Wireshark · Ethereal-dev: Re: [Ethereal-dev] I am confused by the MS impl of SPNEGO vs spec ...

Ethereal-dev: Re: [Ethereal-dev] I am confused by the MS impl of SPNEGO vs spec ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>

Date: Wed, 28 Aug 2002 01:24:04 -0700

On Wed, Aug 28, 2002 at 05:15:40PM +0930, Richard Sharpe wrote:
> I assumed that this means that I would find a negTokenTarg consisting of:
> 
>  OBJECT IDENTIFIER SPNEGO (1 3 6 1 5 5 2)

That's not part of a negTokenTarg.  That's the thisMech member of an
InitialContextToken, as per section 3.1 or RFC 2078.

Everything that follows it is the innerContextToken.
complnent of the initial token of a GSS-API context establishment
sequence, as per section 3.1 of RFC 2078.

> However, what I seem to find is:
> 
>     <60 50>
> 0000 60   50: [APPLICATION 0] {
>     <06 06>
> 0002 06    6:   OBJECT IDENTIFIER SPNEGO (1 3 6 1 5 5 2)

Yup, that's an InitialContextToken, as per RFC 2078:

       InitialContextToken ::=
       -- option indication (delegation, etc.) indicated within
       -- mechanism-specific token
       [APPLICATION 0] IMPLICIT SEQUENCE {
               thisMech MechType,
               innerContextToken ANY DEFINED BY thisMech
                  -- contents mechanism-specific
                  -- ASN.1 structure not required
               }

and all the stuff that follows is the innerContextToken, which, as RFC
2478 says, is described by the syntax you quoted.

>     <A0 46>
> 000A A0   46:   [0] {

So that's the "CHOICE { [0] {" part of a NegotiationToken, and it chose
[0], or a NegTokenInit.

>     <30 44>
> 000C 30   44:     SEQUENCE {

So that's the "SEQUENCE {" part of a NegTokenInit...

>     <A0 0E>
> 000E A0    E:       [0] {

...and that's the "[0]" part of a NegTokenInit, so the next item
is a MechTypeList.

>     <30 0C>
> 0010 30    C:         SEQUENCE {

SEQUENCE and SEQUENCE OF both have a tag of universal class and number
16, so they both start with hex 30, so that's actually

    <30 0C>
0010 30    C:         SEQUENCE OF {

which means this is a MechTypeList, or a sequence of MechTypes, which
are OBJECT IDENTIFIERs.

>     <06 0A>
> 0012 06    A:           OBJECT IDENTIFIER
>             :             Microsoft NTLMSSP (1 3 6 1 4 1 311 2 2 10
>             :           }
>             :         }

and there's the first (and presumably only) member of that list.

>     <A2 32>
> 001E A2   32:       [2] {

That's the [2] part of a NegTokenInit; all parts are optional, and the
reqFlags part ([1]) was omitted.

>     <04 30>
> 0020 04   30:         OCTET STRING    

...and that introduces the mechToken.

Follow-Ups:
- Re: [Ethereal-dev] I am confused by the MS impl of SPNEGO vs spec ...
  - From: Richard Sharpe

References:
- [Ethereal-dev] I am confused by the MS impl of SPNEGO vs spec ...
  - From: Richard Sharpe

Prev by Date: Re: [Ethereal-dev] Damn ASN1 decode code is locked up in packet-ldap.c
Next by Date: [Ethereal-dev] resolving of well-known mac-addresses
Previous by thread: [Ethereal-dev] I am confused by the MS impl of SPNEGO vs spec ...
Next by thread: Re: [Ethereal-dev] I am confused by the MS impl of SPNEGO vs spec ...
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$