ const char *client_mech = NULL;
+ const char *client_oid = NULL;
+ const char *server_mech = NULL;
+ const char *server_oid = NULL;
+
+ client_mech = gensec_get_name_by_oid(gensec_security,
+ spnego_state->neg_oid);
+ client_oid = spnego_state->neg_oid;
+ server_mech = gensec_get_name_by_oid(gensec_security,
+ ta->supportedMech);
+ server_oid = ta->supportedMech;
+
+ DBG_NOTICE("client preferred mech (%s[%s]) not accepted, "
+ "server wants: %s[%s]\n",
+ client_mech, client_oid, server_mech, server_oid);
+
+ spnego_state->downgraded = true;
+ gensec_spnego_update_sub_abort(spnego_state);
+
+ status = gensec_subcontext_start(spnego_state,
+ gensec_security,
+ &spnego_state->sub_sec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /* select the sub context */
+ status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
+ ta->supportedMech);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ spnego_state->neg_oid = talloc_strdup(spnego_state,
+ ta->supportedMech);
+ if (spnego_state->neg_oid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ if (ta->mechListMIC.length > 0) {
+ if (spnego_state->sub_sec_ready) {
+ spnego_state->needs_mic_check = true;
+ }
+ }
+
+ if (spnego_state->needs_mic_check) {
+ if (ta->responseToken.length != 0) {
+ DBG_WARNING("non empty response token not expected\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (ta->mechListMIC.length == 0
+ && spnego_state->may_skip_mic_check) {
+ /*
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->needs_mic_check = false;
+ status = NT_STATUS_OK;
+ goto client_response;
+ }
+
+ status = gensec_check_packet(spnego_state->sub_sec_security,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &ta->mechListMIC);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to verify mechListMIC: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ spnego_state->needs_mic_check = false;
+ spnego_state->done_mic_check = true;
+ goto client_response;
+ }
+
+ if (!spnego_state->sub_sec_ready) {
+ status = gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx, ev,
+ sub_in,
+ &sub_out);
+ if (NT_STATUS_IS_OK(status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ goto client_response;
+ }
+ } else {
+ status = NT_STATUS_OK;
+ }
+
+ if (!spnego_state->done_mic_check) {
+ bool have_sign = true;
+ bool new_spnego = false;
+
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
+ new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_NEW_SPNEGO);
+
+ switch (ta->negResult) {
+ case SPNEGO_ACCEPT_COMPLETED:
+ case SPNEGO_NONE_RESULT:
+ if (spnego_state->num_targs == 1) {
+ /*
+ * the first exchange doesn't require
+ * verification
+ */
+ new_spnego = false;
+ }
+
+ break;
+
+ case SPNEGO_ACCEPT_INCOMPLETE:
+ if (ta->mechListMIC.length > 0) {
+ new_spnego = true;
+ break;
+ }
+
+ if (spnego_state->downgraded) {
+ /*
+ * A downgrade should be protected if
+ * supported
+ */
+ break;
+ }
+
+ /*
+ * The caller may just asked for
+ * GENSEC_FEATURE_SESSION_KEY, this
+ * is only reflected in the want_features.
+ *
+ * As it will imply
+ * gensec_have_features(GENSEC_FEATURE_SIGN)
+ * to return true.
+ */
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+ break;
+ }
+ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+ break;
+ }
+ /*
+ * Here we're sure our preferred mech was
+ * selected by the server and our caller doesn't
+ * need GENSEC_FEATURE_SIGN nor
+ * GENSEC_FEATURE_SEAL support.
+ *
+ * In this case we don't require
+ * a mechListMIC from the server.
+ *
+ * This works around bugs in the Azure
+ * and Apple spnego implementations.
