From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 20 Jun 2015 14:19:31 +0000 (+0200)
Subject: auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting
X-Git-Tag: samba-4.1.20~35
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=55709541204cb1066c13744a4c577bf3c02b2e3c;p=thirdparty%2Fsamba.git

auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting

We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 756508c8c37b0370301a096e35abc171fe08d31c)
---

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index e46f0ee8510..8b649e51908 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -701,6 +701,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 	gensec_security->dcerpc_auth_level = auth_level;
+	/*
+	 * We need to reset sign/seal in order to reset it.
+	 * We may got some default features inherited by the credentials
+	 */
+	gensec_security->want_features &= ~GENSEC_FEATURE_SIGN;
+	gensec_security->want_features &= ~GENSEC_FEATURE_SEAL;
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
 	gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
 	if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {