auth/gensec: make sure gensec_start_mech_by_authtype() resets SIGN/SEAL before starting

We want to set GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL based on the given
auth_level and should not have GENSEC_FEATURE_SEAL if
DCERPC_AUTH_LEVEL_INTEGRITY is desired.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 756508c8c37b0370301a096e35abc171fe08d31c)

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index e46f0ee85107f51ab80fa29c509e7c9a1d3d84b0..8b649e5190842a72e0b0e0ebb2b2bed4e0329412 100644 (file)
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -701,6 +701,12 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
                return NT_STATUS_INVALID_PARAMETER;
        }
        gensec_security->dcerpc_auth_level = auth_level;
+       /*
+        * We need to reset sign/seal in order to reset it.
+        * We may got some default features inherited by the credentials
+        */
+       gensec_security->want_features &= ~GENSEC_FEATURE_SIGN;
+       gensec_security->want_features &= ~GENSEC_FEATURE_SEAL;
        gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
        gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
        if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {