authorAndreas Schneider <asn@samba.org>2019-03-13 19:34:23 +0100
committerAndrew Bartlett <abartlet@samba.org>2019-04-30 23:18:28 +0000
commitdcf37228e1d920f753d4cf72204ce7ca6b1fa6e1 (patch)
tree80d112f310599c773b89af92372cdec6213541e5 /libcli
parent3f252816ad80ca356d80dbc90ecfdaa4ed9b5942 (diff)
libcli:smb: Use smb2_signing_key for smb2_signing_sign_pdu()
This caches the gnutls hmac handle in the struct so we only allocate it once. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'libcli')
-rw-r--r--libcli/smb/smb2_signing.c32
-rw-r--r--libcli/smb/smb2_signing.h2
-rw-r--r--libcli/smb/smbXcli_base.c4
3 files changed, 20 insertions, 18 deletions
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 72c98d6a610..38169b50f62 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -50,7 +50,7 @@ bool smb2_signing_key_valid(const struct smb2_signing_key *key)
return true;
}
-NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key,
+NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
enum protocol_types protocol,
struct iovec *vector,
int count)
@@ -79,9 +79,9 @@ NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key,
return NT_STATUS_OK;
}
- if (signing_key.length == 0) {
- DEBUG(2,("Wrong session key length %u for SMB2 signing\n",
- (unsigned)signing_key.length));
+ if (!smb2_signing_key_valid(signing_key)) {
+ DBG_WARNING("Wrong session key length %zu for SMB2 signing\n",
+ signing_key->blob.length);
return NT_STATUS_ACCESS_DENIED;
}
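Review bot: The warning in the new invalid-key branch reads `signing_key->blob.length` after `smb2_signing_key_valid(signing_key)` has already returned false. If that helper reports a NULL key as invalid (its body is outside this hunk, so this is an inference), the log statement dereferences NULL on the very path meant to reject it. The text "Wrong session key length" may also no longer describe every reason the check can fail. A message that does not touch the pointer avoids both problems: `DBG_WARNING("No valid signing key for SMB2 signing\n");`. The body of smb2_signing_sign_pdu starts and ends outside the hunk.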
@@ -93,7 +93,9 @@ NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key,
struct aes_cmac_128_context ctx;
uint8_t key[AES_BLOCK_SIZE] = {0};
- memcpy(key, signing_key.data, MIN(signing_key.length, 16));
+ memcpy(key,
+ signing_key->blob.data,
+ MIN(signing_key->blob.length, 16));
aes_cmac_128_init(&ctx, key);
for (i=0; i < count; i++) {
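Review bot: The reflowed `memcpy` still bounds the copy with a bare `16` while the destination is declared as `key[AES_BLOCK_SIZE]`, so the limit and the buffer size are only equal by coincidence of two separate constants. Tying the bound to the buffer keeps them in step: `MIN(signing_key->blob.length, sizeof(key))`. The same literal appears in the `gnutls_hmac_init()` call in the next hunk, where a named constant for the truncated key length would make the intent clearer.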
@@ -105,28 +107,28 @@ NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key,
ZERO_ARRAY(key);
} else {
- gnutls_hmac_hd_t hmac_hnd = NULL;
uint8_t digest[gnutls_hmac_get_len(GNUTLS_MAC_SHA256)];
int rc;
- rc = gnutls_hmac_init(&hmac_hnd,
- GNUTLS_MAC_SHA256,
- signing_key.data,
- MIN(signing_key.length, 16));
- if (rc < 0) {
- return NT_STATUS_NO_MEMORY;
+ if (signing_key->hmac_hnd == NULL) {
+ rc = gnutls_hmac_init(&signing_key->hmac_hnd,
+ GNUTLS_MAC_SHA256,
+ signing_key->blob.data,
+ MIN(signing_key->blob.length, 16));
+ if (rc < 0) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
for (i = 0; i < count; i++) {
- rc = gnutls_hmac(hmac_hnd,
+ rc = gnutls_hmac(signing_key->hmac_hnd,
vector[i].iov_base,
vector[i].iov_len);
if (rc < 0) {
- gnutls_hmac_deinit(hmac_hnd, NULL);
return NT_STATUS_NO_MEMORY;
}
}
- gnutls_hmac_deinit(hmac_hnd, digest);
+ gnutls_hmac_output(signing_key->hmac_hnd, digest);
memcpy(res, digest, sizeof(res));
}
DEBUG(5,("signed SMB2 message\n"));
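Review bot: The early `return NT_STATUS_NO_MEMORY;` inside the `gnutls_hmac()` loop now leaves the cached `signing_key->hmac_hnd` holding the bytes fed so far, because the removed `gnutls_hmac_deinit(hmac_hnd, NULL)` has no replacement. The next PDU signed with the same key would be MACed on top of that leftover state and carry a signature the peer rejects. Dropping the handle on the error path restores the old behaviour: `gnutls_hmac_deinit(signing_key->hmac_hnd, NULL); signing_key->hmac_hnd = NULL;` before the return. The success path depends on `gnutls_hmac_output()` resetting the handle for reuse, which deserves a one-line comment such as `/* gnutls_hmac_output() resets the handle for the next PDU */`. The return value of `gnutls_hmac_output()` is not checked, and the cached handle has to be released in the key's destructor, which is not visible in this hunk.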
diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h
index 73621daf90e..7bc0a0263eb 100644
--- a/libcli/smb/smb2_signing.h
+++ b/libcli/smb/smb2_signing.h
@@ -35,7 +35,7 @@ int smb2_signing_key_destructor(struct smb2_signing_key *key);
bool smb2_signing_key_valid(const struct smb2_signing_key *key);
-NTSTATUS smb2_signing_sign_pdu(DATA_BLOB signing_key,
+NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
enum protocol_types protocol,
struct iovec *vector,
int count);
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 7261609c967..ebc293ea4a8 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3190,7 +3190,7 @@ NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs,
uint16_t charge;
uint16_t credits;
uint64_t mid;
- const struct smb2_signing_key *signing_key = NULL;
+ struct smb2_signing_key *signing_key = NULL;
if (!tevent_req_is_in_progress(reqs[i])) {
return NT_STATUS_INTERNAL_ERROR;
@@ -3323,7 +3323,7 @@ skip_credits:
if (signing_key != NULL) {
NTSTATUS status;
- status = smb2_signing_sign_pdu(signing_key->blob,
+ status = smb2_signing_sign_pdu(signing_key,
state->session->conn->protocol,
&iov[hdr_iov], num_iov - hdr_iov);
if (!NT_STATUS_IS_OK(status)) {