diff options
author | Stefan Metzmacher <metze@samba.org> | 2016-09-01 10:54:17 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2016-10-26 11:20:12 +0200 |
commit | 5db81a11013541eb9c543501e37d670471727cee (patch) | |
tree | b1e8e2ff99abf495d68902b5276ba28c3465294e /auth | |
parent | 3a0b835408a6efa339e8b34333906bfe3aacd6e3 (diff) | |
download | samba-5db81a11013541eb9c543501e37d670471727cee.tar.gz |
auth/gensec: always verify the wanted SIGN/SEAL flags
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'auth')
-rw-r--r-- | auth/gensec/gensec.c | 43 |
1 files changed, 15 insertions, 28 deletions
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c index 3f3c31ba220..373af5c6eae 100644 --- a/auth/gensec/gensec.c +++ b/auth/gensec/gensec.c @@ -227,45 +227,32 @@ _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security) return gensec_security->max_update_size; } -static NTSTATUS gensec_verify_dcerpc_auth_level(struct gensec_security *gensec_security) +static NTSTATUS gensec_verify_features(struct gensec_security *gensec_security) { - if (gensec_security->dcerpc_auth_level == 0) { - return NT_STATUS_OK; - } - /* - * Because callers using the - * gensec_start_mech_by_auth_type() never call - * gensec_want_feature(), it isn't sensible for them - * to have to call gensec_have_feature() manually, and - * these are not points of negotiation, but are - * asserted by the client + * gensec_want_feature(GENSEC_FEATURE_SIGN) + * and + * gensec_want_feature(GENSEC_FEATURE_SEAL) + * require these flags to be available. */ - switch (gensec_security->dcerpc_auth_level) { - case DCERPC_AUTH_LEVEL_INTEGRITY: + if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { DEBUG(0,("Did not manage to negotiate mandatory feature " - "SIGN for dcerpc auth_level %u\n", - gensec_security->dcerpc_auth_level)); + "SIGN\n")); return NT_STATUS_ACCESS_DENIED; } - break; - case DCERPC_AUTH_LEVEL_PRIVACY: - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + } + if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { DEBUG(0,("Did not manage to negotiate mandatory feature " - "SIGN for dcerpc auth_level %u\n", - gensec_security->dcerpc_auth_level)); + "SEAL\n")); return NT_STATUS_ACCESS_DENIED; } - if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) { + if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { DEBUG(0,("Did not manage to negotiate mandatory feature " - "SEAL for dcerpc auth_level %u\n", - gensec_security->dcerpc_auth_level)); + "SIGN for SEAL\n")); return NT_STATUS_ACCESS_DENIED; } - break; - default: - break; } return NT_STATUS_OK; @@ -315,7 +302,7 @@ _PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security, * these are not points of negotiation, but are * asserted by the client */ - status = gensec_verify_dcerpc_auth_level(gensec_security); + status = gensec_verify_features(gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -490,7 +477,7 @@ static void gensec_update_subreq_done(struct tevent_req *subreq) * these are not points of negotiation, but are * asserted by the client */ - status = gensec_verify_dcerpc_auth_level(state->gensec_security); + status = gensec_verify_features(state->gensec_security); if (tevent_req_nterror(req, status)) { return; } |