diff options
| author | Stefan Metzmacher <metze@samba.org> | 2008-07-28 15:49:46 +0200 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2008-07-28 16:15:23 +0200 |
| commit | 2d2911c7885dc832700185e62160bc18f8abfa04 (patch) | |
| tree | 5e731d3ecd33b9e28dedcdeb6cd5526d7c672719 /source4 | |
| parent | 0251096a89d9740f6bf2dfcf41594957424f887d (diff) | |
| download | samba-2d2911c7885dc832700185e62160bc18f8abfa04.tar.gz samba-2d2911c7885dc832700185e62160bc18f8abfa04.tar.bz2 samba-2d2911c7885dc832700185e62160bc18f8abfa04.zip | |
libcli/smb2: the session key for SMB2 signing is truncated to 16 bytes
To make that work (as a client) with aes128 and aes256 krb5 keys
we need to use gsskrb5_get_subkey().
metze
(This used to be commit 0c6d988f2083067e1ac7b07a492f88cefd3ba906)
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/libcli/smb2/session.c | 4 | ||||
| -rw-r--r-- | source4/libcli/smb2/signing.c | 9 |
2 files changed, 6 insertions, 7 deletions
diff --git a/source4/libcli/smb2/session.c b/source4/libcli/smb2/session.c index 6c573bf6d5..31b3e942e9 100644 --- a/source4/libcli/smb2/session.c +++ b/source4/libcli/smb2/session.c @@ -188,8 +188,8 @@ static void session_request_handler(struct smb2_request *req) } if (session->transport->signing_required) { - if (session->session_key.length != 16) { - DEBUG(2,("Wrong session key length %u for SMB2 signing\n", + if (session->session_key.length == 0) { + DEBUG(0,("Wrong session key length %u for SMB2 signing\n", (unsigned)session->session_key.length)); composite_error(c, NT_STATUS_ACCESS_DENIED); return; diff --git a/source4/libcli/smb2/signing.c b/source4/libcli/smb2/signing.c index fb2c22db4e..0d655d1a86 100644 --- a/source4/libcli/smb2/signing.c +++ b/source4/libcli/smb2/signing.c @@ -46,7 +46,7 @@ NTSTATUS smb2_sign_message(struct smb2_request_buffer *buf, DATA_BLOB session_ke return NT_STATUS_OK; } - if (session_key.length != 16) { + if (session_key.length == 0) { DEBUG(2,("Wrong session key length %u for SMB2 signing\n", (unsigned)session_key.length)); return NT_STATUS_ACCESS_DENIED; @@ -57,10 +57,9 @@ NTSTATUS smb2_sign_message(struct smb2_request_buffer *buf, DATA_BLOB session_ke SIVAL(buf->hdr, SMB2_HDR_FLAGS, IVAL(buf->hdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_SIGNED); ZERO_STRUCT(m); - hmac_sha256_init(session_key.data, 16, &m); + hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m); hmac_sha256_update(buf->buffer+NBT_HDR_SIZE, buf->size-NBT_HDR_SIZE, &m); hmac_sha256_final(res, &m); - DEBUG(5,("signed SMB2 message of size %u\n", (unsigned)buf->size - NBT_HDR_SIZE)); memcpy(buf->hdr + SMB2_HDR_SIGNATURE, res, 16); @@ -95,7 +94,7 @@ NTSTATUS smb2_check_signature(struct smb2_request_buffer *buf, DATA_BLOB session return NT_STATUS_OK; } - if (session_key.length != 16) { + if (session_key.length == 0) { DEBUG(2,("Wrong session key length %u for SMB2 signing\n", (unsigned)session_key.length)); return NT_STATUS_ACCESS_DENIED; @@ -106,7 +105,7 @@ NTSTATUS smb2_check_signature(struct smb2_request_buffer *buf, DATA_BLOB session memset(buf->hdr + SMB2_HDR_SIGNATURE, 0, 16); ZERO_STRUCT(m); - hmac_sha256_init(session_key.data, 16, &m); + hmac_sha256_init(session_key.data, MIN(session_key.length, 16), &m); hmac_sha256_update(buf->hdr, buf->size-NBT_HDR_SIZE, &m); hmac_sha256_final(res, &m); |