s3-gse: the server should not check for GSS_C_MUTUAL_FLAG
[metze/samba/wip.git] / source3 / librpc / crypto / gse.c
index 76f6109e9337826f3b3c59806680d1a9815963e6..c7ce38e14f8e6526af73740f84db270573063f37 100644 (file)
@@ -527,12 +527,6 @@ static NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
        }
 
        /* GSS_C_MUTUAL_FLAG */
-       if (gse_ctx->gss_want_flags & GSS_C_MUTUAL_FLAG) {
-               if (!(gse_ctx->gss_got_flags & GSS_C_MUTUAL_FLAG)) {
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-       }
-
        /* GSS_C_DELEG_FLAG */
        /* GSS_C_DELEG_POLICY_FLAG */
        /* GSS_C_REPLAY_FLAG */
@@ -552,6 +546,17 @@ static NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
                }
        }
 
+       /* GSS_C_DCE_STYLE */
+       if (gse_ctx->gss_want_flags & GSS_C_DCE_STYLE) {
+               if (!(gse_ctx->gss_got_flags & GSS_C_DCE_STYLE)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+               /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
+               if (!(gse_ctx->gss_got_flags & GSS_C_MUTUAL_FLAG)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+       }
+
        return NT_STATUS_OK;
 }
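Review bot: The GSS_C_MUTUAL_FLAG requirement is now enforced only inside the `gss_want_flags & GSS_C_DCE_STYLE` branch, so a context whose gss_got_flags carries GSS_C_DCE_STYLE without the server having asked for it reaches `return NT_STATUS_OK` with no mutual-authentication check. If that combination can occur on the acceptor side (not visible from this hunk), testing the negotiated flags would cover it: `if ((gse_ctx->gss_got_flags & GSS_C_DCE_STYLE) && !(gse_ctx->gss_got_flags & GSS_C_MUTUAL_FLAG)) return NT_STATUS_ACCESS_DENIED;`. The first hunk leaves a bare `/* GSS_C_MUTUAL_FLAG */` label behind; a comment such as `/* GSS_C_MUTUAL_FLAG: not verified on its own, only as part of GSS_C_DCE_STYLE below */` would keep a later reader from re-adding the removed check. Both new rejections return the same status silently, so a debug message naming the missing flag would make failed authentications easier to diagnose. The start of gse_verify_server_auth_flags lies outside the hunk, so the other flag checks could not be compared.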