VERSION: Disable GIT_SNAPSHOT for the 4.14.0rc1 release.
[Samba.git] / auth / gensec / spnego.c
blob87545d860e813fa4507897f9fcaf7ccace1681b1
1 /*
2 Unix SMB/CIFS implementation.
4 RFC2478 Compliant SPNEGO implementation
6 Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
8 Copyright (C) Stefan Metzmacher <metze@samba.org> 2004-2008
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "includes.h"
26 #include <tevent.h>
27 #include "lib/util/tevent_ntstatus.h"
28 #include "../libcli/auth/spnego.h"
29 #include "librpc/gen_ndr/ndr_dcerpc.h"
30 #include "auth/credentials/credentials.h"
31 #include "auth/gensec/gensec.h"
32 #include "auth/gensec/gensec_internal.h"
33 #include "param/param.h"
34 #include "lib/util/asn1.h"
35 #include "lib/util/base64.h"
37 #undef DBGC_CLASS
38 #define DBGC_CLASS DBGC_AUTH
40 #undef strcasecmp
42 _PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx);
44 enum spnego_state_position {
45 SPNEGO_SERVER_START,
46 SPNEGO_CLIENT_START,
47 SPNEGO_SERVER_TARG,
48 SPNEGO_CLIENT_TARG,
49 SPNEGO_FALLBACK,
50 SPNEGO_DONE
53 struct spnego_state;
54 struct spnego_neg_ops;
55 struct spnego_neg_state;
57 struct spnego_neg_state {
58 const struct spnego_neg_ops *ops;
59 const struct gensec_security_ops_wrapper *all_sec;
60 size_t all_idx;
61 const char * const *mech_types;
62 size_t mech_idx;
65 struct spnego_neg_ops {
66 const char *name;
68 * The start hook does the initial processing on the incoming paket and
69 * may starts the first possible subcontext. It indicates that
70 * gensec_update() is required on the subcontext by returning
71 * NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in
72 * 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the
73 * caller should treat 'in_next' as const and don't attempt to free the
74 * content. NT_STATUS_OK indicates the finish hook should be invoked
75 * directly within the need of gensec_update() on the subcontext.
76 * Every other error indicates an error that's returned to the caller.
78 NTSTATUS (*start_fn)(struct gensec_security *gensec_security,
79 struct spnego_state *spnego_state,
80 struct spnego_neg_state *n,
81 struct spnego_data *spnego_in,
82 TALLOC_CTX *in_mem_ctx,
83 DATA_BLOB *in_next);
85 * The step hook processes the result of a failed gensec_update() and
86 * can decide to ignore a failure and continue the negotiation by
87 * setting up the next possible subcontext. It indicates that
88 * gensec_update() is required on the subcontext by returning
89 * NT_STATUS_MORE_PROCESSING_REQUIRED and return something useful in
90 * 'in_next'. Note that 'in_mem_ctx' is just passed as a hint, the
91 * caller should treat 'in_next' as const and don't attempt to free the
92 * content. NT_STATUS_OK indicates the finish hook should be invoked
93 * directly within the need of gensec_update() on the subcontext.
94 * Every other error indicates an error that's returned to the caller.
96 NTSTATUS (*step_fn)(struct gensec_security *gensec_security,
97 struct spnego_state *spnego_state,
98 struct spnego_neg_state *n,
99 struct spnego_data *spnego_in,
100 NTSTATUS last_status,
101 TALLOC_CTX *in_mem_ctx,
102 DATA_BLOB *in_next);
104 * The finish hook processes the result of a successful gensec_update()
105 * (NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED). It forms the
106 * response pdu that will be returned from the toplevel gensec_update()
107 * together with NT_STATUS_OK or NT_STATUS_MORE_PROCESSING_REQUIRED. It
108 * may also alter the state machine to prepare receiving the next pdu
109 * from the peer.
111 NTSTATUS (*finish_fn)(struct gensec_security *gensec_security,
112 struct spnego_state *spnego_state,
113 struct spnego_neg_state *n,
114 struct spnego_data *spnego_in,
115 NTSTATUS sub_status,
116 const DATA_BLOB sub_out,
117 TALLOC_CTX *out_mem_ctx,
118 DATA_BLOB *out);
121 struct spnego_state {
122 enum spnego_message_type expected_packet;
123 enum spnego_state_position state_position;
124 struct gensec_security *sub_sec_security;
125 bool sub_sec_ready;
127 const char *neg_oid;
129 DATA_BLOB mech_types;
130 size_t num_targs;
131 bool downgraded;
132 bool mic_requested;
133 bool needs_mic_sign;
134 bool needs_mic_check;
135 bool may_skip_mic_check;
136 bool done_mic_check;
138 bool simulate_w2k;
139 bool no_optimistic;
142 * The following is used to implement
143 * the update token fragmentation
145 size_t in_needed;
146 DATA_BLOB in_frag;
147 size_t out_max_length;
148 DATA_BLOB out_frag;
149 NTSTATUS out_status;
152 static struct spnego_neg_state *gensec_spnego_neg_state(TALLOC_CTX *mem_ctx,
153 const struct spnego_neg_ops *ops)
155 struct spnego_neg_state *n = NULL;
157 n = talloc_zero(mem_ctx, struct spnego_neg_state);
158 if (n == NULL) {
159 return NULL;
161 n->ops = ops;
163 return n;
166 static void gensec_spnego_reset_sub_sec(struct spnego_state *spnego_state)
168 spnego_state->sub_sec_ready = false;
169 TALLOC_FREE(spnego_state->sub_sec_security);
172 static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_security)
174 struct spnego_state *spnego_state;
176 spnego_state = talloc_zero(gensec_security, struct spnego_state);
177 if (!spnego_state) {
178 return NT_STATUS_NO_MEMORY;
181 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
182 spnego_state->state_position = SPNEGO_CLIENT_START;
183 spnego_state->sub_sec_security = NULL;
184 spnego_state->sub_sec_ready = false;
185 spnego_state->mech_types = data_blob_null;
186 spnego_state->out_max_length = gensec_max_update_size(gensec_security);
187 spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
189 spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
190 "spnego", "simulate_w2k", false);
191 spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
192 "spnego",
193 "client_no_optimistic",
194 false);
196 gensec_security->private_data = spnego_state;
197 return NT_STATUS_OK;
200 static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_security)
202 struct spnego_state *spnego_state;
204 spnego_state = talloc_zero(gensec_security, struct spnego_state);
205 if (!spnego_state) {
206 return NT_STATUS_NO_MEMORY;
209 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
210 spnego_state->state_position = SPNEGO_SERVER_START;
211 spnego_state->sub_sec_security = NULL;
212 spnego_state->sub_sec_ready = false;
213 spnego_state->mech_types = data_blob_null;
214 spnego_state->out_max_length = gensec_max_update_size(gensec_security);
215 spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
217 spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
218 "spnego", "simulate_w2k", false);
220 gensec_security->private_data = spnego_state;
221 return NT_STATUS_OK;
224 /** Fallback to another GENSEC mechanism, based on magic strings
226 * This is the 'fallback' case, where we don't get SPNEGO, and have to
227 * try all the other options (and hope they all have a magic string
228 * they check)
231 static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security,
232 struct spnego_state *spnego_state,
233 TALLOC_CTX *mem_ctx,
234 const DATA_BLOB in)
236 int i,j;
237 const struct gensec_security_ops **all_ops;
239 all_ops = gensec_security_mechs(gensec_security, mem_ctx);
241 for (i=0; all_ops && all_ops[i]; i++) {
242 bool is_spnego;
243 NTSTATUS nt_status;
245 if (gensec_security != NULL &&
246 !gensec_security_ops_enabled(all_ops[i], gensec_security))
248 continue;
251 if (!all_ops[i]->oid) {
252 continue;
255 is_spnego = false;
256 for (j=0; all_ops[i]->oid[j]; j++) {
257 if (strcasecmp(GENSEC_OID_SPNEGO,all_ops[i]->oid[j]) == 0) {
258 is_spnego = true;
261 if (is_spnego) {
262 continue;
265 if (!all_ops[i]->magic) {
266 continue;
269 nt_status = all_ops[i]->magic(gensec_security, &in);
270 if (!NT_STATUS_IS_OK(nt_status)) {
271 continue;
274 spnego_state->state_position = SPNEGO_FALLBACK;
276 nt_status = gensec_subcontext_start(spnego_state,
277 gensec_security,
278 &spnego_state->sub_sec_security);
280 if (!NT_STATUS_IS_OK(nt_status)) {
281 return nt_status;
283 /* select the sub context */
284 nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
285 all_ops[i]);
286 if (!NT_STATUS_IS_OK(nt_status)) {
287 return nt_status;
290 return NT_STATUS_OK;
292 DEBUG(1, ("Failed to parse SPNEGO request\n"));
293 return NT_STATUS_INVALID_PARAMETER;
296 static NTSTATUS gensec_spnego_create_negTokenInit_start(
297 struct gensec_security *gensec_security,
298 struct spnego_state *spnego_state,
299 struct spnego_neg_state *n,
300 struct spnego_data *spnego_in,
301 TALLOC_CTX *in_mem_ctx,
302 DATA_BLOB *in_next)
304 n->mech_idx = 0;
305 n->mech_types = gensec_security_oids(gensec_security, n,
306 GENSEC_OID_SPNEGO);
307 if (n->mech_types == NULL) {
308 DBG_WARNING("gensec_security_oids() failed\n");
309 return NT_STATUS_NO_MEMORY;
