diff options
author | Matt Barden <mbarden@tintri.com> | 2021-05-24 20:47:24 -0400 |
---|---|---|
committer | Gordon Ross <gwr@racktopsystems.com> | 2022-09-18 11:07:42 -0400 |
commit | c585f97b10d318e825698eb51d4671fef5b4d21f (patch) | |
tree | 9acf9ad2a30823c04a55d2cd30592403745dbe79 /usr | |
parent | ba55de6b420021ddc0b5990dd680795ee33d4f94 (diff) | |
download | illumos-gate-c585f97b10d318e825698eb51d4671fef5b4d21f.tar.gz |
14870 Netlogon client stops using SecureRPC after RPC call error
Reviewed by: Prashanth Badari <prbadari@tintri.com>
Reviewed by: Gordon Ross <gordon.w.ross@gmail.com>
Approved by: Patrick Mooney <pmooney@pfmooney.com>
Diffstat (limited to 'usr')
-rw-r--r-- | usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c | 30 | ||||
-rw-r--r-- | usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c | 27 |
2 files changed, 41 insertions, 16 deletions
diff --git a/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c b/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c index f56838303f..ebf454da5c 100644 --- a/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c +++ b/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c @@ -21,7 +21,7 @@ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2020 Tintri by DDN, Inc. All rights reserved. + * Copyright 2021 Tintri by DDN, Inc. All rights reserved. */ /* @@ -457,8 +457,11 @@ netr_gen_skey128(netr_info_t *netr_info) } rc = smb_auth_ntlm_hash((char *)netr_info->password, ntlmhash); - if (rc != SMBAUTH_SUCCESS) + if (rc != SMBAUTH_SUCCESS) { + explicit_bzero(&netr_info->password, + sizeof (netr_info->password)); return (SMBAUTH_FAILURE); + } bzero(zerobuf, NETR_SESSKEY_ZEROBUF_SZ); @@ -467,8 +470,10 @@ netr_gen_skey128(netr_info_t *netr_info) mechanism.ulParameterLen = 0; rv = SUNW_C_GetMechSession(mechanism.mechanism, &hSession); - if (rv != CKR_OK) - return (SMBAUTH_FAILURE); + if (rv != CKR_OK) { + rc = SMBAUTH_FAILURE; + goto errout; + } rv = C_DigestInit(hSession, &mechanism); if (rv != CKR_OK) @@ -499,6 +504,11 @@ netr_gen_skey128(netr_info_t *netr_info) netr_info->session_key.len = NETR_SESSKEY128_SZ; cleanup: (void) C_CloseSession(hSession); + +errout: + explicit_bzero(&netr_info->password, sizeof (netr_info->password)); + explicit_bzero(ntlmhash, sizeof (ntlmhash)); + return (rc); } @@ -563,8 +573,10 @@ netr_gen_skey64(netr_info_t *netr_info) rc = smb_auth_ntlm_hash((char *)netr_info->password, md4hash); - if (rc != SMBAUTH_SUCCESS) - return (SMBAUTH_FAILURE); + if (rc != SMBAUTH_SUCCESS) { + rc = SMBAUTH_FAILURE; + goto out; + } data[0] = LE_IN32(&client_challenge[0]) + LE_IN32(&server_challenge[0]); data[1] = LE_IN32(&client_challenge[1]) + LE_IN32(&server_challenge[1]); @@ -574,13 +586,17 @@ netr_gen_skey64(netr_info_t *netr_info) (unsigned char *)le_data, 8); if (rc != SMBAUTH_SUCCESS) - return (rc); + goto out; netr_info->session_key.len = NETR_SESSKEY64_SZ; rc = smb_auth_DES(netr_info->session_key.key, netr_info->session_key.len, &md4hash[9], NETR_DESKEY_LEN, buffer, 8); +out: + explicit_bzero(&netr_info->password, sizeof (netr_info->password)); + explicit_bzero(md4hash, sizeof (md4hash)); + explicit_bzero(buffer, sizeof (buffer)); return (rc); } diff --git a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c index e82722b257..024fda129e 100644 --- a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c +++ b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c @@ -21,7 +21,7 @@ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2020 Tintri by DDN, Inc. All rights reserved. + * Copyright 2021 Tintri by DDN, Inc. All rights reserved. */ /* @@ -49,7 +49,7 @@ uint32_t netlogon_logon(smb_logon_t *, smb_token_t *, smb_domainex_t *); static uint32_t netr_server_samlogon(mlsvc_handle_t *, netr_info_t *, char *, smb_logon_t *, smb_token_t *); -static void netr_invalidate_chain(void); +static void netr_invalidate_chain(netr_info_t *); static void netr_interactive_samlogon(netr_info_t *, smb_logon_t *, struct netr_logon_info1 *); static void netr_network_samlogon(ndr_heap_t *, netr_info_t *, @@ -280,7 +280,7 @@ reauth: */ if (!did_renego) { did_renego = B_TRUE; - netr_invalidate_chain(); + netr_invalidate_chain(&netr_global_info); syslog(LOG_ERR, "%s: open failed (%s); " "renegotiating...", __func__, xlate_nt_status(status)); @@ -315,7 +315,7 @@ netlogon_logon(smb_logon_t *user_info, smb_token_t *token, smb_domainex_t *di) "\\\\%s", di->d_dci.dc_name); if (strncasecmp(netr_global_info.server, server, strlen(server)) != 0) - netr_invalidate_chain(); + netr_invalidate_chain(&netr_global_info); } reauth: @@ -586,7 +586,7 @@ netr_server_samlogon(mlsvc_handle_t *netr_handle, netr_info_t *netr_info, rc = ndr_rpc_call(netr_handle, opnum, rpc_arg); if (rc != 0) { - bzero(netr_info, sizeof (netr_info_t)); + netr_invalidate_chain(netr_info); status = NT_STATUS_INVALID_PARAMETER; } else if (*rpc_status != 0) { status = NT_SC_VALUE(*rpc_status); @@ -774,7 +774,7 @@ netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth) * If the validation fails, destroy the credential chain. * This should trigger a new authentication chain. */ - bzero(netr_info, sizeof (netr_info_t)); + netr_invalidate_chain(netr_info); return (NT_STATUS_INSUFFICIENT_LOGON_INFO); } @@ -784,7 +784,7 @@ netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth) * If the validation fails, destroy the credential chain. * This should trigger a new authentication chain. */ - bzero(netr_info, sizeof (netr_info_t)); + netr_invalidate_chain(netr_info); result = NT_STATUS_UNSUCCESSFUL; } else { /* @@ -807,9 +807,18 @@ netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth) * on the next attempt. */ static void -netr_invalidate_chain(void) +netr_invalidate_chain(netr_info_t *netr_info) { - netr_global_info.flags &= ~NETR_FLG_VALID; + if ((netr_info->flags & NETR_FLG_VALID) == 0) + return; + + netr_info->flags &= ~NETR_FLG_VALID; + explicit_bzero(&netr_info->session_key, + sizeof (netr_info->session_key)); + explicit_bzero(&netr_info->client_credential, + sizeof (netr_info->client_credential)); + explicit_bzero(&netr_info->server_credential, + sizeof (netr_info->server_credential)); } /* |