#include "lib/util/asn1.h"
#include "lib/util/base64.h"
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
#undef strcasecmp
_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx);
return n;
}
-static NTSTATUS gensec_spnego_neg_loop(struct gensec_security *gensec_security,
- struct spnego_state *spnego_state,
- const const struct spnego_neg_ops *ops,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- TALLOC_CTX *out_mem_ctx,
- DATA_BLOB *out)
-{
- struct spnego_neg_state *n = NULL;
- NTSTATUS status;
- DATA_BLOB sub_in = data_blob_null;
- DATA_BLOB sub_out = data_blob_null;
-
- *out = data_blob_null;
-
- n = gensec_spnego_neg_state(out_mem_ctx, ops);
- if (n == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- status = n->ops->start_fn(gensec_security, spnego_state, n,
- spnego_in, n, &sub_in);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- TALLOC_FREE(n);
- return status;
- }
-
- while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- status = gensec_update_ev(spnego_state->sub_sec_security,
- n, ev, sub_in, &sub_out);
- sub_in = data_blob_null;
- if (NT_STATUS_IS_OK(status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (!GENSEC_UPDATE_IS_NTERROR(status)) {
- break;
- }
- sub_out = data_blob_null;
-
- status = n->ops->step_fn(gensec_security, spnego_state, n,
- spnego_in, status, n, &sub_in);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- TALLOC_FREE(n);
- return status;
- }
- }
-
- status = n->ops->finish_fn(gensec_security, spnego_state, n,
- spnego_in, status, sub_out,
- out_mem_ctx, out);
- TALLOC_FREE(n);
- return status;
-}
-
-static void gensec_spnego_update_sub_abort(struct spnego_state *spnego_state)
+static void gensec_spnego_reset_sub_sec(struct spnego_state *spnego_state)
{
spnego_state->sub_sec_ready = false;
TALLOC_FREE(spnego_state->sub_sec_security);
/*
* Pretend we never started it
*/
- gensec_spnego_update_sub_abort(spnego_state);
+ gensec_spnego_reset_sub_sec(spnego_state);
/*
* And try the next one...
status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
cur_sec->op);
if (!NT_STATUS_IS_OK(status)) {
- gensec_spnego_update_sub_abort(spnego_state);
+ gensec_spnego_reset_sub_sec(spnego_state);
continue;
}
.finish_fn = gensec_spnego_create_negTokenInit_finish,
};
-/** create a negTokenInit
- *
- * This is the same packet, no matter if the client or server sends it first, but it is always the first packet
-*/
-static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec_security,
- struct spnego_state *spnego_state,
- TALLOC_CTX *out_mem_ctx,
- struct tevent_context *ev,
- DATA_BLOB *out)
-{
- struct spnego_data *spnego_in = NULL;
- return gensec_spnego_neg_loop(gensec_security, spnego_state,
- &gensec_spnego_create_negTokenInit_ops,
- ev, spnego_in, out_mem_ctx, out);
-}
-
static NTSTATUS gensec_spnego_client_negTokenInit_start(
struct gensec_security *gensec_security,
struct spnego_state *spnego_state,
/*
* Pretend we never started it.
*/
- gensec_spnego_update_sub_abort(spnego_state);
+ gensec_spnego_reset_sub_sec(spnego_state);
/*
* And try the next one...
