ASN.1 and some fun...

Nicolas Williams Nicolas.Williams at
Mon Oct 30 21:14:27 GMT 2000

[Thanks to Peter Samuelson for fixing his archives to include Message-Id
 headers tarting in October... :)]

On Sun, 29 Oct 2000, Mayers, Philip J wrote:
> Hohoho... I've just had a real chuckle...
> The serious stuff first - we're going to need a GSSAPI library that can
> implement SNEGO (we knew that already). I don't know of any GPL ones, so
> we're going to have to write one. This has the advantage we can hook in and
> intercept the NTLM mechanism much more easily, too.

I think the NTLM stuff is not done in GSS-API/SPNEOG in W2K.

> So, SNEGO - fine. Does anyone have any recommendations for a good, GPL'd
> ASN.1 encoding and decoding library. Ideally, it should be self-contained,
> easy to use, and as cross-platform as possible.


> Thoughts?
> Now for the humorous event of the evening:
> If the extended security flags option in Flags2 of the SMB is set, the
> NegProt response payload will take a different form. The first 16 bytes are
> the server GUID (hence my earlier question). The remainder is the ASN.1
> encoding of the SNEGO token.
> As detailed in the presentation by Craig Russell from Unisys, MS clients
> seem to send the wrong OID for the Krb5 mechanism - they send (for the ASN.1
> heads):
> .1.2.840.48018.1.2.2 (encoded as 2A 86 48 82 F7 12 01 02 02)
> It should be:
> .1.2.840.113554.1.2.2 (encoded as 2A 86 48 86 F7 12 01 02 02)
> In other words, they managed to get bit 3 of octet 4 toggled off, when it
> should be on. All Win2K clients (certainly pre-SP1) show this behaviour.
> Hahahahahahahahahahahahahahahaha... Laugh, I nearly died...

I think there's two Kerberos GSS mechanism OIDs, because the original
spec was superceded by a new spec. Look it up, maybe the OID they use
isn't "wrong," just outdated.

> Regards,
> Phil


More information about the samba-technical mailing list