|
|
b6b438 |
From d693c836b1d5f37d9dae8a6dbefc7b731863eacb Mon Sep 17 00:00:00 2001
|
|
|
b6b438 |
From: Andreas Schneider <asn@samba.org>
|
|
|
b6b438 |
Date: Wed, 27 Feb 2019 14:40:30 +0100
|
|
|
b6b438 |
Subject: [PATCH 119/187] libcli:smb: Use GnuTLS AES128 CMAC in
|
|
|
b6b438 |
smb2_signing_sign_pdu()
|
|
|
b6b438 |
|
|
|
b6b438 |
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
|
b6b438 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
b6b438 |
|
|
|
b6b438 |
Adapted by Andrew Bartlett to followup from earlier patch to
|
|
|
b6b438 |
allow compile without GnuTLS over the whole series.
|
|
|
b6b438 |
|
|
|
b6b438 |
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
b6b438 |
(cherry picked from commit ee11e3ffd8d801cb5988bb73dbccd1e2f0cbe7b0)
|
|
|
b6b438 |
---
|
|
|
b6b438 |
libcli/smb/smb2_signing.c | 33 +++++++++++++++++++++++++++++++++
|
|
|
b6b438 |
1 file changed, 33 insertions(+)
|
|
|
b6b438 |
|
|
|
b6b438 |
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
|
|
|
b6b438 |
index 01027d55fbe..b7c0be528b7 100644
|
|
|
b6b438 |
--- a/libcli/smb/smb2_signing.c
|
|
|
b6b438 |
+++ b/libcli/smb/smb2_signing.c
|
|
|
b6b438 |
@@ -24,6 +24,11 @@
|
|
|
b6b438 |
#include "../lib/crypto/crypto.h"
|
|
|
b6b438 |
#include "lib/util/iov_buf.h"
|
|
|
b6b438 |
|
|
|
b6b438 |
+#ifndef HAVE_GNUTLS_AES_CMAC
|
|
|
b6b438 |
+#include "lib/crypto/aes.h"
|
|
|
b6b438 |
+#include "lib/crypto/aes_cmac_128.h"
|
|
|
b6b438 |
+#endif
|
|
|
b6b438 |
+
|
|
|
b6b438 |
#include "lib/crypto/gnutls_helpers.h"
|
|
|
b6b438 |
#include <gnutls/gnutls.h>
|
|
|
b6b438 |
#include <gnutls/crypto.h>
|
|
|
b6b438 |
@@ -96,6 +101,33 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
|
|
|
b6b438 |
SIVAL(hdr, SMB2_HDR_FLAGS, IVAL(hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED);
|
|
|
b6b438 |
|
|
|
b6b438 |
if (protocol >= PROTOCOL_SMB2_24) {
|
|
|
b6b438 |
+#ifdef HAVE_GNUTLS_AES_CMAC
|
|
|
b6b438 |
+ gnutls_datum_t key = {
|
|
|
b6b438 |
+ .data = signing_key->blob.data,
|
|
|
b6b438 |
+ .size = MIN(signing_key->blob.length, 16),
|
|
|
b6b438 |
+ };
|
|
|
b6b438 |
+ int rc;
|
|
|
b6b438 |
+
|
|
|
b6b438 |
+ if (signing_key->hmac_hnd == NULL) {
|
|
|
b6b438 |
+ rc = gnutls_hmac_init(&signing_key->hmac_hnd,
|
|
|
b6b438 |
+ GNUTLS_MAC_AES_CMAC_128,
|
|
|
b6b438 |
+ key.data,
|
|
|
b6b438 |
+ key.size);
|
|
|
b6b438 |
+ if (rc < 0) {
|
|
|
b6b438 |
+ return NT_STATUS_NO_MEMORY;
|
|
|
b6b438 |
+ }
|
|
|
b6b438 |
+ }
|
|
|
b6b438 |
+
|
|
|
b6b438 |
+ for (i = 0; i < count; i++) {
|
|
|
b6b438 |
+ rc = gnutls_hmac(signing_key->hmac_hnd,
|
|
|
b6b438 |
+ vector[i].iov_base,
|
|
|
b6b438 |
+ vector[i].iov_len);
|
|
|
b6b438 |
+ if (rc < 0) {
|
|
|
b6b438 |
+ return NT_STATUS_INTERNAL_ERROR;
|
|
|
b6b438 |
+ }
|
|
|
b6b438 |
+ }
|
|
|
b6b438 |
+ gnutls_hmac_output(signing_key->hmac_hnd, res);
|
|
|
b6b438 |
+#else /* NOT HAVE_GNUTLS_AES_CMAC */
|
|
|
b6b438 |
struct aes_cmac_128_context ctx;
|
|
|
b6b438 |
uint8_t key[AES_BLOCK_SIZE] = {0};
|
|
|
b6b438 |
|
|
|
b6b438 |
@@ -112,6 +144,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
|
|
|
b6b438 |
aes_cmac_128_final(&ctx, res);
|
|
|
b6b438 |
|
|
|
b6b438 |
ZERO_ARRAY(key);
|
|
|
b6b438 |
+#endif /* HAVE_GNUTLS_AES_CMAC */
|
|
|
b6b438 |
} else {
|
|
|
b6b438 |
uint8_t digest[gnutls_hmac_get_len(GNUTLS_MAC_SHA256)];
|
|
|
b6b438 |
int rc;
|
|
|
b6b438 |
--
|
|
|
b6b438 |
2.23.0
|
|
|
b6b438 |
|