diff options
author | Andreas Schneider <asn@samba.org> | 2019-03-01 17:55:02 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2019-08-21 09:57:30 +0000 |
commit | 58c781dc93e24895b2c4b97fa311c66af30e278e (patch) | |
tree | 89b7008860390a3253a6a6eb16ed535c7c2f19ce /auth | |
parent | fefd95091cc52f5e2655fa392312a8b1fa1d35fd (diff) | |
download | samba-58c781dc93e24895b2c4b97fa311c66af30e278e.tar.gz |
auth:gensec: Use GnuTLS AES128 CFB8 in netsec_do_seq_num()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r-- | auth/gensec/schannel.c | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c index 8ba1eafc76d..bbaf3e5fe0b 100644 --- a/auth/gensec/schannel.c +++ b/auth/gensec/schannel.c @@ -147,6 +147,45 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state, uint8_t seq_num[8]) { if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { +#ifdef HAVE_GNUTLS_AES_CFB8 + gnutls_cipher_hd_t cipher_hnd = NULL; + gnutls_datum_t key = { + .data = state->creds->session_key, + .size = sizeof(state->creds->session_key), + }; + uint32_t iv_size = + gnutls_cipher_get_iv_size(GNUTLS_CIPHER_AES_128_CFB8); + uint8_t _iv[iv_size]; + gnutls_datum_t iv = { + .data = _iv, + .size = iv_size, + }; + int rc; + + ZERO_ARRAY(_iv); + + memcpy(iv.data + 0, checksum, 8); + memcpy(iv.data + 8, checksum, 8); + + rc = gnutls_cipher_init(&cipher_hnd, + GNUTLS_CIPHER_AES_128_CFB8, + &key, + &iv); + if (rc < 0) { + DBG_ERR("ERROR: gnutls_cipher_init: %s\n", + gnutls_strerror(rc)); + return NT_STATUS_INTERNAL_ERROR; + } + + rc = gnutls_cipher_encrypt(cipher_hnd, seq_num, 8); + gnutls_cipher_deinit(cipher_hnd); + if (rc < 0) { + DBG_ERR("ERROR: gnutls_cipher_encrypt: %s\n", + gnutls_strerror(rc)); + return NT_STATUS_INTERNAL_ERROR; + } + +#else /* NOT HAVE_GNUTLS_AES_CFB8 */ AES_KEY key; uint8_t iv[AES_BLOCK_SIZE]; @@ -156,6 +195,7 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state, memcpy(iv+8, checksum, 8); aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT); +#endif /* HAVE_GNUTLS_AES_CFB8 */ } else { static const uint8_t zeros[4]; uint8_t _sequence_key[16]; |