312 n->all_idx = 0;
313 n->all_sec = gensec_security_by_oid_list(gensec_security,
314 n, n->mech_types,
315 GENSEC_OID_SPNEGO);
316 if (n->all_sec == NULL) {
317 DBG_WARNING("gensec_security_by_oid_list() failed\n");
318 return NT_STATUS_NO_MEMORY;
321 return n->ops->step_fn(gensec_security, spnego_state, n,
322 spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
325 static NTSTATUS gensec_spnego_create_negTokenInit_step(
326 struct gensec_security *gensec_security,
327 struct spnego_state *spnego_state,
328 struct spnego_neg_state *n,
329 struct spnego_data *spnego_in,
330 NTSTATUS last_status,
331 TALLOC_CTX *in_mem_ctx,
332 DATA_BLOB *in_next)
334 if (!NT_STATUS_IS_OK(last_status)) {
335 const struct gensec_security_ops_wrapper *cur_sec =
336 &n->all_sec[n->all_idx];
337 const struct gensec_security_ops_wrapper *next_sec = NULL;
338 const char *next = NULL;
339 const char *principal = NULL;
340 int dbg_level = DBGLVL_WARNING;
341 NTSTATUS status = last_status;
343 if (cur_sec[1].op != NULL) {
344 next_sec = &cur_sec[1];
347 if (next_sec != NULL) {
348 next = next_sec->op->name;
349 dbg_level = DBGLVL_NOTICE;
352 if (gensec_security->target.principal != NULL) {
353 principal = gensec_security->target.principal;
354 } else if (gensec_security->target.service != NULL &&
355 gensec_security->target.hostname != NULL)
357 principal = talloc_asprintf(spnego_state->sub_sec_security,
358 "%s/%s",
359 gensec_security->target.service,
360 gensec_security->target.hostname);
361 } else {
362 principal = gensec_security->target.hostname;
365 DBG_PREFIX(dbg_level, (
366 "%s: creating NEG_TOKEN_INIT for %s failed "
367 "(next[%s]): %s\n", cur_sec->op->name,
368 principal, next, nt_errstr(status)));
370 if (next == NULL) {
372 * A hard error without a possible fallback.
374 return status;
378 * Pretend we never started it
380 gensec_spnego_reset_sub_sec(spnego_state);
383 * And try the next one...
385 n->all_idx += 1;
388 for (; n->all_sec[n->all_idx].op != NULL; n->all_idx++) {
389 const struct gensec_security_ops_wrapper *cur_sec =
390 &n->all_sec[n->all_idx];
391 NTSTATUS status;
393 status = gensec_subcontext_start(spnego_state,
394 gensec_security,
395 &spnego_state->sub_sec_security);
396 if (!NT_STATUS_IS_OK(status)) {
397 return status;
400 /* select the sub context */
401 status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
402 cur_sec->op);
403 if (!NT_STATUS_IS_OK(status)) {
404 gensec_spnego_reset_sub_sec(spnego_state);
405 continue;
408 /* In the client, try and produce the first (optimistic) packet */
409 if (spnego_state->state_position == SPNEGO_CLIENT_START) {
410 *in_next = data_blob_null;
411 return NT_STATUS_MORE_PROCESSING_REQUIRED;
414 *in_next = data_blob_null;
415 return NT_STATUS_OK;
418 DBG_WARNING("Failed to setup SPNEGO negTokenInit request\n");
419 return NT_STATUS_INVALID_PARAMETER;
422 static NTSTATUS gensec_spnego_create_negTokenInit_finish(
423 struct gensec_security *gensec_security,
424 struct spnego_state *spnego_state,
425 struct spnego_neg_state *n,
426 struct spnego_data *spnego_in,
427 NTSTATUS sub_status,
428 const DATA_BLOB sub_out,
429 TALLOC_CTX *out_mem_ctx,
430 DATA_BLOB *out)
432 const struct gensec_security_ops_wrapper *cur_sec =
433 &n->all_sec[n->all_idx];
434 struct spnego_data spnego_out;
435 bool ok;
437 spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
439 n->mech_types = gensec_security_oids_from_ops_wrapped(n, cur_sec);
440 if (n->mech_types == NULL) {
441 DBG_WARNING("gensec_security_oids_from_ops_wrapped() failed\n");
442 return NT_STATUS_NO_MEMORY;
445 ok = spnego_write_mech_types(spnego_state,
446 n->mech_types,
447 &spnego_state->mech_types);
448 if (!ok) {
449 DBG_ERR("Failed to write mechTypes\n");
450 return NT_STATUS_NO_MEMORY;
453 /* List the remaining mechs as options */
454 spnego_out.negTokenInit.mechTypes = n->mech_types;
455 spnego_out.negTokenInit.reqFlags = data_blob_null;
456 spnego_out.negTokenInit.reqFlagsPadding = 0;
458 if (spnego_state->state_position == SPNEGO_SERVER_START) {
459 spnego_out.negTokenInit.mechListMIC
460 = data_blob_string_const(ADS_IGNORE_PRINCIPAL);
461 } else {
462 spnego_out.negTokenInit.mechListMIC = data_blob_null;
465 spnego_out.negTokenInit.mechToken = sub_out;
467 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
468 DBG_ERR("Failed to write NEG_TOKEN_INIT\n");
469 return NT_STATUS_INVALID_PARAMETER;
473 * Note that 'cur_sec' is temporary memory, but
474 * cur_sec->oid points to a const string in the
475 * backends gensec_security_ops structure.
477 spnego_state->neg_oid = cur_sec->oid;
479 /* set next state */
480 if (spnego_state->state_position == SPNEGO_SERVER_START) {
481 spnego_state->state_position = SPNEGO_SERVER_START;
482 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT;
483 } else {
484 spnego_state->state_position = SPNEGO_CLIENT_TARG;
485 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
488 return NT_STATUS_MORE_PROCESSING_REQUIRED;
491 static const struct spnego_neg_ops gensec_spnego_create_negTokenInit_ops = {
492 .name = "create_negTokenInit",
493 .start_fn = gensec_spnego_create_negTokenInit_start,
494 .step_fn = gensec_spnego_create_negTokenInit_step,
495 .finish_fn = gensec_spnego_create_negTokenInit_finish,
498 static NTSTATUS gensec_spnego_client_negTokenInit_start(
499 struct gensec_security *gensec_security,
500 struct spnego_state *spnego_state,
501 struct spnego_neg_state *n,
502 struct spnego_data *spnego_in,
503 TALLOC_CTX *in_mem_ctx,
504 DATA_BLOB *in_next)
506 const char *tp = NULL;
508 /* The server offers a list of mechanisms */
510 tp = spnego_in->negTokenInit.targetPrincipal;
511 if (tp != NULL && strcmp(tp, ADS_IGNORE_PRINCIPAL) != 0) {
512 DBG_INFO("Server claims it's principal name is %s\n", tp);
513 if (lpcfg_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
514 gensec_set_target_principal(gensec_security, tp);
518 n->mech_idx = 0;
520 /* Do not use server mech list as it isn't protected. Instead, get all
521 * supported mechs (excluding SPNEGO). */
522 n->mech_types = gensec_security_oids(gensec_security, n,
523 GENSEC_OID_SPNEGO);
524 if (n->mech_types == NULL) {
525 return NT_STATUS_INVALID_PARAMETER;
528 n->all_idx = 0;
529 n->all_sec = gensec_security_by_oid_list(gensec_security,
530 n, n->mech_types,
531 GENSEC_OID_SPNEGO);
532 if (n->all_sec == NULL) {
533 DBG_WARNING("gensec_security_by_oid_list() failed\n");
534 return NT_STATUS_INVALID_PARAMETER;
537 return n->ops->step_fn(gensec_security, spnego_state, n,
538 spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
541 static NTSTATUS gensec_spnego_client_negTokenInit_step(
542 struct gensec_security *gensec_security,
543 struct spnego_state *spnego_state,
544 struct spnego_neg_state *n,
545 struct spnego_data *spnego_in,
546 NTSTATUS last_status,
547 TALLOC_CTX *in_mem_ctx,
548 DATA_BLOB *in_next)
550 if (!NT_STATUS_IS_OK(last_status)) {
551 const struct gensec_security_ops_wrapper *cur_sec =
552 &n->all_sec[n->all_idx];
553 const struct gensec_security_ops_wrapper *next_sec = NULL;
554 const char *next = NULL;
555 const char *principal = NULL;
556 int dbg_level = DBGLVL_WARNING;
557 bool allow_fallback = false;
558 NTSTATUS status = last_status;
560 if (cur_sec[1].op != NULL) {
561 next_sec = &cur_sec[1];
565 * it is likely that a NULL input token will
566 * not be liked by most server mechs, but if
567 * we are in the client, we want the first
568 * update packet to be able to abort the use
569 * of this mech
571 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
572 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_ACCOUNT_NAME) ||
573 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_COMPUTER_NAME) ||
574 NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_DOMAIN) ||
575 NT_STATUS_EQUAL(status, NT_STATUS_NO_LOGON_SERVERS) ||
576 NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
577 NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
579 allow_fallback = true;
582 if (allow_fallback && next_sec != NULL) {
583 next = next_sec->op->name;
584 dbg_level = DBGLVL_NOTICE;
587 if (gensec_security->target.principal != NULL) {
588 principal = gensec_security->target.principal;
589 } else if (gensec_security->target.service != NULL &&
590 gensec_security->target.hostname != NULL)
592 principal = talloc_asprintf(spnego_state->sub_sec_security,
593 "%s/%s",
594 gensec_security->target.service,
595 gensec_security->target.hostname);
596 } else {
597 principal = gensec_security->target.hostname;
600 DBG_PREFIX(dbg_level, (
601 "%s: creating NEG_TOKEN_INIT for %s failed "
602 "(next[%s]): %s\n", cur_sec->op->name,
603 principal, next, nt_errstr(status)));
605 if (next == NULL) {
607 * A hard error without a possible fallback.
