lib:crypto: Add ‘FixedData’ parameter to samba_gnutls_sp800_108_derive_key()

author Joseph Sutton <josephsutton@catalyst.net.nz>

Wed, 29 Nov 2023 02:46:30 +0000 (15:46 +1300)

committer Andrew Bartlett <abartlet@samba.org>

Thu, 30 Nov 2023 00:02:33 +0000 (00:02 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Wed, 29 Nov 2023 02:46:30 +0000 (15:46 +1300)
committer Andrew Bartlett <abartlet@samba.org>
Thu, 30 Nov 2023 00:02:33 +0000 (00:02 +0000)
diff --git a/lib/crypto/gnutls_helpers.h b/lib/crypto/gnutls_helpers.h

index c0b76047a0c35537d48cca910c1e0d22431c3c13..0362d5ee78220b1e6fe8ee34f98f42e7bd5583bb 100644 (file)
--- a/lib/crypto/gnutls_helpers.h
+++ b/lib/crypto/gnutls_helpers.h
@@ -197,6 +197,11 @@ bool samba_gnutls_weak_crypto_allowed(void);
   *
   * @param KI_len        The length of the key‐derivation key.
   *
+ * @param FixedData     If non‐NULL, specifies fixed data to be used in place of
+ *                      that constructed from the Label and Context parameters.
+ *
+ * @param FixedData_len The length of the fixed data, if it is present.
+ *
   * @param Label         A label that identifies the purpose for the derived key.
   *                      Ignored if FixedData is non‐NULL.
   *
@@ -218,6 +223,8 @@ bool samba_gnutls_weak_crypto_allowed(void);
  NTSTATUS samba_gnutls_sp800_108_derive_key(
         const uint8_t *KI,
         size_t KI_len,
+       const uint8_t *FixedData,
+       size_t FixedData_len,
         const uint8_t *Label,
         size_t Label_len,
         const uint8_t *Context,
diff --git a/lib/crypto/gnutls_sp800_108.c b/lib/crypto/gnutls_sp800_108.c

index 505c0664db32859fb959316b091e8336e8b2a1ff..dc04354d3d226922fa783ecb024726fc2f628ae6 100644 (file)
--- a/lib/crypto/gnutls_sp800_108.c
+++ b/lib/crypto/gnutls_sp800_108.c
@@ -27,6 +27,8 @@
  
  static NTSTATUS samba_gnutls_sp800_108_derive_key_part(
         const gnutls_hmac_hd_t hmac_hnd,
+       const uint8_t *FixedData,
+       const size_t FixedData_len,
         const uint8_t *Label,
         const size_t Label_len,
         const uint8_t *Context,
@@ -45,26 +47,34 @@ static NTSTATUS samba_gnutls_sp800_108_derive_key_part(
                 return gnutls_error_to_ntstatus(rc,
                                                 NT_STATUS_HMAC_NOT_SUPPORTED);
         }
-       rc = gnutls_hmac(hmac_hnd, Label, Label_len);
-       if (rc < 0) {
-               return gnutls_error_to_ntstatus(rc,
-                                               NT_STATUS_HMAC_NOT_SUPPORTED);
-       }
-       rc = gnutls_hmac(hmac_hnd, &zero, 1);
-       if (rc < 0) {
-               return gnutls_error_to_ntstatus(rc,
-                                               NT_STATUS_HMAC_NOT_SUPPORTED);
-       }
-       rc = gnutls_hmac(hmac_hnd, Context, Context_len);
-       if (rc < 0) {
-               return gnutls_error_to_ntstatus(rc,
-                                               NT_STATUS_HMAC_NOT_SUPPORTED);
-       }
-       RSIVAL(buf, 0, L);
-       rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
-       if (rc < 0) {
-               return gnutls_error_to_ntstatus(rc,
-                                               NT_STATUS_HMAC_NOT_SUPPORTED);
+       if (FixedData != NULL) {
+               rc = gnutls_hmac(hmac_hnd, FixedData, FixedData_len);
+               if (rc < 0) {
+                       return gnutls_error_to_ntstatus(
+                               rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+               }
+       } else {
+               rc = gnutls_hmac(hmac_hnd, Label, Label_len);
+               if (rc < 0) {
+                       return gnutls_error_to_ntstatus(
+                               rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+               }
+               rc = gnutls_hmac(hmac_hnd, &zero, 1);
+               if (rc < 0) {
+                       return gnutls_error_to_ntstatus(
+                               rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+               }
+               rc = gnutls_hmac(hmac_hnd, Context, Context_len);
+               if (rc < 0) {
+                       return gnutls_error_to_ntstatus(
+                               rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+               }
+               RSIVAL(buf, 0, L);
+               rc = gnutls_hmac(hmac_hnd, buf, sizeof(buf));
+               if (rc < 0) {
+                       return gnutls_error_to_ntstatus(
+                               rc, NT_STATUS_HMAC_NOT_SUPPORTED);
+               }
         }
  
