krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm()
authorVolker Lendecke <vl@samba.org>
Tue, 20 Nov 2018 16:45:11 +0000 (17:45 +0100)
committerJeremy Allison <jra@samba.org>
Wed, 28 Nov 2018 16:44:15 +0000 (17:44 +0100)
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
auth/credentials/credentials_krb5.c
lib/krb5_wrap/krb5_samba.c
lib/krb5_wrap/krb5_samba.h
source3/libads/krb5_setpw.c
source4/dsdb/samdb/cracknames.c
source4/kdc/db-glue.c
source4/kdc/kpasswd-service-mit.c
source4/kdc/mit_samba.c

index e64773d..d8ca6d9 100644 (file)
@@ -270,14 +270,14 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
                return ENOMEM;
        }
 
-       realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
-                                            princ);
+       realm = smb_krb5_principal_get_realm(
+               cred, ccache->smb_krb5_context->krb5_context, princ);
        krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
        if (realm == NULL) {
                return ENOMEM;
        }
        ok = cli_credentials_set_realm(cred, realm, obtained);
-       SAFE_FREE(realm);
+       TALLOC_FREE(realm);
        if (!ok) {
                return ENOMEM;
        }
index a6ff976..e8abfac 100644 (file)
@@ -2780,24 +2780,25 @@ krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
 /**
  * @brief Get realm of a principal
  *
+ * @param[in] mem_ctx   The talloc ctx to put the result on
+ *
  * @param[in] context   The library context
  *
  * @param[in] principal The principal to get the realm from.
  *
- * @return An allocated string with the realm or NULL if an error occurred.
- *
- * The caller must free the realm string with free() if not needed anymore.
+ * @return A talloced string with the realm or NULL if an error occurred.
  */
-char *smb_krb5_principal_get_realm(krb5_context context,
+char *smb_krb5_principal_get_realm(TALLOC_CTX *mem_ctx,
+                                  krb5_context context,
                                   krb5_const_principal principal)
 {
 #ifdef HAVE_KRB5_PRINCIPAL_GET_REALM /* Heimdal */
-       return strdup(discard_const_p(char, krb5_principal_get_realm(context, principal)));
+       return talloc_strdup(mem_ctx,
+                            krb5_principal_get_realm(context, principal));
 #elif defined(krb5_princ_realm) /* MIT */
-       krb5_data *realm;
-       realm = discard_const_p(krb5_data,
-                               krb5_princ_realm(context, principal));
-       return strndup(realm->data, realm->length);
+       const krb5_data *realm;
+       realm = krb5_princ_realm(context, principal);
+       return talloc_strndup(mem_ctx, realm->data, realm->length);
 #else
 #error UNKNOWN_GET_PRINC_REALM_FUNCTIONS
 #endif
index fb3cb5f..4d0148f 100644 (file)
@@ -298,7 +298,8 @@ krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
                                           uint32_t *sig_type,
                                           DATA_BLOB *sig_blob);
 
-char *smb_krb5_principal_get_realm(krb5_context context,
+char *smb_krb5_principal_get_realm(TALLOC_CTX *mem_ctx,
+                                  krb5_context context,
                                   krb5_const_principal principal);
 
 void smb_krb5_principal_set_type(krb5_context context,
index 94dd8ee..a4a7819 100644 (file)
@@ -217,7 +217,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
     }
        krb5_get_init_creds_opt_set_address_list(opts, addr->addrs);
 
-    realm = smb_krb5_principal_get_realm(context, princ);
+    realm = smb_krb5_principal_get_realm(NULL, context, princ);
 
     /* We have to obtain an INITIAL changepw ticket for changing password */
     if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) {
@@ -225,12 +225,12 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
        krb5_get_init_creds_opt_free(context, opts);
        smb_krb5_free_addresses(context, addr);
        krb5_free_context(context);
-       free(realm);
+       TALLOC_FREE(realm);
        DEBUG(1,("ads_krb5_chg_password: asprintf fail\n"));
        return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
     }
 
-    free(realm);
+    TALLOC_FREE(realm);
     password = SMB_STRDUP(oldpw);
     ret = krb5_get_init_creds_password(context, &creds, princ, password,
                                           kerb_prompter, NULL, 
index 1f8cad7..3360d9a 100644 (file)
@@ -57,7 +57,6 @@ static WERROR dns_domain_from_principal(TALLOC_CTX *mem_ctx, struct smb_krb5_con
        krb5_error_code ret;
        krb5_principal principal;
        /* perhaps it's a principal with a realm, so return the right 'domain only' response */
-       char *realm;
        ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name, 
                                    KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, &principal);
        if (ret) {
@@ -65,11 +64,9 @@ static WERROR dns_domain_from_principal(TALLOC_CTX *mem_ctx, struct smb_krb5_con
                return WERR_OK;
        }
 
