authorAndrew Tridgell <tridge@samba.org>2010-09-22 22:20:30 -0700
committerAndrew Tridgell <tridge@samba.org>2010-09-23 07:17:57 +0000
commit202525db1339805af5d5e837712b0aa834e8f5e0 (patch)
tree68c46be94ad3929996bb3db6508752e0a3fc39e1
parentd1cbd68bb12c6d5193e864e5b0bae16c7ec4c5f4 (diff)
s4-gensec: fixed a GSSAPI SASL negotiation bug
Fixed a bug that affected mismatched negotiation between the GSSAPI layer and the SASL SSF subsequent negotiation. This caused some ldap clients to hang when trying to authenticate with a Samba LDAP server. The client thought the connection should be signed, the server thought it should be in plain text. Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/auth/gensec/gensec_gssapi.c25
1 files changed, 14 insertions, 11 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index d2f19e961e..a864bca49b 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -777,25 +777,28 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
/* first byte is the proposed security */
security_accepted = maxlength_accepted[0];
maxlength_accepted[0] = '\0';
-
+
/* Rest is the proposed max wrap length */
gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0),
gensec_gssapi_state->max_wrap_buf_size);
gensec_gssapi_state->sasl_protection = 0;
- if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- if (security_accepted & NEG_SEAL) {
- gensec_gssapi_state->sasl_protection |= NEG_SEAL;
+ if (security_accepted & NEG_SEAL) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ DEBUG(1, ("Remote client wanted seal, but gensec refused\n"));
+ return NT_STATUS_ACCESS_DENIED;
}
- } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- if (security_accepted & NEG_SIGN) {
- gensec_gssapi_state->sasl_protection |= NEG_SIGN;
+ gensec_gssapi_state->sasl_protection |= NEG_SEAL;
+ }
+ if (security_accepted & NEG_SIGN) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ DEBUG(1, ("Remote client wanted sign, but gensec refused\n"));
+ return NT_STATUS_ACCESS_DENIED;
}
- } else if (security_accepted & NEG_NONE) {
+ gensec_gssapi_state->sasl_protection |= NEG_SIGN;
+ }
+ if (security_accepted & NEG_NONE) {
gensec_gssapi_state->sasl_protection |= NEG_NONE;
- } else {
- DEBUG(1, ("Remote client does not support unprotected connections, but we failed to negotiate anything better"));
- return NT_STATUS_ACCESS_DENIED;
}
/* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */