search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
wscript: Only build gensec_krb5 with heimdal.
[Samba.git] / auth / gensec / gensec.c
blob8b5c02d111cef7a8d36bd9b50051de680f88c35f
1 /*
2 Unix SMB/CIFS implementation.
3
4 Generic Authentication Interface
5
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/network.h"
25 #define TEVENT_DEPRECATED 1
26 #include <tevent.h>
27 #include "lib/tsocket/tsocket.h"
28 #include "lib/util/tevent_ntstatus.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/gensec/gensec_internal.h"
31 #include "librpc/gen_ndr/dcerpc.h"
32
33 /*
34 wrappers for the gensec function pointers
35 */
36 _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
37 uint8_t *data, size_t length,
38 const uint8_t *whole_pdu, size_t pdu_length,
39 const DATA_BLOB *sig)
40 {
41 if (!gensec_security->ops->unseal_packet) {
42 return NT_STATUS_NOT_IMPLEMENTED;
43 }
44 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
45 return NT_STATUS_INVALID_PARAMETER;
46 }
47
48 return gensec_security->ops->unseal_packet(gensec_security,
49 data, length,
50 whole_pdu, pdu_length,
51 sig);
52 }
53
54 _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
55 const uint8_t *data, size_t length,
56 const uint8_t *whole_pdu, size_t pdu_length,
57 const DATA_BLOB *sig)
58 {
59 if (!gensec_security->ops->check_packet) {
60 return NT_STATUS_NOT_IMPLEMENTED;
61 }
62 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
63 return NT_STATUS_INVALID_PARAMETER;
64 }
65
66 return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig);
67 }
68
69 _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
70 TALLOC_CTX *mem_ctx,
71 uint8_t *data, size_t length,
72 const uint8_t *whole_pdu, size_t pdu_length,
73 DATA_BLOB *sig)
74 {
75 if (!gensec_security->ops->seal_packet) {
76 return NT_STATUS_NOT_IMPLEMENTED;
77 }
78 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
79 return NT_STATUS_INVALID_PARAMETER;
80 }
81 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
82 return NT_STATUS_INVALID_PARAMETER;
83 }
84
85 return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
86 }
87
88 _PUBLIC_ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
89 TALLOC_CTX *mem_ctx,
90 const uint8_t *data, size_t length,
91 const uint8_t *whole_pdu, size_t pdu_length,
92 DATA_BLOB *sig)
93 {
94 if (!gensec_security->ops->sign_packet) {
95 return NT_STATUS_NOT_IMPLEMENTED;
96 }
97 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
98 return NT_STATUS_INVALID_PARAMETER;
99 }
100
101 return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
102 }
103
104 _PUBLIC_ size_t gensec_sig_size(struct gensec_security *gensec_security, size_t data_size)
105 {
106 if (!gensec_security->ops->sig_size) {
107 return 0;
108 }
109 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
110 return 0;
111 }
112
113 return gensec_security->ops->sig_size(gensec_security, data_size);
114 }
115
116 _PUBLIC_ size_t gensec_max_wrapped_size(struct gensec_security *gensec_security)
117 {
118 if (!gensec_security->ops->max_wrapped_size) {
119 return (1 << 17);
120 }
121
122 return gensec_security->ops->max_wrapped_size(gensec_security);
123 }
124
125 _PUBLIC_ size_t gensec_max_input_size(struct gensec_security *gensec_security)
126 {
127 if (!gensec_security->ops->max_input_size) {
128 return (1 << 17) - gensec_sig_size(gensec_security, 1 << 17);
129 }
130
131 return gensec_security->ops->max_input_size(gensec_security);
132 }
133
134 _PUBLIC_ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
135 TALLOC_CTX *mem_ctx,
136 const DATA_BLOB *in,
137 DATA_BLOB *out)
138 {
139 if (!gensec_security->ops->wrap) {
140 return NT_STATUS_NOT_IMPLEMENTED;
141 }
142 return gensec_security->ops->wrap(gensec_security, mem_ctx, in, out);
143 }
144
145 _PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security,
146 TALLOC_CTX *mem_ctx,
147 const DATA_BLOB *in,
148 DATA_BLOB *out)
149 {
150 if (!gensec_security->ops->unwrap) {
151 return NT_STATUS_NOT_IMPLEMENTED;
152 }
153 return gensec_security->ops->unwrap(gensec_security, mem_ctx, in, out);
154 }
155
156 _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
157 TALLOC_CTX *mem_ctx,
158 DATA_BLOB *session_key)
159 {
160 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
161 return NT_STATUS_NO_USER_SESSION_KEY;
162 }
163
164 if (!gensec_security->ops->session_key) {
165 return NT_STATUS_NOT_IMPLEMENTED;
166 }
167
168 return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
169 }
170
171 /**
172 * Return the credentials of a logged on user, including session keys
173 * etc.
