From 015e4d2dc2776d7d56edd51a1b9cad510f24e537 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 14 Mar 2019 17:42:34 +0100
Subject: libcli:smb: Use smb2_signing_key for smb2_signing_check_pdu()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 libcli/smb/smb2_signing.c  | 34 +++++++++++++++++-----------------
 libcli/smb/smb2_signing.h  |  2 +-
 libcli/smb/smbXcli_base.c  |  8 ++++----
 source3/smbd/smb2_server.c |  2 +-
 4 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 38169b50f62..62b53ccbe48 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -138,7 +138,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
+NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
 				enum protocol_types protocol,
 				const struct iovec *vector,
 				int count)
@@ -169,7 +169,7 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
 		return NT_STATUS_OK;
 	}
 
-	if (signing_key.length == 0) {
+	if (!smb2_signing_key_valid(signing_key)) {
 		/* we don't have the session key yet */
 		return NT_STATUS_OK;
 	}
@@ -180,7 +180,9 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
 		struct aes_cmac_128_context ctx;
 		uint8_t key[AES_BLOCK_SIZE] = {0};
 
-		memcpy(key, signing_key.data, MIN(signing_key.length, 16));
+		memcpy(key,
+		       signing_key->blob.data,
+		       MIN(signing_key->blob.length, 16));
 
 		aes_cmac_128_init(&ctx, key);
 		aes_cmac_128_update(&ctx, hdr, SMB2_HDR_SIGNATURE);
@@ -194,39 +196,37 @@ NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
 
 		ZERO_ARRAY(key);
 	} else {
-		gnutls_hmac_hd_t hmac_hnd = NULL;
 		uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
 		int rc;
 
-		rc = gnutls_hmac_init(&hmac_hnd,
-				      GNUTLS_MAC_SHA256,
-				      signing_key.data,
-				      MIN(signing_key.length, 16));
-		if (rc < 0) {
-			return NT_STATUS_NO_MEMORY;
+		if (signing_key->hmac_hnd == NULL) {
+			rc = gnutls_hmac_init(&signing_key->hmac_hnd,
+					      GNUTLS_MAC_SHA256,
+					      signing_key->blob.data,
+					      MIN(signing_key->blob.length, 16));
+			if (rc < 0) {
+				return NT_STATUS_NO_MEMORY;
+			}
 		}
 
-		rc = gnutls_hmac(hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
+		rc = gnutls_hmac(signing_key->hmac_hnd, hdr, SMB2_HDR_SIGNATURE);
 		if (rc < 0) {
-			gnutls_hmac_deinit(hmac_hnd, NULL);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
-		rc = gnutls_hmac(hmac_hnd, zero_sig, 16);
+		rc = gnutls_hmac(signing_key->hmac_hnd, zero_sig, 16);
 		if (rc < 0) {
-			gnutls_hmac_deinit(hmac_hnd, NULL);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
 
 		for (i = 1; i < count; i++) {
-			rc = gnutls_hmac(hmac_hnd,
+			rc = gnutls_hmac(signing_key->hmac_hnd,
 					 vector[i].iov_base,
 					 vector[i].iov_len);
 			if (rc < 0) {
-				gnutls_hmac_deinit(hmac_hnd, NULL);
 				return NT_STATUS_INTERNAL_ERROR;
 			}
 		}
-		gnutls_hmac_deinit(hmac_hnd, digest);
+		gnutls_hmac_output(signing_key->hmac_hnd, digest);
 		memcpy(res, digest, 16);
 		ZERO_ARRAY(digest);
 	}
diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h
index 7bc0a0263eb..646567c9d75 100644
--- a/libcli/smb/smb2_signing.h
+++ b/libcli/smb/smb2_signing.h
@@ -40,7 +40,7 @@ NTSTATUS smb2_signing_sign_pdu(struct smb2_signing_key *signing_key,
 			       struct iovec *vector,
 			       int count);
 
-NTSTATUS smb2_signing_check_pdu(DATA_BLOB signing_key,
+NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
 				enum protocol_types protocol,
 				const struct iovec *vector,
 				int count);
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index ebc293ea4a8..2d74e2490bc 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -3698,7 +3698,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 		uint16_t credits = SVAL(inhdr, SMB2_HDR_CREDIT);
 		uint32_t new_credits;
 		struct smbXcli_session *session = NULL;
-		const struct smb2_signing_key *signing_key = NULL;
+		struct smb2_signing_key *signing_key = NULL;
 		bool was_encrypted = false;
 
 		new_credits = conn->smb2.cur_credits;
@@ -3915,7 +3915,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
 		if (signing_key) {
 			NTSTATUS signing_status;
 
-			signing_status = smb2_signing_check_pdu(signing_key->blob,
+			signing_status = smb2_signing_check_pdu(signing_key,
 								state->conn->protocol,
 								&cur[1], 3);
 			if (!NT_STATUS_IS_OK(signing_status)) {
@@ -6074,7 +6074,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 	}
 
 	if (check_signature) {
-		status = smb2_signing_check_pdu(session->smb2_channel.signing_key->blob,
+		status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
 						session->conn->protocol,
 						recv_iov, 3);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -6237,7 +6237,7 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
 	}
 	ZERO_STRUCT(channel_key);
 
-	status = smb2_signing_check_pdu(session->smb2_channel.signing_key->blob,
+	status = smb2_signing_check_pdu(session->smb2_channel.signing_key,
 					session->conn->protocol,
 					recv_iov, 3);
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/smbd/smb2_server.c b/source3/smbd/smb2_server.c
index 563918bcd11..71c1c3dc9cf 100644
--- a/source3/smbd/smb2_server.c
+++ b/source3/smbd/smb2_server.c
@@ -2483,7 +2483,7 @@ NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
 			req->do_signing = true;
 		}
 
-		status = smb2_signing_check_pdu(signing_key->blob,
+		status = smb2_signing_check_pdu(signing_key,
 						xconn->protocol,
 						SMBD_SMB2_IN_HDR_IOV(req),
 						SMBD_SMB2_NUM_IOV_PER_REQ - 1);
-- 
cgit v1.2.1