search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4-torture: don't build the lsa forest trust krb5 tests when building with MIT Kerberos.
[Samba.git] / auth / gensec / gensec.c
blob9fd5f2545544304ec6005011ecdd4f6e3b62bdf9
1 /*
2 Unix SMB/CIFS implementation.
3
4 Generic Authentication Interface
5
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/network.h"
25 #define TEVENT_DEPRECATED 1
26 #include <tevent.h>
27 #include "lib/tsocket/tsocket.h"
28 #include "lib/util/tevent_ntstatus.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/gensec/gensec_internal.h"
31 #include "librpc/gen_ndr/dcerpc.h"
32
33 /*
34 wrappers for the gensec function pointers
35 */
36 _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
37 uint8_t *data, size_t length,
38 const uint8_t *whole_pdu, size_t pdu_length,
39 const DATA_BLOB *sig)
40 {
41 if (!gensec_security->ops->unseal_packet) {
42 return NT_STATUS_NOT_IMPLEMENTED;
43 }
44 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
45 return NT_STATUS_INVALID_PARAMETER;
46 }
47 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
48 return NT_STATUS_INVALID_PARAMETER;
49 }
50 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
51 return NT_STATUS_INVALID_PARAMETER;
52 }
53
54 return gensec_security->ops->unseal_packet(gensec_security,
55 data, length,
56 whole_pdu, pdu_length,
57 sig);
58 }
59
60 _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
61 const uint8_t *data, size_t length,
62 const uint8_t *whole_pdu, size_t pdu_length,
63 const DATA_BLOB *sig)
64 {
65 if (!gensec_security->ops->check_packet) {
66 return NT_STATUS_NOT_IMPLEMENTED;
67 }
68 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
69 return NT_STATUS_INVALID_PARAMETER;
70 }
71
72 return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig);
73 }
74
75 _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
76 TALLOC_CTX *mem_ctx,
77 uint8_t *data, size_t length,
78 const uint8_t *whole_pdu, size_t pdu_length,
79 DATA_BLOB *sig)
80 {
81 if (!gensec_security->ops->seal_packet) {
82 return NT_STATUS_NOT_IMPLEMENTED;
83 }
84 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
85 return NT_STATUS_INVALID_PARAMETER;
86 }
87 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
88 return NT_STATUS_INVALID_PARAMETER;
89 }
90 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
91 return NT_STATUS_INVALID_PARAMETER;
92 }
93
94 return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
95 }
96
97 _PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
98 TALLOC_CTX *mem_ctx,
99 const uint8_t *data, size_t length,
100 const uint8_t *whole_pdu, size_t pdu_length,
101 DATA_BLOB *sig)
102 {
103 if (!gensec_security->ops->sign_packet) {
104 return NT_STATUS_NOT_IMPLEMENTED;
105 }
106 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
107 return NT_STATUS_INVALID_PARAMETER;
108 }
109
110 return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
111 }
112
113 _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
114 {
115 if (!gensec_security->ops->sig_size) {
116 return 0;
117 }
118 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
119 return 0;
120 }
121 if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
122 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE)) {
123 return 0;
124 }
125 }
126
127 return gensec_security->ops->sig_size(gensec_security, data_size);
128 }
129
130 _PUBLIC_ size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
131 {
132 if (!gensec_security->ops->max_wrapped_size) {
133 return (1 << 17);
134 }
135
136 return gensec_security->ops->max_wrapped_size(gensec_security);
137 }
138
139 _PUBLIC_ size_t gensec_max_input_size(struct gensec_security *gensec_security)
140 {
141 if (!gensec_security->ops->max_input_size) {
142 return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
143 }
144
145 return gensec_security->ops->max_input_size(gensec_security);
146 }
147
148 _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
149 TALLOC_CTX *mem_ctx,
150 const DATA_BLOB *in,
151 DATA_BLOB *out)
152 {
153 if (!gensec_security->ops->wrap) {
154 return NT_STATUS_NOT_IMPLEMENTED;
155 }
156 return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
157 }
158
159 _PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
160 TALLOC_CTX *mem_ctx,
161 const DATA_BLOB *in,
162 DATA_BLOB *out)
163 {
164 if (!gensec_security->ops->unwrap) {
165 return NT_STATUS_NOT_IMPLEMENTED;
166 }
167 return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
168 }
169
170 _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
171 TALLOC_CTX *mem_ctx,
172 DATA_BLOB *session_key)
173 {
174 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
175 return NT_STATUS_NO_USER_SESSION_KEY;
176 }
177
178 if (!gensec_security->ops->session_key) {
179 return NT_STATUS_NOT_IMPLEMENTED;
180 }
181
182 return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
183 }
184
185 /**
186 * Return the credentials of a logged on user, including session keys
187 * etc.