status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
cur_sec->op);
if (!NT_STATUS_IS_OK(status)) {
- gensec_spnego_update_sub_abort(spnego_state);
+ gensec_spnego_reset_sub_sec(spnego_state);
continue;
}
.finish_fn = gensec_spnego_client_negTokenInit_finish,
};
-static NTSTATUS gensec_spnego_client_negTokenInit(struct gensec_security *gensec_security,
- struct spnego_state *spnego_state,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- TALLOC_CTX *out_mem_ctx,
- DATA_BLOB *out)
-{
- return gensec_spnego_neg_loop(gensec_security, spnego_state,
- &gensec_spnego_client_negTokenInit_ops,
- ev, spnego_in, out_mem_ctx, out);
-}
-
-static NTSTATUS gensec_spnego_client_negTokenTarg(struct gensec_security *gensec_security,
- struct spnego_state *spnego_state,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- TALLOC_CTX *out_mem_ctx,
- DATA_BLOB *out)
+static NTSTATUS gensec_spnego_client_negTokenTarg_start(
+ struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct spnego_neg_state *n,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *in_mem_ctx,
+ DATA_BLOB *in_next)
{
struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
- DATA_BLOB sub_in = ta->responseToken;
- DATA_BLOB mech_list_mic = data_blob_null;
- DATA_BLOB sub_out = data_blob_null;
- struct spnego_data spnego_out;
NTSTATUS status;
- *out = data_blob_null;
-
spnego_state->num_targs++;
if (ta->negResult == SPNEGO_REJECT) {
client_mech, client_oid, server_mech, server_oid);
spnego_state->downgraded = true;
- gensec_spnego_update_sub_abort(spnego_state);
+ gensec_spnego_reset_sub_sec(spnego_state);
status = gensec_subcontext_start(spnego_state,
gensec_security,
* https://bugzilla.samba.org/show_bug.cgi?id=11994
*/
spnego_state->needs_mic_check = false;
- status = NT_STATUS_OK;
- goto client_response;
+ return NT_STATUS_OK;
}
status = gensec_check_packet(spnego_state->sub_sec_security,
}
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
- goto client_response;
+ return NT_STATUS_OK;
}
if (!spnego_state->sub_sec_ready) {
- status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- sub_in,
- &sub_out);
- if (NT_STATUS_IS_OK(status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (!NT_STATUS_IS_OK(status)) {
- goto client_response;
- }
- } else {
- status = NT_STATUS_OK;
+ *in_next = ta->responseToken;
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS gensec_spnego_client_negTokenTarg_step(
+ struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct spnego_neg_state *n,
+ struct spnego_data *spnego_in,
+ NTSTATUS last_status,
+ TALLOC_CTX *in_mem_ctx,
+ DATA_BLOB *in_next)
+{
+ if (GENSEC_UPDATE_IS_NTERROR(last_status)) {
+ DBG_WARNING("SPNEGO(%s) login failed: %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ nt_errstr(last_status));
+ return last_status;
+ }
+
+ /*
+ * This should never be reached!
+ * The step function is only called on errors!
+ */
+ smb_panic(__location__);
+ return NT_STATUS_INTERNAL_ERROR;
+}
+
+static NTSTATUS gensec_spnego_client_negTokenTarg_finish(
+ struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct spnego_neg_state *n,
+ struct spnego_data *spnego_in,
+ NTSTATUS sub_status,
+ const DATA_BLOB sub_out,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ const struct spnego_negTokenTarg *ta =
+ &spnego_in->negTokenTarg;
+ DATA_BLOB mech_list_mic = data_blob_null;
+ NTSTATUS status;
+ struct spnego_data spnego_out;
+
+ status = sub_status;
+
+ if (!spnego_state->sub_sec_ready) {
+ /*
+ * We're not yet ready to deal with signatures.
+ */
+ goto client_response;
+ }
+
+ if (spnego_state->done_mic_check) {
+ /*
+ * We already checked the mic,
+ * either the in last round here
+ * in gensec_spnego_client_negTokenTarg_finish()
+ * or during this round in
+ * gensec_spnego_client_negTokenTarg_start().
+ *
+ * Both cases we're sure we don't have to
+ * call gensec_sign_packet().
+ */
+ goto client_response;
+ }
+
+ if (spnego_state->may_skip_mic_check) {
+ /*
+ * This can only be set during
+ * the last round here in
+ * gensec_spnego_client_negTokenTarg_finish()
+ * below. And during this round
+ * we already passed the checks in
+ * gensec_spnego_client_negTokenTarg_start().