+ *
+ * See
+ * https://bugzilla.samba.org/show_bug.cgi?id=11994
+ */
+ spnego_state->may_skip_mic_check = true;
+ break;
+
+ case SPNEGO_REQUEST_MIC:
+ if (ta->mechListMIC.length > 0) {
+ new_spnego = true;
+ }
+ break;
+ default:
+ break;
+ }
+
+ if (spnego_state->mic_requested) {
+ if (have_sign) {
+ new_spnego = true;
+ }
+ }
+
+ if (have_sign && new_spnego) {
+ spnego_state->needs_mic_check = true;
+ spnego_state->needs_mic_sign = true;
+ }
+ }
+
+ if (ta->mechListMIC.length > 0) {
+ status = gensec_check_packet(spnego_state->sub_sec_security,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &ta->mechListMIC);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to verify mechListMIC: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ spnego_state->needs_mic_check = false;
+ spnego_state->done_mic_check = true;
+ }
+
+ if (spnego_state->needs_mic_sign) {
+ status = gensec_sign_packet(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &mech_list_mic);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to sign mechListMIC: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ spnego_state->needs_mic_sign = false;
+ }
+
+ if (spnego_state->needs_mic_check) {
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+
+ client_response:
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ DBG_WARNING("SPNEGO(%s) login failed: %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ nt_errstr(status));
+ return status;
+ }
+
+ if (sub_out.length || mech_list_mic.length) {
+ /* compose reply */
+ spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
+ spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
+ spnego_out.negTokenTarg.supportedMech = NULL;
+ spnego_out.negTokenTarg.responseToken = sub_out;
+ spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
+
+ if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
+ DBG_WARNING("Failed to write NEG_TOKEN_TARG\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ spnego_state->num_targs++;
+ spnego_state->state_position = SPNEGO_CLIENT_TARG;
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+
+ /* all done - server has accepted, and we agree */
+ *out = data_blob_null;
+
+ if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
+ /* unless of course it did not accept */
+ DBG_WARNING("gensec_update ok but not accepted\n");
+ status = NT_STATUS_INVALID_PARAMETER;
+ }
+
+ spnego_state->state_position = SPNEGO_DONE;
+ }
+
+ return status;
+}
+
/** create a server negTokenTarg
*
* This is the case, where the client is the first one who sends data
@@ -741,9 +1061,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
- DATA_BLOB mech_list_mic = data_blob_null;
- DATA_BLOB unwrapped_out = data_blob_null;
- struct spnego_data spnego_out;
*out = data_blob_null;
@@ -757,298 +1074,10 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
out_mem_ctx, out);
case SPNEGO_CLIENT_TARG:
- {
- NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
- struct spnego_negTokenTarg *ta =
- &spnego_in->negTokenTarg;
-
- spnego_state->num_targs++;
-
- if (ta->negResult == SPNEGO_REJECT) {
- return NT_STATUS_LOGON_FAILURE;
- }
-
- if (ta->negResult == SPNEGO_REQUEST_MIC) {
- spnego_state->mic_requested = true;
- }
-
- /* Server didn't like our choice of mech, and chose something else */
- if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
- (ta->negResult == SPNEGO_REQUEST_MIC)) &&
- ta->supportedMech != NULL&&
- strcmp(ta->supportedMech, spnego_state->neg_oid) != 0) {
- DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
- gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
- gensec_get_name_by_oid(gensec_security, ta->supportedMech)));
- spnego_state->downgraded = true;
- gensec_spnego_update_sub_abort(spnego_state);
- nt_status = gensec_subcontext_start(spnego_state,
- gensec_security,
- &spnego_state->sub_sec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
- /* select the sub context */
- nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
- ta->supportedMech);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- spnego_state->neg_oid = talloc_strdup(spnego_state,
- ta->supportedMech);
- if (spnego_state->neg_oid == NULL) {
- return NT_STATUS_NO_MEMORY;
- };
- }
-
- if (ta->mechListMIC.length > 0) {
- DATA_BLOB *m = &ta->mechListMIC;
- const DATA_BLOB *r = &ta->responseToken;
-
- /*
- * Windows 2000 has a bug, it repeats the
- * responseToken in the mechListMIC field.