174 *
175 * Only valid after a successful authentication
176 *
177 * May only be called once per authentication.
178 *
179 */
180
181 _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
182 TALLOC_CTX *mem_ctx,
183 struct auth_session_info **session_info)
184 {
185 if (!gensec_security->ops->session_info) {
186 return NT_STATUS_NOT_IMPLEMENTED;
187 }
188 return gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
189 }
190
191 _PUBLIC_ void gensec_set_max_update_size(struct gensec_security *gensec_security,
192 uint32_t max_update_size)
193 {
194 gensec_security->max_update_size = max_update_size;
195 }
196
197 _PUBLIC_ size_t gensec_max_update_size(struct gensec_security *gensec_security)
198 {
199 if (gensec_security->max_update_size == 0) {
200 return UINT32_MAX;
201 }
202
203 return gensec_security->max_update_size;
204 }
205
206 _PUBLIC_ NTSTATUS gensec_update_ev(struct gensec_security *gensec_security,
207 TALLOC_CTX *out_mem_ctx,
208 struct tevent_context *ev,
209 const DATA_BLOB in, DATA_BLOB *out)
210 {
211 NTSTATUS status;
212 const struct gensec_security_ops *ops = gensec_security->ops;
213 TALLOC_CTX *frame = NULL;
214 struct tevent_req *subreq = NULL;
215 bool ok;
216
217 if (ops->update_send == NULL) {
218
219 if (ev == NULL) {
220 frame = talloc_stackframe();
221
222 ev = samba_tevent_context_init(frame);
223 if (ev == NULL) {
224 status = NT_STATUS_NO_MEMORY;
225 goto fail;
226 }
227
228 /*
229 * TODO: remove this hack once the backends
230 * are fixed.
231 */
232 tevent_loop_allow_nesting(ev);
233 }
234
235 status = ops->update(gensec_security, out_mem_ctx,
236 ev, in, out);
237 TALLOC_FREE(frame);
238 if (!NT_STATUS_IS_OK(status)) {
239 return status;
240 }
241
242 /*
243 * Because callers using the
244 * gensec_start_mech_by_auth_type() never call
245 * gensec_want_feature(), it isn't sensible for them
246 * to have to call gensec_have_feature() manually, and
247 * these are not points of negotiation, but are
248 * asserted by the client
249 */
250 switch (gensec_security->dcerpc_auth_level) {
251 case DCERPC_AUTH_LEVEL_INTEGRITY:
252 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
253 DEBUG(0,("Did not manage to negotiate mandetory feature "
254 "SIGN for dcerpc auth_level %u\n",
255 gensec_security->dcerpc_auth_level));
256 return NT_STATUS_ACCESS_DENIED;
257 }
258 break;
259 case DCERPC_AUTH_LEVEL_PRIVACY:
260 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
261 DEBUG(0,("Did not manage to negotiate mandetory feature "
262 "SIGN for dcerpc auth_level %u\n",
263 gensec_security->dcerpc_auth_level));
264 return NT_STATUS_ACCESS_DENIED;
265 }
266 if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
267 DEBUG(0,("Did not manage to negotiate mandetory feature "
268 "SEAL for dcerpc auth_level %u\n",
269 gensec_security->dcerpc_auth_level));
270 return NT_STATUS_ACCESS_DENIED;
271 }
272 break;
273 default:
274 break;
275 }
276
277 return NT_STATUS_OK;
278 }
279
280 frame = talloc_stackframe();
281
282 if (ev == NULL) {
283 ev = samba_tevent_context_init(frame);
284 if (ev == NULL) {
285 status = NT_STATUS_NO_MEMORY;
286 goto fail;
287 }
288
289 /*
290 * TODO: remove this hack once the backends
291 * are fixed.
