From ac505bb247d1f63d6c22d380e4db5a5f84cd2ff1 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 16 Aug 2019 16:08:57 +1200
Subject: [PATCH 106/187] s4-rpc_server/backupkey: consistently check error
 codes from GnuTLS

This uses the new gnutls_error_to_werror()

This should resolve Coverity 1452111 as forwarded by Volker.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2d54559aad9af81cf21d223dad28b48184c59f44)
---
 .../rpc_server/backupkey/dcesrv_backupkey.c   | 146 +++++++++++-------
 source4/rpc_server/wscript_build              |   2 +-
 2 files changed, 92 insertions(+), 56 deletions(-)

diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index a826ae083f4..cea6a28e4e2 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -42,6 +42,8 @@
 #include <gnutls/crypto.h>
 #include <gnutls/abstract.h>
 
+#include "lib/crypto/gnutls_helpers.h"
+
 #define DCESRV_INTERFACE_BACKUPKEY_BIND(context, iface) \
 	dcesrv_interface_backupkey_bind(context, iface)
 static NTSTATUS dcesrv_interface_backupkey_bind(struct dcesrv_connection_context *context,
@@ -1439,15 +1441,23 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
 	 * BACKUPKEY_BACKUP_GUID, it really is the whole key
 	 */
 
-	gnutls_hmac_init(&hmac_hnd,
-			 GNUTLS_MAC_SHA1,
-			 server_key.key,
-			 sizeof(server_key.key));
-	gnutls_hmac(hmac_hnd,
+	rc = gnutls_hmac_init(&hmac_hnd,
+			      GNUTLS_MAC_SHA1,
+			      server_key.key,
+			      sizeof(server_key.key));
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
+
+	rc = gnutls_hmac(hmac_hnd,
 		    decrypt_request.r2,
 		    sizeof(decrypt_request.r2));
-	gnutls_hmac_output(hmac_hnd, symkey);
 
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
+
+	gnutls_hmac_output(hmac_hnd, symkey);
 	dump_data_pw("symkey: \n", symkey, sizeof(symkey));
 
 	/* rc4 decrypt sid and secret using sym key */
@@ -1462,9 +1472,7 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
 				&cipher_key,
 				NULL);
 	if (rc != GNUTLS_E_SUCCESS) {
-		DBG_ERR("gnutls_cipher_init failed - %s\n",
-			gnutls_strerror(rc));
-		return WERR_INVALID_PARAMETER;
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
 	}
 	rc = gnutls_cipher_encrypt2(cipher_hnd,
 				    encrypted_blob.data,
@@ -1473,9 +1481,7 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
 				    encrypted_blob.length);
 	gnutls_cipher_deinit(cipher_hnd);
 	if (rc != GNUTLS_E_SUCCESS) {
-		DBG_ERR("gnutls_cipher_encrypt2 failed - %s\n",
-			gnutls_strerror(rc));
-		return WERR_INVALID_PARAMETER;
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
 	}
 
 	ndr_err = ndr_pull_struct_blob_all(&encrypted_blob, mem_ctx, &rc4payload,
@@ -1494,9 +1500,13 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
 	 * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
 	 * BACKUPKEY_BACKUP_GUID, it really is the whole key
 	 */
-	gnutls_hmac(hmac_hnd,
-		    rc4payload.r3,
-		    sizeof(rc4payload.r3));
+	rc = gnutls_hmac(hmac_hnd,
+			 rc4payload.r3,
+			 sizeof(rc4payload.r3));
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
+
 	gnutls_hmac_deinit(hmac_hnd, mackey);
 
 	dump_data_pw("mackey: \n", mackey, sizeof(mackey));
@@ -1507,20 +1517,31 @@ static WERROR bkrp_server_wrap_decrypt_data(struct dcesrv_call_state *dce_call,
 		return WERR_INTERNAL_ERROR;
 	}
 
-	gnutls_hmac_init(&hmac_hnd,
-			 GNUTLS_MAC_SHA1,
-			 mackey,
-			 sizeof(mackey));
+	rc = gnutls_hmac_init(&hmac_hnd,
+			      GNUTLS_MAC_SHA1,
+			      mackey,
+			      sizeof(mackey));
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
+
 	/* SID field */
-	gnutls_hmac(hmac_hnd,
-		    sid_blob.data,
-		    sid_blob.length);
+	rc = gnutls_hmac(hmac_hnd,
+			 sid_blob.data,
+			 sid_blob.length);
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
+
 	/* Secret field */
-	gnutls_hmac(hmac_hnd,
-		    rc4payload.secret_data.data,
-		    rc4payload.secret_data.length);
-	gnutls_hmac_deinit(hmac_hnd, mac);
+	rc = gnutls_hmac(hmac_hnd,
+			 rc4payload.secret_data.data,
+			 rc4payload.secret_data.length);
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
 
+	gnutls_hmac_deinit(hmac_hnd, mac);
 	dump_data_pw("mac: \n", mac, sizeof(mac));
 	dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac));
 
