1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:gensec_gssapi: make sure gensec_gssapi_[un]seal_packet() rejects header signing

If header signing is requested we should error out instead of
silently ignoring it, our peer would hopefully reject it,
but we should also do that.

TODO: we should implement header signing using gss_wrap_iov().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2014-01-03 15:30:46 +01:00
parent 14f6c41754
commit 54b5b3067f

View File

@ -1029,6 +1029,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
int conf_state;
ssize_t sig_length;
if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
DEBUG(1, ("gensec_gssapi_seal_packet: "
"GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
return NT_STATUS_ACCESS_DENIED;
}
input_token.length = length;
input_token.value = data;
@ -1083,6 +1089,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
DEBUG(1, ("gensec_gssapi_unseal_packet: "
"GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
return NT_STATUS_ACCESS_DENIED;
}
in = data_blob_talloc(gensec_security, NULL, sig->length + length);
memcpy(in.data, sig->data, sig->length);