609 return status;
613 * Pretend we never started it.
615 gensec_spnego_reset_sub_sec(spnego_state);
618 * And try the next one...
620 n->all_idx += 1;
623 for (; n->all_sec[n->all_idx].op != NULL; n->all_idx++) {
624 const struct gensec_security_ops_wrapper *cur_sec =
625 &n->all_sec[n->all_idx];
626 NTSTATUS status;
628 status = gensec_subcontext_start(spnego_state,
629 gensec_security,
630 &spnego_state->sub_sec_security);
631 if (!NT_STATUS_IS_OK(status)) {
632 return status;
635 /* select the sub context */
636 status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
637 cur_sec->op);
638 if (!NT_STATUS_IS_OK(status)) {
639 gensec_spnego_reset_sub_sec(spnego_state);
640 continue;
644 * Note that 'cur_sec' is temporary memory, but
645 * cur_sec->oid points to a const string in the
646 * backends gensec_security_ops structure.
648 spnego_state->neg_oid = cur_sec->oid;
651 * As client we don't use an optimistic token from the server.
652 * But try to produce one for the server.
654 *in_next = data_blob_null;
655 return NT_STATUS_MORE_PROCESSING_REQUIRED;
658 DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
659 return NT_STATUS_INVALID_PARAMETER;
662 static NTSTATUS gensec_spnego_client_negTokenInit_finish(
663 struct gensec_security *gensec_security,
664 struct spnego_state *spnego_state,
665 struct spnego_neg_state *n,
666 struct spnego_data *spnego_in,
667 NTSTATUS sub_status,
668 const DATA_BLOB sub_out,
669 TALLOC_CTX *out_mem_ctx,
670 DATA_BLOB *out)
672 struct spnego_data spnego_out;
673 const char * const *mech_types = NULL;
674 bool ok;
676 if (n->mech_types == NULL) {
677 DBG_WARNING("No mech_types list\n");
678 return NT_STATUS_INVALID_PARAMETER;
681 for (mech_types = n->mech_types; *mech_types != NULL; mech_types++) {
682 int cmp = strcmp(*mech_types, spnego_state->neg_oid);
684 if (cmp == 0) {
685 break;
689 if (*mech_types == NULL) {
690 DBG_ERR("Can't find selected sub mechanism in mech_types\n");
691 return NT_STATUS_INVALID_PARAMETER;
694 /* compose reply */
695 spnego_out.type = SPNEGO_NEG_TOKEN_INIT;
696 spnego_out.negTokenInit.mechTypes = mech_types;
697 spnego_out.negTokenInit.reqFlags = data_blob_null;
698 spnego_out.negTokenInit.reqFlagsPadding = 0;
699 spnego_out.negTokenInit.mechListMIC = data_blob_null;
700 spnego_out.negTokenInit.mechToken = sub_out;
702 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
703 DBG_ERR("Failed to write SPNEGO reply to NEG_TOKEN_INIT\n");
704 return NT_STATUS_INVALID_PARAMETER;
707 ok = spnego_write_mech_types(spnego_state,
708 mech_types,
709 &spnego_state->mech_types);
710 if (!ok) {
711 DBG_ERR("failed to write mechTypes\n");
712 return NT_STATUS_NO_MEMORY;
715 /* set next state */
716 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
717 spnego_state->state_position = SPNEGO_CLIENT_TARG;
719 return NT_STATUS_MORE_PROCESSING_REQUIRED;
722 static const struct spnego_neg_ops gensec_spnego_client_negTokenInit_ops = {
723 .name = "client_negTokenInit",
724 .start_fn = gensec_spnego_client_negTokenInit_start,
725 .step_fn = gensec_spnego_client_negTokenInit_step,
726 .finish_fn = gensec_spnego_client_negTokenInit_finish,
729 static NTSTATUS gensec_spnego_client_negTokenTarg_start(
730 struct gensec_security *gensec_security,
731 struct spnego_state *spnego_state,
732 struct spnego_neg_state *n,
733 struct spnego_data *spnego_in,
734 TALLOC_CTX *in_mem_ctx,
735 DATA_BLOB *in_next)
737 struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
738 NTSTATUS status;
740 spnego_state->num_targs++;
742 if (ta->negResult == SPNEGO_REJECT) {
743 return NT_STATUS_LOGON_FAILURE;
746 if (ta->negResult == SPNEGO_REQUEST_MIC) {
747 spnego_state->mic_requested = true;
750 if (ta->mechListMIC.length > 0) {
751 DATA_BLOB *m = &ta->mechListMIC;
752 const DATA_BLOB *r = &ta->responseToken;
755 * Windows 2000 has a bug, it repeats the
756 * responseToken in the mechListMIC field.
758 if (m->length == r->length) {
759 int cmp;
761 cmp = memcmp(m->data, r->data, m->length);
762 if (cmp == 0) {
763 data_blob_free(m);
768 /* Server didn't like our choice of mech, and chose something else */
769 if (((ta->negResult == SPNEGO_ACCEPT_INCOMPLETE) ||
770 (ta->negResult == SPNEGO_REQUEST_MIC)) &&
771 ta->supportedMech != NULL &&
772 strcmp(ta->supportedMech, spnego_state->neg_oid) != 0)
774 const char *client_mech = NULL;
775 const char *client_oid = NULL;
776 const char *server_mech = NULL;
777 const char *server_oid = NULL;
779 client_mech = gensec_get_name_by_oid(gensec_security,
780 spnego_state->neg_oid);
781 client_oid = spnego_state->neg_oid;
782 server_mech = gensec_get_name_by_oid(gensec_security,
783 ta->supportedMech);
784 server_oid = ta->supportedMech;
786 DBG_NOTICE("client preferred mech (%s[%s]) not accepted, "
787 "server wants: %s[%s]\n",
788 client_mech, client_oid, server_mech, server_oid);
790 spnego_state->downgraded = true;
791 gensec_spnego_reset_sub_sec(spnego_state);
793 status = gensec_subcontext_start(spnego_state,
794 gensec_security,
795 &spnego_state->sub_sec_security);
796 if (!NT_STATUS_IS_OK(status)) {
797 return status;
800 /* select the sub context */
801 status = gensec_start_mech_by_oid(spnego_state->sub_sec_security,
802 ta->supportedMech);
803 if (!NT_STATUS_IS_OK(status)) {
804 return status;
807 spnego_state->neg_oid = talloc_strdup(spnego_state,
808 ta->supportedMech);
809 if (spnego_state->neg_oid == NULL) {
810 return NT_STATUS_NO_MEMORY;
814 if (ta->mechListMIC.length > 0) {
815 if (spnego_state->sub_sec_ready) {
816 spnego_state->needs_mic_check = true;
820 if (spnego_state->needs_mic_check) {
821 if (ta->responseToken.length != 0) {
822 DBG_WARNING("non empty response token not expected\n");
823 return NT_STATUS_INVALID_PARAMETER;
826 if (ta->mechListMIC.length == 0
827 && spnego_state->may_skip_mic_check) {
829 * In this case we don't require
830 * a mechListMIC from the server.
