svn commit: samba r24043 - in branches/SAMBA_3_2_0/source: libads libsmb rpc_client

metze at samba.org metze at samba.org
Wed Jul 25 12:43:41 GMT 2007


Author: metze
Date: 2007-07-25 12:43:40 +0000 (Wed, 25 Jul 2007)
New Revision: 24043

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24043

Log:
merge from SAMBA_3_0 (r22092-r22093):
- make spnego_parse_auth_response() more generic and
  not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
  if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
  force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE
- send also the correct OID_KERBEROS5 not only the broken
  OID_KERBEROS_OLD one.
 
metze    
Modified:
   branches/SAMBA_3_2_0/source/libads/sasl.c
   branches/SAMBA_3_2_0/source/libsmb/cliconnect.c
   branches/SAMBA_3_2_0/source/libsmb/clispnego.c
   branches/SAMBA_3_2_0/source/rpc_client/cli_pipe.c


Changeset:
Modified: branches/SAMBA_3_2_0/source/libads/sasl.c
===================================================================
--- branches/SAMBA_3_2_0/source/libads/sasl.c	2007-07-25 10:34:16 UTC (rev 24042)
+++ branches/SAMBA_3_2_0/source/libads/sasl.c	2007-07-25 12:43:40 UTC (rev 24043)
@@ -228,7 +228,7 @@
 			}
 			data_blob_free(&tmp_blob);
 		} else if (rc == LDAP_SASL_BIND_IN_PROGRESS) {
-			if (!spnego_parse_auth_response(blob, nt_status, 
+			if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP, 
 							&blob_in)) {
 
 				ntlmssp_end(&ntlmssp_state);

Modified: branches/SAMBA_3_2_0/source/libsmb/cliconnect.c
===================================================================
--- branches/SAMBA_3_2_0/source/libsmb/cliconnect.c	2007-07-25 10:34:16 UTC (rev 24042)
+++ branches/SAMBA_3_2_0/source/libsmb/cliconnect.c	2007-07-25 12:43:40 UTC (rev 24043)
@@ -723,7 +723,7 @@
 			}
 			data_blob_free(&tmp_blob);
 		} else {
-			if (!spnego_parse_auth_response(blob, nt_status, 
+			if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP, 
 							&blob_in)) {
 				DEBUG(3,("Failed to parse auth response\n"));
 				if (NT_STATUS_IS_OK(nt_status) 

Modified: branches/SAMBA_3_2_0/source/libsmb/clispnego.c
===================================================================
--- branches/SAMBA_3_2_0/source/libsmb/clispnego.c	2007-07-25 10:34:16 UTC (rev 24042)
+++ branches/SAMBA_3_2_0/source/libsmb/clispnego.c	2007-07-25 12:43:40 UTC (rev 24043)
@@ -347,7 +347,7 @@
 {
 	int retval;
 	DATA_BLOB tkt, tkt_wrapped;
-	const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_NTLMSSP, NULL};
+	const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, OID_NTLMSSP, NULL};
 
 	/* get a kerberos ticket for the service and extract the session key */
 	retval = cli_krb5_get_ticket(principal, time_offset,
@@ -517,9 +517,10 @@
 }
 
 /*
- parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords
+ parse a SPNEGO auth packet. This contains the encrypted passwords
 */
-BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status, 
+BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
+				const char *mechOID,
 				DATA_BLOB *auth)
 {
 	ASN1_DATA data;
@@ -540,14 +541,20 @@
 	asn1_check_enumerated(&data, negResult);
 	asn1_end_tag(&data);
 
-	if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) {
+	*auth = data_blob(NULL,0);
+
+	if (asn1_tag_remaining(&data)) {
 		asn1_start_tag(&data,ASN1_CONTEXT(1));
-		asn1_check_OID(&data, OID_NTLMSSP);
+		asn1_check_OID(&data, mechOID);
 		asn1_end_tag(&data);
-		
-		asn1_start_tag(&data,ASN1_CONTEXT(2));
-		asn1_read_OctetString(&data, auth);
-		asn1_end_tag(&data);
+
+		if (asn1_tag_remaining(&data)) {
+			asn1_start_tag(&data,ASN1_CONTEXT(2));
+			asn1_read_OctetString(&data, auth);
+			asn1_end_tag(&data);
+		}
+	} else if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) {
+		data.has_error = 1;
 	}
 
 	asn1_end_tag(&data);

Modified: branches/SAMBA_3_2_0/source/rpc_client/cli_pipe.c
===================================================================
--- branches/SAMBA_3_2_0/source/rpc_client/cli_pipe.c	2007-07-25 10:34:16 UTC (rev 24042)
+++ branches/SAMBA_3_2_0/source/rpc_client/cli_pipe.c	2007-07-25 12:43:40 UTC (rev 24043)
@@ -2001,7 +2001,7 @@
 	prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
 
 	/* Check we got a valid auth response. */
-	if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, &tmp_blob)) {
+	if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, OID_NTLMSSP, &tmp_blob)) {
 		data_blob_free(&server_spnego_response);
 		data_blob_free(&tmp_blob);
 		return NT_STATUS_INVALID_PARAMETER;



More information about the samba-cvs mailing list