Diffstat (limited to 'usr/src/lib')
-rw-r--r-- | usr/src/lib/libshare/nfs/libshare_nfs.c | 9 | ||||
-rw-r--r-- | usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c | 30 | ||||
-rw-r--r-- | usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c | 27 |
3 files changed, 48 insertions, 18 deletions
diff --git a/usr/src/lib/libshare/nfs/libshare_nfs.c b/usr/src/lib/libshare/nfs/libshare_nfs.c index 57118ce038..7c630e37a2 100644 --- a/usr/src/lib/libshare/nfs/libshare_nfs.c +++ b/usr/src/lib/libshare/nfs/libshare_nfs.c @@ -24,6 +24,7 @@ * Copyright (c) 2012, Joyent, Inc. All rights reserved. * Copyright (c) 2014, 2016 by Delphix. All rights reserved. * Copyright 2018 Nexenta Systems, Inc. + * Copyright 2022 RackTop Systems. */ /* @@ -2521,8 +2522,12 @@ struct proto_option_defs { #define PROTO_OPT_MOUNTD_PORT 17 {"mountd_port", "mountd_port", PROTO_OPT_MOUNTD_PORT, - OPT_TYPE_NUMBER, 0, SVC_MOUNTD, 1, UINT16_MAX}, -#define PROTO_OPT_STATD_PORT 18 + OPT_TYPE_NUMBER, 0, SVC_NFSD|SVC_MOUNTD, 1, UINT16_MAX}, +#define PROTO_OPT_MOUNTD_REMOTE_DUMP 18 + {"mountd_remote_dump", + "mountd_remote_dump", PROTO_OPT_MOUNTD_REMOTE_DUMP, + OPT_TYPE_BOOLEAN, B_FALSE, SVC_NFSD|SVC_MOUNTD, B_FALSE, B_TRUE}, +#define PROTO_OPT_STATD_PORT 19 {"statd_port", "statd_port", PROTO_OPT_STATD_PORT, OPT_TYPE_NUMBER, 0, SVC_STATD, 1, UINT16_MAX}, diff --git a/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c b/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c index f56838303f..ebf454da5c 100644 --- a/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c +++ b/usr/src/lib/smbsrv/libmlsvc/common/netr_auth.c @@ -21,7 +21,7 @@ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2020 Tintri by DDN, Inc. All rights reserved. + * Copyright 2021 Tintri by DDN, Inc. All rights reserved. */ /* @@ -457,8 +457,11 @@ netr_gen_skey128(netr_info_t *netr_info) } rc = smb_auth_ntlm_hash((char *)netr_info->password, ntlmhash); - if (rc != SMBAUTH_SUCCESS) + if (rc != SMBAUTH_SUCCESS) { + explicit_bzero(&netr_info->password, + sizeof (netr_info->password)); return (SMBAUTH_FAILURE); + } bzero(zerobuf, NETR_SESSKEY_ZEROBUF_SZ); 
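Review bot: The new `mountd_remote_dump` entry in proto_option_defs has no comment saying what enabling it exposes, even though its default of `B_FALSE` is the security-relevant part of the change. Going by the name it presumably lets non-local hosts issue the mount protocol's DUMP request, which lists the server's client mounts; if so, a one-line comment above the entry such as `/* Allow mount-protocol DUMP from remote hosts; off by default since it discloses the mount table */` would tell the next reader why the default is off. The same hunk also widens the restart mask of `mountd_port` from `SVC_MOUNTD` to `SVC_NFSD|SVC_MOUNTD` without explanation; a short comment on why nfsd now has to be restarted for a mountd port change would help. The proto_option_defs table starts and ends outside the hunk.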
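Review bot: In netr_gen_skey128 the `smb_auth_ntlm_hash` failure path still returns directly after wiping only `password`, while the later hunks of this function route every other failure through `errout:`, which wipes both `password` and `ntlmhash`. If `smb_auth_ntlm_hash` can leave a partial hash in `ntlmhash` on failure, this is the one path where it survives; either way the two styles should agree. Replacing the three added lines with `if (rc != SMBAUTH_SUCCESS) { rc = SMBAUTH_FAILURE; goto errout; }` matches the other paths (no PKCS#11 session exists yet, so skipping `cleanup:` is correct). netr_gen_skey128 starts before this hunk and continues after it.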
@@ -467,8 +470,10 @@ netr_gen_skey128(netr_info_t *netr_info) mechanism.ulParameterLen = 0; rv = SUNW_C_GetMechSession(mechanism.mechanism, &hSession); - if (rv != CKR_OK) - return (SMBAUTH_FAILURE); + if (rv != CKR_OK) { + rc = SMBAUTH_FAILURE; + goto errout; + } rv = C_DigestInit(hSession, &mechanism); if (rv != CKR_OK) @@ -499,6 +504,11 @@ netr_gen_skey128(netr_info_t *netr_info) netr_info->session_key.len = NETR_SESSKEY128_SZ; cleanup: (void) C_CloseSession(hSession); + +errout: + explicit_bzero(&netr_info->password, sizeof (netr_info->password)); + explicit_bzero(ntlmhash, sizeof (ntlmhash)); + return (rc); } @@ -563,8 +573,10 @@ netr_gen_skey64(netr_info_t *netr_info) rc = smb_auth_ntlm_hash((char *)netr_info->password, md4hash); - if (rc != SMBAUTH_SUCCESS) - return (SMBAUTH_FAILURE); + if (rc != SMBAUTH_SUCCESS) { + rc = SMBAUTH_FAILURE; + goto out; + } data[0] = LE_IN32(&client_challenge[0]) + LE_IN32(&server_challenge[0]); data[1] = LE_IN32(&client_challenge[1]) + LE_IN32(&server_challenge[1]); @@ -574,13 +586,17 @@ netr_gen_skey64(netr_info_t *netr_info) (unsigned char *)le_data, 8); if (rc != SMBAUTH_SUCCESS) - return (rc); + goto out; netr_info->session_key.len = NETR_SESSKEY64_SZ; rc = smb_auth_DES(netr_info->session_key.key, netr_info->session_key.len, &md4hash[9], NETR_DESKEY_LEN, buffer, 8); +out: + explicit_bzero(&netr_info->password, sizeof (netr_info->password)); + explicit_bzero(md4hash, sizeof (md4hash)); + explicit_bzero(buffer, sizeof (buffer)); return (rc); } diff --git a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c index e82722b257..024fda129e 100644 --- a/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c +++ b/usr/src/lib/smbsrv/libmlsvc/common/netr_logon.c @@ -21,7 +21,7 @@ /* * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved. - * Copyright 2020 Tintri by DDN, Inc. All rights reserved. + * Copyright 2021 Tintri by DDN, Inc. All rights reserved. */ /* 
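Review bot: The new `errout:` label is reached by falling through from `cleanup:`, so the wipe of `password` and `ntlmhash` now depends on `rc` already holding the right value when control arrives from the success path; the hunk shows no assignment to `rc` after the `smb_auth_ntlm_hash` call, so this is presumably the `SMBAUTH_SUCCESS` left there, but that is worth stating. A comment on the fall-through, e.g. `/* FALLTHROUGH: every exit wipes the key material below */` after `C_CloseSession`, would make the intent explicit and stop a future edit from inserting a `return` between the two labels. The digest-failure paths between the -467 and -499 hunks are outside the visible text, so whether each of them sets `rc` before `goto cleanup` cannot be checked here.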
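Review bot: In netr_gen_skey64 `session_key.len` is set to `NETR_SESSKEY64_SZ` before `smb_auth_DES` runs, so on a DES failure the new `out:` path returns a `netr_info` whose length field advertises a valid 64-bit key while `session_key.key` holds whatever `smb_auth_DES` left; the skey128 variant sets its length only on success. Unless every caller is guaranteed to discard `netr_info` on a non-zero return, the `out:` block should also clear the key on failure, e.g. `if (rc != SMBAUTH_SUCCESS) explicit_bzero(&netr_info->session_key, sizeof (netr_info->session_key));` ahead of the existing wipes. The wipes of `password`, `md4hash` and `buffer` themselves look right, as `buffer` receives the first DES stage and is therefore key material too. netr_gen_skey64 begins before the -563 hunk.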
@@ -49,7 +49,7 @@ uint32_t netlogon_logon(smb_logon_t *, smb_token_t *, smb_domainex_t *); static uint32_t netr_server_samlogon(mlsvc_handle_t *, netr_info_t *, char *, smb_logon_t *, smb_token_t *); -static void netr_invalidate_chain(void); +static void netr_invalidate_chain(netr_info_t *); static void netr_interactive_samlogon(netr_info_t *, smb_logon_t *, struct netr_logon_info1 *); static void netr_network_samlogon(ndr_heap_t *, netr_info_t *, @@ -280,7 +280,7 @@ reauth: */ if (!did_renego) { did_renego = B_TRUE; - netr_invalidate_chain(); + netr_invalidate_chain(&netr_global_info); syslog(LOG_ERR, "%s: open failed (%s); " "renegotiating...", __func__, xlate_nt_status(status)); @@ -315,7 +315,7 @@ netlogon_logon(smb_logon_t *user_info, smb_token_t *token, smb_domainex_t *di) "\\\\%s", di->d_dci.dc_name); if (strncasecmp(netr_global_info.server, server, strlen(server)) != 0) - netr_invalidate_chain(); + netr_invalidate_chain(&netr_global_info); } reauth: @@ -586,7 +586,7 @@ netr_server_samlogon(mlsvc_handle_t *netr_handle, netr_info_t *netr_info, rc = ndr_rpc_call(netr_handle, opnum, rpc_arg); if (rc != 0) { - bzero(netr_info, sizeof (netr_info_t)); + netr_invalidate_chain(netr_info); status = NT_STATUS_INVALID_PARAMETER; } else if (*rpc_status != 0) { status = NT_SC_VALUE(*rpc_status); @@ -774,7 +774,7 @@ netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth) * If the validation fails, destroy the credential chain. * This should trigger a new authentication chain. */ - bzero(netr_info, sizeof (netr_info_t)); + netr_invalidate_chain(netr_info); return (NT_STATUS_INSUFFICIENT_LOGON_INFO); } @@ -784,7 +784,7 @@ netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth) * If the validation fails, destroy the credential chain. * This should trigger a new authentication chain. */ - bzero(netr_info, sizeof (netr_info_t)); + netr_invalidate_chain(netr_info); result = NT_STATUS_UNSUCCESSFUL; } else { /* 
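Review bot: Replacing `bzero(netr_info, sizeof (netr_info_t))` with `netr_invalidate_chain(netr_info)` in netr_server_samlogon and twice in netr_validate_chain narrows what is cleared: the old call zeroed every field, including `password` (a field the netr_auth.c hunks in this commit operate on) and `server`, whereas the helper clears only the flag, `session_key` and the two credentials. That is fine as long as `password` is always wiped by netr_gen_skey128/netr_gen_skey64 after use, which this commit now does, but the dependency is invisible from here; a sentence in the helper's block comment such as `/* password is not cleared here: netr_gen_skey* wipe it after deriving the session key */` would record it. Note also that the old behaviour reset `server`, so a later open compared against an empty name; keeping the name now means invalidation relies solely on NETR_FLG_VALID, which appears intended. All three enclosing functions start and end outside their hunks.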
@@ -807,9 +807,18 @@ netr_validate_chain(netr_info_t *netr_info, struct netr_authenticator *auth) * on the next attempt. */ static void -netr_invalidate_chain(void) +netr_invalidate_chain(netr_info_t *netr_info) { - netr_global_info.flags &= ~NETR_FLG_VALID; + if ((netr_info->flags & NETR_FLG_VALID) == 0) + return; + + netr_info->flags &= ~NETR_FLG_VALID; + explicit_bzero(&netr_info->session_key, + sizeof (netr_info->session_key)); + explicit_bzero(&netr_info->client_credential, + sizeof (netr_info->client_credential)); + explicit_bzero(&netr_info->server_credential, + sizeof (netr_info->server_credential)); } /* |
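Review bot: The early `return` when `NETR_FLG_VALID` is already clear means the session key and credentials are only wiped for a chain that reached the valid state; if netr_gen_skey128/netr_gen_skey64 run before the flag is set (likely, since the key is needed for the authenticator exchange that validates the chain), a chain that fails authentication keeps its derived key in `netr_global_info` until a later successful chain is invalidated. Since the three `explicit_bzero` calls are idempotent and cheap, dropping the two guard lines and always clearing the flag and key material is the safer shape; if the guard is kept for a reason, the block comment above the function should say what that reason is. The function's leading comment is outside the hunk, so whether it already describes this cannot be checked here.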