s3-libsmb: Use data_blob_talloc to get krb5 ticket and session keys

7 files changed, 44 insertions, 26 deletions

diff --git a/source3/include/krb5_protos.h b/source3/include/krb5_protos.h
index b65fb17d9c..97e6871c89 100644
--- a/source3/include/krb5_protos.h
+++ b/source3/include/krb5_protos.h
@@ -46,7 +46,10 @@ krb5_error_code smb_krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, st
 krb5_error_code krb5_locate_kdc(krb5_context ctx, const krb5_data *realm, struct sockaddr **addr_pp, int *naddrs, int get_masters);
 #endif
 krb5_error_code get_kerberos_allowed_etypes(krb5_context context, krb5_enctype **enctypes);
-bool get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, DATA_BLOB *session_key, bool remote);
+bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+			      krb5_context context,
+			      krb5_auth_context auth_context,
+			      DATA_BLOB *session_key, bool remote);
 krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
 krb5_principal kerberos_fetch_salt_princ_for_host_princ(krb5_context context, krb5_principal host_princ, int enctype);
 void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
@@ -141,9 +144,10 @@ char *smb_krb5_principal_get_realm(krb5_context context,
 				   krb5_principal principal);
 #endif /* HAVE_KRB5 */
 
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+			const char *principal, time_t time_offset,
 			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
-			uint32 extra_ap_opts, const char *ccname,
+			uint32_t extra_ap_opts, const char *ccname,
 			time_t *tgs_expire,
 			const char *impersonate_princ_s);
 
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 305b6072bc..00062f4457 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -406,7 +406,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_INVALID_LOGON_TYPE;
 	}
 
-	ret = cli_krb5_get_ticket(local_service,
+	ret = cli_krb5_get_ticket(mem_ctx,
+				  local_service,
 				  time_offset,
 				  &tkt,
 				  &sesskey1,
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index c07259394b..10edd076bb 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -615,7 +615,8 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 		ZERO_STRUCT(packet);
 	}
 
-	get_krb5_smb_session_key(context, auth_context, session_key, True);
+	get_krb5_smb_session_key(mem_ctx, context,
+				 auth_context, session_key, true);
 	dump_data_pw("SMB session key (from ticket)\n", session_key->data, session_key->length);
 
 #if 0
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index adec435728..68b45d8908 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -828,9 +828,10 @@ cleanup_princ:
 /*
   get a kerberos5 ticket for the given service
 */
-int cli_krb5_get_ticket(const char *principal, time_t time_offset,
+int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+			const char *principal, time_t time_offset,
 			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
-			uint32 extra_ap_opts, const char *ccname,
+			uint32_t extra_ap_opts, const char *ccname,
 			time_t *tgs_expire,
 			const char *impersonate_princ_s)
 
@@ -881,10 +882,10 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset,
 		goto failed;
 	}
 
-	get_krb5_smb_session_key(context, auth_context,
-				 session_key_krb5, False);
+	get_krb5_smb_session_key(mem_ctx, context, auth_context,
+				 session_key_krb5, false);
 
-	*ticket = data_blob(packet.data, packet.length);
+	*ticket = data_blob_talloc(mem_ctx, packet.data, packet.length);
 
  	kerberos_free_data_contents(context, &packet);
 
@@ -901,7 +902,8 @@ failed:
 	return retval;
 }
 
-bool get_krb5_smb_session_key(krb5_context context,
+bool get_krb5_smb_session_key(TALLOC_CTX *mem_ctx,
+			      krb5_context context,
 			      krb5_auth_context auth_context,
 			      DATA_BLOB *session_key, bool remote)
 {
@@ -925,9 +927,12 @@ bool get_krb5_smb_session_key(krb5_context context,
 	DEBUG(10, ("Got KRB5 session key of length %d\n",
 		   (int)KRB5_KEY_LENGTH(skey)));
 
-	*session_key = data_blob(KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
+	*session_key = data_blob_talloc(mem_ctx,
+					 KRB5_KEY_DATA(skey),
+					 KRB5_KEY_LENGTH(skey));
 	dump_data_pw("KRB5 Session Key:\n",
-			session_key->data, session_key->length);
+		     session_key->data,
+		     session_key->length);
 
 	ret = true;
 
@@ -2277,8 +2282,10 @@ char *smb_krb5_principal_get_realm(krb5_context context,
 
 #else /* HAVE_KRB5 */
  /* this saves a few linking headaches */
- int cli_krb5_get_ticket(const char *principal, time_t time_offset, 
-			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts,
+ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+			const char *principal, time_t time_offset,
+			DATA_BLOB *ticket, DATA_BLOB *session_key_krb5,
+			uint32_t extra_ap_opts,
 			const char *ccname, time_t *tgs_expire,
 			const char *impersonate_princ_s)
 {
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 66e023a91d..539b411056 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -301,12 +301,13 @@ int spnego_gen_krb5_negTokenInit(TALLOC_CTX *ctx,
 	const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_KERBEROS5, OID_NTLMSSP, NULL};
 
 	/* get a kerberos ticket for the service and extract the session key */
-	retval = cli_krb5_get_ticket(principal, time_offset,
-					&tkt, session_key_krb5, extra_ap_opts, NULL, 
-					expire_time, NULL);
-
-	if (retval)
+	retval = cli_krb5_get_ticket(ctx, principal, time_offset,
+					  &tkt, session_key_krb5,
+					  extra_ap_opts, NULL,
+					  expire_time, NULL);
+	if (retval) {
 		return retval;
+	}
 
 	/* wrap that up in a nice GSS-API wrapping */
 	tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ);
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 50b0efadb2..c3712f77ba 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1288,8 +1288,10 @@ static NTSTATUS create_krb5_auth_bind_req(struct rpc_pipe_client *cli,
 
 	/* Create the ticket for the service principal and return it in a gss-api wrapped blob. */
 
-	ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt,
-			&a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL, NULL);
+	ret = cli_krb5_get_ticket(a, a->service_principal, 0,
+				  &tkt, &a->session_key,
+				  AP_OPTS_MUTUAL_REQUIRED, NULL,
+				  NULL, NULL);
 
 	if (ret) {
 		DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s "
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index bfdc369b15..971ba96220 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1602,8 +1602,9 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
 	       spnego.negTokenInit.mechListMIC.length);
 	principal[spnego.negTokenInit.mechListMIC.length] = '\0';
 
-	retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL);
-
+	retval = cli_krb5_get_ticket(ctx, principal, 0,
+					  &tkt, &session_key_krb5,
+					  0, NULL, NULL, NULL);
 	if (retval) {
 		char *user = NULL;
 
@@ -1626,8 +1627,9 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
 			return False;
 		}
 
-		retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL, NULL);
-
+		retval = cli_krb5_get_ticket(ctx, principal, 0,
+						  &tkt, &session_key_krb5,
+						  0, NULL, NULL, NULL);
 		if (retval) {
 			DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
 			return False;