author | Andreas Schneider <asn@samba.org> | 2020-08-20 10:50:30 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2021-04-28 03:43:34 +0000 |
commit | 2fbc63cacc81ab9e1dfdbe6d979c248c3bdea686 (patch) | |
tree | 85b981157ba97d208535871a094d4aa1fbd96754 /auth | |
parent | 7accd9003521f38b03d1073890761f7d8dc8d675 (diff) | |
download | samba-2fbc63cacc81ab9e1dfdbe6d979c248c3bdea686.tar.gz |
auth:creds: Add obtained arg to cli_credentials_set_gensec_features()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r-- | auth/credentials/credentials.c | 33 | ||||
-rw-r--r-- | auth/credentials/credentials.h | 4 | ||||
-rw-r--r-- | auth/credentials/credentials_internal.h | 1 | ||||
-rw-r--r-- | auth/credentials/pycredentials.c | 4 |
4 files changed, 36 insertions, 6 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index f7c7a47bd4e..85fe03bdf94 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -150,9 +150,18 @@ _PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(st
 return creds->krb_forwardable;
 }
-_PUBLIC_ void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
+_PUBLIC_ bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
+ uint32_t gensec_features,
+ enum credentials_obtained obtained)
 {
- creds->gensec_features = gensec_features;
+ if (obtained >= creds->gensec_features_obtained) {
+ creds->gensec_features_obtained = obtained;
+ creds->gensec_features = gensec_features;
+
+ return true;
+ }
+
+ return false;
 }
 _PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
@@ -1017,8 +1026,6 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
 break;
 }
 }
-
- cred->encryption_state_obtained = CRED_SMB_CONF;
 }
 if (cred->kerberos_state_obtained <= CRED_SMB_CONF) {
@@ -1026,6 +1033,24 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
 cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx);
 cred->kerberos_state_obtained = CRED_SMB_CONF;
 }
+
+ if (cred->gensec_features_obtained <= CRED_SMB_CONF) {
+ switch (protection) {
+ case CRED_CLIENT_PROTECTION_DEFAULT:
+ break;
+ case CRED_CLIENT_PROTECTION_PLAIN:
+ cred->gensec_features = 0;
+ break;
+ case CRED_CLIENT_PROTECTION_SIGN:
+ cred->gensec_features = GENSEC_FEATURE_SIGN;
+ break;
+ case CRED_CLIENT_PROTECTION_ENCRYPT:
+ cred->gensec_features =
+ GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL;
+ break;
+ }
+ cred->gensec_features_obtained = CRED_SMB_CONF;
+ }
 }
 /**
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 540e4cfb6b6..1007d8e3d66 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
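Review bot: The rewritten cli_credentials_set_gensec_features() in the first credentials.c hunk can now refuse the update, but nothing in the hunk documents the precedence rule or the new return value. A caller that asks for GENSEC_FEATURE_SIGN or GENSEC_FEATURE_SEAL and ignores a false result would carry on with whatever mask was already stored, so the contract deserves a comment above the definition, for example `/* Replace the GENSEC feature mask if 'obtained' is at least as authoritative as the stored level; returns false and leaves the mask untouched otherwise. */`. Note that `>=` lets a later call at the same level overwrite an earlier one, which is worth stating in that comment as well.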
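Review bot: In the block added to cli_credentials_set_conf() (third credentials.c hunk), the PLAIN, SIGN and ENCRYPT cases assign `cred->gensec_features` outright, so any other feature bit stored at or below CRED_SMB_CONF precedence is dropped when smb.conf is applied. Whether other bits can be present at that point is not visible here, but touching only the protection bits would be safer, e.g. `cred->gensec_features = (cred->gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL)) | GENSEC_FEATURE_SIGN;` for the SIGN case. The DEFAULT case changes nothing yet `gensec_features_obtained` is still raised to CRED_SMB_CONF, and the switch has no `default:` label for an unexpected `protection` value. The preceding hunk also deletes `cred->encryption_state_obtained = CRED_SMB_CONF;`, which the commit message does not mention; a sentence on why would help. The function and the declaration of `protection` lie outside these hunks.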
@@ -233,7 +233,9 @@ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
 struct loadparm_context *lp_ctx,
 const char *keytab_name,
 enum credentials_obtained obtained);
-void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
+bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
+ uint32_t gensec_features,
+ enum credentials_obtained obtained);
 uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
 int cli_credentials_set_ccache(struct cli_credentials *cred,
 struct loadparm_context *lp_ctx,
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index d39ead3b379..afbda1a4b48 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -41,6 +41,7 @@ struct cli_credentials {
 enum credentials_obtained ipc_signing_state_obtained;
 enum credentials_obtained encryption_state_obtained;
 enum credentials_obtained kerberos_state_obtained;
+ enum credentials_obtained gensec_features_obtained;
 /* Threshold values (essentially a MAX() over a number of the
 * above) for the ccache and GSS credentials, to ensure we
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 127085f4950..0ba2618cec9 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -842,7 +842,9 @@ static PyObject *py_creds_set_gensec_features(PyObject *self, PyObject *args)
 if (!PyArg_ParseTuple(args, "I", &gensec_features))
 return NULL;
-cli_credentials_set_gensec_features(creds, gensec_features);
+ cli_credentials_set_gensec_features(creds,
+ gensec_features,
+ CRED_SPECIFIED);
 Py_RETURN_NONE;
 } |
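Review bot: In the pycredentials.c hunk, the bool now returned by cli_credentials_set_gensec_features() is discarded, so py_creds_set_gensec_features() returns None whether or not the mask was applied. A script that asks for signing or sealing this way could not tell that the request was refused. Whether any level outranks CRED_SPECIFIED is not visible in this diff, so that case may be rare. Checking the result would close the gap, e.g. `if (!cli_credentials_set_gensec_features(creds, gensec_features, CRED_SPECIFIED)) {` followed by raising a Python exception and `return NULL;`. The start of py_creds_set_gensec_features() lies outside the hunk.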