From: Stefan Metzmacher Date: Tue, 6 Feb 2024 11:35:39 +0000 (+0100) Subject: s3:libads: call gensec_set_channel_bindings() for tls connections X-Git-Tag: tdb-1.4.11~944 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=576ac69cbb3a2c57507c80b48eed2572b047e98e;p=thirdparty%2Fsamba.git s3:libads: call gensec_set_channel_bindings() for tls connections Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett
---
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index d56ce1777b7..ee48b0781ed 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -136,6 +136,7 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
 const char *sasl_list[] = { sasl, NULL };
 NTTIME end_nt_time;
 struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
+ const DATA_BLOB *tls_cb = NULL;
 
 nt_status = auth_generic_client_prepare(NULL, &auth_generic_state);
 if (!NT_STATUS_IS_OK(nt_status)) {
@@ -174,6 +175,29 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
 }
 }
 
+ tls_cb = ads_tls_channel_bindings(&ads->ldap_tls_data);
+ if (tls_cb != NULL) {
+ uint32_t initiator_addrtype = 0;
+ const DATA_BLOB *initiator_address = NULL;
+ uint32_t acceptor_addrtype = 0;
+ const DATA_BLOB *acceptor_address = NULL;
+ const DATA_BLOB *application_data = tls_cb;
+ nt_status = gensec_set_channel_bindings(auth_generic_state->gensec_security,
+ initiator_addrtype,
+ initiator_address,
+ acceptor_addrtype,
+ acceptor_address,
+ application_data);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DBG_WARNING("Failed to set GENSEC channel bindings: %s\n",
+ nt_errstr(nt_status));
+ return ADS_ERROR_NT(nt_status);
+ }
+
+ wrap->wrap_type = ADS_SASLWRAP_TYPE_PLAIN;
+ }
+
 switch (wrap->wrap_type) {
 case ADS_SASLWRAP_TYPE_SEAL:
 gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
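Review bot: The TLS branch in the second hunk unconditionally replaces whatever `wrap->wrap_type` the caller had configured with `ADS_SASLWRAP_TYPE_PLAIN` and does not say why, so a later reader may take it for a downgrade; a comment above the assignment such as `/* On a TLS connection the TLS layer already provides integrity and confidentiality and the GENSEC context is bound to it through the channel bindings, so no SASL sign/seal layer is negotiated. */`, plus a DBG_DEBUG line when the configured type was SIGN or SEAL, would make the intent explicit. The early `return ADS_ERROR_NT(nt_status)` after a failed `gensec_set_channel_bindings()` leaves `auth_generic_state`, obtained from `auth_generic_client_prepare(NULL, ...)` in the first hunk, unreleased unless the function's other error paths behave the same way; confirm against the surrounding code, since ads_sasl_spnego_gensec_bind begins before and continues after both hunks. Note also that the protection these bindings give depends on the server actually validating them, which this client-side change cannot guarantee on its own.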