+ *
+ * So we need to skip to deal with
+ * any signatures now.
+ */
+ goto client_response;
}
if (!spnego_state->done_mic_check) {
if (spnego_state->needs_mic_sign) {
status = gensec_sign_packet(spnego_state->sub_sec_security,
- out_mem_ctx,
+ n,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
}
client_response:
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- DBG_WARNING("SPNEGO(%s) login failed: %s\n",
- spnego_state->sub_sec_security->ops->name,
- nt_errstr(status));
- return status;
- }
-
if (sub_out.length == 0 && mech_list_mic.length == 0) {
*out = data_blob_null;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
+static const struct spnego_neg_ops gensec_spnego_client_negTokenTarg_ops = {
+ .name = "client_negTokenTarg",
+ .start_fn = gensec_spnego_client_negTokenTarg_start,
+ .step_fn = gensec_spnego_client_negTokenTarg_step,
+ .finish_fn = gensec_spnego_client_negTokenTarg_finish,
+};
+
/** create a server negTokenTarg
*
* This is the case, where the client is the first one who sends data
return nt_status;
}
-static NTSTATUS gensec_spnego_server_negTokenInit(struct gensec_security *gensec_security,
- struct spnego_state *spnego_state,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- TALLOC_CTX *out_mem_ctx,
- DATA_BLOB *out)
+static NTSTATUS gensec_spnego_server_negTokenInit_start(
+ struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct spnego_neg_state *n,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *in_mem_ctx,
+ DATA_BLOB *in_next)
{
- TALLOC_CTX *frame = talloc_stackframe();
- DATA_BLOB sub_out = data_blob_null;
- DATA_BLOB mech_list_mic = data_blob_null;
- const char * const *mech_types = NULL;
- size_t all_idx = 0;
- const struct gensec_security_ops_wrapper *all_sec = NULL;
- size_t mech_idx = 0;
- NTSTATUS status;
bool ok;
- mech_types = spnego_in->negTokenInit.mechTypes;
- if (mech_types == NULL) {
- TALLOC_FREE(frame);
+ n->mech_idx = 0;
+ n->mech_types = spnego_in->negTokenInit.mechTypes;
+ if (n->mech_types == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
- all_sec = gensec_security_by_oid_list(gensec_security, frame,
- mech_types, GENSEC_OID_SPNEGO);
- if (all_sec == NULL) {
+ n->all_idx = 0;
+ n->all_sec = gensec_security_by_oid_list(gensec_security,
+ n, n->mech_types,
+ GENSEC_OID_SPNEGO);
+ if (n->all_sec == NULL) {
DBG_WARNING("gensec_security_by_oid_list() failed\n");
- TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER;
}
- ok = spnego_write_mech_types(spnego_state, mech_types,
+ ok = spnego_write_mech_types(spnego_state,
+ n->mech_types,
&spnego_state->mech_types);
if (!ok) {
DBG_ERR("Failed to write mechTypes\n");
- TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
+ return n->ops->step_fn(gensec_security, spnego_state, n,
+ spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
+}
+
+static NTSTATUS gensec_spnego_server_negTokenInit_step(
+ struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct spnego_neg_state *n,
+ struct spnego_data *spnego_in,
+ NTSTATUS last_status,
+ TALLOC_CTX *in_mem_ctx,
+ DATA_BLOB *in_next)
+{
+ if (!NT_STATUS_IS_OK(last_status)) {
+ const struct gensec_security_ops_wrapper *cur_sec =
+ &n->all_sec[n->all_idx];
+ const char *next_mech = n->mech_types[n->mech_idx+1];
+ const struct gensec_security_ops_wrapper *next_sec = NULL;
+ const char *next = NULL;
+ int dbg_level = DBGLVL_WARNING;
+ bool allow_fallback = false;
+ NTSTATUS status = last_status;
+ size_t i;
+
+ for (i = 0; next_mech != NULL && n->all_sec[i].op != NULL; i++) {
+ if (strcmp(next_mech, n->all_sec[i].oid) != 0) {
+ continue;
+ }
+
+ next_sec = &n->all_sec[i];
+ break;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
+ NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
+ {
+ allow_fallback = true;
+ }
+
+ if (allow_fallback && next_sec != NULL) {
+ next = next_sec->op->name;
+ dbg_level = DBGLVL_NOTICE;
+ }
+
+ DBG_PREFIX(dbg_level, (
+ "%s: parsing NEG_TOKEN_INIT content failed "
+ "(next[%s]): %s\n", cur_sec->op->name,
+ next, nt_errstr(status)));
+
+ if (next == NULL) {
+ /*
+ * A hard error without a possible fallback.
