auth/gensec: enforce that all DCERPC contexts support SIGN_PKT_HEADER

That's currently always the case and will simplifies the callers.

WORKS now???
TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba4.rpc.lsa.secrets.*ncacn_np.*Kerberos.*Samba3.*fl2000dc'
and
TDB_NO_FSYNC=1 buildnice make -j test FAIL_IMMEDIATELY=1 SOCKET_WRAPPER_KEEP_PCAP=1 TESTS='samba3.rpc.lsa.*ncacn_ip_tcp.*nt4_dc'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sun Dec 23 21:33:51 CET 2018 on sn-devel-144

1 files changed, 16 insertions, 0 deletions

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index e021d0ce3fe..91d8cce3f4c 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -293,6 +293,8 @@ _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
 
 static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security)
 {
+	bool ok;
+
 	/*
 	 * gensec_want_feature(GENSEC_FEATURE_SIGN)
 	 * and
@@ -319,6 +321,20 @@ static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security)
 		}
 	}
 
+	if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_PACKET) {
+		return NT_STATUS_OK;
+	}
+
+	ok = gensec_have_feature(gensec_security,
+				 GENSEC_FEATURE_SIGN_PKT_HEADER);
+	if (!ok) {
+		DBG_ERR("backend [%s] does not support header signing! "
+			"auth_level[0x%x]\n",
+			gensec_security->ops->name,
+			gensec_security->dcerpc_auth_level);
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
 	return NT_STATUS_OK;
 }