Diffstat (limited to 'source4/auth/gensec/gensec_gssapi.c')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 0b48a010eb..aaa79aa407 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -394,9 +394,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 gensec_gssapi_state->input_chan_bindings,
 &gensec_gssapi_state->client_name,
 &gss_oid_p,
- &output_token,
- &gensec_gssapi_state->got_flags,
- NULL,
+ &output_token,
+ &gensec_gssapi_state->got_flags,
+ NULL,
 &gensec_gssapi_state->delegated_cred_handle);
 gensec_gssapi_state->gss_oid = gss_oid_p;
 break;
@@ -416,8 +416,22 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
 }
 
- /* We may have been invoked as SASL, so there is more work to do */
+ /* We may have been invoked as SASL, so there
+ * is more work to do */
 if (gensec_gssapi_state->sasl) {
+ /* Due to a very subtle interaction
+ * with SASL and the LDAP libs, we
+ * must ensure the data pointer is
+ * != NULL, but the length is 0.
+ *
+ * This ensures we send a 'zero
+ * length' (rather than NULL) response
+ */
+
+ if (!out->data) {
+ out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
+ }
+
 gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
 return NT_STATUS_MORE_PROCESSING_REQUIRED;
 } else {
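Review bot: The talloc_strdup() result in the new `if (!out->data)` block is never checked, so on allocation failure out->data stays NULL and the function still returns NT_STATUS_MORE_PROCESSING_REQUIRED carrying exactly the NULL-pointer response the new comment says must never be sent. The block should fail closed instead: `out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "");` followed by `if (!out->data) { return NT_STATUS_NO_MEMORY; }` (the usual Samba allocation-failure status; the `"\0"` literal is just an empty string, so `""` states the intent more plainly). The comment also relies on out->length already being 0 whenever out->data is NULL; if the earlier code does not guarantee that, adding `out->length = 0;` inside the same block makes the "non-NULL pointer, zero length" invariant explicit rather than assumed. gensec_gssapi_update starts before and continues after this hunk.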
@@ -543,11 +557,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 gensec_gssapi_state->sasl_state = STAGE_DONE;
 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GSSAPI Connection to server will be cryptographicly sealed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- DEBUG(3, ("GSSAPI Connection to server will be cryptographicly signed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
 } else {
- DEBUG(3, ("GSSAPI Connection to server will have no cryptographicly protection\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
 }
 return NT_STATUS_OK;
@@ -661,11 +675,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
 gensec_gssapi_state->sasl_state = STAGE_DONE;
 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GSSAPI Connection from client will be cryptographicly sealed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
 } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- DEBUG(3, ("GSSAPI Connection from client will be cryptographicly signed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
 } else {
- DEBUG(3, ("GSSAPI Connection from client will have no cryptographicly protection\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will have no cryptographicly protection\n"));
 }
 *out = data_blob(NULL, 0);
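Review bot: The three DEBUG strings rewritten in this hunk keep the misspelling "cryptographicly", and the third is also ungrammatical ("will have no cryptographicly protection"); since the commit already touches every one of these lines, they should read `"SASL/GSSAPI Connection to server will be cryptographically sealed\n"`, `"SASL/GSSAPI Connection to server will be cryptographically signed\n"` and `"SASL/GSSAPI Connection to server will have no cryptographic protection\n"`. The same three strings are rewritten in the client-side hunk that follows and deserve the same correction so the server and client log lines stay parallel. gensec_gssapi_update's body continues outside both hunks.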