+ */
+ return status;
+ }
+
+ /*
+ * Pretend we never started it
+ */
+ gensec_spnego_reset_sub_sec(spnego_state);
+
+ /*
+ * And try the next one, based on the clients
+ * mech type list...
+ */
+ n->mech_idx += 1;
+ }
+
/*
- * First try the preferred mechs from the client.
+ * we always reset all_idx here, as the negotiation is
+ * done via mech_idx!
*/
- for (; mech_types[mech_idx]; mech_idx++) {
- const char *cur_mech = mech_types[mech_idx];
+ n->all_idx = 0;
+
+ for (; n->mech_types[n->mech_idx] != NULL; n->mech_idx++) {
+ const char *cur_mech = n->mech_types[n->mech_idx];
const struct gensec_security_ops_wrapper *cur_sec = NULL;
+ NTSTATUS status;
DATA_BLOB sub_in = data_blob_null;
+ size_t i;
- for (all_idx = 0; all_sec[all_idx].op; all_idx++) {
- if (strcmp(cur_mech, all_sec[all_idx].oid) == 0) {
- cur_sec = &all_sec[all_idx];
- break;
+ for (i = 0; n->all_sec[i].op != NULL; i++) {
+ if (strcmp(cur_mech, n->all_sec[i].oid) != 0) {
+ continue;
}
+
+ cur_sec = &n->all_sec[i];
+ n->all_idx = i;
+ break;
}
if (cur_sec == NULL) {
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(frame);
return status;
}
/*
* Pretend we never started it
*/
- gensec_spnego_update_sub_abort(spnego_state);
+ gensec_spnego_reset_sub_sec(spnego_state);
continue;
}
- if (mech_idx > 0) {
+ if (n->mech_idx == 0) {
+ /*
+ * We can use the optimistic token.
+ */
+ sub_in = spnego_in->negTokenInit.mechToken;
+ } else {
/*
* Indicate the downgrade and request a
* mic.
*/
spnego_state->downgraded = true;
spnego_state->mic_requested = true;
- /* no optimistic token */
- spnego_state->neg_oid = cur_sec->oid;
- sub_out = data_blob_null;
- status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- goto reply;
}
/*
- * Try the optimistic token from the client
+ * Note that 'cur_sec' is temporary memory, but
+ * cur_sec->oid points to a const string in the
+ * backends gensec_security_ops structure.
