spnego: fix server handling of no optimistic exchange

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106

Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184

auth/gensec/spnego.c

@@ -1321,6 +1321,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
 			spnego_state->mic_requested = true;
 		}
 
+		if (sub_in.length == 0) {
+			spnego_state->no_optimistic = true;
+		}
+
 		/*
 		 * Note that 'cur_sec' is temporary memory, but
 		 * cur_sec->oid points to a const string in the
@@ -1955,6 +1959,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
 		 * Skip optimistic token per conf.
 		 */
 		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+	} else if (spnego_state->state_position == SPNEGO_SERVER_START &&
+		   state->sub.in.length == 0 && spnego_state->no_optimistic) {
+		/*
+		 * If we didn't like the mechanism for which the client sent us
+		 * an optimistic token, or if he didn't send any, don't call
+		 * the sub mechanism just yet.
+		 */
+		state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+		spnego_state->no_optimistic = false;
 	} else {
 		/*
 		 * MORE_PROCESSING_REQUIRED =>

selftest/knownfail.d/samba.tests.gensec

@@ -1,2 +0,0 @@
-^samba.tests.gensec.samba.tests.gensec.GensecTests.test_update_no_optimistic_spnego
-^samba.tests.gensec.samba.tests.gensec.GensecTests.test_update_spnego_downgrade

selftest/knownfail.d/spnego_downgrade

@@ -1 +0,0 @@
-^samba3.blackbox.smbd_no_krb5.test_spnego_downgrade

selftest/knownfail.d/spnego_no_optimistic

@@ -1 +0,0 @@
-^samba4.smb.spnego.*.no_optimistic