s3-librpc: Remove gse_verify_server_auth_flags
authorAndrew Bartlett <abartlet@samba.org>
Tue, 7 Feb 2012 11:27:53 +0000 (22:27 +1100)
committerStefan Metzmacher <metze@samba.org>
Thu, 16 Feb 2012 20:19:44 +0000 (21:19 +0100)
gensec_update() ensures that DCE-style and sign/seal are negotiated correctly
for DCE/RPC pipes.  Also, the smb sealing client/server already check for the
gensec_have_feature().

This additional check just keeps causing trouble, and is 'protecting'
an already secure negotiated exchange.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Feb 16 21:19:44 CET 2012 on sn-devel-104

source3/librpc/crypto/gse.c

index 9f06dc3d8c036b4c58401f836e375f9a8116bc62..fba2c2fba377f8fa7a0ab8e0c341deb041ef1251 100644 (file)
@@ -525,52 +525,6 @@ done:
        return status;
 }
 
-static NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
-{
-       if (memcmp(gse_ctx->ret_mech,
-                  gss_mech_krb5, sizeof(gss_OID_desc)) != 0) {
-               return NT_STATUS_ACCESS_DENIED;
-       }
-
-       /* GSS_C_MUTUAL_FLAG */
-       /* GSS_C_DELEG_FLAG */
-       /* GSS_C_DELEG_POLICY_FLAG */
-       /* GSS_C_REPLAY_FLAG */
-       /* GSS_C_SEQUENCE_FLAG */
-
-       /* GSS_C_INTEG_FLAG */
-       if (gse_ctx->gss_want_flags & GSS_C_INTEG_FLAG) {
-               if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-       }
-
-       /* GSS_C_CONF_FLAG */
-       if (gse_ctx->gss_want_flags & GSS_C_CONF_FLAG) {
-               if (!(gse_ctx->gss_got_flags & GSS_C_CONF_FLAG)) {
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-
-               /* GSS_C_CONF_FLAG implies GSS_C_INTEG_FLAG */
-               if (!(gse_ctx->gss_got_flags & GSS_C_INTEG_FLAG)) {
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-       }
-
-       /* GSS_C_DCE_STYLE */
-       if (gse_ctx->gss_want_flags & GSS_C_DCE_STYLE) {
-               if (!(gse_ctx->gss_got_flags & GSS_C_DCE_STYLE)) {
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-               /* GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG */
-               if (!(gse_ctx->gss_got_flags & GSS_C_MUTUAL_FLAG)) {
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-       }
-
-       return NT_STATUS_OK;
-}
-
 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min)
 {
        OM_uint32 gss_min, gss_maj;
@@ -1019,10 +973,6 @@ static NTSTATUS gensec_gse_update(struct gensec_security *gensec_security,
                return status;
        }
 
-       if (gensec_security->gensec_role == GENSEC_SERVER) {
-               return gse_verify_server_auth_flags(gse_ctx);
-       }
-
        return NT_STATUS_OK;
 }
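Review bot: With gse_verify_server_auth_flags gone, nothing visible in this section re-checks that the mechanism the server actually negotiated (gse_ctx->ret_mech) is gss_mech_krb5 before gensec_gse_update returns NT_STATUS_OK in the second hunk; the description says gensec_update() covers DCE-style and sign/seal, but says nothing about the mechanism comparison that the first hunk also removes. Unless the mechanism is pinned elsewhere (the mech passed to the accept call, or a check in the caller), consider keeping that single comparison, `if (memcmp(gse_ctx->ret_mech, gss_mech_krb5, sizeof(gss_OID_desc)) != 0) return NT_STATUS_ACCESS_DENIED;`, or stating in the commit message why it is redundant. If it is kept, note that a gss_OID_desc holds a length and an elements pointer, so memcmp over the struct compares pointer values rather than OID bytes; a length-plus-elements comparison (gss_oid_equal style) would be more robust. gensec_gse_update begins outside the hunk.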