188 *
189 * Only valid after a successful authentication
190 *
191 * May only be called once per authentication.
192 *
193 */
194
195 _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
196 TALLOC_CTX *mem_ctx,
197 struct auth_session_info **session_info)
198 {
199 if (!gensec_security->ops->session_info) {
200 return NT_STATUS_NOT_IMPLEMENTED;
201 }
202 return gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
203 }
204
205 _PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security,
206 uint32_t max_update_size)
207 {
208 gensec_security->max_update_size = max_update_size;
209 }
210
211 _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
212 {
213 if (gensec_security->max_update_size == 0) {
214 return UINT32_MAX;
215 }
216
217 return gensec_security->max_update_size;
218 }
219
220 _PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
221 TALLOC_CTX *out_mem_ctx,
222 struct tevent_context *ev,
223 const DATA_BLOB in, DATA_BLOB *out)
224 {
225 NTSTATUS status;
226 const struct gensec_security_ops *ops = gensec_security->ops;
227 TALLOC_CTX *frame = NULL;
228 struct tevent_req *subreq = NULL;
229 bool ok;
230
231 if (ops->update_send == NULL) {
232
233 if (ev == NULL) {
234 frame = talloc_stackframe();
235
236 ev = samba_tevent_context_init(frame);
237 if (ev == NULL) {
238 status = NT_STATUS_NO_MEMORY;
239 goto fail;
240 }
241
242 /*
243 * TODO: remove this hack once the backends
244 * are fixed.
245 */
246 tevent_loop_allow_nesting(ev);
247 }
248
249 status = ops->update(gensec_security, out_mem_ctx,
250 ev, in, out);
251 TALLOC_FREE(frame);
252 if (!NT_STATUS_IS_OK(status)) {
253 return status;
254 }
255
256 /*
257 * Because callers using the
258 * gensec_start_mech_by_auth_type() never call
259 * gensec_want_feature(), it isn't sensible for them
260 * to have to call gensec_have_feature() manually, and
261 * these are not points of negotiation, but are
262 * asserted by the client
263 */
264 switch (gensec_security->dcerpc_auth_level) {
265 case DCERPC_AUTH_LEVEL_INTEGRITY:
266 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
267 DEBUG(0,("Did not manage to negotiate mandetory feature "
268 "SIGN for dcerpc auth_level %u\n",
269 gensec_security->dcerpc_auth_level));
270 return NT_STATUS_ACCESS_DENIED;
271 }
272 break;
273 case DCERPC_AUTH_LEVEL_PRIVACY:
274 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
275 DEBUG(0,("Did not manage to negotiate mandetory feature "
276 "SIGN for dcerpc auth_level %u\n",
277 gensec_security->dcerpc_auth_level));
278 return NT_STATUS_ACCESS_DENIED;
279 }
280 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
281 DEBUG(0,("Did not manage to negotiate mandetory feature "
282 "SEAL for dcerpc auth_level %u\n",
283 gensec_security->dcerpc_auth_level));
284 return NT_STATUS_ACCESS_DENIED;
285 }
286 break;
287 default:
288 break;
289 }
290
291 return NT_STATUS_OK;
292 }
293
294 frame = talloc_stackframe();
295
296 if (ev == NULL) {
297 ev = samba_tevent_context_init(frame);
298 if (ev == NULL) {
299 status = NT_STATUS_NO_MEMORY;
300 goto fail;
301 }
302
303 /*
304 * TODO: remove this hack once the backends
305 * are fixed.
