krb5_wrap: Add a talloc_ctx to smb_krb5_principal_get_realm()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

8 files changed, 50 insertions, 67 deletions

diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index e64773d6d56..d8ca6d97115 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -270,14 +270,14 @@ static int cli_credentials_set_from_ccache(struct cli_credentials *cred,
 		return ENOMEM;
 	}
 
-	realm = smb_krb5_principal_get_realm(ccache->smb_krb5_context->krb5_context,
-					     princ);
+	realm = smb_krb5_principal_get_realm(
+		cred, ccache->smb_krb5_context->krb5_context, princ);
 	krb5_free_principal(ccache->smb_krb5_context->krb5_context, princ);
 	if (realm == NULL) {
 		return ENOMEM;
 	}
 	ok = cli_credentials_set_realm(cred, realm, obtained);
-	SAFE_FREE(realm);
+	TALLOC_FREE(realm);
 	if (!ok) {
 		return ENOMEM;
 	}
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index a6ff97640ca..e8abfac1d8d 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2780,24 +2780,25 @@ krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
 /**
  * @brief Get realm of a principal
  *
+ * @param[in] mem_ctx   The talloc ctx to put the result on
+ *
  * @param[in] context   The library context
  *
  * @param[in] principal The principal to get the realm from.
  *
- * @return An allocated string with the realm or NULL if an error occurred.
- *
- * The caller must free the realm string with free() if not needed anymore.
+ * @return A talloced string with the realm or NULL if an error occurred.
  */
-char *smb_krb5_principal_get_realm(krb5_context context,
+char *smb_krb5_principal_get_realm(TALLOC_CTX *mem_ctx,
+				   krb5_context context,
 				   krb5_const_principal principal)
 {
 #ifdef HAVE_KRB5_PRINCIPAL_GET_REALM /* Heimdal */
-	return strdup(discard_const_p(char, krb5_principal_get_realm(context, principal)));
+	return talloc_strdup(mem_ctx,
+			     krb5_principal_get_realm(context, principal));
 #elif defined(krb5_princ_realm) /* MIT */
-	krb5_data *realm;
-	realm = discard_const_p(krb5_data,
-				krb5_princ_realm(context, principal));
-	return strndup(realm->data, realm->length);
+	const krb5_data *realm;
+	realm = krb5_princ_realm(context, principal);
+	return talloc_strndup(mem_ctx, realm->data, realm->length);
 #else
 #error UNKNOWN_GET_PRINC_REALM_FUNCTIONS
 #endif
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index fb3cb5f2ad8..4d0148fd047 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -298,7 +298,8 @@ krb5_error_code smb_krb5_make_pac_checksum(TALLOC_CTX *mem_ctx,
 					   uint32_t *sig_type,
 					   DATA_BLOB *sig_blob);
 
-char *smb_krb5_principal_get_realm(krb5_context context,
+char *smb_krb5_principal_get_realm(TALLOC_CTX *mem_ctx,
+				   krb5_context context,
 				   krb5_const_principal principal);
 
 void smb_krb5_principal_set_type(krb5_context context,
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 94dd8eefc92..a4a781963a3 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -217,7 +217,7 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
     }
 	krb5_get_init_creds_opt_set_address_list(opts, addr->addrs);
 
-    realm = smb_krb5_principal_get_realm(context, princ);
+    realm = smb_krb5_principal_get_realm(NULL, context, princ);
 
     /* We have to obtain an INITIAL changepw ticket for changing password */
     if (asprintf(&chpw_princ, "kadmin/changepw@%s", realm) == -1) {
@@ -225,12 +225,12 @@ static ADS_STATUS ads_krb5_chg_password(const char *kdc_host,
 	krb5_get_init_creds_opt_free(context, opts);
 	smb_krb5_free_addresses(context, addr);
 	krb5_free_context(context);
-	free(realm);
+	TALLOC_FREE(realm);
 	DEBUG(1,("ads_krb5_chg_password: asprintf fail\n"));
 	return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
     }
 
-    free(realm);
+    TALLOC_FREE(realm);
     password = SMB_STRDUP(oldpw);
     ret = krb5_get_init_creds_password(context, &creds, princ, password,
 					   kerb_prompter, NULL, 
diff --git a/source4/dsdb/samdb/cracknames.c b/source4/dsdb/samdb/cracknames.c
index 1f8cad75579..3360d9a48a5 100644
--- a/source4/dsdb/samdb/cracknames.c
+++ b/source4/dsdb/samdb/cracknames.c
@@ -57,7 +57,6 @@ static WERROR dns_domain_from_principal(TALLOC_CTX *mem_ctx, struct smb_krb5_con
 	krb5_error_code ret;
 	krb5_principal principal;
 	/* perhaps it's a principal with a realm, so return the right 'domain only' response */
-	char *realm;
 	ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, name, 
 				    KRB5_PRINCIPAL_PARSE_REQUIRE_REALM, &principal);
 	if (ret) {
@@ -65,11 +64,9 @@ static WERROR dns_domain_from_principal(TALLOC_CTX *mem_ctx, struct smb_krb5_con
 		return WERR_OK;
 	}
 
