[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Mon Jul 19 15:23:47 MDT 2010 

The branch, master has been updated
       via  962951e... Fix [Bug 7577] SPNEGO auth fails when contacting Win7 system using Microsoft Live Sign-in Assistant Based on code from <david.kondrad at legrand.us>. Cope with every NegTokenInit ::= SEQUENCE value. Jeremy.
      from  6763730... s3: Avoid pwrite calls for the 1-byte writes with zero content

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 962951e63d0bd3588085314b3bd94bac35415347
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Jul 19 14:21:01 2010 -0700

    Fix [Bug 7577] SPNEGO auth fails when contacting Win7 system using Microsoft Live Sign-in Assistant
    Based on code from <david.kondrad at legrand.us>. Cope with every NegTokenInit ::= SEQUENCE value.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/clispnego.c |   61 ++++++++++++++++++++++++++++++++++++++-----
 1 files changed, 54 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 264743b..09efb56 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -146,9 +146,16 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob,
 	asn1_start_tag(data,ASN1_APPLICATION(0));
 
 	asn1_check_OID(data,OID_SPNEGO);
+
+	/* negTokenInit  [0]  NegTokenInit */
 	asn1_start_tag(data,ASN1_CONTEXT(0));
 	asn1_start_tag(data,ASN1_SEQUENCE(0));
 
+	/* mechTypes [0] MechTypeList  OPTIONAL */
+
+	/* Not really optional, we depend on this to decide
+	 * what mechanisms we have to work with. */
+
 	asn1_start_tag(data,ASN1_CONTEXT(0));
 	asn1_start_tag(data,ASN1_SEQUENCE(0));
 	for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) {
@@ -161,14 +168,54 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob,
 	asn1_end_tag(data);
 
 	*principal = NULL;
+
+	/*
+	  Win7 + Live Sign-in Assistant attaches a mechToken
+	  ASN1_CONTEXT(2) to the negTokenInit packet
+	  which breaks our negotiation if we just assume
+	  the next tag is ASN1_CONTEXT(3).
+	*/
+
 	if (asn1_tag_remaining(data) > 0) {
-		asn1_start_tag(data, ASN1_CONTEXT(3));
-		asn1_start_tag(data, ASN1_SEQUENCE(0));
-		asn1_start_tag(data, ASN1_CONTEXT(0));
-		asn1_read_GeneralString(data,talloc_autofree_context(),principal);
-		asn1_end_tag(data);
-		asn1_end_tag(data);
-		asn1_end_tag(data);
+		if (asn1_peek_tag(data, ASN1_CONTEXT(1))) {
+			uint8 flags;
+
+			/* reqFlags [1] ContextFlags  OPTIONAL */
+			asn1_start_tag(data, ASN1_CONTEXT(1));
+			asn1_start_tag(data, ASN1_BIT_STRING);
+			while (asn1_tag_remaining(data) > 0) {
+				asn1_read_uint8(data, &flags);
+			}
+			asn1_end_tag(data);
+			asn1_end_tag(data);
+		}
+	}
+
+	if (asn1_tag_remaining(data) > 0) {
+		if (asn1_peek_tag(data, ASN1_CONTEXT(2))) {
+			/* mechToken [2] OCTET STRING  OPTIONAL */
+			DATA_BLOB token;
+			asn1_start_tag(data, ASN1_CONTEXT(2));
+			asn1_read_OctetString(data, talloc_autofree_context(),
+				&token);
+			asn1_end_tag(data);
+			/* Throw away the token - not used. */
+			data_blob_free(&token);
+		}
+	}
+
+	if (asn1_tag_remaining(data) > 0) {
+		if (asn1_peek_tag(data, ASN1_CONTEXT(3))) {
+			/* mechListMIC [3] OCTET STRING  OPTIONAL */
+			asn1_start_tag(data, ASN1_CONTEXT(3));
+			asn1_start_tag(data, ASN1_SEQUENCE(0));
+			asn1_start_tag(data, ASN1_CONTEXT(0));
+			asn1_read_GeneralString(data,talloc_autofree_context(),
+				principal);
+			asn1_end_tag(data);
+			asn1_end_tag(data);
+			asn1_end_tag(data);
+		}
 	}
 
 	asn1_end_tag(data);


-- 
Samba Shared Repository

More information about the samba-cvs mailing list