diff options
-rw-r--r-- | source3/include/proto.h | 4 | ||||
-rw-r--r-- | source3/libads/sasl.c | 3 | ||||
-rw-r--r-- | source3/libsmb/cliconnect.c | 3 | ||||
-rw-r--r-- | source3/libsmb/clispnego.c | 70 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 3 | ||||
-rw-r--r-- | source3/smbd/negprot.c | 6 |
6 files changed, 28 insertions, 61 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index a0bb55c0a8..a85f7b5434 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -2821,9 +2821,9 @@ bool cli_set_secdesc(struct cli_state *cli, uint16_t fnum, struct security_descr /* The following definitions come from libsmb/clispnego.c */ -DATA_BLOB spnego_gen_negTokenInit(const char *OIDs[], +DATA_BLOB spnego_gen_negTokenInit(const char *OIDs[], + DATA_BLOB *psecblob, const char *principal); -DATA_BLOB gen_negTokenInit(const char *OID, DATA_BLOB blob); bool spnego_parse_negTokenInit(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], char **principal, diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index aa3acbd9ae..b314eb9c0f 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -190,8 +190,9 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads) || NT_STATUS_IS_OK(nt_status)) && blob_out.length) { if (turn == 1) { + const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL}; /* and wrap it in a SPNEGO wrapper */ - msg1 = gen_negTokenInit(OID_NTLMSSP, blob_out); + msg1 = spnego_gen_negTokenInit(OIDs_ntlm, &blob_out, NULL); } else { /* wrap it in SPNEGO */ msg1 = spnego_gen_auth(blob_out); diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 7fe359b9ae..a8e359dab1 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -984,6 +984,7 @@ static struct tevent_req *cli_session_setup_ntlmssp_send( struct cli_session_setup_ntlmssp_state *state; NTSTATUS status; DATA_BLOB blob_out; + const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL}; req = tevent_req_create(mem_ctx, &state, struct cli_session_setup_ntlmssp_state); @@ -1032,7 +1033,7 @@ static struct tevent_req *cli_session_setup_ntlmssp_send( goto fail; } - state->blob_out = gen_negTokenInit(OID_NTLMSSP, blob_out); + state->blob_out = spnego_gen_negTokenInit(OIDs_ntlm, &blob_out, NULL); data_blob_free(&blob_out); subreq = cli_sesssetup_blob_send(state, ev, cli, state->blob_out); diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index 2cf276485e..e1eb03bb6f 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -25,9 +25,11 @@ /* generate a negTokenInit packet given a list of supported - OIDs (the mechanisms) and a principal name string + OIDs (the mechanisms) a blob, and a principal name string */ -DATA_BLOB spnego_gen_negTokenInit(const char *OIDs[], + +DATA_BLOB spnego_gen_negTokenInit(const char *OIDs[], + DATA_BLOB *psecblob, const char *principal) { int i; @@ -52,61 +54,23 @@ DATA_BLOB spnego_gen_negTokenInit(const char *OIDs[], asn1_pop_tag(data); asn1_pop_tag(data); - asn1_push_tag(data, ASN1_CONTEXT(3)); - asn1_push_tag(data, ASN1_SEQUENCE(0)); - asn1_push_tag(data, ASN1_CONTEXT(0)); - asn1_write_GeneralString(data,principal); - asn1_pop_tag(data); - asn1_pop_tag(data); - asn1_pop_tag(data); - - asn1_pop_tag(data); - asn1_pop_tag(data); - - asn1_pop_tag(data); - - if (data->has_error) { - DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data->ofs)); + if (psecblob && psecblob->length && psecblob->data) { + asn1_push_tag(data, ASN1_CONTEXT(2)); + asn1_write_OctetString(data,psecblob->data, + psecblob->length); + asn1_pop_tag(data); } - ret = data_blob(data->data, data->length); - asn1_free(data); - - return ret; -} - -/* - Generate a negTokenInit as used by the client side ... It has a mechType - (OID), and a mechToken (a security blob) ... - - Really, we need to break out the NTLMSSP stuff as well, because it could be - raw in the packets! -*/ -DATA_BLOB gen_negTokenInit(const char *OID, DATA_BLOB blob) -{ - ASN1_DATA *data; - DATA_BLOB ret; - - data = asn1_init(talloc_tos()); - if (data == NULL) { - return data_blob_null; + if (principal) { + asn1_push_tag(data, ASN1_CONTEXT(3)); + asn1_push_tag(data, ASN1_SEQUENCE(0)); + asn1_push_tag(data, ASN1_CONTEXT(0)); + asn1_write_GeneralString(data,principal); + asn1_pop_tag(data); + asn1_pop_tag(data); + asn1_pop_tag(data); } - asn1_push_tag(data, ASN1_APPLICATION(0)); - asn1_write_OID(data,OID_SPNEGO); - asn1_push_tag(data, ASN1_CONTEXT(0)); - asn1_push_tag(data, ASN1_SEQUENCE(0)); - - asn1_push_tag(data, ASN1_CONTEXT(0)); - asn1_push_tag(data, ASN1_SEQUENCE(0)); - asn1_write_OID(data, OID); - asn1_pop_tag(data); - asn1_pop_tag(data); - - asn1_push_tag(data, ASN1_CONTEXT(2)); - asn1_write_OctetString(data,blob.data,blob.length); - asn1_pop_tag(data); - asn1_pop_tag(data); asn1_pop_tag(data); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 8dd9386eab..2e777466c4 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -1338,6 +1338,7 @@ static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client * DATA_BLOB null_blob = data_blob_null; DATA_BLOB request = data_blob_null; DATA_BLOB spnego_msg = data_blob_null; + const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL}; DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n")); status = ntlmssp_update(cli->auth->a_u.ntlmssp_state, @@ -1350,7 +1351,7 @@ static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client * } /* Wrap this in SPNEGO. */ - spnego_msg = gen_negTokenInit(OID_NTLMSSP, request); + spnego_msg = spnego_gen_negTokenInit(OIDs_ntlm, &request, NULL); data_blob_free(&request); diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index e7cf5b7591..c5c83cac30 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -189,7 +189,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) OID_KERBEROS5_OLD, OID_NTLMSSP, NULL}; - const char *OIDs_plain[] = {OID_NTLMSSP, NULL}; + const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL}; sconn->smb1.negprot.spnego = true; /* strangely enough, NT does not sent the single OID NTLMSSP when @@ -211,7 +211,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) blob = data_blob(guid, 16); #else /* Code for standalone WXP client */ - blob = spnego_gen_negTokenInit(OIDs_plain, "NONE"); + blob = spnego_gen_negTokenInit(OIDs_ntlm, NULL, "NONE"); #endif } else { fstring myname; @@ -222,7 +222,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) == -1) { return data_blob_null; } - blob = spnego_gen_negTokenInit(OIDs_krb5, host_princ_s); + blob = spnego_gen_negTokenInit(OIDs_krb5, NULL, host_princ_s); SAFE_FREE(host_princ_s); } |