diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2011-08-01 15:39:01 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2011-08-03 18:48:02 +1000 |
| commit | 35b309fa0cac9341f364243b03ebfcc80f74198e (patch) | |
| tree | b99fc49ec70be97a41289b3978db367fba63a769 | |
| parent | d3fe48ba48b25f359292ee96dbf5cecc0b0b16a3 (diff) | |
| download | samba-35b309fa0cac9341f364243b03ebfcc80f74198e.tar.gz samba-35b309fa0cac9341f364243b03ebfcc80f74198e.tar.bz2 samba-35b309fa0cac9341f364243b03ebfcc80f74198e.zip | |
gensec: clarify memory ownership for gensec_session_info() and gensec_session_key()
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.
Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.
Andrew Bartlett
24 files changed, 74 insertions, 75 deletions
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c index 4736e73d5a..417b05cf06 100644 --- a/auth/gensec/gensec.c +++ b/auth/gensec/gensec.c @@ -148,7 +148,8 @@ _PUBLIC_ NTSTATUS gensec_unwrap(struct gensec_security *gensec_security, } _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, - DATA_BLOB *session_key) + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key) { if (!gensec_security->ops->session_key) { return NT_STATUS_NOT_IMPLEMENTED; @@ -157,7 +158,7 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, return NT_STATUS_NO_USER_SESSION_KEY; } - return gensec_security->ops->session_key(gensec_security, session_key); + return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key); } /** @@ -171,12 +172,13 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, */ _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security, - struct auth_session_info **session_info) + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) { if (!gensec_security->ops->session_info) { return NT_STATUS_NOT_IMPLEMENTED; } - return gensec_security->ops->session_info(gensec_security, session_info); + return gensec_security->ops->session_info(gensec_security, mem_ctx, session_info); } /** diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h index 852618c1af..38f2513742 100644 --- a/auth/gensec/gensec.h +++ b/auth/gensec/gensec.h @@ -132,8 +132,9 @@ struct gensec_security_ops { size_t *len_processed); NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security, DATA_BLOB blob, size_t *size); - NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key); - NTSTATUS (*session_info)(struct gensec_security *gensec_security, + NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key); + NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, struct auth_session_info **session_info); void (*want_feature)(struct gensec_security *gensec_security, uint32_t feature); @@ -233,6 +234,7 @@ const char *gensec_get_target_service(struct gensec_security *gensec_security); NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname); const char *gensec_get_target_hostname(struct gensec_security *gensec_security); NTSTATUS gensec_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, DATA_BLOB *session_key); NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, const char *mech_oid); @@ -269,6 +271,7 @@ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct auth4_context *auth_context, struct gensec_security **gensec_security); NTSTATUS gensec_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, struct auth_session_info **session_info); NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security, diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 4dd809856c..55610f5742 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -169,9 +169,6 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) break; } - gensec_gssapi_state->session_key = data_blob(NULL, 0); - gensec_gssapi_state->pac = data_blob(NULL, 0); - ret = smb_krb5_init_context(gensec_gssapi_state, NULL, gensec_security->settings->lp_ctx, @@ -1242,6 +1239,7 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security, * This breaks all the abstractions, but what do you expect... */ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, DATA_BLOB *session_key) { struct gensec_gssapi_state *gensec_gssapi_state @@ -1253,11 +1251,6 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit return NT_STATUS_NO_USER_SESSION_KEY; } - if (gensec_gssapi_state->session_key.data) { - *session_key = gensec_gssapi_state->session_key; - return