*/
- sub_in = spnego_in->negTokenInit.mechToken;
- status = gensec_update_ev(spnego_state->sub_sec_security,
- frame, ev, sub_in, &sub_out);
- if (NT_STATUS_IS_OK(status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
- NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
-
- DBG_WARNING("%s: NEG_TOKEN_INIT failed to parse contents: %s\n",
- cur_sec->op->name, nt_errstr(status));
-
- /*
- * Pretend we never started it
- */
- gensec_spnego_update_sub_abort(spnego_state);
- continue;
- }
-
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- DBG_WARNING("%s: NEG_TOKEN_INIT failed: %s\n",
- cur_sec->op->name, nt_errstr(status));
- TALLOC_FREE(frame);
- return status;
- }
-
spnego_state->neg_oid = cur_sec->oid;
- goto reply; /* OK or MORE PROCESSING */
+
+ /* we need some content from the mech */
+ *in_next = sub_in;
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
- TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER;
+}
+
+static NTSTATUS gensec_spnego_server_negTokenInit_finish(
+ struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct spnego_neg_state *n,
+ struct spnego_data *spnego_in,
+ NTSTATUS sub_status,
+ const DATA_BLOB sub_out,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ DATA_BLOB mech_list_mic = data_blob_null;
- reply:
if (spnego_state->simulate_w2k) {
/*
* Windows 2000 returns the unwrapped token
mech_list_mic = sub_out;
}
- status = gensec_spnego_server_response(spnego_state,
- out_mem_ctx,
- status,
- sub_out,
- mech_list_mic,
- out);
- TALLOC_FREE(frame);
- return status;
+ return gensec_spnego_server_response(spnego_state,
+ out_mem_ctx,
+ sub_status,
+ sub_out,
+ mech_list_mic,
+ out);
}
-static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec_security,
- struct spnego_state *spnego_state,
- struct tevent_context *ev,
- struct spnego_data *spnego_in,
- TALLOC_CTX *out_mem_ctx,
- DATA_BLOB *out)
+static const struct spnego_neg_ops gensec_spnego_server_negTokenInit_ops = {
+ .name = "server_negTokenInit",
+ .start_fn = gensec_spnego_server_negTokenInit_start,
+ .step_fn = gensec_spnego_server_negTokenInit_step,
+ .finish_fn = gensec_spnego_server_negTokenInit_finish,
+};
+
+static NTSTATUS gensec_spnego_server_negTokenTarg_start(
+ struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct spnego_neg_state *n,
+ struct spnego_data *spnego_in,
+ TALLOC_CTX *in_mem_ctx,
+ DATA_BLOB *in_next)
{
const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
- DATA_BLOB sub_in = ta->responseToken;
- DATA_BLOB mech_list_mic = data_blob_null;
- DATA_BLOB sub_out = data_blob_null;
NTSTATUS status;
- bool have_sign = true;
- bool new_spnego = false;
spnego_state->num_targs++;
spnego_state->needs_mic_check = false;
spnego_state->done_mic_check = true;
- goto server_response;
+ return NT_STATUS_OK;
}
if (!spnego_state->sub_sec_ready) {
- status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx, ev,
- sub_in, &sub_out);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- DEBUG(2, ("SPNEGO login failed: %s\n",
- nt_errstr(status)));
- return status;
- }
- if (NT_STATUS_IS_OK(status)) {
- spnego_state->sub_sec_ready = true;
- }
- if (!NT_STATUS_IS_OK(status)) {
- goto server_response;
- }
- } else {
- status = NT_STATUS_OK;
+ *in_next = ta->responseToken;
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS gensec_spnego_server_negTokenTarg_step(
+ struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct spnego_neg_state *n,
+ struct spnego_data *spnego_in,
+ NTSTATUS last_status,
+ TALLOC_CTX *in_mem_ctx,
+ DATA_BLOB *in_next)
+{
+ if (GENSEC_UPDATE_IS_NTERROR(last_status)) {
+ DBG_NOTICE("SPNEGO(%s) login failed: %s\n",
+ spnego_state->sub_sec_security->ops->name,
+ nt_errstr(last_status));
+ return last_status;
+ }
+
+ /*
+ * This should never be reached!
+ * The step function is only called on errors!
+ */
+ smb_panic(__location__);
+ return NT_STATUS_INTERNAL_ERROR;
+}
+
+static NTSTATUS gensec_spnego_server_negTokenTarg_finish(
+ struct gensec_security *gensec_security,
+ struct spnego_state *spnego_state,
+ struct spnego_neg_state *n,
+ struct spnego_data *spnego_in,
+ NTSTATUS sub_status,
+ const DATA_BLOB sub_out,
+ TALLOC_CTX *out_mem_ctx,
+ DATA_BLOB *out)
+{
+ const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
+ DATA_BLOB mech_list_mic = data_blob_null;
+ NTSTATUS status;
+ bool have_sign = true;
+ bool new_spnego = false;
+
+ status = sub_status;
+
+ if (!spnego_state->sub_sec_ready) {
+ /*
+ * We're not yet ready to deal with signatures.
