From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 19 Jun 2015 12:46:53 +0000 (+0200)
Subject: auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE
X-Git-Tag: samba-4.1.20~36
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=54b9c1c8cb58608cfaa98fc75654557f8fab2df7;p=thirdparty%2Fsamba.git

auth/gensec: gensec_[un]seal_packet() should only work with GENSEC_FEATURE_DCE_STYLE

gensec_sig_size() also requires GENSEC_FEATURE_DCE_STYLE if
GENSEC_FEATURE_SEAL is negotiated.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3542d33314e32279340f07f995c1dcbd16106352)
---

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index ea628617971..01c4ac6d954 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -39,9 +39,15 @@ _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
 	if (!gensec_security->ops->unseal_packet) {
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	return gensec_security->ops->unseal_packet(gensec_security,
 						   data, length,
@@ -79,6 +85,9 @@ _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
+	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
 
 	return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
 }
@@ -107,6 +116,11 @@ _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 		return 0;
 	}
+	if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
+			return 0;
+		}
+	}
 
 	return gensec_security->ops->sig_size(gensec_security, data_size);
 }