mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

gensec: add GENSEC_FEATURE_NO_DELEGATION flag to avoid GSS_C_DELEG[_POLICY]_FLAG

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher 2024-11-06 14:29:10 +01:00
parent f59b8ac136
commit ec6892bd1f
3 changed files with 9 additions and 1 deletions


@ -72,6 +72,7 @@ struct gensec_target {
#define GENSEC_FEATURE_SMB_TRANSPORT 0x00001000
#define GENSEC_FEATURE_LDAPS_TRANSPORT 0x00002000
#define GENSEC_FEATURE_CB_OPTIONAL 0x00004000
#define GENSEC_FEATURE_NO_DELEGATION 0x00008000
#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL


@ -196,7 +196,6 @@ static NTSTATUS gse_context_init(struct gensec_security *gensec_security,
memcpy(&gse_ctx->gss_mech, mech, sizeof(gss_OID_desc));
gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
if (do_sign) {
@ -1137,6 +1136,10 @@ static NTSTATUS gensec_gse_client_start(struct gensec_security *gensec_security)
want_flags |= GSS_C_DCE_STYLE;
}
if (!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION)) {
want_flags |= GSS_C_DELEG_POLICY_FLAG;
}
#ifdef HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
/*
* We can only use GSS_C_CHANNEL_BOUND_FLAG if the kerberos library
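Review bot: The opt-out added in gensec_gse_client_start has no comment, which matters to anyone auditing where client credentials can be forwarded. Delegation by KDC policy stays the default and is skipped only when the caller sets GENSEC_FEATURE_NO_DELEGATION. A line above the added `if` would make that explicit, e.g. `/* Delegate by KDC policy unless the caller opted out via GENSEC_FEATURE_NO_DELEGATION */`. The block only avoids adding GSS_C_DELEG_POLICY_FLAG and never clears GSS_C_DELEG_FLAG, so it is worth confirming that no path outside these hunks sets that flag for the client. Both gse_context_init and gensec_gse_client_start continue outside the hunks shown.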


@ -200,6 +200,10 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_SEQUENCE_FLAG;
}
if (!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION)) {
gensec_gssapi_state->gss_want_flags &= ~GSS_C_DELEG_FLAG;
gensec_gssapi_state->gss_want_flags &= ~GSS_C_DELEG_POLICY_FLAG;
}
if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;
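Review bot: The condition on the added `if` in gensec_gssapi_start looks inverted as displayed. With `!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION)`, GSS_C_DELEG_FLAG and GSS_C_DELEG_POLICY_FLAG are cleared for callers that did not request no-delegation and left untouched for callers that did. That contradicts the commit title and the gse.c hunk, where the same negated test guards `want_flags |= GSS_C_DELEG_POLICY_FLAG`. If so, a caller relying on the feature could still have credentials delegated to the target service. The test should presumably drop the negation: `if (gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION) {`. The function starts and ends outside the hunk, so which delegation flags are set before this point should be checked against the full file.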