r22092: - make spnego_parse_auth_response() more generic and
authorStefan Metzmacher <metze@samba.org>
Thu, 5 Apr 2007 12:30:23 +0000 (12:30 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:19:10 +0000 (12:19 -0500)
  not specific for NTLMSSP
- it's possible that the server sends a mechOID and authdata
  if negResult != SPNEGO_NEG_RESULT_INCOMPLETE, but we still
  force the mechOID to be present if negResult == SPNEGO_NEG_RESULT_INCOMPLETE

metze
(This used to be commit e9f2aa22f90208a5e530ef3b68664151960a0a22)

source3/libads/sasl.c
source3/libsmb/cliconnect.c
source3/libsmb/clispnego.c
source3/rpc_client/cli_pipe.c

index 0067a19d3b602156f1fd3c226ca222a4cbd6dcf0..b5f92044ef6125a8d2af5289b67aa11e029b51d7 100644 (file)
@@ -114,7 +114,7 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
                        }
                        data_blob_free(&tmp_blob);
                } else if (rc == LDAP_SASL_BIND_IN_PROGRESS) {
-                       if (!spnego_parse_auth_response(blob, nt_status, 
+                       if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP, 
                                                        &blob_in)) {
 
                                ntlmssp_end(&ntlmssp_state);
index 3970731b45fba45eff90e3533a23e1e6c4c6c640..3b9c477b26a04f4a30725b128c0f7dcbcfbcdff7 100644 (file)
@@ -722,7 +722,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
                        }
                        data_blob_free(&tmp_blob);
                } else {
-                       if (!spnego_parse_auth_response(blob, nt_status, 
+                       if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP, 
                                                        &blob_in)) {
                                DEBUG(3,("Failed to parse auth response\n"));
                                if (NT_STATUS_IS_OK(nt_status) 
index 6aca217e259304be67eccd7c6ba484d1874f66b6..0c4217c4176d499b9b6b813842203b140a7896de 100644 (file)
@@ -518,9 +518,10 @@ DATA_BLOB spnego_gen_auth_response(DATA_BLOB *reply, NTSTATUS nt_status,
 }
 
 /*
- parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords
+ parse a SPNEGO auth packet. This contains the encrypted passwords
 */
-BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status, 
+BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
+                               const char *mechOID,
                                DATA_BLOB *auth)
 {
        ASN1_DATA data;
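Review bot: The comment above `spnego_parse_auth_response()` does not describe the new `mechOID` parameter or what the caller now gets back in `auth`. I would extend it with lines such as `mechOID: mechanism OID the server's supportedMech must match` and `*auth is overwritten and may be zero-length when the reply carries no responseToken`. It should also say whether a NULL `mechOID` is allowed, since how `asn1_check_OID()` handles NULL is not visible here. The remaining sentence, "This contains the encrypted passwords", no longer fits a parser that is meant to be mechanism-independent. The function body continues past this hunk.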
@@ -541,14 +542,20 @@ BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
        asn1_check_enumerated(&data, negResult);
        asn1_end_tag(&data);
 
-       if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) {
+       *auth = data_blob(NULL,0);
+
+       if (asn1_tag_remaining(&data)) {
                asn1_start_tag(&data,ASN1_CONTEXT(1));
-               asn1_check_OID(&data, OID_NTLMSSP);
-               asn1_end_tag(&data);
-               
-               asn1_start_tag(&data,ASN1_CONTEXT(2));
-               asn1_read_OctetString(&data, auth);
+               asn1_check_OID(&data, mechOID);
                asn1_end_tag(&data);
+
+               if (asn1_tag_remaining(&data)) {
+                       asn1_start_tag(&data,ASN1_CONTEXT(2));
+                       asn1_read_OctetString(&data, auth);
+                       asn1_end_tag(&data);
+               }
+       } else if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) {
+               data.has_error = 1;
        }
 
        asn1_end_tag(&data);
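Review bot: With `negResult == SPNEGO_NEG_RESULT_INCOMPLETE`, a reply that carries the mechOID but no responseToken now parses successfully and hands the caller a zero-length `auth`, because the `else if` only fires when nothing at all follows negResult; the old code required both elements in that state. If the callers expect a token whenever negotiation continues, add after the outer block `if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE && auth->length == 0) data.has_error = 1;`, otherwise document that callers must handle an empty blob. Separately, both `if (asn1_tag_remaining(&data))` tests treat any non-zero value as "more data"; if that helper can return a negative value on error (its definition is not shown), `> 0` would be the safer comparison. The function starts and ends outside this hunk, so the error path that is expected to free `auth` cannot be checked from here.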
index c7c1b7fe69c9699567c62e315d63bdcf4adacf10..ab7f0b9b4784be75a56202d870d984153b65618f 100644 (file)
@@ -2002,7 +2002,7 @@ static NTSTATUS rpc_finish_spnego_ntlmssp_bind(struct rpc_pipe_client *cli,
        prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len);
 
        /* Check we got a valid auth response. */
-       if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, &tmp_blob)) {
+       if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, OID_NTLMSSP, &tmp_blob)) {
                data_blob_free(&server_spnego_response);
                data_blob_free(&tmp_blob);
                return NT_STATUS_INVALID_PARAMETER;