832 * This works around bugs in the Azure
833 * and Apple spnego implementations.
835 * See
836 * https://bugzilla.samba.org/show_bug.cgi?id=11994
838 spnego_state->needs_mic_check = false;
839 return NT_STATUS_OK;
842 status = gensec_check_packet(spnego_state->sub_sec_security,
843 spnego_state->mech_types.data,
844 spnego_state->mech_types.length,
845 spnego_state->mech_types.data,
846 spnego_state->mech_types.length,
847 &ta->mechListMIC);
848 if (!NT_STATUS_IS_OK(status)) {
849 DBG_WARNING("failed to verify mechListMIC: %s\n",
850 nt_errstr(status));
851 return status;
853 spnego_state->needs_mic_check = false;
854 spnego_state->done_mic_check = true;
855 return NT_STATUS_OK;
858 if (!spnego_state->sub_sec_ready) {
859 *in_next = ta->responseToken;
860 return NT_STATUS_MORE_PROCESSING_REQUIRED;
863 return NT_STATUS_OK;
866 static NTSTATUS gensec_spnego_client_negTokenTarg_step(
867 struct gensec_security *gensec_security,
868 struct spnego_state *spnego_state,
869 struct spnego_neg_state *n,
870 struct spnego_data *spnego_in,
871 NTSTATUS last_status,
872 TALLOC_CTX *in_mem_ctx,
873 DATA_BLOB *in_next)
875 if (GENSEC_UPDATE_IS_NTERROR(last_status)) {
876 DBG_WARNING("SPNEGO(%s) login failed: %s\n",
877 spnego_state->sub_sec_security->ops->name,
878 nt_errstr(last_status));
879 return last_status;
883 * This should never be reached!
884 * The step function is only called on errors!
886 smb_panic(__location__);
887 return NT_STATUS_INTERNAL_ERROR;
890 static NTSTATUS gensec_spnego_client_negTokenTarg_finish(
891 struct gensec_security *gensec_security,
892 struct spnego_state *spnego_state,
893 struct spnego_neg_state *n,
894 struct spnego_data *spnego_in,
895 NTSTATUS sub_status,
896 const DATA_BLOB sub_out,
897 TALLOC_CTX *out_mem_ctx,
898 DATA_BLOB *out)
900 const struct spnego_negTokenTarg *ta =
901 &spnego_in->negTokenTarg;
902 DATA_BLOB mech_list_mic = data_blob_null;
903 NTSTATUS status;
904 struct spnego_data spnego_out;
906 if (!spnego_state->sub_sec_ready) {
908 * We're not yet ready to deal with signatures.
910 goto client_response;
913 if (spnego_state->done_mic_check) {
915 * We already checked the mic,
916 * either the in last round here
917 * in gensec_spnego_client_negTokenTarg_finish()
918 * or during this round in
919 * gensec_spnego_client_negTokenTarg_start().
921 * Both cases we're sure we don't have to
922 * call gensec_sign_packet().
924 goto client_response;
927 if (spnego_state->may_skip_mic_check) {
929 * This can only be set during
930 * the last round here in
931 * gensec_spnego_client_negTokenTarg_finish()
932 * below. And during this round
933 * we already passed the checks in
934 * gensec_spnego_client_negTokenTarg_start().
936 * So we need to skip to deal with
937 * any signatures now.
939 goto client_response;
942 if (!spnego_state->done_mic_check) {
943 bool have_sign = true;
944 bool new_spnego = false;
946 have_sign = gensec_have_feature(spnego_state->sub_sec_security,
947 GENSEC_FEATURE_SIGN);
948 if (spnego_state->simulate_w2k) {
949 have_sign = false;
951 new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
952 GENSEC_FEATURE_NEW_SPNEGO);
954 switch (ta->negResult) {
955 case SPNEGO_ACCEPT_COMPLETED:
956 case SPNEGO_NONE_RESULT:
957 if (spnego_state->num_targs == 1) {
959 * the first exchange doesn't require
960 * verification
962 new_spnego = false;
965 break;
967 case SPNEGO_ACCEPT_INCOMPLETE:
968 if (ta->mechListMIC.length > 0) {
969 new_spnego = true;
970 break;
973 if (spnego_state->downgraded) {
975 * A downgrade should be protected if
976 * supported
978 break;
982 * The caller may just asked for
983 * GENSEC_FEATURE_SESSION_KEY, this
984 * is only reflected in the want_features.
986 * As it will imply
987 * gensec_have_features(GENSEC_FEATURE_SIGN)
988 * to return true.
990 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
991 break;
993 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
994 break;
997 * Here we're sure our preferred mech was
998 * selected by the server and our caller doesn't
999 * need GENSEC_FEATURE_SIGN nor
1000 * GENSEC_FEATURE_SEAL support.
1002 * In this case we don't require
1003 * a mechListMIC from the server.
1005 * This works around bugs in the Azure
1006 * and Apple spnego implementations.
1008 * See
1009 * https://bugzilla.samba.org/show_bug.cgi?id=11994
1011 spnego_state->may_skip_mic_check = true;
1012 break;
1014 case SPNEGO_REQUEST_MIC:
1015 if (ta->mechListMIC.length > 0) {
1016 new_spnego = true;
1018 break;
1019 default:
1020 break;
1023 if (spnego_state->mic_requested) {
1024 if (have_sign) {
1025 new_spnego = true;
1029 if (have_sign && new_spnego) {
1030 spnego_state->needs_mic_check = true;
1031 spnego_state->needs_mic_sign = true;
1035 if (ta->mechListMIC.length > 0) {
1036 status = gensec_check_packet(spnego_state->sub_sec_security,
1037 spnego_state->mech_types.data,
1038 spnego_state->mech_types.length,
1039 spnego_state->mech_types.data,
1040 spnego_state->mech_types.length,
1041 &ta->mechListMIC);
1042 if (!NT_STATUS_IS_OK(status)) {
1043 DBG_WARNING("failed to verify mechListMIC: %s\n",
1044 nt_errstr(status));
1045 return status;
1047 spnego_state->needs_mic_check = false;
1048 spnego_state->done_mic_check = true;
1051 if (spnego_state->needs_mic_sign) {
1052 status = gensec_sign_packet(spnego_state->sub_sec_security,
1054 spnego_state->mech_types.data,
1055 spnego_state->mech_types.length,
1056 spnego_state->mech_types.data,
1057 spnego_state->mech_types.length,
1058 &mech_list_mic);
1059 if (!NT_STATUS_IS_OK(status)) {
1060 DBG_WARNING("failed to sign mechListMIC: %s\n",
1061 nt_errstr(status));
1062 return status;
1064 spnego_state->needs_mic_sign = false;
1067 client_response:
1068 if (sub_out.length == 0 && mech_list_mic.length == 0) {
1069 *out = data_blob_null;
1071 if (!spnego_state->sub_sec_ready) {
1072 /* somethings wrong here... */
1073 DBG_ERR("gensec_update not ready without output\n");
1074 return NT_STATUS_INTERNAL_ERROR;
1077 if (ta->negResult != SPNEGO_ACCEPT_COMPLETED) {
1078 /* unless of course it did not accept */
1079 DBG_WARNING("gensec_update ok but not accepted\n");
1080 return NT_STATUS_INVALID_PARAMETER;
1083 if (!spnego_state->needs_mic_check) {
1084 spnego_state->state_position = SPNEGO_DONE;
1085 return NT_STATUS_OK;
1089 /* compose reply */
1090 spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
1091 spnego_out.negTokenTarg.negResult = SPNEGO_NONE_RESULT;
1092 spnego_out.negTokenTarg.supportedMech = NULL;
1093 spnego_out.negTokenTarg.responseToken = sub_out;
1094 spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
1096 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
1097 DBG_WARNING("Failed to write NEG_TOKEN_TARG\n");
1098 return NT_STATUS_INVALID_PARAMETER;
1101 spnego_state->num_targs++;
1103 /* set next state */
1104 spnego_state->state_position = SPNEGO_CLIENT_TARG;
