summaryrefslogtreecommitdiff
path: root/usr
diff options
context:
space:
mode:
authorMatt Barden <mbarden@tintri.com>2021-05-24 20:47:24 -0400
committerGordon Ross <gwr@racktopsystems.com>2022-09-18 11:07:42 -0400
commitc585f97b10d318e825698eb51d4671fef5b4d21f (patch)
tree9acf9ad2a30823c04a55d2cd30592403745dbe79 /usr
parentba55de6b420021ddc0b5990dd680795ee33d4f94 (diff)
downloadillumos-gate-c585f97b10d318e825698eb51d4671fef5b4d21f.tar.gz
14870 Netlogon client stops using SecureRPC after RPC call error
Reviewed by: Prashanth Badari <prbadari@tintri.com> Reviewed by: Gordon Ross <gordon.w.ross@gmail.com> Approved by: Patrick Mooney <pmooney@pfmooney.com>
Diffstat (limited to 'usr')
-rw-r--r--usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c30
-rw-r--r--usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c27
2 files changed, 41 insertions, 16 deletions
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c b/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c
index f56838303f..ebf454da5c 100644
--- a/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c
+++ b/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c
@@ -21,7 +21,7 @@
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2020 Tintri by DDN, Inc. All rights reserved.
+ * Copyright 2021 Tintri by DDN, Inc. All rights reserved.
*/
/*
@@ -457,8 +457,11 @@ netr_gen_skey128(netr_info_t *netr_info)
}
rc = smb_auth_ntlm_hash((char *)netr_info->password, ntlmhash);
- if (rc != SMBAUTH_SUCCESS)
+ if (rc != SMBAUTH_SUCCESS) {
+ explicit_bzero(&netr_info->password,
+ sizeof (netr_info->password));
return (SMBAUTH_FAILURE);
+ }
bzero(zerobuf, NETR_SESSKEY_ZEROBUF_SZ);
@@ -467,8 +470,10 @@ netr_gen_skey128(netr_info_t *netr_info)
mechanism.ulParameterLen = 0;
rv = SUNW_C_GetMechSession(mechanism.mechanism, &hSession);
- if (rv != CKR_OK)
- return (SMBAUTH_FAILURE);
+ if (rv != CKR_OK) {
+ rc = SMBAUTH_FAILURE;
+ goto errout;
+ }
rv = C_DigestInit(hSession, &mechanism);
if (rv != CKR_OK)
@@ -499,6 +504,11 @@ netr_gen_skey128(netr_info_t *netr_info)
netr_info->session_key.len = NETR_SESSKEY128_SZ;
cleanup:
(void) C_CloseSession(hSession);
+
+errout:
+ explicit_bzero(&netr_info->password, sizeof (netr_info->password));
+ explicit_bzero(ntlmhash, sizeof (ntlmhash));
+
return (rc);
}
@@ -563,8 +573,10 @@ netr_gen_skey64(netr_info_t *netr_info)
rc = smb_auth_ntlm_hash((char *)netr_info->password, md4hash);
- if (rc != SMBAUTH_SUCCESS)
- return (SMBAUTH_FAILURE);
+ if (rc != SMBAUTH_SUCCESS) {
+ rc = SMBAUTH_FAILURE;
+ goto out;
+ }
data[0] = LE_IN32(&client_challenge[0]) + LE_IN32(&server_challenge[0]);
data[1] = LE_IN32(&client_challenge[1]) + LE_IN32(&server_challenge[1]);
@@ -574,13 +586,17 @@ netr_gen_skey64(netr_info_t *netr_info)
(unsigned char *)le_data, 8);
if (rc != SMBAUTH_SUCCESS)
- return (rc);
+ goto out;
netr_info->session_key.len = NETR_SESSKEY64_SZ;
rc = smb_auth_DES(netr_info->session_key.key,
netr_info->session_key.len, &md4hash[9], NETR_DESKEY_LEN, buffer,
8);
+out:
+ explicit_bzero(&netr_info->password, sizeof (netr_info->password));
+ explicit_bzero(md4hash, sizeof (md4hash));
+ explicit_bzero(buffer, sizeof (buffer));
return (rc);
}
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
index e82722b257..024fda129e 100644
--- a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
+++ b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c
@@ -21,7 +21,7 @@
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2020 Tintri by DDN, Inc. All rights reserved.
+ * Copyright 2021 Tintri by DDN, Inc. All rights reserved.
*/
/*
@@ -49,7 +49,7 @@
uint32_t netlogon_logon(smb_logon_t *, smb_token_t *, smb_domainex_t *);
static uint32_t netr_server_samlogon(mlsvc_handle_t *, netr_info_t *, char *,
smb_logon_t *, smb_token_t *);
-static void netr_invalidate_chain(void);
+static void netr_invalidate_chain(netr_info_t *);
static void netr_interactive_samlogon(netr_info_t *, smb_logon_t *,
struct netr_logon_info1 *);
static void netr_network_samlogon(ndr_heap_t *, netr_info_t *,
@@ -280,7 +280,7 @@ reauth:
*/
if (!did_renego) {
did_renego = B_TRUE;
- netr_invalidate_chain();
+ netr_invalidate_chain(&netr_global_info);
syslog(LOG_ERR, "%s: open failed (%s); "
"renegotiating...",
__func__, xlate_nt_status(status));
@@ -315,7 +315,7 @@ netlogon_logon(smb_logon_t *user_info, smb_token_t *token, smb_domainex_t *di)
"\\\\%s", di->d_dci.dc_name);
if (strncasecmp(netr_global_info.server,
server, strlen(server)) != 0)
- netr_invalidate_chain();
+ netr_invalidate_chain(&netr_global_info);
}
reauth:
@@ -586,7 +586,7 @@ netr_server_samlogon(mlsvc_handle_t *netr_handle, netr_info_t *netr_info,
rc = ndr_rpc_call(netr_handle, opnum, rpc_arg);
if (rc != 0) {
- bzero(netr_info, sizeof (netr_info_t));
+ netr_invalidate_chain(netr_info);
status = NT_STATUS_INVALID_PARAMETER;
} else if (*rpc_status != 0) {
status = NT_SC_VALUE(*rpc_status);
@@ -774,7 +774,7 @@ netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth)
* If the validation fails, destroy the credential chain.
* This should trigger a new authentication chain.
*/
- bzero(netr_info, sizeof (netr_info_t));
+ netr_invalidate_chain(netr_info);
return (NT_STATUS_INSUFFICIENT_LOGON_INFO);
}
@@ -784,7 +784,7 @@ netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth)
* If the validation fails, destroy the credential chain.
* This should trigger a new authentication chain.
*/
- bzero(netr_info, sizeof (netr_info_t));
+ netr_invalidate_chain(netr_info);
result = NT_STATUS_UNSUCCESSFUL;
} else {
/*
@@ -807,9 +807,18 @@ netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth)
* on the next attempt.
*/
static void
-netr_invalidate_chain(void)
+netr_invalidate_chain(netr_info_t *netr_info)
{
- netr_global_info.flags &= ~NETR_FLG_VALID;
+ if ((netr_info->flags & NETR_FLG_VALID) == 0)
+ return;
+
+ netr_info->flags &= ~NETR_FLG_VALID;
+ explicit_bzero(&netr_info->session_key,
+ sizeof (netr_info->session_key));
+ explicit_bzero(&netr_info->client_credential,
+ sizeof (netr_info->client_credential));
+ explicit_bzero(&netr_info->server_credential,
+ sizeof (netr_info->server_credential));
}
/*