credentials: Protect the cred's nt hash with talloc_keep_secret
authorVolker Lendecke <vl@samba.org>
Fri, 24 May 2024 15:16:14 +0000 (17:16 +0200)
committerJeremy Allison <jra@samba.org>
Mon, 24 Jun 2024 16:21:32 +0000 (16:21 +0000)
This avoids the need for an explicit ZERO_STRUCT before TALLOC_FREE

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
auth/credentials/credentials.c
auth/ntlmssp/ntlmssp_client.c

index d57096c57070d6b3740e64e24205d523396577d7..aade70cd2c131e49d4249fcef364724401bf3aca 100644 (file)
@@ -604,6 +604,7 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
                        if (nt_hash == NULL) {
                                return false;
                        }
+                       talloc_keep_secret(nt_hash);
 
                        converted = strhex_to_str((char *)nt_hash->hash,
                                                  sizeof(nt_hash->hash),
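Review bot: The sequence of allocating, NULL-checking and then calling `talloc_keep_secret(nt_hash);` is now repeated at five sites in this file: here and in the hunks at -739, -763, -788 and -800. The wipe-on-free guarantee therefore depends on every future allocation of a struct samr_Password remembering the call. A small static helper that returns an already protected allocation would make the guarantee structural and reduce each site to one call plus its NULL check. The allocation lines sit just above each hunk and are not visible here, so the allocator call in the sketch is an assumption to confirm. The enclosing functions also start and end outside the hunks.

```c
/* Allocate an NT hash whose memory is wiped when it is freed. */
static struct samr_Password *cli_credentials_new_nt_hash(TALLOC_CTX *mem_ctx)
{
	struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);

	if (nt_hash == NULL) {
		return NULL;
	}
	talloc_keep_secret(nt_hash);
	return nt_hash;
}

/* … unchanged: each call site keeps its own NULL check and error return … */
```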
@@ -739,6 +740,7 @@ _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credential
        if (nt_hash == NULL) {
                return NULL;
        }
+       talloc_keep_secret(nt_hash);
 
        if (password_is_nt_hash) {
                size_t password_len = strlen(password);
@@ -763,6 +765,7 @@ return_hash:
        if (nt_hash == NULL) {
                return NULL;
        }
+       talloc_keep_secret(nt_hash);
 
        *nt_hash = *cred->nt_hash;
 
@@ -788,6 +791,7 @@ _PUBLIC_ struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_creden
                if (!nt_hash) {
                        return NULL;
                }
+               talloc_keep_secret(nt_hash);
 
                *nt_hash = *cred->old_nt_hash;
 
@@ -800,6 +804,7 @@ _PUBLIC_ struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_creden
                if (!nt_hash) {
                        return NULL;
                }
+               talloc_keep_secret(nt_hash);
 
                E_md4hash(old_password, nt_hash->hash);
 
index d8dc1d2940bfc37232069767c33be40bf931d609..a50ff661f5f60d86786d466278c067706edba3e2 100644 (file)
@@ -416,7 +416,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
                nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials,
                                                      mem_ctx);
                if (nt_hash != NULL) {
-                       ZERO_STRUCTP(nt_hash);
                        TALLOC_FREE(nt_hash);
                        ntlmssp_state->use_ccache = false;
                }
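Review bot: Dropping `ZERO_STRUCTP(nt_hash);` makes this free path depend on a guarantee established in another file, and nothing at the call site says so. A short comment above the free, such as `/* wiped on free: cli_credentials_get_nt_hash() marks it with talloc_keep_secret() */`, would stop a later reader from copying the bare `TALLOC_FREE` pattern for a buffer that is not protected. talloc_keep_secret works through the chunk's destructor and talloc keeps only one destructor per chunk. The doc comment of cli_credentials_get_nt_hash() should therefore state that callers must not install their own destructor on the returned hash, since that would replace the wipe. ntlmssp_client_challenge continues outside the hunk.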