-	realm = smb_krb5_principal_get_realm(smb_krb5_context->krb5_context, principal);
-
-	info1->dns_domain_name	= talloc_strdup(mem_ctx, realm);
+	info1->dns_domain_name = smb_krb5_principal_get_realm(
+		mem_ctx, smb_krb5_context->krb5_context, principal);
 	krb5_free_principal(smb_krb5_context->krb5_context, principal);
-	free(realm);
 
 	W_ERROR_HAVE_NO_MEMORY(info1->dns_domain_name);
 
@@ -290,8 +287,8 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 		return WERR_OK;
 	}
 
-	realm = smb_krb5_principal_get_realm(smb_krb5_context->krb5_context,
-					     principal);
+	realm = smb_krb5_principal_get_realm(
+		mem_ctx, smb_krb5_context->krb5_context, principal);
 
 	ldb_ret = ldb_search(sam_ctx, mem_ctx, &domain_res,
 			     samdb_partitions_dn(sam_ctx, mem_ctx),
@@ -302,7 +299,7 @@ static WERROR DsCrackNameUPN(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx,
 			     ldb_binary_encode_string(mem_ctx, realm),
 			     LDB_OID_COMPARATOR_AND,
 			     SYSTEM_FLAG_CR_NTDS_DOMAIN);
-	free(realm);
+	TALLOC_FREE(realm);
 
 	if (ldb_ret != LDB_SUCCESS) {
 		DEBUG(2, ("DsCrackNameUPN domain ref search failed: %s\n", ldb_errstring(sam_ctx)));
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 969f4f6b556..f62a633c6c7 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1030,7 +1030,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 		entry_ex->entry.flags.invalid = 0;
 		entry_ex->entry.flags.server = 1;
 
-		realm = smb_krb5_principal_get_realm(context, principal);
+		realm = smb_krb5_principal_get_realm(
+			mem_ctx, context, principal);
 		if (realm == NULL) {
 			ret = ENOMEM;
 			goto out;
@@ -1048,7 +1049,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 			entry_ex->entry.flags.change_pw = 1;
 		}
 
-		SAFE_FREE(realm);
+		TALLOC_FREE(realm);
 
 		entry_ex->entry.flags.client = 0;
 		entry_ex->entry.flags.forwardable = 1;
@@ -1655,8 +1656,8 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
 		}
 
 		num_comp = krb5_princ_size(context, fallback_principal);
-		fallback_realm = smb_krb5_principal_get_realm(context,
-							      fallback_principal);
+		fallback_realm = smb_krb5_principal_get_realm(
+			mem_ctx, context, fallback_principal);
 		if (fallback_realm == NULL) {
 			krb5_free_principal(context, fallback_principal);
 			return ENOMEM;
@@ -1669,7 +1670,7 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
 						context, fallback_principal, 0);
 			if (fallback_account == NULL) {
 				krb5_free_principal(context, fallback_principal);
-				SAFE_FREE(fallback_realm);
+				TALLOC_FREE(fallback_realm);
 				return ENOMEM;
 			}
 
@@ -1687,7 +1688,7 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
 			with_dollar = talloc_asprintf(mem_ctx, "%s$",
 						     fallback_account);
 			if (with_dollar == NULL) {
-				SAFE_FREE(fallback_realm);
+				TALLOC_FREE(fallback_realm);
 				return ENOMEM;
 			}
 			TALLOC_FREE(fallback_account);
@@ -1698,11 +1699,11 @@ static krb5_error_code samba_kdc_lookup_client(krb5_context context,
 						      with_dollar, NULL);
 			TALLOC_FREE(with_dollar);
 			if (ret != 0) {
-				SAFE_FREE(fallback_realm);
+				TALLOC_FREE(fallback_realm);
 				return ret;
 			}
 		}
-		SAFE_FREE(fallback_realm);
+		TALLOC_FREE(fallback_realm);
 
 		if (fallback_principal != NULL) {
 			char *fallback_string = NULL;
@@ -1774,17 +1775,13 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context,
 	krb5_error_code ret;
 	struct ldb_message *msg = NULL;
 	struct ldb_dn *realm_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
-	char *realm_from_princ, *realm_from_princ_malloc;
+	char *realm_from_princ;
 	char *realm_princ_comp = smb_krb5_principal_get_comp_string(mem_ctx, context, principal, 1);
 
-	realm_from_princ_malloc = smb_krb5_principal_get_realm(context, principal);
-	if (realm_from_princ_malloc == NULL) {
-		/* can't happen */
-		return SDB_ERR_NOENTRY;
-	}
-	realm_from_princ = talloc_strdup(mem_ctx, realm_from_princ_malloc);
-	free(realm_from_princ_malloc);
+	realm_from_princ = smb_krb5_principal_get_realm(
+		mem_ctx, context, principal);
 	if (realm_from_princ == NULL) {
+		/* can't happen */
 		return SDB_ERR_NOENTRY;
 	}
 
