From: Andreas Schneider
Date: Wed, 10 Oct 2018 13:37:18 +0000 (+0200)
Subject: libcli:auth: Use GnuTLS SHA256 HMAC for credentials
X-Git-Tag: tdb-1.4.1~262
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8bed91c999f86c010a68dc9415d0f0688cff5555;p=thirdparty%2Fsamba.git
libcli:auth: Use GnuTLS SHA256 HMAC for credentials
Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
---
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index fcd5e34cc9b..1a446a6e585 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -26,6 +26,9 @@
 #include "libcli/auth/libcli_auth.h"
 #include "../libcli/security/dom_sid.h"
+#include
+#include
+
 static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
 const struct netr_Credential *in,
 struct netr_Credential *out)
@@ -102,22 +105,38 @@ static void netlogon_creds_init_hmac_sha256(struct netlogon_creds_CredentialStat
 const struct netr_Credential *server_challenge,
 const struct samr_Password *machine_password)
 {
- struct HMACSHA256Context ctx;
- uint8_t digest[SHA256_DIGEST_LENGTH];
+ gnutls_hmac_hd_t hmac_hnd = NULL;
+ uint8_t digest[gnutls_hash_get_len(GNUTLS_MAC_SHA256)];
+ int rc;
 ZERO_ARRAY(creds->session_key);
- hmac_sha256_init(machine_password->hash,
- sizeof(machine_password->hash),
- &ctx);
- hmac_sha256_update(client_challenge->data, 8, &ctx);
- hmac_sha256_update(server_challenge->data, 8, &ctx);
- hmac_sha256_final(digest, &ctx);
+ rc = gnutls_hmac_init(&hmac_hnd,
+ GNUTLS_MAC_SHA256,
+ machine_password->hash,
+ sizeof(machine_password->hash));
+ if (rc < 0) {
+ return;
+ }
+ rc = gnutls_hmac(hmac_hnd,
+ client_challenge->data,
+ 8);
+ if (rc < 0) {
+ gnutls_hmac_deinit(hmac_hnd, NULL);
+ return;
+ }
+ rc = gnutls_hmac(hmac_hnd,
+ server_challenge->data,
+ 8);
+ if (rc < 0) {
+ gnutls_hmac_deinit(hmac_hnd, NULL);
+ return;
+ }
+ gnutls_hmac_deinit(hmac_hnd, digest);
 memcpy(creds->session_key, digest, sizeof(creds->session_key));
- ZERO_STRUCT(digest);
- ZERO_STRUCT(ctx);
+ ZERO_ARRAY(digest);
 }
 static void netlogon_creds_first_step(struct netlogon_creds_CredentialState *creds,
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index d319d9b879e..96dcf981a3e 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK',
 bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
 source='credentials.c session.c smbencrypt.c smbdes.c',
- public_deps='MSRPC_PARSE',
+ public_deps='MSRPC_PARSE gnutls',
 public_headers='credentials.h:domain_credentials.h'
 )
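Review bot: Each `rc < 0` branch in netlogon_creds_init_hmac_sha256() returns from a `void` function after `ZERO_ARRAY(creds->session_key)` has already run, so a GnuTLS failure leaves an all-zero session key that the caller cannot tell apart from a derived one. The function should report the failure, for example by returning a status that its callers check before they use the credential state; those callers are outside this hunk, so the signature change would have to be carried through there. Separately, `digest` is sized with `gnutls_hash_get_len()`, which takes a digest algorithm, while `GNUTLS_MAC_SHA256` is a MAC algorithm; `uint8_t digest[gnutls_hmac_get_len(GNUTLS_MAC_SHA256)];` is the matching call. A fixed 32-byte array would also avoid the variable-length array and make it evident that the `memcpy` of `sizeof(creds->session_key)` bytes stays within `digest`.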