/* parse a krb5 GSS-API wrapper packet giving a ticket */ static bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2]) { bool ret; struct asn1_data *data = asn1_init(mem_ctx); int data_remaining; if (!data) { return false; } asn1_load(data, *blob); asn1_start_tag(data, ASN1_APPLICATION(0)); asn1_check_OID(data, GENSEC_OID_KERBEROS5); data_remaining = asn1_tag_remaining(data); if (data_remaining < 3) { data->has_error = true; } else { asn1_read(data, tok_id, 2); data_remaining -= 2; *ticket = data_blob_talloc(mem_ctx, NULL, data_remaining); asn1_read(data, ticket->data, ticket->length); } asn1_end_tag(data); ret = !data->has_error; asn1_free(data); return ret; }
/* parse a krb5 GSS-API wrapper packet giving a ticket */ BOOL spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2]) { BOOL ret; ASN1_DATA data; int data_remaining; asn1_load(&data, blob); asn1_start_tag(&data, ASN1_APPLICATION(0)); asn1_check_OID(&data, OID_KERBEROS5); data_remaining = asn1_tag_remaining(&data); if (data_remaining < 3) { data.has_error = True; } else { asn1_read(&data, tok_id, 2); data_remaining -= 2; *ticket = data_blob(NULL, data_remaining); asn1_read(&data, ticket->data, ticket->length); } asn1_end_tag(&data); ret = !data.has_error; asn1_free(&data); return ret; }
/* parse a spnego NTLMSSP challenge packet giving two security blobs */ bool spnego_parse_challenge(TALLOC_CTX *ctx, const DATA_BLOB blob, DATA_BLOB *chal1, DATA_BLOB *chal2) { bool ret = false; ASN1_DATA *data; ZERO_STRUCTP(chal1); ZERO_STRUCTP(chal2); data = asn1_init(talloc_tos()); if (data == NULL) { return false; } if (!asn1_load(data, blob)) goto err; if (!asn1_start_tag(data,ASN1_CONTEXT(1))) goto err; if (!asn1_start_tag(data,ASN1_SEQUENCE(0))) goto err; if (!asn1_start_tag(data,ASN1_CONTEXT(0))) goto err; if (!asn1_check_enumerated(data,1)) goto err; if (!asn1_end_tag(data)) goto err; if (!asn1_start_tag(data,ASN1_CONTEXT(1))) goto err; if (!asn1_check_OID(data, OID_NTLMSSP)) goto err; if (!asn1_end_tag(data)) goto err; if (!asn1_start_tag(data,ASN1_CONTEXT(2))) goto err; if (!asn1_read_OctetString(data, ctx, chal1)) goto err; if (!asn1_end_tag(data)) goto err; /* the second challenge is optional (XP doesn't send it) */ if (asn1_tag_remaining(data)) { if (!asn1_start_tag(data,ASN1_CONTEXT(3))) goto err; if (!asn1_read_OctetString(data, ctx, chal2)) goto err; if (!asn1_end_tag(data)) goto err; } if (!asn1_end_tag(data)) goto err; if (!asn1_end_tag(data)) goto err; ret = !asn1_has_error(data); err: if (asn1_has_error(data)) { data_blob_free(chal1); data_blob_free(chal2); } asn1_free(data); return ret; }
static bool read_negTokenTarg(struct asn1_data *asn1, TALLOC_CTX *mem_ctx, struct spnego_negTokenTarg *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { uint8_t context; char *oid; if (!asn1_peek_uint8(asn1, &context)) { asn1->has_error = true; break; } switch (context) { case ASN1_CONTEXT(0): asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_ENUMERATED); asn1_read_uint8(asn1, &token->negResult); asn1_end_tag(asn1); asn1_end_tag(asn1); break; case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_OID(asn1, mem_ctx, &oid); token->supportedMech = oid; asn1_end_tag(asn1); break; case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, mem_ctx, &token->responseToken); asn1_end_tag(asn1); break; case ASN1_CONTEXT(3): asn1_start_tag(asn1, ASN1_CONTEXT(3)); asn1_read_OctetString(asn1, mem_ctx, &token->mechListMIC); asn1_end_tag(asn1); break; default: asn1->has_error = true; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }
