libcli:smb: Use smb2_signing_key for smb2_signing_check_pdu()
authorAndreas Schneider <asn@samba.org>
Thu, 14 Mar 2019 16:42:34 +0000 (17:42 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 30 Apr 2019 23:18:28 +0000 (23:18 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/smb/smb2_signing.c
libcli/smb/smb2_signing.h
libcli/smb/smbXcli_base.c
source3/smbd/smb2_server.c

index 38169b5..62b53cc 100644 (file)
@@ -138,7 +138,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
        return NT_STATUS_OK;
 }
 
-NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
+NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
                                enum protocol_types protocol,
                                const struct iovec *vector,
                                int count)
@@ -169,7 +169,7 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
                return NT_STATUS_OK;
        }
 
-       if (signing_key.length == 0) {
+       if (!smb2_signing_key_valid(signing_key)) {
                /* we don't have the session key yet */
                return NT_STATUS_OK;
        }
@@ -180,7 +180,9 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
                struct aes_cmac_128_context ctx;
                uint8_t key[AES_BLOCK_SIZE] = {0};
 
-               memcpy(key, signing_key.data, MIN(signing_key.length, 16));
+               memcpy(key,
+                      signing_key->blob.data,
+                      MIN(signing_key->blob.length, 16));
 
                aes_cmac_128_init(&ctx, key);
                aes_cmac_128_update(&ctx, hdr, SMB2_HDR_SIGNATURE);
@@ -194,39 +196,37 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
 
                ZERO_ARRAY(key);
        } else {
-               gnutls_hmac_hd_t hmac_hnd = NULL;
                uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
                int rc;
 
-               rc = gnutls_hmac_init(&hmac_hnd,
-                                     GNUTLS_MAC_SHA256,
-                                     signing_key.data,
-                                     MIN(signing_key.length, 16));
-               if (rc < 0) {
-                       return NT_STATUS_NO_MEMORY;
+               if (signing_key->hmac_hnd == NULL) {
+                       rc = gnutls_hmac_init(&signing_key->hmac_hnd,
+                                             GNUTLS_MAC_SHA256,
+                                             signing_key->blob.data,
+                                             MIN(signing_key->blob.length, 16));
+                       if (rc < 0) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
                }
 
-               rc = gnutls_hmac(hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
+               rc = gnutls_hmac(signing_key->hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
                if (rc < 0) {
-                       gnutls_hmac_deinit(hmac_hnd, NULL);
                        return NT_STATUS_INTERNAL_ERROR;
                }
-               rc = gnutls_hmac(hmac_hnd, zero_sig, 16);
+               rc = gnutls_hmac(signing_key->hmac_hnd, zero_sig, 16);
                if (rc < 0) {
-                       gnutls_hmac_deinit(hmac_hnd, NULL);
                        return NT_STATUS_INTERNAL_ERROR;
                }
 
                for (i = 1; i < count; i++) {
-                       rc = gnutls_hmac(hmac_hnd,
+                       rc = gnutls_hmac(signing_key->hmac_hnd,
                                         vector[i].iov_base,
                                         vector[i].iov_len);
                        if (rc < 0) {
-                               gnutls_hmac_deinit(hmac_hnd, NULL);
                                return NT_STATUS_INTERNAL_ERROR;
                        }
                }
-               gnutls_hmac_deinit(hmac_hnd, digest);
+               gnutls_hmac_output(signing_key->hmac_hnd, digest);
                memcpy(res, digest, 16);
                ZERO_ARRAY(digest);
        }
index 7bc0a02..646567c 100644 (file)
@@ -40,7 +40,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
                               struct iovec *vector,
                               int count);
 
-NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
+NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
                                enum protocol_types protocol,
                                const struct iovec *vector,
                                int count);
index ebc293e..2d74e24 100644 (file)
@@ -3698,7 +3698,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT);
                uint32_t new_credits;
                struct smbXcli_session *session = NULL;
-               const struct smb2_signing_key *signing_key = NULL;
+               struct smb2_signing_key *signing_key = NULL;
                bool was_encrypted = false;
 
                new_credits = conn->smb2.cur_credits;
@@ -3915,7 +3915,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                if (signing_key) {
                        NTSTATUS signing_status;
 
-                       signing_status = smb2_signing_check_pdu(signing_key->blob,
+                       signing_status = smb2_signing_check_pdu(signing_key,
                                                                state->conn->protocol,
                                                                &cur[1], 3);
                        if (!NT_STATUS_IS_OK(signing_status)) {
@@ -6074,7 +6074,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
        }
 
        if (check_signature) {
-               status = smb2_signing_check_pdu(session->smb2_channel.signing_key->blob,
+               status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
                                                session->conn->protocol,
                                                recv_iov, 3);
                if (!NT_STATUS_IS_OK(status)) {
@@ -6237,7 +6237,7 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
        }
        ZERO_STRUCT(channel_key);
 
-       status = smb2_signing_check_pdu(session->smb2_channel.signing_key->blob,
+       status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
                                        session->conn->protocol,
                                        recv_iov, 3);
        if (!NT_STATUS_IS_OK(status)) {
index 563918b..71c1c3d 100644 (file)
@@ -2483,7 +2483,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
                        req->do_signing = true;
                }
 
-               status = smb2_signing_check_pdu(signing_key->blob,
+               status = smb2_signing_check_pdu(signing_key,
                                                xconn->protocol,
                                                SMBD_SMB2_IN_HDR_IOV(req),
                                                SMBD_SMB2_NUM_IOV_PER_REQ - 1);