}
_PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
- DATA_BLOB *session_key)
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *session_key)
{
if (!gensec_security->ops->session_key) {
return NT_STATUS_NOT_IMPLEMENTED;
return NT_STATUS_NO_USER_SESSION_KEY;
}
- return gensec_security->ops->session_key(gensec_security, session_key);
+ return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
}
/**
*/
_PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
- struct auth_session_info **session_info)
+ TALLOC_CTX *mem_ctx,
+ struct auth_session_info **session_info)
{
if (!gensec_security->ops->session_info) {
return NT_STATUS_NOT_IMPLEMENTED;
}
- return gensec_security->ops->session_info(gensec_security, session_info);
+ return gensec_security->ops->session_info(gensec_security, mem_ctx, session_info);
}
/**
size_t *len_processed);
NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
DATA_BLOB blob, size_t *size);
- NTSTATUS (*session_key)(struct gensec_security *gensec_security, DATA_BLOB *session_key);
- NTSTATUS (*session_info)(struct gensec_security *gensec_security,
+ NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
+ DATA_BLOB *session_key);
+ NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info);
void (*want_feature)(struct gensec_security *gensec_security,
uint32_t feature);
NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_security, const char *hostname);
const char *gensec_get_target_hostname(struct gensec_security *gensec_security);
NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key);
NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
const char *mech_oid);
struct auth4_context *auth_context,
struct gensec_security **gensec_security);
NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info);
NTSTATUS gensec_set_local_address(struct gensec_security *gensec_security,
break;
}
- gensec_gssapi_state->session_key = data_blob(NULL, 0);
- gensec_gssapi_state->pac = data_blob(NULL, 0);
-
ret = smb_krb5_init_context(gensec_gssapi_state,
NULL,
gensec_security->settings->lp_ctx,
* This breaks all the abstractions, but what do you expect...
*/
static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key)
{
struct gensec_gssapi_state *gensec_gssapi_state
return NT_STATUS_NO_USER_SESSION_KEY;
}
- if (gensec_gssapi_state->session_key.data) {
- *session_key = gensec_gssapi_state->session_key;
- return NT_STATUS_OK;
- }
-
maj_stat = gsskrb5_get_subkey(&min_stat,
gensec_gssapi_state->gssapi_context,
&subkey);
DEBUG(10, ("Got KRB5 session key of length %d%s\n",
(int)KRB5_KEY_LENGTH(subkey),
(gensec_gssapi_state->sasl_state == STAGE_DONE)?" (done)":""));
- *session_key = data_blob_talloc(gensec_gssapi_state,
+ *session_key = data_blob_talloc(mem_ctx,
KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey);
- gensec_gssapi_state->session_key = *session_key;
dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
return NT_STATUS_OK;
* this session. This uses either the PAC (if present) or a local
* database lookup */
static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx_out,
struct auth_session_info **_session_info)
{
NTSTATUS nt_status;
return NT_STATUS_INVALID_PARAMETER;
}
- mem_ctx = talloc_named(gensec_gssapi_state, 0, "gensec_gssapi_session_info context");
+ mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
nt_status = gssapi_obtain_pac_blob(mem_ctx, gensec_gssapi_state->gssapi_context,
return nt_status;
}
- nt_status = gensec_gssapi_session_key(gensec_security, &session_info->session_key);
+ nt_status = gensec_gssapi_session_key(gensec_security, session_info, &session_info->session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
/* It has been taken from this place... */
gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
}
- talloc_steal(gensec_gssapi_state, session_info);
+ *_session_info = talloc_steal(mem_ctx_out, session_info);
talloc_free(mem_ctx);
- *_session_info = session_info;
return NT_STATUS_OK;
}
OM_uint32 want_flags, got_flags;
gss_OID gss_oid;
- DATA_BLOB session_key;
- DATA_BLOB pac;
-
struct smb_krb5_context *smb_krb5_context;