- */
- if (m->length == r->length) {
- int cmp;
-
- cmp = memcmp(m->data, r->data, m->length);
- if (cmp == 0) {
- data_blob_free(m);
- }
- }
- }
-
- if (ta->mechListMIC.length > 0) {
- if (spnego_state->sub_sec_ready) {
- spnego_state->needs_mic_check = true;
- }
- }
-
- if (spnego_state->needs_mic_check) {
- if (ta->responseToken.length != 0) {
- DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (ta->mechListMIC.length == 0
- && spnego_state->may_skip_mic_check) {
- /*
- * In this case we don't require
- * a mechListMIC from the server.
- *
- * This works around bugs in the Azure
- * and Apple spnego implementations.
- *
- * See
- * https://bugzilla.samba.org/show_bug.cgi?id=11994
- */
- spnego_state->needs_mic_check = false;
- nt_status = NT_STATUS_OK;
- goto client_response;
- }
-
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &ta->mechListMIC);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- return nt_status;
- }
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- goto client_response;
- }
-
- if (!spnego_state->sub_sec_ready) {
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- ta->responseToken,
- &unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (!NT_STATUS_IS_OK(nt_status)) {
- goto client_response;
- }
- } else {
- nt_status = NT_STATUS_OK;
- }
-
- if (!spnego_state->done_mic_check) {
- bool have_sign = true;
- bool new_spnego = false;
-
- have_sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (spnego_state->simulate_w2k) {
- have_sign = false;
- }
- new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_NEW_SPNEGO);
-
- switch (ta->negResult) {
- case SPNEGO_ACCEPT_COMPLETED:
- case SPNEGO_NONE_RESULT:
- if (spnego_state->num_targs == 1) {
- /*
- * the first exchange doesn't require
- * verification
- */
- new_spnego = false;
- }
-
- break;
-
- case SPNEGO_ACCEPT_INCOMPLETE:
- if (ta->mechListMIC.length > 0) {
- new_spnego = true;
- break;
- }
-
- if (spnego_state->downgraded) {
- /*
- * A downgrade should be protected if
- * supported
- */
- break;
- }
-
- /*
- * The caller may just asked for
- * GENSEC_FEATURE_SESSION_KEY, this
- * is only reflected in the want_features.
- *
- * As it will imply
- * gensec_have_features(GENSEC_FEATURE_SIGN)
- * to return true.
- */
- if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
- break;
- }
- if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
- break;
- }
- /*
- * Here we're sure our preferred mech was
- * selected by the server and our caller doesn't
- * need GENSEC_FEATURE_SIGN nor
- * GENSEC_FEATURE_SEAL support.
- *
- * In this case we don't require
- * a mechListMIC from the server.
- *
- * This works around bugs in the Azure
- * and Apple spnego implementations.
- *
- * See
- * https://bugzilla.samba.org/show_bug.cgi?id=11994
- */
- spnego_state->may_skip_mic_check = true;
- break;
-
- case SPNEGO_REQUEST_MIC:
- if (ta->mechListMIC.length > 0) {
- new_spnego = true;
- }
- break;
- default:
- break;
- }
-
- if (spnego_state->mic_requested) {
- if (have_sign) {
- new_spnego = true;
- }
- }
-
- if (have_sign && new_spnego) {
- spnego_state->needs_mic_check = true;
- spnego_state->needs_mic_sign = true;
- }
- }
-
- if (ta->mechListMIC.length > 0) {
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &ta->mechListMIC);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- return nt_status;
- }
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- }
-
- if (spnego_state->needs_mic_sign) {
- nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
- out_mem_ctx,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &mech_list_mic);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
- nt_errstr(nt_status)));
- return nt_status;
- }
- spnego_state->needs_mic_sign = false;
- }
-
- if (spnego_state->needs_mic_check) {
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
-
- client_response:
- if (GENSEC_UPDATE_IS_NTERROR(nt_status)) {
- DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
- spnego_state->sub_sec_security->ops->name,
- nt_errstr(nt_status)));
- return nt_status;
- }
-
- if (unwrapped_out.length || mech_list_mic.length) {
- /* compose reply */
- spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
- spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
- spnego_out.negTokenTarg.supportedMech = NULL;
- spnego_out.negTokenTarg.responseToken = unwrapped_out;
- spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
-
- if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
- DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- spnego_state->num_targs++;
- spnego_state->state_position = SPNEGO_CLIENT_TARG;
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- } else {
-
- /* all done - server has accepted, and we agree */
- *out = data_blob_null;
-
- if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
- /* unless of course it did not accept */
- DEBUG(1,("gensec_update ok but not accepted\n"));
- nt_status = NT_STATUS_INVALID_PARAMETER;
- }
-
- spnego_state->state_position = SPNEGO_DONE;
- }
-
- return nt_status;
- }
+ return gensec_spnego_client_negTokenTarg(gensec_security,
+ spnego_state,
+ ev, spnego_in,
+ out_mem_ctx, out);
default:
break;
--
1.9.1
From a4573ccc7342ba42dca8078d2667f74dc8d35619 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:05:29 +0200
Subject: [PATCH 16/21] auth/spnego: introduce a 'struct spnego_negTokenTarg
*ta' helper variable in gensec_spnego_update_server()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 0f3aae1..137a4a3 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1108,6 +1108,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
case SPNEGO_SERVER_TARG:
{
+ const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
NTSTATUS nt_status;
bool have_sign = true;
bool new_spnego = false;
@@ -1120,7 +1121,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
}
if (spnego_state->needs_mic_check) {
- if (spnego_in->negTokenTarg.responseToken.length != 0) {
+ if (ta->responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
return NT_STATUS_INVALID_PARAMETER;
}
@@ -1130,7 +1131,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego_in->negTokenTarg.mechListMIC);
+ &ta->mechListMIC);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
@@ -1144,7 +1145,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
if (!spnego_state->sub_sec_ready) {
nt_status = gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
- spnego_in->negTokenTarg.responseToken,
+ ta->responseToken,
&unwrapped_out);
if (NT_STATUS_IS_OK(nt_status)) {
spnego_state->sub_sec_ready = true;
@@ -1163,7 +1164,7 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
}
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
- if (spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (ta->mechListMIC.length > 0) {
new_spnego = true;
}
@@ -1172,13 +1173,13 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
spnego_state->needs_mic_sign = true;
}
- if (have_sign && spnego_in->negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && ta->mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
- &spnego_in->negTokenTarg.mechListMIC);
+ &ta->mechListMIC);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
--
1.9.1
From 85c484c3d7e7e6767830748034c2bbf6c8df8aa5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:18:18 +0200
Subject: [PATCH 17/21] auth/spnego: split out a
gensec_spnego_server_negTokenTarg() function
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 240 +++++++++++++++++++++++++++------------------------
1 file changed, 125 insertions(+), 115 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 137a4a3..291c9d7 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1054,6 +1054,127 @@ static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec
out);
}
+static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct tevent_context *ev,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
+ DATA_BLOB sub_in = ta->responseToken;
+ DATA_BLOB mech_list_mic = data_blob_null;
+ DATA_BLOB sub_out = data_blob_null;
+ NTSTATUS status;
+ bool have_sign = true;
+ bool new_spnego = false;
+
+ spnego_state->num_targs++;
+
+ if (spnego_state->sub_sec_security == NULL) {
+ DBG_ERR("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (spnego_state->needs_mic_check) {
+ if (ta->responseToken.length != 0) {
+ DBG_WARNING("non empty response token not expected\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = gensec_check_packet(spnego_state->sub_sec_security,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &ta->mechListMIC);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to verify mechListMIC: %s\n",
+ nt_errstr(status));
+ goto server_response;
+ }
+
+ spnego_state->needs_mic_check = false;
+ spnego_state->done_mic_check = true;
+ goto server_response;
+ }
+
+ if (!spnego_state->sub_sec_ready) {
+ status = gensec_update_ev(spnego_state->sub_sec_security,
+ out_mem_ctx, ev,
+ sub_in, &sub_out);
+ if (NT_STATUS_IS_OK(status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ goto server_response;
