summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/auth/gensec/gensec_gssapi.c34
-rw-r--r--source4/libcli/ldap/ldap.c20
2 files changed, 41 insertions, 13 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 0b48a010eb..aaa79aa407 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -394,9 +394,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
gensec_gssapi_state->input_chan_bindings,
&gensec_gssapi_state->client_name,
&gss_oid_p,
- &output_token,
- &gensec_gssapi_state->got_flags,
- NULL,
+ &output_token,
+ &gensec_gssapi_state->got_flags,
+ NULL,
&gensec_gssapi_state->delegated_cred_handle);
gensec_gssapi_state->gss_oid = gss_oid_p;
break;
@@ -416,8 +416,22 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
}
- /* We may have been invoked as SASL, so there is more work to do */
+ /* We may have been invoked as SASL, so there
+ * is more work to do */
if (gensec_gssapi_state->sasl) {
+ /* Due to a very subtle interaction
+ * with SASL and the LDAP libs, we
+ * must ensure the data pointer is
+ * != NULL, but the length is 0.
+ *
+ * This ensures we send a 'zero
+ * length' (rather than NULL) response
+ */
+
+ if (!out->data) {
+ out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
+ }
+
gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
@@ -543,11 +557,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
gensec_gssapi_state->sasl_state = STAGE_DONE;
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GSSAPI Connection to server will be cryptographicly sealed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- DEBUG(3, ("GSSAPI Connection to server will be cryptographicly signed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
} else {
- DEBUG(3, ("GSSAPI Connection to server will have no cryptographicly protection\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
}
return NT_STATUS_OK;
@@ -661,11 +675,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
/* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
gensec_gssapi_state->sasl_state = STAGE_DONE;
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GSSAPI Connection from client will be cryptographicly sealed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- DEBUG(3, ("GSSAPI Connection from client will be cryptographicly signed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
} else {
- DEBUG(3, ("GSSAPI Connection from client will have no cryptographicly protection\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will have no cryptographicly protection\n"));
}
*out = data_blob(NULL, 0);
diff --git a/source4/libcli/ldap/ldap.c b/source4/libcli/ldap/ldap.c
index b281f62ed0..496fec527f 100644
--- a/source4/libcli/ldap/ldap.c
+++ b/source4/libcli/ldap/ldap.c
@@ -219,8 +219,15 @@ BOOL ldap_encode(struct ldap_message *msg, DATA_BLOB *result, TALLOC_CTX *mem_ct
asn1_push_tag(&data, ASN1_CONTEXT(3));
asn1_write_OctetString(&data, r->creds.SASL.mechanism,
strlen(r->creds.SASL.mechanism));
- asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
- r->creds.SASL.secblob.length);
+ /* The value of data indicates if this
+ * optional element exists at all. In SASL
+ * there is a difference between NULL and
+ * zero-legnth, but our APIs don't express it
+ * well */
+ if (r->creds.SASL.secblob.data) {
+ asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
+ r->creds.SASL.secblob.length);
+ }
asn1_pop_tag(&data);
break;
default:
@@ -234,7 +241,14 @@ BOOL ldap_encode(struct ldap_message *msg, DATA_BLOB *result, TALLOC_CTX *mem_ct
struct ldap_BindResponse *r = &msg->r.BindResponse;
asn1_push_tag(&data, ASN1_APPLICATION(msg->type));
ldap_encode_response(&data, &r->response);
- asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+ /* The value of data indicates if this
+ * optional element exists at all. In SASL
+ * there is a difference between NULL and
+ * zero-legnth, but our APIs don't express it
+ * well */
+ if (r->SASL.secblob.data) {
+ asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+ }
asn1_pop_tag(&data);
break;
}