gensec: Remove mem_ctx from calls that do not return memory
authorAndrew Bartlett <abartlet@samba.org>
Thu, 21 Jul 2011 09:10:15 +0000 (19:10 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 3 Aug 2011 08:48:01 +0000 (18:48 +1000)
Signed-off-by: Andrew Tridgell <tridge@samba.org>
12 files changed:
auth/gensec/gensec.c
auth/gensec/gensec.h
libcli/auth/schannel_proto.h
libcli/auth/schannel_sign.c
source3/librpc/rpc/dcerpc_helpers.c
source4/auth/gensec/gensec_gssapi.c
source4/auth/gensec/schannel.c
source4/auth/gensec/spnego.c
source4/auth/ntlmssp/ntlmssp_sign.c
source4/librpc/rpc/dcerpc.c
source4/rpc_server/dcesrv_auth.c
source4/torture/auth/ntlmssp.c

index 390913d..4736e73 100644 (file)
@@ -31,7 +31,6 @@
   wrappers for the gensec function pointers
 */
 _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
-                             TALLOC_CTX *mem_ctx,
                              uint8_t *data, size_t length,
                              const uint8_t *whole_pdu, size_t pdu_length,
                              const DATA_BLOB *sig)
@@ -43,14 +42,13 @@ _PUBLIC_ NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       return gensec_security->ops->unseal_packet(gensec_security, mem_ctx,
+       return gensec_security->ops->unseal_packet(gensec_security,
                                                   data, length,
                                                   whole_pdu, pdu_length,
                                                   sig);
 }
 
 _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
-                            TALLOC_CTX *mem_ctx,
                             const uint8_t *data, size_t length,
                             const uint8_t *whole_pdu, size_t pdu_length,
                             const DATA_BLOB *sig)
@@ -62,7 +60,7 @@ _PUBLIC_ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, whole_pdu, pdu_length, sig);
+       return gensec_security->ops->check_packet(gensec_security, data, length, whole_pdu, pdu_length, sig);
 }
 
 _PUBLIC_ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
index b897419..852618c 100644 (file)
@@ -104,11 +104,11 @@ struct gensec_security_ops {
        size_t   (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
        size_t   (*max_input_size)(struct gensec_security *gensec_security);
        size_t   (*max_wrapped_size)(struct gensec_security *gensec_security);
-       NTSTATUS (*check_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
+       NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
                                 const uint8_t *data, size_t length,
                                 const uint8_t *whole_pdu, size_t pdu_length,
                                 const DATA_BLOB *sig);
-       NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
+       NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
                                  uint8_t *data, size_t length,
                                  const uint8_t *whole_pdu, size_t pdu_length,
                                  const DATA_BLOB *sig);
@@ -241,12 +241,10 @@ struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_se
 NTSTATUS gensec_init(void);
 size_t gensec_max_input_size(struct gensec_security *gensec_security);
 NTSTATUS gensec_unseal_packet(struct gensec_security *gensec_security,
-                             TALLOC_CTX *mem_ctx,
                              uint8_t *data, size_t length,
                              const uint8_t *whole_pdu, size_t pdu_length,
                              const DATA_BLOB *sig);
 NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
-                            TALLOC_CTX *mem_ctx,
                             const uint8_t *data, size_t length,
                             const uint8_t *whole_pdu, size_t pdu_length,
                             const DATA_BLOB *sig);
index e454c3d..e3aeb5a 100644 (file)
@@ -29,7 +29,6 @@ struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
                                             const char *private_dir);
 
 NTSTATUS netsec_incoming_packet(struct schannel_state *state,
-                               TALLOC_CTX *mem_ctx,
                                bool do_unseal,
                                uint8_t *data, size_t length,
                                const DATA_BLOB *sig);
index eb605f4..29a97b9 100644 (file)
@@ -139,7 +139,6 @@ static void netsec_do_sign(struct schannel_state *state,
 }
 
 NTSTATUS netsec_incoming_packet(struct schannel_state *state,
-                               TALLOC_CTX *mem_ctx,
                                bool do_unseal,
                                uint8_t *data, size_t length,
                                const DATA_BLOB *sig)
index 7520d76..b53587d 100644 (file)
@@ -553,7 +553,7 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
        case DCERPC_AUTH_LEVEL_PRIVACY:
                /* Data portion is encrypted. */
                return netsec_incoming_packet(auth_state,
-                                               mem_ctx, true,
+                                               true,
                                                data->data,
                                                data->length,
                                                auth_token);
@@ -561,7 +561,7 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
        case DCERPC_AUTH_LEVEL_INTEGRITY:
                /* Data is signed. */
                return netsec_incoming_packet(auth_state,
-                                               mem_ctx, false,
+                                               false,
                                                data->data,
                                                data->length,
                                                auth_token);
index 6ecd29b..4dd8098 100644 (file)
@@ -1038,7 +1038,6 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
 }
 