1105 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
1107 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1110 static const struct spnego_neg_ops gensec_spnego_client_negTokenTarg_ops = {
1111 .name = "client_negTokenTarg",
1112 .start_fn = gensec_spnego_client_negTokenTarg_start,
1113 .step_fn = gensec_spnego_client_negTokenTarg_step,
1114 .finish_fn = gensec_spnego_client_negTokenTarg_finish,
1117 /** create a server negTokenTarg
1119 * This is the case, where the client is the first one who sends data
1122 static NTSTATUS gensec_spnego_server_response(struct spnego_state *spnego_state,
1123 TALLOC_CTX *out_mem_ctx,
1124 NTSTATUS nt_status,
1125 const DATA_BLOB unwrapped_out,
1126 DATA_BLOB mech_list_mic,
1127 DATA_BLOB *out)
1129 struct spnego_data spnego_out;
1131 /* compose reply */
1132 spnego_out.type = SPNEGO_NEG_TOKEN_TARG;
1133 spnego_out.negTokenTarg.responseToken = unwrapped_out;
1134 spnego_out.negTokenTarg.mechListMIC = mech_list_mic;
1135 spnego_out.negTokenTarg.supportedMech = NULL;
1137 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1138 spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
1139 if (spnego_state->mic_requested) {
1140 spnego_out.negTokenTarg.negResult = SPNEGO_REQUEST_MIC;
1141 spnego_state->mic_requested = false;
1142 } else {
1143 spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_INCOMPLETE;
1145 spnego_state->state_position = SPNEGO_SERVER_TARG;
1146 } else if (NT_STATUS_IS_OK(nt_status)) {
1147 if (unwrapped_out.data) {
1148 spnego_out.negTokenTarg.supportedMech = spnego_state->neg_oid;
1150 spnego_out.negTokenTarg.negResult = SPNEGO_ACCEPT_COMPLETED;
1151 spnego_state->state_position = SPNEGO_DONE;
1154 if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
1155 DEBUG(1, ("Failed to write SPNEGO reply to NEG_TOKEN_TARG\n"));
1156 return NT_STATUS_INVALID_PARAMETER;
1159 spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG;
1160 spnego_state->num_targs++;
1162 return nt_status;
1165 static NTSTATUS gensec_spnego_server_negTokenInit_start(
1166 struct gensec_security *gensec_security,
1167 struct spnego_state *spnego_state,
1168 struct spnego_neg_state *n,
1169 struct spnego_data *spnego_in,
1170 TALLOC_CTX *in_mem_ctx,
1171 DATA_BLOB *in_next)
1173 bool ok;
1175 n->mech_idx = 0;
1176 n->mech_types = spnego_in->negTokenInit.mechTypes;
1177 if (n->mech_types == NULL) {
1178 return NT_STATUS_INVALID_PARAMETER;
1181 n->all_idx = 0;
1182 n->all_sec = gensec_security_by_oid_list(gensec_security,
1183 n, n->mech_types,
1184 GENSEC_OID_SPNEGO);
1185 if (n->all_sec == NULL) {
1186 DBG_WARNING("gensec_security_by_oid_list() failed\n");
1187 return NT_STATUS_INVALID_PARAMETER;
1190 ok = spnego_write_mech_types(spnego_state,
1191 n->mech_types,
1192 &spnego_state->mech_types);
1193 if (!ok) {
1194 DBG_ERR("Failed to write mechTypes\n");
1195 return NT_STATUS_NO_MEMORY;
1198 return n->ops->step_fn(gensec_security, spnego_state, n,
1199 spnego_in, NT_STATUS_OK, in_mem_ctx, in_next);
1202 static NTSTATUS gensec_spnego_server_negTokenInit_step(
1203 struct gensec_security *gensec_security,
1204 struct spnego_state *spnego_state,
1205 struct spnego_neg_state *n,
1206 struct spnego_data *spnego_in,
1207 NTSTATUS last_status,
1208 TALLOC_CTX *in_mem_ctx,
1209 DATA_BLOB *in_next)
1211 if (!NT_STATUS_IS_OK(last_status)) {
1212 const struct gensec_security_ops_wrapper *cur_sec =
1213 &n->all_sec[n->all_idx];
1214 const char *next_mech = n->mech_types[n->mech_idx+1];
1215 const struct gensec_security_ops_wrapper *next_sec = NULL;
1216 const char *next = NULL;
1217 int dbg_level = DBGLVL_WARNING;
1218 bool allow_fallback = false;
1219 NTSTATUS status = last_status;
1220 size_t i;
1222 for (i = 0; next_mech != NULL && n->all_sec[i].op != NULL; i++) {
1223 if (strcmp(next_mech, n->all_sec[i].oid) != 0) {
1224 continue;
1227 next_sec = &n->all_sec[i];
1228 break;
1231 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER) ||
1232 NT_STATUS_EQUAL(status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO))
1234 allow_fallback = true;
1237 if (allow_fallback && next_sec != NULL) {
1238 next = next_sec->op->name;
1239 dbg_level = DBGLVL_NOTICE;
1242 DBG_PREFIX(dbg_level, (
1243 "%s: parsing NEG_TOKEN_INIT content failed "
1244 "(next[%s]): %s\n", cur_sec->op->name,
1245 next, nt_errstr(status)));
1247 if (next == NULL) {
1249 * A hard error without a possible fallback.
1251 return status;
1255 * Pretend we never started it
1257 gensec_spnego_reset_sub_sec(spnego_state);
1260 * And try the next one, based on the clients
1261 * mech type list...
1263 n->mech_idx += 1;
1267 * we always reset all_idx here, as the negotiation is
1268 * done via mech_idx!
1270 n->all_idx = 0;
1272 for (; n->mech_types[n->mech_idx] != NULL; n->mech_idx++) {
1273 const char *cur_mech = n->mech_types[n->mech_idx];
1274 const struct gensec_security_ops_wrapper *cur_sec = NULL;
1275 NTSTATUS status;
1276 DATA_BLOB sub_in = data_blob_null;
1277 size_t i;
1279 for (i = 0; n->all_sec[i].op != NULL; i++) {
1280 if (strcmp(cur_mech, n->all_sec[i].oid) != 0) {
1281 continue;
1284 cur_sec = &n->all_sec[i];
1285 n->all_idx = i;
1286 break;
1289 if (cur_sec == NULL) {
1290 continue;
1293 status = gensec_subcontext_start(spnego_state,
1294 gensec_security,
1295 &spnego_state->sub_sec_security);
1296 if (!NT_STATUS_IS_OK(status)) {
1297 return status;
1300 /* select the sub context */
1301 status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
1302 cur_sec->op);
1303 if (!NT_STATUS_IS_OK(status)) {
1305 * Pretend we never started it
1307 gensec_spnego_reset_sub_sec(spnego_state);
1308 continue;
1311 if (n->mech_idx == 0) {
1313 * We can use the optimistic token.
1315 sub_in = spnego_in->negTokenInit.mechToken;
1316 } else {
1318 * Indicate the downgrade and request a
1319 * mic.
1321 spnego_state->downgraded = true;
1322 spnego_state->mic_requested = true;
1325 if (sub_in.length == 0) {
1326 spnego_state->no_optimistic = true;
1330 * Note that 'cur_sec' is temporary memory, but
1331 * cur_sec->oid points to a const string in the
1332 * backends gensec_security_ops structure.
1334 spnego_state->neg_oid = cur_sec->oid;
1336 /* we need some content from the mech */
1337 *in_next = sub_in;
1338 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1341 DBG_WARNING("Could not find a suitable mechtype in NEG_TOKEN_INIT\n");
1342 return NT_STATUS_INVALID_PARAMETER;
1345 static NTSTATUS gensec_spnego_server_negTokenInit_finish(
1346 struct gensec_security *gensec_security,
1347 struct spnego_state *spnego_state,
1348 struct spnego_neg_state *n,
1349 struct spnego_data *spnego_in,
1350 NTSTATUS sub_status,
1351 const DATA_BLOB sub_out,
1352 TALLOC_CTX *out_mem_ctx,
1353 DATA_BLOB *out)
1355 DATA_BLOB mech_list_mic = data_blob_null;
1357 if (spnego_state->simulate_w2k) {
1359 * Windows 2000 returns the unwrapped token
1360 * also in the mech_list_mic field.
