From: Joseph Sutton
Date: Thu, 23 Nov 2023 06:49:23 +0000 (+1300)
Subject: libcli/smb: Add ‘algorithm’ parameter to smb2_key_derivation()
X-Git-Tag: talloc-2.4.2~456
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=30be2446ed1e6a7d0c7c42322d1dfa065ad026d0;p=thirdparty%2Fsamba.git

libcli/smb: Add ‘algorithm’ parameter to smb2_key_derivation()

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 719bd90988e..ab654e74f2b 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -261,6 +261,7 @@ static NTSTATUS smb2_signing_key_create(TALLOC_CTX *mem_ctx,
 status = smb2_key_derivation(key->blob.data, in_key_length,
 d->label.data, d->label.length,
 d->context.data, d->context.length,
+ GNUTLS_MAC_SHA256,
 key->blob.data, out_key_length);
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(key);
@@ -649,12 +650,13 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
 NTSTATUS smb2_key_derivation(const uint8_t *KI, size_t KI_len,
 const uint8_t *Label, size_t Label_len,
 const uint8_t *Context, size_t Context_len,
+ const gnutls_mac_algorithm_t algorithm,
 uint8_t *KO, size_t KO_len)
 {
 gnutls_hmac_hd_t hmac_hnd = NULL;
 uint8_t buf[4];
 static const uint8_t zero = 0;
- const size_t digest_len = gnutls_hmac_get_len(GNUTLS_MAC_SHA256);
+ const size_t digest_len = gnutls_hmac_get_len(algorithm);
 uint8_t digest[digest_len];
 uint32_t i = 1;
 uint32_t L = KO_len * 8;
@@ -676,11 +678,10 @@ NTSTATUS smb2_key_derivation(const uint8_t *KI, size_t KI_len,
 /*
 * a simplified version of
- * "NIST Special Publication 800-108" section 5.1
- * using hmac-sha256.
+ * "NIST Special Publication 800-108" section 5.1.
 */
 rc = gnutls_hmac_init(&hmac_hnd,
- GNUTLS_MAC_SHA256,
+ algorithm,
 KI,
 KI_len);
 if (rc < 0) {
diff --git a/libcli/smb/smb2_signing.h b/libcli/smb/smb2_signing.h
index a0c11090725..e298db11a9b 100644
--- a/libcli/smb/smb2_signing.h
+++ b/libcli/smb/smb2_signing.h
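Review bot: In the `@@ -649,12 +650,13 @@` hunk, `digest_len` now comes from `gnutls_hmac_get_len(algorithm)` with a caller-chosen `algorithm`, and it sizes the stack array `digest[digest_len]` before anything validates it. GnuTLS documents that function as returning zero on error, and a zero-length variable-length array is undefined behaviour in C; the `gnutls_hmac_init()` failure check further down runs too late to prevent it. I would declare `digest` with a fixed upper bound (64 bytes covers HMAC-SHA512) and reject anything else up front, e.g. `if (digest_len == 0 || digest_len > sizeof(digest)) { return NT_STATUS_INVALID_PARAMETER; }`. The function body continues past this hunk, so any existing comparison of `KO_len` against `digest_len` is not visible here and should be confirmed to still hold for the new value.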
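Review bot: The comment above `gnutls_hmac_init()` in the `@@ -676,11 +678,10 @@` hunk no longer names the PRF once "using hmac-sha256" is dropped, so a reader cannot tell that the derivation is still HMAC-based with a variable hash. I would keep a second line in adjusted form, e.g. `* using HMAC with the caller-supplied algorithm as the PRF.`. The same gap applies to the prototype in libcli/smb/smb2_signing.h, where a short comment could state which `gnutls_mac_algorithm_t` values callers are expected to pass. It could also say how `KO_len` relates to that algorithm's digest length, which is presumably an upper bound but needs confirming against the body outside the hunk.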
@@ -21,6 +21,8 @@
 #ifndef _LIBCLI_SMB_SMB2_SIGNING_H_
 #define _LIBCLI_SMB_SMB2_SIGNING_H_
+#include
+
 #include "lib/util/data_blob.h"
 #include "libcli/smb/smb_constants.h"
@@ -93,6 +95,7 @@ NTSTATUS smb2_signing_check_pdu(struct smb2_signing_key *signing_key,
 NTSTATUS smb2_key_derivation(const uint8_t *KI, size_t KI_len,
 const uint8_t *Label, size_t Label_len,
 const uint8_t *Context, size_t Context_len,
+ const gnutls_mac_algorithm_t algorithm,
 uint8_t *KO, size_t KO_len);
 NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index c2dece8ca0a..9390f8634b0 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -6672,6 +6672,7 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
 status = smb2_key_derivation(channel_key, sizeof(channel_key),
 d->label.data, d->label.length,
 d->context.data, d->context.length,
+ GNUTLS_MAC_SHA256,
 session->smb2_channel.signing_key->blob.data,
 session->smb2_channel.signing_key->blob.length);
 if (!NT_STATUS_IS_OK(status)) {