The branch, master has been updated
via 3522cddf9cf libcli/smb: Remove unused fallback case for
ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
from 7c8fbf15b99 build: We don't need SEEKDIR_RETURNS_VOID
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 3522cddf9cf68dd0e2cefa0ee5ed36c4beea0229
Author: Andrew Bartlett <abart...@samba.org>
Date: Sat Jul 1 08:02:36 2023 +1200
libcli/smb: Remove unused fallback case for
ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
We now require a GnuTLS version that is not impacted for AES-GCM
(fixed in 3.6.11, we require 3.6.13).
Signed-off-by: Andrew Bartlett <abart...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
Autobuild-Date(master): Tue Jul 4 07:42:35 UTC 2023 on atb-devel-224
-----------------------------------------------------------------------
Summary of changes:
libcli/smb/smb2_signing.c | 70 -----------------------------------------
wscript_configure_system_gnutls | 7 ++---
2 files changed, 2 insertions(+), 75 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 223a1234dcb..83e26ac0c6f 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -319,7 +319,6 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t
cipher_hnd,
{
size_t tag_size = _tag_size;
int rc;
-#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
rc = gnutls_aead_cipher_encryptv2(cipher_hnd,
iv, iv_size,
@@ -331,58 +330,6 @@ static NTSTATUS smb2_signing_gmac(gnutls_aead_cipher_hd_t
cipher_hnd,
}
return NT_STATUS_OK;
-#else /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */
- TALLOC_CTX *tmp_ctx = NULL;
- size_t atext_size = 0;
- uint8_t *atext = NULL;
- size_t len = 0;
- size_t i;
-
- /*
- * If we come from python bindings, we don't have a stackframe
- * around, so use the NULL context.
- *
- * This is fine as we make sure we free the memory.
- */
- if (talloc_stackframe_exists()) {
- tmp_ctx = talloc_tos();
- }
-
- for (i=0; i < auth_iovcnt; i++) {
- atext_size += auth_iov[i].iov_len;
- }
-
- atext = talloc_size(tmp_ctx, atext_size);
- if (atext == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- for (i = 0; i < auth_iovcnt; i++) {
- memcpy(atext + len,
- auth_iov[i].iov_base,
- auth_iov[i].iov_len);
-
- len += auth_iov[i].iov_len;
- if (len > atext_size) {
- TALLOC_FREE(atext);
- return NT_STATUS_INTERNAL_ERROR;
- }
- }
-
- rc = gnutls_aead_cipher_encrypt(cipher_hnd,
- iv, iv_size,
- atext,
- atext_size,
- tag_size,
- NULL, 0,
- tag, &tag_size);
- TALLOC_FREE(atext);
- if (rc < 0) {
- return gnutls_error_to_ntstatus(rc,
NT_STATUS_HMAC_NOT_SUPPORTED);
- }
-
- return NT_STATUS_OK;
-#endif /* ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM */
}
static NTSTATUS smb2_signing_calc_signature(struct smb2_signing_key
*signing_key,
@@ -786,9 +733,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key
*encryption_key,
struct iovec *vector,
int count)
{
-#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
bool use_encryptv2 = false;
-#endif
uint16_t cipher_id;
uint8_t *tf;
size_t a_total;
@@ -839,9 +784,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key
*encryption_key,
case SMB2_ENCRYPTION_AES128_GCM:
algo = GNUTLS_CIPHER_AES_128_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
-#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
use_encryptv2 = true;
-#endif
break;
case SMB2_ENCRYPTION_AES256_CCM:
algo = GNUTLS_CIPHER_AES_256_CCM;
@@ -853,9 +796,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key
*encryption_key,
case SMB2_ENCRYPTION_AES256_GCM:
algo = GNUTLS_CIPHER_AES_256_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
-#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
use_encryptv2 = true;
-#endif
break;
default:
return NT_STATUS_INVALID_PARAMETER;
@@ -896,7 +837,6 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key
*encryption_key,
0,
16 - iv_size);
-#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
if (use_encryptv2) {
uint8_t tag[tag_size];
giovec_t auth_iov[1];
@@ -922,7 +862,6 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key
*encryption_key,
memcpy(tf + SMB2_TF_SIGNATURE, tag, tag_size);
} else
-#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
{
size_t ptext_size = m_total;
uint8_t *ptext = NULL;
@@ -1016,9 +955,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key
*decryption_key,
struct iovec *vector,
int count)
{
-#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
bool use_encryptv2 = false;
-#endif
uint16_t cipher_id;
uint8_t *tf;
uint16_t flags;
@@ -1079,9 +1016,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key
*decryption_key,
case SMB2_ENCRYPTION_AES128_GCM:
algo = GNUTLS_CIPHER_AES_128_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
-#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
use_encryptv2 = true;
-#endif
break;
case SMB2_ENCRYPTION_AES256_CCM:
algo = GNUTLS_CIPHER_AES_256_CCM;
@@ -1093,9 +1028,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key
*decryption_key,
case SMB2_ENCRYPTION_AES256_GCM:
algo = GNUTLS_CIPHER_AES_256_GCM;
iv_size = gnutls_cipher_get_iv_size(algo);
-#ifdef ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM
use_encryptv2 = true;
-#endif
break;
default:
return NT_STATUS_INVALID_PARAMETER;
@@ -1132,8 +1065,6 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key
*decryption_key,
}
}
-/* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */
-#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
if (use_encryptv2) {
giovec_t auth_iov[1];
@@ -1156,7 +1087,6 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key
*decryption_key,
goto out;
}
} else
-#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
{
size_t ctext_size = m_total + tag_size;
uint8_t *ctext = NULL;
diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index 9eb7fa59b8e..9e9abcce17d 100644
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -32,11 +32,8 @@ conf.SET_TARGET_TYPE('gnutls', 'SYSLIB')
#
# 3.6.10 - 3.6.14 have a severe memory leak with AES-CCM
# https://gitlab.com/gnutls/gnutls/-/merge_requests/1278
-if (gnutls_version > parse_version('3.6.10')):
- if conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls'):
- conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_GCM', 1)
- if (gnutls_version > parse_version('3.6.14')):
- conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1)
+if (gnutls_version > parse_version('3.6.14')):
+ conf.DEFINE('ALLOW_GNUTLS_AEAD_CIPHER_ENCRYPTV2_AES_CCM', 1)
# Check if gnutls has fips mode support
# gnutls_fips140_mode_enabled() is available since 3.3.0
--
Samba Shared Repository
