sq auth/ntlmssp: implement client side channel bindings
authorStefan Metzmacher <metze@samba.org>
Wed, 26 Feb 2020 10:49:23 +0000 (11:49 +0100)
committerStefan Metzmacher <metze@samba.org>
Wed, 26 Feb 2020 14:23:10 +0000 (15:23 +0100)
auth/ntlmssp/ntlmssp_util.c

index ceb3bb20af5e09d71c380c4efc7cc796771bdf24..14d69fc9dfdfde83e7873e039db8bd7478c8a9d6 100644 (file)
@@ -231,11 +231,7 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
        const struct gensec_channel_bindings *cb =
                gensec_security->channel_bindings;
        gnutls_hash_hd_t hash_hnd = NULL;
-       uint8_t header[32];
-       uint32_t next_offset = sizeof(header);
-       uint32_t initiator_address_offset = 0;
-       uint32_t acceptor_address_offset = 0;
-       uint32_t application_data_offset = 0;
+       uint8_t uint32buf[4];
        int rc;
 
        if (cb == NULL) {
@@ -248,35 +244,19 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
                return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
        }
 
-       if (cb->initiator_address.length > 0) {
-               initiator_address_offset = next_offset;
-               next_offset += cb->initiator_address.length;
-       }
-       if (cb->acceptor_address.length > 0) {
-               acceptor_address_offset = next_offset;
-               next_offset += cb->acceptor_address.length;
-       }
-       if (cb->application_data.length > 0) {
-               application_data_offset = next_offset;
-               next_offset += cb->application_data.length;
+       SIVAL(uint32buf, 0, cb->initiator_addrtype);
+       rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+       if (rc < 0) {
+               gnutls_hash_deinit(hash_hnd, NULL);
+               return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
        }
-
-       SIVAL(header,  0, cb->initiator_addrtype);
-       SIVAL(header,  4, cb->initiator_address.length);
-       SIVAL(header,  8, initiator_address_offset);
-       SIVAL(header, 12, cb->acceptor_addrtype);
-       SIVAL(header, 16, cb->acceptor_address.length);
-       SIVAL(header, 20, acceptor_address_offset);
-       SIVAL(header, 24, cb->application_data.length);
-       SIVAL(header, 28, application_data_offset);
-
-       rc = gnutls_hash(hash_hnd, header, sizeof(header));
+       SIVAL(uint32buf, 0, cb->initiator_address.length);
+       rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
        if (rc < 0) {
                gnutls_hash_deinit(hash_hnd, NULL);
                return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
        }
-
-       if (initiator_address_offset != 0) {
+       if (cb->initiator_address.length > 0) {
                rc = gnutls_hash(hash_hnd,
                                 cb->initiator_address.data,
                                 cb->initiator_address.length);
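Review bot: The new serialization (each addrtype and length as a 4-byte little-endian integer followed by the raw bytes, no offsets) is exactly what the peer must reproduce for the ChannelBindings MD5 to match, yet the hunk records neither where that layout comes from nor why the 32-byte header-with-offsets form it replaces was wrong, so the next refactor has nothing to warn it off. A comment above the first `SIVAL` along the lines of `/* Serialize the bindings as RFC 4121 section 4.1.1.2 lays them out: each addrtype and length as a 4-byte little-endian integer followed by the bytes themselves; the peer hashes this exact byte sequence, so no field may be reordered or padded. */` would make the wire contract explicit (the RFC reference is my reading of the layout, worth confirming against MS-NLMP before committing it). Separately, `SIVAL` truncates the `.length` values to 32 bits; if those fields are `size_t`, a guard returning NT_STATUS_INVALID_PARAMETER for a length above `UINT32_MAX` before any hashing would keep the hashed length from ever disagreeing with the bytes fed in. ntlmssp_hash_channel_bindings begins and ends outside this hunk.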
@@ -285,8 +265,19 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
                        return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
                }
        }
-
-       if (acceptor_address_offset != 0) {
+       SIVAL(uint32buf, 0, cb->acceptor_addrtype);
+       rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+       if (rc < 0) {
+               gnutls_hash_deinit(hash_hnd, NULL);
+               return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+       }
+       SIVAL(uint32buf, 0, cb->acceptor_address.length);
+       rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+       if (rc < 0) {
+               gnutls_hash_deinit(hash_hnd, NULL);
+               return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+       }
+       if (cb->acceptor_address.length > 0) {
                rc = gnutls_hash(hash_hnd,
                                 cb->acceptor_address.data,
                                 cb->acceptor_address.length);
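Review bot: The addrtype/length/data triple for the acceptor address repeats the block just written for the initiator address, and the application_data pair that follows repeats it a third time, each copy carrying its own four-line gnutls_hash_deinit-and-return failure path. A static helper that hashes one length-prefixed field (4-byte little-endian length, then the bytes only when the field is non-empty) would reduce every field to one call and one failure check, and keep the three fields from drifting apart the next time the failure path changes. The shape is sketched below, assuming the address fields are DATA_BLOBs as the `.data`/`.length` accesses suggest; the helper would sit above ntlmssp_hash_channel_bindings, whose start and end lie outside this hunk.
```c
/*
 * Hash one channel-binding field as its 4-byte little-endian length
 * followed by the raw bytes (the length alone when the field is empty).
 * Returns the gnutls status: 0 on success, negative on failure.
 */
static int ntlmssp_hash_cb_blob(gnutls_hash_hd_t hash_hnd,
				const DATA_BLOB *blob)
{
	uint8_t lenbuf[4];
	int rc;

	SIVAL(lenbuf, 0, blob->length);
	rc = gnutls_hash(hash_hnd, lenbuf, sizeof(lenbuf));
	if (rc < 0 || blob->length == 0) {
		return rc;
	}
	return gnutls_hash(hash_hnd, blob->data, blob->length);
}

	/* … unchanged: acceptor_addrtype hashed as a 4-byte integer … */
	rc = ntlmssp_hash_cb_blob(hash_hnd, &cb->acceptor_address);
	if (rc < 0) {
		gnutls_hash_deinit(hash_hnd, NULL);
		return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
	}
```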
@@ -295,8 +286,13 @@ NTSTATUS ntlmssp_hash_channel_bindings(struct gensec_security *gensec_security,
                        return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
                }
        }
-
-       if (application_data_offset != 0) {
+       SIVAL(uint32buf, 0, cb->application_data.length);
+       rc = gnutls_hash(hash_hnd, uint32buf, sizeof(uint32buf));
+       if (rc < 0) {
+               gnutls_hash_deinit(hash_hnd, NULL);
+               return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+       }
+       if (cb->application_data.length > 0) {
                rc = gnutls_hash(hash_hnd,
                                 cb->application_data.data,
                                 cb->application_data.length);