@@ -1657,26 +1678,34 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
 	 * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
 	 * BACKUPKEY_BACKUP_GUID, it really is the whole key
 	 */
-	gnutls_hmac_init(&hmac_hnd,
-			 GNUTLS_MAC_SHA1,
-			 server_key.key,
-			 sizeof(server_key.key));
-	gnutls_hmac(hmac_hnd,
-		    server_side_wrapped.r2,
-		    sizeof(server_side_wrapped.r2));
-	gnutls_hmac_output(hmac_hnd, symkey);
+	rc = gnutls_hmac_init(&hmac_hnd,
+			      GNUTLS_MAC_SHA1,
+			      server_key.key,
+			      sizeof(server_key.key));
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
 
+	rc = gnutls_hmac(hmac_hnd,
+			 server_side_wrapped.r2,
+			 sizeof(server_side_wrapped.r2));
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
+	gnutls_hmac_output(hmac_hnd, symkey);
 	dump_data_pw("symkey: \n", symkey, sizeof(symkey));
 
 	/*
 	 * This is *not* the leading 64 bytes, as indicated in MS-BKRP 3.1.4.1.1
 	 * BACKUPKEY_BACKUP_GUID, it really is the whole key
 	 */
-	gnutls_hmac(hmac_hnd,
-		    rc4payload.r3,
-		    sizeof(rc4payload.r3));
+	rc = gnutls_hmac(hmac_hnd,
+			 rc4payload.r3,
+			 sizeof(rc4payload.r3));
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
 	gnutls_hmac_deinit(hmac_hnd, mackey);
-
 	dump_data_pw("mackey: \n", mackey, sizeof(mackey));
 
 	ndr_err = ndr_push_struct_blob(&sid_blob, mem_ctx, caller_sid,
@@ -1688,20 +1717,31 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
 	rc4payload.secret_data.data = r->in.data_in;
 	rc4payload.secret_data.length = r->in.data_in_len;
 
-	gnutls_hmac_init(&hmac_hnd,
-			 GNUTLS_MAC_SHA1,
-			 mackey,
-			 sizeof(mackey));
+	rc = gnutls_hmac_init(&hmac_hnd,
+			      GNUTLS_MAC_SHA1,
+			      mackey,
+			      sizeof(mackey));
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
+
 	/* SID field */
-	gnutls_hmac(hmac_hnd,
-		    sid_blob.data,
-		    sid_blob.length);
+	rc = gnutls_hmac(hmac_hnd,
+			 sid_blob.data,
+			 sid_blob.length);
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
+
 	/* Secret field */
-	gnutls_hmac(hmac_hnd,
-		    rc4payload.secret_data.data,
-		    rc4payload.secret_data.length);
-	gnutls_hmac_deinit(hmac_hnd, rc4payload.mac);
+	rc = gnutls_hmac(hmac_hnd,
+			 rc4payload.secret_data.data,
+			 rc4payload.secret_data.length);
+	if (rc != GNUTLS_E_SUCCESS) {
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
+	}
 
+	gnutls_hmac_deinit(hmac_hnd, rc4payload.mac);
 	dump_data_pw("rc4payload.mac: \n", rc4payload.mac, sizeof(rc4payload.mac));
 
 	rc4payload.sid = *caller_sid;
@@ -1721,9 +1761,7 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
 				&cipher_key,
 				NULL);
 	if (rc != GNUTLS_E_SUCCESS) {
-		DBG_ERR("gnutls_cipher_init failed - %s\n",
-			gnutls_strerror(rc));
-		return WERR_INVALID_PARAMETER;
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
 	}
 	rc = gnutls_cipher_encrypt2(cipher_hnd,
 				    encrypted_blob.data,
@@ -1732,9 +1770,7 @@ static WERROR bkrp_server_wrap_encrypt_data(struct dcesrv_call_state *dce_call,
 				    encrypted_blob.length);
 	gnutls_cipher_deinit(cipher_hnd);
 	if (rc != GNUTLS_E_SUCCESS) {
-		DBG_ERR("gnutls_cipher_encrypt2 failed - %s\n",
-			gnutls_strerror(rc));
-		return WERR_INVALID_PARAMETER;
+		return gnutls_error_to_werror(rc, WERR_INTERNAL_ERROR);
 	}
 
 	/* create server wrap structure */
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index a5c1c1d9a2c..18ec5aef894 100644
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -124,7 +124,7 @@ bld.SAMBA_MODULE('dcerpc_backupkey',
 		 autoproto='backupkey/proto.h',
 		 subsystem='dcerpc_server',
 		 init_function='dcerpc_server_backupkey_init',
-		 deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY gnutls',
+		 deps='samdb DCERPC_COMMON NDR_BACKUPKEY RPC_NDR_BACKUPKEY gnutls GNUTLS_HELPERS',
 		 )
 
 
-- 
2.23.0