292 */
293 tevent_loop_allow_nesting(ev);
294 }
295
296 subreq = ops->update_send(frame, ev, gensec_security, in);
297 if (subreq == NULL) {
298 status = NT_STATUS_NO_MEMORY;
299 goto fail;
300 }
301 ok = tevent_req_poll_ntstatus(subreq, ev, &status);
302 if (!ok) {
303 goto fail;
304 }
305 status = ops->update_recv(subreq, out_mem_ctx, out);
306 fail:
307 TALLOC_FREE(frame);
308 return status;
309 }
310
311 /**
312 * Next state function for the GENSEC state machine
313 *
314 * @param gensec_security GENSEC State
315 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
316 * @param in The request, as a DATA_BLOB
317 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
318 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
319 * or NT_STATUS_OK if the user is authenticated.
320 */
321
322 _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security,
323 TALLOC_CTX *out_mem_ctx,
324 const DATA_BLOB in, DATA_BLOB *out)
325 {
326 return gensec_update_ev(gensec_security, out_mem_ctx, NULL, in, out);
327 }
328
329 struct gensec_update_state {
330 const struct gensec_security_ops *ops;
331 struct tevent_req *subreq;
332 struct gensec_security *gensec_security;
333 DATA_BLOB out;
334
335 /*
336 * only for sync backends, we should remove this
337 * once all backends are async.
338 */
339 struct tevent_immediate *im;
340 DATA_BLOB in;
341 };
342
343 static void gensec_update_async_trigger(struct tevent_context *ctx,
344 struct tevent_immediate *im,
345 void *private_data);
346 static void gensec_update_subreq_done(struct tevent_req *subreq);
347
348 /**
349 * Next state function for the GENSEC state machine async version
350 *
351 * @param mem_ctx The memory context for the request
352 * @param ev The event context for the request
353 * @param gensec_security GENSEC State
354 * @param in The request, as a DATA_BLOB
355 *
356 * @return The request handle or NULL on no memory failure
357 */
358
359 _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
360 struct tevent_context *ev,
361 struct gensec_security *gensec_security,
362 const DATA_BLOB in)
363 {
364 struct tevent_req *req;
365 struct gensec_update_state *state = NULL;
366
367 req = tevent_req_create(mem_ctx, &state,
368 struct gensec_update_state);
369 if (req == NULL) {
370 return NULL;
371 }
372
373 state->ops = gensec_security->ops;
374 state->gensec_security = gensec_security;
375
376 if (state->ops->update_send == NULL) {
377 state->in = in;
378 state->im = tevent_create_immediate(state);
379 if (tevent_req_nomem(state->im, req)) {
380 return tevent_req_post(req, ev);
381 }
382
383 tevent_schedule_immediate(state->im, ev,
384 gensec_update_async_trigger,
385 req);
386
387 return req;
388 }
389
390 state->subreq = state->ops->update_send(state, ev, gensec_security, in);
391 if (tevent_req_nomem(state->subreq, req)) {
392 return tevent_req_post(req, ev);
393 }
394
395 tevent_req_set_callback(state->subreq,
396 gensec_update_subreq_done,
397 req);
398
399 return req;
400 }
401
402 static void gensec_update_async_trigger(struct tevent_context *ctx,
403 struct tevent_immediate *im,
404 void *private_data)
405 {
406 struct tevent_req *req =
407 talloc_get_type_abort(private_data, struct tevent_req);
408 struct gensec_update_state *state =
409 tevent_req_data(req, struct gensec_update_state);
410 NTSTATUS status;
411
412 status = state->ops->update(state->gensec_security, state, ctx,
413 state->in, &state->out);
414 if (tevent_req_nterror(req, status)) {
415 return;
416 }
417
418 tevent_req_done(req);
419 }
420
421 static void gensec_update_subreq_done(struct tevent_req *subreq)
422 {
423 struct tevent_req *req =
424 tevent_req_callback_data(subreq,
425 struct tevent_req);
426 struct gensec_update_state *state =
427 tevent_req_data(req,
428 struct gensec_update_state);
429 NTSTATUS status;
430
431 state->subreq = NULL;
432
433 status = state->ops->update_recv(subreq, state, &state->out);
434 TALLOC_FREE(subreq);
435 if (tevent_req_nterror(req, status)) {
436 return;
437 }
438
439 /*
440 * Because callers using the
441 * gensec_start_mech_by_authtype() never call
442 * gensec_want_feature(), it isn't sensible for them
443 * to have to call gensec_have_feature() manually, and
444 * these are not points of negotiation, but are
445 * asserted by the client
446 */
447 switch (state->gensec_security->dcerpc_auth_level) {
448 case DCERPC_AUTH_LEVEL_INTEGRITY:
449 if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
450 DEBUG(0,("Did not manage to negotiate mandetory feature "
451 "SIGN for dcerpc auth_level %u\n",
452 state->gensec_security->dcerpc_auth_level));
453 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
454 return;
455 }
456 break;
