auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting

We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 955cc36f4cb37ab2653bfcdba8fe9d46379677b9..be316978a0b77ce7687d724c58d0d0d23cdab505 100644 (file)
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -724,6 +724,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
                return NT_STATUS_INVALID_PARAMETER;
        }
        gensec_security->dcerpc_auth_level = auth_level;
+       /*
+        * We need to reset sign/seal in order to reset it.
+        * We may got some default features inherited by the credentials
+        */
+       gensec_security->want_features &= ~GENSEC_FEATURE_SIGN;
+       gensec_security->want_features &= ~GENSEC_FEATURE_SEAL;
        gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
        gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
        if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {