auth:gensec: Use GnuTLS SHA256 HMAC for schannel

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 441801bac477b33cd18b53bc8178952e26329c36..eea83d302ee70f888e3541f35047f9d9c766a437 100644 (file)
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -36,6 +36,9 @@
 #include "lib/crypto/crypto.h"
 #include "libds/common/roles.h"
 
 #include "lib/crypto/crypto.h"
 #include "libds/common/roles.h"
 

+#include <gnutls/gnutls.h>
+#include <gnutls/crypto.h>
+

 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 


@@ -223,11 +226,16 @@ static void netsec_do_sign(struct schannel_state *state,
                           uint8_t *checksum)
 {
        if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
                           uint8_t *checksum)
 {
        if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {

-               struct HMACSHA256Context ctx;
-
-               hmac_sha256_init(state->creds->session_key,
-                                sizeof(state->creds->session_key),
-                                &ctx);
+               gnutls_hmac_hd_t hmac_hnd = NULL;
+               int rc;
+
+               rc = gnutls_hmac_init(&hmac_hnd,
+                                     GNUTLS_MAC_SHA256,
+                                     state->creds->session_key,
+                                     sizeof(state->creds->session_key));
+               if (rc < 0) {
+                       return;
+               }

 
                if (confounder) {
                        SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
 
                if (confounder) {
                        SSVAL(header, 0, NL_SIGN_HMAC_SHA256);


@@ -235,20 +243,36 @@ static void netsec_do_sign(struct schannel_state *state,
                        SSVAL(header, 4, 0xFFFF);
                        SSVAL(header, 6, 0x0000);
 
                        SSVAL(header, 4, 0xFFFF);
                        SSVAL(header, 6, 0x0000);
 

-                       hmac_sha256_update(header, 8, &ctx);
-                       hmac_sha256_update(confounder, 8, &ctx);
+                       rc = gnutls_hmac(hmac_hnd, header, 8);
+                       if (rc < 0) {
+                               gnutls_hmac_deinit(hmac_hnd, NULL);
+                               return;
+                       }
+                       rc = gnutls_hmac(hmac_hnd, confounder, 8);
+                       if (rc < 0) {
+                               gnutls_hmac_deinit(hmac_hnd, NULL);
+                               return;
+                       }

                } else {
                        SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
                        SSVAL(header, 2, NL_SEAL_NONE);
                        SSVAL(header, 4, 0xFFFF);
                        SSVAL(header, 6, 0x0000);
 
                } else {
                        SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
                        SSVAL(header, 2, NL_SEAL_NONE);
                        SSVAL(header, 4, 0xFFFF);
                        SSVAL(header, 6, 0x0000);
 

-                       hmac_sha256_update(header, 8, &ctx);
+                       rc = gnutls_hmac(hmac_hnd, header, 8);
+                       if (rc < 0) {
+                               gnutls_hmac_deinit(hmac_hnd, NULL);
+                               return;
+                       }

                }
 
                }
 

-               hmac_sha256_update(data, length, &ctx);
+               rc = gnutls_hmac(hmac_hnd, data, length);
+               if (rc < 0) {
+                       gnutls_hmac_deinit(hmac_hnd, NULL);
+                       return;
+               }

 
 

-               hmac_sha256_final(checksum, &ctx);
+               gnutls_hmac_deinit(hmac_hnd, checksum);

        } else {
                uint8_t packet_digest[16];
                static const uint8_t zeros[4];
        } else {
                uint8_t packet_digest[16];
                static const uint8_t zeros[4];