authorStefan Metzmacher <metze@samba.org>2007-04-05 12:30:23 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:19:10 -0500
commiteceb926df94063e91c5abc96f52a1bc7b45ce290 (patch)
tree80b5557d9972349a5e1782fe5355ab68acd75fdf
parentbcab9254cc65e72dcb885aac8faec095143587e9 (diff)
r22092: - make spnego_parse_auth_response() more generic and
not specific for NTLMSSP - it's possible that the server sends a mechOID and authdata if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE metze (This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)
-rw-r--r--source3/libads/sasl.c2
-rw-r--r--source3/libsmb/cliconnect.c2
-rw-r--r--source3/libsmb/clispnego.c23
-rw-r--r--source3/rpc_client/cli_pipe.c2
4 files changed, 18 insertions, 11 deletions
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 0067a19d3b..b5f92044ef 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -114,7 +114,7 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
}
data_blob_free(&tmp_blob);
} else if (rc == LDAP_SASL_BIND_IN_PROGRESS) {
- if (!spnego_parse_auth_response(blob, nt_status,
+ if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP,
&blob_in)) {
ntlmssp_end(&ntlmssp_state);
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 3970731b45..3b9c477b26 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -722,7 +722,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
}
data_blob_free(&tmp_blob);
} else {
- if (!spnego_parse_auth_response(blob, nt_status,
+ if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP,
&blob_in)) {
DEBUG(3,("Failed to parse auth response\n"));
if (NT_STATUS_IS_OK(nt_status)
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 6aca217e25..0c4217c417 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -518,9 +518,10 @@ DATA_BLOB spnego_gen_auth_response(DATA_BLOB *reply, NTSTATUS nt_status,
}
/*
- parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords
+ parse a SPNEGO auth packet. This contains the encrypted passwords
*/
-BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
+BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
+ const char *mechOID,
DATA_BLOB *auth)
{
ASN1_DATA data;
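Review bot: The header comment above `spnego_parse_auth_response()` does not describe the new `mechOID` parameter, and "This contains the encrypted passwords" no longer fits a parser that is meant to be mechanism-neutral. I would reword it along the lines of `parse a SPNEGO auth response; mechOID is the mechanism the caller negotiated and must match the server's mechOID element when one is sent`. It should also say whether `mechOID` may be NULL, since the value is handed straight to `asn1_check_OID()` further down. The function body continues outside this hunk.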
@@ -541,14 +542,20 @@ BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
asn1_check_enumerated(&data, negResult);
asn1_end_tag(&data);
- if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) {
+ *auth = data_blob(NULL,0);
+
+ if (asn1_tag_remaining(&data)) {
asn1_start_tag(&data,ASN1_CONTEXT(1));
- asn1_check_OID(&data, OID_NTLMSSP);
- asn1_end_tag(&data);
-
- asn1_start_tag(&data,ASN1_CONTEXT(2));
- asn1_read_OctetString(&data, auth);
+ asn1_check_OID(&data, mechOID);
asn1_end_tag(&data);
+
+ if (asn1_tag_remaining(&data)) {
+ asn1_start_tag(&data,ASN1_CONTEXT(2));
+ asn1_read_OctetString(&data, auth);
+ asn1_end_tag(&data);
+ }
+ } else if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) {
+ data.has_error = 1;
}
asn1_end_tag(&data);
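Review bot: In the new `if (asn1_tag_remaining(&data))` branch, a reply with negResult `SPNEGO_NEG_RESULT_INCOMPLETE` that carries a mechOID but no [2] element now parses without setting `data.has_error`, leaving `*auth` as the empty blob from `data_blob(NULL,0)`; only the missing-mechOID case is rejected. If an incomplete negotiation without a token is not meant to be accepted from the server, the inner `if` could take `else if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) { data.has_error = 1; }`; otherwise the three callers have to cope with a zero-length auth blob. The branch also assumes that whatever follows negResult starts with the [1] mechOID element, so a reply holding only a [2] token fails at `asn1_start_tag(&data,ASN1_CONTEXT(1))`; a comment such as `/* mechOID [1] must precede the token [2]; a token-only reply is rejected */` would record that. The function's return path is outside this hunk, so how `has_error` reaches the caller is inferred.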
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index c7c1b7fe69..ab7f0b9b47 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2002,7 +2002,7 @@ static NTSTATUS rpc_finish_spnego_ntlmssp_bind(struct rpc_pipe_client *cli,
prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
/* Check we got a valid auth response. */
- if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, &tmp_blob)) {
+ if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, OID_NTLMSSP, &tmp_blob)) {
data_blob_free(&server_spnego_response);
data_blob_free(&tmp_blob);
return NT_STATUS_INVALID_PARAMETER;