From 11299ccee304e5632197506689ffbb282b7eb11f Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 10 Sep 2025 10:12:02 +0200
Subject: [PATCH] lib:crypto: Use gnutls_cipher_decrypt3() if possible

Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Fri Sep 26 18:38:57 UTC 2025 on atb-devel-224
---
 .../gnutls_aead_aes_256_cbc_hmac_sha512.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
index 935ca475d8b..97f09f827ba 100644
--- a/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
+++ b/lib/crypto/gnutls_aead_aes_256_cbc_hmac_sha512.c
@@ -313,8 +313,10 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx,
 	uint8_t version_byte = SAMR_AES_VERSION_BYTE;
 	uint8_t version_byte_len = SAMR_AES_VERSION_BYTE_LEN;
 	uint8_t auth_data[hmac_size];
+#ifndef HAVE_GNUTLS_CIPHER_ENCRYPT3
 	uint8_t padding;
 	size_t i;
+#endif
 	NTSTATUS status;
 	bool equal;
 	int rc;
@@ -391,6 +393,20 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx,
 					       NT_STATUS_DECRYPTION_FAILED);
 	}
 
+#ifdef HAVE_GNUTLS_CIPHER_ENCRYPT3
+	rc = gnutls_cipher_decrypt3(cipher_hnd,
+				    ciphertext->data,
+				    ciphertext->length,
+				    pplaintext->data,
+				    &pplaintext->length,
+				    GNUTLS_CIPHER_PADDING_PKCS7);
+	gnutls_cipher_deinit(cipher_hnd);
+	if (rc < 0) {
+		data_blob_clear_free(pplaintext);
+		return gnutls_error_to_ntstatus(rc,
+						NT_STATUS_DECRYPTION_FAILED);
+	}
+#else /* HAVE_GNUTLS_CIPHER_ENCRYPT3 */
 	rc = gnutls_cipher_decrypt2(cipher_hnd,
 				    ciphertext->data,
 				    ciphertext->length,
@@ -430,6 +446,7 @@ samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt(TALLOC_CTX *mem_ctx,
 	}
 
 	pplaintext->length -= padding;
+#endif /* HAVE_GNUTLS_CIPHER_ENCRYPT3 */
 
 	return NT_STATUS_OK;
 }
-- 
2.47.3
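Review bot: The new gnutls_cipher_decrypt3() call in the second hunk passes `&pplaintext->length` as an in/out parameter, so it silently depends on pplaintext->length already holding the buffer capacity when control reaches this point; that assignment is outside the hunk and nothing here documents or checks it. A one-line comment above the call would pin the contract for the next reader, e.g. `/* pplaintext->length is in/out: buffer capacity on entry, unpadded plaintext length on success */`. The guard also tests HAVE_GNUTLS_CIPHER_ENCRYPT3 while the code it enables is decrypt3, which is presumably intentional because the configure check detects both at once, but a short comment on the `#ifdef` saying so would stop someone from "fixing" it later. The enclosing samba_gnutls_aead_aes_256_cbc_hmac_sha512_decrypt() begins before the first hunk and the decrypt2 fallback continues between the second and third hunks.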