From 6aa30669a1825333a4ad985ce331fd9e2b7fe9da Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 15 May 2019 08:33:18 +0200
Subject: auth:gensec: Use GnuTLS HMAC MD5 and MD5 in netsec_do_sign()

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 auth/gensec/schannel.c | 60 +++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 49 insertions(+), 11 deletions(-)

(limited to 'auth')

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 5c1afa8810b..7a15e17a9c6 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -321,32 +321,70 @@ static NTSTATUS netsec_do_sign(struct schannel_state *state,
 	} else {
 		uint8_t packet_digest[16];
 		static const uint8_t zeros[4];
-		MD5_CTX ctx;
+		gnutls_hash_hd_t hash_hnd = NULL;
+		int rc;
 
-		MD5Init(&ctx);
-		MD5Update(&ctx, zeros, 4);
+		rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
+		if (rc < 0) {
+			if (rc == GNUTLS_E_UNWANTED_ALGORITHM) {
+				return NT_STATUS_HASH_NOT_SUPPORTED;
+			}
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		rc = gnutls_hash(hash_hnd, zeros, sizeof(zeros));
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			return NT_STATUS_INTERNAL_ERROR;
+		}
 		if (confounder) {
 			SSVAL(header, 0, NL_SIGN_HMAC_MD5);
 			SSVAL(header, 2, NL_SEAL_RC4);
 			SSVAL(header, 4, 0xFFFF);
 			SSVAL(header, 6, 0x0000);
 
-			MD5Update(&ctx, header, 8);
-			MD5Update(&ctx, confounder, 8);
+			rc = gnutls_hash(hash_hnd, header, 8);
+			if (rc < 0) {
+				gnutls_hash_deinit(hash_hnd, NULL);
+				return NT_STATUS_INTERNAL_ERROR;
+			}
+			rc = gnutls_hash(hash_hnd, confounder, 8);
+			if (rc < 0) {
+				gnutls_hash_deinit(hash_hnd, NULL);
+				return NT_STATUS_INTERNAL_ERROR;
+			}
 		} else {
 			SSVAL(header, 0, NL_SIGN_HMAC_MD5);
 			SSVAL(header, 2, NL_SEAL_NONE);
 			SSVAL(header, 4, 0xFFFF);
 			SSVAL(header, 6, 0x0000);
 
-			MD5Update(&ctx, header, 8);
+			rc = gnutls_hash(hash_hnd, header, 8);
+			if (rc < 0) {
+				gnutls_hash_deinit(hash_hnd, NULL);
+				return NT_STATUS_INTERNAL_ERROR;
+			}
+		}
+		rc = gnutls_hash(hash_hnd, data, length);
+		if (rc < 0) {
+			gnutls_hash_deinit(hash_hnd, NULL);
+			return NT_STATUS_INTERNAL_ERROR;
 		}
-		MD5Update(&ctx, data, length);
-		MD5Final(packet_digest, &ctx);
+		gnutls_hash_deinit(hash_hnd, packet_digest);
 
-		hmac_md5(state->creds->session_key,
-			 packet_digest, sizeof(packet_digest),
-			 checksum);
+		rc = gnutls_hmac_fast(GNUTLS_MAC_MD5,
+				      state->creds->session_key,
+				      sizeof(state->creds->session_key),
+				      packet_digest,
+				      sizeof(packet_digest),
+				      checksum);
+		ZERO_ARRAY(packet_digest);
+		if (rc < 0) {
+			if (rc == GNUTLS_E_UNWANTED_ALGORITHM) {
+				return NT_STATUS_HASH_NOT_SUPPORTED;
+			}
+			return NT_STATUS_INTERNAL_ERROR;
+		}
 	}
 
 	return NT_STATUS_OK;
-- 
cgit v1.2.1