CVE-2016-2111: auth/gensec: require DCERPC_AUTH_LEVEL_INTEGRITY or higher in schannel...
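--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -467,6 +467,16 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 
        *out = data_blob(NULL, 0);
 
+       if (gensec_security->dcerpc_auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+               switch (gensec_security->gensec_role) {
+               case GENSEC_CLIENT:
+                       return NT_STATUS_INVALID_PARAMETER_MIX;
+               case GENSEC_SERVER:
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
        switch (gensec_security->gensec_role) {
        case GENSEC_CLIENT:
                if (state != NULL) {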
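Review bot: The new guard on `gensec_security->dcerpc_auth_level` rejects the exchange silently and carries no comment, so an operator cannot distinguish a peer asking for schannel without integrity protection from any other parameter error, and a maintainer cannot see why the client and server branches return different status codes. I would put a comment above the `if`, such as `/* schannel must give at least integrity protection (CVE-2016-2111); refuse lower auth levels */`, and log the refusal before returning, for example `DEBUG(1, ("schannel: auth_level %u below INTEGRITY refused\n", (unsigned)gensec_security->dcerpc_auth_level));`. The inner `switch` also has no `default:` label; the trailing `return NT_STATUS_INTERNAL_ERROR;` covers an unexpected role, but an explicit `default:` would make that intent visible. Whether `dcerpc_auth_level` is always set by callers that reach this function outside DCERPC cannot be judged from this hunk, and `schannel_update` begins and continues outside it.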