306 */
307 tevent_loop_allow_nesting(ev);
308 }
309
310 subreq = ops->update_send(frame, ev, gensec_security, in);
311 if (subreq == NULL) {
312 status = NT_STATUS_NO_MEMORY;
313 goto fail;
314 }
315 ok = tevent_req_poll_ntstatus(subreq, ev, &status);
316 if (!ok) {
317 goto fail;
318 }
319 status = ops->update_recv(subreq, out_mem_ctx, out);
320 fail:
321 TALLOC_FREE(frame);
322 return status;
323 }
324
325 /**
326 * Next state function for the GENSEC state machine
327 *
328 * @param gensec_security GENSEC State
329 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
330 * @param in The request, as a DATA_BLOB
331 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
332 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
333 * or NT_STATUS_OK if the user is authenticated.
334 */
335
336 _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security,
337 TALLOC_CTX *out_mem_ctx,
338 const DATA_BLOB in, DATA_BLOB *out)
339 {
340 return gensec_update_ev(gensec_security, out_mem_ctx, NULL, in, out);
341 }
342
343 struct gensec_update_state {
344 const struct gensec_security_ops *ops;
345 struct tevent_req *subreq;
346 struct gensec_security *gensec_security;
347 DATA_BLOB out;
348
349 /*
350 * only for sync backends, we should remove this
351 * once all backends are async.
352 */
353 struct tevent_immediate *im;
354 DATA_BLOB in;
355 };
356
357 static void gensec_update_async_trigger(struct tevent_context *ctx,
358 struct tevent_immediate *im,
359 void *private_data);
360 static void gensec_update_subreq_done(struct tevent_req *subreq);
361
362 /**
363 * Next state function for the GENSEC state machine async version
364 *
365 * @param mem_ctx The memory context for the request
366 * @param ev The event context for the request
367 * @param gensec_security GENSEC State
368 * @param in The request, as a DATA_BLOB
369 *
370 * @return The request handle or NULL on no memory failure
371 */
372
373 _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
374 struct tevent_context *ev,
375 struct gensec_security *gensec_security,
376 const DATA_BLOB in)
377 {
378 struct tevent_req *req;
379 struct gensec_update_state *state = NULL;
380
381 req = tevent_req_create(mem_ctx, &state,
382 struct gensec_update_state);
383 if (req == NULL) {
384 return NULL;
385 }
386
387 state->ops = gensec_security->ops;
388 state->gensec_security = gensec_security;
389
390 if (state->ops->update_send == NULL) {
391 state->in = in;
392 state->im = tevent_create_immediate(state);
393 if (tevent_req_nomem(state->im, req)) {
394 return tevent_req_post(req, ev);
395 }
396
397 tevent_schedule_immediate(state->im, ev,
398 gensec_update_async_trigger,
399 req);
400
401 return req;
402 }
403
404 state->subreq = state->ops->update_send(state, ev, gensec_security, in);
405 if (tevent_req_nomem(state->subreq, req)) {
406 return tevent_req_post(req, ev);
407 }
408
409 tevent_req_set_callback(state->subreq,
410 gensec_update_subreq_done,
411 req);
412
413 return req;
414 }
415
416 static void gensec_update_async_trigger(struct tevent_context *ctx,
417 struct tevent_immediate *im,
418 void *private_data)
419 {
420 struct tevent_req *req =
421 talloc_get_type_abort(private_data, struct tevent_req);
422 struct gensec_update_state *state =
423 tevent_req_data(req, struct gensec_update_state);
424 NTSTATUS status;
425
426 status = state->ops->update(state->gensec_security, state, ctx,
427 state->in, &state->out);
428 if (tevent_req_nterror(req, status)) {
429 return;
430 }
431
432 tevent_req_done(req);
433 }
434
435 static void gensec_update_subreq_done(struct tevent_req *subreq)
436 {
437 struct tevent_req *req =
438 tevent_req_callback_data(subreq,
439 struct tevent_req);
440 struct gensec_update_state *state =
441 tevent_req_data(req,
442 struct gensec_update_state);
443 NTSTATUS status;
444
445 state->subreq = NULL;
446
447 status = state->ops->update_recv(subreq, state, &state->out);
448 TALLOC_FREE(subreq);
449 if (tevent_req_nterror(req, status)) {
450 return;
451 }
452
453 /*
454 * Because callers using the
