s3-ntlmssp Add mem_ctx argument to auth_ntlmssp_update

This clarifies the lifetime of the returned token.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>

9 files changed, 36 insertions, 37 deletions

diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/ntlmssp_wrap.h
index ff534da46fe..7cdc2d90206 100644
--- a/source3/include/ntlmssp_wrap.h
+++ b/source3/include/ntlmssp_wrap.h
@@ -79,6 +79,7 @@ DATA_BLOB auth_ntlmssp_get_session_key(struct auth_ntlmssp_state *ans,
 				       TALLOC_CTX *mem_ctx);
 
 NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *ans,
+			     TALLOC_CTX *mem_ctx,
 			     const DATA_BLOB request, DATA_BLOB *reply);
 
 NTSTATUS auth_ntlmssp_client_start(TALLOC_CTX *mem_ctx,
diff --git a/source3/librpc/crypto/cli_spnego.c b/source3/librpc/crypto/cli_spnego.c
index f2454846530..3e40d15569f 100644
--- a/source3/librpc/crypto/cli_spnego.c
+++ b/source3/librpc/crypto/cli_spnego.c
@@ -217,7 +217,7 @@ NTSTATUS spnego_get_client_auth_token(TALLOC_CTX *mem_ctx,
 	case SPNEGO_NTLMSSP:
 
 		ntlmssp_ctx = sp_ctx->mech_ctx.ntlmssp_state;
-		status = auth_ntlmssp_update(ntlmssp_ctx,
+		status = auth_ntlmssp_update(ntlmssp_ctx, mem_ctx,
 					     token_in, &token_out);
 		if (NT_STATUS_EQUAL(status,
 				    NT_STATUS_MORE_PROCESSING_REQUIRED)) {
diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index db6260efc77..3e268b5e6f8 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -636,7 +636,8 @@ NTSTATUS cli_raw_ntlm_smb_encryption_start(struct cli_state *cli,
 	}
 
 	do {
-		status = auth_ntlmssp_update(es->s.auth_ntlmssp_state, blob_in, &blob_out);
+		status = auth_ntlmssp_update(es->s.auth_ntlmssp_state, es->s.auth_ntlmssp_state,
+					     blob_in, &blob_out);
 		data_blob_free(&blob_in);
 		data_blob_free(&param_out);
 		if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) || NT_STATUS_IS_OK(status)) {
diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
index 43cde19b3b7..454720423aa 100644
--- a/source3/libsmb/ntlmssp_wrap.c
+++ b/source3/libsmb/ntlmssp_wrap.c
@@ -186,12 +186,19 @@ DATA_BLOB auth_ntlmssp_get_session_key(struct auth_ntlmssp_state *ans, TALLOC_CT
 }
 
 NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *ans,
+			     TALLOC_CTX *mem_ctx,
 			     const DATA_BLOB request, DATA_BLOB *reply)
 {
+	NTSTATUS status;
 	if (ans->gensec_security) {
-		return gensec_update(ans->gensec_security, ans, request, reply);
+		return gensec_update(ans->gensec_security, mem_ctx, request, reply);
+	}
+	status = ntlmssp_update(ans->ntlmssp_state, request, reply);
+	if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		return status;
 	}
-	return ntlmssp_update(ans->ntlmssp_state, request, reply);
+	talloc_steal(mem_ctx, reply->data);
+	return status;
 }
 
 NTSTATUS auth_ntlmssp_client_start(TALLOC_CTX *mem_ctx,
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 9d0abfc6127..3224f09e279 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1037,6 +1037,7 @@ static NTSTATUS create_gssapi_auth_bind_req(TALLOC_CTX *mem_ctx,
  ********************************************************************/
 
 static NTSTATUS create_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client *cli,
+						 TALLOC_CTX *mem_ctx,
 						 DATA_BLOB *auth_token)
 {
 	struct auth_ntlmssp_state *ntlmssp_ctx;
@@ -1047,7 +1048,7 @@ static NTSTATUS create_ntlmssp_auth_rpc_bind_req(struct rpc_pipe_client *cli,
 					    struct auth_ntlmssp_state);
 
 	DEBUG(5, ("create_ntlmssp_auth_rpc_bind_req: Processing NTLMSSP Negotiate\n"));
-	status = auth_ntlmssp_update(ntlmssp_ctx, null_blob, auth_token);
+	status = auth_ntlmssp_update(ntlmssp_ctx, mem_ctx, null_blob, auth_token);
 
 	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		data_blob_free(auth_token);
@@ -1171,7 +1172,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
 		break;
 
 	case DCERPC_AUTH_TYPE_NTLMSSP:
-		ret = create_ntlmssp_auth_rpc_bind_req(cli, &auth_token);
+		ret = create_ntlmssp_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
 		if (!NT_STATUS_IS_OK(ret)) {
 			return ret;
 		}
@@ -1772,7 +1773,7 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 		ntlmssp_ctx = talloc_get_type_abort(pauth->auth_ctx,
 						    struct auth_ntlmssp_state);
-		status = auth_ntlmssp_update(ntlmssp_ctx,
+		status = auth_ntlmssp_update(ntlmssp_ctx, state,
 					     auth.credentials, &auth_token);
 		if (NT_STATUS_EQUAL(status,
 				    NT_STATUS_MORE_PROCESSING_REQUIRED)) {
diff --git a/source3/rpc_server/dcesrv_ntlmssp.c b/source3/rpc_server/dcesrv_ntlmssp.c
index 26f924eedfb..87c8e0becea 100644
--- a/source3/rpc_server/dcesrv_ntlmssp.c
+++ b/source3/rpc_server/dcesrv_ntlmssp.c
@@ -56,15 +56,13 @@ NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx,
 					 NTLMSSP_NEGOTIATE_SEAL);
 	}
 
