author | Isaac Boukris <iboukris@gmail.com> | 2019-09-04 17:04:12 +0300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2019-10-16 19:25:14 +0000 |
commit | 0d292ca72a389010306e79e7f782783b452cc603 (patch) | |
tree | 43d3331ae9555e7552d6715f01fc20b242786b13 | |
parent | f3a02fdf780578194d4ad722ebd822a04a2dd886 (diff) | |
download | samba-0d292ca72a389010306e79e7f782783b452cc603.tar.gz |
spnego: fix server handling of no optimistic exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
-rw-r--r-- | auth/gensec/spnego.c | 13 | ||||
-rw-r--r-- | selftest/knownfail.d/samba.tests.gensec | 2 | ||||
-rw-r--r-- | selftest/knownfail.d/spnego_downgrade | 1 | ||||
-rw-r--r-- | selftest/knownfail.d/spnego_no_optimistic | 1 |
4 files changed, 13 insertions, 4 deletions
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 97472c26837..ddbe03c5d6b 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1321,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
 spnego_state->mic_requested = true;
 }
+ if (sub_in.length == 0) {
+ spnego_state->no_optimistic = true;
+ }
+
 /*
 * Note that 'cur_sec' is temporary memory, but
 * cur_sec->oid points to a const string in the
@@ -1955,6 +1959,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
 * Skip optimistic token per conf.
 */
 state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
+ state->sub.in.length == 0 && spnego_state->no_optimistic) {
+ /*
+ * If we didn't like the mechanism for which the client sent us
+ * an optimistic token, or if he didn't send any, don't call
+ * the sub mechanism just yet.
+ */
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->no_optimistic = false;
 } else {
 /*
 * MORE_PROCESSING_REQUIRED =>
diff --git a/selftest/knownfail.d/samba.tests.gensec b/selftest/knownfail.d/samba.tests.gensec
deleted file mode 100644
index afc9eba9af5..00000000000
--- a/selftest/knownfail.d/samba.tests.gensec
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.tests.gensec.samba.tests.gensec.GensecTests.test_update_no_optimistic_spnego
-^samba.tests.gensec.samba.tests.gensec.GensecTests.test_update_spnego_downgrade
diff --git a/selftest/knownfail.d/spnego_downgrade b/selftest/knownfail.d/spnego_downgrade
deleted file mode 100644
index 494a55fd43d..00000000000
--- a/selftest/knownfail.d/spnego_downgrade
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.blackbox.smbd_no_krb5.test_spnego_downgrade
diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
deleted file mode 100644
index 54f51446be0..00000000000
--- a/selftest/knownfail.d/spnego_no_optimistic
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.smb.spnego.*.no_optimistic |
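Review bot: The added `if (sub_in.length == 0)` block in gensec_spnego_server_negTokenInit_step sets `no_optimistic` with no comment, so the reason an empty `sub_in` is the trigger is not visible here. Going by the comment in the second hunk, an empty `sub_in` is meant to cover both a client that sent no optimistic token and one whose token was for a mechanism the server did not pick. Whatever empties `sub_in` in the latter case lies outside this hunk, so someone auditing the mechanism-selection path cannot confirm that from these lines. I would add above the check: `/* No usable optimistic token (none sent, or sent for a mech we did not pick): defer the first sub-mechanism update. */`. The function body starts and ends outside the hunk.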
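Review bot: The new `SPNEGO_SERVER_START` branch in gensec_spnego_update_pre clears `no_optimistic` as one-shot state, but its comment does not say so. The preceding branch's comment ("Skip optimistic token per conf.") suggests the same field may also carry a configured setting; its condition is outside the hunk, so this is an inference. If it is the same field, the comment should state that the server side uses it only transiently, for example by appending `* The flag is one-shot server state; it is cleared here so later rounds reach the sub mechanism.` The wording "if he didn't send any" would also read better as "if it didn't send any". The enclosing if/else chain starts and ends outside the hunk.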