From 1cea29c39874ec0c04b95966cb0889cee475f26c Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Fri, 24 May 2024 17:16:14 +0200
Subject: [PATCH] credentials: Protect the cred's nt hash with
 talloc_keep_secret

This avoids the need for an explict ZERO_STRUCT before TALLOC_FREE

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
 auth/credentials/credentials.c | 5 +++++
 auth/ntlmssp/ntlmssp_client.c  | 1 -
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index d57096c5707..aade70cd2c1 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -604,6 +604,7 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
 			if (nt_hash == NULL) {
 				return false;
 			}
+			talloc_keep_secret(nt_hash);
 
 			converted = strhex_to_str((char *)nt_hash->hash,
 						  sizeof(nt_hash->hash),
@@ -739,6 +740,7 @@ _PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credential
 	if (nt_hash == NULL) {
 		return NULL;
 	}
+	talloc_keep_secret(nt_hash);
 
 	if (password_is_nt_hash) {
 		size_t password_len = strlen(password);
@@ -763,6 +765,7 @@ return_hash:
 	if (nt_hash == NULL) {
 		return NULL;
 	}
+	talloc_keep_secret(nt_hash);
 
 	*nt_hash = *cred->nt_hash;
 
@@ -788,6 +791,7 @@ _PUBLIC_ struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_creden
 		if (!nt_hash) {
 			return NULL;
 		}
+		talloc_keep_secret(nt_hash);
 
 		*nt_hash = *cred->old_nt_hash;
 
@@ -800,6 +804,7 @@ _PUBLIC_ struct samr_Password *cli_credentials_get_old_nt_hash(struct cli_creden
 		if (!nt_hash) {
 			return NULL;
 		}
+		talloc_keep_secret(nt_hash);
 
 		E_md4hash(old_password, nt_hash->hash);
 
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index d8dc1d2940b..a50ff661f5f 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -416,7 +416,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
 		nt_hash = cli_credentials_get_nt_hash(gensec_security->credentials,
 						      mem_ctx);
 		if (nt_hash != NULL) {
-			ZERO_STRUCTP(nt_hash);
 			TALLOC_FREE(nt_hash);
 			ntlmssp_state->use_ccache = false;
 		}
-- 
2.47.2