struct gssapi_creds_container *client_cred;
struct gssapi_creds_container *server_cred;
};
struct gensec_krb5_state {
- DATA_BLOB session_key;
- DATA_BLOB pac;
enum GENSEC_KRB5_STATE state_position;
struct smb_krb5_context *smb_krb5_context;
krb5_auth_context auth_context;
gensec_krb5_state->ticket = NULL;
ZERO_STRUCT(gensec_krb5_state->enc_ticket);
gensec_krb5_state->keyblock = NULL;
- gensec_krb5_state->session_key = data_blob(NULL, 0);
- gensec_krb5_state->pac = data_blob(NULL, 0);
gensec_krb5_state->gssapi = gssapi;
talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy);
}
static NTSTATUS gensec_krb5_session_key(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key)
{
struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
return NT_STATUS_NO_USER_SESSION_KEY;
}
- if (gensec_krb5_state->session_key.data) {
- *session_key = gensec_krb5_state->session_key;
- return NT_STATUS_OK;
- }
-
switch (gensec_security->gensec_role) {
case GENSEC_CLIENT:
err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
if (err == 0 && skey != NULL) {
DEBUG(10, ("Got KRB5 session key of length %d\n",
(int)KRB5_KEY_LENGTH(skey)));
- gensec_krb5_state->session_key = data_blob_talloc(gensec_krb5_state,
- KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
- *session_key = gensec_krb5_state->session_key;
+ *session_key = data_blob_talloc(mem_ctx,
+ KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
krb5_free_keyblock(context, skey);
}
static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx_out,
struct auth_session_info **_session_info)
{
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
krb5_error_code ret;
- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+ TALLOC_CTX *mem_ctx = talloc_new(mem_ctx_out);
if (!mem_ctx) {
return NT_STATUS_NO_MEMORY;
}
return nt_status;
}
- nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
+ nt_status = gensec_krb5_session_key(gensec_security, session_info, &session_info->session_key);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
- *_session_info = session_info;
+ *_session_info = talloc_steal(mem_ctx_out, session_info);
- talloc_steal(gensec_krb5_state, session_info);
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
static PyObject *py_gensec_session_info(PyObject *self)
{
+ TALLOC_CTX *mem_ctx;
NTSTATUS status;
PyObject *py_session_info;
struct gensec_security *security = py_talloc_get_type(self, struct gensec_security);
PyErr_SetString(PyExc_RuntimeError, "no mechanism selected");
return NULL;
}
- status = gensec_session_info(security, &info);
+ mem_ctx = talloc_new(NULL);
+
+ status = gensec_session_info(security, mem_ctx, &info);
if (NT_STATUS_IS_ERR(status)) {
PyErr_SetNTSTATUS(status);
return NULL;
py_session_info = py_return_ndr_struct("samba.dcerpc.auth", "session_info",
info, info);
+ talloc_free(mem_ctx);
return py_session_info;
}
}
static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
- DATA_BLOB *session_key)
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *session_key)
{
return NT_STATUS_NOT_IMPLEMENTED;
}
*/
static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
- struct auth_session_info **_session_info)
+ TALLOC_CTX *mem_ctx,
+ struct auth_session_info **_session_info)
{
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
- return auth_anonymous_session_info(state, gensec_security->settings->lp_ctx, _session_info);
+ return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
}
static NTSTATUS schannel_start(struct gensec_security *gensec_security)
}
static NTSTATUS gensec_spnego_session_key(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
}
return gensec_session_key(spnego_state->sub_sec_security,
+ mem_ctx,
session_key);
}
static NTSTATUS gensec_spnego_session_info(struct gensec_security *gensec_security,
- struct auth_session_info **session_info)
+ TALLOC_CTX *mem_ctx,
+ struct auth_session_info **session_info)
{
struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
if (!spnego_state->sub_sec_security) {
}
return gensec_session_info(spnego_state->sub_sec_security,
+ mem_ctx,
session_info);
}
*/
