2 Unix SMB/CIFS implementation.
4 Generic Authentication Interface
6 Copyright (C) Andrew Tridgell 2003
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "system/network.h"
25 #define TEVENT_DEPRECATED 1
27 #include "lib/tsocket/tsocket.h"
28 #include "lib/util/tevent_ntstatus.h"
29 #include "auth/gensec/gensec.h"
30 #include "auth/gensec/gensec_internal.h"
31 #include "librpc/gen_ndr/dcerpc.h"
32 #include "auth/common_auth.h"
35 #define DBGC_CLASS DBGC_AUTH
37 _PRIVATE_ NTSTATUS
gensec_may_reset_crypto(struct gensec_security
*gensec_security
,
40 if (!gensec_security
->ops
->may_reset_crypto
) {
44 return gensec_security
->ops
->may_reset_crypto(gensec_security
, full_reset
);
48 wrappers for the gensec function pointers
50 _PUBLIC_ NTSTATUS
gensec_unseal_packet(struct gensec_security
*gensec_security
,
51 uint8_t *data
, size_t length
,
52 const uint8_t *whole_pdu
, size_t pdu_length
,
55 if (!gensec_security
->ops
->unseal_packet
) {
56 return NT_STATUS_NOT_IMPLEMENTED
;
58 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
59 return NT_STATUS_INVALID_PARAMETER
;
61 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
62 return NT_STATUS_INVALID_PARAMETER
;
64 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_DCE_STYLE
)) {
65 return NT_STATUS_INVALID_PARAMETER
;
68 return gensec_security
->ops
->unseal_packet(gensec_security
,
70 whole_pdu
, pdu_length
,
74 _PUBLIC_ NTSTATUS
gensec_check_packet(struct gensec_security
*gensec_security
,
75 const uint8_t *data
, size_t length
,
76 const uint8_t *whole_pdu
, size_t pdu_length
,
79 if (!gensec_security
->ops
->check_packet
) {
80 return NT_STATUS_NOT_IMPLEMENTED
;
82 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
83 return NT_STATUS_INVALID_PARAMETER
;
86 return gensec_security
->ops
->check_packet(gensec_security
, data
, length
, whole_pdu
, pdu_length
, sig
);
89 _PUBLIC_ NTSTATUS
gensec_seal_packet(struct gensec_security
*gensec_security
,
91 uint8_t *data
, size_t length
,
92 const uint8_t *whole_pdu
, size_t pdu_length
,
95 if (!gensec_security
->ops
->seal_packet
) {
96 return NT_STATUS_NOT_IMPLEMENTED
;
98 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
99 return NT_STATUS_INVALID_PARAMETER
;
101 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
102 return NT_STATUS_INVALID_PARAMETER
;
104 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_DCE_STYLE
)) {
105 return NT_STATUS_INVALID_PARAMETER
;
108 return gensec_security
->ops
->seal_packet(gensec_security
, mem_ctx
, data
, length
, whole_pdu
, pdu_length
, sig
);
111 _PUBLIC_ NTSTATUS
gensec_sign_packet(struct gensec_security
*gensec_security
,
113 const uint8_t *data
, size_t length
,
114 const uint8_t *whole_pdu
, size_t pdu_length
,
117 if (!gensec_security
->ops
->sign_packet
) {
118 return NT_STATUS_NOT_IMPLEMENTED
;
120 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
121 return NT_STATUS_INVALID_PARAMETER
;
124 return gensec_security
->ops
->sign_packet(gensec_security
, mem_ctx
, data
, length
, whole_pdu
, pdu_length
, sig
);
127 _PUBLIC_
size_t gensec_sig_size(struct gensec_security
*gensec_security
, size_t data_size
)
129 if (!gensec_security
->ops
->sig_size
) {
132 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
135 if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
136 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_DCE_STYLE
)) {
141 return gensec_security
->ops
->sig_size(gensec_security
, data_size
);
144 _PUBLIC_
size_t gensec_max_wrapped_size(struct gensec_security
*gensec_security
)
146 if (!gensec_security
->ops
->max_wrapped_size
) {
150 return gensec_security
->ops
->max_wrapped_size(gensec_security
);
153 _PUBLIC_
size_t gensec_max_input_size(struct gensec_security
*gensec_security
)
155 if (!gensec_security
->ops
->max_input_size
) {
156 return (1 << 17) - gensec_sig_size(gensec_security
, 1 << 17);
159 return gensec_security
->ops
->max_input_size(gensec_security
);
162 _PUBLIC_ NTSTATUS
gensec_wrap(struct gensec_security
