lib:crypto: Use gnutls_cipher_decrypt3() if possible
authorAndreas Schneider <asn@samba.org>
Wed, 10 Sep 2025 08:12:02 +0000 (10:12 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Fri, 26 Sep 2025 18:38:57 +0000 (18:38 +0000)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Sep 26 18:38:57 UTC 2025 on atb-devel-224

lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c

index 935ca475d8b88e43badcd90e80e3ce1b52244ffd..97f09f827ba621bfa68ca6c137e6cd5861043f33 100644 (file)
@@ -313,8 +313,10 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx,
        uint8_t version_byte = SAMR_AES_VERSION_BYTE;
        uint8_t version_byte_len = SAMR_AES_VERSION_BYTE_LEN;
        uint8_t auth_data[hmac_size];
+#ifndef HAVE_GNUTLS_CIPHER_ENCRYPT3
        uint8_t padding;
        size_t i;
+#endif
        NTSTATUS status;
        bool equal;
        int rc;
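Review bot: The guard `#ifndef HAVE_GNUTLS_CIPHER_ENCRYPT3` around `padding` and `i` is keyed on the encrypt3 probe, while the branch it pairs with in the next hunk calls `gnutls_cipher_decrypt3()`. If the build only probes for the encrypt function, a short comment at this first guard would make the dependency explicit, e.g. `/* gnutls_cipher_decrypt3() is assumed to be available whenever gnutls_cipher_encrypt3() is */`; a dedicated decrypt3 probe would be the cleaner key. The same macro is reused at the `#ifdef`, `#else` and `#endif` lines of the two following hunks. The function body starts and ends outside this hunk.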
@@ -391,6 +393,20 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx,
                                                NT_STATUS_DECRYPTION_FAILED);
        }
 
+#ifdef HAVE_GNUTLS_CIPHER_ENCRYPT3
+       rc = gnutls_cipher_decrypt3(cipher_hnd,
+                                   ciphertext->data,
+                                   ciphertext->length,
+                                   pplaintext->data,
+                                   &pplaintext->length,
+                                   GNUTLS_CIPHER_PADDING_PKCS7);
+       gnutls_cipher_deinit(cipher_hnd);
+       if (rc < 0) {
+               data_blob_clear_free(pplaintext);
+               return gnutls_error_to_ntstatus(rc,
+                                               NT_STATUS_DECRYPTION_FAILED);
+       }
+#else /* HAVE_GNUTLS_CIPHER_ENCRYPT3 */
        rc = gnutls_cipher_decrypt2(cipher_hnd,
                                    ciphertext->data,
                                    ciphertext->length,
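Review bot: `gnutls_cipher_decrypt3()` treats `&pplaintext->length` as an in/out value, so the new branch depends on `pplaintext->length` still holding the allocated buffer size at this call, and that assignment is outside the hunk. A comment above the call would record the contract, e.g. `/* in: size of pplaintext->data, out: plaintext length with PKCS#7 padding stripped */`. Because padding validation is now delegated to GnuTLS, it is worth confirming that the HMAC comparison (the `equal` local declared earlier in the function) has already rejected unauthenticated ciphertext before this point, so that a padding failure cannot be told apart from a MAC failure by the peer. That ordering is not visible in the lines shown here.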
@@ -430,6 +446,7 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx,
        }
 
        pplaintext->length -= padding;
+#endif /* HAVE_GNUTLS_CIPHER_ENCRYPT3 */
 
        return NT_STATUS_OK;
 }