         gnutls_hmac_output(hmac_hnd, digest);
@@ -87,6 +97,11 @@ static size_t ceiling_div(const size_t a, const size_t b)
   *
   * @param KI_len        The length of the key‐derivation key.
   *
+ * @param FixedData     If non‐NULL, specifies fixed data to be used in place of
+ *                      that constructed from the Label and Context parameters.
+ *
+ * @param FixedData_len The length of the fixed data, if it is present.
+ *
   * @param Label         A label that identifies the purpose for the derived key.
   *                      Ignored if FixedData is non‐NULL.
   *
@@ -108,6 +123,8 @@ static size_t ceiling_div(const size_t a, const size_t b)
  NTSTATUS samba_gnutls_sp800_108_derive_key(
         const uint8_t *KI,
         size_t KI_len,
+       const uint8_t *FixedData,
+       size_t FixedData_len,
         const uint8_t *Label,
         size_t Label_len,
         const uint8_t *Context,
@@ -164,6 +181,8 @@ NTSTATUS samba_gnutls_sp800_108_derive_key(
              KO_idx += digest_len, ++i)
         {
                 status = samba_gnutls_sp800_108_derive_key_part(hmac_hnd,
+                                                               FixedData,
+                                                               FixedData_len,
                                                                 Label,
                                                                 Label_len,
                                                                 Context,
@@ -180,6 +199,8 @@ NTSTATUS samba_gnutls_sp800_108_derive_key(
                 /* Get the last little bit. */
                 uint8_t digest[digest_len];
                 status = samba_gnutls_sp800_108_derive_key_part(hmac_hnd,
+                                                               FixedData,
+                                                               FixedData_len,
                                                                 Label,
                                                                 Label_len,
                                                                 Context,
diff --git a/lib/crypto/tests/test_gnutls_sp800_108.c b/lib/crypto/tests/test_gnutls_sp800_108.c

index fda295938c00e34ce74001aa03ca257a068276b4..19c5d399a7939541dbb8cf96589301213d14e96a 100644 (file)
--- a/lib/crypto/tests/test_gnutls_sp800_108.c
+++ b/lib/crypto/tests/test_gnutls_sp800_108.c
@@ -61,6 +61,8 @@ static void test_sp800_108_sha256(void **state)
  
         status = samba_gnutls_sp800_108_derive_key(key,
                                                    sizeof key,
+                                                  NULL,
+                                                  0,
                                                    label,
                                                    sizeof label,
                                                    context,
@@ -100,6 +102,8 @@ static void test_sp800_108_sha512(void **state)
  
         status = samba_gnutls_sp800_108_derive_key(key,
                                                    sizeof key,
+                                                  NULL,
+                                                  0,
                                                    label,
                                                    sizeof label,
                                                    context,
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c

index 87337874c40473daf24a9cbdb27b5fc53a732f7b..94ff51f2e931d583a76e2114cdcbf7da12c5e976 100644 (file)
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -260,6 +260,8 @@ static NTSTATUS smb2_signing_key_create(TALLOC_CTX *mem_ctx,
  
         status = samba_gnutls_sp800_108_derive_key(key->blob.data,
                                                    in_key_length,
+                                                  NULL,
+                                                  0,
                                                    d->label.data,
                                                    d->label.length,
                                                    d->context.data,
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c

index 73b505fc7fdf1e5343c1d5dac94edf23fa09a5e3..a52a615857f0ee3df58f1e62284d67992af45846 100644 (file)
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -6672,6 +6672,8 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
                 status = samba_gnutls_sp800_108_derive_key(
                         channel_key,
                         sizeof(channel_key),
+                       NULL,
+                       0,
                         d->label.data,
                         d->label.length,
                         d->context.data,
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Wed, 29 Nov 2023 02:46:30 +0000 (15:46 +1300)
committer	Andrew Bartlett <abartlet@samba.org>
	Thu, 30 Nov 2023 00:02:33 +0000 (00:02 +0000)
lib/crypto/gnutls_helpers.h		patch \| blob \| blame \| history
lib/crypto/gnutls_sp800_108.c		patch \| blob \| blame \| history
lib/crypto/tests/test_gnutls_sp800_108.c		patch \| blob \| blame \| history
libcli/smb/smb2_signing.c		patch \| blob \| blame \| history
libcli/smb/smbXcli_base.c		patch \| blob \| blame \| history