457 case DCERPC_AUTH_LEVEL_PRIVACY:
458 if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
459 DEBUG(0,("Did not manage to negotiate mandetory feature "
460 "SIGN for dcerpc auth_level %u\n",
461 state->gensec_security->dcerpc_auth_level));
462 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
463 return;
464 }
465 if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
466 DEBUG(0,("Did not manage to negotiate mandetory feature "
467 "SEAL for dcerpc auth_level %u\n",
468 state->gensec_security->dcerpc_auth_level));
469 tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
470 return;
471 }
472 break;
473 default:
474 break;
475 }
476
477 tevent_req_done(req);
478 }
479
480 /**
481 * Next state function for the GENSEC state machine
482 *
483 * @param req request state
484 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
485 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
486 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
487 * or NT_STATUS_OK if the user is authenticated.
488 */
489 _PUBLIC_ NTSTATUS gensec_update_recv(struct tevent_req *req,
490 TALLOC_CTX *out_mem_ctx,
491 DATA_BLOB *out)
492 {
493 struct gensec_update_state *state =
494 tevent_req_data(req, struct gensec_update_state);
495 NTSTATUS status;
496
497 if (tevent_req_is_nterror(req, &status)) {
498 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
499 tevent_req_received(req);
500 return status;
501 }
502 } else {
503 status = NT_STATUS_OK;
504 }
505
506 *out = state->out;
507 talloc_steal(out_mem_ctx, out->data);
508
509 tevent_req_received(req);
510 return status;
511 }
512
513 /**
514 * Set the requirement for a certain feature on the connection
515 *
516 */
517
518 _PUBLIC_ void gensec_want_feature(struct gensec_security *gensec_security,
519 uint32_t feature)
520 {
521 if (!gensec_security->ops || !gensec_security->ops->want_feature) {
522 gensec_security->want_features |= feature;
523 return;
524 }
525 gensec_security->ops->want_feature(gensec_security, feature);
526 }
527
528 /**
529 * Check the requirement for a certain feature on the connection
530 *
531 */
532
533 _PUBLIC_ bool gensec_have_feature(struct gensec_security *gensec_security,
534 uint32_t feature)
535 {
536 if (!gensec_security->ops->have_feature) {
537 return false;
538 }
539
540 /* We might 'have' features that we don't 'want', because the
541 * other end demanded them, or we can't neotiate them off */
542 return gensec_security->ops->have_feature(gensec_security, feature);
543 }
544
545 _PUBLIC_ NTTIME gensec_expire_time(struct gensec_security *gensec_security)
546 {
547 if (!gensec_security->ops->expire_time) {
548 return GENSEC_EXPIRE_TIME_INFINITY;
549 }
550
551 return gensec_security->ops->expire_time(gensec_security);
552 }
553 /**
554 * Return the credentials structure associated with a GENSEC context
555 *
556 */
557
558 _PUBLIC_ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
559 {
560 if (!gensec_security) {
561 return NULL;
562 }
563 return gensec_security->credentials;
564 }
565
566 /**
567 * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
568 *
569 */
570
571 _PUBLIC_ NTSTATUS gensec_set_target_service(struct gensec_security *gensec_security, const char *service)
572 {
573 gensec_security->target.service = talloc_strdup(gensec_security, service);
574 if (!gensec_security->target.service) {
575 return NT_STATUS_NO_MEMORY;
576 }
577 return NT_STATUS_OK;
578 }
579
580 _PUBLIC_ const char *gensec_get_target_service(struct gensec_security *gensec_security)
581 {
582 if (gensec_security->target.service) {
583 return gensec_security->target.service;
584 }
585
586 return "host";
587 }
588
589 /**
590 * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
591 *
592 */
593
594 _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname)
595 {
596 gensec_security->target.hostname = talloc_strdup(gensec_security, hostname);
597 if (hostname && !gensec_security->target.hostname) {
598 return NT_STATUS_NO_MEMORY;
599 }
600 return NT_STATUS_OK;
601 }
602
603 _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
604 {
605 /* We allow the target hostname to be overriden for testing purposes */
606 if (gensec_security->settings->target_hostname) {
607 return gensec_security->settings->target_hostname;
608 }
609
610 if (gensec_security->target.hostname) {
611 return gensec_security->target.hostname;
612 }
613
614 /* We could add use the 'set sockaddr' call, and do a reverse
615 * lookup, but this would be both insecure (compromising the
616 * way kerberos works) and add DNS timeouts */
617 return NULL;
618 }
619
620 /**
621 * Set (and copy) local and peer socket addresses onto a socket
622 * context on the GENSEC context.
