1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

auth/spnego: do parse the incoming blob already in gensec_spnego_update_send()

It's easier to have this in one central place.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Stefan Metzmacher 2017-06-14 03:39:02 +02:00 committed by Andreas Schneider
parent 00c195b431
commit 6521967c4b

View File

@ -638,15 +638,13 @@ static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
const DATA_BLOB in, DATA_BLOB *out)
struct spnego_data *spnego_in,
DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
DATA_BLOB mech_list_mic = data_blob_null;
DATA_BLOB unwrapped_out = data_blob_null;
struct spnego_data spnego_out;
struct spnego_data spnego;
struct spnego_data *spnego_in = NULL;
ssize_t len;
*out = data_blob_null;
@ -662,7 +660,7 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
bool ok;
const char *tp = NULL;
if (!in.length) {
if (spnego_in == NULL) {
/* client to produce negTokenInit */
return gensec_spnego_create_negTokenInit(gensec_security,
spnego_state,
@ -670,24 +668,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
ev, out);
}
len = spnego_read_data(gensec_security, in, &spnego);
if (len == -1) {
DEBUG(1, ("Invalid SPNEGO request:\n"));
dump_data(1, in.data, in.length);
return NT_STATUS_INVALID_PARAMETER;
}
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
spnego_in = &spnego;
tp = spnego_in->negTokenInit.targetPrincipal;
if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
DEBUG(5, ("Server claims it's principal name is %s\n", tp));
@ -704,7 +684,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
&unwrapped_out);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
spnego_free_data(&spnego);
return nt_status;
}
@ -734,37 +713,14 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
spnego_state->state_position = SPNEGO_CLIENT_TARG;
spnego_free_data(&spnego);
return NT_STATUS_MORE_PROCESSING_REQUIRED;
}
case SPNEGO_CLIENT_TARG:
{
NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
const struct spnego_negTokenTarg *ta = NULL;
if (!in.length) {
return NT_STATUS_INVALID_PARAMETER;
}
len = spnego_read_data(gensec_security, in, &spnego);
if (len == -1) {
DEBUG(1, ("Invalid SPNEGO request:\n"));
dump_data(1, in.data, in.length);
return NT_STATUS_INVALID_PARAMETER;
}
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
spnego_in = &spnego;
ta = &spnego_in->negTokenTarg;
const struct spnego_negTokenTarg *ta =
&spnego_in->negTokenTarg;
spnego_state->num_targs++;
@ -790,21 +746,18 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
gensec_security,
&spnego_state->sub_sec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
spnego_free_data(&spnego);
return nt_status;
}
/* select the sub context */
nt_status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
ta->supportedMech);
if (!NT_STATUS_IS_OK(nt_status)) {
spnego_free_data(&spnego);
return nt_status;
}
spnego_state->neg_oid = talloc_strdup(spnego_state,
ta->supportedMech);
if (spnego_state->neg_oid == NULL) {
spnego_free_data(&spnego);
return NT_STATUS_NO_MEMORY;
};
}
@ -836,7 +789,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (spnego_state->needs_mic_check) {
if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
@ -866,7 +818,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_check = false;
@ -992,7 +943,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to verify mechListMIC: %s\n",
nt_errstr(nt_status)));
spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_check = false;
@ -1010,7 +960,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(2,("GENSEC SPNEGO: failed to sign mechListMIC: %s\n",
nt_errstr(nt_status)));
spnego_free_data(&spnego);
return nt_status;
}
spnego_state->needs_mic_sign = false;
@ -1021,8 +970,6 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
}
client_response:
spnego_free_data(&spnego);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
&& !NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("SPNEGO(%s) login failed: %s\n",
@ -1075,14 +1022,12 @@ static NTSTATUS gensec_spnego_update_client(struct gensec_security *gensec_secur
static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_security,
TALLOC_CTX *out_mem_ctx,
struct tevent_context *ev,
const DATA_BLOB in, DATA_BLOB *out)
struct spnego_data *spnego_in,
DATA_BLOB *out)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
DATA_BLOB mech_list_mic = data_blob_null;
DATA_BLOB unwrapped_out = data_blob_null;
struct spnego_data spnego;
struct spnego_data *spnego_in = NULL;
ssize_t len;
/* and switch into the state machine */
@ -1091,44 +1036,13 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
{
NTSTATUS nt_status;
if (in.length == 0) {
if (spnego_in == NULL) {
