From 8b5c3ae97f0e30e8df78e81c53b4ba02365a299d Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Fri, 23 Aug 2019 09:12:21 +0200

Subject: [PATCH 137/187] libcli:smb: Use gnutls_aead_cipher_decryptv2() for

 AES GCM or CCM

This is a new call which has been added with GnuTLS 3.6.10 and will

recuduce memory allocations and copying of data.

Signed-off-by: Andreas Schneider <asn@samba.org>

Reviewed-by: Simo Sorce <idra@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>

Autobuild-Date(master): Tue Oct  8 14:12:44 UTC 2019 on sn-devel-184

(cherry picked from commit 4a24d9499757dea377b4e3d8beb7f2c10fd5c5d0)

---

 libcli/smb/smb2_signing.c | 29 +++++++++++++++++++++++++++--

 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c

index ac0f6f4d29f..166ab9d83ff 100644

--- a/libcli/smb/smb2_signing.c

+++ b/libcli/smb/smb2_signing.c

@@ -588,13 +588,12 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,

 {

 	uint8_t *tf;

 	uint16_t flags;

-	int i;

 	size_t a_total;

 	ssize_t m_total;

 	uint32_t msg_size = 0;

 	uint32_t iv_size = 0;

 	uint32_t key_size = 0;

-	uint32_t tag_size = 0;

+	size_t tag_size = 0;

 	uint8_t _key[16] = {0};

 	gnutls_cipher_algorithm_t algo = 0;

 	gnutls_datum_t key;

@@ -680,12 +679,37 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,

 		}

 	}

+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2

+	{

+		giovec_t auth_iov[1];

+

+		auth_iov[0] = (giovec_t) {

+			.iov_base = tf + SMB2_TF_NONCE,

+			.iov_len  = a_total,

+		};

+

+		rc = gnutls_aead_cipher_decryptv2(decryption_key->cipher_hnd,

+						  iv.data,

+						  iv.size,

+						  auth_iov,

+						  1,

+						  &vector[1],

+						  count - 1,

+						  tf + SMB2_TF_SIGNATURE,

+						  tag_size);

+		if (rc < 0) {

+			status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);

+			goto out;

+		}

+	}

+#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */

 	{

 		size_t ctext_size = m_total + tag_size;

 		uint8_t *ctext = NULL;

 		size_t ptext_size = m_total;

 		uint8_t *ptext = NULL;

 		size_t len = 0;

+		int i;

 		/* GnuTLS doesn't have a iovec API for decryption yet */

@@ -751,6 +775,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,

 		TALLOC_FREE(ptext);

 		TALLOC_FREE(ctext);

 	}

+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */

 	DBG_INFO("Decrypted SMB2 message\n");

-- 

2.23.0