Author: metze Date: 2007-07-25 12:43:40 +0000 (Wed, 25 Jul 2007) New Revision: 24043
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24043 Log: merge from SAMBA_3_0 (r22092-r22093): - make spnego_parse_auth_response() more generic and not specific for NTLMSSP - it's possible that the server sends a mechOID and authdata if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE - send also the correct OID_KERBEROS5 not only the broken OID_KERBEROS_OLD one. metze Modified: branches/SAMBA_3_2_0/source/libads/sasl.c branches/SAMBA_3_2_0/source/libsmb/cliconnect.c branches/SAMBA_3_2_0/source/libsmb/clispnego.c branches/SAMBA_3_2_0/source/rpc_client/cli_pipe.c Changeset: Modified: branches/SAMBA_3_2_0/source/libads/sasl.c =================================================================== --- branches/SAMBA_3_2_0/source/libads/sasl.c 2007-07-25 10:34:16 UTC (rev 24042) +++ branches/SAMBA_3_2_0/source/libads/sasl.c 2007-07-25 12:43:40 UTC (rev 24043) @@ -228,7 +228,7 @@ } data_blob_free(&tmp_blob); } else if (rc == LDAP_SASL_BIND_IN_PROGRESS) { - if (!spnego_parse_auth_response(blob, nt_status, + if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP, &blob_in)) { ntlmssp_end(&ntlmssp_state); Modified: branches/SAMBA_3_2_0/source/libsmb/cliconnect.c =================================================================== --- branches/SAMBA_3_2_0/source/libsmb/cliconnect.c 2007-07-25 10:34:16 UTC (rev 24042) +++ branches/SAMBA_3_2_0/source/libsmb/cliconnect.c 2007-07-25 12:43:40 UTC (rev 24043) @@ -723,7 +723,7 @@ } data_blob_free(&tmp_blob); } else { - if (!spnego_parse_auth_response(blob, nt_status, + if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP, &blob_in)) { DEBUG(3,("Failed to parse auth response\n")); if (NT_STATUS_IS_OK(nt_status) Modified: branches/SAMBA_3_2_0/source/libsmb/clispnego.c =================================================================== --- branches/SAMBA_3_2_0/source/libsmb/clispnego.c 2007-07-25 10:34:16 UTC (rev 24042) +++ branches/SAMBA_3_2_0/source/libsmb/clispnego.c 2007-07-25 12:43:40 UTC (rev 24043) @@ -347,7 +347,7 @@ { int retval; DATA_BLOB tkt, tkt_wrapped; - const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_NTLMSSP, NULL}; + const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, OID_NTLMSSP, NULL}; /* get a kerberos ticket for the service and extract the session key */ retval = cli_krb5_get_ticket(principal, time_offset, @@ -517,9 +517,10 @@ } /* - parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords + parse a SPNEGO auth packet. This contains the encrypted passwords */ -BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status, +BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status, + const char *mechOID, DATA_BLOB *auth) { ASN1_DATA data; @@ -540,14 +541,20 @@ asn1_check_enumerated(&data, negResult); asn1_end_tag(&data); - if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) { + *auth = data_blob(NULL,0); + + if (asn1_tag_remaining(&data)) { asn1_start_tag(&data,ASN1_CONTEXT(1)); - asn1_check_OID(&data, OID_NTLMSSP); + asn1_check_OID(&data, mechOID); asn1_end_tag(&data); - - asn1_start_tag(&data,ASN1_CONTEXT(2)); - asn1_read_OctetString(&data, auth); - asn1_end_tag(&data); + + if (asn1_tag_remaining(&data)) { + asn1_start_tag(&data,ASN1_CONTEXT(2)); + asn1_read_OctetString(&data, auth); + asn1_end_tag(&data); + } + } else if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) { + data.has_error = 1; } asn1_end_tag(&data); Modified: branches/SAMBA_3_2_0/source/rpc_client/cli_pipe.c =================================================================== --- branches/SAMBA_3_2_0/source/rpc_client/cli_pipe.c 2007-07-25 10:34:16 UTC (rev 24042) +++ branches/SAMBA_3_2_0/source/rpc_client/cli_pipe.c 2007-07-25 12:43:40 UTC (rev 24043) @@ -2001,7 +2001,7 @@ prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len); /* Check we got a valid auth response. */ - if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, &tmp_blob)) { + if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, OID_NTLMSSP, &tmp_blob)) { data_blob_free(&server_spnego_response); data_blob_free(&tmp_blob); return NT_STATUS_INVALID_PARAMETER;
