libcli:smb: Use smb2_signing_key for smb2_signing_check_pdu()
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
committed by
Andrew Bartlett
parent
dcf37228e1
commit
015e4d2dc2
@ -138,7 +138,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
|
|||||||
return NT_STATUS_OK;
|
return NT_STATUS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
|
NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
|
||||||
enum protocol_types protocol,
|
enum protocol_types protocol,
|
||||||
const struct iovec *vector,
|
const struct iovec *vector,
|
||||||
int count)
|
int count)
|
||||||
@ -169,7 +169,7 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
|
|||||||
return NT_STATUS_OK;
|
return NT_STATUS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (signing_key.length == 0) {
|
if (!smb2_signing_key_valid(signing_key)) {
|
||||||
/* we don't have the session key yet */
|
/* we don't have the session key yet */
|
||||||
return NT_STATUS_OK;
|
return NT_STATUS_OK;
|
||||||
}
|
}
|
||||||
@ -180,7 +180,9 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
|
|||||||
struct aes_cmac_128_context ctx;
|
struct aes_cmac_128_context ctx;
|
||||||
uint8_t key[AES_BLOCK_SIZE] = {0};
|
uint8_t key[AES_BLOCK_SIZE] = {0};
|
||||||
|
|
||||||
memcpy(key, signing_key.data, MIN(signing_key.length, 16));
|
memcpy(key,
|
||||||
|
signing_key->blob.data,
|
||||||
|
MIN(signing_key->blob.length, 16));
|
||||||
|
|
||||||
aes_cmac_128_init(&ctx, key);
|
aes_cmac_128_init(&ctx, key);
|
||||||
aes_cmac_128_update(&ctx, hdr, SMB2_HDR_SIGNATURE);
|
aes_cmac_128_update(&ctx, hdr, SMB2_HDR_SIGNATURE);
|
||||||
@ -194,39 +196,37 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
|
|||||||
|
|
||||||
ZERO_ARRAY(key);
|
ZERO_ARRAY(key);
|
||||||
} else {
|
} else {
|
||||||
gnutls_hmac_hd_t hmac_hnd = NULL;
|
|
||||||
uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
|
uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
rc = gnutls_hmac_init(&hmac_hnd,
|
if (signing_key->hmac_hnd == NULL) {
|
||||||
GNUTLS_MAC_SHA256,
|
rc = gnutls_hmac_init(&signing_key->hmac_hnd,
|
||||||
signing_key.data,
|
GNUTLS_MAC_SHA256,
|
||||||
MIN(signing_key.length, 16));
|
signing_key->blob.data,
|
||||||
if (rc < 0) {
|
MIN(signing_key->blob.length, 16));
|
||||||
return NT_STATUS_NO_MEMORY;
|
if (rc < 0) {
|
||||||
|
return NT_STATUS_NO_MEMORY;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = gnutls_hmac(hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
|
rc = gnutls_hmac(signing_key->hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
|
||||||
if (rc < 0) {
|
if (rc < 0) {
|
||||||
gnutls_hmac_deinit(hmac_hnd, NULL);
|
|
||||||
return NT_STATUS_INTERNAL_ERROR;
|
return NT_STATUS_INTERNAL_ERROR;
|
||||||
}
|
}
|
||||||
rc = gnutls_hmac(hmac_hnd, zero_sig, 16);
|
rc = gnutls_hmac(signing_key->hmac_hnd, zero_sig, 16);
|
||||||
if (rc < 0) {
|
if (rc < 0) {
|
||||||
gnutls_hmac_deinit(hmac_hnd, NULL);
|
|
||||||
return NT_STATUS_INTERNAL_ERROR;
|
return NT_STATUS_INTERNAL_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 1; i < count; i++) {
|
for (i = 1; i < count; i++) {
|
||||||
rc = gnutls_hmac(hmac_hnd,
|
rc = gnutls_hmac(signing_key->hmac_hnd,
|
||||||
vector[i].iov_base,
|
vector[i].iov_base,
|
||||||
vector[i].iov_len);
|
vector[i].iov_len);
|
||||||
if (rc < 0) {
|
if (rc < 0) {
|
||||||
gnutls_hmac_deinit(hmac_hnd, NULL);
|
|
||||||
return NT_STATUS_INTERNAL_ERROR;
|
return NT_STATUS_INTERNAL_ERROR;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
gnutls_hmac_deinit(hmac_hnd, digest);
|
gnutls_hmac_output(signing_key->hmac_hnd, digest);
|
||||||
memcpy(res, digest, 16);
|
memcpy(res, digest, 16);
|
||||||
ZERO_ARRAY(digest);
|
ZERO_ARRAY(digest);
|
||||||
}
|
}
|
||||||
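Review bot: The three `return NT_STATUS_INTERNAL_ERROR;` paths in the HMAC-SHA256 branch of smb2_signing_check_pdu() now leave the cached `signing_key->hmac_hnd` holding partially hashed input, because the `gnutls_hmac_deinit()` calls that the old code made on those paths were dropped and only the `gnutls_hmac_output()` on the success path resets the handle. The next PDU verified with the same key would be MACed on top of that stale data and fail the check, so a single transient error could break signature verification for the rest of the session. Tearing the handle down before each of those returns, `gnutls_hmac_deinit(signing_key->hmac_hnd, NULL); signing_key->hmac_hnd = NULL;`, lets the lazy `gnutls_hmac_init()` start from a clean state again. If smb2_signing_sign_pdu() shares this handle, which the hunks do not show, the same applies there. The function body starts and ends outside the hunks shown.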
|
@ -40,7 +40,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
|
|||||||
struct iovec *vector,
|
struct iovec *vector,
|
||||||
int count);
|
int count);
|
||||||
|
|
||||||
NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
|
NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
|
||||||
enum protocol_types protocol,
|
enum protocol_types protocol,
|
||||||
const struct iovec *vector,
|
const struct iovec *vector,
|
||||||
int count);
|
int count);
|
||||||
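Review bot: The prototype of smb2_signing_check_pdu() now takes a non-const `struct smb2_signing_key *`, but the declaration has no comment telling callers that verification can write to the key, or that a key failing `smb2_signing_key_valid()` makes it return NT_STATUS_OK without checking anything. A short comment above the declaration would record both, for example `/* May initialise signing_key->hmac_hnd. Returns NT_STATUS_OK unchecked if the key is not valid; callers that require signing must enforce it themselves. */`. This matters because the return value cannot distinguish "signature verified" from "not checked", and callers now pass the key pointer itself rather than `->blob`.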
|
@ -3698,7 +3698,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
|
|||||||
uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT);
|
uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT);
|
||||||
uint32_t new_credits;
|
uint32_t new_credits;
|
||||||
struct smbXcli_session *session = NULL;
|
struct smbXcli_session *session = NULL;
|
||||||
const struct smb2_signing_key *signing_key = NULL;
|
struct smb2_signing_key *signing_key = NULL;
|
||||||
bool was_encrypted = false;
|
bool was_encrypted = false;
|
||||||
|
|
||||||
new_credits = conn->smb2.cur_credits;
|
new_credits = conn->smb2.cur_credits;
|
||||||
@ -3915,7 +3915,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
|
|||||||
if (signing_key) {
|
if (signing_key) {
|
||||||
NTSTATUS signing_status;
|
NTSTATUS signing_status;
|
||||||
|
|
||||||
signing_status = smb2_signing_check_pdu(signing_key->blob,
|
signing_status = smb2_signing_check_pdu(signing_key,
|
||||||
state->conn->protocol,
|
state->conn->protocol,
|
||||||
&cur[1], 3);
|
&cur[1], 3);
|
||||||
if (!NT_STATUS_IS_OK(signing_status)) {
|
if (!NT_STATUS_IS_OK(signing_status)) {
|
||||||
@ -6074,7 +6074,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (check_signature) {
|
if (check_signature) {
|
||||||
status = smb2_signing_check_pdu(session->smb2_channel.signing_key->blob,
|
status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
|
||||||
session->conn->protocol,
|
session->conn->protocol,
|
||||||
recv_iov, 3);
|
recv_iov, 3);
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
@ -6237,7 +6237,7 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
|
|||||||
}
|
}
|
||||||
ZERO_STRUCT(channel_key);
|
ZERO_STRUCT(channel_key);
|
||||||
|
|
||||||
status = smb2_signing_check_pdu(session->smb2_channel.signing_key->blob,
|
status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
|
||||||
session->conn->protocol,
|
session->conn->protocol,
|
||||||
recv_iov, 3);
|
recv_iov, 3);
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
@ -2483,7 +2483,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
|
|||||||
req->do_signing = true;
|
req->do_signing = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
status = smb2_signing_check_pdu(signing_key->blob,
|
status = smb2_signing_check_pdu(signing_key,
|
||||||
xconn->protocol,
|
xconn->protocol,
|
||||||
SMBD_SMB2_IN_HDR_IOV(req),
|
SMBD_SMB2_IN_HDR_IOV(req),
|
||||||
SMBD_SMB2_NUM_IOV_PER_REQ - 1);
|
SMBD_SMB2_NUM_IOV_PER_REQ - 1);
|
||||||
|