-       realm = smb_krb5_principal_get_realm(smb_krb5_context->krb5_context, principal);
-
-       info1->dns_domain_name  = talloc_strdup(mem_ctx, realm);
+       info1->dns_domain_name = smb_krb5_principal_get_realm(
+               mem_ctx, smb_krb5_context->krb5_context, principal);
        krb5_free_principal(smb_krb5_context->krb5_context, principal);
-       free(realm);
 
        W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
 
@@ -290,8 +287,8 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
                return WERR_OK;
        }
 
-       realm = smb_krb5_principal_get_realm(smb_krb5_context->krb5_context,
-                                            principal);
+       realm = smb_krb5_principal_get_realm(
+               mem_ctx, smb_krb5_context->krb5_context, principal);
 
        ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
                             samdb_partitions_dn(sam_ctx, mem_ctx),
@@ -302,7 +299,7 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
                             ldb_binary_encode_string(mem_ctx, realm),
                             LDB_OID_COMPARATOR_AND,
                             SYSTEM_FLAG_CR_NTDS_DOMAIN);
-       free(realm);
+       TALLOC_FREE(realm);
 
        if (ldb_ret != LDB_SUCCESS) {
                DEBUG(2, ("DsCrackNameUPN domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
index 969f4f6..f62a633 100644 (file)
@@ -1030,7 +1030,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                entry_ex->entry.flags.invalid = 0;
                entry_ex->entry.flags.server = 1;
 
-               realm = smb_krb5_principal_get_realm(context, principal);
+               realm = smb_krb5_principal_get_realm(
+                       mem_ctx, context, principal);
                if (realm == NULL) {
                        ret = ENOMEM;
                        goto out;
@@ -1048,7 +1049,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                        entry_ex->entry.flags.change_pw = 1;
                }
 
-               SAFE_FREE(realm);
+               TALLOC_FREE(realm);
 
                entry_ex->entry.flags.client = 0;
                entry_ex->entry.flags.forwardable = 1;
@@ -1655,8 +1656,8 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
                }
 
                num_comp = krb5_princ_size(context, fallback_principal);
-               fallback_realm = smb_krb5_principal_get_realm(context,
-                                                             fallback_principal);
+               fallback_realm = smb_krb5_principal_get_realm(
+                       mem_ctx, context, fallback_principal);
                if (fallback_realm == NULL) {
                        krb5_free_principal(context, fallback_principal);
                        return ENOMEM;
@@ -1669,7 +1670,7 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
                                                context, fallback_principal, 0);
                        if (fallback_account == NULL) {
                                krb5_free_principal(context, fallback_principal);
-                               SAFE_FREE(fallback_realm);
+                               TALLOC_FREE(fallback_realm);
                                return ENOMEM;
                        }
 
@@ -1687,7 +1688,7 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
                        with_dollar = talloc_asprintf(mem_ctx, "%s$",
                                                     fallback_account);
                        if (with_dollar == NULL) {
-                               SAFE_FREE(fallback_realm);
+                               TALLOC_FREE(fallback_realm);
                                return ENOMEM;
                        }
                        TALLOC_FREE(fallback_account);
@@ -1698,11 +1699,11 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
                                                      with_dollar, NULL);
                        TALLOC_FREE(with_dollar);
                        if (ret != 0) {
-                               SAFE_FREE(fallback_realm);
+                               TALLOC_FREE(fallback_realm);
                                return ret;
                        }
                }
-               SAFE_FREE(fallback_realm);
+               TALLOC_FREE(fallback_realm);
 
                if (fallback_principal != NULL) {
                        char *fallback_string = NULL;
@@ -1774,17 +1775,13 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
        krb5_error_code ret;
        struct ldb_message *msg = NULL;
        struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
-       char *realm_from_princ, *realm_from_princ_malloc;
+       char *realm_from_princ;
        char *realm_princ_comp = smb_krb5_principal_get_comp_string(mem_ctx, context, principal, 1);
 
-       realm_from_princ_malloc = smb_krb5_principal_get_realm(context, principal);
-       if (realm_from_princ_malloc == NULL) {
-               /* can't happen */
-               return SDB_ERR_NOENTRY;
-       }
-       realm_from_princ = talloc_strdup(mem_ctx, realm_from_princ_malloc);
-       free(realm_from_princ_malloc);
+       realm_from_princ = smb_krb5_principal_get_realm(
+               mem_ctx, context, principal);
        if (realm_from_princ == NULL) {
+               /* can't happen */
                return SDB_ERR_NOENTRY;
        }
 