+ }
+ } else {
+ status = NT_STATUS_OK;
+ }
+
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
+ new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_NEW_SPNEGO);
+ if (ta->mechListMIC.length > 0) {
+ new_spnego = true;
+ }
+
+ if (have_sign && new_spnego) {
+ spnego_state->needs_mic_check = true;
+ spnego_state->needs_mic_sign = true;
+ }
+
+ if (have_sign && ta->mechListMIC.length > 0) {
+ status = gensec_check_packet(spnego_state->sub_sec_security,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &ta->mechListMIC);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to verify mechListMIC: %s\n",
+ nt_errstr(status));
+ goto server_response;
+ }
+
+ spnego_state->needs_mic_check = false;
+ spnego_state->done_mic_check = true;
+ }
+
+ if (spnego_state->needs_mic_sign) {
+ status = gensec_sign_packet(spnego_state->sub_sec_security,
+ out_mem_ctx,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ spnego_state->mech_types.data,
+ spnego_state->mech_types.length,
+ &mech_list_mic);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("failed to sign mechListMIC: %s\n",
+ nt_errstr(status));
+ return status;
+ }
+ spnego_state->needs_mic_sign = false;
+ }
+
+ if (spnego_state->needs_mic_check) {
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+
+ server_response:
+ return gensec_spnego_server_response(spnego_state,
+ out_mem_ctx,
+ status,
+ sub_out,
+ mech_list_mic,
+ out);
+}
+
static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
@@ -1094,8 +1215,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
- DATA_BLOB mech_list_mic = data_blob_null;
- DATA_BLOB unwrapped_out = data_blob_null;
/* and switch into the state machine */
@@ -1107,119 +1226,10 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
out_mem_ctx, out);
case SPNEGO_SERVER_TARG:
- {
- const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
- NTSTATUS nt_status;
- bool have_sign = true;
- bool new_spnego = false;
-
- spnego_state->num_targs++;
-
- if (!spnego_state->sub_sec_security) {
- DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (spnego_state->needs_mic_check) {
- if (ta->responseToken.length != 0) {
- DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &ta->mechListMIC);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- } else {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- }
- goto server_response;
- }
-
- if (!spnego_state->sub_sec_ready) {
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- ta->responseToken,
- &unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (!NT_STATUS_IS_OK(nt_status)) {
- goto server_response;
- }
- } else {
- nt_status = NT_STATUS_OK;
- }
-
- have_sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (spnego_state->simulate_w2k) {
- have_sign = false;
- }
- new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_NEW_SPNEGO);
- if (ta->mechListMIC.length > 0) {
- new_spnego = true;
- }
-
- if (have_sign && new_spnego) {
- spnego_state->needs_mic_check = true;
- spnego_state->needs_mic_sign = true;
- }
-
- if (have_sign && ta->mechListMIC.length > 0) {
- nt_status = gensec_check_packet(spnego_state->sub_sec_security,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &ta->mechListMIC);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
- nt_errstr(nt_status)));
- goto server_response;
- }
-
- spnego_state->needs_mic_check = false;
- spnego_state->done_mic_check = true;
- }
-
- if (spnego_state->needs_mic_sign) {
- nt_status = gensec_sign_packet(spnego_state->sub_sec_security,
- out_mem_ctx,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- spnego_state->mech_types.data,
- spnego_state->mech_types.length,
- &mech_list_mic);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
- nt_errstr(nt_status)));
- goto server_response;
- }
- spnego_state->needs_mic_sign = false;
- }
-
- if (spnego_state->needs_mic_check) {
- nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
-
- server_response:
- nt_status = gensec_spnego_server_response(spnego_state,
- out_mem_ctx,
- nt_status,
- unwrapped_out,
- mech_list_mic,
- out);
-
- return nt_status;
- }
+ return gensec_spnego_server_negTokenTarg(gensec_security,
+ spnego_state,
+ ev, spnego_in,
+ out_mem_ctx, out);
default:
break;
--
1.9.1
From a690b839e3b964aece9eb1a3ef869e58ba724ea3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:22:25 +0200
Subject: [PATCH 18/21] auth/spnego: inline gensec_spnego_update_client() into
gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 48 ++++++++++--------------------------------------
1 file changed, 10 insertions(+), 38 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 291c9d7..26a56f0 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1175,39 +1175,6 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
out);
}
-static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
- TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- DATA_BLOB *out)
-{
- struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
-
- *out = data_blob_null;
-
- /* and switch into the state machine */
-
- switch (spnego_state->state_position) {
- case SPNEGO_CLIENT_START:
- return gensec_spnego_client_negTokenInit(gensec_security,
- spnego_state,
- ev, spnego_in,
- out_mem_ctx, out);
-
- case SPNEGO_CLIENT_TARG:
- return gensec_spnego_client_negTokenTarg(gensec_security,
- spnego_state,
- ev, spnego_in,
- out_mem_ctx, out);
-
- default:
- break;
- }
-
- smb_panic(__location__);
- return NT_STATUS_INTERNAL_ERROR;
-}
-
static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
@@ -1419,12 +1386,17 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
break;
}
- /* fall through */
+ status = gensec_spnego_client_negTokenInit(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
+ break;
+
case SPNEGO_CLIENT_TARG:
- status = gensec_spnego_update_client(gensec_security,
- state, ev,
- state->spnego_in,
- &spnego_state->out_frag);
+ status = gensec_spnego_client_negTokenTarg(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
break;
case SPNEGO_SERVER_START:
--
1.9.1
From 078e19035e969d6eae604dcfd7478886a162be5b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 09:22:25 +0200
Subject: [PATCH 19/21] auth/spnego: inline gensec_spnego_update_server() into
gensec_spnego_update_send()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 46 ++++++++++------------------------------------
1 file changed, 10 insertions(+), 36 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 26a56f0..db90e01 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1175,37 +1175,6 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
out);
}
-static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
- TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- DATA_BLOB *out)
-{
- struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
-
- /* and switch into the state machine */
-
- switch (spnego_state->state_position) {
- case SPNEGO_SERVER_START:
- return gensec_spnego_server_negTokenInit(gensec_security,
- spnego_state,
- ev, spnego_in,
- out_mem_ctx, out);
-
- case SPNEGO_SERVER_TARG:
- return gensec_spnego_server_negTokenTarg(gensec_security,
- spnego_state,
- ev, spnego_in,
- out_mem_ctx, out);
-
- default:
- break;
- }
-
- smb_panic(__location__);
- return NT_STATUS_INTERNAL_ERROR;
-}
-
struct gensec_spnego_update_state {
struct gensec_security *gensec;
struct spnego_state *spnego;
@@ -1408,12 +1377,17 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
break;
}
- /* fall through */
+ status = gensec_spnego_server_negTokenInit(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
+ break;
+
case SPNEGO_SERVER_TARG:
- status = gensec_spnego_update_server(gensec_security,
- state, ev,
- state->spnego_in,
- &spnego_state->out_frag);
+ status = gensec_spnego_server_negTokenTarg(gensec_security,
+ spnego_state, ev,
+ state->spnego_in, state,
+ &spnego_state->out_frag);
break;
default:
--
1.9.1
From c8105648d71ea701b5fdd9901b220b10f4aeba78 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 10:44:00 +0200
Subject: [PATCH 20/21] auth/spnego: let gensec_spnego_parse_negTokenInit()
require client provides mechs
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index db90e01..9f7d1ad 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -227,12 +227,19 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
}
mechType = spnego_in->negTokenInit.mechTypes;
+ if (mechType == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
unwrapped_in = spnego_in->negTokenInit.mechToken;
all_sec = gensec_security_by_oid_list(gensec_security,
out_mem_ctx,
mechType,
GENSEC_OID_SPNEGO);
+ if (all_sec == NULL) {
+ DBG_WARNING("gensec_security_by_oid_list() failed\n");
+ return NT_STATUS_INVALID_PARAMETER;
+ }
ok = spnego_write_mech_types(spnego_state,
mechType,
--
1.9.1
From d02d15183933dcc0201d3210cf8e0a5e518e0faf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 7 Jul 2017 10:11:43 +0200
Subject: [PATCH 21/21] auth/spnego: inline gensec_spnego_parse_negTokenInit()
