use of malloc, and data_blob().
Jeremy.
DATA_BLOB spnego_gen_negTokenInit(const char *OIDs[],
DATA_BLOB *psecblob,
const char *principal);
-bool spnego_parse_negTokenInit(DATA_BLOB blob,
+bool spnego_parse_negTokenInit(TALLOC_CTX *ctx,
+ DATA_BLOB blob,
char *OIDs[ASN1_MAX_OIDS],
char **principal,
DATA_BLOB *secblob);
struct auth_serversupplied_info **server_info,
const char *user, const char *domain);
-NTSTATUS parse_spnego_mechanisms(DATA_BLOB blob_in,
+NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
+ DATA_BLOB blob_in,
DATA_BLOB *pblob_out,
char **kerb_mechOID);
void reply_sesssetup_and_X(struct smb_request *req);
/* the server sent us the first part of the SPNEGO exchange in the negprot
reply */
- if (!spnego_parse_negTokenInit(blob, OIDs, &given_principal, NULL)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &given_principal, NULL)) {
data_blob_free(&blob);
status = ADS_ERROR(LDAP_OPERATIONS_ERROR);
goto failed;
* negprot reply. It is WRONG to depend on the principal sent in the
* negprot reply, but right now we do it. If we don't receive one,
* we try to best guess, then fall back to NTLM. */
- if (!spnego_parse_negTokenInit(blob, OIDs, &principal, NULL)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL)) {
data_blob_free(&blob);
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
status = cli_set_username(cli, user);
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(principal);
return ADS_ERROR_NT(status);
}
machine = SMB_STRDUP(cli->desthost);
}
if (machine == NULL) {
+ TALLOC_FREE(principal);
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
parse a negTokenInit packet giving a GUID, a list of supported
OIDs (the mechanisms) and a principal name string
*/
-bool spnego_parse_negTokenInit(DATA_BLOB blob,
+bool spnego_parse_negTokenInit(TALLOC_CTX *ctx,
+ DATA_BLOB blob,
char *OIDs[ASN1_MAX_OIDS],
char **principal,
DATA_BLOB *secblob)
asn1_start_tag(data,ASN1_SEQUENCE(0));
for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) {
const char *oid_str = NULL;
- asn1_read_OID(data,talloc_autofree_context(),&oid_str);
+ asn1_read_OID(data,ctx,&oid_str);
OIDs[i] = CONST_DISCARD(char *, oid_str);
}
OIDs[i] = NULL;
DATA_BLOB sblob = data_blob_null;
/* mechToken [2] OCTET STRING OPTIONAL */
asn1_start_tag(data, ASN1_CONTEXT(2));
- asn1_read_OctetString(data, talloc_autofree_context(),
- &sblob);
+ asn1_read_OctetString(data, ctx, &sblob);
asn1_end_tag(data);
if (secblob) {
*secblob = sblob;
asn1_start_tag(data, ASN1_CONTEXT(3));
asn1_start_tag(data, ASN1_SEQUENCE(0));
asn1_start_tag(data, ASN1_CONTEXT(0));
- asn1_read_GeneralString(data,talloc_autofree_context(),
- &princ);
+ asn1_read_GeneralString(data, ctx, &princ);
asn1_end_tag(data);
asn1_end_tag(data);
asn1_end_tag(data);
}
/* parse out the OIDs and the first sec blob */
- if (!spnego_parse_negTokenInit(pauth_info->credentials, OIDs, NULL, &secblob)) {
+ if (!spnego_parse_negTokenInit(talloc_tos(),
+ pauth_info->credentials, OIDs, NULL, &secblob)) {
DEBUG(0,("pipe_spnego_auth_bind_negotiate: Failed to parse the security blob.\n"));
goto err;
}
blob = data_blob_const(*ppdata, *p_data_size);
- status = parse_spnego_mechanisms(blob, &secblob, &kerb_mech);
+ status = parse_spnego_mechanisms(talloc_tos(), blob, &secblob, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
return nt_status_squash(status);
}
srv_free_encryption_context(&partial_srv_trans_enc_ctx);
if (kerb_mech) {
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
status = srv_enc_spnego_gss_negotiate(ppdata, p_data_size, secblob);
Is this a krb5 mechanism ?
****************************************************************************/
-NTSTATUS parse_spnego_mechanisms(DATA_BLOB blob_in,
+NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
+ DATA_BLOB blob_in,
DATA_BLOB *pblob_out,
char **kerb_mechOID)
{
*kerb_mechOID = NULL;
/* parse out the OIDs and the first sec blob */
- if (!spnego_parse_negTokenInit(blob_in, OIDs, NULL, pblob_out)) {
+ if (!spnego_parse_negTokenInit(ctx, blob_in, OIDs, NULL, pblob_out)) {
return NT_STATUS_LOGON_FAILURE;
}
#ifdef HAVE_KRB5
if (strcmp(OID_KERBEROS5, OIDs[0]) == 0 ||
strcmp(OID_KERBEROS5_OLD, OIDs[0]) == 0) {
- *kerb_mechOID = SMB_STRDUP(OIDs[0]);
+ *kerb_mechOID = talloc_strdup(ctx, OIDs[0]);
if (*kerb_mechOID == NULL) {
ret = NT_STATUS_NO_MEMORY;
}
NTSTATUS status;
struct smbd_server_connection *sconn = req->sconn;
- status = parse_spnego_mechanisms(blob1, &secblob, &kerb_mech);
+ status = parse_spnego_mechanisms(talloc_tos(),
+ blob1, &secblob, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
}
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
return;
}
#endif
/* The mechtoken is a krb5 ticket, but
* we need to fall back to NTLM. */
reply_spnego_downgrade_to_ntlmssp(req, vuid);
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
return;
}
/* Might be a second negTokenTarg packet */
char *kerb_mech = NULL;
- status = parse_spnego_mechanisms(auth, &secblob, &kerb_mech);
+ status = parse_spnego_mechanisms(talloc_tos(),
+ auth, &secblob, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
}
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
return;
}
#endif
"not enabled\n"));
reply_nterror(req, nt_status_squash(
NT_STATUS_LOGON_FAILURE));
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
}
}
/* Ensure we have no old NTLM state around. */
TALLOC_FREE(session->auth_ntlmssp_state);
- status = parse_spnego_mechanisms(in_security_buffer,
+ status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer,
&secblob_in, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
goto out;
data_blob_free(&secblob_in);
data_blob_free(&secblob_out);
data_blob_free(&chal_out);
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status,
NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DATA_BLOB secblob_in = data_blob_null;
char *kerb_mech = NULL;
- status = parse_spnego_mechanisms(in_security_buffer,
+ status = parse_spnego_mechanisms(talloc_tos(),
+ in_security_buffer,
&secblob_in, &kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
out_session_id);
data_blob_free(&secblob_in);
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
}
"not enabled\n"));
TALLOC_FREE(session);
data_blob_free(&secblob_in);
- SAFE_FREE(kerb_mech);
+ TALLOC_FREE(kerb_mech);
return NT_STATUS_LOGON_FAILURE;
}