s4:gensec_gssapi: make sure gensec_gssapi_[un]seal_packet() rejects header signing

If header signing is requested we should error out instead of
silently ignoring it, our peer would hopefully reject it,
but we should also do that.

TODO: we should implement header signing using gss_wrap_iov().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 3f61cb584dacfae7b6407605e5af8075dfd4b987..8aad3dcb06a36eb6ec2127e215edfe5d7a8f8174 100644 (file)
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1029,6 +1029,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
        int conf_state;
        ssize_t sig_length;
 
+       if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+               DEBUG(1, ("gensec_gssapi_seal_packet: "
+                         "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        input_token.length = length;
        input_token.value = data;
        
@@ -1083,6 +1089,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
 
        dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
 
+       if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+               DEBUG(1, ("gensec_gssapi_unseal_packet: "
+                         "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        in = data_blob_talloc(gensec_security, NULL, sig->length + length);
 
        memcpy(in.data, sig->data, sig->length);