svn commit: samba r13344 - in branches/SAMBA_4_0/source: auth/gensec libcli/ldap

[abartlet at samba.org]

Author: abartlet
Date: 2006-02-04 11:19:09 +0000 (Sat, 04 Feb 2006)
New Revision: 13344

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13344

Log:
Trust SASL to have subtle distinctions between NULL and zero-length
responses...

Also trust OpenLDAP to be pedantic about it, breaking connections to AD.

In any case, we now get this 'right' (by nasty overloading hacks, but
hey), and we can now use system-supplied OpenLDAP libs and SASL/GSSAPI
to talk to Samba4.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
   branches/SAMBA_4_0/source/libcli/ldap/ldap.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2006-02-04 10:01:56 UTC (rev 13343)
+++ branches/SAMBA_4_0/source/auth/gensec/gensec_gssapi.c	2006-02-04 11:19:09 UTC (rev 13344)
@@ -394,9 +394,9 @@
 							  gensec_gssapi_state->input_chan_bindings,
 							  &gensec_gssapi_state->client_name, 
 							  &gss_oid_p,
-						  &output_token, 
-						  &gensec_gssapi_state->got_flags, 
-						  NULL, 
+							  &output_token, 
+							  &gensec_gssapi_state->got_flags, 
+							  NULL, 
 							  &gensec_gssapi_state->delegated_cred_handle);
 			gensec_gssapi_state->gss_oid = gss_oid_p;
 			break;
@@ -416,8 +416,22 @@
 				DEBUG(5, ("gensec_gssapi: NO credentials were delegated\n"));
 			}
 
-			/* We may have been invoked as SASL, so there is more work to do */
+			/* We may have been invoked as SASL, so there
+			 * is more work to do */
 			if (gensec_gssapi_state->sasl) {
+				/* Due to a very subtle interaction
+				 * with SASL and the LDAP libs, we
+				 * must ensure the data pointer is 
+				 * != NULL, but the length is 0.  
+				 *
+				 * This ensures we send a 'zero
+				 * length' (rather than NULL) response 
+				 */
+				
+				if (!out->data) {
+					out->data = (uint8_t *)talloc_strdup(out_mem_ctx, "\0");
+				}
+
 				gensec_gssapi_state->sasl_state = STAGE_SASL_SSF_NEG;
 				return NT_STATUS_MORE_PROCESSING_REQUIRED;
 			} else {
@@ -543,11 +557,11 @@
 			gensec_gssapi_state->sasl_state = STAGE_DONE;
 
 			if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-				DEBUG(3, ("GSSAPI Connection to server will be cryptographicly sealed\n"));
+				DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly sealed\n"));
 			} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-				DEBUG(3, ("GSSAPI Connection to server will be cryptographicly signed\n"));
+				DEBUG(3, ("SASL/GSSAPI Connection to server will be cryptographicly signed\n"));
 			} else {
-				DEBUG(3, ("GSSAPI Connection to server will have no cryptographicly protection\n"));
+				DEBUG(3, ("SASL/GSSAPI Connection to server will have no cryptographicly protection\n"));
 			}
 
 			return NT_STATUS_OK;
@@ -661,11 +675,11 @@
 		/* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
 		gensec_gssapi_state->sasl_state = STAGE_DONE;
 		if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-			DEBUG(3, ("GSSAPI Connection from client will be cryptographicly sealed\n"));
+			DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly sealed\n"));
 		} else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-			DEBUG(3, ("GSSAPI Connection from client will be cryptographicly signed\n"));
+			DEBUG(3, ("SASL/GSSAPI Connection from client will be cryptographicly signed\n"));
 		} else {
-			DEBUG(3, ("GSSAPI Connection from client will have no cryptographicly protection\n"));
+			DEBUG(3, ("SASL/GSSAPI Connection from client will have no cryptographicly protection\n"));
 		}
 
 		*out = data_blob(NULL, 0);

Modified: branches/SAMBA_4_0/source/libcli/ldap/ldap.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/ldap/ldap.c	2006-02-04 10:01:56 UTC (rev 13343)
+++ branches/SAMBA_4_0/source/libcli/ldap/ldap.c	2006-02-04 11:19:09 UTC (rev 13344)
@@ -219,8 +219,15 @@
 			asn1_push_tag(&data, ASN1_CONTEXT(3));
 			asn1_write_OctetString(&data, r->creds.SASL.mechanism,
 					       strlen(r->creds.SASL.mechanism));
-			asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
-					       r->creds.SASL.secblob.length);
+			/* The value of data indicates if this
+			 * optional element exists at all.  In SASL
+			 * there is a difference between NULL and
+			 * zero-legnth, but our APIs don't express it
+			 * well */
+			if (r->creds.SASL.secblob.data) {
+				asn1_write_OctetString(&data, r->creds.SASL.secblob.data,
+						       r->creds.SASL.secblob.length);
+			}
 			asn1_pop_tag(&data);
 			break;
 		default:
@@ -234,7 +241,14 @@
 		struct ldap_BindResponse *r = &msg->r.BindResponse;
 		asn1_push_tag(&data, ASN1_APPLICATION(msg->type));
 		ldap_encode_response(&data, &r->response);
-		asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+		/* The value of data indicates if this
+		 * optional element exists at all.  In SASL
+		 * there is a difference between NULL and
+		 * zero-legnth, but our APIs don't express it
+		 * well */
+		if (r->SASL.secblob.data) {
+			asn1_write_ContextSimple(&data, 7, &r->SASL.secblob);
+		}
 		asn1_pop_tag(&data);
 		break;
 	}