From: Andrew Bartlett
Date: Tue, 7 Feb 2012 11:27:53 +0000 (+1100)
Subject: s3-librpc: Remove gse_verify_server_auth_flags
X-Git-Tag: samba-4.0.0alpha18~140
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=91c325bb706c5a7df32710dff3b781fca13bbc54

s3-librpc: Remove gse_verify_server_auth_flags

gensec_update() ensures that DCE-style and sign/seal are negotiated correctly for DCE/RPC pipes. Also, the smb sealing client/server already check for the gensec_have_feature(). This additional check just keeps causing trouble, and is 'protecting' an already secure negoitated exchange.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher
Autobuild-User: Stefan Metzmacher
Autobuild-Date: Thu Feb 16 21:19:44 CET 2012 on sn-devel-104
---
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 9f06dc3d8c0..fba2c2fba37 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -525,52 +525,6 @@ done:
 return status;
 }

-static NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
-{
- if (memcmp(gse_ctx->ret_mech,
- gss_mech_krb5, sizeof(gss_OID_desc)) != 0) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- /* GSS_C_MUTUAL_FLAG */
- /* GSS_C_DELEG_FLAG */
- /* GSS_C_DELEG_POLICY_FLAG */
- /* GSS_C_REPLAY_FLAG */
- /* GSS_C_SEQUENCE_FLAG */
-
- /* GSS_C_INTEG_FLAG */
- if (gse_ctx->gss_want_flags & GSS_C_INTEG_FLAG) {
- if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- /* GSS_C_CONF_FLAG */
- if (gse_ctx->gss_want_flags & GSS_C_CONF_FLAG) {
- if (!(gse_ctx->gss_got_flags & GSS_C_CONF_FLAG)) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- /* GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG */
- if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- /* GSS_C_DCE_STYLE */
- if (gse_ctx->gss_want_flags & GSS_C_DCE_STYLE) {
- if (!(gse_ctx->gss_got_flags & GSS_C_DCE_STYLE)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
- if (!(gse_ctx->gss_got_flags & GSS_C_MUTUAL_FLAG)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- return NT_STATUS_OK;
-}
-
 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min)
 {
 OM_uint32 gss_min, gss_maj;
@@ -1019,10 +973,6 @@ static NTSTATUS gensec_gse_update(struct gensec_security *gensec_security,
 return status;
 }

- if (gensec_security->gensec_role == GENSEC_SERVER) {
- return gse_verify_server_auth_flags(gse_ctx);
- }
-
 return NT_STATUS_OK;
 }