From 279d31dfa642126ce7670292390e02b2e33ea36e Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Tue, 17 Sep 2019 22:37:06 +0200

Subject: [PATCH 133/187] auth/gensec: fix AES schannel seal and unseal

Workaround bug present in gnutls 3.6.8:

gnutls_cipher_decrypt() uses an optimization

internally that breaks decryption when processing

buffers with their length not being a multiple

of the blocksize.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

(cherry picked from commit f988756599c2f7253989f2ca1dea2975dd89e6ea)

---

 auth/gensec/schannel.c | 47 +++++++++++++++++++++++++++---------------

 selftest/knownfail     |  1 -

 2 files changed, 30 insertions(+), 18 deletions(-)

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c

index 9f2611e5f04..ea2a8b201ce 100644

--- a/auth/gensec/schannel.c

+++ b/auth/gensec/schannel.c

@@ -306,11 +306,6 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,

 				return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);

 			}

-			/*

-			 * Looks like we have to reuse the initial IV which is

-			 * cryptographically wrong!

-			 */

-			gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size);

 			rc = gnutls_cipher_encrypt(cipher_hnd,

 						   data,

 						   length);

@@ -319,26 +314,44 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,

 				return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);

 			}

 		} else {

-			rc = gnutls_cipher_decrypt(cipher_hnd,

-						   confounder,

-						   8);

-			if (rc < 0) {

-				gnutls_cipher_deinit(cipher_hnd);

-				return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);

-			}

 			/*

-			 * Looks like we have to reuse the initial IV which is

-			 * cryptographically wrong!

+			 * Workaround bug present in gnutls 3.6.8:

+			 *

+			 * gnutls_cipher_decrypt() uses an optimization

+			 * internally that breaks decryption when processing

+			 * buffers with their length not being a multiple

+			 * of the blocksize.

 			 */

-			gnutls_cipher_set_iv(cipher_hnd, iv.data, iv.size);

+

+			uint8_t tmp[16] = { 0, };

+			uint32_t tmp_dlength = MIN(length, sizeof(tmp) - 8);

+

+			memcpy(tmp, confounder, 8);

+			memcpy(tmp + 8, data, tmp_dlength);

+

 			rc = gnutls_cipher_decrypt(cipher_hnd,

-						   data,

-						   length);

+						   tmp,

+						   8 + tmp_dlength);

 			if (rc < 0) {

+				ZERO_STRUCT(tmp);

 				gnutls_cipher_deinit(cipher_hnd);

 				return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);

 			}

+

+			memcpy(confounder, tmp, 8);

+			memcpy(data, tmp + 8, tmp_dlength);

+			ZERO_STRUCT(tmp);

+

+			if (length > tmp_dlength) {

+				rc = gnutls_cipher_decrypt(cipher_hnd,

+							   data + tmp_dlength,

+							   length - tmp_dlength);

+				if (rc < 0) {

+					gnutls_cipher_deinit(cipher_hnd);

+					return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);

+				}

+			}

 		}

 		gnutls_cipher_deinit(cipher_hnd);

 #else /* NOT HAVE_GNUTLS_AES_CFB8 */

diff --git a/selftest/knownfail b/selftest/knownfail

index 95db97a44e0..7b54b77a708 100644

--- a/selftest/knownfail

+++ b/selftest/knownfail

@@ -374,4 +374,3 @@

 ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)

 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)

 ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)

-^samba.unittests.schannel.torture_schannel_seal_aes

-- 

2.23.0