 static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_security, 
-                                           TALLOC_CTX *mem_ctx, 
                                            uint8_t *data, size_t length, 
                                            const uint8_t *whole_pdu, size_t pdu_length,
                                            const DATA_BLOB *sig)
@@ -1053,7 +1052,7 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
 
        dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
 
-       in = data_blob_talloc(mem_ctx, NULL, sig->length + length);
+       in = data_blob_talloc(gensec_security, NULL, sig->length + length);
 
        memcpy(in.data, sig->data, sig->length);
        memcpy(in.data + sig->length, data, length);
@@ -1067,9 +1066,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
                              &output_token, 
                              &conf_state,
                              &qop_state);
+       talloc_free(in.data);
        if (GSS_ERROR(maj_stat)) {
+               char *error_string = gssapi_error_string(NULL, maj_stat, min_stat, gensec_gssapi_state->gss_oid);
                DEBUG(1, ("gensec_gssapi_unseal_packet: GSS UnWrap failed: %s\n", 
-                         gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+                         error_string));
+               talloc_free(error_string);
                return NT_STATUS_ACCESS_DENIED;
        }
 
@@ -1128,7 +1130,6 @@ static NTSTATUS gensec_gssapi_sign_packet(struct gensec_security *gensec_securit
 }
 
 static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_security, 
-                                          TALLOC_CTX *mem_ctx, 
                                           const uint8_t *data, size_t length, 
                                           const uint8_t *whole_pdu, size_t pdu_length, 
                                           const DATA_BLOB *sig)
@@ -1159,8 +1160,10 @@ static NTSTATUS gensec_gssapi_check_packet(struct gensec_security *gensec_securi
                              &input_token,
                              &qop_state);
        if (GSS_ERROR(maj_stat)) {
-               DEBUG(1, ("GSS VerifyMic failed: %s\n",
-                         gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+               char *error_string = gssapi_error_string(NULL, maj_stat, min_stat, gensec_gssapi_state->gss_oid);
+               DEBUG(1, ("GSS VerifyMic failed: %s\n", error_string));
+               talloc_free(error_string);
+
                return NT_STATUS_ACCESS_DENIED;
        }
 
index 2e3f021..8f9aa92 100644 (file)
@@ -290,7 +290,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
   unseal a packet
 */
 static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
-                                      TALLOC_CTX *mem_ctx,
                                       uint8_t *data, size_t length,
                                       const uint8_t *whole_pdu, size_t pdu_length,
                                       const DATA_BLOB *sig)
@@ -299,7 +298,7 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
                talloc_get_type(gensec_security->private_data,
                                struct schannel_state);
 
-       return netsec_incoming_packet(state, mem_ctx, true,
+       return netsec_incoming_packet(state, true,
                                      discard_const_p(uint8_t, data),
                                      length, sig);
 }
@@ -308,7 +307,6 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
   check the signature on a packet
 */
 static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
-                                     TALLOC_CTX *mem_ctx,
                                      const uint8_t *data, size_t length,
                                      const uint8_t *whole_pdu, size_t pdu_length,
                                      const DATA_BLOB *sig)
@@ -317,7 +315,7 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
                talloc_get_type(gensec_security->private_data,
                                struct schannel_state);
 
-       return netsec_incoming_packet(state, mem_ctx, false,
+       return netsec_incoming_packet(state, false,
                                      discard_const_p(uint8_t, data),
                                      length, sig);
 }
index 3611d31..c48e87e 100644 (file)
@@ -96,7 +96,6 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
   wrappers for the spnego_*() functions
 */
 static NTSTATUS gensec_spnego_unseal_packet(struct gensec_security *gensec_security, 
-                                           TALLOC_CTX *mem_ctx, 
                                            uint8_t *data, size_t length, 
                                            const uint8_t *whole_pdu, size_t pdu_length, 
                                            const DATA_BLOB *sig)
@@ -109,14 +108,12 @@ static NTSTATUS gensec_spnego_unseal_packet(struct gensec_security *gensec_secur
        }
        
        return gensec_unseal_packet(spnego_state->sub_sec_security, 
-                                   mem_ctx, 
                                    data, length, 
                                    whole_pdu, pdu_length,
                                    sig); 
 }
 
 static NTSTATUS gensec_spnego_check_packet(struct gensec_security *gensec_security, 
-                                          TALLOC_CTX *mem_ctx, 
                                           const uint8_t *data, size_t length, 
                                           const uint8_t *whole_pdu, size_t pdu_length, 
                                           const DATA_BLOB *sig)
@@ -129,7 +126,6 @@ static NTSTATUS gensec_spnego_check_packet(struct gensec_security *gensec_securi
        }
        