NTSTATUS gensec_ntlmssp_session_key(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
DATA_BLOB *session_key)
{
struct gensec_ntlmssp_context *gensec_ntlmssp =
if (!ntlmssp_state->session_key.data) {
return NT_STATUS_NO_USER_SESSION_KEY;
}
- *session_key = ntlmssp_state->session_key;
+ *session_key = data_blob_talloc(mem_ctx, ntlmssp_state->session_key.data, ntlmssp_state->session_key.length);
+ if (!session_key->data) {
+ return NT_STATUS_NO_MEMORY;
+ }
return NT_STATUS_OK;
}
*/
NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
struct gensec_ntlmssp_context);
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
- nt_status = gensec_generate_session_info(ntlmssp_state,
+ nt_status = gensec_generate_session_info(mem_ctx,
gensec_security,
gensec_ntlmssp->user_info_dc,
session_info);
NT_STATUS_NOT_OK_RETURN(nt_status);
- (*session_info)->session_key = data_blob_talloc(*session_info,
- ntlmssp_state->session_key.data,
- ntlmssp_state->session_key.length);
-
- return NT_STATUS_OK;
+ return gensec_ntlmssp_session_key(gensec_security, *session_info,
+ &(*session_info)->session_key);
}
/**
state->drsuapi->drsuapi_handle = state->drsuapi->pipe->binding_handle;
status = gensec_session_key(state->drsuapi->pipe->conn->security_state.generic_state,
+ state->drsuapi,
&state->drsuapi->gensec_skey);
if (tevent_req_nterror(req, status)) {
return;
size_t pw_len;
if (!NT_STATUS_IS_OK(gensec_session_info(gensec_security,
+ mem_ctx,
&session_info))) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_HARDERROR,
errstr = NULL;
talloc_unlink(call->conn, call->conn->session_info);
- call->conn->session_info = session_info;
- talloc_steal(call->conn, session_info);
+ call->conn->session_info = talloc_steal(call->conn, session_info);
/* don't leak the old LDB */
talloc_unlink(call->conn, call->conn->ldb);
old_session_info = conn->session_info;
conn->session_info = NULL;
- status = gensec_session_info(conn->gensec, &conn->session_info);
+ status = gensec_session_info(conn->gensec, conn, &conn->session_info);
if (!NT_STATUS_IS_OK(status)) {
conn->session_info = old_session_info;
result = LDAP_OPERATIONS_ERROR;
req->creds.SASL.mechanism, nt_errstr(status));
} else {
talloc_unlink(conn, old_session_info);
- talloc_steal(conn, conn->session_info);
/* don't leak the old LDB */
talloc_unlink(conn, conn->ldb);
tevent_req_data(req,
struct smb2_session_setup_spnego_state);
struct smb2_session *session = subreq->session;
- NTSTATUS session_key_err;
- DATA_BLOB session_key;
NTSTATUS peer_status;
NTSTATUS status;
return;
}
- session_key_err = gensec_session_key(session->gensec, &session_key);
- if (NT_STATUS_IS_OK(session_key_err)) {
- session->session_key = session_key;
- }
+ gensec_session_key(session->gensec, session, &session->session_key);
if (session->transport->signing_required) {
if (session->session_key.length == 0) {
c->status = NT_STATUS_INTERNAL_ERROR;
break;
}
- session_key_err = gensec_session_key(session->gensec, &session_key);
+ session_key_err = gensec_session_key(session->gensec, session, &session->user_session_key);
if (NT_STATUS_IS_OK(session_key_err)) {
- set_user_session_key(session, &session_key);
- smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
+ smbcli_transport_simple_set_signing(session->transport, session->user_session_key, null_data_blob);
}
}
s->drsuapi1.drsuapi_handle = s->drsuapi1.pipe->binding_handle;
c->status = gensec_session_key(s->drsuapi1.pipe->conn->security_state.generic_state,
+ s,
&s->drsuapi1.gensec_skey);
if (!composite_is_ok(c)) return;
s->drsuapi2.drsuapi_handle = s->drsuapi2.pipe->binding_handle;
c->status = gensec_session_key(s->drsuapi2.pipe->conn->security_state.generic_state,
+ s,
&s->drsuapi2.gensec_skey);
if (!composite_is_ok(c)) return;
s->drsuapi3.drsuapi_handle = s->drsuapi3.pipe->binding_handle;
c->status = gensec_session_key(s->drsuapi3.pipe->conn->security_state.generic_state,
+ s,
&s->drsuapi3.gensec_skey);
if (!composite_is_ok(c)) return;
}
status = gensec_session_key(s->drs_pipe->pipe->conn->security_state.generic_state,
+ s,
&s->gensec_skey);
if (!NT_STATUS_IS_OK(status)) {
