From a8021d9515ecf75d52d038fe78f72da2c79731af Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 4 Sep 2019 16:31:21 +0300
Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic
token
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
auth/gensec/spnego.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
|
|
|
4bc27b |
index dc73e324d99..97472c26837 100644
|
|
|
4bc27b |
--- a/auth/gensec/spnego.c
|
|
|
4bc27b |
+++ b/auth/gensec/spnego.c
|
|
|
4bc27b |
@@ -136,6 +136,7 @@ struct spnego_state {
|
|
|
4bc27b |
bool done_mic_check;
|
|
|
4bc27b |
|
|
|
4bc27b |
bool simulate_w2k;
|
|
|
4bc27b |
+ bool no_optimistic;
|
|
|
4bc27b |
|
|
|
4bc27b |
/*
|
|
|
4bc27b |
* The following is used to implement
|
|
|
4bc27b |
@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
|
|
|
4bc27b |
|
|
|
4bc27b |
spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
|
|
|
4bc27b |
"spnego", "simulate_w2k", false);
|
|
|
4bc27b |
+ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
|
|
|
4bc27b |
+ "spnego",
|
|
|
4bc27b |
+ "client_no_optimistic",
|
|
|
4bc27b |
+ false);
|
|
|
4bc27b |
|
|
|
4bc27b |
gensec_security->private_data = spnego_state;
|
|
|
4bc27b |
return NT_STATUS_OK;
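Review bot: The new parametric option read in gensec_spnego_client_start, `spnego:client_no_optimistic`, is introduced without any comment saying what it changes on the wire or why an administrator would set it. A short comment above the added call would help, for example `/* "spnego:client_no_optimistic": send the first negTokenInit without a mechToken (costs one extra round trip) */`. The setting name carries a `client_` prefix while the field it fills is plain `no_optimistic`; keeping the two aligned would make it easier to trace the option through the state machine. The function body starts outside this hunk.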
|
|
|
4bc27b |
@@ -1944,6 +1949,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
|
|
|
4bc27b |
* blob and NT_STATUS_OK.
|
|
|
4bc27b |
*/
|
|
|
4bc27b |
state->sub.status = NT_STATUS_OK;
|
|
|
4bc27b |
+ } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
|
|
|
4bc27b |
+ spnego_state->no_optimistic) {
|
|
|
4bc27b |
+ /*
|
|
|
4bc27b |
+ * Skip optimistic token per conf.
|
|
|
4bc27b |
+ */
|
|
|
4bc27b |
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
|
|
|
4bc27b |
} else {
|
|
|
4bc27b |
/*
|
|
|
4bc27b |
* MORE_PROCESSING_REQUIRED =>
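Review bot: The added `else if` branch in gensec_spnego_update_pre sets `state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED` without calling the sub-mechanism and without touching the sub-mechanism output, so the first message presumably relies on that output having been initialised empty earlier in the function, which is outside this hunk. The comment `Skip optimistic token per conf.` does not say this; something like `* Configured to send no optimistic token: do not call the sub mechanism yet, report MORE_PROCESSING_REQUIRED so the negTokenInit goes out with an empty mechToken.` would record the intent. The condition of the preceding branch is not visible here, so it is worth confirming that it cannot also match in SPNEGO_CLIENT_START and silently take precedence over the new option.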
--
2.21.0
From aa379f36ac5feb718c924b030308a29769657f7b Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 4 Sep 2019 16:39:43 +0300
Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
selftest/knownfail.d/spnego_no_optimistic | 1 +
source4/selftest/tests.py | 4 ++++
2 files changed, 5 insertions(+)
create mode 100644 selftest/knownfail.d/spnego_no_optimistic
diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
|
|
|
4bc27b |
new file mode 100644
|
|
|
4bc27b |
index 00000000000..54f51446be0
|
|
|
4bc27b |
--- /dev/null
|
|
|
4bc27b |
+++ b/selftest/knownfail.d/spnego_no_optimistic
|
|
|
4bc27b |
@@ -0,0 +1 @@
|
|
|
4bc27b |
+^samba4.smb.spnego.*.no_optimistic
|
|
|
4bc27b |
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
|
|
|
4bc27b |
index 34ebe10cd79..d73d426ee3c 100755
|
|
|
4bc27b |
--- a/source4/selftest/tests.py
|
|
|
4bc27b |
+++ b/source4/selftest/tests.py
|
|
|
4bc27b |
@@ -542,6 +542,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha
|
|
|
4bc27b |
plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon")
|
|
|
4bc27b |
plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon")
|
|
|
4bc27b |
|
|
|
4bc27b |
+# Test SPNEGO without issuing an optimistic token
|
|
|
4bc27b |
+opt='--option=spnego:client_no_optimistic=yes'
|
|
|
4bc27b |
+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic")
|
|
|
4bc27b |
+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic")
|
|
|
4bc27b |
|
|
|
4bc27b |
wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""]
|
|
|
4bc27b |
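Review bot: Both added plans run only against `ad_dc` with a client that omits the optimistic token and then authenticates successfully, so the series has no test where the exchange is expected to fail or where signing is required on this path. Adding at least one variant with `--signing=required`, in the style of the neighbouring `samba4.smb.signing` plans, would show that the session key and signing still come out right after the extra round trip. The module-level name `opt` is very generic for a file of this size; a name such as `spnego_no_optimistic_opt` (written with spaces around `=`) would avoid an accidental clash with a later assignment.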
|
|
|
4bc27b |
--
2.21.0
From 0119cf5a2888cd3d97927cb77872fbad82362020 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 4 Sep 2019 17:04:12 +0300
Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
---
auth/gensec/spnego.c | 13 +++++++++++++
selftest/knownfail.d/spnego_no_optimistic | 1 -
4 files changed, 13 insertions(+), 4 deletions(-)
delete mode 100644 selftest/knownfail.d/spnego_no_optimistic
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
|
|
|
4bc27b |
index 97472c26837..ddbe03c5d6b 100644
|
|
|
4bc27b |
--- a/auth/gensec/spnego.c
|
|
|
4bc27b |
+++ b/auth/gensec/spnego.c
|
|
|
4bc27b |
@@ -1321,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
|
|
|
4bc27b |
spnego_state->mic_requested = true;
|
|
|
4bc27b |
}
|
|
|
4bc27b |
|
|
|
4bc27b |
+ if (sub_in.length == 0) {
|
|
|
4bc27b |
+ spnego_state->no_optimistic = true;
|
|
|
4bc27b |
+ }
|
|
|
4bc27b |
+
|
|
|
4bc27b |
/*
|
|
|
4bc27b |
* Note that 'cur_sec' is temporary memory, but
|
|
|
4bc27b |
* cur_sec->oid points to a const string in the
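Review bot: The added `if (sub_in.length == 0)` block in gensec_spnego_server_negTokenInit_step reuses `spnego_state->no_optimistic`, which patch 1/3 introduced as a client configuration flag, to record something the peer did; one field now has two unrelated meanings depending on the role. Either a separate server-side field or a comment at the assignment would make this explicit, for example `/* peer sent no mechToken: defer the first sub-mechanism call */`. Because the value is driven by unauthenticated input, it would also help to state where it is reset; the only reset visible in this series is in gensec_spnego_update_pre. The function continues outside this hunk.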
|
|
|
4bc27b |
@@ -1955,6 +1959,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
|
|
|
4bc27b |
* Skip optimistic token per conf.
|
|
|
4bc27b |
*/
|
|
|
4bc27b |
state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
|
|
|
4bc27b |
+ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
|
|
|
4bc27b |
+ state->sub.in.length == 0 && spnego_state->no_optimistic) {
|
|
|
4bc27b |
+ /*
|
|
|
4bc27b |
+ * If we didn't like the mechanism for which the client sent us
|
|
|
4bc27b |
+ * an optimistic token, or if he didn't send any, don't call
|
|
|
4bc27b |
+ * the sub mechanism just yet.
|
|
|
4bc27b |
+ */
|
|
|
4bc27b |
+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
|
|
|
4bc27b |
+ spnego_state->no_optimistic = false;
|
|
|
4bc27b |
} else {
|
|
|
4bc27b |
/*
|
|
|
4bc27b |
* MORE_PROCESSING_REQUIRED =>
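Review bot: The new SPNEGO_SERVER_START branch in gensec_spnego_update_pre answers with `NT_STATUS_MORE_PROCESSING_REQUIRED` without calling the sub-mechanism, and the only thing that visibly limits this to one round is `spnego_state->no_optimistic = false;`, which the comment does not mention. I would add a line to the comment such as `* Clear no_optimistic so that only this first round is skipped.` and confirm that gensec_spnego_server_negTokenInit_step cannot run again while `state_position` is still SPNEGO_SERVER_START, since that would set the flag again from an empty token; the state transition is outside these hunks. The comment's "or if he didn't send any" would read better as "or if the client did not send one". As in the client branch, the sub-mechanism output is left untouched and is presumably initialised empty earlier in the function.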
|
|
|
4bc27b |
diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
|
|
|
4bc27b |
deleted file mode 100644
|
|
|
4bc27b |
index 54f51446be0..00000000000
|
|
|
4bc27b |
--- a/selftest/knownfail.d/spnego_no_optimistic
|
|
|
4bc27b |
+++ /dev/null
|
|
|
4bc27b |
@@ -1 +0,0 @@
|
|
|
4bc27b |
-^samba4.smb.spnego.*.no_optimistic
--
2.21.0