        return gensec_check_packet(spnego_state->sub_sec_security, 
-                                  mem_ctx, 
                                   data, length, 
                                   whole_pdu, pdu_length,
                                   sig);
@@ -922,7 +918,6 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
                        new_spnego = true;
                        nt_status = gensec_check_packet(spnego_state->sub_sec_security,
-                                                       out_mem_ctx,
                                                        spnego_state->mech_types.data,
                                                        spnego_state->mech_types.length,
                                                        spnego_state->mech_types.data,
@@ -1029,7 +1024,6 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
                        }
                        if (NT_STATUS_IS_OK(nt_status) && spnego.negTokenTarg.mechListMIC.length > 0) {
                                nt_status = gensec_check_packet(spnego_state->sub_sec_security,
-                                                               out_mem_ctx,
                                                                spnego_state->mech_types.data,
                                                                spnego_state->mech_types.length,
                                                                spnego_state->mech_types.data,
index 95466b0..72cd154 100644 (file)
@@ -45,7 +45,6 @@ NTSTATUS gensec_ntlmssp_sign_packet(struct gensec_security *gensec_security,
 }
 
 NTSTATUS gensec_ntlmssp_check_packet(struct gensec_security *gensec_security,
-                                    TALLOC_CTX *sig_mem_ctx,
                                     const uint8_t *data, size_t length,
                                     const uint8_t *whole_pdu, size_t pdu_length,
                                     const DATA_BLOB *sig)
@@ -87,7 +86,6 @@ NTSTATUS gensec_ntlmssp_seal_packet(struct gensec_security *gensec_security,
   wrappers for the ntlmssp_*() functions
 */
 NTSTATUS gensec_ntlmssp_unseal_packet(struct gensec_security *gensec_security,
-                                     TALLOC_CTX *sig_mem_ctx,
                                      uint8_t *data, size_t length,
                                      const uint8_t *whole_pdu, size_t pdu_length,
                                      const DATA_BLOB *sig)
index 110da57..496cc0b 100644 (file)
@@ -708,7 +708,6 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
        switch (c->security_state.auth_info->auth_level) {
        case DCERPC_AUTH_LEVEL_PRIVACY:
                status = gensec_unseal_packet(c->security_state.generic_state, 
-                                             mem_ctx, 
                                              raw_packet->data + DCERPC_REQUEST_LENGTH,
                                              pkt->u.response.stub_and_verifier.length, 
                                              raw_packet->data,
@@ -721,7 +720,6 @@ static NTSTATUS ncacn_pull_request_auth(struct dcecli_connection *c, TALLOC_CTX
                
        case DCERPC_AUTH_LEVEL_INTEGRITY:
                status = gensec_check_packet(c->security_state.generic_state, 
-                                            mem_ctx, 
                                             pkt->u.response.stub_and_verifier.data, 
                                             pkt->u.response.stub_and_verifier.length, 
                                             raw_packet->data,
index 1e6aa24..0802cd4 100644 (file)
@@ -328,7 +328,6 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
        switch (dce_conn->auth_state.auth_info->auth_level) {
        case DCERPC_AUTH_LEVEL_PRIVACY:
                status = gensec_unseal_packet(dce_conn->auth_state.gensec_security,
-                                             call,
                                              full_packet->data + hdr_size,
                                              pkt->u.request.stub_and_verifier.length, 
                                              full_packet->data,
@@ -341,7 +340,6 @@ bool dcesrv_auth_request(struct dcesrv_call_state *call, DATA_BLOB *full_packet)
 
        case DCERPC_AUTH_LEVEL_INTEGRITY:
                status = gensec_check_packet(dce_conn->auth_state.gensec_security,
-                                            call,
                                             pkt->u.request.stub_and_verifier.data, 
                                             pkt->u.request.stub_and_verifier.length,
                                             full_packet->data,
index 93529ee..c98985c 100644 (file)
@@ -78,14 +78,14 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
                                   "data mismatch");
 
        torture_assert_ntstatus_equal(tctx, 
-                                     gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+                                     gensec_ntlmssp_check_packet(gensec_security,
                                                                  data.data, data.length, data.data, data.length, &sig),
                                      NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)");
 
        ntlmssp_state->session_key = data_blob(NULL, 0);
 
        torture_assert_ntstatus_equal(tctx, 
-                                     gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+                                     gensec_ntlmssp_check_packet(gensec_security,
                                                                  data.data, data.length, data.data, data.length, &sig),
                                      NT_STATUS_NO_USER_SESSION_KEY, "Check of just signed packet without a session key should fail");
 
@@ -135,14 +135,14 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx)
                                   "data mismatch");
 
        torture_assert_ntstatus_equal(tctx, 
-                                     gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+                                     gensec_ntlmssp_check_packet(gensec_security,
                                                                  data.data, data.length, data.data, data.length, &sig),
                                      NT_STATUS_ACCESS_DENIED, "Check of just signed packet (should fail, wrong end)");
 
        sig.length /= 2;
 
        torture_assert_ntstatus_equal(tctx, 
-                                     gensec_ntlmssp_check_packet(gensec_security, gensec_security,
+                                     gensec_ntlmssp_check_packet(gensec_security,
                                                                  data.data, data.length, data.data, data.length, &sig),
                                      NT_STATUS_ACCESS_DENIED, "Check of just signed packet with short sig");