*gensec_security
,
167 if (!gensec_security
->ops
->wrap
) {
168 return NT_STATUS_NOT_IMPLEMENTED
;
170 return gensec_security
->ops
->wrap(gensec_security
, mem_ctx
, in
, out
);
173 _PUBLIC_ NTSTATUS
gensec_unwrap(struct gensec_security
*gensec_security
,
178 if (!gensec_security
->ops
->unwrap
) {
179 return NT_STATUS_NOT_IMPLEMENTED
;
181 return gensec_security
->ops
->unwrap(gensec_security
, mem_ctx
, in
, out
);
184 _PUBLIC_ NTSTATUS
gensec_session_key(struct gensec_security
*gensec_security
,
186 DATA_BLOB
*session_key
)
188 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SESSION_KEY
)) {
189 return NT_STATUS_NO_USER_SESSION_KEY
;
192 if (!gensec_security
->ops
->session_key
) {
193 return NT_STATUS_NOT_IMPLEMENTED
;
196 return gensec_security
->ops
->session_key(gensec_security
, mem_ctx
, session_key
);
199 const char *gensec_final_auth_type(struct gensec_security
*gensec_security
)
201 if (!gensec_security
->ops
->final_auth_type
) {
202 return gensec_security
->ops
->name
;
205 return gensec_security
->ops
->final_auth_type(gensec_security
);
209 * Log details of a successful GENSEC authorization to a service.
211 * Only successful authorizations are logged, as only these call gensec_session_info()
213 * The service may later refuse authorization due to an ACL.
216 static void log_successful_gensec_authz_event(struct gensec_security
*gensec_security
,
217 struct auth_session_info
*session_info
)
219 const struct tsocket_address
*remote
220 = gensec_get_remote_address(gensec_security
);
221 const struct tsocket_address
*local
222 = gensec_get_local_address(gensec_security
);
223 const char *service_description
224 = gensec_get_target_service_description(gensec_security
);
225 const char *final_auth_type
226 = gensec_final_auth_type(gensec_security
);
227 const char *transport_protection
= NULL
;
228 if (gensec_security
->want_features
& GENSEC_FEATURE_SMB_TRANSPORT
) {
229 transport_protection
= AUTHZ_TRANSPORT_PROTECTION_SMB
;
230 } else if (gensec_security
->want_features
& GENSEC_FEATURE_LDAPS_TRANSPORT
) {
231 transport_protection
= AUTHZ_TRANSPORT_PROTECTION_TLS
;
232 } else if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
233 transport_protection
= AUTHZ_TRANSPORT_PROTECTION_SEAL
;
234 } else if (gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
235 transport_protection
= AUTHZ_TRANSPORT_PROTECTION_SIGN
;
237 transport_protection
= AUTHZ_TRANSPORT_PROTECTION_NONE
;
239 log_successful_authz_event(gensec_security
->auth_context
->msg_ctx
,
240 gensec_security
->auth_context
->lp_ctx
,
244 transport_protection
,
250 * Return the credentials of a logged on user, including session keys
253 * Only valid after a successful authentication
255 * May only be called once per authentication. This will also make an
256 * authorization log entry, as it is already called by all the
261 _PUBLIC_ NTSTATUS
gensec_session_info(struct gensec_security
*gensec_security
,
263 struct auth_session_info
**session_info
)
266 if (!gensec_security
->ops
->session_info
) {
267 return NT_STATUS_NOT_IMPLEMENTED
;
269 status
= gensec_security
->ops
->session_info(gensec_security
, mem_ctx
, session_info
);
271 if (NT_STATUS_IS_OK(status
) && !gensec_security
->subcontext
272 && (gensec_security
->want_features
& GENSEC_FEATURE_NO_AUTHZ_LOG
) == 0) {
273 log_successful_gensec_authz_event(gensec_security
, *session_info
);
279 _PUBLIC_
void gensec_set_max_update_size(struct gensec_security
*gensec_security
,
280 uint32_t max_update_size
)
282 gensec_security
->max_update_size
= max_update_size
;
285 _PUBLIC_
size_t gensec_max_update_size(struct gensec_security
*gensec_security
)
287 if (gensec_security
->max_update_size
== 0) {
291 return gensec_security
->max_update_size
;
294 static NTSTATUS
gensec_verify_features(struct gensec_security
*gensec_security
)
299 * gensec_want_feature(GENSEC_FEATURE_SIGN)
301 * gensec_want_feature(GENSEC_FEATURE_SEAL)
302 * require these flags to be available.