1362 * In order to verify our client code,
1363 * we need a way to have a server with this
1364 * broken behaviour
1366 mech_list_mic = sub_out;
1369 return gensec_spnego_server_response(spnego_state,
1370 out_mem_ctx,
1371 sub_status,
1372 sub_out,
1373 mech_list_mic,
1374 out);
1377 static const struct spnego_neg_ops gensec_spnego_server_negTokenInit_ops = {
1378 .name = "server_negTokenInit",
1379 .start_fn = gensec_spnego_server_negTokenInit_start,
1380 .step_fn = gensec_spnego_server_negTokenInit_step,
1381 .finish_fn = gensec_spnego_server_negTokenInit_finish,
1384 static NTSTATUS gensec_spnego_server_negTokenTarg_start(
1385 struct gensec_security *gensec_security,
1386 struct spnego_state *spnego_state,
1387 struct spnego_neg_state *n,
1388 struct spnego_data *spnego_in,
1389 TALLOC_CTX *in_mem_ctx,
1390 DATA_BLOB *in_next)
1392 const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
1393 NTSTATUS status;
1395 spnego_state->num_targs++;
1397 if (spnego_state->sub_sec_security == NULL) {
1398 DBG_ERR("SPNEGO: Did not setup a mech in NEG_TOKEN_INIT\n");
1399 return NT_STATUS_INVALID_PARAMETER;
1402 if (spnego_state->needs_mic_check) {
1403 if (ta->responseToken.length != 0) {
1404 DBG_WARNING("non empty response token not expected\n");
1405 return NT_STATUS_INVALID_PARAMETER;
1408 status = gensec_check_packet(spnego_state->sub_sec_security,
1409 spnego_state->mech_types.data,
1410 spnego_state->mech_types.length,
1411 spnego_state->mech_types.data,
1412 spnego_state->mech_types.length,
1413 &ta->mechListMIC);
1414 if (!NT_STATUS_IS_OK(status)) {
1415 DBG_WARNING("failed to verify mechListMIC: %s\n",
1416 nt_errstr(status));
1417 return status;
1420 spnego_state->needs_mic_check = false;
1421 spnego_state->done_mic_check = true;
1422 return NT_STATUS_OK;
1425 if (!spnego_state->sub_sec_ready) {
1426 *in_next = ta->responseToken;
1427 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1430 return NT_STATUS_OK;
1433 static NTSTATUS gensec_spnego_server_negTokenTarg_step(
1434 struct gensec_security *gensec_security,
1435 struct spnego_state *spnego_state,
1436 struct spnego_neg_state *n,
1437 struct spnego_data *spnego_in,
1438 NTSTATUS last_status,
1439 TALLOC_CTX *in_mem_ctx,
1440 DATA_BLOB *in_next)
1442 if (GENSEC_UPDATE_IS_NTERROR(last_status)) {
1443 DBG_NOTICE("SPNEGO(%s) login failed: %s\n",
1444 spnego_state->sub_sec_security->ops->name,
1445 nt_errstr(last_status));
1446 return last_status;
1450 * This should never be reached!
1451 * The step function is only called on errors!
1453 smb_panic(__location__);
1454 return NT_STATUS_INTERNAL_ERROR;
1457 static NTSTATUS gensec_spnego_server_negTokenTarg_finish(
1458 struct gensec_security *gensec_security,
1459 struct spnego_state *spnego_state,
1460 struct spnego_neg_state *n,
1461 struct spnego_data *spnego_in,
1462 NTSTATUS sub_status,
1463 const DATA_BLOB sub_out,
1464 TALLOC_CTX *out_mem_ctx,
1465 DATA_BLOB *out)
1467 const struct spnego_negTokenTarg *ta = &spnego_in->negTokenTarg;
1468 DATA_BLOB mech_list_mic = data_blob_null;
1469 NTSTATUS status;
1470 bool have_sign = true;
1471 bool new_spnego = false;
1473 status = sub_status;
1475 if (!spnego_state->sub_sec_ready) {
1477 * We're not yet ready to deal with signatures.
1479 goto server_response;
1482 if (spnego_state->done_mic_check) {
1484 * We already checked the mic,
1485 * either the in last round here
1486 * in gensec_spnego_server_negTokenTarg_finish()
1487 * or during this round in
1488 * gensec_spnego_server_negTokenTarg_start().
1490 * Both cases we're sure we don't have to
1491 * call gensec_sign_packet().
1493 goto server_response;
1496 have_sign = gensec_have_feature(spnego_state->sub_sec_security,
1497 GENSEC_FEATURE_SIGN);
1498 if (spnego_state->simulate_w2k) {
1499 have_sign = false;
1501 new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
1502 GENSEC_FEATURE_NEW_SPNEGO);
1503 if (ta->mechListMIC.length > 0) {
1504 new_spnego = true;
1507 if (have_sign && new_spnego) {
1508 spnego_state->needs_mic_check = true;
1509 spnego_state->needs_mic_sign = true;
1512 if (have_sign && ta->mechListMIC.length > 0) {
1513 status = gensec_check_packet(spnego_state->sub_sec_security,
1514 spnego_state->mech_types.data,
1515 spnego_state->mech_types.length,
1516 spnego_state->mech_types.data,
1517 spnego_state->mech_types.length,
1518 &ta->mechListMIC);
1519 if (!NT_STATUS_IS_OK(status)) {
1520 DBG_WARNING("failed to verify mechListMIC: %s\n",
1521 nt_errstr(status));
1522 return status;
1525 spnego_state->needs_mic_check = false;
1526 spnego_state->done_mic_check = true;
1529 if (spnego_state->needs_mic_sign) {
1530 status = gensec_sign_packet(spnego_state->sub_sec_security,
1532 spnego_state->mech_types.data,
1533 spnego_state->mech_types.length,
1534 spnego_state->mech_types.data,
1535 spnego_state->mech_types.length,
1536 &mech_list_mic);
1537 if (!NT_STATUS_IS_OK(status)) {
1538 DBG_WARNING("failed to sign mechListMIC: %s\n",
1539 nt_errstr(status));
1540 return status;
1542 spnego_state->needs_mic_sign = false;
1545 if (spnego_state->needs_mic_check) {
1546 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1549 server_response:
1550 return gensec_spnego_server_response(spnego_state,
1551 out_mem_ctx,
1552 status,
1553 sub_out,
1554 mech_list_mic,
1555 out);
1558 static const struct spnego_neg_ops gensec_spnego_server_negTokenTarg_ops = {
1559 .name = "server_negTokenTarg",
1560 .start_fn = gensec_spnego_server_negTokenTarg_start,
1561 .step_fn = gensec_spnego_server_negTokenTarg_step,
1562 .finish_fn = gensec_spnego_server_negTokenTarg_finish,
1565 struct gensec_spnego_update_state {
1566 struct tevent_context *ev;
1567 struct gensec_security *gensec;
1568 struct spnego_state *spnego;
1570 DATA_BLOB full_in;
1571 struct spnego_data _spnego_in;
1572 struct spnego_data *spnego_in;
1574 struct {
1575 bool needed;
1576 DATA_BLOB in;
1577 NTSTATUS status;
1578 DATA_BLOB out;
1579 } sub;
1581 struct spnego_neg_state *n;
1583 NTSTATUS status;
1584 DATA_BLOB out;
1587 static void gensec_spnego_update_cleanup(struct tevent_req *req,
1588 enum tevent_req_state req_state)
1590 struct gensec_spnego_update_state *state =
1591 tevent_req_data(req,
1592 struct gensec_spnego_update_state);
1594 switch (req_state) {
1595 case TEVENT_REQ_USER_ERROR:
1596 case TEVENT_REQ_TIMED_OUT:
1597 case TEVENT_REQ_NO_MEMORY:
1599 * A fatal error, further updates are not allowed.
1601 state->spnego->state_position = SPNEGO_DONE;
1602 break;
1603 default:
1604 break;
1608 static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
1609 const DATA_BLOB in, TALLOC_CTX *mem_ctx,
1610 DATA_BLOB *full_in);
1611 static void gensec_spnego_update_pre(struct tevent_req *req);
1612 static void gensec_spnego_update_done(struct tevent_req *subreq);
1613 static void gensec_spnego_update_post(struct tevent_req *req);
1614 static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
1615 TALLOC_CTX *out_mem_ctx,
1616 DATA_BLOB *_out);
1618 static struct tevent_req *gensec_spnego_update_send(TALLOC_CTX *mem_ctx,
1619 struct tevent_context *ev,
1620 struct gensec_security *gensec_security,
1621 const DATA_BLOB in)
1623 struct spnego_state *spnego_state =
1624 talloc_get_type_abort(gensec_security->private_data,
1625 struct spnego_state);
1626 struct tevent_req *req = NULL;
1627 struct gensec_spnego_update_state *state = NULL;
1628 NTSTATUS status;
1629 ssize_t len;
1631 req = tevent_req_create(mem_ctx, &state,
1632 struct gensec_spnego_update_state);
1633 if (req == NULL) {
1634 return NULL;
1636 state->ev = ev;
1637 state->gensec = gensec_security;
1638 state->spnego = spnego_state;
1639 tevent_req_set_cleanup_fn(req, gensec_spnego_update_cleanup);
1641 if (spnego_state->out_frag.length > 0) {
1642 if (in.length > 0) {
1643 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1644 return tevent_req_post(req, ev);
1647 status = gensec_spnego_update_out(gensec_security,
1648 state, &state->out);
1649 if (GENSEC_UPDATE_IS_NTERROR(status)) {
1650 tevent_req_nterror(req, status);
1651 return tevent_req_post(req, ev);
1654 state->status = status;
1655 tevent_req_done(req);
1656 return tevent_req_post(req, ev);
1659 status = gensec_spnego_update_in(gensec_security, in,
1660 state, &state->full_in);
1661 state->status = status;
1662 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1663 tevent_req_done(req);
1664 return tevent_req_post(req, ev);
1666 if (tevent_req_nterror(req, status)) {
1667 return tevent_req_post(req, ev);
1670 /* Check if we got a valid SPNEGO blob... */
1672 switch (spnego_state->state_position) {
1673 case SPNEGO_FALLBACK:
1674 break;
1676 case SPNEGO_CLIENT_TARG:
1677 case SPNEGO_SERVER_TARG:
1678 if (state->full_in.length == 0) {
1679 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1680 return tevent_req_post(req, ev);
1683 FALL_THROUGH;
1684 case SPNEGO_CLIENT_START:
1685 case SPNEGO_SERVER_START:
1687 if (state->full_in.length == 0) {
1688 /* create_negTokenInit later */
1689 break;
1692 len = spnego_read_data(state,
1693 state->full_in,
1694 &state->_spnego_in);
1695 if (len == -1) {
1696 if (spnego_state->state_position != SPNEGO_SERVER_START) {
1697 DEBUG(1, ("Invalid SPNEGO request:\n"));
1698 dump_data(1, state->full_in.data,
1699 state->full_in.length);
1700 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1701 return tevent_req_post(req, ev);
1705 * This is the 'fallback' case, where we don't get
1706 * SPNEGO, and have to try all the other options (and
1707 * hope they all have a magic string they check)
1709 status = gensec_spnego_server_try_fallback(gensec_security,
1710 spnego_state,
1711 state,
1712 state->full_in);
1713 if (tevent_req_nterror(req, status)) {
1714 return tevent_req_post(req, ev);
1718 * We'll continue with SPNEGO_FALLBACK below...
