static bool read_negTokenTarg(struct asn1_data *asn1, TALLOC_CTX *mem_ctx, struct spnego_negTokenTarg *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { uint8_t context; if (!asn1_peek_uint8(asn1, &context)) { asn1->has_error = true; break; } switch (context) { case ASN1_CONTEXT(0): asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_ENUMERATED); asn1_read_uint8(asn1, &token->negResult); asn1_end_tag(asn1); asn1_end_tag(asn1); break; case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_OID(asn1, mem_ctx, &token->supportedMech); asn1_end_tag(asn1); break; case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, mem_ctx, &token->responseToken); asn1_end_tag(asn1); break; case ASN1_CONTEXT(3): asn1_start_tag(asn1, ASN1_CONTEXT(3)); asn1_read_OctetString(asn1, mem_ctx, &token->mechListMIC); asn1_end_tag(asn1); break; default: asn1->has_error = true; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }
/* parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords */ BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status, DATA_BLOB *auth) { ASN1_DATA data; uint8 negResult; if (NT_STATUS_IS_OK(nt_status)) { negResult = SPNEGO_NEG_RESULT_ACCEPT; } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { negResult = SPNEGO_NEG_RESULT_INCOMPLETE; } else { negResult = SPNEGO_NEG_RESULT_REJECT; } asn1_load(&data, blob); asn1_start_tag(&data, ASN1_CONTEXT(1)); asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_check_enumerated(&data, negResult); asn1_end_tag(&data); if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) { asn1_start_tag(&data,ASN1_CONTEXT(1)); asn1_check_OID(&data, OID_NTLMSSP); asn1_end_tag(&data); asn1_start_tag(&data,ASN1_CONTEXT(2)); asn1_read_OctetString(&data, auth); asn1_end_tag(&data); } asn1_end_tag(&data); asn1_end_tag(&data); if (data.has_error) { DEBUG(3,("spnego_parse_auth_response failed at %d\n", (int)data.ofs)); asn1_free(&data); data_blob_free(auth); return False; } asn1_free(&data); return True; }
/* parse a negTokenInit packet giving a GUID, a list of supported OIDs (the mechanisms) and a principal name string */ BOOL spnego_parse_negTokenInit(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], char **principal) { int i; BOOL ret; ASN1_DATA data; asn1_load(&data, blob); asn1_start_tag(&data,ASN1_APPLICATION(0)); asn1_check_OID(&data,OID_SPNEGO); asn1_start_tag(&data,ASN1_CONTEXT(0)); asn1_start_tag(&data,ASN1_SEQUENCE(0)); asn1_start_tag(&data,ASN1_CONTEXT(0)); asn1_start_tag(&data,ASN1_SEQUENCE(0)); for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) { char *oid_str = NULL; asn1_read_OID(&data,&oid_str); OIDs[i] = oid_str; } OIDs[i] = NULL; asn1_end_tag(&data); asn1_end_tag(&data); asn1_start_tag(&data, ASN1_CONTEXT(3)); asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_read_GeneralString(&data,principal); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); ret = !data.has_error; asn1_free(&data); return ret; }
/* generate a SPNEGO auth packet. This will contain the encrypted passwords */ DATA_BLOB spnego_gen_auth(DATA_BLOB blob) { ASN1_DATA data; DATA_BLOB ret; memset(&data, 0, sizeof(data)); asn1_push_tag(&data, ASN1_CONTEXT(1)); asn1_push_tag(&data, ASN1_SEQUENCE(0)); asn1_push_tag(&data, ASN1_CONTEXT(2)); asn1_write_OctetString(&data,blob.data,blob.length); asn1_pop_tag(&data); asn1_pop_tag(&data); asn1_pop_tag(&data); ret = data_blob(data.data, data.length); asn1_free(&data); return ret; }
/* generate a minimal SPNEGO response packet. Doesn't contain much. */ DATA_BLOB spnego_gen_auth_response(DATA_BLOB *reply, NTSTATUS nt_status, const char *mechOID) { ASN1_DATA data; DATA_BLOB ret; uint8 negResult; if (NT_STATUS_IS_OK(nt_status)) { negResult = SPNEGO_NEG_RESULT_ACCEPT; } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { negResult = SPNEGO_NEG_RESULT_INCOMPLETE; } else { negResult = SPNEGO_NEG_RESULT_REJECT; } ZERO_STRUCT(data); asn1_push_tag(&data, ASN1_CONTEXT(1)); asn1_push_tag(&data, ASN1_SEQUENCE(0)); asn1_push_tag(&data, ASN1_CONTEXT(0)); asn1_write_enumerated(&data, negResult); asn1_pop_tag(&data); if (reply->data != NULL) { asn1_push_tag(&data,ASN1_CONTEXT(1)); asn1_write_OID(&data, mechOID); asn1_pop_tag(&data); asn1_push_tag(&data,ASN1_CONTEXT(2)); asn1_write_OctetString(&data, reply->data, reply->length); asn1_pop_tag(&data); } asn1_pop_tag(&data); asn1_pop_tag(&data); ret = data_blob(data.data, data.length); asn1_free(&data); return ret; }
/* parse a negTokenTarg packet giving a list of OIDs and a security blob */ BOOL parse_negTokenTarg(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], DATA_BLOB *secblob) { int i; ASN1_DATA data; asn1_load(&data, blob); asn1_start_tag(&data, ASN1_APPLICATION(0)); asn1_check_OID(&data,OID_SPNEGO); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_start_tag(&data, ASN1_SEQUENCE(0)); for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) { char *oid_str = NULL; asn1_read_OID(&data,&oid_str); OIDs[i] = oid_str; } OIDs[i] = NULL; asn1_end_tag(&data); asn1_end_tag(&data); asn1_start_tag(&data, ASN1_CONTEXT(2)); asn1_read_OctetString(&data,secblob); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); if (data.has_error) { DEBUG(1,("Failed to parse negTokenTarg at offset %d\n", (int)data.ofs)); asn1_free(&data); return False; } asn1_free(&data); return True; }
