[PATCH] SPNEGO: Don't assume principal [ASN1_CONTEXT(3)] always follows OIDs in negTokenInit packet. Some servers, notably Windows 7 + Live Sign-in Assistant, include a mechToken [ASN1_CONTEXT(2)] along with OIDs in negTokenInit packet. Current code assumed the next object, if any, in the packet was the mechListMIC [ASN1_CONTEXT(3)] object. This assumption broke authentication with servers that supplied a mechToken as the next object. This patch uses asn1_peek_tag to see if the next tag contains the principal, or it contains a mechToken (which we consume and throw away). Signed-off-by: David Kondrad --- source3/libsmb/clispnego.c | 18 +++++++++++++++++- 1 files changed, 17 insertions(+), 1 deletions(-) diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index 264743b..12f42d8 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -135,6 +135,7 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob, int i; bool ret; ASN1_DATA *data; + DATA_BLOB token; data = asn1_init(talloc_tos()); if (data == NULL) { @@ -161,7 +162,15 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob, asn1_end_tag(data); *principal = NULL; - if (asn1_tag_remaining(data) > 0) { + + /* + Win7 + Live Sign-in Assistant attaches a mechToken + ASN1_CONTEXT(2) to the negTokenInit packet + which breaks our negotiation if we just assume + the next tag is ASN1_CONTEXT(3). + */ + + if (asn1_peek_tag(data, ASN1_CONTEXT(3))) { asn1_start_tag(data, ASN1_CONTEXT(3)); asn1_start_tag(data, ASN1_SEQUENCE(0)); asn1_start_tag(data, ASN1_CONTEXT(0)); @@ -169,6 +178,13 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob, asn1_end_tag(data); asn1_end_tag(data); asn1_end_tag(data); + } else if (asn1_peek_tag(data, ASN1_CONTEXT(2))) { + asn1_start_tag(data, ASN1_CONTEXT(2)); + asn1_read_OctetString(data, talloc_autofree_context(), &token); + asn1_end_tag(data); + + /* Throw away the token */ + data_blob_free(&token); } asn1_end_tag(data); -- 1.5.6