The Samba-Bugzilla – Attachment 5851 Details for
Bug 7577
SPNEGO auth fails when contacting Win7 system using Microsoft Live Sign-in Assistant
[PATCH] SPNEGO: Don't assume principal (ASN1_CONTEXT(3)) always follows OIDs in negTokenInit packet.
samba_bug7577_spnego_win7.patch (text/plain), 2.00 KB, created by
David Kondrad
on 2010-07-19 12:57:55 UTC
>[PATCH] SPNEGO: Don't assume principal [ASN1_CONTEXT(3)] always follows OIDs in negTokenInit packet. > >Some servers, notably Windows 7 + Live Sign-in Assistant, >include a mechToken [ASN1_CONTEXT(2)] along with OIDs in negTokenInit packet. > >Current code assumed the next object, if any, in the packet was the mechListMIC >[ASN1_CONTEXT(3)] object. This assumption broke authentication with servers >that supplied a mechToken as the next object. > >This patch uses asn1_peek_tag to see if the next tag contains the principal, >or it contains a mechToken (which we consume and throw away). > >Signed-off-by: David Kondrad <david.kondrad@legrand.us> >--- > source3/libsmb/clispnego.c | 18 +++++++++++++++++- > 1 files changed, 17 insertions(+), 1 deletions(-) > >diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c >index 264743b..12f42d8 100644 >--- a/source3/libsmb/clispnego.c >+++ b/source3/libsmb/clispnego.c >@@ -135,6 +135,7 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob, > int i; > bool ret; > ASN1_DATA *data; >+ DATA_BLOB token; > > data = asn1_init(talloc_tos()); > if (data == NULL) { >@@ -161,7 +162,15 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob, > asn1_end_tag(data); > > *principal = NULL; >- if (asn1_tag_remaining(data) > 0) { >+ >+ /* >+ Win7 + Live Sign-in Assistant attaches a mechToken >+ ASN1_CONTEXT(2) to the negTokenInit packet >+ which breaks our negotiation if we just assume >+ the next tag is ASN1_CONTEXT(3). >+ */ >+ >+ if (asn1_peek_tag(data, ASN1_CONTEXT(3))) { > asn1_start_tag(data, ASN1_CONTEXT(3)); > asn1_start_tag(data, ASN1_SEQUENCE(0)); > asn1_start_tag(data, ASN1_CONTEXT(0)); 
>@@ -169,6 +178,13 @@ bool spnego_parse_negTokenInit(DATA_BLOB blob, > asn1_end_tag(data); > asn1_end_tag(data); > asn1_end_tag(data); >+ } else if (asn1_peek_tag(data, ASN1_CONTEXT(2))) { >+ asn1_start_tag(data, ASN1_CONTEXT(2)); >+ asn1_read_OctetString(data, talloc_autofree_context(), &token); >+ asn1_end_tag(data); >+ >+ /* Throw away the token */ >+ data_blob_free(&token); > } > > asn1_end_tag(data); >-- >1.5.6 >
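Review bot: in the first hunk (@@ -135), `DATA_BLOB token;` is declared at function scope without an initial value, yet it is used in only one branch further down. Declare it inside the ASN1_CONTEXT(2) block, or initialise it to an empty blob at the declaration, so the later `data_blob_free(&token)` never operates on indeterminate contents.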
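Review bot: in the second hunk (@@ -161), dropping the `asn1_tag_remaining(data) > 0` test means the parser now reacts only to the tags it names. If the packet carries anything else after the OID list, that data reaches the closing `asn1_end_tag(data)` unread and nothing is logged. Keep a remaining-data check after the known tags have been handled and emit a debug message there, so the next unexpected negTokenInit layout shows up in the logs instead of as an unexplained authentication failure.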
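Review bot: in the third hunk (@@ -169), the `else if` makes the ASN1_CONTEXT(3) and ASN1_CONTEXT(2) branches mutually exclusive, so a packet that carries a mechToken followed by the [3] element has its token consumed and the principal is never read. RFC 4178 places mechToken [2] ahead of mechListMIC [3] in NegTokenInit, so handle [2] first in its own `if`, then test for [3] separately. Two smaller points in the same branch: the result of `asn1_read_OctetString` is not checked before `data_blob_free(&token)`, and the token is allocated on `talloc_autofree_context()` while the parser itself is created with `asn1_init(talloc_tos())`; using the same context for a blob that is freed immediately would be more consistent.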