/* generate a negTokenTarg packet given a list of OIDs and a security blob */ DATA_BLOB gen_negTokenTarg(const char *OIDs[], DATA_BLOB blob) { int i; ASN1_DATA data; DATA_BLOB ret; memset(&data, 0, sizeof(data)); asn1_push_tag(&data, ASN1_APPLICATION(0)); asn1_write_OID(&data,OID_SPNEGO); asn1_push_tag(&data, ASN1_CONTEXT(0)); asn1_push_tag(&data, ASN1_SEQUENCE(0)); asn1_push_tag(&data, ASN1_CONTEXT(0)); asn1_push_tag(&data, ASN1_SEQUENCE(0)); for (i=0; OIDs[i]; i++) { asn1_write_OID(&data,OIDs[i]); } asn1_pop_tag(&data); asn1_pop_tag(&data); asn1_push_tag(&data, ASN1_CONTEXT(2)); asn1_write_OctetString(&data,blob.data,blob.length); asn1_pop_tag(&data); asn1_pop_tag(&data); asn1_pop_tag(&data); asn1_pop_tag(&data); if (data.has_error) { DEBUG(1,("Failed to build negTokenTarg at offset %d\n", (int)data.ofs)); asn1_free(&data); } ret = data_blob(data.data, data.length); asn1_free(&data); return ret; }
/* parse a SPNEGO auth packet. This contains the encrypted passwords */ BOOL spnego_parse_auth(DATA_BLOB blob, DATA_BLOB *auth) { ASN1_DATA data; asn1_load(&data, blob); asn1_start_tag(&data, ASN1_CONTEXT(1)); asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(2)); asn1_read_OctetString(&data,auth); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); if (data.has_error) { DEBUG(3,("spnego_parse_auth failed at %d\n", (int)data.ofs)); asn1_free(&data); return False; } asn1_free(&data); return True; }
/* parse a spnego NTLMSSP challenge packet giving two security blobs */ BOOL spnego_parse_challenge(const DATA_BLOB blob, DATA_BLOB *chal1, DATA_BLOB *chal2) { BOOL ret; ASN1_DATA data; ZERO_STRUCTP(chal1); ZERO_STRUCTP(chal2); asn1_load(&data, blob); asn1_start_tag(&data,ASN1_CONTEXT(1)); asn1_start_tag(&data,ASN1_SEQUENCE(0)); asn1_start_tag(&data,ASN1_CONTEXT(0)); asn1_check_enumerated(&data,1); asn1_end_tag(&data); asn1_start_tag(&data,ASN1_CONTEXT(1)); asn1_check_OID(&data, OID_NTLMSSP); asn1_end_tag(&data); asn1_start_tag(&data,ASN1_CONTEXT(2)); asn1_read_OctetString(&data, chal1); asn1_end_tag(&data); /* the second challenge is optional (XP doesn't send it) */ if (asn1_tag_remaining(&data)) { asn1_start_tag(&data,ASN1_CONTEXT(3)); asn1_read_OctetString(&data, chal2); asn1_end_tag(&data); } asn1_end_tag(&data); asn1_end_tag(&data); ret = !data.has_error; asn1_free(&data); return ret; }
static bool read_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { switch (asn1->data[asn1->ofs]) { case ASN1_CONTEXT(0): asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_ENUMERATED); asn1_read_uint8(asn1, &token->negResult); asn1_end_tag(asn1); asn1_end_tag(asn1); break; case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_OID(asn1, &token->supportedMech); asn1_end_tag(asn1); break; case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, &token->responseToken); asn1_end_tag(asn1); break; case ASN1_CONTEXT(3): asn1_start_tag(asn1, ASN1_CONTEXT(3)); asn1_read_OctetString(asn1, &token->mechListMIC); asn1_end_tag(asn1); break; default: asn1->has_error = True; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }
BOOL unwrap_pac(TALLOC_CTX *mem_ctx, DATA_BLOB *auth_data, DATA_BLOB *unwrapped_pac_data) { DATA_BLOB pac_contents; ASN1_DATA data; int data_type; if (!auth_data->length) { return False; } asn1_load(&data, *auth_data); asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_read_Integer(&data, &data_type); if (data_type != KRB5_AUTHDATA_WIN2K_PAC ) { DEBUG(10,("authorization data is not a Windows PAC (type: %d)\n", data_type)); asn1_free(&data); return False; } asn1_end_tag(&data); asn1_start_tag(&data, ASN1_CONTEXT(1)); asn1_read_OctetString(&data, &pac_contents); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); asn1_free(&data); *unwrapped_pac_data = data_blob_talloc(mem_ctx, pac_contents.data, pac_contents.length); data_blob_free(&pac_contents); return True; }
static bool write_negTokenTarg(struct asn1_data *asn1, struct spnego_negTokenTarg *token) { asn1_push_tag(asn1, ASN1_CONTEXT(1)); asn1_push_tag(asn1, ASN1_SEQUENCE(0)); if (token->negResult != SPNEGO_NONE_RESULT) { asn1_push_tag(asn1, ASN1_CONTEXT(0)); asn1_write_enumerated(asn1, token->negResult); asn1_pop_tag(asn1); } if (token->supportedMech) { asn1_push_tag(asn1, ASN1_CONTEXT(1)); asn1_write_OID(asn1, token->supportedMech); asn1_pop_tag(asn1); } if (token->responseToken.data) { asn1_push_tag(asn1, ASN1_CONTEXT(2)); asn1_write_OctetString(asn1, token->responseToken.data, token->responseToken.length); asn1_pop_tag(asn1); } if (token->mechListMIC.data) { asn1_push_tag(asn1, ASN1_CONTEXT(3)); asn1_write_OctetString(asn1, token->mechListMIC.data, token->mechListMIC.length); asn1_pop_tag(asn1); } asn1_pop_tag(asn1); asn1_pop_tag(asn1); return !asn1->has_error; }