-	status = auth_ntlmssp_update(a, *token_in, token_out);
+	status = auth_ntlmssp_update(a, mem_ctx, *token_in, token_out);
 	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		DEBUG(0, (__location__ ": auth_ntlmssp_update failed: %s\n",
 			  nt_errstr(status)));
 		goto done;
 	}
 
-	/* Make sure data is bound to the memctx, to be freed the caller */
-	talloc_steal(mem_ctx, token_out->data);
 	/* steal ntlmssp context too */
 	*ctx = talloc_move(mem_ctx, &a);
 
@@ -87,12 +85,9 @@ NTSTATUS ntlmssp_server_step(struct auth_ntlmssp_state *ctx,
 
 	/* this has to be done as root in order to verify the password */
 	become_root();
-	status = auth_ntlmssp_update(ctx, *token_in, token_out);
+	status = auth_ntlmssp_update(ctx, mem_ctx, *token_in, token_out);
 	unbecome_root();
 
-	/* put the output token data on the given mem_ctx */
-	talloc_steal(mem_ctx, token_out->data);
-
 	return status;
 }
 
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index e6b683d97fc..5481e52fe04 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -478,7 +478,9 @@ static NTSTATUS srv_enc_ntlm_negotiate(const struct tsocket_address *remote_addr
 		return status;
 	}
 
-	status = auth_ntlmssp_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state, secblob, &chal);
+	status = auth_ntlmssp_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state,
+				     partial_srv_trans_enc_ctx->auth_ntlmssp_state,
+				     secblob, &chal);
 
 	/* status here should be NT_STATUS_MORE_PROCESSING_REQUIRED
 	 * for success ... */
@@ -601,7 +603,7 @@ static NTSTATUS srv_enc_spnego_ntlm_auth(connection_struct *conn,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	status = auth_ntlmssp_update(ec->auth_ntlmssp_state, auth, &auth_reply);
+	status = auth_ntlmssp_update(ec->auth_ntlmssp_state, talloc_tos(), auth, &auth_reply);
 	data_blob_free(&auth);
 
 	/* From RFC4178.
@@ -671,7 +673,9 @@ static NTSTATUS srv_enc_raw_ntlm_auth(connection_struct *conn,
 	}
 
 	/* Second step. */
-	status = auth_ntlmssp_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state, blob, &response);
+	status = auth_ntlmssp_update(partial_srv_trans_enc_ctx->auth_ntlmssp_state,
+				     talloc_tos(),
+				     blob, &response);
 
 	if (NT_STATUS_IS_OK(status)) {
 		/* Return the context we're using for this encryption state. */
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 329b8b6aa52..b1fed41e8e5 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -633,8 +633,8 @@ static void reply_spnego_negotiate(struct smb_request *req,
 		return;
 	}
 
-	status = auth_ntlmssp_update(*auth_ntlmssp_state,
-					secblob, &chal);
+	status = auth_ntlmssp_update(*auth_ntlmssp_state, talloc_tos(),
+				     secblob, &chal);
 
 	data_blob_free(&secblob);
 
@@ -736,8 +736,8 @@ static void reply_spnego_auth(struct smb_request *req,
 		}
 	}
 
-	status = auth_ntlmssp_update(*auth_ntlmssp_state,
-					auth, &auth_reply);
+	status = auth_ntlmssp_update(*auth_ntlmssp_state, talloc_tos(),
+				     auth, &auth_reply);
 
 	data_blob_free(&auth);
 
@@ -1151,7 +1151,8 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 		}
 
 		status = auth_ntlmssp_update(vuser->auth_ntlmssp_state,
-						blob1, &chal);
+					     talloc_tos(),
+					     blob1, &chal);
 
 		data_blob_free(&blob1);
 
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 511df8639dd..320a7077581 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -393,6 +393,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 		}
 
 		status = auth_ntlmssp_update(session->auth_ntlmssp_state,
+					     talloc_tos(),
 					     secblob_in,
 					     &chal_out);
 	}
@@ -584,7 +585,7 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 	}
 
 	status = auth_ntlmssp_update(session->auth_ntlmssp_state,
-				     auth,
+				     talloc_tos(), auth,
 				     &auth_out);
 	/* If status is NT_STATUS_OK then we need to get the token.
 	 * Map to guest is now internal to auth_ntlmssp */
@@ -637,7 +638,6 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 					uint64_t *out_session_id)
 {
 	NTSTATUS status;
-	DATA_BLOB secblob_out = data_blob_null;
 
 	if (session->auth_ntlmssp_state == NULL) {
 		status = auth_ntlmssp_start(session->sconn->remote_address,
@@ -650,20 +650,9 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 
 	/* RAW NTLMSSP */
 	status = auth_ntlmssp_update(session->auth_ntlmssp_state,
+				     smb2req,
 				     in_security_buffer,
-				     &secblob_out);
-
-	if (NT_STATUS_IS_OK(status) ||
-			NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-		*out_security_buffer = data_blob_talloc(smb2req,
-						secblob_out.data,
-						secblob_out.length);
-		if (secblob_out.data && out_security_buffer->data == NULL) {
-			TALLOC_FREE(session->auth_ntlmssp_state);
-			TALLOC_FREE(session);
-			return NT_STATUS_NO_MEMORY;
-		}
-	}
+				     out_security_buffer);
 
 	if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		*out_session_id = session->vuid;