authorStefan Metzmacher <metze@samba.org>2014-01-03 15:30:46 +0100
committerStefan Metzmacher <metze@samba.org>2014-01-07 00:27:11 +0100
commit54b5b3067f5b7a0eb6dd9f1326c903f9fe4a5592 (patch)
treef1f6237920014940dedb03a6bfd40e0199f44a8a /source4/auth/gensec
parent14f6c41754960d73f46aca1bade2266b7e934d03 (diff)
s4:gensec_gssapi: make sure gensec_gssapi_[un]seal_packet() rejects header signing
If header signing is requested we should error out instead of silently ignoring it. Our peer would hopefully reject it, but we should also do that. TODO: we should implement header signing using gss_wrap_iov(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 3f61cb584da..8aad3dcb06a 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1029,6 +1029,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
int conf_state;
ssize_t sig_length;
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+ DEBUG(1, ("gensec_gssapi_seal_packet: "
+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
input_token.length = length;
input_token.value = data;
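Review bot: The new guard in gensec_gssapi_seal_packet() fails closed, but the reason and the gss_wrap_iov() TODO exist only in the commit message; the code should carry them, e.g. `/* TODO: implement header signing via gss_wrap_iov(); until then refuse rather than seal a packet whose header is not covered */` directly above the `if`. The identical guard in gensec_gssapi_unseal_packet() needs the same comment. Returning NT_STATUS_ACCESS_DENIED for an unimplemented feature looks deliberate, and saying so in that comment would keep a later reader from softening it to a "not supported" status that callers might treat as non-fatal. The sign-only paths (gensec_gssapi_sign_packet() and gensec_gssapi_check_packet()) are not part of this diff, so whether they still ignore the flag cannot be judged from here. The function body starts and ends outside the hunk.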
@@ -1083,6 +1089,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
+ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+ DEBUG(1, ("gensec_gssapi_unseal_packet: "
+ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
in = data_blob_talloc(gensec_security, NULL, sig->length + length);
memcpy(in.data, sig->data, sig->length);
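Review bot: In gensec_gssapi_unseal_packet() the guard is placed after the `dump_data_pw("gensec_gssapi_unseal_packet: sig\n", ...)` call, so the peer-supplied signature is still passed to the debug dump before the request is refused, whereas the seal path rejects before it touches its input. Moving the `if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER)` block ahead of `dump_data_pw` would make both paths reject before any processing of packet data. The function starts and ends outside the hunk, so earlier statements that this does not account for may exist.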