/* generate a SPNEGO auth packet. This will contain the encrypted passwords */ DATA_BLOB spnego_gen_auth(TALLOC_CTX *ctx, DATA_BLOB blob) { ASN1_DATA *data; DATA_BLOB ret; data = asn1_init(talloc_tos()); if (data == NULL) { return data_blob_null; } asn1_push_tag(data, ASN1_CONTEXT(1)); asn1_push_tag(data, ASN1_SEQUENCE(0)); asn1_push_tag(data, ASN1_CONTEXT(2)); asn1_write_OctetString(data,blob.data,blob.length); asn1_pop_tag(data); asn1_pop_tag(data); asn1_pop_tag(data); ret = data_blob_talloc(ctx, data->data, data->length); asn1_free(data); return ret; }
ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data *token) { struct asn1_data *asn1; ssize_t ret = -1; uint8_t context; ZERO_STRUCTP(token); if (data.length == 0) { return ret; } asn1 = asn1_init(mem_ctx); if (asn1 == NULL) { return -1; } asn1_load(asn1, data); if (!asn1_peek_uint8(asn1, &context)) { asn1->has_error = true; } else { switch (context) { case ASN1_APPLICATION(0): asn1_start_tag(asn1, ASN1_APPLICATION(0)); asn1_check_OID(asn1, GENSEC_OID_SPNEGO); if (read_negTokenInit(asn1, mem_ctx, &token->negTokenInit)) { token->type = SPNEGO_NEG_TOKEN_INIT; } asn1_end_tag(asn1); break; case ASN1_CONTEXT(1): if (read_negTokenTarg(asn1, mem_ctx, &token->negTokenTarg)) { token->type = SPNEGO_NEG_TOKEN_TARG; } break; default: asn1->has_error = true; break; } } if (!asn1->has_error) ret = asn1->ofs; asn1_free(asn1); return ret; }
DATA_BLOB spnego_gen_negTokenInit(TALLOC_CTX *ctx, const char *OIDs[], DATA_BLOB *psecblob, const char *principal) { int i; ASN1_DATA *data; DATA_BLOB ret = data_blob_null; data = asn1_init(talloc_tos()); if (data == NULL) { return data_blob_null; } if (!asn1_push_tag(data,ASN1_APPLICATION(0))) goto err; if (!asn1_write_OID(data,OID_SPNEGO)) goto err; if (!asn1_push_tag(data,ASN1_CONTEXT(0))) goto err; if (!asn1_push_tag(data,ASN1_SEQUENCE(0))) goto err; if (!asn1_push_tag(data,ASN1_CONTEXT(0))) goto err; if (!asn1_push_tag(data,ASN1_SEQUENCE(0))) goto err; for (i=0; OIDs[i]; i++) { if (!asn1_write_OID(data,OIDs[i])) goto err; } if (!asn1_pop_tag(data)) goto err; if (!asn1_pop_tag(data)) goto err; if (psecblob && psecblob->length && psecblob->data) { if (!asn1_push_tag(data, ASN1_CONTEXT(2))) goto err; if (!asn1_write_OctetString(data,psecblob->data, psecblob->length)) goto err; if (!asn1_pop_tag(data)) goto err; } if (principal) { if (!asn1_push_tag(data, ASN1_CONTEXT(3))) goto err; if (!asn1_push_tag(data, ASN1_SEQUENCE(0))) goto err; if (!asn1_push_tag(data, ASN1_CONTEXT(0))) goto err; if (!asn1_write_GeneralString(data,principal)) goto err; if (!asn1_pop_tag(data)) goto err; if (!asn1_pop_tag(data)) goto err; if (!asn1_pop_tag(data)) goto err; } if (!asn1_pop_tag(data)) goto err; if (!asn1_pop_tag(data)) goto err; if (!asn1_pop_tag(data)) goto err; if (!asn1_extract_blob(data, ctx, &ret)) { goto err; } err: if (asn1_has_error(data)) { DEBUG(1, ("Failed to build negTokenInit at offset %d\n", (int)asn1_current_ofs(data))); } asn1_free(data); return ret; }
static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf, char *outbuf, int length,int bufsize) { uint8 *p; DATA_BLOB blob1; int ret; size_t bufrem; fstring native_os, native_lanman, primary_domain; char *p2; uint16 data_blob_len = SVAL(inbuf, smb_vwv7); enum remote_arch_types ra_type = get_remote_arch(); int vuid = SVAL(inbuf,smb_uid); user_struct *vuser = NULL; NTSTATUS status = NT_STATUS_OK; uint16 smbpid = SVAL(inbuf,smb_pid); DEBUG(3,("Doing spnego session setup\n")); if (global_client_caps == 0) { global_client_caps = IVAL(inbuf,smb_vwv10); if (!(global_client_caps & CAP_STATUS32)) { remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES); } } p = (uint8 *)smb_buf(inbuf); if (data_blob_len == 0) { /* an invalid request */ return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE)); } bufrem = smb_bufrem(inbuf, p); /* pull the spnego blob */ blob1 = data_blob(p, MIN(bufrem, data_blob_len)); #if 0 file_save("negotiate.dat", blob1.data, blob1.length); #endif p2 = inbuf + smb_vwv13 + data_blob_len; p2 += srvstr_pull_buf(inbuf, native_os, p2, sizeof(native_os), STR_TERMINATE); p2 += srvstr_pull_buf(inbuf, native_lanman, p2, sizeof(native_lanman), STR_TERMINATE); p2 += srvstr_pull_buf(inbuf, primary_domain, p2, sizeof(primary_domain), STR_TERMINATE); DEBUG(3,("NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n", native_os, native_lanman, primary_domain)); if ( ra_type == RA_WIN2K ) { /* Vista sets neither the OS or lanman strings */ if ( !strlen(native_os) && !strlen(native_lanman) ) set_remote_arch(RA_VISTA); /* Windows 2003 doesn't set the native lanman string, but does set primary domain which is a bug I think */ if ( !strlen(native_lanman) ) { ra_lanman_string( primary_domain ); } else { ra_lanman_string( native_lanman ); } } vuser = get_partial_auth_user_struct(vuid); if (!vuser) { struct pending_auth_data *pad = get_pending_auth_data(smbpid); if (pad) { DEBUG(10,("reply_sesssetup_and_X_spnego: found pending vuid %u\n", (unsigned int)pad->vuid )); vuid = pad->vuid; vuser = get_partial_auth_user_struct(vuid); } } if (!vuser) { vuid = register_vuid(NULL, data_blob(NULL, 0), data_blob(NULL, 0), NULL); if (vuid == UID_FIELD_INVALID ) { data_blob_free(&blob1); return ERROR_NT(nt_status_squash(NT_STATUS_INVALID_PARAMETER)); } vuser = get_partial_auth_user_struct(vuid); } if (!vuser) { data_blob_free(&blob1); return ERROR_NT(nt_status_squash(NT_STATUS_INVALID_PARAMETER)); } SSVAL(outbuf,smb_uid,vuid); /* Large (greater than 4k) SPNEGO blobs are split into multiple * sessionsetup requests as the Windows limit on the security blob * field is 4k. Bug #4400. JRA. */ status = check_spnego_blob_complete(smbpid, vuid, &blob1); if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { /* Real error - kill the intermediate vuid */ invalidate_vuid(vuid); } data_blob_free(&blob1); return ERROR_NT(nt_status_squash(status)); } if (blob1.data[0] == ASN1_APPLICATION(0)) { /* its a negTokenTarg packet */ ret = reply_spnego_negotiate(conn, inbuf, outbuf, vuid, length, bufsize, blob1, &vuser->auth_ntlmssp_state); data_blob_free(&blob1); return ret; } if (blob1.data[0] == ASN1_CONTEXT(1)) { /* its a auth packet */ ret = reply_spnego_auth(conn, inbuf, outbuf, vuid, length, bufsize, blob1, &vuser->auth_ntlmssp_state); data_blob_free(&blob1); return ret; } if (strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) { DATA_BLOB chal; if (!vuser->auth_ntlmssp_state) { status = auth_ntlmssp_start(&vuser->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(vuid); data_blob_free(&blob1); return ERROR_NT(nt_status_squash(status)); } } status = auth_ntlmssp_update(vuser->auth_ntlmssp_state, blob1, &chal); data_blob_free(&blob1); reply_spnego_ntlmssp(conn, inbuf, outbuf, vuid, &vuser->auth_ntlmssp_state, &chal, status, False); data_blob_free(&chal); return -1; } /* what sort of packet is this? */ DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n")); data_blob_free(&blob1); return ERROR_NT(nt_status_squash(NT_STATUS_LOGON_FAILURE)); }
static bool write_negTokenInit(struct asn1_data *asn1, struct spnego_negTokenInit *token) { asn1_push_tag(asn1, ASN1_CONTEXT(0)); asn1_push_tag(asn1, ASN1_SEQUENCE(0)); /* Write mechTypes */ if (token->mechTypes && *token->mechTypes) { int i; asn1_push_tag(asn1, ASN1_CONTEXT(0)); asn1_push_tag(asn1, ASN1_SEQUENCE(0)); for (i = 0; token->mechTypes[i]; i++) { asn1_write_OID(asn1, token->mechTypes[i]); } asn1_pop_tag(asn1); asn1_pop_tag(asn1); } /* write reqFlags */ if (token->reqFlags & SPNEGO_REQ_FLAG) { int flags = token->reqFlags & ~SPNEGO_REQ_FLAG; asn1_push_tag(asn1, ASN1_CONTEXT(1)); asn1_write_Integer(asn1, flags); asn1_pop_tag(asn1); } /* write mechToken */ if (token->mechToken.data) { asn1_push_tag(asn1, ASN1_CONTEXT(2)); asn1_write_OctetString(asn1, token->mechToken.data, token->mechToken.length); asn1_pop_tag(asn1); } /* write mechListMIC */ if (token->mechListMIC.data) { asn1_push_tag(asn1, ASN1_CONTEXT(3)); #if 0 /* This is what RFC 2478 says ... */ asn1_write_OctetString(asn1, token->mechListMIC.data, token->mechListMIC.length); #else /* ... but unfortunately this is what Windows sends/expects */ asn1_push_tag(asn1, ASN1_SEQUENCE(0)); asn1_push_tag(asn1, ASN1_CONTEXT(0)); asn1_push_tag(asn1, ASN1_GENERAL_STRING); asn1_write(asn1, token->mechListMIC.data, token->mechListMIC.length); asn1_pop_tag(asn1); asn1_pop_tag(asn1); asn1_pop_tag(asn1); #endif asn1_pop_tag(asn1); } asn1_pop_tag(asn1); asn1_pop_tag(asn1); return !asn1->has_error; }
/* do a cldap netlogon query */ static int send_cldap_netlogon(int sock, const char *domain, const char *hostname, unsigned ntversion) { ASN1_DATA data; char ntver[4]; #ifdef CLDAP_USER_QUERY char aac[4]; SIVAL(aac, 0, 0x00000180); #endif SIVAL(ntver, 0, ntversion); memset(&data, 0, sizeof(data)); asn1_push_tag(&data,ASN1_SEQUENCE(0)); asn1_write_Integer(&data, 4); asn1_push_tag(&data, ASN1_APPLICATION(3)); asn1_write_OctetString(&data, NULL, 0); asn1_write_enumerated(&data, 0); asn1_write_enumerated(&data, 0); asn1_write_Integer(&data, 0); asn1_write_Integer(&data, 0); asn1_write_BOOLEAN2(&data, False); asn1_push_tag(&data, ASN1_CONTEXT(0)); if (domain) { asn1_push_tag(&data, ASN1_CONTEXT(3)); asn1_write_OctetString(&data, "DnsDomain", 9); asn1_write_OctetString(&data, domain, strlen(domain)); asn1_pop_tag(&data); } asn1_push_tag(&data, ASN1_CONTEXT(3)); asn1_write_OctetString(&data, "Host", 4); asn1_write_OctetString(&data, hostname, strlen(hostname)); asn1_pop_tag(&data); #ifdef CLDAP_USER_QUERY asn1_push_tag(&data, ASN1_CONTEXT(3)); asn1_write_OctetString(&data, "User", 4); asn1_write_OctetString(&data, "SAMBA$", 6); asn1_pop_tag(&data); asn1_push_tag(&data, ASN1_CONTEXT(3)); asn1_write_OctetString(&data, "AAC", 4); asn1_write_OctetString(&data, aac, 4); asn1_pop_tag(&data); #endif asn1_push_tag(&data, ASN1_CONTEXT(3)); asn1_write_OctetString(&data, "NtVer", 5); asn1_write_OctetString(&data, ntver, 4); asn1_pop_tag(&data); asn1_pop_tag(&data); asn1_push_tag(&data,ASN1_SEQUENCE(0)); asn1_write_OctetString(&data, "NetLogon", 8); asn1_pop_tag(&data); asn1_pop_tag(&data); asn1_pop_tag(&data); if (data.has_error) { DEBUG(2,("Failed to build cldap netlogon at offset %d\n", (int)data.ofs)); asn1_free(&data); return -1; } if (write(sock, data.data, data.length) != (ssize_t)data.length) { DEBUG(2,("failed to send cldap query (%s)\n", strerror(errno))); asn1_free(&data); return -1; } asn1_free(&data); return 0; }
/* parse a negTokenInit packet giving a GUID, a list of supported OIDs (the mechanisms) and a principal name string */ bool spnego_parse_negTokenInit(TALLOC_CTX *ctx, DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], char **principal, DATA_BLOB *secblob) { int i; bool ret; ASN1_DATA *data; data = asn1_init(talloc_tos()); if (data == NULL) { return false; } asn1_load(data, blob); asn1_start_tag(data,ASN1_APPLICATION(0)); asn1_check_OID(data,OID_SPNEGO); /* negTokenInit [0] NegTokenInit */ asn1_start_tag(data,ASN1_CONTEXT(0)); asn1_start_tag(data,ASN1_SEQUENCE(0)); /* mechTypes [0] MechTypeList OPTIONAL */ /* Not really optional, we depend on this to decide * what mechanisms we have to work with. */ asn1_start_tag(data,ASN1_CONTEXT(0)); asn1_start_tag(data,ASN1_SEQUENCE(0)); for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) { asn1_read_OID(data,ctx, &OIDs[i]); if (data->has_error) { break; } } OIDs[i] = NULL; asn1_end_tag(data); asn1_end_tag(data); if (principal) { *principal = NULL; } if (secblob) { *secblob = data_blob_null; } /* Win7 + Live Sign-in Assistant attaches a mechToken ASN1_CONTEXT(2) to the negTokenInit packet which breaks our negotiation if we just assume the next tag is ASN1_CONTEXT(3). */ if (asn1_peek_tag(data, ASN1_CONTEXT(1))) { uint8 flags; /* reqFlags [1] ContextFlags OPTIONAL */ asn1_start_tag(data, ASN1_CONTEXT(1)); asn1_start_tag(data, ASN1_BIT_STRING); while (asn1_tag_remaining(data) > 0) { asn1_read_uint8(data, &flags); } asn1_end_tag(data); asn1_end_tag(data); } if (asn1_peek_tag(data, ASN1_CONTEXT(2))) { DATA_BLOB sblob = data_blob_null; /* mechToken [2] OCTET STRING OPTIONAL */ asn1_start_tag(data, ASN1_CONTEXT(2)); asn1_read_OctetString(data, ctx, &sblob); asn1_end_tag(data); if (secblob) { *secblob = sblob; } else { data_blob_free(&sblob); } } if (asn1_peek_tag(data, ASN1_CONTEXT(3))) { char *princ = NULL; /* mechListMIC [3] OCTET STRING OPTIONAL */ asn1_start_tag(data, ASN1_CONTEXT(3)); asn1_start_tag(data, ASN1_SEQUENCE(0)); asn1_start_tag(data, ASN1_CONTEXT(0)); asn1_read_GeneralString(data, ctx, &princ); asn1_end_tag(data); asn1_end_tag(data); asn1_end_tag(data); if (principal) { *principal = princ; } else { TALLOC_FREE(princ); } } asn1_end_tag(data); asn1_end_tag(data); asn1_end_tag(data); ret = !data->has_error; if (data->has_error) { int j; if (principal) { TALLOC_FREE(*principal); } if (secblob) { data_blob_free(secblob); } for(j = 0; j < i && j < ASN1_MAX_OIDS-1; j++) { TALLOC_FREE(OIDs[j]); } } asn1_free(data); return ret; }
/* parse a SPNEGO auth packet. This contains the encrypted passwords */ bool spnego_parse_auth_response(TALLOC_CTX *ctx, DATA_BLOB blob, NTSTATUS nt_status, const char *mechOID, DATA_BLOB *auth) { ASN1_DATA *data; uint8 negResult; if (NT_STATUS_IS_OK(nt_status)) { negResult = SPNEGO_ACCEPT_COMPLETED; } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { negResult = SPNEGO_ACCEPT_INCOMPLETE; } else { negResult = SPNEGO_REJECT; } data = asn1_init(talloc_tos()); if (data == NULL) { return false; } asn1_load(data, blob); asn1_start_tag(data, ASN1_CONTEXT(1)); asn1_start_tag(data, ASN1_SEQUENCE(0)); asn1_start_tag(data, ASN1_CONTEXT(0)); asn1_check_enumerated(data, negResult); asn1_end_tag(data); *auth = data_blob_null; if (asn1_tag_remaining(data)) { asn1_start_tag(data,ASN1_CONTEXT(1)); asn1_check_OID(data, mechOID); asn1_end_tag(data); if (asn1_tag_remaining(data)) { asn1_start_tag(data,ASN1_CONTEXT(2)); asn1_read_OctetString(data, ctx, auth); asn1_end_tag(data); } } else if (negResult == SPNEGO_ACCEPT_INCOMPLETE) { data->has_error = 1; } /* Binding against Win2K DC returns a duplicate of the responseToken in * the optional mechListMIC field. This is a bug in Win2K. We ignore * this field if it exists. Win2K8 may return a proper mechListMIC at * which point we need to implement the integrity checking. */ if (asn1_tag_remaining(data)) { DATA_BLOB mechList = data_blob_null; asn1_start_tag(data, ASN1_CONTEXT(3)); asn1_read_OctetString(data, ctx, &mechList); asn1_end_tag(data); data_blob_free(&mechList); DEBUG(5,("spnego_parse_auth_response received mechListMIC, " "ignoring.\n")); } asn1_end_tag(data); asn1_end_tag(data); if (data->has_error) { DEBUG(3,("spnego_parse_auth_response failed at %d\n", (int)data->ofs)); asn1_free(data); data_blob_free(auth); return False; } asn1_free(data); return True; }
