authorRichard Sharpe <realrichardsharpe@gmail.com>2014-05-28 21:05:41 -0400
committerMichael Mann <mmann78@netscape.net>2014-05-29 01:15:26 +0000
commit0ed2672abf6d8a41e0ddc11358bb73d86a30fe92 (patch)
tree34e0a1c3508c5b262b5b7b1af0cbbc54e86c4c89 /asn1/spnego/spnego.asn
parentbb78e8f6e5bf770f1effbc84c44656436add5a5d (diff)
Try to fix the problems with the SPNEGO negTokenInit differences in Microsoft implementations
Change-Id: Ifbfca88469a6bc479072c921deba280e667c7087 Reviewed-on: https://code.wireshark.org/review/1804 Reviewed-by: Michael Mann <mmann78@netscape.net>
Diffstat (limited to 'asn1/spnego/spnego.asn')
-rw-r--r--asn1/spnego/spnego.asn91
1 files changed, 47 insertions, 44 deletions
diff --git a/asn1/spnego/spnego.asn b/asn1/spnego/spnego.asn
index 190b3f1555..b62973df2f 100644
--- a/asn1/spnego/spnego.asn
+++ b/asn1/spnego/spnego.asn
@@ -13,21 +13,11 @@ NegotiationToken ::= CHOICE {
MechTypeList ::= SEQUENCE OF MechType
--
--- In some cases, the mechListMIC is a sequence of GeneralString,
--- rather than an OCTET STRING. We define that sequence here so
--- that we can call its dissector.
--- The IRC discussion at
+-- MS-SPNG tells us that the format of a negTokenInit is actually
+-- negTokenInit2 if a negTokenInit is seen in a response. It might need
+-- to be the first negTokenInit seen in a response, but I am not sure.
+-- It will only occur in a NegotiateProtocol response in CIFS/SMB or SMB2.
--
--- http://irc.vernstok.nl/samba-technical.dy
---
--- seems to suggest that it's a Kerberos principal of some sort, thanks
--- to some flavor of "embrace, extend, expectorate" sequence from
--- Microsoft.
---
-PrincipalSeq ::= SEQUENCE {
- principal [0] GeneralString
-}
-
NegTokenInit ::= SEQUENCE {
mechTypes [0] MechTypeList OPTIONAL,
reqFlags [1] ContextFlags OPTIONAL,
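Review bot: The removed PrincipalSeq type was, per the deleted comment, kept so "we can call its dissector"; this hunk drops the type but nothing in the diff (limited to spnego.asn) shows the matching references in spnego.cnf or the packet-spnego template going away, so if any remain the generated dissector will not compile. The replacement comment also leaves the trigger condition open ("I am not sure"); it would read better as a statement of what the dissector actually relies on, e.g. `-- NegTokenInit2 is only expected in the server's initial response (the security blob of an SMB/SMB2 NegotiateProtocol response); the ASN.1 cannot express this, the dissector must select it by direction.` The NegotiationToken CHOICE this sits under starts before the hunk and is not visible here.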
@@ -35,6 +25,19 @@ NegTokenInit ::= SEQUENCE {
mechListMIC [3] OCTET STRING OPTIONAL
}
+NegHints ::= SEQUENCE {
+ hintName [0] GeneralString OPTIONAL,
+ hintAddress [1] OCTET STRING OPTIONAL
+}
+
+NegTokenInit2 ::= SEQUENCE {
+ mechTypes [0] MechTypeList OPTIONAL,
+ reqFlags [1] ContextFlags OPTIONAL,
+ mechToken [2] OCTET STRING OPTIONAL,
+ negHints [3] NegHints OPTIONAL,
+ mechListMIC [4] OCTET STRING OPTIONAL
+}
+
ContextFlags ::= BIT STRING {
delegFlag (0),
mutualFlag (1),
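Review bot: NegTokenInit2 reuses tags [0]..[2] of NegTokenInit and assigns [3] to a NegHints SEQUENCE where NegTokenInit has an OCTET STRING, so the two are indistinguishable from the token alone and a decoder that picks the wrong one will fail at the [3] element; the .asn should say that the choice is made by the dissector from message direction, since the ASN.1 itself cannot encode it. A short comment on NegHints would also help future readers: `-- NegHints (MS-SPNG): hintName is a fixed placeholder string, hintAddress is unused; both OPTIONAL, so an empty SEQUENCE is valid.` Whether the surrounding dissector code (outside this diff) already does that direction check cannot be confirmed from this hunk.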
@@ -55,46 +58,46 @@ NegTokenTarg ::= SEQUENCE {
mechListMIC [3] OCTET STRING OPTIONAL
}
---GSS-API DEFINITIONS ::=
---BEGIN
---MechType ::= OBJECT IDENTIFIER
--- data structure definitions
--- callers must be able to distinguish among
--- InitialContextToken, SubsequentContextToken,
--- PerMsgToken, and SealedMessage data elements
--- based on the usage in which they occur
-InitialContextToken ::=
- -- option indication (delegation, etc.) indicated within
- -- mechanism-specific token
-[APPLICATION 0] IMPLICIT SEQUENCE {
- thisMech MechType,
- innerContextToken InnerContextToken
- -- DEFINED BY thisMech
- -- contents mechanism-specific
+--GSS-API DEFINITIONS ::=
+--BEGIN
+--MechType ::= OBJECT IDENTIFIER
+-- data structure definitions
+-- callers must be able to distinguish among
+-- InitialContextToken, SubsequentContextToken,
+-- PerMsgToken, and SealedMessage data elements
+-- based on the usage in which they occur
+InitialContextToken ::=
+ -- option indication (delegation, etc.) indicated within
+ -- mechanism-specific token
+[APPLICATION 0] IMPLICIT SEQUENCE {
+ thisMech MechType,
+ innerContextToken InnerContextToken
+ -- DEFINED BY thisMech
+ -- contents mechanism-specific
-- ASN.1 structure not required
- }
+ }
-- SubsequentContextToken ::= InnerContextToken
InnerContextToken ::= ANY
--- interpretation based on predecessor InitialContextToken
--- ASN.1 structure not required
+-- interpretation based on predecessor InitialContextToken
+-- ASN.1 structure not required
--- PerMsgToken ::=
--- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC
--- ASN.1 structure not required
+-- PerMsgToken ::=
+-- as emitted by GSS_GetMIC and processed by GSS_VerifyMIC
+-- ASN.1 structure not required
-- InnerMsgToken
-- InnerMsgToken ::= ANY
--- SealedMessage ::=
--- as emitted by GSS_Wrap and processed by GSS_Unwrap
--- includes internal, mechanism-defined indicator
--- of whether or not encrypted
--- ASN.1 structure not required
--- SealedUserData
-
--- SealedUserData ::= ANY
+-- SealedMessage ::=
+-- as emitted by GSS_Wrap and processed by GSS_Unwrap
+-- includes internal, mechanism-defined indicator
+-- of whether or not encrypted
+-- ASN.1 structure not required
+-- SealedUserData
+
+-- SealedUserData ::= ANY
-- END GSS-API DEFINITIONS