304 if (gensec_security
->want_features
& GENSEC_FEATURE_SIGN
) {
305 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
306 DEBUG(0,("Did not manage to negotiate mandatory feature "
308 return NT_STATUS_ACCESS_DENIED
;
311 if (gensec_security
->want_features
& GENSEC_FEATURE_SEAL
) {
312 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SEAL
)) {
313 DEBUG(0,("Did not manage to negotiate mandatory feature "
315 return NT_STATUS_ACCESS_DENIED
;
317 if (!gensec_have_feature(gensec_security
, GENSEC_FEATURE_SIGN
)) {
318 DEBUG(0,("Did not manage to negotiate mandatory feature "
320 return NT_STATUS_ACCESS_DENIED
;
324 if (gensec_security
->dcerpc_auth_level
< DCERPC_AUTH_LEVEL_PACKET
) {
328 ok
= gensec_have_feature(gensec_security
,
329 GENSEC_FEATURE_SIGN_PKT_HEADER
);
331 DBG_ERR("backend [%s] does not support header signing! "
332 "auth_level[0x%x]\n",
333 gensec_security
->ops
->name
,
334 gensec_security
->dcerpc_auth_level
);
335 return NT_STATUS_INTERNAL_ERROR
;
342 * Next state function for the GENSEC state machine
344 * @param gensec_security GENSEC State
345 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
346 * @param in The request, as a DATA_BLOB
347 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
348 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
349 * or NT_STATUS_OK if the user is authenticated.
351 _PUBLIC_ NTSTATUS
gensec_update(struct gensec_security
*gensec_security
,
352 TALLOC_CTX
*out_mem_ctx
,
353 const DATA_BLOB in
, DATA_BLOB
*out
)
356 TALLOC_CTX
*frame
= NULL
;
357 struct tevent_context
*ev
= NULL
;
358 struct tevent_req
*subreq
= NULL
;
361 if (gensec_security
->subcontext
) {
363 * gensec modules are not allowed to call the sync version.
365 return NT_STATUS_INTERNAL_ERROR
;
368 frame
= talloc_stackframe();
370 ev
= samba_tevent_context_init(frame
);
372 status
= NT_STATUS_NO_MEMORY
;
377 * TODO: remove this hack once the backends
380 tevent_loop_allow_nesting(ev
);
382 subreq
= gensec_update_send(frame
, ev
, gensec_security
, in
);
383 if (subreq
== NULL
) {
384 status
= NT_STATUS_NO_MEMORY
;
387 ok
= tevent_req_poll_ntstatus(subreq
, ev
, &status
);
391 status
= gensec_update_recv(subreq
, out_mem_ctx
, out
);
397 struct gensec_update_state
{
398 const struct gensec_security_ops
*ops
;
399 struct gensec_security
*gensec_security
;
404 static void gensec_update_cleanup(struct tevent_req
*req
,
405 enum tevent_req_state req_state
);
406 static void gensec_update_done(struct tevent_req
*subreq
);
409 * Next state function for the GENSEC state machine async version
411 * @param mem_ctx The memory context for the request
412 * @param ev The event context for the request
413 * @param gensec_security GENSEC State
414 * @param in The request, as a DATA_BLOB
416 * @return The request handle or NULL on no memory failure
419 _PUBLIC_
struct tevent_req
*gensec_update_send(TALLOC_CTX
*mem_ctx
,
420 struct tevent_context
*ev
,
421 struct gensec_security
