1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug

The initial implementation of gnutls_aead_cipher_decrypt() had a bug and
used:
    *ptext_len = ctext_len;
instead of:
    *ptext_len = ctext_len - tag_size;

This got fixed with gnutls 3.5.2.

As we only require gnutls 3.4.7 we need to cope with this...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb  2 18:29:08 UTC 2022 on sn-devel-184
This commit is contained in:
Stefan Metzmacher 2022-01-31 20:33:43 +01:00
parent 99182af4ab
commit 735f3d7dde
2 changed files with 18 additions and 0 deletions

View File

@ -1257,6 +1257,21 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR); status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
goto out; goto out;
} }
#ifdef HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG
/*
* Note that gnutls before 3.5.2 had a bug and returned
* *ptext_len = ctext_len, instead of
* *ptext_len = ctext_len - tag_size
*/
if (ptext_size != ctext_size) {
TALLOC_FREE(ptext);
TALLOC_FREE(ctext);
rc = GNUTLS_E_SHORT_MEMORY_BUFFER;
status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
goto out;
}
ptext_size -= tag_size;
#endif /* HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG */
if (ptext_size != m_total) { if (ptext_size != m_total) {
TALLOC_FREE(ptext); TALLOC_FREE(ptext);
TALLOC_FREE(ctext); TALLOC_FREE(ctext);

View File

@ -44,6 +44,9 @@ if (gnutls_version > parse_version('3.6.10')):
if (gnutls_version > parse_version('3.6.14')): if (gnutls_version > parse_version('3.6.14')):
conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1) conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1)
if (gnutls_version < parse_version('3.5.2')):
conf.DEFINE('HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG', 1)
# Check if gnutls has fips mode support # Check if gnutls has fips mode support
# gnutls_fips140_mode_enabled() is available since 3.3.0 # gnutls_fips140_mode_enabled() is available since 3.3.0
fragment = ''' fragment = '''