libcli:smb: Use gnutls_aead_cipher_decryptv2() for AES GCM or CCM

This is a new call which has been added with GnuTLS 3.6.10 and will
recuduce memory allocations and copying of data.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Oct  8 14:12:44 UTC 2019 on sn-devel-184

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index ac0f6f4d29fb29b7ecb18c59f08398d82378a3de..166ab9d83ffbee7509caec1245b09013f4b9abc2 100644 (file)
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -588,13 +588,12 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
 {
        uint8_t *tf;
        uint16_t flags;
-       int i;
        size_t a_total;
        ssize_t m_total;
        uint32_t msg_size = 0;
        uint32_t iv_size = 0;
        uint32_t key_size = 0;
-       uint32_t tag_size = 0;
+       size_t tag_size = 0;
        uint8_t _key[16] = {0};
        gnutls_cipher_algorithm_t algo = 0;
        gnutls_datum_t key;
@@ -680,12 +679,37 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
                }
        }
 
+#ifdef HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2
+       {
+               giovec_t auth_iov[1];
+
+               auth_iov[0] = (giovec_t) {
+                       .iov_base = tf + SMB2_TF_NONCE,
+                       .iov_len  = a_total,
+               };
+
+               rc = gnutls_aead_cipher_decryptv2(decryption_key->cipher_hnd,
+                                                 iv.data,
+                                                 iv.size,
+                                                 auth_iov,
+                                                 1,
+                                                 &vector[1],
+                                                 count - 1,
+                                                 tf + SMB2_TF_SIGNATURE,
+                                                 tag_size);
+               if (rc < 0) {
+                       status = gnutls_error_to_ntstatus(rc, NT_STATUS_INTERNAL_ERROR);
+                       goto out;
+               }
+       }
+#else /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
        {
                size_t ctext_size = m_total + tag_size;
                uint8_t *ctext = NULL;
                size_t ptext_size = m_total;
                uint8_t *ptext = NULL;
                size_t len = 0;
+               int i;
 
                /* GnuTLS doesn't have a iovec API for decryption yet */
 
@@ -751,6 +775,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
                TALLOC_FREE(ptext);
                TALLOC_FREE(ctext);
        }
+#endif /* HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2 */
 
        DBG_INFO("Decrypted SMB2 message\n");