From 79754f04bbfcc36977377c98d8dd6addc93af892 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Pavel=20Filipensk=C3=BD?=
Date: Sat, 20 Aug 2022 09:38:55 +0200
Subject: [PATCH] s3:passdb: Zero secrets_domain_info1_password created via secrets_domain_info_password_create()
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Zero out these members of struct secrets_domain_info1_password: DATA_BLOB cleartext_blob; struct samr_Password nt_hash; struct secrets_domain_info1_kerberos_key *keys;

Signed-off-by: Pavel Filipenský
Reviewed-by: Andreas Schneider
---
 source3/passdb/machine_account_secrets.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index 1cf34bbf5c9..494059b2849 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -1077,6 +1077,7 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
 		TALLOC_FREE(keys);
 		return ENOMEM;
 	}
+	talloc_keep_secret(arc4_b.data);
 
 #ifdef HAVE_ADS
 	if (salt_principal == NULL) {
@@ -1151,6 +1152,7 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
 		TALLOC_FREE(salt_data);
 		return ENOMEM;
 	}
+	talloc_keep_secret(aes_256_b.data);
 
 	krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
 						   NULL,
@@ -1177,6 +1179,7 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
 		TALLOC_FREE(salt_data);
 		return ENOMEM;
 	}
+	talloc_keep_secret(aes_128_b.data);
 
 	krb5_free_context(krb5_ctx);
 no_kerberos:
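Review bot: `talloc_keep_secret(aes_256_b.data);` only covers that talloc chunk, and the very next statement hands the buffer to smb_krb5_create_key_from_string(), whose resulting keyblock lives in krb5-managed memory that talloc's zero-on-free cannot reach; whether that derived copy is scrubbed depends on how the keyblock is released later in the function, which is outside this hunk, so it is worth confirming. The same question applies to the aes_128 and arc4 blobs marked in the other two hunks of secrets_domain_info_kerberos_keys() if they are copied anywhere that is not a talloc chunk marked the same way. The placement after each ENOMEM check is correct, since talloc_keep_secret() dereferences the pointer. A one-line comment at the first call would record the intent for the next reader, e.g. `/* raw key material: zeroed when the blob is freed */`. secrets_domain_info_kerberos_keys() starts and ends outside these hunks.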
@@ -1248,10 +1251,12 @@ static NTSTATUS secrets_domain_info_password_create(TALLOC_CTX *mem_ctx, TALLOC_FREE(p); return status; } + talloc_keep_secret(p->cleartext_blob.data); mdfour(p->nt_hash.hash, p->cleartext_blob.data, p->cleartext_blob.length); + talloc_set_destructor(p, password_nt_hash_destructor); ret = secrets_domain_info_kerberos_keys(p, salt_principal); if (ret != 0) { NTSTATUS status = krb5_to_nt_status(ret); -- 2.34.1
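Review bot: `talloc_set_destructor(p, password_nt_hash_destructor);` is installed only after mdfour() has already written the hash into p->nt_hash, so any failure return someone adds between those two statements in future would TALLOC_FREE(p) without zeroing the hash; moving the `talloc_set_destructor` line up to directly follow `talloc_keep_secret(p->cleartext_blob.data);` closes that window at no cost, since mdfour() has no failure path here. The commit message says p->keys is zeroed as well, but nothing in this hunk touches p->keys; presumably the destructor or secrets_domain_info_kerberos_keys() covers it, which is not visible from here. A short comment on the destructor line would explain why a destructor is used rather than a second talloc_keep_secret(), e.g. `/* nt_hash is inline in *p, so zero it via the destructor on free */`. secrets_domain_info_password_create() starts and ends outside the hunk.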