From c31c0ed2e2f1f2f05991e50324fc2fd4a3878cb4 Mon Sep 17 00:00:00 2001
From: Seth Hall
Date: Thu, 7 Jul 2016 13:03:33 -0400
Subject: [PATCH] Fix for an issue with GSSAPI mech_token from Florent Monjalet
From Florent's patch:
Previously, the ASN1EncodingMeta was in the NTLM_SSP_Token; this broke the NTLM decoding when used directly with DCE-RPC. NTLM now works on DCE-RPC and should work properly on other layers in the future (e.g. HTTP Authentication data).
---
 src/analyzer/protocol/gssapi/gssapi-analyzer.pac | 5 ++---
 src/analyzer/protocol/gssapi/gssapi-protocol.pac | 9 +++++++--
 src/analyzer/protocol/ntlm/ntlm-protocol.pac | 1 -
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac
index e502fff923..a913441f1d 100644
--- a/src/analyzer/protocol/gssapi/gssapi-analyzer.pac
+++ b/src/analyzer/protocol/gssapi/gssapi-analyzer.pac
@@ -36,12 +36,11 @@ refine connection GSSAPI_Conn += {
 %}
 }
-refine typeattr GSSAPI_NEG_TOKEN_INIT_Arg_Data += &let {
- fwd: bool = $context.connection.forward_ntlm(mech_token, true) &if(index==2);
+refine typeattr GSSAPI_NEG_TOKEN_MECH_TOKEN += &let {
+ fwd: bool = $context.connection.forward_ntlm(mech_token, is_orig);
 };
 refine typeattr GSSAPI_NEG_TOKEN_RESP_Arg += &let {
 proc: bool = $context.connection.proc_gssapi_neg_result(this) &if(seq_meta.index==0);
- fwd: bool = $context.connection.forward_ntlm(response_token, false) &if(seq_meta.index==2);
 };
diff --git a/src/analyzer/protocol/gssapi/gssapi-protocol.pac b/src/analyzer/protocol/gssapi/gssapi-protocol.pac
index 67a84ceb0b..024d480f35 100644
--- a/src/analyzer/protocol/gssapi/gssapi-protocol.pac
+++ b/src/analyzer/protocol/gssapi/gssapi-protocol.pac
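Review bot: The new `fwd` refine on GSSAPI_NEG_TOKEN_MECH_TOKEN hands every index-2 token to forward_ntlm without any check that the bytes are an NTLMSSP message, while in SPNEGO the same position routinely carries a Kerberos token; with ASN1EncodingMeta removed from NTLM_SSP_Token (ntlm-protocol.pac hunk) the NTLM parser now begins directly on the 8-byte `signature` field, so a non-NTLM token will be fed through it as if it were NTLM. forward_ntlm is defined outside this hunk, so it may already compare the signature or the negotiated mech OID; if it does not, the guard should be added there or in this refine, and either way a comment here would record the contract, e.g. `# forward_ntlm must verify the NTLMSSP signature before dispatching: mech_token may be a Kerberos token`. The `refine connection GSSAPI_Conn` block closed at the top of the hunk starts outside it.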
@@ -30,7 +30,7 @@ type GSSAPI_NEG_TOKEN_INIT_Arg = record {
 type GSSAPI_NEG_TOKEN_INIT_Arg_Data(index: uint8) = case index of {
 0 -> mech_type_list : ASN1Encoding;
 1 -> req_flags : ASN1Encoding;
- 2 -> mech_token : bytestring &restofdata;
+ 2 -> mech_token : GSSAPI_NEG_TOKEN_MECH_TOKEN(true);
 3 -> mech_list_mic : ASN1OctetString;
 };
@@ -44,7 +44,12 @@ type GSSAPI_NEG_TOKEN_RESP_Arg = record {
 args : case seq_meta.index of {
 0 -> neg_state : ASN1Integer;
 1 -> supported_mech : ASN1Encoding;
- 2 -> response_token : bytestring &restofdata;
+ 2 -> response_token : GSSAPI_NEG_TOKEN_MECH_TOKEN(false);
 3 -> mech_list_mic : ASN1OctetString;
 } &length=seq_meta.length;
 };
+
+type GSSAPI_NEG_TOKEN_MECH_TOKEN(is_orig: bool) = record {
+ meta : ASN1EncodingMeta;
+ mech_token : bytestring &length=meta.length;
+};
diff --git a/src/analyzer/protocol/ntlm/ntlm-protocol.pac b/src/analyzer/protocol/ntlm/ntlm-protocol.pac
index 6f5fef29b9..471a124301 100644
--- a/src/analyzer/protocol/ntlm/ntlm-protocol.pac
+++ b/src/analyzer/protocol/ntlm/ntlm-protocol.pac
@@ -1,6 +1,5 @@
 type NTLM_SSP_Token(is_orig: bool) = record {
- meta : ASN1EncodingMeta;
 signature : bytestring &length=8;
 msg_type : uint32;
 msg : case msg_type of {
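Review bot: The literal `true` passed to GSSAPI_NEG_TOKEN_MECH_TOKEN at index 2 here, and the `false` in the GSSAPI_NEG_TOKEN_RESP_Arg hunk below, encode which SPNEGO token kind the bytes came from, yet the parameter is called `is_orig` and is passed on to forward_ntlm as if it were the flow direction. Token kind and direction are not the same thing — as far as I recall a server can send a NegTokenInit2 in an SMB negotiate response — so NTLM messages in such an exchange would be attributed to the wrong side. If the analyzer has the real originator flag available it should pass that; otherwise rename the parameter or document the assumption, e.g. `2 -> mech_token : GSSAPI_NEG_TOKEN_MECH_TOKEN(true); # true = NegTokenInit, treated as originator`.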
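Review bot: The new record GSSAPI_NEG_TOKEN_MECH_TOKEN carries no comment, and its `is_orig` parameter is unused inside the record body; it exists only to be read by the `&let` refine in gssapi-analyzer.pac, which is easy to miss when reading this file alone. `mech_token : bytestring &length=meta.length` also replaces the old `&restofdata` with a length taken from the wire: under NegTokenResp the enclosing `&length=seq_meta.length` bounds it, but the bound for the NegTokenInit path lies outside this hunk, and an inner length that disagrees with the outer one will presumably now end in a binpac parse exception rather than the token being consumed whole, which deserves a regression trace with a truncated token. Suggested header above the type: `# OCTET STRING wrapper around a SPNEGO mech token; meta is the ASN.1 encoding header whose length bounds the payload. is_orig is consumed by the forward_ntlm refine in gssapi-analyzer.pac, not here.`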