diff options
author | Andreas Schneider <asn@samba.org> | 2019-05-22 09:17:37 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-06-27 12:54:23 +0000 |
commit | ba96534eb3b895d1424e25b82dcb1f7f374f5959 (patch) | |
tree | 6b84c15f7b50a13e1fe261e7a21e186e25322547 /auth | |
parent | 6148cd9c977bd5e3c69e9b7e0e7bee9032b5aa45 (diff) | |
download | samba-ba96534eb3b895d1424e25b82dcb1f7f374f5959.tar.gz |
auth:gensec: Return NTSTATUS for netsec_do_seal()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r-- | auth/gensec/schannel.c | 51 |
1 files changed, 33 insertions, 18 deletions
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c index c1833ed5fa1..8ba1eafc76d 100644 --- a/auth/gensec/schannel.c +++ b/auth/gensec/schannel.c @@ -213,11 +213,11 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state, return NT_STATUS_OK; } -static void netsec_do_seal(struct schannel_state *state, - const uint8_t seq_num[8], - uint8_t confounder[8], - uint8_t *data, uint32_t length, - bool forward) +static NTSTATUS netsec_do_seal(struct schannel_state *state, + const uint8_t seq_num[8], + uint8_t confounder[8], + uint8_t *data, uint32_t length, + bool forward) { if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { AES_KEY key; @@ -266,7 +266,7 @@ static void netsec_do_seal(struct schannel_state *state, digest2); if (rc < 0) { ZERO_ARRAY(digest2); - return; + return NT_STATUS_INTERNAL_ERROR; } rc = gnutls_hmac_fast(GNUTLS_MAC_MD5, @@ -278,7 +278,7 @@ static void netsec_do_seal(struct schannel_state *state, ZERO_ARRAY(digest2); if (rc < 0) { - return; + return NT_STATUS_INTERNAL_ERROR; } rc = gnutls_cipher_init(&cipher_hnd, @@ -287,14 +287,14 @@ static void netsec_do_seal(struct schannel_state *state, NULL); if (rc < 0) { ZERO_ARRAY(_sealing_key); - return; + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); } rc = gnutls_cipher_encrypt(cipher_hnd, confounder, 8); if (rc < 0) { ZERO_ARRAY(_sealing_key); - return; + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); } rc = gnutls_cipher_encrypt(cipher_hnd, data, @@ -302,9 +302,11 @@ static void netsec_do_seal(struct schannel_state *state, gnutls_cipher_deinit(cipher_hnd); ZERO_ARRAY(_sealing_key); if (rc < 0) { - return; + return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID); } } + + return NT_STATUS_OK; } /******************************************************************* @@ -471,10 +473,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state, SETUP_SEQNUM(state, seq_num, !state->initiator); if (do_unseal) { - netsec_do_seal(state, seq_num, - confounder, - data, length, - false); + status = netsec_do_seal(state, + seq_num, + confounder, + data, + length, + false); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("netsec_do_seal failed: %s\n", nt_errstr(status)); + return NT_STATUS_ACCESS_DENIED; + } } if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) { @@ -592,10 +600,17 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state, } if (do_seal) { - netsec_do_seal(state, seq_num, - confounder, - data, length, - true); + status = netsec_do_seal(state, + seq_num, + confounder, + data, + length, + true); + if (!NT_STATUS_IS_OK(status)) { + DBG_WARNING("netsec_do_seal failed: %s\n", + nt_errstr(status)); + return status; + } } status = netsec_do_seq_num(state, checksum, checksum_length, seq_num); |