2 files changed, 41 insertions, 13 deletions

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 0b48a010eb..aaa79aa407 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -394,9 +394,9 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 							  gensec_gssapi_state->input_chan_bindings,
 							  &gensec_gssapi_state->client_name, 
 							  &gss_oid_p,
-						  &output_token, 
-						  &gensec_gssapi_state->got_flags, 
-						  NULL, 
+							  &output_token, 
+							  &gensec_gssapi_state->got_flags, 
+							  NULL, 
 							  &gensec_gssapi_state->delegated_cred_handle);
 			gensec_gssapi_state->gss_oid = gss_oid_p;
 			break;
@@ -416,8 +416,22 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 				DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
 			}
 
-			/* We may have been invoked as SASL, so there is more work to do */
+			/* We may have been invoked as SASL, so there
+			 * is more work to do */
 			if (gensec_gssapi_state->sasl) {
+				/* Due to a very subtle interaction
+				 * with SASL and the LDAP libs, we
+				 * must ensure the data pointer is 
+				 * != NULL, but the length is 0.  
+				 *
+				 * This ensures we send a 'zero
+				 * length' (rather than NULL) response 
+				 */
+				
+				if (!out->data) {
+					out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
+				}
+
 				gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
 				return NT_STATUS_MORE_PROCESSING_REQUIRED;
 			} else {
@@ -543,11 +557,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 			gensec_gssapi_state->sasl_state = STAGE_DONE;
 
 			if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-				DEBUG(3, ("GSSAPI Connection to server will be cryptographicly sealed\n"));
+				DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
 			} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-				DEBUG(3, ("GSSAPI Connection to server will be cryptographicly signed\n"));
+				DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
 			} else {
-				DEBUG(3, ("GSSAPI Connection to server will have no cryptographicly protection\n"));
+				DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
 			}
 
 			return NT_STATUS_OK;
@@ -661,11 +675,11 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 		/* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
 		gensec_gssapi_state->sasl_state = STAGE_DONE;
 		if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-			DEBUG(3, ("GSSAPI Connection from client will be cryptographicly sealed\n"));
+			DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
 		} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-			DEBUG(3, ("GSSAPI Connection from client will be cryptographicly signed\n"));
+			DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
 		} else {
-			DEBUG(3, ("GSSAPI Connection from client will have no cryptographicly protection\n"));
+			DEBUG(3, ("SASL/GSSAPI Connection from client will have no cryptographicly protection\n"));
 		}
 
 		*out = data_blob(NULL, 0);
diff --git a/source4/libcli/ldap/ldap.c b/source4/libcli/ldap/ldap.c
index b281f62ed0..496fec527f 100644
--- a/source4/libcli/ldap/ldap.c
+++ b/source4/libcli/ldap/ldap.c
@@ -219,8 +219,15 @@ BOOL ldap_encode(struct ldap_message *msg, DATA_BLOB *result, TALLOC_CTX *mem_ct
 			asn1_push_tag(&data, ASN1_CONTEXT(3));
 			asn1_write_OctetString(&data, r->creds.SASL.mechanism,
 					       strlen(r->creds.SASL.mechanism));
-			asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
-					       r->creds.SASL.secblob.length);
+			/* The value of data indicates if this
+			 * optional element exists at all.  In SASL
+			 * there is a difference between NULL and
+			 * zero-legnth, but our APIs don't express it
+			 * well */
+			if (r->creds.SASL.secblob.data) {
+				asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
+						       r->creds.SASL.secblob.length);
+			}
 			asn1_pop_tag(&data);
 			break;
 		default:
@@ -234,7 +241,14 @@ BOOL ldap_encode(struct ldap_message *msg, DATA_BLOB *result, TALLOC_CTX *mem_ct
 		struct ldap_BindResponse *r = &msg->r.BindResponse;
 		asn1_push_tag(&data, ASN1_APPLICATION(msg->type));
 		ldap_encode_response(&data, &r->response);
-		asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+		/* The value of data indicates if this
+		 * optional element exists at all.  In SASL
+		 * there is a difference between NULL and
+		 * zero-legnth, but our APIs don't express it
+		 * well */
+		if (r->SASL.secblob.data) {
+			asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+		}
 		asn1_pop_tag(&data);
 		break;
 	}