*gensec_security
,
424 struct tevent_req
*req
= NULL
;
425 struct gensec_update_state
*state
= NULL
;
426 struct tevent_req
*subreq
= NULL
;
428 req
= tevent_req_create(mem_ctx
, &state
,
429 struct gensec_update_state
);
433 state
->ops
= gensec_security
->ops
;
434 state
->gensec_security
= gensec_security
;
436 if (gensec_security
->update_busy_ptr
!= NULL
) {
437 tevent_req_nterror(req
, NT_STATUS_INTERNAL_ERROR
);
438 return tevent_req_post(req
, ev
);
441 if (gensec_security
->child_security
!= NULL
) {
442 tevent_req_nterror(req
, NT_STATUS_INVALID_PARAMETER
);
443 return tevent_req_post(req
, ev
);
446 gensec_security
->update_busy_ptr
= &state
->gensec_security
;
447 tevent_req_set_cleanup_fn(req
, gensec_update_cleanup
);
449 subreq
= state
->ops
->update_send(state
, ev
, gensec_security
, in
);
450 if (tevent_req_nomem(subreq
, req
)) {
451 return tevent_req_post(req
, ev
);
453 tevent_req_set_callback(subreq
, gensec_update_done
, req
);
455 DBG_DEBUG("%s[%p]: subreq: %p\n", state
->ops
->name
,
456 state
->gensec_security
, subreq
);
461 static void gensec_update_cleanup(struct tevent_req
*req
,
462 enum tevent_req_state req_state
)
464 struct gensec_update_state
*state
=
466 struct gensec_update_state
);
468 if (state
->gensec_security
== NULL
) {
472 if (state
->gensec_security
->update_busy_ptr
== &state
->gensec_security
) {
473 state
->gensec_security
->update_busy_ptr
= NULL
;
476 state
->gensec_security
= NULL
;
479 static void gensec_update_done(struct tevent_req
*subreq
)
481 struct tevent_req
*req
=
482 tevent_req_callback_data(subreq
,
484 struct gensec_update_state
*state
=
486 struct gensec_update_state
);
488 const char *debug_subreq
= NULL
;
490 if (CHECK_DEBUGLVL(DBGLVL_DEBUG
)) {
492 * We need to call tevent_req_print()
493 * before calling the _recv function,
494 * before tevent_req_received() was called.
495 * in order to print the pointer value of
498 debug_subreq
= tevent_req_print(state
, subreq
);
501 status
= state
->ops
->update_recv(subreq
, state
, &state
->out
);
503 state
->status
= status
;
504 if (GENSEC_UPDATE_IS_NTERROR(status
)) {
505 NTSTATUS orig_status
= status
;
506 bool force_no_such_user
= false;
509 * callers only expect NT_STATUS_NO_SUCH_USER.
511 if (NT_STATUS_EQUAL(status
, NT_STATUS_INVALID_ACCOUNT_NAME
)) {
512 force_no_such_user
= true;
513 } else if (NT_STATUS_EQUAL(status
, NT_STATUS_NO_SUCH_DOMAIN
)) {
514 force_no_such_user
= true;
517 if (state
->gensec_security
->subcontext
) {
519 * We should only map on the outer
520 * gensec_update exchange, spnego
521 * needs the raw status.
523 force_no_such_user
= false;
526 if (force_no_such_user
) {
528 * nt_status_squash() may map
529 * to NT_STATUS_LOGON_FAILURE later
531 status
= NT_STATUS_NO_SUCH_USER
;
534 DBG_INFO("%s[%p]: %s%s%s%s%s\n",
536 state
->gensec_security
,
537 NT_STATUS_EQUAL(status
, orig_status
) ?
538 "" : nt_errstr(orig_status
),
539 NT_STATUS_EQUAL(status
, orig_status
) ?
