-rw-r--r-- | auth/gensec/gensec.c | 6 | ||||
-rw-r--r-- | auth/gensec/gensec.h | 6 | ||||
-rw-r--r-- | libcli/auth/schannel_proto.h | 1 | ||||
-rw-r--r-- | libcli/auth/schannel_sign.c | 1 | ||||
-rw-r--r-- | source3/librpc/rpc/dcerpc_helpers.c | 4 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 15 | ||||
-rw-r--r-- | source4/auth/gensec/schannel.c | 6 | ||||
-rw-r--r-- | source4/auth/gensec/spnego.c | 6 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_sign.c | 2 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc.c | 2 | ||||
-rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 2 | ||||
-rw-r--r-- | source4/torture/auth/ntlmssp.c | 8 |
12 files changed, 21 insertions, 38 deletions
diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c index 390913d01b..4736e73d5a 100644 --- a/auth/gensec/gensec.c +++ b/auth/gensec/gensec.c @@ -31,7 +31,6 @@ wrappers for the gensec function pointers */ _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) @@ -43,14 +42,13 @@ _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, return NT_STATUS_INVALID_PARAMETER; } - return gensec_security->ops->unseal_packet(gensec_security, mem_ctx, + return gensec_security->ops->unseal_packet(gensec_security, data, length, whole_pdu, pdu_length, sig); } _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) @@ -62,7 +60,7 @@ _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, return NT_STATUS_INVALID_PARAMETER; } - return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig); + return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig); } _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security, diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h index b897419473..852618c1af 100644 --- a/auth/gensec/gensec.h +++ b/auth/gensec/gensec.h 
@@ -104,11 +104,11 @@ struct gensec_security_ops { size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size); size_t (*max_input_size)(struct gensec_security *gensec_security); size_t (*max_wrapped_size)(struct gensec_security *gensec_security); - NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, + NTSTATUS (*check_packet)(struct gensec_security *gensec_security, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig); - NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, + NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig); @@ -241,12 +241,10 @@ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_se NTSTATUS gensec_init(void); size_t gensec_max_input_size(struct gensec_security *gensec_security); NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig); NTSTATUS gensec_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig); diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h index e454c3da53..e3aeb5a9bc 100644 --- a/libcli/auth/schannel_proto.h +++ b/libcli/auth/schannel_proto.h @@ -29,7 +29,6 @@ struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx, const char *private_dir); NTSTATUS netsec_incoming_packet(struct schannel_state *state, - TALLOC_CTX *mem_ctx, bool do_unseal, uint8_t *data, size_t length, const DATA_BLOB *sig); diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c index eb605f4b07..29a97b9282 100644 --- a/libcli/auth/schannel_sign.c 
+++ b/libcli/auth/schannel_sign.c @@ -139,7 +139,6 @@ static void netsec_do_sign(struct schannel_state *state, } NTSTATUS netsec_incoming_packet(struct schannel_state *state, - TALLOC_CTX *mem_ctx, bool do_unseal, uint8_t *data, size_t length, const DATA_BLOB *sig) diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c index 7520d767ba..b53587ddb3 100644 --- a/source3/librpc/rpc/dcerpc_helpers.c +++ b/source3/librpc/rpc/dcerpc_helpers.c @@ -553,7 +553,7 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx, case DCERPC_AUTH_LEVEL_PRIVACY: /* Data portion is encrypted. */ return netsec_incoming_packet(auth_state, - mem_ctx, true, + true, data->data, data->length, auth_token); @@ -561,7 +561,7 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx, case DCERPC_AUTH_LEVEL_INTEGRITY: /* Data is signed. */ return netsec_incoming_packet(auth_state, - mem_ctx, false, + false, data->data, data->length, auth_token); diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 6ecd29bf34..4dd809856c 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1038,7 +1038,6 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit } static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) @@ -1053,7 +1052,7 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length); - in = data_blob_talloc(mem_ctx, NULL, sig->length + length); + in = data_blob_talloc(gensec_security, NULL, sig->length + length); memcpy(in.data, sig->data, sig->length); memcpy(in.data + sig->length, data, length); 
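Review bot: In gensec_gssapi_unseal_packet the blob returned by `data_blob_talloc(gensec_security, NULL, sig->length + length)` is still written by the two `memcpy` calls with no check, so an allocation failure becomes a NULL write on a path that processes data received from the peer, and the sum is not checked for wrap-around. A guard before the copies would cover both, e.g. `if (length > SIZE_MAX - sig->length) return NT_STATUS_INVALID_PARAMETER;` followed by `if (in.data == NULL) return NT_STATUS_NO_MEMORY;`. The blob is also now parented to the long-lived gensec_security instead of a per-call context, so any exit between this allocation and the `talloc_free(in.data)` added further down would leave it allocated for the life of the session. The function body continues outside this hunk, so that path needs confirming.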
@@ -1067,9 +1066,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur &output_token, &conf_state, &qop_state); + talloc_free(in.data); if (GSS_ERROR(maj_stat)) { + char *error_string = gssapi_error_string(NULL, maj_stat, min_stat, gensec_gssapi_state->gss_oid); DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n", - gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); + error_string)); + talloc_free(error_string); return NT_STATUS_ACCESS_DENIED; } @@ -1128,7 +1130,6 @@ static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_securit } static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) @@ -1159,8 +1160,10 @@ static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_securi &input_token, &qop_state); if (GSS_ERROR(maj_stat)) { - DEBUG(1, ("GSS VerifyMic failed: %s\n", - gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); + char *error_string = gssapi_error_string(NULL, maj_stat, min_stat, gensec_gssapi_state->gss_oid); + DEBUG(1, ("GSS VerifyMic failed: %s\n", error_string)); + talloc_free(error_string); + return NT_STATUS_ACCESS_DENIED; } diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index 2e3f0219e9..8f9aa921a9 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -290,7 +290,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security, unseal a packet */ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) 
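Review bot: `error_string` is handed to `%s` without a NULL check, both here in gensec_gssapi_unseal_packet and in the `GSS VerifyMic failed` hunk of gensec_gssapi_check_packet. If gssapi_error_string() can return NULL on allocation failure (its body is not visible here), that is undefined behaviour in the format call; passing `error_string ? error_string : "(no error string)"` to DEBUG would cover it. The string is now built before DEBUG decides whether level 1 is enabled, so every failed unwrap or MIC check triggered by a peer costs an allocation even when the message is discarded. Wrapping the three lines in the debug-level test would keep the rejection path cheap.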
@@ -299,7 +298,7 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security, talloc_get_type(gensec_security->private_data, struct schannel_state); - return netsec_incoming_packet(state, mem_ctx, true, + return netsec_incoming_packet(state, true, discard_const_p(uint8_t, data), length, sig); } @@ -308,7 +307,6 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security, check the signature on a packet */ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) @@ -317,7 +315,7 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security, talloc_get_type(gensec_security->private_data, struct schannel_state); - return netsec_incoming_packet(state, mem_ctx, false, + return netsec_incoming_packet(state, false, discard_const_p(uint8_t, data), length, sig); } diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index 3611d31a23..c48e87e8b5 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c @@ -96,7 +96,6 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi wrappers for the spnego_*() functions */ static NTSTATUS gensec_spnego_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) @@ -109,14 +108,12 @@ static NTSTATUS gensec_spnego_unseal_packet(struct gensec_security *gensec_secur } return gensec_unseal_packet(spnego_state->sub_sec_security, - mem_ctx, data, length, whole_pdu, pdu_length, sig); } static NTSTATUS gensec_spnego_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) 
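Review bot: schannel_check_packet still casts away const with `discard_const_p(uint8_t, data)` before passing the buffer to netsec_incoming_packet, whose prototype takes a writable `uint8_t *data`. That is only safe if netsec_incoming_packet never writes through `data` when `do_unseal` is false, and its body is not visible in this diff. A comment at the call, e.g. `/* do_unseal == false: netsec_incoming_packet must only read data */`, would record the assumption for whoever next touches the signing code. In schannel_unseal_packet `data` is already `uint8_t *`, so the `discard_const_p` there is redundant and could be dropped.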
@@ -129,7 +126,6 @@ static NTSTATUS gensec_spnego_check_packet(struct gensec_security *gensec_securi } return gensec_check_packet(spnego_state->sub_sec_security, - mem_ctx, data, length, whole_pdu, pdu_length, sig); @@ -922,7 +918,6 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) { new_spnego = true; nt_status = gensec_check_packet(spnego_state->sub_sec_security, - out_mem_ctx, spnego_state->mech_types.data, spnego_state->mech_types.length, spnego_state->mech_types.data, @@ -1029,7 +1024,6 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) { nt_status = gensec_check_packet(spnego_state->sub_sec_security, - out_mem_ctx, spnego_state->mech_types.data, spnego_state->mech_types.length, spnego_state->mech_types.data, diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c b/source4/auth/ntlmssp/ntlmssp_sign.c index 95466b0407..72cd1549fe 100644 --- a/source4/auth/ntlmssp/ntlmssp_sign.c +++ b/source4/auth/ntlmssp/ntlmssp_sign.c @@ -45,7 +45,6 @@ NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security, } NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security, - TALLOC_CTX *sig_mem_ctx, const uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) @@ -87,7 +86,6 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security, wrappers for the ntlmssp_*() functions */ NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security, - TALLOC_CTX *sig_mem_ctx, uint8_t *data, size_t length, const uint8_t *whole_pdu, size_t pdu_length, const DATA_BLOB *sig) diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c index 110da57c93..496cc0b2a6 100644 --- a/source4/librpc/rpc/dcerpc.c +++ b/source4/librpc/rpc/dcerpc.c 
@@ -708,7 +708,6 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX switch (c->security_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_unseal_packet(c->security_state.generic_state, - mem_ctx, raw_packet->data + DCERPC_REQUEST_LENGTH, pkt->u.response.stub_and_verifier.length, raw_packet->data, @@ -721,7 +720,6 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX case DCERPC_AUTH_LEVEL_INTEGRITY: status = gensec_check_packet(c->security_state.generic_state, - mem_ctx, pkt->u.response.stub_and_verifier.data, pkt->u.response.stub_and_verifier.length, raw_packet->data, diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 1e6aa24c82..0802cd4323 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -328,7 +328,6 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) switch (dce_conn->auth_state.auth_info->auth_level) { case DCERPC_AUTH_LEVEL_PRIVACY: status = gensec_unseal_packet(dce_conn->auth_state.gensec_security, - call, full_packet->data + hdr_size, pkt->u.request.stub_and_verifier.length, full_packet->data, @@ -341,7 +340,6 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet) case DCERPC_AUTH_LEVEL_INTEGRITY: status = gensec_check_packet(dce_conn->auth_state.gensec_security, - call, pkt->u.request.stub_and_verifier.data, pkt->u.request.stub_and_verifier.length, full_packet->data, diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c index 93529eeb1d..c98985c97c 100644 --- a/source4/torture/auth/ntlmssp.c +++ b/source4/torture/auth/ntlmssp.c 
@@ -78,14 +78,14 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx) "data mismatch"); torture_assert_ntstatus_equal(tctx, - gensec_ntlmssp_check_packet(gensec_security, gensec_security, + gensec_ntlmssp_check_packet(gensec_security, data.data, data.length, data.data, data.length, &sig), NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)"); ntlmssp_state->session_key = data_blob(NULL, 0); torture_assert_ntstatus_equal(tctx, - gensec_ntlmssp_check_packet(gensec_security, gensec_security, + gensec_ntlmssp_check_packet(gensec_security, data.data, data.length, data.data, data.length, &sig), NT_STATUS_NO_USER_SESSION_KEY, "Check of just signed packet without a session key should fail"); @@ -135,14 +135,14 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx) "data mismatch"); torture_assert_ntstatus_equal(tctx, - gensec_ntlmssp_check_packet(gensec_security, gensec_security, + gensec_ntlmssp_check_packet(gensec_security, data.data, data.length, data.data, data.length, &sig), NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)"); sig.length /= 2; torture_assert_ntstatus_equal(tctx, - gensec_ntlmssp_check_packet(gensec_security, gensec_security, + gensec_ntlmssp_check_packet(gensec_security, data.data, data.length, data.data, data.length, &sig), NT_STATUS_ACCESS_DENIED, "Check of just signed packet with short sig"); |