diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-09-23 16:22:14 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2022-10-05 04:23:32 +0000 |
commit | c52f5ee84ba5b8e7c9d2c67151cf3a6b9a7a780b (patch) | |
tree | d7270fe1f895b74c7548f97f137eeb51a9279a42 /lib/crypto | |
parent | 01b6c87c4faa8c484a4064872cd1cd918fa05da8 (diff) | |
download | samba-c52f5ee84ba5b8e7c9d2c67151cf3a6b9a7a780b.tar.gz |
lib:crypto: Change error return to SMB_ASSERT()
Getting an HMAC too long to fit our array is a programming error. It
should always be 64 bytes exactly.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'lib/crypto')
-rw-r--r-- | lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c index e0877a03f52..2e37dcd23aa 100644 --- a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c +++ b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c @@ -113,6 +113,12 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx, NTSTATUS status; int rc; + /* + * We don't want to overflow 'pauth_tag', which is 64 bytes in + * size. + */ + SMB_ASSERT(hmac_size == 64); + if (plaintext->length == 0 || cek->length == 0 || key_salt->length == 0 || mac_salt->length == 0 || iv->length == 0) { return NT_STATUS_INVALID_PARAMETER; @@ -124,14 +130,6 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_encrypt(TALLOC_CTX *mem_ctx, * TODO: Use gnutls_cipher_encrypt3() */ - if (hmac_size > 64) { - /* - * We don't want to overflow 'pauth_tag', which is 64 bytes in - * size. - */ - return NT_STATUS_INVALID_BUFFER_SIZE; - } - if (plaintext->length + aes_block_size < plaintext->length) { return NT_STATUS_INVALID_BUFFER_SIZE; } |