542 debug_subreq
? " " : "",
543 debug_subreq
? debug_subreq
: "");
544 tevent_req_nterror(req
, status
);
547 DBG_DEBUG("%s[%p]: %s %s\n", state
->ops
->name
,
548 state
->gensec_security
, nt_errstr(status
),
550 if (NT_STATUS_EQUAL(status
, NT_STATUS_MORE_PROCESSING_REQUIRED
)) {
551 tevent_req_done(req
);
556 * Because callers using the
557 * gensec_start_mech_by_authtype() never call
558 * gensec_want_feature(), it isn't sensible for them
559 * to have to call gensec_have_feature() manually, and
560 * these are not points of negotiation, but are
561 * asserted by the client
563 status
= gensec_verify_features(state
->gensec_security
);
564 if (tevent_req_nterror(req
, status
)) {
568 tevent_req_done(req
);
572 * Next state function for the GENSEC state machine
574 * @param req request state
575 * @param out_mem_ctx The TALLOC_CTX for *out to be allocated on
576 * @param out The reply, as an talloc()ed DATA_BLOB, on *out_mem_ctx
577 * @return Error, MORE_PROCESSING_REQUIRED if a reply is sent,
578 * or NT_STATUS_OK if the user is authenticated.
580 _PUBLIC_ NTSTATUS
gensec_update_recv(struct tevent_req
*req
,
581 TALLOC_CTX
*out_mem_ctx
,
584 struct gensec_update_state
*state
=
585 tevent_req_data(req
, struct gensec_update_state
);
588 *out
= data_blob_null
;
590 if (tevent_req_is_nterror(req
, &status
)) {
591 tevent_req_received(req
);
596 talloc_steal(out_mem_ctx
, out
->data
);
597 status
= state
->status
;
598 tevent_req_received(req
);
603 * Set the requirement for a certain feature on the connection
607 _PUBLIC_
void gensec_want_feature(struct gensec_security
*gensec_security
,
610 if (!gensec_security
->ops
|| !gensec_security
->ops
->want_feature
) {
611 gensec_security
->want_features
|= feature
;
614 gensec_security
->ops
->want_feature(gensec_security
, feature
);
618 * Check the requirement for a certain feature on the connection
622 _PUBLIC_
bool gensec_have_feature(struct gensec_security
*gensec_security
,
625 if (!gensec_security
->ops
|| !gensec_security
->ops
->have_feature
) {
629 /* We might 'have' features that we don't 'want', because the
630 * other end demanded them, or we can't negotiate them off */
631 return gensec_security
->ops
->have_feature(gensec_security
, feature
);
634 _PUBLIC_ NTTIME
gensec_expire_time(struct gensec_security
*gensec_security
)
636 if (!gensec_security
->ops
->expire_time
) {
637 return GENSEC_EXPIRE_TIME_INFINITY
;
640 return gensec_security
->ops
->expire_time(gensec_security
);
643 * Return the credentials structure associated with a GENSEC context
647 _PUBLIC_
struct cli_credentials
*gensec_get_credentials(struct gensec_security
*gensec_security
)
649 if (!gensec_security
) {
652 return gensec_security
->credentials
;
656 * Set the target service (such as 'http' or 'host') on a GENSEC context - ensures it is talloc()ed
658 * This is used for Kerberos service principal name resolution.
661 _PUBLIC_ NTSTATUS
gensec_set_target_service(struct gensec_security
*gensec_security
, const char *service
)
663 gensec_security
->target
.service
= talloc_strdup(gensec_security
, service
);
664 if (!gensec_security
->target
.service
) {
665 return NT_STATUS_NO_MEMORY
;
670 _PUBLIC_
const char *gensec_get_target_service(struct gensec_security
*gensec_security
)
672 if (gensec_security
->target
.service
) {
673 return gensec_security
->target
.service
;
680 * Set the target service (such as 'samr') on an GENSEC context - ensures it is talloc()ed.
