authorAndreas Schneider <asn@samba.org>2019-05-22 09:17:37 +0200
committerAndreas Schneider <asn@cryptomilk.org>2019-06-27 12:54:23 +0000
commitba96534eb3b895d1424e25b82dcb1f7f374f5959 (patch)
tree6b84c15f7b50a13e1fe261e7a21e186e25322547 /auth
parent6148cd9c977bd5e3c69e9b7e0e7bee9032b5aa45 (diff)
auth:gensec: Return NTSTATUS for netsec_do_seal()
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r--auth/gensec/schannel.c51
1 files changed, 33 insertions, 18 deletions
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index c1833ed5fa1..8ba1eafc76d 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -213,11 +213,11 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state,
return NT_STATUS_OK;
}
-static void netsec_do_seal(struct schannel_state *state,
- const uint8_t seq_num[8],
- uint8_t confounder[8],
- uint8_t *data, uint32_t length,
- bool forward)
+static NTSTATUS netsec_do_seal(struct schannel_state *state,
+ const uint8_t seq_num[8],
+ uint8_t confounder[8],
+ uint8_t *data, uint32_t length,
+ bool forward)
{
if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
AES_KEY key;
@@ -266,7 +266,7 @@ static void netsec_do_seal(struct schannel_state *state,
digest2);
if (rc < 0) {
ZERO_ARRAY(digest2);
- return;
+ return NT_STATUS_INTERNAL_ERROR;
}
rc = gnutls_hmac_fast(GNUTLS_MAC_MD5,
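Review bot: The HMAC failure at the changed line returns NT_STATUS_INTERNAL_ERROR, whereas the cipher failures later in the same function map the gnutls code with gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID), so callers get different codes for what is in both cases "the crypto backend failed". Using the same mapping here, `return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);`, keeps netsec_do_seal's error contract uniform and preserves the gnutls error where the helper can translate it. The following hunk makes the same NT_STATUS_INTERNAL_ERROR choice for the second HMAC and would want the same treatment. netsec_do_seal's body continues outside this hunk.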
@@ -278,7 +278,7 @@ static void netsec_do_seal(struct schannel_state *state,
ZERO_ARRAY(digest2);
if (rc < 0) {
- return;
+ return NT_STATUS_INTERNAL_ERROR;
}
rc = gnutls_cipher_init(&cipher_hnd,
@@ -287,14 +287,14 @@ static void netsec_do_seal(struct schannel_state *state,
NULL);
if (rc < 0) {
ZERO_ARRAY(_sealing_key);
- return;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
rc = gnutls_cipher_encrypt(cipher_hnd,
confounder,
8);
if (rc < 0) {
ZERO_ARRAY(_sealing_key);
- return;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
rc = gnutls_cipher_encrypt(cipher_hnd,
data,
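Review bot: The failure branch after the confounder encryption (the `if (rc < 0)` that follows `gnutls_cipher_encrypt(cipher_hnd, confounder, 8)`) returns without calling gnutls_cipher_deinit(cipher_hnd), even though gnutls_cipher_init succeeded a few lines above; only the final path in this function deinits the handle. That leaks the cipher context on every such failure, and now that the path returns a status instead of silently falling through it is worth closing: add `gnutls_cipher_deinit(cipher_hnd);` before `ZERO_ARRAY(_sealing_key);` in that branch. The cipher_init failure branch itself does not need it, assuming gnutls leaves the handle unset when init fails. netsec_do_seal continues outside this hunk.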
@@ -302,9 +302,11 @@ static void netsec_do_seal(struct schannel_state *state,
gnutls_cipher_deinit(cipher_hnd);
ZERO_ARRAY(_sealing_key);
if (rc < 0) {
- return;
+ return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
}
}
+
+ return NT_STATUS_OK;
}
/*******************************************************************
@@ -471,10 +473,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
SETUP_SEQNUM(state, seq_num, !state->initiator);
if (do_unseal) {
- netsec_do_seal(state, seq_num,
- confounder,
- data, length,
- false);
+ status = netsec_do_seal(state,
+ seq_num,
+ confounder,
+ data,
+ length,
+ false);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("netsec_do_seal failed: %s\n", nt_errstr(status));
+ return NT_STATUS_ACCESS_DENIED;
+ }
}
if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
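Review bot: The unseal failure is collapsed to NT_STATUS_ACCESS_DENIED here while the outgoing direction later in this file propagates the status unchanged, and nothing in the hunk records that the asymmetry is intended rather than an oversight. A one-line comment above the return, `/* Report a bad packet, not the backend error; the detail is in the log above. */`, would protect it from a future "consistency" cleanup. Since netsec_do_seal transforms the confounder before the payload (visible in the earlier hunk), `data` may already be partially modified in place when this branch is taken, so callers must discard the buffer on ACCESS_DENIED; I cannot confirm from here that they do. netsec_incoming_packet starts before this hunk.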
@@ -592,10 +600,17 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
}
if (do_seal) {
- netsec_do_seal(state, seq_num,
- confounder,
- data, length,
- true);
+ status = netsec_do_seal(state,
+ seq_num,
+ confounder,
+ data,
+ length,
+ true);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_WARNING("netsec_do_seal failed: %s\n",
+ nt_errstr(status));
+ return status;
+ }
}
status = netsec_do_seq_num(state, checksum, checksum_length, seq_num);
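Review bot: The new DBG_WARNING here and the one added in the incoming path log the identical string `netsec_do_seal failed: %s`, so an operator reading the log cannot tell a seal failure on an outgoing packet from an unseal failure on an incoming one. Including the direction, e.g. `DBG_WARNING("netsec_do_seal (seal) failed: %s\n", nt_errstr(status));`, costs nothing and makes the two events distinguishable when triaging. The early return also skips netsec_do_seq_num, which is correct, but it leaves `data` with the confounder possibly already encrypted and the payload not; that is only safe if the caller drops the buffer on error, which I cannot verify from this hunk. netsec_outgoing_packet starts before this hunk.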