diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 0067a19d3b6..b5f92044ef6 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -114,7 +114,7 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads) } data_blob_free(&tmp_blob); } else if (rc == LDAP_SASL_BIND_IN_PROGRESS) { - if (!spnego_parse_auth_response(blob, nt_status, + if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP, &blob_in)) { ntlmssp_end(&ntlmssp_state); diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 3970731b45f..3b9c477b26a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -722,7 +722,7 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use } data_blob_free(&tmp_blob); } else { - if (!spnego_parse_auth_response(blob, nt_status, + if (!spnego_parse_auth_response(blob, nt_status, OID_NTLMSSP, &blob_in)) { DEBUG(3,("Failed to parse auth response\n")); if (NT_STATUS_IS_OK(nt_status) diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index 6aca217e259..0c4217c4176 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -518,9 +518,10 @@ DATA_BLOB spnego_gen_auth_response(DATA_BLOB *reply, NTSTATUS nt_status, } /* - parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords + parse a SPNEGO auth packet. This contains the encrypted passwords */ -BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status, +BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status, + const char *mechOID, DATA_BLOB *auth) { ASN1_DATA data; @@ -541,14 +542,20 @@ BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status, asn1_check_enumerated(&data, negResult); asn1_end_tag(&data); - if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) { + *auth = data_blob(NULL,0); + + if (asn1_tag_remaining(&data)) { asn1_start_tag(&data,ASN1_CONTEXT(1)); - asn1_check_OID(&data, OID_NTLMSSP); - asn1_end_tag(&data); - - asn1_start_tag(&data,ASN1_CONTEXT(2)); - asn1_read_OctetString(&data, auth); + asn1_check_OID(&data, mechOID); asn1_end_tag(&data); + + if (asn1_tag_remaining(&data)) { + asn1_start_tag(&data,ASN1_CONTEXT(2)); + asn1_read_OctetString(&data, auth); + asn1_end_tag(&data); + } + } else if (negResult == SPNEGO_NEG_RESULT_INCOMPLETE) { + data.has_error = 1; } asn1_end_tag(&data); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index c7c1b7fe69c..ab7f0b9b478 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2002,7 +2002,7 @@ static NTSTATUS rpc_finish_spnego_ntlmssp_bind(struct rpc_pipe_client *cli, prs_copy_data_out((char *)server_spnego_response.data, rbuf, phdr->auth_len); /* Check we got a valid auth response. */ - if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, &tmp_blob)) { + if (!spnego_parse_auth_response(server_spnego_response, NT_STATUS_OK, OID_NTLMSSP, &tmp_blob)) { data_blob_free(&server_spnego_response); data_blob_free(&tmp_blob); return NT_STATUS_INVALID_PARAMETER;