libcli/smb: let smb2_signing_decrypt_pdu() cope with gnutls_aead_cipher_decrypt(...

The initial implementation of gnutls_aead_cipher_decrypt() had a bug and
used:
    *ptext_len = ctext_len;
instead of:
    *ptext_len = ctext_len - tag_size;

This got fixed with gnutls 3.5.2.

As we only require gnutls 3.4.7 we need to cope with this...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14968

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Feb  2 18:29:08 UTC 2022 on sn-devel-184

(cherry picked from commit 735f3d7dde3daf5d0af2e8a1de60422b88663992)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Mon Feb 14 10:34:10 UTC 2022 on sn-devel-184

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index c808f0bda155e69977dad44f0f2d86c46befce92..7411a3314aab0a03142b1148fab805753669fb95 100644 (file)
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -779,6 +779,21 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
                        status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
                        goto out;
                }
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG
+               /*
+                * Note that gnutls before 3.5.2 had a bug and returned
+                * *ptext_len = ctext_len, instead of
+                * *ptext_len = ctext_len - tag_size
+                */
+               if (ptext_size != ctext_size) {
+                       TALLOC_FREE(ptext);
+                       TALLOC_FREE(ctext);
+                       rc = GNUTLS_E_SHORT_MEMORY_BUFFER;
+                       status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
+                       goto out;
+               }
+               ptext_size -= tag_size;
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG */
                if (ptext_size != m_total) {
                        TALLOC_FREE(ptext);
                        TALLOC_FREE(ctext);

diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index 2ec217fb9dc57806f1ef12988482473e9e171461..64f39b6a1def224cd8210528cd71d229d7317ff7 100644 (file)
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -35,6 +35,9 @@ conf.CHECK_FUNCS_IN('gnutls_set_default_priority_append', 'gnutls')
 if (parse_version(gnutls_version) > parse_version('3.6.14')):
     conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls')
 
+if (parse_version(gnutls_version) < parse_version('3.5.2')):
+    conf.DEFINE('HAVE_GNUTLS_AEAD_CIPHER_DECRYPT_PTEXT_LEN_BUG', 1)
+
 # Check if we have support for crypto policies
 if conf.CHECK_FUNCS_IN('gnutls_get_system_config_file', 'gnutls'):
     conf.DEFINE('HAVE_GNUTLS_CRYPTO_POLICIES', 1)