return gensec_spnego_create_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
ev, out);
}
len = spnego_read_data(gensec_security, in, &spnego);
if (len == -1) {
/*
* This is the 'fallback' case, where we don't get
* SPNEGO, and have to try all the other options (and
* hope they all have a magic string they check)
*/
nt_status = gensec_spnego_server_try_fallback(gensec_security,
spnego_state,
out_mem_ctx,
in);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
return gensec_update_ev(spnego_state->sub_sec_security,
out_mem_ctx, ev,
in, out);
}
/* client sent NegTargetInit, we send NegTokenTarg */
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
spnego_in = &spnego;
nt_status = gensec_spnego_parse_negTokenInit(gensec_security,
spnego_state,
out_mem_ctx,
@ -1155,8 +1069,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
mech_list_mic,
out);
spnego_free_data(&spnego);
return nt_status;
}
@ -1166,40 +1078,16 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
bool have_sign = true;
bool new_spnego = false;
if (!in.length) {
return NT_STATUS_INVALID_PARAMETER;
}
len = spnego_read_data(gensec_security, in, &spnego);
if (len == -1) {
DEBUG(1, ("Invalid SPNEGO request:\n"));
dump_data(1, in.data, in.length);
return NT_STATUS_INVALID_PARAMETER;
}
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (spnego.type != spnego_state->expected_packet) {
DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n", spnego.type,
spnego_state->expected_packet));
dump_data(1, in.data, in.length);
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
spnego_in = &spnego;
spnego_state->num_targs++;
if (!spnego_state->sub_sec_security) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
if (spnego_state->needs_mic_check) {
if (spnego_in->negTokenTarg.responseToken.length != 0) {
DEBUG(1, ("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n"));
spnego_free_data(&spnego);
return NT_STATUS_INVALID_PARAMETER;
}
@ -1295,8 +1183,6 @@ static NTSTATUS gensec_spnego_update_server(struct gensec_security *gensec_secur
mech_list_mic,
out);
spnego_free_data(&spnego);
return nt_status;
}
@ -1312,6 +1198,8 @@ struct gensec_spnego_update_state {
struct gensec_security *gensec;
struct spnego_state *spnego;
DATA_BLOB full_in;
struct spnego_data _spnego_in;
struct spnego_data *spnego_in;
NTSTATUS status;
DATA_BLOB out;
};
@ -1355,6 +1243,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
struct tevent_req *req = NULL;
struct gensec_spnego_update_state *state = NULL;
NTSTATUS status;
ssize_t len;
req = tevent_req_create(mem_ctx, &state,
struct gensec_spnego_update_state);
@ -1397,6 +1286,78 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
/* Check if we got a valid SPNEGO blob... */
switch (spnego_state->state_position) {
case SPNEGO_FALLBACK:
break;
case SPNEGO_CLIENT_TARG:
case SPNEGO_SERVER_TARG:
if (state->full_in.length == 0) {
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
/* fall through */
case SPNEGO_CLIENT_START:
case SPNEGO_SERVER_START:
if (state->full_in.length == 0) {
/* create_negTokenInit later */
break;
}
len = spnego_read_data(state,
state->full_in,
&state->_spnego_in);
if (len == -1) {
if (spnego_state->state_position != SPNEGO_SERVER_START) {
DEBUG(1, ("Invalid SPNEGO request:\n"));
dump_data(1, state->full_in.data,
state->full_in.length);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
/*
* This is the 'fallback' case, where we don't get
* SPNEGO, and have to try all the other options (and
* hope they all have a magic string they check)
*/
status = gensec_spnego_server_try_fallback(gensec_security,
spnego_state,
state,
state->full_in);
if (tevent_req_nterror(req, status)) {
return tevent_req_post(req, ev);
}
/*
* We'll continue with SPNEGO_FALLBACK below...
*/
break;
}
state->spnego_in = &state->_spnego_in;
/* OK, so it's real SPNEGO, check the packet's the one we expect */
if (state->spnego_in->type != spnego_state->expected_packet) {
DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n",
state->spnego_in->type,
spnego_state->expected_packet));
dump_data(1, state->full_in.data,
state->full_in.length);
tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
break;
default:
smb_panic(__location__);
return NULL;
}
/* and switch into the state machine */
switch (spnego_state->state_position) {
@ -1411,7 +1372,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
case SPNEGO_CLIENT_TARG:
status = gensec_spnego_update_client(gensec_security,
state, ev,
state->full_in,
state->spnego_in,
&spnego_state->out_frag);
break;
@ -1419,7 +1380,7 @@ static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
case SPNEGO_SERVER_TARG:
status = gensec_spnego_update_server(gensec_security,
state, ev,
state->full_in,
state->spnego_in,
&spnego_state->out_frag);
break;