2025-01-08 21:18:16 +03:00 · 2023-11-17 17:41:53 +13:00 · 2023-11-17 17:41:53 +13:00 · bed1893a75
commit bed1893a75
parent dbb682f5fa
3 changed files with 59 additions and 1 deletions
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@ -351,4 +351,16 @@ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
 				   const char *salt,
 				   DATA_BLOB *aes_256);

+/**
+ * Kerberos FAST handling
+ */
+
+NTSTATUS cli_credentials_set_krb5_fast_armor_credentials(struct cli_credentials *creds,
+							 struct cli_credentials *armor_creds,
+							 bool require_fast_armor);
+
+struct cli_credentials *cli_credentials_get_krb5_fast_armor_credentials(struct cli_credentials *creds);
+
+bool cli_credentials_get_krb5_require_fast_armor(struct cli_credentials *creds);
+
 #endif /* __CREDENTIALS_H__ */
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@ -131,6 +131,12 @@ struct cli_credentials {
 	enum smb_signing_setting ipc_signing_state;

 	enum smb_encryption_setting encryption_state;
+
+	/* Credentials to use for FAST */
+	struct cli_credentials *krb5_fast_armor_credentials;
+
+	/* Should we require FAST? */
+	bool krb5_require_fast_armor;
 };

 #endif /* __CREDENTIALS_INTERNAL_H__ */
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@ -1125,7 +1125,7 @@ static int cli_credentials_shallow_ccache(struct cli_credentials *cred)
 _PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
 						struct cli_credentials *src)
 {
-	struct cli_credentials *dst;
+	struct cli_credentials *dst, *armor_credentials;
 	int ret;

 	dst = talloc(mem_ctx, struct cli_credentials);
@ -1135,6 +1135,14 @@ _PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ct

 	*dst = *src;

+	if (dst->krb5_fast_armor_credentials != NULL) {
+		armor_credentials = talloc_reference(dst, dst->krb5_fast_armor_credentials);
+		if (armor_credentials == NULL) {
+			TALLOC_FREE(dst);
+			return NULL;
+		}
+	}
+
 	ret = cli_credentials_shallow_ccache(dst);
 	if (ret != 0) {
 		TALLOC_FREE(dst);
@ -1532,3 +1540,35 @@ _PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,

 	return 0;
 }
+
+/* This take a reference to the armor credentials to ensure the lifetime is appropriate */
+
+NTSTATUS cli_credentials_set_krb5_fast_armor_credentials(struct cli_credentials *creds,
+							 struct cli_credentials *armor_creds,
+							 bool require_fast_armor)
+{
+	talloc_unlink(creds, creds->krb5_fast_armor_credentials);
+	if (armor_creds == NULL) {
+		creds->krb5_fast_armor_credentials = NULL;
+		return NT_STATUS_OK;
+	}
+
+	creds->krb5_fast_armor_credentials = talloc_reference(creds, armor_creds);
+	if (creds->krb5_fast_armor_credentials == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	creds->krb5_require_fast_armor = require_fast_armor;
+
+	return NT_STATUS_OK;
+}
+
+struct cli_credentials *cli_credentials_get_krb5_fast_armor_credentials(struct cli_credentials *creds)
+{
+	return creds->krb5_fast_armor_credentials;
+}
+
+bool cli_credentials_get_krb5_require_fast_armor(struct cli_credentials *creds)
+{
+	return creds->krb5_require_fast_armor;
+}