-rw-r--r--src/gss_sec_ctx.c2
-rw-r--r--src/ntlm.c22
-rw-r--r--src/ntlm.h2
-rw-r--r--src/ntlm_common.h30
-rw-r--r--src/ntlm_crypto.c29
-rw-r--r--tests/ntlmssptest.c2
6 files changed, 56 insertions, 31 deletions
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index 4400bc7..a036242 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -1001,7 +1001,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
ctx->neg_flags,
&lm_chal_resp, &nt_chal_resp,
&dom_name, &usr_name, &wks_name,
- &enc_sess_key, &mic);
+ &enc_sess_key, &target_info, &mic);
if (retmin) {
retmaj = GSS_S_DEFECTIVE_TOKEN;
goto done;
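Review bot: The new `&target_info` argument receives a heap buffer that `ntlm_decode_auth_msg` allocates with `malloc`, but neither its declaration nor its release is visible in this hunk. The decoder leaves the buffer untouched when the NT response carries no target info, so it should be declared zero-initialized, e.g. `struct ntlm_buffer target_info = { 0 };`. Its `data` should also be freed on the `done` path, including the `GSS_S_DEFECTIVE_TOKEN` exit shown here. The body of `gssntlm_accept_sec_context` starts and ends outside the hunk, so confirm both against the full function.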
diff --git a/src/ntlm.c b/src/ntlm.c
index 73934d7..2a311c6 100644
--- a/src/ntlm.c
+++ b/src/ntlm.c
@@ -1307,6 +1307,7 @@ int ntlm_decode_auth_msg(struct ntlm_ctx *ctx,
char **domain_name, char **user_name,
char **workstation,
struct ntlm_buffer *enc_sess_key,
+ struct ntlm_buffer *target_info,
struct ntlm_buffer *mic)
{
struct wire_auth_msg *msg;
@@ -1353,6 +1354,27 @@ int ntlm_decode_auth_msg(struct ntlm_ctx *ctx,
ret = ntlm_decode_field(&msg->nt_chalresp, buffer,
payload_offs, nt_chalresp);
if (ret) goto done;
+
+ if (target_info) {
+ union wire_ntlm_response *resp;
+ struct wire_ntlmv2_cli_chal *chal;
+ uint8_t *data;
+ int len;
+ resp = (union wire_ntlm_response *)nt_chalresp->data;
+ chal = (struct wire_ntlmv2_cli_chal *)resp->v2.cli_chal;
+ len = nt_chalresp->length - sizeof(resp->v2.resp)
+ - offsetof(struct wire_ntlmv2_cli_chal, target_info);
+ if (len > 0) {
+ data = chal->target_info;
+ target_info->data = malloc(len);
+ if (!target_info->data) {
+ ret = ENOMEM;
+ goto done;
+ }
+ memcpy(target_info->data, data, len);
+ target_info->length = len;
+ }
+ }
}
if (msg->domain_name.len != 0 && domain_name) {
if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
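Review bot: The `len` computation in the new `if (target_info)` block subtracts the two header sizes from `nt_chalresp->length` without first checking that the peer-supplied response is at least that long. If the length field is unsigned (its declaration is not in this hunk), a short or NTLMv1-sized response wraps around, and the `len > 0` guard then only works through an implementation-defined conversion to `int`. Compare before subtracting, e.g. `size_t hdr = sizeof(resp->v2.resp) + offsetof(struct wire_ntlmv2_cli_chal, target_info);` followed by `if (nt_chalresp->length > hdr) { len = nt_chalresp->length - hdr; ...`. The copied bytes are not checked for the MSV_AV_EOL terminator that the struct comment requires, so any later parser must bound each AV_PAIR by `target_info->length`. The function body starts and ends outside the hunk, so it is not visible whether a later `goto done` releases the new allocation.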
diff --git a/src/ntlm.h b/src/ntlm.h
index f338bbd..648e811 100644
--- a/src/ntlm.h
+++ b/src/ntlm.h
@@ -666,6 +666,7 @@ int ntlm_encode_auth_msg(struct ntlm_ctx *ctx,
* @param user_name The User name
* @param workstation The Workstation name
* @param enc_sess_key The session key
+ * @param target_info The target_info AV_PAIR embedded in the NT Response
* @param mic A MIC of the messages
* Passing a pointer to a mic means the caller has
* previously requested the presence of a MIC field from
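Review bot: The new `@param target_info` line does not state the contract a caller needs. It should say that the argument may be NULL to skip extraction, that on success `data` is allocated by the function and must be freed by the caller, and that the buffer is left untouched when the NT response has no target info. It should also warn that the contents are unvalidated bytes from the peer. Something like `@param target_info Optional; receives a malloc'd copy of the raw target_info bytes from an NTLMv2 NT Response (caller frees, contents unvalidated)` would cover it.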
@@ -688,6 +689,7 @@ int ntlm_decode_auth_msg(struct ntlm_ctx *ctx,
char **domain_name, char **user_name,
char **workstation,
struct ntlm_buffer *enc_sess_key,
+ struct ntlm_buffer *target_info,
struct ntlm_buffer *mic);
#endif /* _NTLM_H_ */
diff --git a/src/ntlm_common.h b/src/ntlm_common.h
index 01d6b16..1c62171 100644
--- a/src/ntlm_common.h
+++ b/src/ntlm_common.h
@@ -103,4 +103,34 @@ struct wire_version {
};
#pragma pack(pop)
+/* ln/ntlm response, v1 or v2 */
+#pragma pack(push, 1)
+union wire_ntlm_response {
+ struct {
+ uint8_t resp[24];
+ } v1;
+ struct {
+ uint8_t resp[16];
+ uint8_t cli_chal[];
+ } v2;
+};
+#pragma pack(pop)
+
+#pragma pack(push, 1)
+struct wire_ntlmv2_cli_chal {
+ uint8_t resp_version;
+ uint8_t hi_resp_version;
+ uint8_t zero_6[6];
+ uint64_t timestamp;
+ uint8_t client_chal[8];
+ uint8_t zero_4[4];
+ uint8_t target_info[];
+ /* NOTE: the target_info array must terminate with 4 zero bytes.
+ * This is consistent with just copying the target_info array
+ * returned in the challenge message as the last AV_PAIR there is
+ * always MSV_AV_EOL which happens to be 4 bytes of zeros */
+
+};
+#pragma pack(pop)
+
#endif /* _NTLM_COMMON_H_ */
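Review bot: The moved comment above `union wire_ntlm_response` now reads `/* ln/ntlm response, v1 or v2 */`, which looks like a typo introduced during the move; `/* lm/ntlm response, v1 or v2 */` is presumably what was meant. The NOTE inside `struct wire_ntlmv2_cli_chal` describes what the encoder produces, yet the structure is now also overlaid on received data in the decode path. It would help to add a line such as `/* on decode this is peer-controlled and the terminator is NOT guaranteed */`. The stray blank line before the closing `};` can be dropped.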
diff --git a/src/ntlm_crypto.c b/src/ntlm_crypto.c
index 5bccb39..f3701db 100644
--- a/src/ntlm_crypto.c
+++ b/src/ntlm_crypto.c
@@ -33,35 +33,6 @@
#include "ntlm.h"
#include "crypto.h"
-/* ntlm response, v1 or v2 */
-#pragma pack(push, 1)
-union wire_ntlm_response {
- struct {
- uint8_t resp[24];
- } v1;
- struct {
- uint8_t resp[16];
- uint8_t cli_chal[];
- } v2;
-};
-#pragma pack(pop)
-
-#pragma pack(push, 1)
-struct wire_ntlmv2_cli_chal {
- uint8_t resp_version;
- uint8_t hi_resp_version;
- uint8_t zero_6[6];
- uint64_t timestamp;
- uint8_t client_chal[8];
- uint8_t zero_4[4];
- uint8_t target_info[];
- /* NOTE: the target_info array must terminate with 4 zero bytes.
- * This is consistent with just copying the target_info array
- * returned in the challenge message as the last AV_PAIR there is
- * always MSV_AV_EOL which happens to be 4 bytes of zeros */
-};
-#pragma pack(pop)
-
/* signature structure, v1 or v2 */
#pragma pack(push, 1)
union wire_msg_signature {
diff --git a/tests/ntlmssptest.c b/tests/ntlmssptest.c
index 6915a8c..7a77db7 100644
--- a/tests/ntlmssptest.c
+++ b/tests/ntlmssptest.c
@@ -910,7 +910,7 @@ int test_DecodeAuthenticateMessageV2(struct ntlm_ctx *ctx)
ret = ntlm_decode_auth_msg(ctx, &auth_msg, T_NTLMv2.ChallengeFlags,
&lm_chalresp, &nt_chalresp,
&dom, &usr, &wks,
- &enc_sess_key, NULL);
+ &enc_sess_key, NULL, NULL);
if (ret) return ret;
if ((lm_chalresp.length != 24) ||
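Review bot: This call passes `NULL` for the new `target_info` argument, so the extraction branch added in `ntlm_decode_auth_msg` is never exercised by the test suite. Passing a zero-initialized `struct ntlm_buffer` here would cover it, with a check of the returned length and bytes against the target info of the NTLMv2 test vector, then a `free` of the buffer. A second case with a truncated NT response would pin the short-input behaviour of the length arithmetic. The test function continues outside the hunk.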