From 202525db1339805af5d5e837712b0aa834e8f5e0 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Wed, 22 Sep 2010 22:20:30 -0700 Subject: s4-gensec: fixed a GSSAPI SASL negotiation bug Fixed a bug that affected mismatched negotiation between the GSSAPI layer and the SASL SSF subsequent negotiation. This caused some ldap clients to hang when trying to authentication with a Samba LDAP server. The client thought the connection should be signed, the server thought it should be in plain text Pair-Programmed-With: Andrew Bartlett --- source4/auth/gensec/gensec_gssapi.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) (limited to 'source4/auth/gensec/gensec_gssapi.c') diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index d2f19e961e..a864bca49b 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -777,25 +777,28 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, /* first byte is the proposed security */ security_accepted = maxlength_accepted[0]; maxlength_accepted[0] = '\0'; - + /* Rest is the proposed max wrap length */ gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0), gensec_gssapi_state->max_wrap_buf_size); gensec_gssapi_state->sasl_protection = 0; - if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { - if (security_accepted & NEG_SEAL) { - gensec_gssapi_state->sasl_protection |= NEG_SEAL; + if (security_accepted & NEG_SEAL) { + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + DEBUG(1, ("Remote client wanted seal, but gensec refused\n")); + return NT_STATUS_ACCESS_DENIED; } - } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { - if (security_accepted & NEG_SIGN) { - gensec_gssapi_state->sasl_protection |= NEG_SIGN; + gensec_gssapi_state->sasl_protection |= NEG_SEAL; + } + if (security_accepted & NEG_SIGN) { + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + DEBUG(1, ("Remote client wanted sign, but gensec refused\n")); + return NT_STATUS_ACCESS_DENIED; } - } else if (security_accepted & NEG_NONE) { + gensec_gssapi_state->sasl_protection |= NEG_SIGN; + } + if (security_accepted & NEG_NONE) { gensec_gssapi_state->sasl_protection |= NEG_NONE; - } else { - DEBUG(1, ("Remote client does not support unprotected connections, but we failed to negotiate anything better")); - return NT_STATUS_ACCESS_DENIED; } /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */ -- cgit