client logic into gensec_spnego_client_negTokenInit()
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
---
auth/gensec/spnego.c | 128 ++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 121 insertions(+), 7 deletions(-)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 9f7d1ad..80f0af3 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -592,8 +592,12 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *out)
{
+ TALLOC_CTX *frame = talloc_stackframe();
DATA_BLOB sub_out = data_blob_null;
const char *tp = NULL;
+ const char * const *mech_types = NULL;
+ size_t all_idx = 0;
+ const struct gensec_security_ops_wrapper *all_sec = NULL;
struct spnego_data spnego_out;
const char *my_mechs[] = {NULL, NULL};
NTSTATUS status;
@@ -611,16 +615,123 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
}
}
- status = gensec_spnego_parse_negTokenInit(gensec_security,
- spnego_state,
- out_mem_ctx,
- ev,
- spnego_in,
- &sub_out);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ mech_types = spnego_in->negTokenInit.mechTypes;
+ if (mech_types == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ all_sec = gensec_security_by_oid_list(gensec_security,
+ frame, mech_types,
+ GENSEC_OID_SPNEGO);
+ if (all_sec == NULL) {
+ DBG_WARNING("gensec_security_by_oid_list() failed\n");
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ for (; all_sec[all_idx].op; all_idx++) {
+ const struct gensec_security_ops_wrapper *cur_sec =
+ &all_sec[all_idx];
+ const char *next = NULL;
+ const char *principal = NULL;
+ int dbg_level = DBGLVL_WARNING;
+ bool allow_fallback = false;
+
+ status = gensec_subcontext_start(spnego_state,
+ gensec_security,
+ &spnego_state->sub_sec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ /* select the sub context */
+ status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
+ cur_sec->op);
+ if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Pretend we never started it.
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
+ continue;
+ }
+
+ spnego_state->neg_oid = cur_sec->oid;
+
+ /*
+ * As client we don't use an optimistic token from the server.
+ */
+ status = gensec_update_ev(spnego_state->sub_sec_security,
+ frame, ev, data_blob_null, &sub_out);
+ if (NT_STATUS_IS_OK(status)) {
+ spnego_state->sub_sec_ready = true;
+ }
+
+ if (!GENSEC_UPDATE_IS_NTERROR(status)) {
+ /* OK or MORE_PROCESSING_REQUIRED */
+ goto reply;
+ }
+
+ /*
+ * it is likely that a NULL input token will
+ * not be liked by most server mechs, but if
+ * we are in the client, we want the first
+ * update packet to be able to abort the use
+ * of this mech
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
+ {
+ allow_fallback = true;
+ }
+
+ if (allow_fallback && cur_sec[1].op != NULL) {
+ next = cur_sec[1].op->name;
+ dbg_level = DBGLVL_NOTICE;
+ }
+
+ if (gensec_security->target.principal != NULL) {
+ principal = gensec_security->target.principal;
+ } else if (gensec_security->target.service != NULL &&
+ gensec_security->target.hostname != NULL)
+ {
+ principal = talloc_asprintf(spnego_state->sub_sec_security,
+ "%s/%s",
+ gensec_security->target.service,
+ gensec_security->target.hostname);
+ } else {
+ principal = gensec_security->target.hostname;
+ }
+
+ DBG_PREFIX(dbg_level, (
+ "%s: creating NEG_TOKEN_INIT "
+ "for %s failed (next[%s]): %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ principal, next, nt_errstr(status)));
+
+ if (allow_fallback && next != NULL) {
+ /*
+ * Pretend we never started it.
+ */
+ gensec_spnego_update_sub_abort(spnego_state);
+ continue;
+ }
+
+ /*
+ * Hard error.
+ */
+ TALLOC_FREE(frame);
return status;
}
+ DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+
+ reply:
my_mechs[0] = spnego_state->neg_oid;
/* compose reply */
spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
@@ -632,6 +743,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
DBG_ERR("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n");
+ TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER;
}
@@ -640,6 +752,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("failed to write mechTypes\n");
+ TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
@@ -647,6 +760,7 @@ static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
+ TALLOC_FREE(frame);
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
--
1.9.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170721/4575e418/signature-0001.sig>
More information about the samba-technical
mailing list