+ */
+ goto server_response;
+ }
+
+ if (spnego_state->done_mic_check) {
+ /*
+ * We already checked the mic,
+ * either the in last round here
+ * in gensec_spnego_server_negTokenTarg_finish()
+ * or during this round in
+ * gensec_spnego_server_negTokenTarg_start().
+ *
+ * Both cases we're sure we don't have to
+ * call gensec_sign_packet().
+ */
+ goto server_response;
}
have_sign = gensec_have_feature(spnego_state->sub_sec_security,
if (spnego_state->needs_mic_sign) {
status = gensec_sign_packet(spnego_state->sub_sec_security,
- out_mem_ctx,
+ n,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
spnego_state->mech_types.data,
out);
}
+static const struct spnego_neg_ops gensec_spnego_server_negTokenTarg_ops = {
+ .name = "server_negTokenTarg",
+ .start_fn = gensec_spnego_server_negTokenTarg_start,
+ .step_fn = gensec_spnego_server_negTokenTarg_step,
+ .finish_fn = gensec_spnego_server_negTokenTarg_finish,
+};
+
struct gensec_spnego_update_state {
struct tevent_context *ev;
struct gensec_security *gensec;
DATA_BLOB out;
} sub;
+ struct spnego_neg_state *n;
+
NTSTATUS status;
DATA_BLOB out;
};
return tevent_req_post(req, ev);
}
- /* fall through */
+ FALL_THROUGH;
case SPNEGO_CLIENT_START:
case SPNEGO_SERVER_START:
const DATA_BLOB in, TALLOC_CTX *mem_ctx,
DATA_BLOB *full_in)
{
- struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
+ struct spnego_state *spnego_state =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct spnego_state);
size_t expected;
bool ok;
struct gensec_spnego_update_state *state =
tevent_req_data(req,
struct gensec_spnego_update_state);
- struct gensec_security *gensec_security = state->gensec;
struct spnego_state *spnego_state = state->spnego;
- struct tevent_context *ev = state->ev;
+ const struct spnego_neg_ops *ops = NULL;
NTSTATUS status;
state->sub.needed = false;
case SPNEGO_CLIENT_START:
if (state->spnego_in == NULL) {
/* client to produce negTokenInit */
- status = gensec_spnego_create_negTokenInit(gensec_security,
- spnego_state, state, ev,
- &spnego_state->out_frag);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- tevent_req_nterror(req, status);
- return;
- }
+ ops = &gensec_spnego_create_negTokenInit_ops;
break;
}
- status = gensec_spnego_client_negTokenInit(gensec_security,
- spnego_state, ev,
- state->spnego_in, state,
- &spnego_state->out_frag);
+ ops = &gensec_spnego_client_negTokenInit_ops;
break;
case SPNEGO_CLIENT_TARG:
- status = gensec_spnego_client_negTokenTarg(gensec_security,
- spnego_state, ev,
- state->spnego_in, state,
- &spnego_state->out_frag);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- tevent_req_nterror(req, status);
- return;
- }
+ ops = &gensec_spnego_client_negTokenTarg_ops;
break;
case SPNEGO_SERVER_START:
if (state->spnego_in == NULL) {
/* server to produce negTokenInit */
- status = gensec_spnego_create_negTokenInit(gensec_security,
- spnego_state, state, ev,
- &spnego_state->out_frag);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- tevent_req_nterror(req, status);
- return;
- }
+ ops = &gensec_spnego_create_negTokenInit_ops;
break;
}
- status = gensec_spnego_server_negTokenInit(gensec_security,
- spnego_state, ev,
- state->spnego_in, state,
- &spnego_state->out_frag);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- tevent_req_nterror(req, status);
- return;
- }
+ ops = &gensec_spnego_server_negTokenInit_ops;
break;
case SPNEGO_SERVER_TARG:
- status = gensec_spnego_server_negTokenTarg(gensec_security,
- spnego_state, ev,
- state->spnego_in, state,
- &spnego_state->out_frag);
- if (GENSEC_UPDATE_IS_NTERROR(status)) {
- tevent_req_nterror(req, status);
- return;
- }
+ ops = &gensec_spnego_server_negTokenTarg_ops;
break;
default:
return;
}
- spnego_state->out_status = status;
+ state->n = gensec_spnego_neg_state(state, ops);
+ if (tevent_req_nomem(state->n, req)) {
+ return;
+ }
+
+ status = ops->start_fn(state->gensec, spnego_state, state->n,
+ state->spnego_in, state, &state->sub.in);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ if (NT_STATUS_IS_OK(status)) {
+ /*
+ * Call finish_fn() with an empty
+ * blob and NT_STATUS_OK.