455 * gensec_start_mech_by_authtype() never call
456 * gensec_want_feature(), it isn't sensible for them
457 * to have to call gensec_have_feature() manually, and
458 * these are not points of negotiation, but are
459 * asserted by the client
460 */
461 switch (state->gensec_security->dcerpc_auth_level) {
462 case DCERPC_AUTH_LEVEL_INTEGRITY:
463 if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
464 DEBUG(0,("Did not manage to negotiate mandetory feature "
465 "SIGN for dcerpc auth_level %u\n",
466 state->gensec_security->dcerpc_auth_level));
467 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
468 return;
469 }
470 break;
471 case DCERPC_AUTH_LEVEL_PRIVACY:
472 if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
473 DEBUG(0,("Did not manage to negotiate mandetory feature "
474 "SIGN for dcerpc auth_level %u\n",
475 state->gensec_security->dcerpc_auth_level));
476 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
477 return;
478 }
479 if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
480 DEBUG(0,("Did not manage to negotiate mandetory feature "
481 "SEAL for dcerpc auth_level %u\n",
482 state->gensec_security->dcerpc_auth_level));
483 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
484 return;
485 }
486 break;
487 default:
488 break;
489 }
490
491 tevent_req_done(req);
492 }
493
494 /**
495 * Next state function for the GENSEC state machine
496 *
497 * @param req request state
498 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
499 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
500 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
501 * or NT_STATUS_OK if the user is authenticated.
502 */
503 _PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
504 TALLOC_CTX *out_mem_ctx,
505 DATA_BLOB *out)
506 {
507 struct gensec_update_state *state =
508 tevent_req_data(req, struct gensec_update_state);
509 NTSTATUS status;
510
511 if (tevent_req_is_nterror(req, &status)) {
512 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
513 tevent_req_received(req);
514 return status;
515 }
516 } else {
517 status = NT_STATUS_OK;
518 }
519
520 *out = state->out;
521 talloc_steal(out_mem_ctx, out->data);
522
523 tevent_req_received(req);
524 return status;
525 }
526
527 /**
528 * Set the requirement for a certain feature on the connection
529 *
530 */
531
532 _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
533 uint32_t feature)
534 {
535 if (!gensec_security->ops || !gensec_security->ops->want_feature) {
536 gensec_security->want_features |= feature;
537 return;
538 }
539 gensec_security->ops->want_feature(gensec_security, feature);
540 }
541
542 /**
543 * Check the requirement for a certain feature on the connection
544 *
545 */
546
547 _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
548 uint32_t feature)
549 {
550 if (!gensec_security->ops || !gensec_security->ops->have_feature) {
551 return false;
552 }
553
554 /* We might 'have' features that we don't 'want', because the
555 * other end demanded them, or we can't neotiate them off */
556 return gensec_security->ops->have_feature(gensec_security, feature);
557 }
558
559 _PUBLIC_ NTTIME gensec_expire_time(struct gensec_security *gensec_security)
560 {
561 if (!gensec_security->ops->expire_time) {
562 return GENSEC_EXPIRE_TIME_INFINITY;
563 }
564
565 return gensec_security->ops->expire_time(gensec_security);
566 }
567 /**
568 * Return the credentials structure associated with a GENSEC context
569 *
570 */
571
572 _PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
573 {
574 if (!gensec_security) {
575 return NULL;
576 }
577 return gensec_security->credentials;
578 }
579
580 /**
581 * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
582 *
583 */
584
585 _PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
586 {
587 gensec_security->target.service = talloc_strdup(gensec_security, service);
588 if (!gensec_security->target.service) {
589 return NT_STATUS_NO_MEMORY;
590 }
591 return NT_STATUS_OK;
592 }
593
594 _PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
595 {
596 if (gensec_security->target.service) {