@@ -2118,7 +2115,6 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
        TALLOC_CTX *frame = talloc_stackframe();
        NTSTATUS status;
        krb5_error_code ret;
-       char *_realm = NULL;
        bool check_realm = false;
        const char *realm = NULL;
        struct dsdb_trust_routing_table *trt = NULL;
@@ -2145,8 +2141,8 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
                return 0;
        }
 
-       _realm = smb_krb5_principal_get_realm(context, principal);
-       if (_realm == NULL) {
+       realm = smb_krb5_principal_get_realm(frame, context, principal);
+       if (realm == NULL) {
                TALLOC_FREE(frame);
                return ENOMEM;
        }
@@ -2154,23 +2150,15 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
        /*
         * The requested realm needs to be our own
         */
-       ok = lpcfg_is_my_domain_or_realm(kdc_db_ctx->lp_ctx, _realm);
+       ok = lpcfg_is_my_domain_or_realm(kdc_db_ctx->lp_ctx, realm);
        if (!ok) {
                /*
                 * The request is not for us...
                 */
-               SAFE_FREE(_realm);
                TALLOC_FREE(frame);
                return SDB_ERR_NOENTRY;
        }
 
-       realm = talloc_strdup(frame, _realm);
-       SAFE_FREE(_realm);
-       if (realm == NULL) {
-               TALLOC_FREE(frame);
-               return ENOMEM;
-       }
-
        if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
                char *principal_string = NULL;
                krb5_principal enterprise_principal = NULL;
@@ -2196,16 +2184,11 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
                        return ret;
                }
 
-               enterprise_realm = smb_krb5_principal_get_realm(context,
-                                                       enterprise_principal);
+               enterprise_realm = smb_krb5_principal_get_realm(
+                       frame, context, enterprise_principal);
                krb5_free_principal(context, enterprise_principal);
                if (enterprise_realm != NULL) {
-                       realm = talloc_strdup(frame, enterprise_realm);
-                       SAFE_FREE(enterprise_realm);
-                       if (realm == NULL) {
-                               TALLOC_FREE(frame);
-                               return ENOMEM;
-                       }
+                       realm = enterprise_realm;
                }
        }
 
index 1546b16..9a014c0 100644 (file)
@@ -143,7 +143,8 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
                return KRB5_KPASSWD_HARDERROR;
        }
 
-       target_realm = smb_krb5_principal_get_realm(context, target_principal);
+       target_realm = smb_krb5_principal_get_realm(
+               mem_ctx, context, target_principal);
        code = krb5_unparse_name_flags(context,
                                       target_principal,
                                       KRB5_PRINCIPAL_UNPARSE_NO_REALM,
@@ -157,7 +158,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
        if ((target_name != NULL && target_realm == NULL) ||
            (target_name == NULL && target_realm != NULL)) {
                krb5_free_principal(context, target_principal);
-               SAFE_FREE(target_realm);
+               TALLOC_FREE(target_realm);
                SAFE_FREE(target_name);
 
                ok = kpasswd_make_error_reply(mem_ctx,
@@ -174,11 +175,11 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
        }
 
        if (target_name != NULL && target_realm != NULL) {
-               SAFE_FREE(target_realm);
+               TALLOC_FREE(target_realm);
                SAFE_FREE(target_name);
        } else {
                krb5_free_principal(context, target_principal);
-               SAFE_FREE(target_realm);
+               TALLOC_FREE(target_realm);
                SAFE_FREE(target_name);
 
                return kpasswd_change_password(kdc,
index eacca09..54dcd54 100644 (file)
@@ -272,8 +272,8 @@ fetch_referral_principal:
                 * We just redo the lookup in the database with the referral
                 * principal and return success.
                 */
-               dest_realm = smb_krb5_principal_get_realm(ctx->context,
-                                                         sentry.entry.principal);
+               dest_realm = smb_krb5_principal_get_realm(
+                       ctx, ctx->context, sentry.entry.principal);
                sdb_free_entry(&sentry);
                if (dest_realm == NULL) {
                        ret = KRB5_KDB_NOENTRY;
@@ -286,7 +286,7 @@ fetch_referral_principal:
                                              KRB5_TGS_NAME,
                                              dest_realm,
                                              NULL);
-               SAFE_FREE(dest_realm);
+               TALLOC_FREE(dest_realm);
                if (ret != 0) {
                        goto done;
                }