NT_STATUS_OK; - } - maj_stat = gsskrb5_get_subkey(&min_stat, gensec_gssapi_state->gssapi_context, &subkey); @@ -1269,10 +1262,9 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit DEBUG(10, ("Got KRB5 session key of length %d%s\n", (int)KRB5_KEY_LENGTH(subkey), (gensec_gssapi_state->sasl_state == STAGE_DONE)?" (done)":"")); - *session_key = data_blob_talloc(gensec_gssapi_state, + *session_key = data_blob_talloc(mem_ctx, KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey)); krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey); - gensec_gssapi_state->session_key = *session_key; dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); return NT_STATUS_OK; @@ -1282,6 +1274,7 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit * this session. This uses either the PAC (if present) or a local * database lookup */ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx_out, struct auth_session_info **_session_info) { NTSTATUS nt_status; @@ -1302,7 +1295,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return NT_STATUS_INVALID_PARAMETER; } - mem_ctx = talloc_named(gensec_gssapi_state, 0, "gensec_gssapi_session_info context"); + mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); NT_STATUS_HAVE_NO_MEMORY(mem_ctx); nt_status = gssapi_obtain_pac_blob(mem_ctx, gensec_gssapi_state->gssapi_context, @@ -1391,7 +1384,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return nt_status; } - nt_status = gensec_gssapi_session_key(gensec_security, &session_info->session_key); + nt_status = gensec_gssapi_session_key(gensec_security, session_info, &session_info->session_key); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; @@ -1436,9 +1429,8 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi /* It has been taken from this place... */ gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL; } - talloc_steal(gensec_gssapi_state, session_info); + *_session_info = talloc_steal(mem_ctx_out, session_info); talloc_free(mem_ctx); - *_session_info = session_info; return NT_STATUS_OK; } diff --git a/source4/auth/gensec/gensec_gssapi.h b/source4/auth/gensec/gensec_gssapi.h index 1b826b963d..246fc99a72 100644 --- a/source4/auth/gensec/gensec_gssapi.h +++ b/source4/auth/gensec/gensec_gssapi.h @@ -43,9 +43,6 @@ struct gensec_gssapi_state { OM_uint32 want_flags, got_flags; gss_OID gss_oid; - DATA_BLOB session_key; - DATA_BLOB pac; - struct smb_krb5_context *smb_krb5_context; struct gssapi_creds_container *client_cred; struct gssapi_creds_container *server_cred; diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 90794b850c..b3a20e4b63 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -50,8 +50,6 @@ enum GENSEC_KRB5_STATE { }; struct gensec_krb5_state { - DATA_BLOB session_key; - DATA_BLOB pac; enum GENSEC_KRB5_STATE state_position; struct smb_krb5_context *smb_krb5_context; krb5_auth_context auth_context; @@ -115,8 +113,6 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security, bool gensec_krb5_state->ticket = NULL; ZERO_STRUCT(gensec_krb5_state->enc_ticket); gensec_krb5_state->keyblock = NULL; - gensec_krb5_state->session_key = data_blob(NULL, 0); - gensec_krb5_state->pac = data_blob(NULL, 0); gensec_krb5_state->gssapi = gssapi; talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); @@ -559,6 +555,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, } static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, DATA_BLOB *session_key) { struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; @@ -571,11 +568,6 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, return NT_STATUS_NO_USER_SESSION_KEY; } - if (gensec_krb5_state->session_key.data) { - *session_key = gensec_krb5_state->session_key; - return NT_STATUS_OK; - } - switch (gensec_security->gensec_role) { case GENSEC_CLIENT: err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey); @@ -587,9 +579,8 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, if (err == 0 && skey != NULL) { DEBUG(10, ("Got KRB5 session key of length %d\n", (int)KRB5_KEY_LENGTH(skey))); - gensec_krb5_state->session_key = data_blob_talloc(gensec_krb5_state, - KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); - *session_key = gensec_krb5_state->session_key; + *session_key = data_blob_talloc(mem_ctx, + KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey)); dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length); krb5_free_keyblock(context, skey); @@ -601,6 +592,7 @@ static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security, } static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx_out, struct auth_session_info **_session_info) { NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; @@ -618,7 +610,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security krb5_error_code ret; - TALLOC_CTX *mem_ctx = talloc_new(gensec_security); + TALLOC_CTX *mem_ctx = talloc_new(mem_ctx_out); if (!mem_ctx) { return NT_STATUS_NO_MEMORY; } @@ -736,16 +728,15 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security return nt_status; } - nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key); + nt_status = gensec_krb5_session_key(gensec_security, session_info, &session_info->session_key); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; } - *_session_info = session_info; + *_session_info = talloc_steal(mem_ctx_out, session_info); - talloc_steal(gensec_krb5_state, session_info); talloc_free(mem_ctx); return NT_STATUS_OK; } diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c index 102836533c..6a69fd3f9d 100644 --- a/source4/auth/gensec/pygensec.c +++ b/source4/auth/gensec/pygensec.c @@ -257,6 +257,7 @@ static PyObject *py_gensec_set_credentials(PyObject *self, PyObject *args) static PyObject *py_gensec_session_info(PyObject *self) { + TALLOC_CTX *mem_ctx; NTSTATUS status; PyObject *py_session_info; struct gensec_security *security = py_talloc_get_type(self, struct gensec_security); @@ -265,7 +266,9 @@ static PyObject *py_gensec_session_info(PyObject *self) PyErr_SetString(PyExc_RuntimeError, "no mechanism selected"); return NULL; } - status = gensec_session_info(security, &info); + mem_ctx = talloc_new(NULL); + + status = gensec_session_info(security, mem_ctx, &info); if (NT_STATUS_IS_ERR(status)) { PyErr_SetNTSTATUS(status); return NULL; @@ -273,6 +276,7 @@ static PyObject *py_gensec_session_info(PyObject *self) py_session_info = py_return_ndr_struct("samba.dcerpc.auth", "session_info", info, info); + talloc_free(mem_ctx); return py_session_info; } diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index 8f9aa921a9..67d928e710 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -43,7 +43,8 @@ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t } static NTSTATUS schannel_session_key(struct gensec_security *gensec_security, - DATA_BLOB *session_key) + TALLOC_CTX *mem_ctx, + DATA_BLOB *session_key) { return NT_STATUS_NOT_IMPLEMENTED; } @@ -215,10 +216,11 @@ _PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, */ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security, - struct auth_session_info **_session_info) + TALLOC_CTX *mem_ctx, + struct auth_session_info **_session_info) { struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); - return auth_anonymous_session_info(state, gensec_security->settings->lp_ctx, _session_info); + return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info); } static NTSTATUS schannel_start(struct gensec_security *gensec_security) diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index c48e87e8b5..66204ee262 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c @@ -295,6 +295,7 @@ static size_t gensec_spnego_max_wrapped_size(struct gensec_security *gensec_secu } static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, DATA_BLOB *session_key) { struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data; @@ -303,11 +304,13 @@ static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_securit } return gensec_session_key(spnego_state->sub_sec_security, + mem_ctx, session_key); } static NTSTATUS gensec_spnego_session_info(struct gensec_security *gensec_security, - struct auth_session_info **session_info) + TALLOC_CTX *mem_ctx, + struct auth_session_info **session_info) { struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data; if (!spnego_state->sub_sec_security) { @@ -315,6 +318,7 @@ static NTSTATUS gensec_spnego_session_info(struct gensec_security *gensec_securi } return gensec_session_info(spnego_state->sub_sec_security, + mem_ctx, session_info); } diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c index 1a15d319a9..a53e5547ab 100644 --- a/source4/auth/ntlmssp/ntlmssp.c +++ b/source4/auth/ntlmssp/ntlmssp.c @@ -181,6 +181,7 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security, */ NTSTATUS gensec_ntlmssp_session_key(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, DATA_BLOB *session_key) { struct gensec_ntlmssp_context *gensec_ntlmssp = @@ -195,7 +196,10 @@ NTSTATUS gensec_ntlmssp_session_key(struct gensec_security *gensec_security, if (!ntlmssp_state->session_key.data) { return NT_STATUS_NO_USER_SESSION_KEY; } - *session_key = ntlmssp_state->session_key; + *session_key = data_blob_talloc(mem_ctx, ntlmssp_state->session_key.data, ntlmssp_state->session_key.length); + if (!session_key->data) { + return NT_STATUS_NO_MEMORY; + } return NT_STATUS_OK; } diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index 240edbeaad..477972d1d4 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c @@ -213,6 +213,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, */ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, struct auth_session_info **session_info) { NTSTATUS nt_status; @@ -221,17 +222,14 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, struct gensec_ntlmssp_context); struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; - nt_status = gensec_generate_session_info(ntlmssp_state, + nt_status = gensec_generate_session_info(mem_ctx, gensec_security, gensec_ntlmssp->user_info_dc, session_info); NT_STATUS_NOT_OK_RETURN(nt_status); - (*session_info)->session_key = data_blob_talloc(*session_info, - ntlmssp_state->session_key.data, - ntlmssp_state->session_key.length); - - return NT_STATUS_OK; + return gensec_ntlmssp_session_key(gensec_security, *session_info, + &(*session_info)->session_key); } /** diff --git a/source4/dsdb/repl/drepl_out_helpers.c b/source4/dsdb/repl/drepl_out_helpers.c index ebf2f77708..7b513a8050 100644 --- a/source4/dsdb/repl/drepl_out_helpers.c +++ b/source4/dsdb/repl/drepl_out_helpers.c @@ -114,6 +114,7 @@ static void dreplsrv_out_drsuapi_connect_done(struct composite_context *creq) state->drsuapi->drsuapi_handle = state->drsuapi->pipe->binding_handle; status = gensec_session_key(state->drsuapi->pipe->conn->security_state.generic_state, + state->drsuapi, &state->drsuapi->gensec_skey); if (tevent_req_nterror(req, status)) { return; diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 5d288f69a7..478dcaf573 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -227,6 +227,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc, size_t pw_len; if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security, + mem_ctx, &session_info))) { return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_HARDERROR, diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 105e64078f..fd7deda499 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -68,8 +68,7 @@ static NTSTATUS ldapsrv_BindSimple(struct ldapsrv_call *call) errstr = NULL; talloc_unlink(call->conn, call->conn->session_info); - call->conn->session_info = session_info; - talloc_steal(call->conn, session_info); + call->conn->session_info = talloc_steal(call->conn, session_info); /* don't leak the old LDB */ talloc_unlink(call->conn, call->conn->ldb); @@ -277,7 +276,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) old_session_info = conn->session_info; conn->session_info = NULL; - status = gensec_session_info(conn->gensec, &conn->session_info); + status = gensec_session_info(conn->gensec, conn, &conn->session_info); if (!NT_STATUS_IS_OK(status)) { conn->session_info = old_session_info; result = LDAP_OPERATIONS_ERROR; @@ -286,7 +285,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) req->creds.SASL.mechanism, nt_errstr(status)); } else { talloc_unlink(conn, old_session_info); - talloc_steal(conn, conn->session_info); /* don't leak the old LDB */ talloc_unlink(conn, conn->ldb); diff --git a/source4/libcli/smb2/session.c b/source4/libcli/smb2/session.c index d46cdefc69..0f749a0b6c 100644 --- a/source4/libcli/smb2/session.c +++ b/source4/libcli/smb2/session.c @@ -233,8 +233,6 @@ static void smb2_session_setup_spnego_handler(struct smb2_request *subreq) tevent_req_data(req, struct smb2_session_setup_spnego_state); struct smb2_session *session = subreq->session; - NTSTATUS session_key_err; - DATA_BLOB session_key; NTSTATUS peer_status; NTSTATUS status; @@ -267,10 +265,7 @@ static void smb2_session_setup_spnego_handler(struct smb2_request *subreq) return; } - session_key_err = gensec_session_key(session->gensec, &session_key); - if (NT_STATUS_IS_OK(session_key_err)) { - session->session_key = session_key; - } + gensec_session_key(session->gensec, session, &session->session_key); if (session->transport->signing_required) { if (session->session_key.length == 0) { diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c index ebc35983d2..d617055c41 100644 --- a/source4/libcli/smb_composite/sesssetup.c +++ b/source4/libcli/smb_composite/sesssetup.c @@ -200,10 +200,9 @@ static void request_handler(struct smbcli_request *req) c->status = NT_STATUS_INTERNAL_ERROR; break; } - session_key_err = gensec_session_key(session->gensec, &session_key); + session_key_err = gensec_session_key(session->gensec, session, &session->user_session_key); if (NT_STATUS_IS_OK(session_key_err)) { - set_user_session_key(session, &session_key); - smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob); + smbcli_transport_simple_set_signing(session->transport, session->user_session_key, null_data_blob); } } diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c index 4d845ca1f0..aabb3b41a8 100644 --- a/source4/libnet/libnet_become_dc.c +++ b/source4/libnet/libnet_become_dc.c @@ -1595,6 +1595,7 @@ static void becomeDC_drsuapi1_connect_recv(struct composite_context *req) s->drsuapi1.drsuapi_handle = s->drsuapi1.pipe->binding_handle; c->status = gensec_session_key(s->drsuapi1.pipe->conn->security_state.generic_state, + s, &s->drsuapi1.gensec_skey); if (!composite_is_ok(c)) return; @@ -2475,6 +2476,7 @@ static void becomeDC_drsuapi2_connect_recv(struct composite_context *req) s->drsuapi2.drsuapi_handle = s->drsuapi2.pipe->binding_handle; c->status = gensec_session_key(s->drsuapi2.pipe->conn->security_state.generic_state, + s, &s->drsuapi2.gensec_skey); if (!composite_is_ok(c)) return; @@ -2535,6 +2537,7 @@ static void becomeDC_drsuapi3_connect_recv(struct composite_context *req) s->drsuapi3.drsuapi_handle = s->drsuapi3.pipe->binding_handle; c->status = gensec_session_key(s->drsuapi3.pipe->conn->security_state.generic_state, + s, &s->drsuapi3.gensec_skey); if (!composite_is_ok(c)) return; diff --git a/source4/libnet/py_net.c b/source4/libnet/py_net.c index fdf21592ad..90fa1d56d6 100644 --- a/source4/libnet/py_net.c +++ b/source4/libnet/py_net.c @@ -434,6 +434,7 @@ static PyObject *py_net_replicate_init(py_net_Object *self, PyObject *args, PyOb } status = gensec_session_key(s->drs_pipe->pipe->conn->security_state.generic_state, + s, &s->gensec_skey); if (!NT_STATUS_IS_OK(status)) { PyErr_Format(PyExc_RuntimeError, "Unable to get session key from drspipe: %s", diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 0802cd4323..ee7a86ab85 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -119,6 +119,7 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe if (NT_STATUS_IS_OK(status)) { status = gensec_session_info(dce_conn->auth_state.gensec_security, + dce_conn, &dce_conn->auth_state.session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); @@ -175,6 +176,7 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call) &dce_conn->auth_state.auth_info->credentials); if (NT_STATUS_IS_OK(status)) { status = gensec_session_info(dce_conn->auth_state.gensec_security, + dce_conn, &dce_conn->auth_state.session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); @@ -254,6 +256,7 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack if (NT_STATUS_IS_OK(status)) { status = gensec_session_info(dce_conn->auth_state.gensec_security, + dce_conn, &dce_conn->auth_state.session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index 116f2cd958..c84be7f79b 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c @@ -379,10 +379,11 @@ static void sesssetup_spnego_send(struct tevent_req *subreq) goto failed; } - status = gensec_session_info(smb_sess->gensec_ctx, &session_info); + status = gensec_session_info(smb_sess->gensec_ctx, smb_sess, &session_info); if (!NT_STATUS_IS_OK(status)) goto failed; - skey_status = gensec_session_key(smb_sess->gensec_ctx, &session_key); + /* The session_key is only needed until the end of the smbsrv_setup_signing() call */ + skey_status = gensec_session_key(smb_sess->gensec_ctx, req, &session_key); if (NT_STATUS_IS_OK(skey_status)) { smbsrv_setup_signing(req->smb_conn, &session_key, NULL); } diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c