From e7d5f0a357c42593a015b80390dedf920117a7e2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 17 Oct 2011 09:22:33 +0200 Subject: [PATCH] gensec: move event context from gensec_*_init() to gensec_update() This avoids keeping the event context around on the gensec_security context structure long term. In the Samba3 server, the event context we supply is a NULL pointer, as no server-side modules currently use the event context. Andrew Bartlett Signed-off-by: Stefan Metzmacher --- auth/gensec/gensec.c | 7 +++--- auth/gensec/gensec.h | 5 ++-- auth/gensec/gensec_start.c | 9 ++----- source3/auth/auth_ntlmssp.c | 3 ++- source3/libsmb/ntlmssp_wrap.c | 2 +- source4/auth/gensec/gensec_gssapi.c | 16 +++++++------ source4/auth/gensec/gensec_krb5.c | 13 ++++++---- source4/auth/gensec/pygensec.c | 30 +++++++++--------------- source4/auth/gensec/schannel.c | 3 ++- source4/auth/gensec/spnego.c | 27 ++++++++++++++------- source4/auth/ntlmssp/ntlmssp.c | 1 + source4/auth/samba_server_gensec.c | 1 - source4/kdc/kpasswdd.c | 2 +- source4/ldap_server/ldap_bind.c | 2 +- source4/libcli/ldap/ldap_bind.c | 2 +- source4/libcli/smb2/session.c | 3 ++- source4/libcli/smb_composite/sesssetup.c | 6 +++-- source4/librpc/rpc/dcerpc_auth.c | 3 ++- source4/rpc_server/dcesrv_auth.c | 6 ++--- source4/smb_server/smb/negprot.c | 2 +- source4/smb_server/smb2/negprot.c | 2 +- source4/torture/auth/ntlmssp.c | 4 ++-- source4/torture/rpc/remote_pac.c | 24 +++++++++---------- source4/utils/ntlm_auth.c | 6 ++--- 24 files changed, 93 insertions(+), 86 deletions(-) diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c index b7f89f1d563b..cdc7c670abd5 100644 --- a/auth/gensec/gensec.c +++ b/auth/gensec/gensec.c
@@ -197,12 +197,13 @@ _PUBLIC_ NTSTATUS gensec_session_info(struct gensec_security *gensec_security, */ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) + struct tevent_context *ev, + const DATA_BLOB in, DATA_BLOB *out) { NTSTATUS status; status = gensec_security->ops->update(gensec_security, out_mem_ctx, - in, out); + ev, in, out); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -305,7 +306,7 @@ static void gensec_update_async_trigger(struct tevent_context *ctx, tevent_req_data(req, struct gensec_update_state); NTSTATUS status; - status = gensec_update(state->gensec_security, state, + status = gensec_update(state->gensec_security, state, ctx, state->in, &state->out); if (tevent_req_nterror(req, status)) { return; diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h index ee87a4da79e4..acfc54926c42 100644 --- a/auth/gensec/gensec.h +++ b/auth/gensec/gensec.h @@ -92,6 +92,7 @@ struct gensec_security_ops { NTSTATUS (*magic)(struct gensec_security *gensec_security, const DATA_BLOB *first_packet); NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, const DATA_BLOB in, DATA_BLOB *out); NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx, uint8_t *data, size_t length, @@ -161,7 +162,6 @@ struct gensec_security { bool subcontext; uint32_t want_features; uint8_t dcerpc_auth_level; - struct tevent_context *event_ctx; struct tsocket_address *local_addr, *remote_addr; struct gensec_settings *settings; 
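Review bot: The new `ev` parameter is undocumented at all three places it is introduced: the doc comment that closes at the first context line of this hunk, directly above `gensec_update()` in gensec.c, the `update` callback in `struct gensec_security_ops` (gensec.h, `@@ -92`), and the public `gensec_update()` prototype (gensec.h, `@@ -212`). Its contract is not obvious from the code, since `gensec_gssapi_client_creds()` and `gensec_krb5_common_client_creds()` hand it straight to `cli_credentials_get_client_gss_creds()` / `cli_credentials_get_ccache()` and `smb_krb5_context_set_event_ctx()`, while the source3 caller in ntlmssp_wrap.c passes NULL. Suggested text for the prototype: `@param ev event context used by client-side Kerberos/GSSAPI mechanisms for KDC traffic during this call; gensec_security no longer stores it. May be NULL only when no mechanism in the chain needs it (e.g. server-side NTLMSSP).` A shortened form of the same sentence fits the ops callback and the gensec.c definition.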
@@ -212,13 +212,13 @@ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security); NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, - struct tevent_context *ev, struct gensec_settings *settings); NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, const struct gensec_security_ops *ops); NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, const char **sasl_names); NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, const DATA_BLOB in, DATA_BLOB *out); struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -267,7 +267,6 @@ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, uint8_t auth_type, uint8_t auth_level); const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype); NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct gensec_settings *settings, struct auth4_context *auth_context, struct gensec_security **gensec_security); diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index aa609c9b6fcb..d5a5dc83bbfb 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -506,7 +506,6 @@ const char **gensec_security_oids(struct gensec_security *gensec_security, @ gensec_security return */ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct gensec_settings *settings, struct auth4_context *auth_context, struct gensec_security **gensec_security) @@ -514,7 +513,6 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security); NT_STATUS_HAVE_NO_MEMORY(*gensec_security); - (*gensec_security)->event_ctx = ev; SMB_ASSERT(settings->lp_ctx != NULL); (*gensec_security)->settings = talloc_reference(*gensec_security, settings); 
@@ -548,7 +546,6 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, (*gensec_security)->subcontext = true; (*gensec_security)->want_features = parent->want_features; (*gensec_security)->dcerpc_auth_level = parent->dcerpc_auth_level; - (*gensec_security)->event_ctx = parent->event_ctx; (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context); (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings); (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context); @@ -564,7 +561,6 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, */ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, - struct tevent_context *ev, struct gensec_settings *settings) { NTSTATUS status; @@ -574,7 +570,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, return NT_STATUS_INTERNAL_ERROR; } - status = gensec_start(mem_ctx, ev, settings, NULL, gensec_security); + status = gensec_start(mem_ctx, settings, NULL, gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -592,7 +588,6 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, @note The mem_ctx is only a parent and may be NULL. */ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, struct gensec_settings *settings, struct auth4_context *auth_context, struct gensec_security **gensec_security) @@ -604,7 +599,7 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, return NT_STATUS_INTERNAL_ERROR; } - status = gensec_start(mem_ctx, ev, settings, auth_context, gensec_security); + status = gensec_start(mem_ctx, settings, auth_context, gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 9f29ce280151..75098409bd8a 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c 
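Review bot: The context around the removed `event_ctx` line in `gensec_subcontext_start()` shows `(*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);` twice, one line above and one line below the `settings` assignment. That duplicate is pre-existing, but since this hunk already edits the block it is worth dropping the second occurrence: it only adds a redundant reference to the same object and leaves a reader wondering whether the repetition is intentional. Keeping a single `talloc_reference()` here matches the adjacent `settings` line.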
@@ -67,6 +67,7 @@ static NTSTATUS gensec_ntlmssp3_server_session_info(struct gensec_security *gens static NTSTATUS gensec_ntlmssp3_server_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, const DATA_BLOB request, DATA_BLOB *reply) { @@ -268,7 +269,7 @@ NTSTATUS auth_ntlmssp_prepare(const struct tsocket_address *remote_address, return NT_STATUS_NO_MEMORY; } - nt_status = gensec_server_start(ans, NULL, gensec_settings, + nt_status = gensec_server_start(ans, gensec_settings, NULL, &ans->gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c index b90399c559c8..6f854f25cdc4 100644 --- a/source3/libsmb/ntlmssp_wrap.c +++ b/source3/libsmb/ntlmssp_wrap.c @@ -166,7 +166,7 @@ NTSTATUS auth_ntlmssp_update(struct auth_ntlmssp_state *ans, { NTSTATUS status; if (ans->gensec_security) { - return gensec_update(ans->gensec_security, mem_ctx, request, reply); + return gensec_update(ans->gensec_security, mem_ctx, NULL, request, reply); } status = ntlmssp_update(ans->ntlmssp_state, request, reply); if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 564c20cb4822..55c2970d5aaf 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -267,7 +267,8 @@ static NTSTATUS gensec_gssapi_sasl_server_start(struct gensec_security *gensec_s return nt_status; } -static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_security) +static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_security, + struct tevent_context *ev) { struct gensec_gssapi_state *gensec_gssapi_state; struct gssapi_creds_container *gcc; 
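Review bot: In ntlmssp_wrap.c (`@@ -166`) `auth_ntlmssp_update()` now passes a literal NULL as the event context, and nothing at the call site says why that is safe. The commit message gives the reason (no source3 server-side module uses `ev`), but the gensec_gssapi and gensec_krb5 client paths touched by this same patch pass `ev` on to credential and KDC helpers, so the NULL is only valid as long as this `gensec_security` never hosts one of those mechanisms. Suggest `/* ev == NULL: the source3 server-side gensec modules (e.g. the NTLMSSP server in auth_ntlmssp.c) do not use the event context */` above the call, so the assumption is visible to whoever next adds a mechanism here.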
@@ -283,8 +284,8 @@ static NTSTATUS gensec_gssapi_client_creds(struct gensec_security *gensec_securi } ret = cli_credentials_get_client_gss_creds(creds, - gensec_security->event_ctx, - gensec_security->settings->lp_ctx, &gcc, &error_string); + ev, + gensec_security->settings->lp_ctx, &gcc, &error_string); switch (ret) { case 0: break; @@ -423,8 +424,9 @@ static NTSTATUS gensec_gssapi_magic(struct gensec_security *gensec_security, */ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, - TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) + TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, + const DATA_BLOB in, DATA_BLOB *out) { struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state); @@ -445,13 +447,13 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security, struct gsskrb5_send_to_kdc send_to_kdc; krb5_error_code ret; - nt_status = gensec_gssapi_client_creds(gensec_security); + nt_status = gensec_gssapi_client_creds(gensec_security, ev); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } send_to_kdc.func = smb_krb5_send_and_recv_func; - send_to_kdc.ptr = gensec_security->event_ctx; + send_to_kdc.ptr = ev; min_stat = gsskrb5_set_send_to_kdc(&send_to_kdc); if (min_stat) { diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index f17245ccec0d..2a3bd22d32ee 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -272,7 +272,9 @@ static NTSTATUS gensec_krb5_common_client_start(struct gensec_security *gensec_s return NT_STATUS_OK; } -static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_security, bool gssapi) +static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_security, + struct tevent_context *ev, + bool gssapi) { struct gensec_krb5_state *gensec_krb5_state; krb5_error_code ret; 
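Review bot: `send_to_kdc.ptr = ev;` followed by `gsskrb5_set_send_to_kdc(&send_to_kdc)` in the `@@ -445` hunk now installs a per-call event context into what is, as far as I can tell, a library-wide hook; before this change the pointer was `gensec_security->event_ctx`, which lived as long as the gensec context. Unless the hook is re-installed or cleared after the GSS call (the rest of `gensec_gssapi_update()` is outside the hunk), the hook keeps a pointer that dangles once the caller frees its `ev` — `py_gensec_update()` in this same patch allocates `ev` under a per-call `mem_ctx`, so that case is reachable. Suggest re-installing the hook with `send_to_kdc.ptr = NULL;` once the call that needs it has returned, or documenting at the `ev` parameter that it must outlive the next KDC exchange.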
@@ -289,7 +291,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s hostname = gensec_get_target_hostname(gensec_security); ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), - gensec_security->event_ctx, + ev, gensec_security->settings->lp_ctx, &ccache_container, &error_string); switch (ret) { case 0: @@ -311,7 +313,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s in_data.length = 0; /* Do this every time, in case we have weird recursive issues here */ - ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, gensec_security->event_ctx, &previous_ev); + ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev); if (ret != 0) { DEBUG(1, ("gensec_krb5_start: Setting event context failed\n")); return NT_STATUS_NO_MEMORY; @@ -340,7 +342,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s &gensec_krb5_state->enc_ticket); } - smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, gensec_security->event_ctx); + smb_krb5_context_remove_event_ctx(gensec_krb5_state->smb_krb5_context, previous_ev, ev); switch (ret) { case 0: @@ -423,6 +425,7 @@ static NTSTATUS gensec_fake_gssapi_krb5_magic(struct gensec_security *gensec_sec static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, const DATA_BLOB in, DATA_BLOB *out) { struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; @@ -434,7 +437,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, { DATA_BLOB unwrapped_out; - nt_status = gensec_krb5_common_client_creds(gensec_security, gensec_krb5_state->gssapi); + nt_status = gensec_krb5_common_client_creds(gensec_security, ev, gensec_krb5_state->gssapi); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } 
diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c index d7cbea6f574d..858cbe915e22 100644 --- a/source4/auth/gensec/pygensec.c +++ b/source4/auth/gensec/pygensec.c @@ -82,7 +82,6 @@ static PyObject *py_gensec_start_client(PyTypeObject *type, PyObject *args, PyOb struct gensec_settings *settings; const char *kwnames[] = { "settings", NULL }; PyObject *py_settings; - struct tevent_context *ev; struct gensec_security *gensec; if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|O", discard_const_p(char *, kwnames), &py_settings)) @@ -120,13 +119,6 @@ static PyObject *py_gensec_start_client(PyTypeObject *type, PyObject *args, PyOb } } - ev = tevent_context_init(self->talloc_ctx); - if (ev == NULL) { - PyErr_NoMemory(); - PyObject_Del(self); - return NULL; - } - status = gensec_init(); if (!NT_STATUS_IS_OK(status)) { PyErr_SetNTSTATUS(status); @@ -134,7 +126,7 @@ static PyObject *py_gensec_start_client(PyTypeObject *type, PyObject *args, PyOb return NULL; } - status = gensec_client_start(self->talloc_ctx, &gensec, ev, settings); + status = gensec_client_start(self->talloc_ctx, &gensec, settings); if (!NT_STATUS_IS_OK(status)) { PyErr_SetNTSTATUS(status); PyObject_DEL(self); @@ -154,7 +146,6 @@ static PyObject *py_gensec_start_server(PyTypeObject *type, PyObject *args, PyOb const char *kwnames[] = { "settings", "auth_context", NULL }; PyObject *py_settings = Py_None; PyObject *py_auth_context = Py_None; - struct tevent_context *ev; struct gensec_security *gensec; struct auth4_context *auth_context = NULL; @@ -193,13 +184,6 @@ static PyObject *py_gensec_start_server(PyTypeObject *type, PyObject *args, PyOb } } - ev = tevent_context_init(self->talloc_ctx); - if (ev == NULL) { - PyErr_NoMemory(); - PyObject_Del(self); - return NULL; - } - if (py_auth_context != Py_None) { auth_context = pytalloc_get_type(py_auth_context, struct auth4_context); if (!auth_context) { 
@@ -217,7 +201,7 @@ static PyObject *py_gensec_start_server(PyTypeObject *type, PyObject *args, PyOb return NULL; } - status = gensec_server_start(self->talloc_ctx, ev, settings, auth_context, &gensec); + status = gensec_server_start(self->talloc_ctx, settings, auth_context, &gensec); if (!NT_STATUS_IS_OK(status)) { PyErr_SetNTSTATUS(status); PyObject_DEL(self); @@ -368,6 +352,7 @@ static PyObject *py_gensec_update(PyObject *self, PyObject *args) PyObject *ret, *py_in; struct gensec_security *security = pytalloc_get_type(self, struct gensec_security); PyObject *finished_processing; + struct tevent_context *ev; if (!PyArg_ParseTuple(args, "O", &py_in)) return NULL; @@ -382,7 +367,14 @@ static PyObject *py_gensec_update(PyObject *self, PyObject *args) in.data = (uint8_t *)PyString_AsString(py_in); in.length = PyString_Size(py_in); - status = gensec_update(security, mem_ctx, in, &out); + ev = tevent_context_init(mem_ctx); + if (ev == NULL) { + PyErr_NoMemory(); + PyObject_Del(self); + return NULL; + } + + status = gensec_update(security, mem_ctx, ev, in, &out); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index f947d4559689..51be445dbb32 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -52,7 +52,8 @@ static NTSTATUS schannel_session_key(struct gensec_security *gensec_security, } static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) + struct tevent_context *ev, + const DATA_BLOB in, DATA_BLOB *out) { struct schannel_state *state = (struct schannel_state *)gensec_security->private_data; NTSTATUS status; diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index 281b954210ba..fd3caaad87f9 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c 
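Review bot: The `ev == NULL` error path added to `py_gensec_update()` (`@@ -382`) calls `PyObject_Del(self)`, but `self` here is the caller's object passed into a method, not a half-constructed instance as in `py_gensec_start_client()` / `py_gensec_start_server()` where that pattern was copied from; deleting it frees an object Python still references. The path should release the talloc context this function owns instead: `PyErr_NoMemory(); talloc_free(mem_ctx); return NULL;` (assuming `mem_ctx` is freed on the function's other error returns, which are outside the hunk). Separately, a fresh tevent context is now created on every update call; if any mechanism keeps state tied to the event context between calls, that deserves a comment at the `tevent_context_init()` line.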
@@ -331,6 +331,7 @@ static NTSTATUS gensec_spnego_session_info(struct gensec_security *gensec_securi static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec_security, struct spnego_state *spnego_state, + struct tevent_context *ev, TALLOC_CTX *out_mem_ctx, const DATA_BLOB in, DATA_BLOB *out) { @@ -384,7 +385,7 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec return nt_status; } nt_status = gensec_update(spnego_state->sub_sec_security, - out_mem_ctx, in, out); + ev, out_mem_ctx, in, out); return nt_status; } DEBUG(1, ("Failed to parse SPNEGO request\n")); @@ -400,6 +401,7 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_security, struct spnego_state *spnego_state, TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, const char **mechType, const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out) { @@ -451,6 +453,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ nt_status = gensec_update(spnego_state->sub_sec_security, out_mem_ctx, + ev, unwrapped_in, unwrapped_out); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) || @@ -504,6 +507,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ /* only get the helping start blob for the first OID */ nt_status = gensec_update(spnego_state->sub_sec_security, out_mem_ctx, + ev, null_data_blob, unwrapped_out); @@ -579,6 +583,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec_security, struct spnego_state *spnego_state, TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, const DATA_BLOB in, DATA_BLOB *out) { int i; 
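Review bot: The call in `gensec_spnego_server_try_fallback()` (`@@ -384`) passes the arguments in the wrong order, `gensec_update(spnego_state->sub_sec_security, ev, out_mem_ctx, in, out)`, while the new prototype is `(gensec_security, out_mem_ctx, ev, in, out)`; the same swap is in the `SPNEGO_FALLBACK` case of `gensec_spnego_update()` (`@@ -755`, next line). Because `TALLOC_CTX` is a `void` typedef the compiler accepts both pointers silently, so the sub-mechanism would run with the talloc context as its event context and allocate its output on `ev`. Both calls should read `gensec_update(spnego_state->sub_sec_security, out_mem_ctx, ev, in, out);`. The swap is easy to make because the new helper signatures disagree: `gensec_spnego_server_try_fallback()` takes `ev` before `out_mem_ctx`, while `gensec_spnego_parse_negTokenInit()` and `gensec_spnego_create_negTokenInit()` take it after, matching `gensec_update()`; aligning all three on the `gensec_update()` order would remove the trap.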
@@ -619,6 +624,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec if (spnego_state->state_position == SPNEGO_CLIENT_START) { nt_status = gensec_update(spnego_state->sub_sec_security, out_mem_ctx, + ev, null_data_blob, &unwrapped_out); @@ -734,6 +740,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, const DATA_BLOB in, DATA_BLOB *out) { struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data; @@ -755,7 +762,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA switch (spnego_state->state_position) { case SPNEGO_FALLBACK: - return gensec_update(spnego_state->sub_sec_security, + return gensec_update(spnego_state->sub_sec_security, ev, out_mem_ctx, in, out); case SPNEGO_SERVER_START: { @@ -764,8 +771,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA len = spnego_read_data(gensec_security, in, &spnego); if (len == -1) { - return gensec_spnego_server_try_fallback(gensec_security, spnego_state, - out_mem_ctx, in, out); + return gensec_spnego_server_try_fallback(gensec_security, spnego_state, + out_mem_ctx, ev, in, out); } /* client sent NegTargetInit, we send NegTokenTarg */ @@ -781,6 +788,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA nt_status = gensec_spnego_parse_negTokenInit(gensec_security, spnego_state, out_mem_ctx, + ev, spnego.negTokenInit.mechTypes, spnego.negTokenInit.mechToken, &unwrapped_out); 
@@ -798,7 +806,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA return nt_status; } else { nt_status = gensec_spnego_create_negTokenInit(gensec_security, spnego_state, - out_mem_ctx, in, out); + out_mem_ctx, ev, in, out); spnego_state->state_position = SPNEGO_SERVER_START; spnego_state->expected_packet = SPNEGO_NEG_TOKEN_INIT; return nt_status; @@ -815,7 +823,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (!in.length) { /* client to produce negTokenInit */ nt_status = gensec_spnego_create_negTokenInit(gensec_security, spnego_state, - out_mem_ctx, in, out); + out_mem_ctx, ev, in, out); spnego_state->state_position = SPNEGO_CLIENT_TARG; spnego_state->expected_packet = SPNEGO_NEG_TOKEN_TARG; return nt_status; @@ -849,6 +857,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA nt_status = gensec_spnego_parse_negTokenInit(gensec_security, spnego_state, out_mem_ctx, + ev, spnego.negTokenInit.mechTypes, spnego.negTokenInit.mechToken, &unwrapped_out); @@ -916,7 +925,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } nt_status = gensec_update(spnego_state->sub_sec_security, - out_mem_ctx, + out_mem_ctx, ev, spnego.negTokenTarg.responseToken, &unwrapped_out); if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) { @@ -1012,7 +1021,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } nt_status = gensec_update(spnego_state->sub_sec_security, - out_mem_ctx, + out_mem_ctx, ev, spnego.negTokenTarg.responseToken, &unwrapped_out); spnego_state->neg_oid = talloc_strdup(spnego_state, spnego.negTokenTarg.supportedMech); 
@@ -1042,7 +1051,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA bool new_spnego = false; nt_status = gensec_update(spnego_state->sub_sec_security, - out_mem_ctx, + out_mem_ctx, ev, spnego.negTokenTarg.responseToken, &unwrapped_out); diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c index 0c63d05d6835..47903d161bf9 100644 --- a/source4/auth/ntlmssp/ntlmssp.c +++ b/source4/auth/ntlmssp/ntlmssp.c @@ -142,6 +142,7 @@ static NTSTATUS gensec_ntlmssp_update_find(struct ntlmssp_state *ntlmssp_state, static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, const DATA_BLOB input, DATA_BLOB *out) { struct gensec_ntlmssp_context *gensec_ntlmssp = diff --git a/source4/auth/samba_server_gensec.c b/source4/auth/samba_server_gensec.c index 24b658ad321f..7b09aa78d7e0 100644 --- a/source4/auth/samba_server_gensec.c +++ b/source4/auth/samba_server_gensec.c @@ -57,7 +57,6 @@ NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx, } nt_status = gensec_server_start(tmp_ctx, - event_ctx, lpcfg_gensec_settings(mem_ctx, lp_ctx), auth_context, &gensec_ctx); diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 0763e9249864..8bed20e51814 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -571,7 +571,7 @@ enum kdc_process_ret kpasswdd_process(struct kdc_server *kdc, } /* Accept the AP-REQ and generate teh AP-REP we need for the reply */ - nt_status = gensec_update(gensec_security, tmp_ctx, ap_req, &ap_rep); + nt_status = gensec_update(gensec_security, tmp_ctx, kdc->task->event_ctx, ap_req, &ap_rep); if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ret = kpasswdd_make_unauth_error_reply(kdc, mem_ctx, diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index fd7deda49903..e0db358b4f86 100644 --- a/source4/ldap_server/ldap_bind.c 
+++ b/source4/ldap_server/ldap_bind.c @@ -202,7 +202,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) input = *req->creds.SASL.secblob; } - status = gensec_update(conn->gensec, reply, + status = gensec_update(conn->gensec, reply, conn->connection->event.ctx, input, &output); /* Windows 2000 mmc doesn't like secblob == NULL and reports a decoding error */ diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c index e5e8cbadb4c4..f167f17de966 100644 --- a/source4/libcli/ldap/ldap_bind.c +++ b/source4/libcli/ldap/ldap_bind.c @@ -225,7 +225,6 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, gensec_init(); status = gensec_client_start(conn, &conn->gensec, - conn->event.event_ctx, lpcfg_gensec_settings(conn, lp_ctx)); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status))); @@ -319,6 +318,7 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, int result = LDAP_OTHER; status = gensec_update(conn->gensec, tmp_ctx, + conn->event.event_ctx, input, &output); /* The status value here, from GENSEC is vital to the security diff --git a/source4/libcli/smb2/session.c b/source4/libcli/smb2/session.c index 0f749a0b6c2f..f30152329e91 100644 --- a/source4/libcli/smb2/session.c +++ b/source4/libcli/smb2/session.c @@ -53,7 +53,6 @@ struct smb2_session *smb2_session_init(struct smb2_transport *transport, /* prepare a gensec context for later use */ status = gensec_client_start(session, &session->gensec, - session->transport->socket->event.ctx, settings); if (!NT_STATUS_IS_OK(status)) { talloc_free(session); @@ -203,6 +202,7 @@ struct tevent_req *smb2_session_setup_spnego_send(TALLOC_CTX *mem_ctx, } status = gensec_update(session->gensec, state, + session->transport->socket->event.ctx, session->transport->negotiate.secblob, &state->io.in.secblob); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { 
@@ -242,6 +242,7 @@ static void smb2_session_setup_spnego_handler(struct smb2_request *subreq) (NT_STATUS_IS_OK(peer_status) && NT_STATUS_EQUAL(state->gensec_status, NT_STATUS_MORE_PROCESSING_REQUIRED))) { status = gensec_update(session->gensec, state, + session->transport->socket->event.ctx, state->io.out.secblob, &state->io.in.secblob); state->gensec_status = status; diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c index 738566983685..8b1571cc495e 100644 --- a/source4/libcli/smb_composite/sesssetup.c +++ b/source4/libcli/smb_composite/sesssetup.c @@ -181,7 +181,7 @@ static void request_handler(struct smbcli_request *req) * host/attacker might avoid mutal authentication * requirements */ - state->gensec_status = gensec_update(session->gensec, state, + state->gensec_status = gensec_update(session->gensec, state, c->event_ctx, state->setup.spnego.out.secblob, &state->setup.spnego.in.secblob); c->status = state->gensec_status; @@ -443,7 +443,7 @@ static NTSTATUS session_setup_spnego(struct composite_context *c, smbcli_temp_set_signing(session->transport); - status = gensec_client_start(session, &session->gensec, c->event_ctx, + status = gensec_client_start(session, &session->gensec, io->in.gensec_settings); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status))); @@ -500,10 +500,12 @@ static NTSTATUS session_setup_spnego(struct composite_context *c, if ((const void *)chosen_oid == (const void *)GENSEC_OID_SPNEGO) { status = gensec_update(session->gensec, state, + c->event_ctx, session->transport->negotiate.secblob, &state->setup.spnego.in.secblob); } else { status = gensec_update(session->gensec, state, + c->event_ctx, data_blob(NULL, 0), &state->setup.spnego.in.secblob); diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c index fb2f4fb6806f..b3f4f2fdb05a 100644 --- a/source4/librpc/rpc/dcerpc_auth.c +++ b/source4/librpc/rpc/dcerpc_auth.c 
@@ -132,6 +132,7 @@ static void bind_auth_next_step(struct composite_context *c) */ c->status = gensec_update(sec->generic_state, state, + state->pipe->conn->event_ctx, sec->auth_info->credentials, &state->credentials); data_blob_free(&sec->auth_info->credentials); @@ -255,7 +256,6 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx, sec = &p->conn->security_state; c->status = gensec_client_start(p, &sec->generic_state, - p->conn->event_ctx, gensec_settings); if (!NT_STATUS_IS_OK(c->status)) { DEBUG(1, ("Failed to start GENSEC client mode: %s\n", @@ -334,6 +334,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx, */ c->status = gensec_update(sec->generic_state, state, + p->conn->event_ctx, sec->auth_info->credentials, &state->credentials); if (!NT_STATUS_IS_OK(c->status) && diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index ee7a86ab853e..c891cc62b7ab 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -113,7 +113,7 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe } status = gensec_update(dce_conn->auth_state.gensec_security, - call, + call, call->event_ctx, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); @@ -171,7 +171,7 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call) /* Pass the extra data we got from the client down to gensec for processing */ status = gensec_update(dce_conn->auth_state.gensec_security, - call, + call, call->event_ctx, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); if (NT_STATUS_IS_OK(status)) { @@ -250,7 +250,7 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack } status = gensec_update(dce_conn->auth_state.gensec_security, - call, + call, call->event_ctx, dce_conn->auth_state.auth_info->credentials, &dce_conn->auth_state.auth_info->credentials); 
diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c index 378330ff28f7..739881dadcff 100644 --- a/source4/smb_server/smb/negprot.c +++ b/source4/smb_server/smb/negprot.c @@ -392,7 +392,7 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice) if (NT_STATUS_IS_OK(nt_status)) { /* Get and push the proposed OID list into the packets */ - nt_status = gensec_update(gensec_security, req, null_data_blob, &blob); + nt_status = gensec_update(gensec_security, req, req->smb_conn->connection->event.ctx, null_data_blob, &blob); if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { DEBUG(1, ("Failed to get SPNEGO to give us the first token: %s\n", nt_errstr(nt_status))); diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index bc896aa92408..dd69c9fc7ece 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -79,7 +79,7 @@ static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB * return nt_status; } - nt_status = gensec_update(gensec_security, req, null_data_blob, &blob); + nt_status = gensec_update(gensec_security, req, req->smb_conn->connection->event.ctx, null_data_blob, &blob); if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { DEBUG(0, ("Failed to get SPNEGO to give us the first token: %s\n", nt_errstr(nt_status))); smbsrv_terminate_connection(req->smb_conn, "Failed to start SPNEGO - no first token\n"); diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c index c98985c97c3a..db2f2db314c5 100644 --- a/source4/torture/auth/ntlmssp.c +++ b/source4/torture/auth/ntlmssp.c 
@@ -36,7 +36,7 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx) torture_assert_ntstatus_ok(tctx, gensec_client_start(mem_ctx, &gensec_security, - tctx->ev, lpcfg_gensec_settings(tctx, tctx->lp_ctx)), + lpcfg_gensec_settings(tctx, tctx->lp_ctx)), "gensec client start"); gensec_set_credentials(gensec_security, cmdline_credentials); @@ -93,7 +93,7 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx) torture_assert_ntstatus_ok(tctx, gensec_client_start(mem_ctx, &gensec_security, - tctx->ev, lpcfg_gensec_settings(tctx, tctx->lp_ctx)), + lpcfg_gensec_settings(tctx, tctx->lp_ctx)), "Failed to start GENSEC for NTLMSSP"); gensec_set_credentials(gensec_security, cmdline_credentials); diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 88a40b4fe4d8..22fcd73cb4d9 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -85,7 +85,7 @@ static bool test_PACVerify(struct torture_context *tctx, return false; } - status = gensec_client_start(tctx, &gensec_client_context, tctx->ev, + status = gensec_client_start(tctx, &gensec_client_context, lpcfg_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); @@ -97,7 +97,7 @@ static bool test_PACVerify(struct torture_context *tctx, status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); - status = gensec_server_start(tctx, tctx->ev, + status = gensec_server_start(tctx, lpcfg_gensec_settings(tctx, tctx->lp_ctx), NULL, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); 
@@ -112,12 +112,12 @@ static bool test_PACVerify(struct torture_context *tctx, do { /* Do a client-server update dance */ - status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server); + status = gensec_update(gensec_client_context, tmp_ctx, tctx->ev, server_to_client, &client_to_server); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); } - status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client); + status = gensec_update(gensec_server_context, tmp_ctx, tctx->ev, client_to_server, &server_to_client); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed"); } @@ -424,7 +424,7 @@ static bool test_S2U4Self(struct torture_context *tctx, /* First, do a normal Kerberos connection */ - status = gensec_client_start(tctx, &gensec_client_context, tctx->ev, + status = gensec_client_start(tctx, &gensec_client_context, lpcfg_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); @@ -436,7 +436,7 @@ static bool test_S2U4Self(struct torture_context *tctx, status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); - status = gensec_server_start(tctx, tctx->ev, + status = gensec_server_start(tctx, lpcfg_gensec_settings(tctx, tctx->lp_ctx), NULL, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); 
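Review bot: The two gensec_update() lines added here, together with their NT_STATUS_MORE_PROCESSING_REQUIRED checks and assert strings, are now repeated verbatim three times in this file (once in test_PACVerify and twice in test_S2U4Self), and each new line runs to roughly 110 columns. A small static helper performing one round of the client/server exchange would keep the `tctx->ev` plumbing in a single place and let each test's loop body collapse to one call; a sketch follows, leaving the do/while termination condition as it is, since the end of the loop is outside this hunk. The stray `{;` on the two if lines is pre-existing context that could be cleaned up while these lines are being touched.
```c
/* One round of the client/server gensec_update() exchange; returns false on assert failure. */
static bool gensec_update_round(struct torture_context *tctx,
				TALLOC_CTX *tmp_ctx,
				struct gensec_security *client,
				struct gensec_security *server,
				DATA_BLOB *client_to_server,
				DATA_BLOB *server_to_client,
				NTSTATUS *status)
{
	*status = gensec_update(client, tmp_ctx, tctx->ev,
				*server_to_client, client_to_server);
	if (!NT_STATUS_EQUAL(*status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
		torture_assert_ntstatus_ok(tctx, *status, "gensec_update (client) failed");
	}
	*status = gensec_update(server, tmp_ctx, tctx->ev,
				*client_to_server, server_to_client);
	if (!NT_STATUS_EQUAL(*status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
		torture_assert_ntstatus_ok(tctx, *status, "gensec_update (server) failed");
	}
	return true;
}

/* … in test_PACVerify, replacing the loop body … */
do {
	/* Do a client-server update dance */
	if (!gensec_update_round(tctx, tmp_ctx, gensec_client_context,
				 gensec_server_context, &client_to_server,
				 &server_to_client, &status)) {
		return false;
	}
	/* … loop condition unchanged … */
```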
@@ -451,12 +451,12 @@ static bool test_S2U4Self(struct torture_context *tctx, do { /* Do a client-server update dance */ - status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server); + status = gensec_update(gensec_client_context, tmp_ctx, tctx->ev, server_to_client, &client_to_server); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); } - status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client); + status = gensec_update(gensec_server_context, tmp_ctx, tctx->ev, client_to_server, &server_to_client); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed"); } @@ -480,7 +480,7 @@ static bool test_S2U4Self(struct torture_context *tctx, cli_credentials_get_principal(cmdline_credentials, tmp_ctx), talloc_asprintf(tmp_ctx, "host/%s", test_machine_name)); - status = gensec_client_start(tctx, &gensec_client_context, tctx->ev, + status = gensec_client_start(tctx, &gensec_client_context, lpcfg_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); @@ -493,7 +493,7 @@ static bool test_S2U4Self(struct torture_context *tctx, status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); - status = gensec_server_start(tctx, tctx->ev, + status = gensec_server_start(tctx, lpcfg_gensec_settings(tctx, tctx->lp_ctx), NULL, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); 
@@ -508,12 +508,12 @@ static bool test_S2U4Self(struct torture_context *tctx, do { /* Do a client-server update dance */ - status = gensec_update(gensec_client_context, tmp_ctx, server_to_client, &client_to_server); + status = gensec_update(gensec_client_context, tmp_ctx, tctx->ev, server_to_client, &client_to_server); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (client) failed"); } - status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client); + status = gensec_update(gensec_server_context, tmp_ctx, tctx->ev, client_to_server, &server_to_client); if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {; torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed"); } diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index c0a06bd33670..cc92c170b651 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -449,7 +449,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case NTLMSSP_CLIENT_1: /* setup the client side */ - nt_status = gensec_client_start(NULL, &state->gensec_state, ev, + nt_status = gensec_client_start(NULL, &state->gensec_state, lpcfg_gensec_settings(NULL, lp_ctx)); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); @@ -481,7 +481,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, exit(1); } - if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, + if (!NT_STATUS_IS_OK(gensec_server_start(state, lpcfg_gensec_settings(state, lp_ctx), auth_context, &state->gensec_state))) { talloc_free(mem_ctx); 
@@ -632,7 +632,7 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 return;
 }
- nt_status = gensec_update(state->gensec_state, mem_ctx, in, &out);
+ nt_status = gensec_update(state->gensec_state, mem_ctx, ev, in, &out);
 /* don't leak 'bad password'/'no such user' info to the network client */
 nt_status = nt_status_squash(nt_status);
-- 2.34.1
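Review bot: Now that the event context is no longer carried on the gensec state, this gensec_update() call is the only place in manage_gensec_request where `ev` is still consumed, and nothing at the call site says whether a NULL `ev` is acceptable; the same call serves both the client mode set up under NTLMSSP_CLIENT_1 and the server mode, and client-side mechanisms are the ones likely to need a live event loop during update. A comment such as `/* ev must be a usable tevent context here: client-side gensec backends may drive network I/O on it during update */` would record the contract, or it should state explicitly that NULL is tolerated if that is what ntlm_auth relies on. manage_gensec_request begins and ends outside this hunk.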