+ */
+ state->sub.status = NT_STATUS_OK;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED =>
+ * we need to call gensec_update_send().
+ */
+ state->sub.needed = true;
+ }
}
static void gensec_spnego_update_done(struct tevent_req *subreq)
tevent_req_data(req,
struct gensec_spnego_update_state);
struct spnego_state *spnego_state = state->spnego;
+ const struct spnego_neg_ops *ops = NULL;
NTSTATUS status;
state->sub.in = data_blob_null;
goto respond;
}
- /*
- * For now just handle the sync processing done
- * in gensec_spnego_update_pre()
- */
- status = spnego_state->out_status;
+ ops = state->n->ops;
+
+ if (GENSEC_UPDATE_IS_NTERROR(state->sub.status)) {
+
+
+ /*
+ * gensec_update_recv() returned an error,
+ * let's see if the step_fn() want to
+ * handle it and negotiate something else.
+ */
+
+ status = ops->step_fn(state->gensec,
+ spnego_state,
+ state->n,
+ state->spnego_in,
+ state->sub.status,
+ state,
+ &state->sub.in);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
+
+ state->sub.out = data_blob_null;
+ state->sub.status = NT_STATUS_INTERNAL_ERROR;
+
+ if (NT_STATUS_IS_OK(status)) {
+ /*
+ * Call finish_fn() with an empty
+ * blob and NT_STATUS_OK.
+ */
+ state->sub.status = NT_STATUS_OK;
+ } else {
+ /*
+ * MORE_PROCESSING_REQUIRED...
+ */
+ state->sub.needed = true;
+ }
+ }
+
+ if (state->sub.needed) {
+ struct tevent_req *subreq = NULL;
+
+ /*
+ * We may need one more roundtrip...
+ */
+ subreq = gensec_update_send(state, state->ev,
+ spnego_state->sub_sec_security,
+ state->sub.in);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq,
+ gensec_spnego_update_done,
+ req);
+ state->sub.needed = false;
+ return;
+ }
+
+ status = ops->finish_fn(state->gensec,
+ spnego_state,
+ state->n,
+ state->spnego_in,
+ state->sub.status,
+ state->sub.out,
+ spnego_state,
+ &spnego_state->out_frag);
+ TALLOC_FREE(state->n);
+ if (GENSEC_UPDATE_IS_NTERROR(status)) {
+ tevent_req_nterror(req, status);
+ return;
+ }
if (NT_STATUS_IS_OK(status)) {
bool reset_full = true;
TALLOC_CTX *out_mem_ctx,
DATA_BLOB *_out)
{
- struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
+ struct spnego_state *spnego_state =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct spnego_state);
DATA_BLOB out = data_blob_null;
bool ok;
.expire_time = gensec_child_expire_time,
.final_auth_type = gensec_child_final_auth_type,
.enabled = true,
- .priority = GENSEC_SPNEGO
+ .priority = GENSEC_SPNEGO,
+ .glue = true,
};
_PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx)