authorAndreas Schneider <asn@samba.org>2020-08-20 10:50:30 +0200
committerAndrew Bartlett <abartlet@samba.org>2021-04-28 03:43:34 +0000
commit2fbc63cacc81ab9e1dfdbe6d979c248c3bdea686 (patch)
tree85b981157ba97d208535871a094d4aa1fbd96754 /auth
parent7accd9003521f38b03d1073890761f7d8dc8d675 (diff)
downloadsamba-2fbc63cacc81ab9e1dfdbe6d979c248c3bdea686.tar.gz
auth:creds: Add obtained arg to cli_credentials_set_gensec_features()
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r--auth/credentials/credentials.c33
-rw-r--r--auth/credentials/credentials.h4
-rw-r--r--auth/credentials/credentials_internal.h1
-rw-r--r--auth/credentials/pycredentials.c4
4 files changed, 36 insertions, 6 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index f7c7a47bd4e..85fe03bdf94 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -150,9 +150,18 @@ _PUBLIC_ enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(st
return creds->krb_forwardable;
}
-_PUBLIC_ void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
+_PUBLIC_ bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
+ uint32_t gensec_features,
+ enum credentials_obtained obtained)
{
- creds->gensec_features = gensec_features;
+ if (obtained >= creds->gensec_features_obtained) {
+ creds->gensec_features_obtained = obtained;
+ creds->gensec_features = gensec_features;
+
+ return true;
+ }
+
+ return false;
}
_PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
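Review bot: The rewritten `cli_credentials_set_gensec_features()` keeps the old value and returns `false` when `obtained` ranks below `creds->gensec_features_obtained`, but nothing at the definition documents this. A caller that ignores the result may assume signing or sealing was requested when the call was in fact refused. A doc comment above the function should state the precedence rule (`>=`, so an equal level overwrites) and that `false` means `gensec_features` was left unchanged. The only caller visible in this patch, `py_creds_set_gensec_features()` in pycredentials.c, discards the result; it should either propagate it or carry a comment such as `/* CRED_SPECIFIED is expected to always win */`, if that is the intent.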
@@ -1017,8 +1026,6 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
break;
}
}
-
- cred->encryption_state_obtained = CRED_SMB_CONF;
}
if (cred->kerberos_state_obtained <= CRED_SMB_CONF) {
@@ -1026,6 +1033,24 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred,
cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx);
cred->kerberos_state_obtained = CRED_SMB_CONF;
}
+
+ if (cred->gensec_features_obtained <= CRED_SMB_CONF) {
+ switch (protection) {
+ case CRED_CLIENT_PROTECTION_DEFAULT:
+ break;
+ case CRED_CLIENT_PROTECTION_PLAIN:
+ cred->gensec_features = 0;
+ break;
+ case CRED_CLIENT_PROTECTION_SIGN:
+ cred->gensec_features = GENSEC_FEATURE_SIGN;
+ break;
+ case CRED_CLIENT_PROTECTION_ENCRYPT:
+ cred->gensec_features =
+ GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL;
+ break;
+ }
+ cred->gensec_features_obtained = CRED_SMB_CONF;
+ }
}
/**
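Review bot: The new switch assigns `cred->gensec_features` wholesale, so `CRED_CLIENT_PROTECTION_PLAIN` clears every feature bit, and the SIGN and ENCRYPT cases drop any bit other than sign/seal that was stored at or below `CRED_SMB_CONF`. If other flags can live in this field (not visible here), clear only the protection bits first, `cred->gensec_features &= ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL);`, and then OR in the requested ones. `gensec_features_obtained` is also raised to `CRED_SMB_CONF` in the `CRED_CLIENT_PROTECTION_DEFAULT` case, where nothing was taken from configuration; a one-line comment saying this is intended would help. The preceding hunk removes `cred->encryption_state_obtained = CRED_SMB_CONF;` from the same function, which the commit message does not mention, so it is worth confirming that the encryption setting's provenance is still recorded as intended. `protection` and the rest of `cli_credentials_set_conf()` lie outside the hunk.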
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 540e4cfb6b6..1007d8e3d66 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -233,7 +233,9 @@ int cli_credentials_set_keytab_name(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
const char *keytab_name,
enum credentials_obtained obtained);
-void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
+bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
+ uint32_t gensec_features,
+ enum credentials_obtained obtained);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
int cli_credentials_set_ccache(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index d39ead3b379..afbda1a4b48 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -41,6 +41,7 @@ struct cli_credentials {
enum credentials_obtained ipc_signing_state_obtained;
enum credentials_obtained encryption_state_obtained;
enum credentials_obtained kerberos_state_obtained;
+ enum credentials_obtained gensec_features_obtained;
/* Threshold values (essentially a MAX() over a number of the
* above) for the ccache and GSS credentials, to ensure we
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 127085f4950..0ba2618cec9 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -842,7 +842,9 @@ static PyObject *py_creds_set_gensec_features(PyObject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "I", &gensec_features))
return NULL;
- cli_credentials_set_gensec_features(creds, gensec_features);
+ cli_credentials_set_gensec_features(creds,
+ gensec_features,
+ CRED_SPECIFIED);
Py_RETURN_NONE;
}