mirror of https://github.com/samba-team/samba.git synced 2025-01-24 02:04:21 +03:00

libcli:smb: Return NSTATUS for smb2_signing_check_pdu()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider 2019-06-11 12:03:33 +02:00 committed by Andreas Schneider
parent 1f4bd1c365
commit d61601d44f
4 changed files with 94 additions and 56 deletions


@ -24,6 +24,7 @@
#include "../lib/crypto/crypto.h"
#include "lib/util/iov_buf.h"
#include "libcli/util/gnutls_error.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
@ -241,10 +242,10 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
return NT_STATUS_OK;
}
void smb2_key_derivation(const uint8_t *KI, size_t KI_len,
const uint8_t *Label, size_t Label_len,
const uint8_t *Context, size_t Context_len,
uint8_t KO[16])
NTSTATUS smb2_key_derivation(const uint8_t *KI, size_t KI_len,
const uint8_t *Label, size_t Label_len,
const uint8_t *Context, size_t Context_len,
uint8_t KO[16])
{
gnutls_hmac_hd_t hmac_hnd = NULL;
uint8_t buf[4];
@ -263,36 +264,41 @@ void smb2_key_derivation(const uint8_t *KI, size_t KI_len,
GNUTLS_MAC_SHA256,
KI,
KI_len);
if (rc != 0) {
return;
if (rc < 0) {
return gnutls_error_to_ntstatus(rc,
NT_STATUS_HMAC_NOT_SUPPORTED);
}
RSIVAL(buf, 0, i);
rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
if (rc < 0) {
gnutls_hmac_deinit(hmac_hnd, NULL);
return;
return gnutls_error_to_ntstatus(rc,
NT_STATUS_HMAC_NOT_SUPPORTED);
}
rc = gnutls_hmac(hmac_hnd, Label, Label_len);
if (rc < 0) {
gnutls_hmac_deinit(hmac_hnd, NULL);
return;
return gnutls_error_to_ntstatus(rc,
NT_STATUS_HMAC_NOT_SUPPORTED);
}
rc = gnutls_hmac(hmac_hnd, &zero, 1);
if (rc < 0) {
gnutls_hmac_deinit(hmac_hnd, NULL);
return;
return gnutls_error_to_ntstatus(rc,
NT_STATUS_HMAC_NOT_SUPPORTED);
}
rc = gnutls_hmac(hmac_hnd, Context, Context_len);
if (rc < 0) {
gnutls_hmac_deinit(hmac_hnd, NULL);
return;
return gnutls_error_to_ntstatus(rc,
NT_STATUS_HMAC_NOT_SUPPORTED);
}
RSIVAL(buf, 0, L);
rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
if (rc < 0) {
gnutls_hmac_deinit(hmac_hnd, NULL);
return;
return gnutls_error_to_ntstatus(rc,
NT_STATUS_HMAC_NOT_SUPPORTED);
}
gnutls_hmac_deinit(hmac_hnd, digest);
@ -300,6 +306,8 @@ void smb2_key_derivation(const uint8_t *KI, size_t KI_len,
memcpy(KO, digest, 16);
ZERO_ARRAY(digest);
return NT_STATUS_OK;
}
NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
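Review bot: The failure branches after each `gnutls_hmac()` call all repeat the same two statements, `gnutls_hmac_deinit(hmac_hnd, NULL);` and `return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED);`, so a later edit can easily add a path that forgets to release the handle that was keyed with KI. A single exit label would keep the cleanup in one place: each branch becomes `goto fail;` and the label holds the deinit and the status mapping once. The function starts in the previous hunk and its tail is in the following one, so the label would sit after `return NT_STATUS_OK;`.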


@ -45,10 +45,10 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
const struct iovec *vector,
int count);
void smb2_key_derivation(const uint8_t *KI, size_t KI_len,
const uint8_t *Label, size_t Label_len,
const uint8_t *Context, size_t Context_len,
uint8_t KO[16]);
NTSTATUS smb2_key_derivation(const uint8_t *KI, size_t KI_len,
const uint8_t *Label, size_t Label_len,
const uint8_t *Context, size_t Context_len,
uint8_t KO[16]);
NTSTATUS smb2_signing_encrypt_pdu(DATA_BLOB encryption_key,
uint16_t cipher_id,
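Review bot: The prototype does not say that the result must be checked, yet after this change the return value is the only signal that KO was not filled in, because the error paths in the implementation return before `memcpy(KO, digest, 16)`. A short comment above the declaration would state the contract, e.g. `/* On failure KO is left unmodified; callers must not use it as a key. */`. Marking the declaration with the compiler's `warn_unused_result` attribute would also flag any caller that still ignores the status.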


@ -6096,10 +6096,13 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
if (conn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.signing;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2->signing_key->blob.data);
status = smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2->signing_key->blob.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
session->smb2->encryption_key =
@ -6113,10 +6116,13 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
if (conn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.encryption;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2->encryption_key.data);
status = smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2->encryption_key.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
session->smb2->decryption_key =
@ -6130,10 +6136,13 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
if (conn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.decryption;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2->decryption_key.data);
status = smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2->decryption_key.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
session->smb2->application_key =
@ -6147,10 +6156,13 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
if (conn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.application;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2->application_key.data);
status = smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2->application_key.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
ZERO_STRUCT(session_key);
@ -6348,10 +6360,13 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
if (conn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.signing;
smb2_key_derivation(channel_key, sizeof(channel_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2_channel.signing_key->blob.data);
status = smb2_key_derivation(channel_key, sizeof(channel_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
session->smb2_channel.signing_key->blob.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
ZERO_STRUCT(channel_key);
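Review bot: Each new `return status;` leaves the function before the `ZERO_STRUCT(session_key);` that follows the last derivation (and before `ZERO_STRUCT(channel_key);` in smb2cli_session_set_channel_key), so on a derivation failure the key material is not wiped; it looks like a local buffer, given the `sizeof(session_key)` argument. Clearing it on the error path keeps it consistent with the success path: `if (!NT_STATUS_IS_OK(status)) { ZERO_STRUCT(session_key); return status; }`. This applies to all four session-key hunks here, the channel-key hunk, and the added returns in smbd_smb2_auth_generic_return and smbd_smb2_bind_auth_return in the next file. The enclosing functions start and end outside these hunks, so other early exits may need the same treatment.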


@ -360,10 +360,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.signing;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->signing_key->blob.data);
status = smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->signing_key->blob.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
if (xconn->protocol >= PROTOCOL_SMB2_24) {
@ -377,10 +380,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
return NT_STATUS_NO_MEMORY;
}
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->decryption_key_blob.data);
status = smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->decryption_key_blob.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
if (xconn->protocol >= PROTOCOL_SMB2_24) {
@ -395,10 +401,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
return NT_STATUS_NO_MEMORY;
}
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->encryption_key_blob.data);
status = smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->encryption_key_blob.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/*
* CCM and GCM algorithms must never have their
@ -438,10 +447,13 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.application;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->application_key.data);
status = smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
x->global->application_key.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
if (xconn->protocol >= PROTOCOL_SMB3_00 && lp_debug_encryption()) {
@ -748,10 +760,13 @@ static NTSTATUS smbd_smb2_bind_auth_return(struct smbXsrv_session *session,
if (xconn->protocol >= PROTOCOL_SMB2_24) {
struct _derivation *d = &derivation.signing;
smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
c->signing_key->blob.data);
status = smb2_key_derivation(session_key, sizeof(session_key),
d->label.data, d->label.length,
d->context.data, d->context.length,
c->signing_key->blob.data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
ZERO_STRUCT(session_key);