From ead89447a92dcc78de9d6cacbaf7ab0c3b57fbb8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 5 Mar 2021 17:50:47 +0100
Subject: [PATCH] smbXsrv_session: let smbXsrv_session_global_verify_record()
 use talloc_keep_secret() for keys

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14512

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
 source3/smbd/smbXsrv_session.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
index dd7f6fa5e2d..c3aa0ee26cb 100644
--- a/source3/smbd/smbXsrv_session.c
+++ b/source3/smbd/smbXsrv_session.c
@@ -872,6 +872,23 @@ static void smbXsrv_session_global_verify_record(struct db_record *db_rec,
 
 	global = global_blob.info.info0;
 
+#define __BLOB_KEEP_SECRET(__blob) do { \
+	if ((__blob).length != 0) { \
+		talloc_keep_secret((__blob).data); \
+	} \
+} while(0)
+	{
+		uint32_t i;
+		__BLOB_KEEP_SECRET(global->application_key);
+		__BLOB_KEEP_SECRET(global->signing_key_blob);
+		__BLOB_KEEP_SECRET(global->encryption_key_blob);
+		__BLOB_KEEP_SECRET(global->decryption_key_blob);
+		for (i = 0; i < global->num_channels; i++) {
+			__BLOB_KEEP_SECRET(global->channels[i].signing_key_blob);
+		}
+	}
+#undef __BLOB_KEEP_SECRET
+
 	exists = serverid_exists(&global->channels[0].server_id);
 	if (!exists) {
 		struct server_id_buf idbuf;
-- 
2.47.3