-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 34 | ||||
-rw-r--r-- | source4/libcli/ldap/ldap.c | 20 |
2 files changed, 41 insertions, 13 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 0b48a010eb..aaa79aa407 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -394,9 +394,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 gensec_gssapi_state->input_chan_bindings,
 &gensec_gssapi_state->client_name,
 &gss_oid_p,
- &output_token,
- &gensec_gssapi_state->got_flags,
- NULL,
+ &output_token,
+ &gensec_gssapi_state->got_flags,
+ NULL,
 &gensec_gssapi_state->delegated_cred_handle);
 gensec_gssapi_state->gss_oid = gss_oid_p;
 break;
@@ -416,8 +416,22 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
 }
- /* We may have been invoked as SASL, so there is more work to do */
+ /* We may have been invoked as SASL, so there
+ * is more work to do */
 if (gensec_gssapi_state->sasl) {
+ /* Due to a very subtle interaction
+ * with SASL and the LDAP libs, we
+ * must ensure the data pointer is
+ * != NULL, but the length is 0.
+ *
+ * This ensures we send a 'zero
+ * length' (rather than NULL) response
+ */
+
+ if (!out->data) {
+ out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
+ }
+
 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 } else {
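Review bot: The result of `talloc_strdup(out_mem_ctx, "\0")` in the new `if (!out->data)` block is never checked, so an allocation failure leaves `out->data` NULL and the response falls back to exactly the omitted-element encoding this hunk is trying to avoid, with no error reported. The `"\0"` literal is also misleading, since talloc_strdup copies up to the first NUL and therefore sees it as `""`. I would write `out->data = (uint8_t *)talloc_strdup(out_mem_ctx, ""); if (!out->data) { return NT_STATUS_NO_MEMORY; }` and add `/* out->length stays 0: only the pointer is made non-NULL */` to the comment, because whether `out->length` is already 0 on this path is not visible in the hunk and the LDAP encoder depends on that pairing. gensec_gssapi_update's body starts and ends outside the hunk.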
@@ -543,11 +557,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 gensec_gssapi_state->sasl_state = STAGE_DONE;
 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GSSAPI Connection to server will be cryptographicly sealed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- DEBUG(3, ("GSSAPI Connection to server will be cryptographicly signed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
 } else {
- DEBUG(3, ("GSSAPI Connection to server will have no cryptographicly protection\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
 }
 return NT_STATUS_OK;
@@ -661,11 +675,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
 gensec_gssapi_state->sasl_state = STAGE_DONE;
 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GSSAPI Connection from client will be cryptographicly sealed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- DEBUG(3, ("GSSAPI Connection from client will be cryptographicly signed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
 } else {
- DEBUG(3, ("GSSAPI Connection from client will have no cryptographicly protection\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will have no cryptographicly protection\n"));
 }
 *out = data_blob(NULL, 0);
diff --git a/source4/libcli/ldap/ldap.c b/source4/libcli/ldap/ldap.c
index b281f62ed0..496fec527f 100644
--- a/source4/libcli/ldap/ldap.c
+++ b/source4/libcli/ldap/ldap.c
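Review bot: The rewritten DEBUG strings in both hunks here (`-543,11` and `-661,11`) carry over the misspelling "cryptographicly", and the third message in each set is ungrammatical ("no cryptographicly protection"). These are the lines an operator greps for to see whether a SASL/GSSAPI bind ended up sealed, signed or unprotected, so they are worth correcting while they are being touched: `DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographic protection\n"));` and "cryptographically sealed" / "cryptographically signed" for the other four. The enclosing gensec_gssapi_update body starts and ends outside both hunks.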
@@ -219,8 +219,15 @@ BOOL ldap_encode(struct ldap_message *msg, DATA_BLOB *result, TALLOC_CTX *mem_ct
 asn1_push_tag(&data, ASN1_CONTEXT(3));
 asn1_write_OctetString(&data, r->creds.SASL.mechanism, strlen(r->creds.SASL.mechanism));
- asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
- r->creds.SASL.secblob.length);
+ /* The value of data indicates if this
+ * optional element exists at all. In SASL
+ * there is a difference between NULL and
+ * zero-legnth, but our APIs don't express it
+ * well */
+ if (r->creds.SASL.secblob.data) {
+ asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
+ r->creds.SASL.secblob.length);
+ }
 asn1_pop_tag(&data);
 break;
 default:
@@ -234,7 +241,14 @@ BOOL ldap_encode(struct ldap_message *msg, DATA_BLOB *result, TALLOC_CTX *mem_ct
 struct ldap_BindResponse *r = &msg->r.BindResponse;
 asn1_push_tag(&data, ASN1_APPLICATION(msg->type));
 ldap_encode_response(&data, &r->response);
- asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+ /* The value of data indicates if this
+ * optional element exists at all. In SASL
+ * there is a difference between NULL and
+ * zero-legnth, but our APIs don't express it
+ * well */
+ if (r->SASL.secblob.data) {
+ asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+ }
 asn1_pop_tag(&data);
 break;
 } |
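Review bot: The comment added in both hunks of ldap_encode (`-219,8` and `-234,7`) has a typo, `zero-legnth`, and only loosely describes the convention the new `if (...secblob.data)` guards implement; since a NULL `data` pointer now means "omit the OPTIONAL element" and a non-NULL pointer with length 0 means "emit an empty OCTET STRING", the comment should say exactly that, e.g. `/* NULL data: omit the OPTIONAL element; non-NULL with length 0: emit an empty OCTET STRING (SASL distinguishes the two) */`. That distinction only survives end to end if the decoding side leaves `secblob.data` NULL when the element is absent rather than materialising an empty blob; that is presumably the case but is not visible in this diff and is worth confirming alongside this change. ldap_encode's body starts and ends outside both hunks.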