1720 break;
1722 state->spnego_in = &state->_spnego_in;
1724 /* OK, so it's real SPNEGO, check the packet's the one we expect */
1725 if (state->spnego_in->type != spnego_state->expected_packet) {
1726 DEBUG(1, ("Invalid SPNEGO request: %d, expected %d\n",
1727 state->spnego_in->type,
1728 spnego_state->expected_packet));
1729 dump_data(1, state->full_in.data,
1730 state->full_in.length);
1731 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
1732 return tevent_req_post(req, ev);
1735 break;
1737 default:
1738 smb_panic(__location__);
1739 return NULL;
1742 gensec_spnego_update_pre(req);
1743 if (!tevent_req_is_in_progress(req)) {
1744 return tevent_req_post(req, ev);
1747 if (state->sub.needed) {
1748 struct tevent_req *subreq = NULL;
1751 * We may need one more roundtrip...
1753 subreq = gensec_update_send(state, state->ev,
1754 spnego_state->sub_sec_security,
1755 state->sub.in);
1756 if (tevent_req_nomem(subreq, req)) {
1757 return tevent_req_post(req, ev);
1759 tevent_req_set_callback(subreq,
1760 gensec_spnego_update_done,
1761 req);
1762 state->sub.needed = false;
1763 return req;
1766 gensec_spnego_update_post(req);
1767 if (!tevent_req_is_in_progress(req)) {
1768 return tevent_req_post(req, ev);
1771 return req;
1774 static NTSTATUS gensec_spnego_update_in(struct gensec_security *gensec_security,
1775 const DATA_BLOB in, TALLOC_CTX *mem_ctx,
1776 DATA_BLOB *full_in)
1778 struct spnego_state *spnego_state =
1779 talloc_get_type_abort(gensec_security->private_data,
1780 struct spnego_state);
1781 size_t expected;
1782 bool ok;
1784 *full_in = data_blob_null;
1786 switch (spnego_state->state_position) {
1787 case SPNEGO_FALLBACK:
1788 *full_in = in;
1789 spnego_state->in_needed = 0;
1790 return NT_STATUS_OK;
1792 case SPNEGO_CLIENT_START:
1793 case SPNEGO_CLIENT_TARG:
1794 case SPNEGO_SERVER_START:
1795 case SPNEGO_SERVER_TARG:
1796 break;
1798 case SPNEGO_DONE:
1799 default:
1800 return NT_STATUS_INVALID_PARAMETER;
1803 if (spnego_state->in_needed == 0) {
1804 size_t size = 0;
1805 int ret;
1808 * try to work out the size of the full
1809 * input token, it might be fragmented
1811 ret = asn1_peek_full_tag(in, ASN1_APPLICATION(0), &size);
1812 if ((ret != 0) && (ret != EAGAIN)) {
1813 ret = asn1_peek_full_tag(in, ASN1_CONTEXT(1), &size);
1816 if ((ret == 0) || (ret == EAGAIN)) {
1817 spnego_state->in_needed = size;
1818 } else {
1820 * If it is not an asn1 message
1821 * just call the next layer.
1823 spnego_state->in_needed = in.length;
1827 if (spnego_state->in_needed > UINT16_MAX) {
1829 * limit the incoming message to 0xFFFF
1830 * to avoid DoS attacks.
1832 return NT_STATUS_INVALID_BUFFER_SIZE;
1835 if ((spnego_state->in_needed > 0) && (in.length == 0)) {
1837 * If we reach this, we know we got at least
1838 * part of an asn1 message, getting 0 means
1839 * the remote peer wants us to spin.
1841 return NT_STATUS_INVALID_PARAMETER;
1844 expected = spnego_state->in_needed - spnego_state->in_frag.length;
1845 if (in.length > expected) {
1847 * we got more than expected
1849 return NT_STATUS_INVALID_PARAMETER;
1852 if (in.length == spnego_state->in_needed) {
1854 * if the in.length contains the full blob
1855 * we are done.
1857 * Note: this implies spnego_state->in_frag.length == 0,
1858 * but we do not need to check this explicitly
1859 * because we already know that we did not get
1860 * more than expected.
1862 *full_in = in;
1863 spnego_state->in_needed = 0;
1864 return NT_STATUS_OK;
1867 ok = data_blob_append(spnego_state, &spnego_state->in_frag,
1868 in.data, in.length);
1869 if (!ok) {
1870 return NT_STATUS_NO_MEMORY;
1873 if (spnego_state->in_needed > spnego_state->in_frag.length) {
1874 return NT_STATUS_MORE_PROCESSING_REQUIRED;
1877 *full_in = spnego_state->in_frag;
1878 talloc_steal(mem_ctx, full_in->data);
1879 spnego_state->in_frag = data_blob_null;
1880 spnego_state->in_needed = 0;
1881 return NT_STATUS_OK;
1884 static void gensec_spnego_update_pre(struct tevent_req *req)
1886 struct gensec_spnego_update_state *state =
1887 tevent_req_data(req,
1888 struct gensec_spnego_update_state);
1889 struct spnego_state *spnego_state = state->spnego;
1890 const struct spnego_neg_ops *ops = NULL;
1891 NTSTATUS status;
1893 state->sub.needed = false;
1894 state->sub.in = data_blob_null;
1895 state->sub.status = NT_STATUS_INTERNAL_ERROR;
1896 state->sub.out = data_blob_null;
1898 if (spnego_state->state_position == SPNEGO_FALLBACK) {
1899 state->sub.in = state->full_in;
1900 state->full_in = data_blob_null;
1901 state->sub.needed = true;
1902 return;
1905 switch (spnego_state->state_position) {
1906 case SPNEGO_CLIENT_START:
1907 if (state->spnego_in == NULL) {
1908 /* client to produce negTokenInit */
1909 ops = &gensec_spnego_create_negTokenInit_ops;
1910 break;
1913 ops = &gensec_spnego_client_negTokenInit_ops;
1914 break;
1916 case SPNEGO_CLIENT_TARG:
1917 ops = &gensec_spnego_client_negTokenTarg_ops;
1918 break;
1920 case SPNEGO_SERVER_START:
1921 if (state->spnego_in == NULL) {
1922 /* server to produce negTokenInit */
1923 ops = &gensec_spnego_create_negTokenInit_ops;
1924 break;
1927 ops = &gensec_spnego_server_negTokenInit_ops;
1928 break;
1930 case SPNEGO_SERVER_TARG:
1931 ops = &gensec_spnego_server_negTokenTarg_ops;
1932 break;
1934 default:
1935 smb_panic(__location__);
1936 return;
1939 state->n = gensec_spnego_neg_state(state, ops);
1940 if (tevent_req_nomem(state->n, req)) {
1941 return;
1944 status = ops->start_fn(state->gensec, spnego_state, state->n,
1945 state->spnego_in, state, &state->sub.in);
1946 if (GENSEC_UPDATE_IS_NTERROR(status)) {
1947 tevent_req_nterror(req, status);
1948 return;
1951 if (NT_STATUS_IS_OK(status)) {
1953 * Call finish_fn() with an empty
1954 * blob and NT_STATUS_OK.
1956 state->sub.status = NT_STATUS_OK;
1957 } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
1958 spnego_state->no_optimistic) {
1960 * Skip optimistic token per conf.
1962 state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1963 } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
1964 state->sub.in.length == 0 && spnego_state->no_optimistic) {
1966 * If we didn't like the mechanism for which the client sent us
1967 * an optimistic token, or if he didn't send any, don't call
1968 * the sub mechanism just yet.