index 94fe0da9fa..60e5500ee7 100644 --- a/source4/smb_server/smb2/sesssetup.c +++ b/source4/smb_server/smb2/sesssetup.c @@ -79,7 +79,7 @@ static void smb2srv_sesssetup_callback(struct tevent_req *subreq) goto failed; } - status = gensec_session_info(smb_sess->gensec_ctx, &session_info); + status = gensec_session_info(smb_sess->gensec_ctx, smb_sess, &session_info); if (!NT_STATUS_IS_OK(status)) { goto failed; } diff --git a/source4/torture/drs/rpc/dssync.c b/source4/torture/drs/rpc/dssync.c index 8279e736b1..7149da4a85 100644 --- a/source4/torture/drs/rpc/dssync.c +++ b/source4/torture/drs/rpc/dssync.c @@ -678,7 +678,7 @@ static bool test_GetNCChanges(struct torture_context *tctx, } } status = gensec_session_key(ctx->new_dc.drsuapi.drs_pipe->conn->security_state.generic_state, - &gensec_skey); + ctx, &gensec_skey); if (!NT_STATUS_IS_OK(status)) { printf("failed to get gensec session key: %s\n", nt_errstr(status)); return false; diff --git a/source4/torture/drs/rpc/msds_intid.c b/source4/torture/drs/rpc/msds_intid.c index 14c6454abe..c866c2181b 100644 --- a/source4/torture/drs/rpc/msds_intid.c +++ b/source4/torture/drs/rpc/msds_intid.c @@ -185,7 +185,7 @@ static bool _test_DsaBind(struct torture_context *tctx, bi->drs_handle = bi->drs_pipe->binding_handle; status = gensec_session_key(bi->drs_pipe->conn->security_state.generic_state, - &bi->gensec_skey); + mem_ctx, &bi->gensec_skey); torture_assert_ntstatus_ok(tctx, status, "failed to get gensec session key"); /* Bind to DRSUAPI interface */ diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 37fb8af147..88a40b4fe4 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -129,7 +129,7 @@ static bool test_PACVerify(struct torture_context *tctx, /* Extract the PAC using Samba's code */ - status = gensec_session_info(gensec_server_context, &session_info); + status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info); torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed"); torture_assert(tctx, session_info->torture != NULL, "gensec_session_info failed to fill in torture sub struct"); torture_assert(tctx, session_info->torture->pac_srv_sig != NULL, "pac_srv_sig not present"); @@ -468,7 +468,7 @@ static bool test_S2U4Self(struct torture_context *tctx, /* Extract the PAC using Samba's code */ - status = gensec_session_info(gensec_server_context, &kinit_session_info); + status = gensec_session_info(gensec_server_context, gensec_server_context, &kinit_session_info); torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed"); @@ -530,7 +530,7 @@ static bool test_S2U4Self(struct torture_context *tctx, /* Extract the PAC using Samba's code */ - status = gensec_session_info(gensec_server_context, &s2u4self_session_info); + status = gensec_session_info(gensec_server_context, gensec_server_context, &s2u4self_session_info); torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed"); cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx, diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index d5c385cbc6..465d9b5982 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -575,7 +575,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, char *grouplist = NULL; struct auth_session_info *session_info; - nt_status = gensec_session_info(state->gensec_state, &session_info); + nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status))); mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status)); @@ -604,7 +604,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (strncmp(buf, "GK", 2) == 0) { char *base64_key; DEBUG(10, ("Requested session key\n")); - nt_status = gensec_session_key(state->gensec_state, &session_key); + nt_status = gensec_session_key(state->gensec_state, mem_ctx, &session_key); if(!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("gensec_session_key failed: %s\n", nt_errstr(nt_status))); mux_printf(mux_id, "BH No session key\n"); @@ -671,7 +671,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, } else if /* OK */ (state->gensec_state->gensec_role == GENSEC_SERVER) { struct auth_session_info *session_info; - nt_status = gensec_session_info(state->gensec_state, &session_info); + nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { reply_code = "BH Failed to retrive session info"; reply_arg = nt_errstr(nt_status); |