libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt(...

author Stefan Metzmacher <metze@samba.org>

Mon, 31 Jan 2022 19:33:43 +0000 (20:33 +0100)

committer Stefan Metzmacher <metze@samba.org>

Wed, 2 Feb 2022 18:29:08 +0000 (18:29 +0000)
author Stefan Metzmacher <metze@samba.org>
Mon, 31 Jan 2022 19:33:43 +0000 (20:33 +0100)
committer Stefan Metzmacher <metze@samba.org>
Wed, 2 Feb 2022 18:29:08 +0000 (18:29 +0000)
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c

index b6add1b5c280d556364465053b60711bab8e5d91..6efb87801cb3f417c022229fdc61e19636126e25 100644 (file)
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -1257,6 +1257,21 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
                         status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
                         goto out;
                 }
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG
+               /*
+                * Note that gnutls before 3.5.2 had a bug and returned
+                * *ptext_len = ctext_len, instead of
+                * *ptext_len = ctext_len - tag_size
+                */
+               if (ptext_size != ctext_size) {
+                       TALLOC_FREE(ptext);
+                       TALLOC_FREE(ctext);
+                       rc = GNUTLS_E_SHORT_MEMORY_BUFFER;
+                       status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
+                       goto out;
+               }
+               ptext_size -= tag_size;
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG */
                 if (ptext_size != m_total) {
                         TALLOC_FREE(ptext);
                         TALLOC_FREE(ctext);
diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls

index 62fe3d5ddda40bfd6301d621f36ca675f1de728e..c6eb9df7b642127cc90f805c8184062b7bb0e642 100644 (file)
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -44,6 +44,9 @@ if (gnutls_version > parse_version('3.6.10')):
          if (gnutls_version > parse_version('3.6.14')):
              conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1)
  
+if (gnutls_version < parse_version('3.5.2')):
+    conf.DEFINE('HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG', 1)
+
  # Check if gnutls has fips mode support
  # gnutls_fips140_mode_enabled() is available since 3.3.0
  fragment = '''
author	Stefan Metzmacher <metze@samba.org>
	Mon, 31 Jan 2022 19:33:43 +0000 (20:33 +0100)
committer	Stefan Metzmacher <metze@samba.org>
	Wed, 2 Feb 2022 18:29:08 +0000 (18:29 +0000)
libcli/smb/smb2_signing.c		patch \| blob \| history
wscript_configure_system_gnutls		patch \| blob \| history