CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG

We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 963c98a9e9d25d675865aa8ff4920a6d1222ab4b..c4c4bbc8a0cfa9e7634126f12e746ccf07f6b7f9 100644 (file)
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
        memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
 
        gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
-                               GSS_C_DELEG_FLAG |
                                GSS_C_DELEG_POLICY_FLAG |
                                GSS_C_REPLAY_FLAG |
                                GSS_C_SEQUENCE_FLAG;