{
size_t tag_size = _tag_size;
int rc;
-#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2)
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
rc = gnutls_aead_cipher_encryptv2(cipher_hnd,
iv, iv_size,
}
return NT_STATUS_OK;
-#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
+#else /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */
TALLOC_CTX *tmp_ctx = NULL;
size_t atext_size = 0;
uint8_t *atext = NULL;
}
return NT_STATUS_OK;
-#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
+#endif /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */
}
static NTSTATUS smb2_signing_calc_signature(struct smb2_signing_key *signing_key,
struct iovec *vector,
int count)
{
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+ bool use_encryptv2 = false;
+#endif
uint16_t cipher_id;
uint8_t *tf;
size_t a_total;
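Review bot: `use_encryptv2` is declared only under `HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2`, but the switch cases further down assign it under `ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM` and `ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM`, so the file only compiles if every ALLOW_* define implies HAVE_*. The configure change appears to guarantee that for the GCM define, which is set after `CHECK_FUNCS_IN` succeeds; for the CCM define the nesting cannot be confirmed from this page because the indentation is lost. I would state the invariant once near the top of the file: `#if defined(ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM) && !defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2)`, then `#error "ALLOW_* requires HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2"`, then `#endif`. The same declaration is added to the decrypt function later in the patch, and the function body continues outside this hunk.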
case SMB2_ENCRYPTION_AES128_CCM:
algo = GNUTLS_CIPHER_AES_128_CCM;
iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES128_GCM:
algo = GNUTLS_CIPHER_AES_128_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES256_CCM:
algo = GNUTLS_CIPHER_AES_256_CCM;
iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES256_GCM:
algo = GNUTLS_CIPHER_AES_256_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
+ use_encryptv2 = true;
+#endif
break;
default:
return NT_STATUS_INVALID_PARAMETER;
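Review bot: The per-cipher decision is spelled out as four `#ifdef ALLOW_…` / `use_encryptv2 = true;` blocks in this switch and four identical ones in the decrypt switch, so a future cipher or a changed version gate has to be edited in eight places. A single file-local helper would keep the decision in one place, and both functions could then write `use_encryptv2 = smb2_cipher_allows_encryptv2(cipher_id);` after the switch. The switch expression is outside the hunk; `cipher_id` is assumed from the declarations shown above.

```c
static bool smb2_cipher_allows_encryptv2(uint16_t cipher_id)
{
	switch (cipher_id) {
#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
	case SMB2_ENCRYPTION_AES128_CCM:
	case SMB2_ENCRYPTION_AES256_CCM:
		return true;
#endif
#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
	case SMB2_ENCRYPTION_AES128_GCM:
	case SMB2_ENCRYPTION_AES256_GCM:
		return true;
#endif
	default:
		return false;
	}
}
```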
0,
16 - iv_size);
-#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2)
- {
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+ if (use_encryptv2) {
uint8_t tag[tag_size];
giovec_t auth_iov[1];
}
memcpy(tf + SMB2_TF_SIGNATURE, tag, tag_size);
- }
-#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
+ } else
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
{
size_t ptext_size = m_total;
uint8_t *ptext = NULL;
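Review bot: The `} else` inside the `#ifdef` and the `{` after the `#endif` form one statement only while nothing is placed between them, and the block is now both the compile-time and the run-time fallback. A statement or declaration added after the `#endif` would silently become the `else` body, leaving the copying path to run unconditionally after the encryptv2 path. I would mark the brace with a comment such as `/* Fallback: encryptv2 is missing or not allowed for the negotiated cipher */`. The decrypt function gets the same construct later in the patch, and the block body continues outside this hunk.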
TALLOC_FREE(ptext);
TALLOC_FREE(ctext);
}
-#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
DBG_INFO("Encrypted SMB2 message\n");
struct iovec *vector,
int count)
{
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+ bool use_encryptv2 = false;
+#endif
uint16_t cipher_id;
uint8_t *tf;
uint16_t flags;
case SMB2_ENCRYPTION_AES128_CCM:
algo = GNUTLS_CIPHER_AES_128_CCM;
iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES128_GCM:
algo = GNUTLS_CIPHER_AES_128_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES256_CCM:
algo = GNUTLS_CIPHER_AES_256_CCM;
iv_size = SMB2_AES_128_CCM_NONCE_SIZE;
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM
+ use_encryptv2 = true;
+#endif
break;
case SMB2_ENCRYPTION_AES256_GCM:
algo = GNUTLS_CIPHER_AES_256_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
+#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
+ use_encryptv2 = true;
+#endif
break;
default:
return NT_STATUS_INVALID_PARAMETER;
}
/* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */
-#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2)
- {
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+ if (use_encryptv2) {
giovec_t auth_iov[1];
auth_iov[0] = (giovec_t) {
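Review bot: The comment `/* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */` kept above the `#ifdef` no longer describes what selects this branch. The choice is now made by `use_encryptv2`, set per cipher in the switch above, and the configure notes also cite an AES-CCM memory leak in 3.6.10 - 3.6.14. I would replace it with something like `/* encryptv2 is used only where configure allowed it: broken in 3.6.10, AES-CCM leaks memory up to 3.6.14 */`. The `if (use_encryptv2)` block continues outside this hunk.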
status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
goto out;
}
- }
-#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
+ } else
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
{
size_t ctext_size = m_total + tag_size;
uint8_t *ctext = NULL;
TALLOC_FREE(ptext);
TALLOC_FREE(ctext);
}
-#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
DBG_INFO("Decrypted SMB2 message\n");
msg='Checking for GnuTLS >= %s' % gnutls_required_version,
mandatory=True)
-gnutls_version = conf.cmd_and_log(conf.env.PKGCONFIG + ['--modversion', 'gnutls']).strip()
+gnutls_version_str = conf.cmd_and_log(conf.env.PKGCONFIG + ['--modversion', 'gnutls']).strip()
+gnutls_version = parse_version(gnutls_version_str)
# Define gnutls as a system library
conf.SET_TARGET_TYPE('gnutls', 'SYSLIB')
#
# 3.6.10 - 3.6.14 have a severe memory leak with AES-CCM
# https://gitlab.com/gnutls/gnutls/-/merge_requests/1278
-if (parse_version(gnutls_version) > parse_version('3.6.14')):
- conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls')
+if (gnutls_version > parse_version('3.6.10')):
+ if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls'):
+ conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM', 1)
+ if (gnutls_version > parse_version('3.6.14')):
+ conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1)
# Check if gnutls has fips mode support
# gnutls_fips140_mode_enabled() is available since 3.3.0
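Review bot: The version gate is evaluated once at configure time from `pkg-config --modversion`, so the two `ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_*` defines describe the GnuTLS on the build host, not the library loaded at run time. If a binary built against a newer GnuTLS is run against a 3.6.10 - 3.6.14 library, the AES-CCM encryptv2 path with the memory leak would be selected again; whether that can happen depends on how the package pins its GnuTLS dependency. A run-time `gnutls_check_version()` test where `use_encryptv2` is set would close that gap. Separately, the new `> parse_version('3.6.10')` branch has no comment of its own. If it matches the intent, a line such as `# 3.6.10 has a broken gnutls_aead_cipher_encryptv2(); AES-GCM is usable from 3.6.11 on` above it would explain why GCM and CCM are gated differently.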