@@ -2118,7 +2115,6 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
 	TALLOC_CTX *frame = talloc_stackframe();
 	NTSTATUS status;
 	krb5_error_code ret;
-	char *_realm = NULL;
 	bool check_realm = false;
 	const char *realm = NULL;
 	struct dsdb_trust_routing_table *trt = NULL;
@@ -2145,8 +2141,8 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
 		return 0;
 	}
 
-	_realm = smb_krb5_principal_get_realm(context, principal);
-	if (_realm == NULL) {
+	realm = smb_krb5_principal_get_realm(frame, context, principal);
+	if (realm == NULL) {
 		TALLOC_FREE(frame);
 		return ENOMEM;
 	}
@@ -2154,23 +2150,15 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
 	/*
 	 * The requested realm needs to be our own
 	 */
-	ok = lpcfg_is_my_domain_or_realm(kdc_db_ctx->lp_ctx, _realm);
+	ok = lpcfg_is_my_domain_or_realm(kdc_db_ctx->lp_ctx, realm);
 	if (!ok) {
 		/*
 		 * The request is not for us...
 		 */
-		SAFE_FREE(_realm);
 		TALLOC_FREE(frame);
 		return SDB_ERR_NOENTRY;
 	}
 
-	realm = talloc_strdup(frame, _realm);
-	SAFE_FREE(_realm);
-	if (realm == NULL) {
-		TALLOC_FREE(frame);
-		return ENOMEM;
-	}
-
 	if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
 		char *principal_string = NULL;
 		krb5_principal enterprise_principal = NULL;
@@ -2196,16 +2184,11 @@ static krb5_error_code samba_kdc_lookup_realm(krb5_context context,
 			return ret;
 		}
 
-		enterprise_realm = smb_krb5_principal_get_realm(context,
-							enterprise_principal);
+		enterprise_realm = smb_krb5_principal_get_realm(
+			frame, context, enterprise_principal);
 		krb5_free_principal(context, enterprise_principal);
 		if (enterprise_realm != NULL) {
-			realm = talloc_strdup(frame, enterprise_realm);
-			SAFE_FREE(enterprise_realm);
-			if (realm == NULL) {
-				TALLOC_FREE(frame);
-				return ENOMEM;
-			}
+			realm = enterprise_realm;
 		}
 	}
 
diff --git a/source4/kdc/kpasswd-service-mit.c b/source4/kdc/kpasswd-service-mit.c
index 1546b16b369..9a014c058fe 100644
--- a/source4/kdc/kpasswd-service-mit.c
+++ b/source4/kdc/kpasswd-service-mit.c
@@ -143,7 +143,8 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
 		return KRB5_KPASSWD_HARDERROR;
 	}
 
-	target_realm = smb_krb5_principal_get_realm(context, target_principal);
+	target_realm = smb_krb5_principal_get_realm(
+		mem_ctx, context, target_principal);
 	code = krb5_unparse_name_flags(context,
 				       target_principal,
 				       KRB5_PRINCIPAL_UNPARSE_NO_REALM,
@@ -157,7 +158,7 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
 	if ((target_name != NULL && target_realm == NULL) ||
 	    (target_name == NULL && target_realm != NULL)) {
 		krb5_free_principal(context, target_principal);
-		SAFE_FREE(target_realm);
+		TALLOC_FREE(target_realm);
 		SAFE_FREE(target_name);
 
 		ok = kpasswd_make_error_reply(mem_ctx,
@@ -174,11 +175,11 @@ static krb5_error_code kpasswd_set_password(struct kdc_server *kdc,
 	}
 
 	if (target_name != NULL && target_realm != NULL) {
-		SAFE_FREE(target_realm);
+		TALLOC_FREE(target_realm);
 		SAFE_FREE(target_name);
 	} else {
 		krb5_free_principal(context, target_principal);
-		SAFE_FREE(target_realm);
+		TALLOC_FREE(target_realm);
 		SAFE_FREE(target_name);
 
 		return kpasswd_change_password(kdc,
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index eacca0903ec..54dcd545ea1 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -272,8 +272,8 @@ fetch_referral_principal:
 		 * We just redo the lookup in the database with the referral
 		 * principal and return success.
 		 */
-		dest_realm = smb_krb5_principal_get_realm(ctx->context,
-							  sentry.entry.principal);
+		dest_realm = smb_krb5_principal_get_realm(
+			ctx, ctx->context, sentry.entry.principal);
 		sdb_free_entry(&sentry);
 		if (dest_realm == NULL) {
 			ret = KRB5_KDB_NOENTRY;
@@ -286,7 +286,7 @@ fetch_referral_principal:
 					      KRB5_TGS_NAME,
 					      dest_realm,
 					      NULL);
-		SAFE_FREE(dest_realm);
+		TALLOC_FREE(dest_realm);
 		if (ret != 0) {
 			goto done;
 		}