From: Stefan Metzmacher Date: Thu, 22 Aug 2019 16:52:15 +0000 (+0000) Subject: krb5_wrap: add smb_gss_krb5_prepare_acceptor_cred() X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=30fcce70e5171e9d6c3524b6e8570027ece58195;p=metze%2Fsamba%2Fwip.git krb5_wrap: add smb_gss_krb5_prepare_acceptor_cred() BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14125 Signed-off-by: Stefan Metzmacher
---
diff --git a/lib/krb5_wrap/gss_samba.c b/lib/krb5_wrap/gss_samba.c
index a5940561cdaf..9e46e2e0c851 100644
--- a/lib/krb5_wrap/gss_samba.c
+++ b/lib/krb5_wrap/gss_samba.c
@@ -218,5 +218,50 @@ uint32_t smb_gss_krb5_import_cred(uint32_t *minor_status, krb5_context ctx,
 return major_status;
 }
+uint32_t smb_gss_krb5_prepare_acceptor_cred(uint32_t *minor_status,
+ bool skip_transited_check,
+ gss_cred_id_t *cred)
+{
+#ifdef HAVE_GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X
+ OM_uint32 gss_maj, gss_min;
+ gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+ gss_OID skip_transit_oid = discard_const(GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X);
+#ifdef HAVE_GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X /* only heimdal */
+ gss_OID iterate_keytab_oid =
+ discard_const(GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X);
+
+ gss_maj = gss_set_cred_option(&gss_min, cred,
+ iterate_keytab_oid,
+ &empty_buffer);
+ if (gss_maj) {
+ DBG_ERR("gss_set_cred_option(ITERATE_ACCEPTOR_KEYTAB_X)\n");
+ *minor_status = gss_min;
+ return gss_maj;
+ }
+#endif /* HAVE_GSS_KRB5_CRED_ITERATE_ACCEPTOR_KEYTAB_X */
+
+ if (!skip_transited_check) {
+ goto done;
+ }
+
+ /*
+ * If we require a valid PAC we can
+ * skip the transit checks in the krb5
+ * code.
+ */
+ gss_maj = gss_set_cred_option(&gss_min, cred,
+ skip_transit_oid,
+ &empty_buffer);
+ if (gss_maj) {
+ DBG_ERR("gss_set_cred_option(NO_TRANSIT_CHECK_X)\n");
+ *minor_status = gss_min;
+ return gss_maj;
+ }
+
+done:
+#endif /* HAVE_GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X */
+ *minor_status = 0;
+ return 0;
+}
 #endif /* HAVE_GSSAPI */
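Review bot: `skip_transited_check` asks the krb5 mechanism to skip its transit checks on the acceptor credential, but the only statement of when that is safe is the inline comment before the second `gss_set_cred_option()` call ("If we require a valid PAC ..."), and nothing in `smb_gss_krb5_prepare_acceptor_cred()` can verify that condition itself. I would state the contract on the function and on its prototype in gss_samba.h, for example `/* skip_transited_check: pass true only if the caller rejects tickets without a valid PAC; otherwise the krb5 transit checks must stay enabled. */`. The same comment should say that without `HAVE_GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X` the function returns 0 without setting either option, so the transit checks presumably stay in place and the caller cannot tell that its request was not applied. Separately, the second `DBG_ERR` prints `NO_TRANSIT_CHECK_X` while the OID is `GSS_KRB5_CRED_SKIP_TRANSIT_CHECK_X`, and neither message includes `gss_maj`/`gss_min`, which makes a failed option harder to trace in logs.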
diff --git a/lib/krb5_wrap/gss_samba.h b/lib/krb5_wrap/gss_samba.h index 89aee3479c55..8131d50a9b05 100644 --- a/lib/krb5_wrap/gss_samba.h +++ b/lib/krb5_wrap/gss_samba.h @@ -45,5 +45,9 @@ uint32_t smb_gss_krb5_import_cred(OM_uint32 *minor_status, krb5_context ctx, krb5_ccache id, krb5_principal keytab_principal, krb5_keytab keytab, gss_cred_id_t *cred); +uint32_t smb_gss_krb5_prepare_acceptor_cred(uint32_t *minor_status, + bool skip_transited_check, + gss_cred_id_t *cred); + #endif /* HAVE_GSSAPI */ #endif /* _GSS_SAMBA_H */