/* parse a negTokenInit packet giving a GUID, a list of supported OIDs (the mechanisms) and a principal name string */ BOOL spnego_parse_negTokenInit(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], char **principal) { int i; BOOL ret; ASN1_DATA data; asn1_load(&data, blob); asn1_start_tag(&data,ASN1_APPLICATION(0)); asn1_check_OID(&data,OID_SPNEGO); asn1_start_tag(&data,ASN1_CONTEXT(0)); asn1_start_tag(&data,ASN1_SEQUENCE(0)); asn1_start_tag(&data,ASN1_CONTEXT(0)); asn1_start_tag(&data,ASN1_SEQUENCE(0)); for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) { char *oid_str = NULL; asn1_read_OID(&data,&oid_str); OIDs[i] = oid_str; } OIDs[i] = NULL; asn1_end_tag(&data); asn1_end_tag(&data); asn1_start_tag(&data, ASN1_CONTEXT(3)); asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_read_GeneralString(&data,principal); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); ret = !data.has_error; asn1_free(&data); return ret; }
static bool read_negTokenTarg(ASN1_DATA *asn1, negTokenTarg_t *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { switch (asn1->data[asn1->ofs]) { case ASN1_CONTEXT(0): asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_ENUMERATED); asn1_read_uint8(asn1, &token->negResult); asn1_end_tag(asn1); asn1_end_tag(asn1); break; case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_OID(asn1, &token->supportedMech); asn1_end_tag(asn1); break; case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, &token->responseToken); asn1_end_tag(asn1); break; case ASN1_CONTEXT(3): asn1_start_tag(asn1, ASN1_CONTEXT(3)); asn1_read_OctetString(asn1, &token->mechListMIC); asn1_end_tag(asn1); break; default: asn1->has_error = True; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }
/* parse a negTokenTarg packet giving a list of OIDs and a security blob */ BOOL parse_negTokenTarg(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], DATA_BLOB *secblob) { int i; ASN1_DATA data; asn1_load(&data, blob); asn1_start_tag(&data, ASN1_APPLICATION(0)); asn1_check_OID(&data,OID_SPNEGO); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_start_tag(&data, ASN1_SEQUENCE(0)); for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) { char *oid_str = NULL; asn1_read_OID(&data,&oid_str); OIDs[i] = oid_str; } OIDs[i] = NULL; asn1_end_tag(&data); asn1_end_tag(&data); asn1_start_tag(&data, ASN1_CONTEXT(2)); asn1_read_OctetString(&data,secblob); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); if (data.has_error) { DEBUG(1,("Failed to parse negTokenTarg at offset %d\n", (int)data.ofs)); asn1_free(&data); return False; } asn1_free(&data); return True; }
/* parse a spnego NTLMSSP challenge packet giving two security blobs */ BOOL spnego_parse_challenge(const DATA_BLOB blob, DATA_BLOB *chal1, DATA_BLOB *chal2) { BOOL ret; ASN1_DATA data; ZERO_STRUCTP(chal1); ZERO_STRUCTP(chal2); asn1_load(&data, blob); asn1_start_tag(&data,ASN1_CONTEXT(1)); asn1_start_tag(&data,ASN1_SEQUENCE(0)); asn1_start_tag(&data,ASN1_CONTEXT(0)); asn1_check_enumerated(&data,1); asn1_end_tag(&data); asn1_start_tag(&data,ASN1_CONTEXT(1)); asn1_check_OID(&data, OID_NTLMSSP); asn1_end_tag(&data); asn1_start_tag(&data,ASN1_CONTEXT(2)); asn1_read_OctetString(&data, chal1); asn1_end_tag(&data); /* the second challenge is optional (XP doesn't send it) */ if (asn1_tag_remaining(&data)) { asn1_start_tag(&data,ASN1_CONTEXT(3)); asn1_read_OctetString(&data, chal2); asn1_end_tag(&data); } asn1_end_tag(&data); asn1_end_tag(&data); ret = !data.has_error; asn1_free(&data); return ret; }