623 *
624 * This is so that kerberos can include these addresses in
625 * cryptographic tokens, to avoid certain attacks.
626 */
627
628 /**
629 * @brief Set the local gensec address.
630 *
631 * @param gensec_security The gensec security context to use.
632 *
633 * @param remote The local address to set.
634 *
635 * @return On success NT_STATUS_OK is returned or an NT_STATUS
636 * error.
637 */
638 _PUBLIC_ NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
639 const struct tsocket_address *local)
640 {
641 TALLOC_FREE(gensec_security->local_addr);
642
643 if (local == NULL) {
644 return NT_STATUS_OK;
645 }
646
647 gensec_security->local_addr = tsocket_address_copy(local, gensec_security);
648 if (gensec_security->local_addr == NULL) {
649 return NT_STATUS_NO_MEMORY;
650 }
651
652 return NT_STATUS_OK;
653 }
654
655 /**
656 * @brief Set the remote gensec address.
657 *
658 * @param gensec_security The gensec security context to use.
659 *
660 * @param remote The remote address to set.
661 *
662 * @return On success NT_STATUS_OK is returned or an NT_STATUS
663 * error.
664 */
665 _PUBLIC_ NTSTATUS gensec_set_remote_address(struct gensec_security *gensec_security,
666 const struct tsocket_address *remote)
667 {
668 TALLOC_FREE(gensec_security->remote_addr);
669
670 if (remote == NULL) {
671 return NT_STATUS_OK;
672 }
673
674 gensec_security->remote_addr = tsocket_address_copy(remote, gensec_security);
675 if (gensec_security->remote_addr == NULL) {
676 return NT_STATUS_NO_MEMORY;
677 }
678
679 return NT_STATUS_OK;
680 }
681
682 /**
683 * @brief Get the local address from a gensec security context.
684 *
685 * @param gensec_security The security context to get the address from.
686 *
687 * @return The address as tsocket_address which could be NULL if
688 * no address is set.
689 */
690 _PUBLIC_ const struct tsocket_address *gensec_get_local_address(struct gensec_security *gensec_security)
691 {
692 if (gensec_security == NULL) {
693 return NULL;
694 }
695 return gensec_security->local_addr;
696 }
697
698 /**
699 * @brief Get the remote address from a gensec security context.
700 *
701 * @param gensec_security The security context to get the address from.
702 *
703 * @return The address as tsocket_address which could be NULL if
704 * no address is set.
705 */
706 _PUBLIC_ const struct tsocket_address *gensec_get_remote_address(struct gensec_security *gensec_security)
707 {
708 if (gensec_security == NULL) {
709 return NULL;
710 }
711 return gensec_security->remote_addr;
712 }
713
714 /**
715 * Set the target principal (assuming it it known, say from the SPNEGO reply)
716 * - ensures it is talloc()ed
717 *
718 */
719
720 _PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
721 {
722 gensec_security->target.principal = talloc_strdup(gensec_security, principal);
723 if (!gensec_security->target.principal) {
724 return NT_STATUS_NO_MEMORY;
725 }
726 return NT_STATUS_OK;
727 }
728
729 _PUBLIC_ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
730 {
731 if (gensec_security->target.principal) {
732 return gensec_security->target.principal;
733 }
734
735 return NULL;
736 }
Samba GIT mirror