From: Stefan Metzmacher Date: Wed, 6 Nov 2024 13:29:10 +0000 (+0100) Subject: gensec: add GENSEC_FEATURE_NO_DELEGATION flag to avoid GSS_C_DELEG[_POLICY]_FLAG X-Git-Tag: tdb-1.4.13~387 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ec6892bd1fcc0391f9aa831d7e4f095825dafb56;p=thirdparty%2Fsamba.git gensec: add GENSEC_FEATURE_NO_DELEGATION flag to avoid GSS_C_DELEG[_POLICY]_FLAG Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h index 24abacfb2aa..06d77c7f648 100644 --- a/auth/gensec/gensec.h +++ b/auth/gensec/gensec.h @@ -72,6 +72,7 @@ struct gensec_target { #define GENSEC_FEATURE_SMB_TRANSPORT 0x00001000 #define GENSEC_FEATURE_LDAPS_TRANSPORT 0x00002000 #define GENSEC_FEATURE_CB_OPTIONAL 0x00004000 +#define GENSEC_FEATURE_NO_DELEGATION 0x00008000 #define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index a071025c6f6..e6f96d2464e 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -196,7 +196,6 @@ static NTSTATUS gse_context_init(struct gensec_security *gensec_security, memcpy(&gse_ctx->gss_mech, mech, sizeof(gss_OID_desc)); gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG | - GSS_C_DELEG_POLICY_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; if (do_sign) { @@ -1137,6 +1136,10 @@ static NTSTATUS gensec_gse_client_start(struct gensec_security *gensec_security) want_flags |= GSS_C_DCE_STYLE; } + if (!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION)) { + want_flags |= GSS_C_DELEG_POLICY_FLAG; + } + #ifdef HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG /* * We can only use GSS_C_CHANNEL_BOUND_FLAG if the kerberos library diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 997d073d7e1..c43dc66ab4a 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c 
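Review bot: The new `GENSEC_FEATURE_NO_DELEGATION` define carries no comment fixing what a set bit means, and the two consumers this commit adds read it with opposite polarity: gse.c requests `GSS_C_DELEG_POLICY_FLAG` only when the bit is clear, while gensec_gssapi.c strips `GSS_C_DELEG_FLAG`/`GSS_C_DELEG_POLICY_FLAG` when the bit is clear. Going by the name, gse.c's reading looks like the intended one, which would make the gensec_gssapi.c condition inverted — worth confirming before merge, since the visible effect is that the source4 path still asks for delegation for exactly the callers that opted out. I would pin the contract next to the define: `/* never request GSS_C_DELEG_FLAG or GSS_C_DELEG_POLICY_FLAG (no credential forwarding to the server) */`. The neighbouring feature bits in this header are uncommented too, but a one-liner here stops the next consumer from guessing the polarity.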
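Review bot: The block added to gensec_gse_client_start() gives no reason why `GSS_C_DELEG_POLICY_FLAG` is now opt-out here after being unconditional in gse_context_init(), and it quietly depends on ordering: `want_flags` is assembled at this point from `want_features`, so `GENSEC_FEATURE_NO_DELEGATION` only takes effect if the caller set it before client start. I would say both above the `if`: `/* Request policy-based delegation unless the caller opted out via GENSEC_FEATURE_NO_DELEGATION (which must be set before client start). */`. gensec_gse_client_start() begins and ends outside this hunk.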
@@ -200,6 +200,10 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) { gensec_gssapi_state->gss_want_flags |= GSS_C_SEQUENCE_FLAG; } + if (!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION)) { + gensec_gssapi_state->gss_want_flags &= ~GSS_C_DELEG_FLAG; + gensec_gssapi_state->gss_want_flags &= ~GSS_C_DELEG_POLICY_FLAG; + } if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;