1970 state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1971 spnego_state->no_optimistic = false;
1972 } else {
1974 * MORE_PROCESSING_REQUIRED =>
1975 * we need to call gensec_update_send().
1977 state->sub.needed = true;
1981 static void gensec_spnego_update_done(struct tevent_req *subreq)
1983 struct tevent_req *req =
1984 tevent_req_callback_data(subreq,
1985 struct tevent_req);
1986 struct gensec_spnego_update_state *state =
1987 tevent_req_data(req,
1988 struct gensec_spnego_update_state);
1989 struct spnego_state *spnego_state = state->spnego;
1991 state->sub.status = gensec_update_recv(subreq, state, &state->sub.out);
1992 TALLOC_FREE(subreq);
1993 if (NT_STATUS_IS_OK(state->sub.status)) {
1994 spnego_state->sub_sec_ready = true;
1997 gensec_spnego_update_post(req);
2000 static void gensec_spnego_update_post(struct tevent_req *req)
2002 struct gensec_spnego_update_state *state =
2003 tevent_req_data(req,
2004 struct gensec_spnego_update_state);
2005 struct spnego_state *spnego_state = state->spnego;
2006 const struct spnego_neg_ops *ops = NULL;
2007 NTSTATUS status;
2009 state->sub.in = data_blob_null;
2010 state->sub.needed = false;
2012 if (spnego_state->state_position == SPNEGO_FALLBACK) {
2013 status = state->sub.status;
2014 spnego_state->out_frag = state->sub.out;
2015 talloc_steal(spnego_state, spnego_state->out_frag.data);
2016 state->sub.out = data_blob_null;
2017 goto respond;
2020 ops = state->n->ops;
2022 if (GENSEC_UPDATE_IS_NTERROR(state->sub.status)) {
2026 * gensec_update_recv() returned an error,
2027 * let's see if the step_fn() want to
2028 * handle it and negotiate something else.
2031 status = ops->step_fn(state->gensec,
2032 spnego_state,
2033 state->n,
2034 state->spnego_in,
2035 state->sub.status,
2036 state,
2037 &state->sub.in);
2038 if (GENSEC_UPDATE_IS_NTERROR(status)) {
2039 tevent_req_nterror(req, status);
2040 return;
2043 state->sub.out = data_blob_null;
2044 state->sub.status = NT_STATUS_INTERNAL_ERROR;
2046 if (NT_STATUS_IS_OK(status)) {
2048 * Call finish_fn() with an empty
2049 * blob and NT_STATUS_OK.
2051 state->sub.status = NT_STATUS_OK;
2052 } else {
2054 * MORE_PROCESSING_REQUIRED...
2056 state->sub.needed = true;
2060 if (state->sub.needed) {
2061 struct tevent_req *subreq = NULL;
2064 * We may need one more roundtrip...
2066 subreq = gensec_update_send(state, state->ev,
2067 spnego_state->sub_sec_security,
2068 state->sub.in);
2069 if (tevent_req_nomem(subreq, req)) {
2070 return;
2072 tevent_req_set_callback(subreq,
2073 gensec_spnego_update_done,
2074 req);
2075 state->sub.needed = false;
2076 return;
2079 status = ops->finish_fn(state->gensec,
2080 spnego_state,
2081 state->n,
2082 state->spnego_in,
2083 state->sub.status,
2084 state->sub.out,
2085 spnego_state,
2086 &spnego_state->out_frag);
2087 TALLOC_FREE(state->n);
2088 if (GENSEC_UPDATE_IS_NTERROR(status)) {
2089 tevent_req_nterror(req, status);
2090 return;
2093 if (NT_STATUS_IS_OK(status)) {
2094 bool reset_full = true;
2096 reset_full = !spnego_state->done_mic_check;
2098 status = gensec_may_reset_crypto(spnego_state->sub_sec_security,
2099 reset_full);
2100 if (tevent_req_nterror(req, status)) {
2101 return;
2105 respond:
2106 spnego_state->out_status = status;
2108 status = gensec_spnego_update_out(state->gensec,
2109 state, &state->out);
2110 if (GENSEC_UPDATE_IS_NTERROR(status)) {
2111 tevent_req_nterror(req, status);
2112 return;
2115 state->status = status;
2116 tevent_req_done(req);
2117 return;
2120 static NTSTATUS gensec_spnego_update_out(struct gensec_security *gensec_security,
2121 TALLOC_CTX *out_mem_ctx,
2122 DATA_BLOB *_out)
2124 struct spnego_state *spnego_state =
2125 talloc_get_type_abort(gensec_security->private_data,
2126 struct spnego_state);
2127 DATA_BLOB out = data_blob_null;
2128 bool ok;
2130 *_out = data_blob_null;
2132 if (spnego_state->out_frag.length <= spnego_state->out_max_length) {
2134 * Fast path, we can deliver everything
2137 *_out = spnego_state->out_frag;
2138 if (spnego_state->out_frag.length > 0) {
2139 talloc_steal(out_mem_ctx, _out->data);
2140 spnego_state->out_frag = data_blob_null;
2143 if (!NT_STATUS_IS_OK(spnego_state->out_status)) {
2144 return spnego_state->out_status;
2148 * We're completely done, further updates are not allowed.
2150 spnego_state->state_position = SPNEGO_DONE;
2151 return gensec_child_ready(gensec_security,
2152 spnego_state->sub_sec_security);
2155 out = spnego_state->out_frag;
2158 * copy the remaining bytes
2160 spnego_state->out_frag = data_blob_talloc(spnego_state,
2161 out.data + spnego_state->out_max_length,
2162 out.length - spnego_state->out_max_length);
2163 if (spnego_state->out_frag.data == NULL) {
2164 return NT_STATUS_NO_MEMORY;
2168 * truncate the buffer
2170 ok = data_blob_realloc(spnego_state, &out,
2171 spnego_state->out_max_length);
2172 if (!ok) {
2173 return NT_STATUS_NO_MEMORY;
2176 talloc_steal(out_mem_ctx, out.data);
2177 *_out = out;
2178 return NT_STATUS_MORE_PROCESSING_REQUIRED;
2181 static NTSTATUS gensec_spnego_update_recv(struct tevent_req *req,
2182 TALLOC_CTX *out_mem_ctx,
2183 DATA_BLOB *out)
2185 struct gensec_spnego_update_state *state =
2186 tevent_req_data(req,
2187 struct gensec_spnego_update_state);
2188 NTSTATUS status;
2190 *out = data_blob_null;
2192 if (tevent_req_is_nterror(req, &status)) {
2193 tevent_req_received(req);
2194 return status;
2197 *out = state->out;
2198 talloc_steal(out_mem_ctx, state->out.data);
2199 status = state->status;
2200 tevent_req_received(req);
2201 return status;
2204 static const char *gensec_spnego_oids[] = {
2205 GENSEC_OID_SPNEGO,
2206 NULL
2209 static const struct gensec_security_ops gensec_spnego_security_ops = {
2210 .name = "spnego",
2211 .sasl_name = "GSS-SPNEGO",
2212 .auth_type = DCERPC_AUTH_TYPE_SPNEGO,
2213 .oid = gensec_spnego_oids,
2214 .client_start = gensec_spnego_client_start,
2215 .server_start = gensec_spnego_server_start,
2216 .update_send = gensec_spnego_update_send,
2217 .update_recv = gensec_spnego_update_recv,
2218 .seal_packet = gensec_child_seal_packet,
2219 .sign_packet = gensec_child_sign_packet,
2220 .sig_size = gensec_child_sig_size,
2221 .max_wrapped_size = gensec_child_max_wrapped_size,
2222 .max_input_size = gensec_child_max_input_size,
2223 .check_packet = gensec_child_check_packet,
2224 .unseal_packet = gensec_child_unseal_packet,
2225 .wrap = gensec_child_wrap,
2226 .unwrap = gensec_child_unwrap,
2227 .session_key = gensec_child_session_key,
2228 .session_info = gensec_child_session_info,
2229 .want_feature = gensec_child_want_feature,
2230 .have_feature = gensec_child_have_feature,
2231 .expire_time = gensec_child_expire_time,
2232 .final_auth_type = gensec_child_final_auth_type,
2233 .enabled = true,
2234 .priority = GENSEC_SPNEGO,
2235 .glue = true,
2238 _PUBLIC_ NTSTATUS gensec_spnego_init(TALLOC_CTX *ctx)
2240 NTSTATUS ret;
2241 ret = gensec_register(ctx, &gensec_spnego_security_ops);
2242 if (!NT_STATUS_IS_OK(ret)) {
2243 DEBUG(0,("Failed to register '%s' gensec backend!\n",
2244 gensec_spnego_security_ops.name));
2245 return ret;
2248 return ret;