/* This implements kerberos password change protocol as specified in * kerb-chg-password-02.txt and kerberos-set-passwd-02.txt * as well as microsoft version of the protocol * as specified in kerberos-set-passwd-00.txt */ static DATA_BLOB encode_krb5_setpw(const char *principal, const char *password) { char* princ_part1 = NULL; char* princ_part2 = NULL; char* realm = NULL; char* c; char* princ; ASN1_DATA *req; DATA_BLOB ret; princ = SMB_STRDUP(principal); if ((c = strchr_m(princ, '/')) == NULL) { c = princ; } else { *c = '\0'; c++; princ_part1 = princ; } princ_part2 = c; if ((c = strchr_m(c, '@')) != NULL) { *c = '\0'; c++; realm = c; } else { /* We must have a realm component. */ return data_blob_null; } req = asn1_init(talloc_tos()); if (req == NULL) { return data_blob_null; } asn1_push_tag(req, ASN1_SEQUENCE(0)); asn1_push_tag(req, ASN1_CONTEXT(0)); asn1_write_OctetString(req, password, strlen(password)); asn1_pop_tag(req); asn1_push_tag(req, ASN1_CONTEXT(1)); asn1_push_tag(req, ASN1_SEQUENCE(0)); asn1_push_tag(req, ASN1_CONTEXT(0)); asn1_write_Integer(req, 1); asn1_pop_tag(req); asn1_push_tag(req, ASN1_CONTEXT(1)); asn1_push_tag(req, ASN1_SEQUENCE(0)); if (princ_part1) { asn1_write_GeneralString(req, princ_part1); } asn1_write_GeneralString(req, princ_part2); asn1_pop_tag(req); asn1_pop_tag(req); asn1_pop_tag(req); asn1_pop_tag(req); asn1_push_tag(req, ASN1_CONTEXT(2)); asn1_write_GeneralString(req, realm); asn1_pop_tag(req); asn1_pop_tag(req); ret = data_blob(req->data, req->length); asn1_free(req); free(princ); return ret; }
static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx, struct spnego_negTokenInit *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { int i; uint8_t context; if (!asn1_peek_uint8(asn1, &context)) { asn1->has_error = true; break; } switch (context) { /* Read mechTypes */ case ASN1_CONTEXT(0): { const char **mechTypes; asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); mechTypes = talloc(mem_ctx, const char *); if (mechTypes == NULL) { asn1->has_error = true; return false; } for (i = 0; !asn1->has_error && 0 < asn1_tag_remaining(asn1); i++) { char *oid; const char **p; p = talloc_realloc(mem_ctx, mechTypes, const char *, i+2); if (p == NULL) { talloc_free(mechTypes); asn1->has_error = true; return false; } mechTypes = p; asn1_read_OID(asn1, mechTypes, &oid); mechTypes[i] = oid; } mechTypes[i] = NULL; token->mechTypes = mechTypes; asn1_end_tag(asn1); asn1_end_tag(asn1); break; } /* Read reqFlags */ case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_BitString(asn1, mem_ctx, &token->reqFlags, &token->reqFlagsPadding); asn1_end_tag(asn1); break; /* Read mechToken */ case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, mem_ctx, &token->mechToken); asn1_end_tag(asn1); break; /* Read mecListMIC */ case ASN1_CONTEXT(3): { uint8_t type_peek; asn1_start_tag(asn1, ASN1_CONTEXT(3)); if (!asn1_peek_uint8(asn1, &type_peek)) { asn1->has_error = true; break; } if (type_peek == ASN1_OCTET_STRING) { asn1_read_OctetString(asn1, mem_ctx, &token->mechListMIC); } else { /* RFC 2478 says we have an Octet String here, but W2k sends something different... */ char *mechListMIC; asn1_start_tag(asn1, ASN1_SEQUENCE(0)); asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_read_GeneralString(asn1, mem_ctx, &mechListMIC); asn1_end_tag(asn1); asn1_end_tag(asn1); token->targetPrincipal = mechListMIC; } asn1_end_tag(asn1); break; } default: asn1->has_error = true; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }
static bool read_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { int i; switch (asn1->data[asn1->ofs]) { /* Read mechTypes */ case ASN1_CONTEXT(0): asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); token->mechTypes = SMB_MALLOC_P(const char *); for (i = 0; !asn1->has_error && 0 < asn1_tag_remaining(asn1); i++) { char *p_oid = NULL; token->mechTypes = SMB_REALLOC_ARRAY(token->mechTypes, const char *, i + 2); if (!token->mechTypes) { asn1->has_error = True; return False; } asn1_read_OID(asn1, &p_oid); token->mechTypes[i] = p_oid; } token->mechTypes[i] = NULL; asn1_end_tag(asn1); asn1_end_tag(asn1); break; /* Read reqFlags */ case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_Integer(asn1, &token->reqFlags); token->reqFlags |= SPNEGO_REQ_FLAG; asn1_end_tag(asn1); break; /* Read mechToken */ case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, &token->mechToken); asn1_end_tag(asn1); break; /* Read mecListMIC */ case ASN1_CONTEXT(3): asn1_start_tag(asn1, ASN1_CONTEXT(3)); if (asn1->data[asn1->ofs] == ASN1_OCTET_STRING) { asn1_read_OctetString(asn1, &token->mechListMIC); } else { /* RFC 2478 says we have an Octet String here, but W2k sends something different... */ char *mechListMIC; asn1_push_tag(asn1, ASN1_SEQUENCE(0)); asn1_push_tag(asn1, ASN1_CONTEXT(0)); asn1_read_GeneralString(asn1, &mechListMIC); asn1_pop_tag(asn1); asn1_pop_tag(asn1); token->mechListMIC = data_blob(mechListMIC, strlen(mechListMIC)); SAFE_FREE(mechListMIC); } asn1_end_tag(asn1); break; default: asn1->has_error = True; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }
static NTSTATUS check_spnego_blob_complete(uint16 smbpid, uint16 vuid, DATA_BLOB *pblob) { struct pending_auth_data *pad = NULL; ASN1_DATA data; size_t needed_len = 0; pad = get_pending_auth_data(smbpid); /* Ensure we have some data. */ if (pblob->length == 0) { /* Caller can cope. */ DEBUG(2,("check_spnego_blob_complete: zero blob length !\n")); delete_partial_auth(pad); return NT_STATUS_OK; } /* Were we waiting for more data ? */ if (pad) { DATA_BLOB tmp_blob; size_t copy_len = MIN(65536, pblob->length); /* Integer wrap paranoia.... */ if (pad->partial_data.length + copy_len < pad->partial_data.length || pad->partial_data.length + copy_len < copy_len) { DEBUG(2,("check_spnego_blob_complete: integer wrap " "pad->partial_data.length = %u, " "copy_len = %u\n", (unsigned int)pad->partial_data.length, (unsigned int)copy_len )); delete_partial_auth(pad); return NT_STATUS_INVALID_PARAMETER; } DEBUG(10,("check_spnego_blob_complete: " "pad->partial_data.length = %u, " "pad->needed_len = %u, " "copy_len = %u, " "pblob->length = %u,\n", (unsigned int)pad->partial_data.length, (unsigned int)pad->needed_len, (unsigned int)copy_len, (unsigned int)pblob->length )); tmp_blob = data_blob(NULL, pad->partial_data.length + copy_len); /* Concatenate the two (up to copy_len) bytes. */ memcpy(tmp_blob.data, pad->partial_data.data, pad->partial_data.length); memcpy(tmp_blob.data + pad->partial_data.length, pblob->data, copy_len); /* Replace the partial data. */ data_blob_free(&pad->partial_data); pad->partial_data = tmp_blob; ZERO_STRUCT(tmp_blob); /* Are we done ? */ if (pblob->length >= pad->needed_len) { /* Yes, replace pblob. */ data_blob_free(pblob); *pblob = pad->partial_data; ZERO_STRUCT(pad->partial_data); delete_partial_auth(pad); return NT_STATUS_OK; } /* Still need more data. */ pad->needed_len -= copy_len; return NT_STATUS_MORE_PROCESSING_REQUIRED; } if ((pblob->data[0] != ASN1_APPLICATION(0)) && (pblob->data[0] != ASN1_CONTEXT(1))) { /* Not something we can determine the * length of. */ return NT_STATUS_OK; } /* This is a new SPNEGO sessionsetup - see if * the data given in this blob is enough. */ asn1_load(&data, *pblob); asn1_start_tag(&data, pblob->data[0]); if (data.has_error || data.nesting == NULL) { asn1_free(&data); /* Let caller catch. */ return NT_STATUS_OK; } /* Integer wrap paranoia.... */ if (data.nesting->taglen + data.nesting->start < data.nesting->taglen || data.nesting->taglen + data.nesting->start < data.nesting->start) { DEBUG(2,("check_spnego_blob_complete: integer wrap " "data.nesting->taglen = %u, " "data.nesting->start = %u\n", (unsigned int)data.nesting->taglen, (unsigned int)data.nesting->start )); asn1_free(&data); return NT_STATUS_INVALID_PARAMETER; } /* Total length of the needed asn1 is the tag length * plus the current offset. */ needed_len = data.nesting->taglen + data.nesting->start; asn1_free(&data); DEBUG(10,("check_spnego_blob_complete: needed_len = %u, " "pblob->length = %u\n", (unsigned int)needed_len, (unsigned int)pblob->length )); if (needed_len <= pblob->length) { /* Nothing to do - blob is complete. */ return NT_STATUS_OK; } /* Refuse the blob if it's bigger than 64k. */ if (needed_len > 65536) { DEBUG(2,("check_spnego_blob_complete: needed_len too large (%u)\n", (unsigned int)needed_len )); return NT_STATUS_INVALID_PARAMETER; } /* We must store this blob until complete. */ pad = SMB_MALLOC(sizeof(struct pending_auth_data)); if (!pad) { return NT_STATUS_NO_MEMORY; } pad->needed_len = needed_len - pblob->length; pad->partial_data = data_blob(pblob->data, pblob->length); if (pad->partial_data.data == NULL) { SAFE_FREE(pad); return NT_STATUS_NO_MEMORY; } pad->smbpid = smbpid; pad->vuid = vuid; DLIST_ADD(pd_list, pad); return NT_STATUS_MORE_PROCESSING_REQUIRED; }
static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf, char *outbuf, int length,int bufsize) { uint8 *p; DATA_BLOB blob1; int ret; size_t bufrem; fstring native_os, native_lanman, primary_domain; char *p2; uint16 data_blob_len = SVAL(inbuf, smb_vwv7); enum remote_arch_types ra_type = get_remote_arch(); DEBUG(3,("Doing spnego session setup\n")); if (global_client_caps == 0) { global_client_caps = IVAL(inbuf,smb_vwv10); if (!(global_client_caps & CAP_STATUS32)) { remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES); } } p = (uint8 *)smb_buf(inbuf); if (data_blob_len == 0) { /* an invalid request */ return ERROR_NT(NT_STATUS_LOGON_FAILURE); } bufrem = smb_bufrem(inbuf, p); /* pull the spnego blob */ blob1 = data_blob(p, MIN(bufrem, data_blob_len)); #if 0 file_save("negotiate.dat", blob1.data, blob1.length); #endif p2 = inbuf + smb_vwv13 + data_blob_len; p2 += srvstr_pull_buf(inbuf, native_os, p2, sizeof(native_os), STR_TERMINATE); p2 += srvstr_pull_buf(inbuf, native_lanman, p2, sizeof(native_lanman), STR_TERMINATE); p2 += srvstr_pull_buf(inbuf, primary_domain, p2, sizeof(primary_domain), STR_TERMINATE); DEBUG(3,("NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n", native_os, native_lanman, primary_domain)); if ( ra_type == RA_WIN2K ) { /* Windows 2003 doesn't set the native lanman string, but does set primary domain which is a bug I think */ if ( !strlen(native_lanman) ) ra_lanman_string( primary_domain ); else ra_lanman_string( native_lanman ); } if (blob1.data[0] == ASN1_APPLICATION(0)) { /* its a negTokenTarg packet */ ret = reply_spnego_negotiate(conn, inbuf, outbuf, length, bufsize, blob1); data_blob_free(&blob1); return ret; } if (blob1.data[0] == ASN1_CONTEXT(1)) { /* its a auth packet */ ret = reply_spnego_auth(conn, inbuf, outbuf, length, bufsize, blob1); data_blob_free(&blob1); return ret; } /* what sort of packet is this? */ DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n")); data_blob_free(&blob1); return ERROR_NT(NT_STATUS_LOGON_FAILURE); }