597 return gensec_security->target.service;
598 }
599
600 return "host";
601 }
602
603 /**
604 * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
605 *
606 */
607
608 _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
609 {
610 gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
611 if (hostname && !gensec_security->target.hostname) {
612 return NT_STATUS_NO_MEMORY;
613 }
614 return NT_STATUS_OK;
615 }
616
617 _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
618 {
619 /* We allow the target hostname to be overriden for testing purposes */
620 if (gensec_security->settings->target_hostname) {
621 return gensec_security->settings->target_hostname;
622 }
623
624 if (gensec_security->target.hostname) {
625 return gensec_security->target.hostname;
626 }
627
628 /* We could add use the 'set sockaddr' call, and do a reverse
629 * lookup, but this would be both insecure (compromising the
630 * way kerberos works) and add DNS timeouts */
631 return NULL;
632 }
633
634 /**
635 * Set (and copy) local and peer socket addresses onto a socket
636 * context on the GENSEC context.
637 *
638 * This is so that kerberos can include these addresses in
639 * cryptographic tokens, to avoid certain attacks.
640 */
641
642 /**
643 * @brief Set the local gensec address.
644 *
645 * @param gensec_security The gensec security context to use.
646 *
647 * @param remote The local address to set.
648 *
649 * @return On success NT_STATUS_OK is returned or an NT_STATUS
650 * error.
651 */
652 _PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
653 const struct tsocket_address *local)
654 {
655 TALLOC_FREE(gensec_security->local_addr);
656
657 if (local == NULL) {
658 return NT_STATUS_OK;
659 }
660
661 gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
662 if (gensec_security->local_addr == NULL) {
663 return NT_STATUS_NO_MEMORY;
664 }
665
666 return NT_STATUS_OK;
667 }
668
669 /**
670 * @brief Set the remote gensec address.
671 *
672 * @param gensec_security The gensec security context to use.
673 *
674 * @param remote The remote address to set.
675 *
676 * @return On success NT_STATUS_OK is returned or an NT_STATUS
677 * error.
678 */
679 _PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
680 const struct tsocket_address *remote)
681 {
682 TALLOC_FREE(gensec_security->remote_addr);
683
684 if (remote == NULL) {
685 return NT_STATUS_OK;
686 }
687
688 gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
689 if (gensec_security->remote_addr == NULL) {
690 return NT_STATUS_NO_MEMORY;
691 }
692
693 return NT_STATUS_OK;
694 }
695
696 /**
697 * @brief Get the local address from a gensec security context.
698 *
699 * @param gensec_security The security context to get the address from.
700 *
701 * @return The address as tsocket_address which could be NULL if
702 * no address is set.
703 */
704 _PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
705 {
706 if (gensec_security == NULL) {
707 return NULL;
708 }
709 return gensec_security->local_addr;
710 }
711
712 /**
713 * @brief Get the remote address from a gensec security context.
714 *
715 * @param gensec_security The security context to get the address from.
716 *
717 * @return The address as tsocket_address which could be NULL if
718 * no address is set.
719 */
720 _PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
721 {
722 if (gensec_security == NULL) {
723 return NULL;
724 }
725 return gensec_security->remote_addr;
726 }
727
728 /**
729 * Set the target principal (assuming it it known, say from the SPNEGO reply)
730 * - ensures it is talloc()ed
731 *
732 */
733
734 _PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
735 {
736 gensec_security->target.principal = talloc_strdup(gensec_security, principal);
737 if (!gensec_security->target.principal) {
738 return NT_STATUS_NO_MEMORY;
739 }
740 return NT_STATUS_OK;
741 }
742
743 _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
744 {
745 if (gensec_security->target.principal) {
746 return gensec_security->target.principal;
747 }
748
749 return NULL;
750 }
Samba GIT mirror