PyErr_Format(PyExc_RuntimeError, "Unable to get session key from drspipe: %s",
if (NT_STATUS_IS_OK(status)) {
status = gensec_session_info(dce_conn->auth_state.gensec_security,
+ dce_conn,
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
&dce_conn->auth_state.auth_info->credentials);
if (NT_STATUS_IS_OK(status)) {
status = gensec_session_info(dce_conn->auth_state.gensec_security,
+ dce_conn,
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
if (NT_STATUS_IS_OK(status)) {
status = gensec_session_info(dce_conn->auth_state.gensec_security,
+ dce_conn,
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
goto failed;
}
- status = gensec_session_info(smb_sess->gensec_ctx, &session_info);
+ status = gensec_session_info(smb_sess->gensec_ctx, smb_sess, &session_info);
if (!NT_STATUS_IS_OK(status)) goto failed;
- skey_status = gensec_session_key(smb_sess->gensec_ctx, &session_key);
+ /* The session_key is only needed until the end of the smbsrv_setup_signing() call */
+ skey_status = gensec_session_key(smb_sess->gensec_ctx, req, &session_key);
if (NT_STATUS_IS_OK(skey_status)) {
smbsrv_setup_signing(req->smb_conn, &session_key, NULL);
}
goto failed;
}
- status = gensec_session_info(smb_sess->gensec_ctx, &session_info);
+ status = gensec_session_info(smb_sess->gensec_ctx, smb_sess, &session_info);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
}
}
}
status = gensec_session_key(ctx->new_dc.drsuapi.drs_pipe->conn->security_state.generic_state,
- &gensec_skey);
+ ctx, &gensec_skey);
if (!NT_STATUS_IS_OK(status)) {
printf("failed to get gensec session key: %s\n", nt_errstr(status));
return false;
bi->drs_handle = bi->drs_pipe->binding_handle;
status = gensec_session_key(bi->drs_pipe->conn->security_state.generic_state,
- &bi->gensec_skey);
+ mem_ctx, &bi->gensec_skey);
torture_assert_ntstatus_ok(tctx, status, "failed to get gensec session key");
/* Bind to DRSUAPI interface */
/* Extract the PAC using Samba's code */
- status = gensec_session_info(gensec_server_context, &session_info);
+ status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info);
torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
torture_assert(tctx, session_info->torture != NULL, "gensec_session_info failed to fill in torture sub struct");
torture_assert(tctx, session_info->torture->pac_srv_sig != NULL, "pac_srv_sig not present");
/* Extract the PAC using Samba's code */
- status = gensec_session_info(gensec_server_context, &kinit_session_info);
+ status = gensec_session_info(gensec_server_context, gensec_server_context, &kinit_session_info);
torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
/* Extract the PAC using Samba's code */
- status = gensec_session_info(gensec_server_context, &s2u4self_session_info);
+ status = gensec_session_info(gensec_server_context, gensec_server_context, &s2u4self_session_info);
torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
cli_credentials_get_ntlm_username_domain(cmdline_credentials, tctx,
char *grouplist = NULL;
struct auth_session_info *session_info;
- nt_status = gensec_session_info(state->gensec_state, &session_info);
+ nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("gensec_session_info failed: %s\n", nt_errstr(nt_status)));
mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status));
if (strncmp(buf, "GK", 2) == 0) {
char *base64_key;
DEBUG(10, ("Requested session key\n"));
- nt_status = gensec_session_key(state->gensec_state, &session_key);
+ nt_status = gensec_session_key(state->gensec_state, mem_ctx, &session_key);
if(!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("gensec_session_key failed: %s\n", nt_errstr(nt_status)));
mux_printf(mux_id, "BH No session key\n");
} else if /* OK */ (state->gensec_state->gensec_role == GENSEC_SERVER) {
struct auth_session_info *session_info;
- nt_status = gensec_session_info(state->gensec_state, &session_info);
+ nt_status = gensec_session_info(state->gensec_state, mem_ctx, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
reply_code = "BH Failed to retrive session info";
reply_arg = nt_errstr(nt_status);