/* parse a krb5 GSS-API wrapper packet giving a ticket */ bool spnego_parse_krb5_wrap(TALLOC_CTX *ctx, DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2]) { bool ret; ASN1_DATA *data; int data_remaining; data = asn1_init(talloc_tos()); if (data == NULL) { return false; } asn1_load(data, blob); asn1_start_tag(data, ASN1_APPLICATION(0)); asn1_check_OID(data, OID_KERBEROS5); data_remaining = asn1_tag_remaining(data); if (data_remaining < 3) { data->has_error = True; } else { asn1_read(data, tok_id, 2); data_remaining -= 2; *ticket = data_blob_talloc(ctx, NULL, data_remaining); asn1_read(data, ticket->data, ticket->length); } asn1_end_tag(data); ret = !data->has_error; if (data->has_error) { data_blob_free(ticket); } asn1_free(data); return ret; }
static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx, struct spnego_negTokenInit *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { int i; uint8_t context; if (!asn1_peek_uint8(asn1, &context)) { asn1->has_error = true; break; } switch (context) { /* Read mechTypes */ case ASN1_CONTEXT(0): asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); token->mechTypes = talloc(NULL, const char *); for (i = 0; !asn1->has_error && 0 < asn1_tag_remaining(asn1); i++) { token->mechTypes = talloc_realloc(NULL, token->mechTypes, const char *, i+2); asn1_read_OID(asn1, token->mechTypes, token->mechTypes + i); } token->mechTypes[i] = NULL; asn1_end_tag(asn1); asn1_end_tag(asn1); break; /* Read reqFlags */ case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_Integer(asn1, &token->reqFlags); token->reqFlags |= SPNEGO_REQ_FLAG; asn1_end_tag(asn1); break; /* Read mechToken */ case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, mem_ctx, &token->mechToken); asn1_end_tag(asn1); break; /* Read mecListMIC */ case ASN1_CONTEXT(3): { uint8_t type_peek; asn1_start_tag(asn1, ASN1_CONTEXT(3)); if (!asn1_peek_uint8(asn1, &type_peek)) { asn1->has_error = true; break; } if (type_peek == ASN1_OCTET_STRING) { asn1_read_OctetString(asn1, mem_ctx, &token->mechListMIC); } else { /* RFC 2478 says we have an Octet String here, but W2k sends something different... */ char *mechListMIC; asn1_push_tag(asn1, ASN1_SEQUENCE(0)); asn1_push_tag(asn1, ASN1_CONTEXT(0)); asn1_read_GeneralString(asn1, mem_ctx, &mechListMIC); asn1_pop_tag(asn1); asn1_pop_tag(asn1); token->targetPrincipal = mechListMIC; } asn1_end_tag(asn1); break; } default: asn1->has_error = true; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }
/* parse a negTokenInit packet giving a GUID, a list of supported OIDs (the mechanisms) and a principal name string */ bool spnego_parse_negTokenInit(TALLOC_CTX *ctx, DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], char **principal, DATA_BLOB *secblob) { int i; bool ret; ASN1_DATA *data; data = asn1_init(talloc_tos()); if (data == NULL) { return false; } asn1_load(data, blob); asn1_start_tag(data,ASN1_APPLICATION(0)); asn1_check_OID(data,OID_SPNEGO); /* negTokenInit [0] NegTokenInit */ asn1_start_tag(data,ASN1_CONTEXT(0)); asn1_start_tag(data,ASN1_SEQUENCE(0)); /* mechTypes [0] MechTypeList OPTIONAL */ /* Not really optional, we depend on this to decide * what mechanisms we have to work with. */ asn1_start_tag(data,ASN1_CONTEXT(0)); asn1_start_tag(data,ASN1_SEQUENCE(0)); for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) { asn1_read_OID(data,ctx, &OIDs[i]); if (data->has_error) { break; } } OIDs[i] = NULL; asn1_end_tag(data); asn1_end_tag(data); if (principal) { *principal = NULL; } if (secblob) { *secblob = data_blob_null; } /* Win7 + Live Sign-in Assistant attaches a mechToken ASN1_CONTEXT(2) to the negTokenInit packet which breaks our negotiation if we just assume the next tag is ASN1_CONTEXT(3). */ if (asn1_peek_tag(data, ASN1_CONTEXT(1))) { uint8 flags; /* reqFlags [1] ContextFlags OPTIONAL */ asn1_start_tag(data, ASN1_CONTEXT(1)); asn1_start_tag(data, ASN1_BIT_STRING); while (asn1_tag_remaining(data) > 0) { asn1_read_uint8(data, &flags); } asn1_end_tag(data); asn1_end_tag(data); } if (asn1_peek_tag(data, ASN1_CONTEXT(2))) { DATA_BLOB sblob = data_blob_null; /* mechToken [2] OCTET STRING OPTIONAL */ asn1_start_tag(data, ASN1_CONTEXT(2)); asn1_read_OctetString(data, ctx, &sblob); asn1_end_tag(data); if (secblob) { *secblob = sblob; } else { data_blob_free(&sblob); } } if (asn1_peek_tag(data, ASN1_CONTEXT(3))) { char *princ = NULL; /* mechListMIC [3] OCTET STRING OPTIONAL */ asn1_start_tag(data, ASN1_CONTEXT(3)); asn1_start_tag(data, ASN1_SEQUENCE(0)); asn1_start_tag(data, ASN1_CONTEXT(0)); asn1_read_GeneralString(data, ctx, &princ); asn1_end_tag(data); asn1_end_tag(data); asn1_end_tag(data); if (principal) { *principal = princ; } else { TALLOC_FREE(princ); } } asn1_end_tag(data); asn1_end_tag(data); asn1_end_tag(data); ret = !data->has_error; if (data->has_error) { int j; if (principal) { TALLOC_FREE(*principal); } if (secblob) { data_blob_free(secblob); } for(j = 0; j < i && j < ASN1_MAX_OIDS-1; j++) { TALLOC_FREE(OIDs[j]); } } asn1_free(data); return ret; }
/* parse a SPNEGO auth packet. This contains the encrypted passwords */ bool spnego_parse_auth_response(TALLOC_CTX *ctx, DATA_BLOB blob, NTSTATUS nt_status, const char *mechOID, DATA_BLOB *auth) { ASN1_DATA *data; uint8 negResult; if (NT_STATUS_IS_OK(nt_status)) { negResult = SPNEGO_ACCEPT_COMPLETED; } else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { negResult = SPNEGO_ACCEPT_INCOMPLETE; } else { negResult = SPNEGO_REJECT; } data = asn1_init(talloc_tos()); if (data == NULL) { return false; } asn1_load(data, blob); asn1_start_tag(data, ASN1_CONTEXT(1)); asn1_start_tag(data, ASN1_SEQUENCE(0)); asn1_start_tag(data, ASN1_CONTEXT(0)); asn1_check_enumerated(data, negResult); asn1_end_tag(data); *auth = data_blob_null; if (asn1_tag_remaining(data)) { asn1_start_tag(data,ASN1_CONTEXT(1)); asn1_check_OID(data, mechOID); asn1_end_tag(data); if (asn1_tag_remaining(data)) { asn1_start_tag(data,ASN1_CONTEXT(2)); asn1_read_OctetString(data, ctx, auth); asn1_end_tag(data); } } else if (negResult == SPNEGO_ACCEPT_INCOMPLETE) { data->has_error = 1; } /* Binding against Win2K DC returns a duplicate of the responseToken in * the optional mechListMIC field. This is a bug in Win2K. We ignore * this field if it exists. Win2K8 may return a proper mechListMIC at * which point we need to implement the integrity checking. */ if (asn1_tag_remaining(data)) { DATA_BLOB mechList = data_blob_null; asn1_start_tag(data, ASN1_CONTEXT(3)); asn1_read_OctetString(data, ctx, &mechList); asn1_end_tag(data); data_blob_free(&mechList); DEBUG(5,("spnego_parse_auth_response received mechListMIC, " "ignoring.\n")); } asn1_end_tag(data); asn1_end_tag(data); if (data->has_error) { DEBUG(3,("spnego_parse_auth_response failed at %d\n", (int)data->ofs)); asn1_free(data); data_blob_free(auth); return False; } asn1_free(data); return True; }
