auth:gensec: Use GnuTLS SHA256 HMAC for schannel
authorAndreas Schneider <asn@samba.org>
Thu, 11 Oct 2018 12:51:18 +0000 (14:51 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 30 Apr 2019 23:18:28 +0000 (23:18 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec/schannel.c

index 441801b..eea83d3 100644 (file)
@@ -36,6 +36,9 @@
 #include "lib/crypto/crypto.h"
 #include "libds/common/roles.h"
 
+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
@@ -223,11 +226,16 @@ static void netsec_do_sign(struct schannel_state *state,
                           uint8_t *checksum)
 {
        if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-               struct HMACSHA256Context ctx;
-
-               hmac_sha256_init(state->creds->session_key,
-                                sizeof(state->creds->session_key),
-                                &ctx);
+               gnutls_hmac_hd_t hmac_hnd = NULL;
+               int rc;
+
+               rc = gnutls_hmac_init(&hmac_hnd,
+                                     GNUTLS_MAC_SHA256,
+                                     state->creds->session_key,
+                                     sizeof(state->creds->session_key));
+               if (rc < 0) {
+                       return;
+               }
 
                if (confounder) {
                        SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
@@ -235,20 +243,36 @@ static void netsec_do_sign(struct schannel_state *state,
                        SSVAL(header, 4, 0xFFFF);
                        SSVAL(header, 6, 0x0000);
 
-                       hmac_sha256_update(header, 8, &ctx);
-                       hmac_sha256_update(confounder, 8, &ctx);
+                       rc = gnutls_hmac(hmac_hnd, header, 8);
+                       if (rc < 0) {
+                               gnutls_hmac_deinit(hmac_hnd, NULL);
+                               return;
+                       }
+                       rc = gnutls_hmac(hmac_hnd, confounder, 8);
+                       if (rc < 0) {
+                               gnutls_hmac_deinit(hmac_hnd, NULL);
+                               return;
+                       }
                } else {
                        SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
                        SSVAL(header, 2, NL_SEAL_NONE);
                        SSVAL(header, 4, 0xFFFF);
                        SSVAL(header, 6, 0x0000);
 
-                       hmac_sha256_update(header, 8, &ctx);
+                       rc = gnutls_hmac(hmac_hnd, header, 8);
+                       if (rc < 0) {
+                               gnutls_hmac_deinit(hmac_hnd, NULL);
+                               return;
+                       }
                }
 
-               hmac_sha256_update(data, length, &ctx);
+               rc = gnutls_hmac(hmac_hnd, data, length);
+               if (rc < 0) {
+                       gnutls_hmac_deinit(hmac_hnd, NULL);
+                       return;
+               }
 
-               hmac_sha256_final(checksum, &ctx);
+               gnutls_hmac_deinit(hmac_hnd, checksum);
        } else {
                uint8_t packet_digest[16];
                static const uint8_t zeros[4];