static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx, struct spnego_negTokenInit *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { int i; uint8_t context; if (!asn1_peek_uint8(asn1, &context)) { asn1->has_error = true; break; } switch (context) { /* Read mechTypes */ case ASN1_CONTEXT(0): asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); token->mechTypes = talloc(NULL, const char *); for (i = 0; !asn1->has_error && 0 < asn1_tag_remaining(asn1); i++) { token->mechTypes = talloc_realloc(NULL, token->mechTypes, const char *, i+2); asn1_read_OID(asn1, token->mechTypes, token->mechTypes + i); } token->mechTypes[i] = NULL; asn1_end_tag(asn1); asn1_end_tag(asn1); break; /* Read reqFlags */ case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_Integer(asn1, &token->reqFlags); token->reqFlags |= SPNEGO_REQ_FLAG; asn1_end_tag(asn1); break; /* Read mechToken */ case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, mem_ctx, &token->mechToken); asn1_end_tag(asn1); break; /* Read mecListMIC */ case ASN1_CONTEXT(3): { uint8_t type_peek; asn1_start_tag(asn1, ASN1_CONTEXT(3)); if (!asn1_peek_uint8(asn1, &type_peek)) { asn1->has_error = true; break; } if (type_peek == ASN1_OCTET_STRING) { asn1_read_OctetString(asn1, mem_ctx, &token->mechListMIC); } else { /* RFC 2478 says we have an Octet String here, but W2k sends something different... */ char *mechListMIC; asn1_push_tag(asn1, ASN1_SEQUENCE(0)); asn1_push_tag(asn1, ASN1_CONTEXT(0)); asn1_read_GeneralString(asn1, mem_ctx, &mechListMIC); asn1_pop_tag(asn1); asn1_pop_tag(asn1); token->targetPrincipal = mechListMIC; } asn1_end_tag(asn1); break; } default: asn1->has_error = true; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }
static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf, char *outbuf, int length,int bufsize) { uint8 *p; DATA_BLOB blob1; int ret; size_t bufrem; fstring native_os, native_lanman, primary_domain; char *p2; uint16 data_blob_len = SVAL(inbuf, smb_vwv7); enum remote_arch_types ra_type = get_remote_arch(); DEBUG(3,("Doing spnego session setup\n")); if (global_client_caps == 0) { global_client_caps = IVAL(inbuf,smb_vwv10); if (!(global_client_caps & CAP_STATUS32)) { remove_from_common_flags2(FLAGS2_32_BIT_ERROR_CODES); } } p = (uint8 *)smb_buf(inbuf); if (data_blob_len == 0) { /* an invalid request */ return ERROR_NT(NT_STATUS_LOGON_FAILURE); } bufrem = smb_bufrem(inbuf, p); /* pull the spnego blob */ blob1 = data_blob(p, MIN(bufrem, data_blob_len)); #if 0 file_save("negotiate.dat", blob1.data, blob1.length); #endif p2 = inbuf + smb_vwv13 + data_blob_len; p2 += srvstr_pull_buf(inbuf, native_os, p2, sizeof(native_os), STR_TERMINATE); p2 += srvstr_pull_buf(inbuf, native_lanman, p2, sizeof(native_lanman), STR_TERMINATE); p2 += srvstr_pull_buf(inbuf, primary_domain, p2, sizeof(primary_domain), STR_TERMINATE); DEBUG(3,("NativeOS=[%s] NativeLanMan=[%s] PrimaryDomain=[%s]\n", native_os, native_lanman, primary_domain)); if ( ra_type == RA_WIN2K ) { /* Windows 2003 doesn't set the native lanman string, but does set primary domain which is a bug I think */ if ( !strlen(native_lanman) ) ra_lanman_string( primary_domain ); else ra_lanman_string( native_lanman ); } if (blob1.data[0] == ASN1_APPLICATION(0)) { /* its a negTokenTarg packet */ ret = reply_spnego_negotiate(conn, inbuf, outbuf, length, bufsize, blob1); data_blob_free(&blob1); return ret; } if (blob1.data[0] == ASN1_CONTEXT(1)) { /* its a auth packet */ ret = reply_spnego_auth(conn, inbuf, outbuf, length, bufsize, blob1); data_blob_free(&blob1); return ret; } /* Foxconn modified start pling 12/29/2011 */ /* Fix Android partial auth issue. * Port from Samba 3.0.24 (used by WNDR3800) */ if (strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) { DATA_BLOB chal; NTSTATUS nt_status; if (!global_ntlmssp_state) { nt_status = auth_ntlmssp_start(&global_ntlmssp_state); if (!NT_STATUS_IS_OK(nt_status)) { return ERROR_NT(nt_status_squash(nt_status)); } } nt_status = auth_ntlmssp_update(global_ntlmssp_state, blob1, &chal); data_blob_free(&blob1); reply_spnego_ntlmssp(conn, inbuf, outbuf, &global_ntlmssp_state, &chal, nt_status, False); data_blob_free(&chal); return -1; } /* Foxconn added end pling 12/29/2011 */ /* what sort of packet is this? */ DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n")); data_blob_free(&blob1); return ERROR_NT(NT_STATUS_LOGON_FAILURE); }