diff options
-rw-r--r-- | source3/include/proto.h | 8 | ||||
-rw-r--r-- | source3/libads/sasl.c | 9 | ||||
-rw-r--r-- | source3/libsmb/cliconnect.c | 4 | ||||
-rw-r--r-- | source3/libsmb/clifsinfo.c | 13 | ||||
-rw-r--r-- | source3/libsmb/clispnego.c | 12 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 4 | ||||
-rw-r--r-- | source3/smbd/negprot.c | 4 |
7 files changed, 32 insertions, 22 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index ce94ae531b..4af95090f0 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -2796,7 +2796,8 @@ bool cli_set_secdesc(struct cli_state *cli, uint16_t fnum, struct security_descr /* The following definitions come from libsmb/clispnego.c */ -DATA_BLOB spnego_gen_negTokenInit(const char *OIDs[], +DATA_BLOB spnego_gen_negTokenInit(TALLOC_CTX *ctx, + const char *OIDs[], DATA_BLOB *psecblob, const char *principal); bool spnego_parse_negTokenInit(TALLOC_CTX *ctx, @@ -2807,8 +2808,9 @@ bool spnego_parse_negTokenInit(TALLOC_CTX *ctx, DATA_BLOB gen_negTokenTarg(const char *OIDs[], DATA_BLOB blob); DATA_BLOB spnego_gen_krb5_wrap(const DATA_BLOB ticket, const uint8 tok_id[2]); bool spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2]); -int spnego_gen_krb5_negTokenInit(const char *principal, int time_offset, - DATA_BLOB *targ, +int spnego_gen_krb5_negTokenInit(TALLOC_CTX *ctx, + const char *principal, int time_offset, + DATA_BLOB *targ, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, time_t *expire_time); bool spnego_parse_challenge(const DATA_BLOB blob, diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 1b62daf8db..d0b3f2a7ec 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -192,7 +192,8 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads) if (turn == 1) { const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL}; /* and wrap it in a SPNEGO wrapper */ - msg1 = spnego_gen_negTokenInit(OIDs_ntlm, &blob_out, NULL); + msg1 = spnego_gen_negTokenInit(talloc_tos(), + OIDs_ntlm, &blob_out, NULL); } else { /* wrap it in SPNEGO */ msg1 = spnego_gen_auth(blob_out); @@ -508,7 +509,8 @@ static ADS_STATUS ads_sasl_spnego_gsskrb5_bind(ADS_STRUCT *ads, const gss_name_t /* and wrap that in a shiny SPNEGO wrapper */ unwrapped = data_blob_const(output_token.value, output_token.length); - wrapped = spnego_gen_negTokenInit(spnego_mechs, &unwrapped, NULL); + wrapped = spnego_gen_negTokenInit(talloc_tos(), + spnego_mechs, &unwrapped, NULL); gss_release_buffer(&minor_status, &output_token); if (unwrapped.length > wrapped.length) { status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); @@ -705,7 +707,8 @@ static ADS_STATUS ads_sasl_spnego_rawkrb5_bind(ADS_STRUCT *ads, const char *prin return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED); } - rc = spnego_gen_krb5_negTokenInit(principal, ads->auth.time_offset, &blob, &session_key, 0, + rc = spnego_gen_krb5_negTokenInit(talloc_tos(), principal, + ads->auth.time_offset, &blob, &session_key, 0, &ads->auth.tgs_expire); if (rc) { diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 86338d0ef3..86448ff6b3 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -857,7 +857,7 @@ static struct tevent_req *cli_session_setup_kerberos_send( * Ok, this is cheating: spnego_gen_krb5_negTokenInit can block if * we have to acquire a ticket. To be fixed later :-) */ - rc = spnego_gen_krb5_negTokenInit(principal, 0, &state->negTokenTarg, + rc = spnego_gen_krb5_negTokenInit(state, principal, 0, &state->negTokenTarg, &state->session_key_krb5, 0, NULL); if (rc) { DEBUG(1, ("cli_session_setup_kerberos: " @@ -1033,7 +1033,7 @@ static struct tevent_req *cli_session_setup_ntlmssp_send( goto fail; } - state->blob_out = spnego_gen_negTokenInit(OIDs_ntlm, &blob_out, NULL); + state->blob_out = spnego_gen_negTokenInit(state, OIDs_ntlm, &blob_out, NULL); data_blob_free(&blob_out); subreq = cli_sesssetup_blob_send(state, ev, cli, state->blob_out); diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index 3c8e5442ce..aa7d1fb9ad 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -716,7 +716,8 @@ NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli, Get client gss blob to send to a server. ******************************************************************************/ -static NTSTATUS make_cli_gss_blob(struct smb_trans_enc_state *es, +static NTSTATUS make_cli_gss_blob(TALLOC_CTX *ctx, + struct smb_trans_enc_state *es, const char *service, const char *host, NTSTATUS status_in, @@ -798,10 +799,10 @@ static NTSTATUS make_cli_gss_blob(struct smb_trans_enc_state *es, status = NT_STATUS_ACCESS_DENIED; } - blob_out = data_blob(tok_out.value, tok_out.length); + blob_out = data_blob_talloc(ctx, tok_out.value, tok_out.length); /* Wrap in an SPNEGO wrapper */ - *p_blob_out = spnego_gen_negTokenInit(krb_mechs, &blob_out, NULL); + *p_blob_out = spnego_gen_negTokenInit(ctx, krb_mechs, &blob_out, NULL); fail: @@ -837,10 +838,10 @@ NTSTATUS cli_gss_smb_encryption_start(struct cli_state *cli) strlower_m(fqdn); servicename = "cifs"; - status = make_cli_gss_blob(es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send); + status = make_cli_gss_blob(talloc_tos(), es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send); if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) { servicename = "host"; - status = make_cli_gss_blob(es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send); + status = make_cli_gss_blob(talloc_tos(), es, servicename, fqdn, NT_STATUS_OK, blob_recv, &blob_send); if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED)) { goto fail; } @@ -853,7 +854,7 @@ NTSTATUS cli_gss_smb_encryption_start(struct cli_state *cli) es->enc_ctx_num = SVAL(param_out.data, 0); } data_blob_free(&blob_send); - status = make_cli_gss_blob(es, servicename, fqdn, status, blob_recv, &blob_send); + status = make_cli_gss_blob(talloc_tos(), es, servicename, fqdn, status, blob_recv, &blob_send); } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)); data_blob_free(&blob_recv); diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index 0935041a34..d5867120ea 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -29,7 +29,8 @@ OIDs (the mechanisms) a blob, and a principal name string */ -DATA_BLOB spnego_gen_negTokenInit(const char *OIDs[], +DATA_BLOB spnego_gen_negTokenInit(TALLOC_CTX *ctx, + const char *OIDs[], DATA_BLOB *psecblob, const char *principal) { @@ -81,7 +82,7 @@ DATA_BLOB spnego_gen_negTokenInit(const char *OIDs[], DEBUG(1,("Failed to build negTokenInit at offset %d\n", (int)data->ofs)); } - ret = data_blob(data->data, data->length); + ret = data_blob_talloc(ctx, data->data, data->length); asn1_free(data); return ret; @@ -289,8 +290,9 @@ bool spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2]) generate a SPNEGO krb5 negTokenInit packet, ready for a EXTENDED_SECURITY kerberos session setup */ -int spnego_gen_krb5_negTokenInit(const char *principal, int time_offset, - DATA_BLOB *targ, +int spnego_gen_krb5_negTokenInit(TALLOC_CTX *ctx, + const char *principal, int time_offset, + DATA_BLOB *targ, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, time_t *expire_time) { @@ -310,7 +312,7 @@ int spnego_gen_krb5_negTokenInit(const char *principal, int time_offset, tkt_wrapped = spnego_gen_krb5_wrap(tkt, TOK_ID_KRB_AP_REQ); /* and wrap that in a shiny SPNEGO wrapper */ - *targ = spnego_gen_negTokenInit(krb_mechs, &tkt_wrapped, NULL); + *targ = spnego_gen_negTokenInit(ctx, krb_mechs, &tkt_wrapped, NULL); data_blob_free(&tkt_wrapped); data_blob_free(&tkt); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 226f1391ff..3ca9271a82 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -1352,7 +1352,7 @@ static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client * } /* Wrap this in SPNEGO. */ - spnego_msg = spnego_gen_negTokenInit(OIDs_ntlm, &request, NULL); + spnego_msg = spnego_gen_negTokenInit(talloc_tos(), OIDs_ntlm, &request, NULL); data_blob_free(&request); @@ -1363,6 +1363,7 @@ static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client * 1, /* auth_context_id */ &spnego_msg, auth_info); + if (!NT_STATUS_IS_OK(status)) { data_blob_free(&spnego_msg); return status; @@ -1370,6 +1371,7 @@ static NTSTATUS create_spnego_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client * DEBUG(5, ("create_spnego_ntlmssp_auth_rpc_bind_req: NTLMSSP Negotiate:\n")); dump_data(5, spnego_msg.data, spnego_msg.length); + data_blob_free(&spnego_msg); return NT_STATUS_OK; } diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index c5c83cac30..4ff4eee404 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -211,7 +211,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) blob = data_blob(guid, 16); #else /* Code for standalone WXP client */ - blob = spnego_gen_negTokenInit(OIDs_ntlm, NULL, "NONE"); + blob = spnego_gen_negTokenInit(ctx, OIDs_ntlm, NULL, "NONE"); #endif } else { fstring myname; @@ -222,7 +222,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) == -1) { return data_blob_null; } - blob = spnego_gen_negTokenInit(OIDs_krb5, NULL, host_princ_s); + blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, host_princ_s); SAFE_FREE(host_princ_s); } |