s4:gensec_gssapi: make sure gensec_gssapi_[un]seal_packet() rejects header signing
If header signing is requested, we should error out instead of silently ignoring it. Our peer would hopefully reject it, but we should do so as well.

TODO: we should implement header signing using gss_wrap_iov().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
14f6c41754
commit
54b5b3067f
@ -1029,6 +1029,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
|
||||
int conf_state;
|
||||
ssize_t sig_length;
|
||||
|
||||
if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
|
||||
DEBUG(1, ("gensec_gssapi_seal_packet: "
|
||||
"GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
input_token.length = length;
|
||||
input_token.value = data;
|
||||
|
||||
@ -1083,6 +1089,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
|
||||
|
||||
dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
|
||||
|
||||
if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
|
||||
DEBUG(1, ("gensec_gssapi_unseal_packet: "
|
||||
"GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
in = data_blob_talloc(gensec_security, NULL, sig->length + length);
|
||||
|
||||
memcpy(in.data, sig->data, sig->length);
|
||||
|
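Review bot: In the unseal hunk, the lines right after the new guard allocate `sig->length + length` bytes with data_blob_talloc() and hand `in.data` straight to memcpy() with no NULL check in between, so an allocation failure while processing a received packet turns into a write through a NULL pointer instead of an error return. This is existing context rather than something the commit adds, but it sits directly behind the new early return and is worth fixing alongside it, e.g. `if (in.data == NULL) return NT_STATUS_NO_MEMORY;` before the first memcpy(). The sum is also unchecked; assuming both lengths are size_t values derived from the wire (their declarations are not visible here), a guard such as `if (length > SIZE_MAX - sig->length) return NT_STATUS_INVALID_PARAMETER;` would rule out a wrapped, undersized allocation. The body of gensec_gssapi_unseal_packet() starts and ends outside the hunk, so a later check cannot be excluded, but none can precede the memcpy() shown.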