682 * This is not the Kerberos service principal, instead this is a
683 * constant value that can be logged as part of authentication and
684 * authorization logging
686 _PUBLIC_ NTSTATUS
gensec_set_target_service_description(struct gensec_security
*gensec_security
,
689 gensec_security
->target
.service_description
= talloc_strdup(gensec_security
, service
);
690 if (!gensec_security
->target
.service_description
) {
691 return NT_STATUS_NO_MEMORY
;
696 _PUBLIC_
const char *gensec_get_target_service_description(struct gensec_security
*gensec_security
)
698 if (gensec_security
->target
.service_description
) {
699 return gensec_security
->target
.service_description
;
700 } else if (gensec_security
->target
.service
) {
701 return gensec_security
->target
.service
;
708 * Set the target hostname (suitable for kerberos resolutation) on a GENSEC context - ensures it is talloc()ed
712 _PUBLIC_ NTSTATUS
gensec_set_target_hostname(struct gensec_security
*gensec_security
, const char *hostname
)
714 gensec_security
->target
.hostname
= talloc_strdup(gensec_security
, hostname
);
715 if (hostname
&& !gensec_security
->target
.hostname
) {
716 return NT_STATUS_NO_MEMORY
;
721 _PUBLIC_
const char *gensec_get_target_hostname(struct gensec_security
*gensec_security
)
723 /* We allow the target hostname to be overridden for testing purposes */
724 if (gensec_security
->settings
->target_hostname
) {
725 return gensec_security
->settings
->target_hostname
;
728 if (gensec_security
->target
.hostname
) {
729 return gensec_security
->target
.hostname
;
732 /* We could add use the 'set sockaddr' call, and do a reverse
733 * lookup, but this would be both insecure (compromising the
734 * way kerberos works) and add DNS timeouts */
739 * Set (and copy) local and peer socket addresses onto a socket
740 * context on the GENSEC context.
742 * This is so that kerberos can include these addresses in
743 * cryptographic tokens, to avoid certain attacks.
747 * @brief Set the local gensec address.
749 * @param gensec_security The gensec security context to use.
751 * @param remote The local address to set.
753 * @return On success NT_STATUS_OK is returned or an NT_STATUS
756 _PUBLIC_ NTSTATUS
gensec_set_local_address(struct gensec_security
*gensec_security
,
757 const struct tsocket_address
*local
)
759 TALLOC_FREE(gensec_security
->local_addr
);
765 gensec_security
->local_addr
= tsocket_address_copy(local
, gensec_security
);
766 if (gensec_security
->local_addr
== NULL
) {
767 return NT_STATUS_NO_MEMORY
;
774 * @brief Set the remote gensec address.
776 * @param gensec_security The gensec security context to use.
778 * @param remote The remote address to set.
780 * @return On success NT_STATUS_OK is returned or an NT_STATUS
783 _PUBLIC_ NTSTATUS
gensec_set_remote_address(struct gensec_security
*gensec_security
,
784 const struct tsocket_address
*remote
)
786 TALLOC_FREE(gensec_security
->remote_addr
);
788 if (remote
== NULL
) {
792 gensec_security
->remote_addr
= tsocket_address_copy(remote
, gensec_security
);
793 if (gensec_security
->remote_addr
== NULL
) {
794 return NT_STATUS_NO_MEMORY
;
801 * @brief Get the local address from a gensec security context.
803 * @param gensec_security The security context to get the address from.
805 * @return The address as tsocket_address which could be NULL if
808 _PUBLIC_
const struct tsocket_address
*gensec_get_local_address(struct gensec_security
*gensec_security
)
810 if (gensec_security
== NULL
) {
813 return gensec_security
->local_addr
;
817 * @brief Get the remote address from a gensec security context.
819 * @param gensec_security The security context to get the address from.
821 * @return The address as tsocket_address which could be NULL if
824 _PUBLIC_
const struct tsocket_address
*gensec_get_remote_address(struct gensec_security
*gensec_security
)
826 if (gensec_security
== NULL
) {
829 return gensec_security
->remote_addr
;
833 * Set the target principal (assuming it it known, say from the SPNEGO reply)
834 * - ensures it is talloc()ed
838 _PUBLIC_ NTSTATUS
gensec_set_target_principal(struct gensec_security
*gensec_security
, const char *principal
)
840 gensec_security
->target
.principal
= talloc_strdup(gensec_security
, principal
);
841 if (!gensec_security
->target
.principal
) {
842 return NT_STATUS_NO_MEMORY
;
847 _PUBLIC_
const char *gensec_get_target_principal(struct gensec_security
*gensec_security
)
849 if (gensec_security
->target
.principal
) {
850 return gensec_security
->target
.principal
;