From 015e4d2dc2776d7d56edd51a1b9cad510f24e537 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 14 Mar 2019 17:42:34 +0100 Subject: [PATCH] libcli:smb: Use smb2_signing_key for smb2_signing_check_pdu() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- libcli/smb/smb2_signing.c | 34 +++++++++++++++++----------------- libcli/smb/smb2_signing.h | 2 +- libcli/smb/smbXcli_base.c | 8 ++++---- source3/smbd/smb2_server.c | 2 +- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index 38169b50f62..62b53ccbe48 100644 --- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -138,7 +138,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key, return NT_STATUS_OK; } -NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key, +NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key, enum protocol_types protocol, const struct iovec *vector, int count) @@ -169,7 +169,7 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key, return NT_STATUS_OK; } - if (signing_key.length == 0) { + if (!smb2_signing_key_valid(signing_key)) { /* we don't have the session key yet */ return NT_STATUS_OK; } @@ -180,7 +180,9 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key, struct aes_cmac_128_context ctx; uint8_t key[AES_BLOCK_SIZE] = {0}; - memcpy(key, signing_key.data, MIN(signing_key.length, 16)); + memcpy(key, + signing_key->blob.data, + MIN(signing_key->blob.length, 16)); aes_cmac_128_init(&ctx, key); aes_cmac_128_update(&ctx, hdr, SMB2_HDR_SIGNATURE); @@ -194,39 +196,37 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key, ZERO_ARRAY(key); } else { - gnutls_hmac_hd_t hmac_hnd = NULL; uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)]; int rc; - rc = gnutls_hmac_init(&hmac_hnd, - GNUTLS_MAC_SHA256, - signing_key.data, - MIN(signing_key.length, 16)); - if (rc < 0) { - return NT_STATUS_NO_MEMORY; + if (signing_key->hmac_hnd == NULL) { + rc = gnutls_hmac_init(&signing_key->hmac_hnd, + GNUTLS_MAC_SHA256, + signing_key->blob.data, + MIN(signing_key->blob.length, 16)); + if (rc < 0) { + return NT_STATUS_NO_MEMORY; + } } - rc = gnutls_hmac(hmac_hnd, hdr, SMB2_HDR_SIGNATURE); + rc = gnutls_hmac(signing_key->hmac_hnd, hdr, SMB2_HDR_SIGNATURE); if (rc < 0) { - gnutls_hmac_deinit(hmac_hnd, NULL); return NT_STATUS_INTERNAL_ERROR; } - rc = gnutls_hmac(hmac_hnd, zero_sig, 16); + rc = gnutls_hmac(signing_key->hmac_hnd, zero_sig, 16); if (rc < 0) { - gnutls_hmac_deinit(hmac_hnd, NULL); return NT_STATUS_INTERNAL_ERROR; } for (i = 1; i < count; i++) { - rc = gnutls_hmac(hmac_hnd, + rc = gnutls_hmac(signing_key->hmac_hnd, vector[i].iov_base, vector[i].iov_len); if (rc < 0) { - gnutls_hmac_deinit(hmac_hnd, NULL); return NT_STATUS_INTERNAL_ERROR; } } - gnutls_hmac_deinit(hmac_hnd, digest); + gnutls_hmac_output(signing_key->hmac_hnd, digest); memcpy(res, digest, 16); ZERO_ARRAY(digest); } diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h index 7bc0a0263eb..646567c9d75 100644 --- a/libcli/smb/smb2_signing.h +++ b/libcli/smb/smb2_signing.h @@ -40,7 +40,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key, struct iovec *vector, int count); -NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key, +NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key, enum protocol_types protocol, const struct iovec *vector, int count); diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index ebc293ea4a8..2d74e2490bc 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -3698,7 +3698,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn, uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT); uint32_t new_credits; struct smbXcli_session *session = NULL; - const struct smb2_signing_key *signing_key = NULL; + struct smb2_signing_key *signing_key = NULL; bool was_encrypted = false; new_credits = conn->smb2.cur_credits; @@ -3915,7 +3915,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn, if (signing_key) { NTSTATUS signing_status; - signing_status = smb2_signing_check_pdu(signing_key->blob, + signing_status = smb2_signing_check_pdu(signing_key, state->conn->protocol, &cur[1], 3); if (!NT_STATUS_IS_OK(signing_status)) { @@ -6074,7 +6074,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session, } if (check_signature) { - status = smb2_signing_check_pdu(session->smb2_channel.signing_key->blob, + status = smb2_signing_check_pdu(session->smb2_channel.signing_key, session->conn->protocol, recv_iov, 3); if (!NT_STATUS_IS_OK(status)) { @@ -6237,7 +6237,7 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session, } ZERO_STRUCT(channel_key); - status = smb2_signing_check_pdu(session->smb2_channel.signing_key->blob, + status = smb2_signing_check_pdu(session->smb2_channel.signing_key, session->conn->protocol, recv_iov, 3); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c index 563918bcd11..71c1c3dc9cf 100644 --- a/source3/smbd/smb2_server.c +++ b/source3/smbd/smb2_server.c @@ -2483,7 +2483,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req) req->do_signing = true; } - status = smb2_signing_check_pdu(signing_key->blob, + status = smb2_signing_check_pdu(signing_key, xconn->protocol, SMBD_SMB2_IN_HDR_IOV(req), SMBD_SMB2_NUM_IOV_PER_REQ - 1);