mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt() ptext_len bug

The initial implementation of gnutls_aead_cipher_decrypt() had a bug and
used:
    *ptext_len = ctext_len;
instead of:
    *ptext_len = ctext_len - tag_size;

This got fixed with gnutls 3.5.2.

As we only require gnutls 3.4.7 we need to cope with this...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb  2 18:29:08 UTC 2022 on sn-devel-184

(cherry picked from commit 735f3d7dde)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Mon Feb 14 10:34:10 UTC 2022 on sn-devel-184
Stefan Metzmacher 2022-01-31 20:33:43 +01:00 committed by Jule Anger
parent bbd4cd045a
commit 77fac5ed24
2 changed files with 18 additions and 0 deletions


@ -779,6 +779,21 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
goto out;
}
#ifdef HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG
/*
* Note that gnutls before 3.5.2 had a bug and returned
* *ptext_len = ctext_len, instead of
* *ptext_len = ctext_len - tag_size
*/
if (ptext_size != ctext_size) {
TALLOC_FREE(ptext);
TALLOC_FREE(ctext);
rc = GNUTLS_E_SHORT_MEMORY_BUFFER;
status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
goto out;
}
ptext_size -= tag_size;
#endif /* HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG */
if (ptext_size != m_total) {
TALLOC_FREE(ptext);
TALLOC_FREE(ctext);
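Review bot: The workaround is selected at build time by `#ifdef HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG`, which the configure check in the second file section sets from the gnutls version seen when building, but the length that gnutls_aead_cipher_decrypt() reports depends on the library loaded at run time. If a binary built against gnutls older than 3.5.2 runs with a fixed library (an upgraded shared object, or a distribution package with the fix backported), `ptext_size != ctext_size` holds for every valid message and each PDU is rejected with GNUTLS_E_SHORT_MEMORY_BUFFER; that fails closed, so it is an availability problem rather than a way past the tag check. Consider accepting both forms with `if (ptext_size == ctext_size) { ptext_size -= tag_size; }` and leaving the following `ptext_size != m_total` comparison as the authoritative length check, or deciding at run time with `gnutls_check_version("3.5.2") == NULL` (which would still misjudge a backported fix). The body of smb2_signing_decrypt_pdu starts and ends outside the hunk, so how ctext_size, tag_size and m_total are derived is assumed from their names and should be confirmed.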


@ -35,6 +35,9 @@ conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls')
if (parse_version(gnutls_version) > parse_version('3.6.14')):
conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls')
if (parse_version(gnutls_version) < parse_version('3.5.2')):
conf.DEFINE('HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG', 1)
# Check if we have support for crypto policies
if conf.CHECK_FUNCS_IN('gnutls_get_system_config_file', 'gnutls'):
conf.DEFINE('HAVE_GNUTLS_CRYPTO_POLICIES', 1)