static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx, struct spnego_negTokenInit *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { int i; uint8_t context; if (!asn1_peek_uint8(asn1, &context)) { asn1->has_error = true; break; } switch (context) { /* Read mechTypes */ case ASN1_CONTEXT(0): { const char **mechTypes; asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); mechTypes = talloc(mem_ctx, const char *); if (mechTypes == NULL) { asn1->has_error = true; return false; } for (i = 0; !asn1->has_error && 0 < asn1_tag_remaining(asn1); i++) { char *oid; const char **p; p = talloc_realloc(mem_ctx, mechTypes, const char *, i+2); if (p == NULL) { talloc_free(mechTypes); asn1->has_error = true; return false; } mechTypes = p; asn1_read_OID(asn1, mechTypes, &oid); mechTypes[i] = oid; } mechTypes[i] = NULL; token->mechTypes = mechTypes; asn1_end_tag(asn1); asn1_end_tag(asn1); break; } /* Read reqFlags */ case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_BitString(asn1, mem_ctx, &token->reqFlags, &token->reqFlagsPadding); asn1_end_tag(asn1); break; /* Read mechToken */ case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, mem_ctx, &token->mechToken); asn1_end_tag(asn1); break; /* Read mecListMIC */ case ASN1_CONTEXT(3): { uint8_t type_peek; asn1_start_tag(asn1, ASN1_CONTEXT(3)); if (!asn1_peek_uint8(asn1, &type_peek)) { asn1->has_error = true; break; } if (type_peek == ASN1_OCTET_STRING) { asn1_read_OctetString(asn1, mem_ctx, &token->mechListMIC); } else { /* RFC 2478 says we have an Octet String here, but W2k sends something different... */ char *mechListMIC; asn1_start_tag(asn1, ASN1_SEQUENCE(0)); asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_read_GeneralString(asn1, mem_ctx, &mechListMIC); asn1_end_tag(asn1); asn1_end_tag(asn1); token->targetPrincipal = mechListMIC; } asn1_end_tag(asn1); break; } default: asn1->has_error = true; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }
static bool read_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token) { ZERO_STRUCTP(token); asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) { int i; switch (asn1->data[asn1->ofs]) { /* Read mechTypes */ case ASN1_CONTEXT(0): asn1_start_tag(asn1, ASN1_CONTEXT(0)); asn1_start_tag(asn1, ASN1_SEQUENCE(0)); token->mechTypes = SMB_MALLOC_P(const char *); for (i = 0; !asn1->has_error && 0 < asn1_tag_remaining(asn1); i++) { char *p_oid = NULL; token->mechTypes = SMB_REALLOC_ARRAY(token->mechTypes, const char *, i + 2); if (!token->mechTypes) { asn1->has_error = True; return False; } asn1_read_OID(asn1, &p_oid); token->mechTypes[i] = p_oid; } token->mechTypes[i] = NULL; asn1_end_tag(asn1); asn1_end_tag(asn1); break; /* Read reqFlags */ case ASN1_CONTEXT(1): asn1_start_tag(asn1, ASN1_CONTEXT(1)); asn1_read_Integer(asn1, &token->reqFlags); token->reqFlags |= SPNEGO_REQ_FLAG; asn1_end_tag(asn1); break; /* Read mechToken */ case ASN1_CONTEXT(2): asn1_start_tag(asn1, ASN1_CONTEXT(2)); asn1_read_OctetString(asn1, &token->mechToken); asn1_end_tag(asn1); break; /* Read mecListMIC */ case ASN1_CONTEXT(3): asn1_start_tag(asn1, ASN1_CONTEXT(3)); if (asn1->data[asn1->ofs] == ASN1_OCTET_STRING) { asn1_read_OctetString(asn1, &token->mechListMIC); } else { /* RFC 2478 says we have an Octet String here, but W2k sends something different... */ char *mechListMIC; asn1_push_tag(asn1, ASN1_SEQUENCE(0)); asn1_push_tag(asn1, ASN1_CONTEXT(0)); asn1_read_GeneralString(asn1, &mechListMIC); asn1_pop_tag(asn1); asn1_pop_tag(asn1); token->mechListMIC = data_blob(mechListMIC, strlen(mechListMIC)); SAFE_FREE(mechListMIC); } asn1_end_tag(asn1); break; default: asn1->has_error = True; break; } } asn1_end_tag(asn1); asn1_end_tag(asn1); return !asn1->has_error; }