Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c34
1 files changed, 24 insertions, 10 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 0b48a010eb..aaa79aa407 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -394,9 +394,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
gensec_gssapi_state->input_chan_bindings,
&gensec_gssapi_state->client_name,
&gss_oid_p,
- &output_token,
- &gensec_gssapi_state->got_flags,
- NULL,
+ &output_token,
+ &gensec_gssapi_state->got_flags,
+ NULL,
&gensec_gssapi_state->delegated_cred_handle);
gensec_gssapi_state->gss_oid = gss_oid_p;
break;
@@ -416,8 +416,22 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
}
- /* We may have been invoked as SASL, so there is more work to do */
+ /* We may have been invoked as SASL, so there
+ * is more work to do */
if (gensec_gssapi_state->sasl) {
+ /* Due to a very subtle interaction
+ * with SASL and the LDAP libs, we
+ * must ensure the data pointer is
+ * != NULL, but the length is 0.
+ *
+ * This ensures we send a 'zero
+ * length' (rather than NULL) response
+ */
+
+ if (!out->data) {
+ out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
+ }
+
gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
return NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
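Review bot: The result of the new `talloc_strdup(out_mem_ctx, "\0")` inside `if (!out->data)` is never checked, so on allocation failure `out->data` stays NULL and the function still returns NT_STATUS_MORE_PROCESSING_REQUIRED with exactly the NULL response the comment says must be avoided. Add `NT_STATUS_HAVE_NO_MEMORY(out->data);` (or `if (!out->data) return NT_STATUS_NO_MEMORY;`) directly after the assignment. The comment also promises a length of 0, but nothing in this hunk sets `out->length`; it is presumably already 0 whenever data is NULL, and an explicit `out->length = 0;` would make that hold by construction. gensec_gssapi_update starts and ends outside this hunk.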
@@ -543,11 +557,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
gensec_gssapi_state->sasl_state = STAGE_DONE;
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GSSAPI Connection to server will be cryptographicly sealed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- DEBUG(3, ("GSSAPI Connection to server will be cryptographicly signed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
} else {
- DEBUG(3, ("GSSAPI Connection to server will have no cryptographicly protection\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
}
return NT_STATUS_OK;
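Review bot: The three rewritten DEBUG strings keep the misspelling `cryptographicly`, and the last one reads `no cryptographicly protection`; since the message text is being changed anyway, use `cryptographically sealed`, `cryptographically signed` and `no cryptographic protection`. The same three strings recur in the `from client` hunk at line 675. The branch where neither GENSEC_FEATURE_SEAL nor GENSEC_FEATURE_SIGN is set is reported only at debug level 3, so an unprotected SASL/GSSAPI session may go unrecorded at a lower configured log level; consider a lower level number for that one branch. The enclosing function continues outside the hunk.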
@@ -661,11 +675,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
/* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
gensec_gssapi_state->sasl_state = STAGE_DONE;
if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- DEBUG(3, ("GSSAPI Connection from client will be cryptographicly sealed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- DEBUG(3, ("GSSAPI Connection from client will be cryptographicly signed\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
} else {
- DEBUG(3, ("GSSAPI Connection from client will have no cryptographicly protection\n"));
+ DEBUG(3, ("SASL/GSSAPI Connection from client will have no cryptographicly protection\n"));
}
*out = data_blob(NULL, 0);