From fb1aef085e0ae52869bb3906e803e10951da5781 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 20 Aug 2010 09:31:07 -0400
Subject: dcerpc-gssapi: add function to check flags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Günther Deschner
---
 source3/librpc/rpc/dcerpc_gssapi.c | 32 ++++++++++++++++++++++++++++++--
 1 file changed, 30 insertions(+), 2 deletions(-)
(limited to 'source3')
diff --git a/source3/librpc/rpc/dcerpc_gssapi.c b/source3/librpc/rpc/dcerpc_gssapi.c
index e8a15b8e8b..e79231b912 100644
--- a/source3/librpc/rpc/dcerpc_gssapi.c
+++ b/source3/librpc/rpc/dcerpc_gssapi.c
@@ -480,9 +480,37 @@ NTSTATUS gse_verify_server_auth_flags(struct gse_context *gse_ctx)
 return NT_STATUS_INVALID_HANDLE;
 }
- /* TODO: verify the mech oid identifies KRB5 */
+ if (memcmp(gse_ctx->ret_mech,
+ gss_mech_krb5, sizeof(gss_OID_desc)) != 0) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ /* GSS_C_MUTUAL_FLAG */
+ if (gse_ctx->gss_c_flags & GSS_C_MUTUAL_FLAG) {
+ if (!(gse_ctx->ret_flags & GSS_C_MUTUAL_FLAG)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ /* GSS_C_DELEG_FLAG */
+ /* GSS_C_DELEG_POLICY_FLAG */
+ /* GSS_C_REPLAY_FLAG */
+ /* GSS_C_SEQUENCE_FLAG */
+
+ /* GSS_C_INTEG_FLAG */
+ if (gse_ctx->gss_c_flags & GSS_C_INTEG_FLAG) {
+ if (!(gse_ctx->ret_flags & GSS_C_INTEG_FLAG)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ /* GSS_C_CONF_FLAG */
+ if (gse_ctx->gss_c_flags & GSS_C_CONF_FLAG) {
+ if (!(gse_ctx->ret_flags & GSS_C_CONF_FLAG)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
- /* FIXME: implement checks */
 return NT_STATUS_OK;
 }
-- 
cgit
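Review bot: The mechanism check `memcmp(gse_ctx->ret_mech, gss_mech_krb5, sizeof(gss_OID_desc))` compares the two OID descriptors themselves, that is the `length` field, any struct padding and the `elements` pointer value, rather than the OID bytes that pointer refers to. It therefore matches only when the GSS library hands back the very same static descriptor, and it dereferences `ret_mech` without checking it against `GSS_C_NO_OID`; the check fails closed, but it depends on an implementation detail instead of the OID value. Comparing by content is the safer form, assuming `ret_mech` is a `gss_OID` (its declaration is outside the hunk): `if (gse_ctx->ret_mech == GSS_C_NO_OID || gse_ctx->ret_mech->length != gss_mech_krb5->length || memcmp(gse_ctx->ret_mech->elements, gss_mech_krb5->elements, gss_mech_krb5->length) != 0) { return NT_STATUS_ACCESS_DENIED; }`. Separately, `GSS_C_REPLAY_FLAG` and `GSS_C_SEQUENCE_FLAG` remain comment-only placeholders, so a context that requested them but was not granted them still returns `NT_STATUS_OK`; either check them like the other three or add a comment saying why they are deliberately skipped. The function body begins above the hunk, so the earlier validation of `gse_ctx` is not visible here.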