]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
s3:smbd: Use smb2_signing_key structure for the encryption key
authorAndreas Schneider <asn@samba.org>
Thu, 14 Mar 2019 09:02:27 +0000 (10:02 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 21 Aug 2019 09:57:32 +0000 (09:57 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/librpc/idl/smbXsrv.idl
source3/smbd/smb2_server.c
source3/smbd/smb2_sesssetup.c

index 72017bc3e15edc5eb95f111d4aa703922daa1258..f7acb2198fb409e1b9482a08850533c2b68057ab 100644 (file)
@@ -229,6 +229,7 @@ interface smbXsrv
                [noprint] DATA_BLOB                     signing_key_blob;
                [ignore] smb2_signing_key               *signing_key;
                [noprint] DATA_BLOB                     encryption_key_blob;
+               [ignore] smb2_signing_key               *encryption_key;
                [noprint] DATA_BLOB                     decryption_key_blob;
                [noprint] DATA_BLOB                     application_key;
                [range(1, 1024)] uint32                 num_channels;
index c0c4a0272d1a510c3ba7ffccda0711fa5040d7ea..b708fdb90b91045f55592296806ddc502a39e150 100644 (file)
@@ -1737,9 +1737,9 @@ static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
 
        if (req->do_encryption) {
                struct smbXsrv_session *x = req->session;
-               DATA_BLOB encryption_key = x->global->encryption_key_blob;
+               struct smb2_signing_key *encryption_key = x->global->encryption_key;
 
-               status = smb2_signing_encrypt_pdu(encryption_key,
+               status = smb2_signing_encrypt_pdu(encryption_key->blob,
                                        xconn->smb2.server.cipher,
                                        &state->vector[1+SMBD_SMB2_TF_IOV_OFS],
                                        SMBD_SMB2_NUM_IOV_PER_REQ);
@@ -2852,9 +2852,10 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
            (firsttf->iov_len == 0) &&
            (req->first_key.length == 0) &&
            (req->session != NULL) &&
-           (req->session->global->encryption_key_blob.length != 0))
+           smb2_signing_key_valid(req->session->global->encryption_key))
        {
-               DATA_BLOB encryption_key = req->session->global->encryption_key_blob;
+               struct smb2_signing_key *encryption_key =
+                       req->session->global->encryption_key;
                uint8_t *tf;
                uint64_t session_id = req->session->global->session_wire_id;
                uint64_t nonce_high;
@@ -2878,7 +2879,8 @@ static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
                 * we are sure that we do not change
                 * the header again.
                 */
-               req->first_key = data_blob_dup_talloc(req, encryption_key);
+               req->first_key = data_blob_dup_talloc(req,
+                                                     encryption_key->blob);
                if (req->first_key.data == NULL) {
                        return NT_STATUS_NO_MEMORY;
                }
@@ -3414,9 +3416,10 @@ static NTSTATUS smbd_smb2_send_break(struct smbXsrv_connection *xconn,
        }
 
        if (do_encryption) {
-               DATA_BLOB encryption_key = session->global->encryption_key_blob;
+               struct smb2_signing_key *encryption_key =
+                       session->global->encryption_key;
 
-               status = smb2_signing_encrypt_pdu(encryption_key,
+               status = smb2_signing_encrypt_pdu(encryption_key->blob,
                                        xconn->smb2.server.cipher,
                                        &state->vector[1+SMBD_SMB2_TF_IOV_OFS],
                                        SMBD_SMB2_NUM_IOV_PER_REQ);
index 591d5c37160fb49d125ba18bc8e2c5f02066cf37..c2725825d7ab43e7ae1092b1a31077b2d5be7131 100644 (file)
@@ -394,18 +394,28 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
                struct _derivation *d = &derivation.encryption;
                size_t nonce_size;
 
-               x->global->encryption_key_blob = data_blob_talloc(x->global,
-                                                            session_key,
-                                                            sizeof(session_key));
-               if (x->global->encryption_key_blob.data == NULL) {
+               x->global->encryption_key =
+                       talloc_zero(x->global, struct smb2_signing_key);
+               if (x->global->encryption_key == NULL) {
+                       ZERO_STRUCT(session_key);
+                       return NT_STATUS_NO_MEMORY;
+               }
+
+               x->global->encryption_key->blob =
+                       x->global->encryption_key_blob =
+                               data_blob_talloc(x->global->encryption_key,
+                                                session_key,
+                                                sizeof(session_key));
+               if (!smb2_signing_key_valid(x->global->encryption_key)) {
                        ZERO_STRUCT(session_key);
                        return NT_STATUS_NO_MEMORY;
                }
+               talloc_keep_secret(x->global->encryption_key->blob.data);
 
                status = smb2_key_derivation(session_key, sizeof(session_key),
                                             d->label.data, d->label.length,
                                             d->context.data, d->context.length,
-                                            x->global->encryption_key_blob.data);
+                                            x->global->encryption_key->blob.data);
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
                }
@@ -477,8 +487,8 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
                dump_data(0, x->global->decryption_key_blob.data,
                          x->global->decryption_key_blob.length);
                DEBUGADD(0, ("ServerOut Key "));
-               dump_data(0, x->global->encryption_key_blob.data,
-                         x->global->encryption_key_blob.length);
+               dump_data(0, x->global->encryption_key->blob.data,
+                         x->global->encryption_key->blob.length);
        }
 
        ZERO_STRUCT(session_key);