The branch, master has been updated via 3522cddf9cf libcli/smb: Remove unused fallback case for ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM from 7c8fbf15b99 build: We don't need SEEKDIR_RETURNS_VOID
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 3522cddf9cf68dd0e2cefa0ee5ed36c4beea0229 Author: Andrew Bartlett <abart...@samba.org> Date: Sat Jul 1 08:02:36 2023 +1200 libcli/smb: Remove unused fallback case for ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM We now require a GnuTLS version that is not impacted for AES-GCM (fixed in 3.6.11, we require 3.6.13). Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Tue Jul 4 07:42:35 UTC 2023 on atb-devel-224 ----------------------------------------------------------------------- Summary of changes: libcli/smb/smb2_signing.c | 70 ----------------------------------------- wscript_configure_system_gnutls | 7 ++--- 2 files changed, 2 insertions(+), 75 deletions(-) Changeset truncated at 500 lines: diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c index 223a1234dcb..83e26ac0c6f 100644 --- a/libcli/smb/smb2_signing.c +++ b/libcli/smb/smb2_signing.c @@ -319,7 +319,6 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t cipher_hnd, { size_t tag_size = _tag_size; int rc; -#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM rc = gnutls_aead_cipher_encryptv2(cipher_hnd, iv, iv_size, @@ -331,58 +330,6 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t cipher_hnd, } return NT_STATUS_OK; -#else /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */ - TALLOC_CTX *tmp_ctx = NULL; - size_t atext_size = 0; - uint8_t *atext = NULL; - size_t len = 0; - size_t i; - - /* - * If we come from python bindings, we don't have a stackframe - * around, so use the NULL context. - * - * This is fine as we make sure we free the memory. - */ - if (talloc_stackframe_exists()) { - tmp_ctx = talloc_tos(); - } - - for (i=0; i < auth_iovcnt; i++) { - atext_size += auth_iov[i].iov_len; - } - - atext = talloc_size(tmp_ctx, atext_size); - if (atext == NULL) { - return NT_STATUS_NO_MEMORY; - } - - for (i = 0; i < auth_iovcnt; i++) { - memcpy(atext + len, - auth_iov[i].iov_base, - auth_iov[i].iov_len); - - len += auth_iov[i].iov_len; - if (len > atext_size) { - TALLOC_FREE(atext); - return NT_STATUS_INTERNAL_ERROR; - } - } - - rc = gnutls_aead_cipher_encrypt(cipher_hnd, - iv, iv_size, - atext, - atext_size, - tag_size, - NULL, 0, - tag, &tag_size); - TALLOC_FREE(atext); - if (rc < 0) { - return gnutls_error_to_ntstatus(rc, NT_STATUS_HMAC_NOT_SUPPORTED); - } - - return NT_STATUS_OK; -#endif /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */ } static NTSTATUS smb2_signing_calc_signature(struct smb2_signing_key *signing_key, @@ -786,9 +733,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, struct iovec *vector, int count) { -#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 bool use_encryptv2 = false; -#endif uint16_t cipher_id; uint8_t *tf; size_t a_total; @@ -839,9 +784,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, case SMB2_ENCRYPTION_AES128_GCM: algo = GNUTLS_CIPHER_AES_128_GCM; iv_size = gnutls_cipher_get_iv_size(algo); -#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM use_encryptv2 = true; -#endif break; case SMB2_ENCRYPTION_AES256_CCM: algo = GNUTLS_CIPHER_AES_256_CCM; @@ -853,9 +796,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, case SMB2_ENCRYPTION_AES256_GCM: algo = GNUTLS_CIPHER_AES_256_GCM; iv_size = gnutls_cipher_get_iv_size(algo); -#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM use_encryptv2 = true; -#endif break; default: return NT_STATUS_INVALID_PARAMETER; @@ -896,7 +837,6 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, 0, 16 - iv_size); -#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 if (use_encryptv2) { uint8_t tag[tag_size]; giovec_t auth_iov[1]; @@ -922,7 +862,6 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key, memcpy(tf + SMB2_TF_SIGNATURE, tag, tag_size); } else -#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ { size_t ptext_size = m_total; uint8_t *ptext = NULL; @@ -1016,9 +955,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, struct iovec *vector, int count) { -#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 bool use_encryptv2 = false; -#endif uint16_t cipher_id; uint8_t *tf; uint16_t flags; @@ -1079,9 +1016,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, case SMB2_ENCRYPTION_AES128_GCM: algo = GNUTLS_CIPHER_AES_128_GCM; iv_size = gnutls_cipher_get_iv_size(algo); -#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM use_encryptv2 = true; -#endif break; case SMB2_ENCRYPTION_AES256_CCM: algo = GNUTLS_CIPHER_AES_256_CCM; @@ -1093,9 +1028,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, case SMB2_ENCRYPTION_AES256_GCM: algo = GNUTLS_CIPHER_AES_256_GCM; iv_size = gnutls_cipher_get_iv_size(algo); -#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM use_encryptv2 = true; -#endif break; default: return NT_STATUS_INVALID_PARAMETER; @@ -1132,8 +1065,6 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, } } -/* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */ -#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 if (use_encryptv2) { giovec_t auth_iov[1]; @@ -1156,7 +1087,6 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key, goto out; } } else -#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */ { size_t ctext_size = m_total + tag_size; uint8_t *ctext = NULL; diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls index 9eb7fa59b8e..9e9abcce17d 100644 --- a/wscript_configure_system_gnutls +++ b/wscript_configure_system_gnutls @@ -32,11 +32,8 @@ conf.SET_TARGET_TYPE('gnutls', 'SYSLIB') # # 3.6.10 - 3.6.14 have a severe memory leak with AES-CCM # https://gitlab.com/gnutls/gnutls/-/merge_requests/1278 -if (gnutls_version > parse_version('3.6.10')): - if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls'): - conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM', 1) - if (gnutls_version > parse_version('3.6.14')): - conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1) +if (gnutls_version > parse_version('3.6.14')): + conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1) # Check if gnutls has fips mode support # gnutls_fips140_mode_enabled() is available since 3.3.0 -- Samba Shared Repository