Remove rudundent check and fallback for AES CFB8 as we now require GnuTLS 3.6.13

This allows us to remove a lot of conditionally compiled code and so
know with more certaintly that our tests are covering our codepaths.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 872e7d185e68be93209615ccf185bdfb7feaf333..4f5db9fc32ec246da88e1ad62d49106643aff573 100644 (file)
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -35,10 +35,6 @@
 #include "auth/gensec/gensec_toplevel_proto.h"
 #include "libds/common/roles.h"
 
-#ifndef HAVE_GNUTLS_AES_CFB8
-#include "lib/crypto/aes.h"
-#endif
-
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
@@ -150,7 +146,6 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state,
                                  uint8_t seq_num[8])
 {
        if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-#ifdef HAVE_GNUTLS_AES_CFB8
                gnutls_cipher_hd_t cipher_hnd = NULL;
                gnutls_datum_t key = {
                        .data = state->creds->session_key,
@@ -186,17 +181,6 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state *state,
                                                        NT_STATUS_CRYPTO_SYSTEM_INVALID);
                }
 
-#else /* NOT HAVE_GNUTLS_AES_CFB8 */
-               AES_KEY key;
-               uint8_t iv[AES_BLOCK_SIZE];
-
-               AES_set_encrypt_key(state->creds->session_key, 128, &key);
-               ZERO_STRUCT(iv);
-               memcpy(iv+0, checksum, 8);
-               memcpy(iv+8, checksum, 8);
-
-               aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
-#endif /* HAVE_GNUTLS_AES_CFB8 */
        } else {
                static const uint8_t zeros[4];
                uint8_t _sequence_key[16];
@@ -261,7 +245,6 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
                               bool forward)
 {
        if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-#ifdef HAVE_GNUTLS_AES_CFB8
                gnutls_cipher_hd_t cipher_hnd = NULL;
                uint8_t sess_kf0[16] = {0};
                gnutls_datum_t key = {
@@ -354,29 +337,6 @@ static NTSTATUS netsec_do_seal(struct schannel_state *state,
                        }
                }
                gnutls_cipher_deinit(cipher_hnd);
-#else /* NOT HAVE_GNUTLS_AES_CFB8 */
-               AES_KEY key;
-               uint8_t iv[AES_BLOCK_SIZE];
-               uint8_t sess_kf0[16];
-               int i;
-
-               for (i = 0; i < 16; i++) {
-                       sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
-               }
-
-               AES_set_encrypt_key(sess_kf0, 128, &key);
-               ZERO_STRUCT(iv);
-               memcpy(iv+0, seq_num, 8);
-               memcpy(iv+8, seq_num, 8);
-
-               if (forward) {
-                       aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
-                       aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
-               } else {
-                       aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
-                       aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
-               }
-#endif /* HAVE_GNUTLS_AES_CFB8 */
        } else {
                gnutls_cipher_hd_t cipher_hnd;
                uint8_t _sealing_key[16];

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index a7f56e75e9e7568bc4956ef8d56ad0e3afd8fa01..02e6fc6852b084a47a94c4c422c40ea83a6c7395 100644 (file)
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -26,10 +26,6 @@
 #include "../libcli/security/dom_sid.h"
 #include "lib/util/util_str_escape.h"
 
-#ifndef HAVE_GNUTLS_AES_CFB8
-#include "lib/crypto/aes.h"
-#endif
-
 #include "lib/crypto/gnutls_helpers.h"
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
@@ -404,7 +400,6 @@ NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds
                                    uint8_t *data,
                                    size_t len)
 {
-#ifdef HAVE_GNUTLS_AES_CFB8
        gnutls_cipher_hd_t cipher_hnd = NULL;
        gnutls_datum_t key = {
                .data = creds->session_key,
@@ -435,15 +430,6 @@ NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds
                return gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
        }
 
-#else /* NOT HAVE_GNUTLS_AES_CFB8 */
-       AES_KEY key;
-       uint8_t iv[AES_BLOCK_SIZE] = {0};
-
-       AES_set_encrypt_key(creds->session_key, 128, &key);
-
-       aes_cfb8_encrypt(data, data, len, &key, iv, AES_ENCRYPT);
-#endif /* HAVE_GNUTLS_AES_CFB8 */
-
        return NT_STATUS_OK;
 }
 
@@ -452,7 +438,6 @@ NTSTATUS netlogon_creds_aes_encrypt(struct netlogon_creds_CredentialState *creds
 */
 NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len)
 {
-#ifdef HAVE_GNUTLS_AES_CFB8
        gnutls_cipher_hd_t cipher_hnd = NULL;
        gnutls_datum_t key = {
                .data = creds->session_key,
@@ -485,15 +470,6 @@ NTSTATUS netlogon_creds_aes_decrypt(struct netlogon_creds_CredentialState *creds
                                                NT_STATUS_CRYPTO_SYSTEM_INVALID);
        }
 
-#else /* NOT HAVE_GNUTLS_AES_CFB8 */
-       AES_KEY key;
-       uint8_t iv[AES_BLOCK_SIZE] = {0};
-
-       AES_set_encrypt_key(creds->session_key, 128, &key);
-
-       aes_cfb8_encrypt(data, data, len, &key, iv, AES_DECRYPT);
-#endif /* HAVE_GNUTLS_AES_CFB8 */
-
        return NT_STATUS_OK;
 }
 

diff --git a/libcli/auth/tests/test_gnutls.c b/libcli/auth/tests/test_gnutls.c
index da7a3b41dd117c7bfb4de094958da7ae6f51a736..860f8b3f69cda3ee512d2fac30853141e73bc9b7 100644 (file)
--- a/libcli/auth/tests/test_gnutls.c
+++ b/libcli/auth/tests/test_gnutls.c
@@ -30,7 +30,6 @@
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
 
-#if defined(HAVE_GNUTLS_AES_CFB8) && GNUTLS_VERSION_NUMBER > 0x03060a
 static void torture_gnutls_aes_128_cfb_flags(void **state,
                                        const DATA_BLOB session_key,
                                        const DATA_BLOB seq_num_initial,
@@ -132,11 +131,9 @@ static void torture_gnutls_aes_128_cfb_flags(void **state,
        assert_memory_equal(io.data, clear_initial.data, clear_initial.length);
        assert_memory_equal(confounder, confounder_initial.data, confounder_initial.length);
 }
-#endif
 
 static void torture_gnutls_aes_128_cfb(void **state)
 {
-#if defined(HAVE_GNUTLS_AES_CFB8) && GNUTLS_VERSION_NUMBER > 0x03060a
        const uint8_t _session_key[16] = {
                0x8E, 0xE8, 0x27, 0x85, 0x83, 0x41, 0x3C, 0x8D,
                0xC9, 0x54, 0x70, 0x75, 0x8E, 0xC9, 0x69, 0x91
@@ -225,7 +222,6 @@ static void torture_gnutls_aes_128_cfb(void **state)
                                            clear_initial_trunc,
                                            crypt_expected_trunc);
        }
-#endif
 }
 
 static void torture_gnutls_des_crypt56(void **state)

diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index 53c04a2816077c048887c290f5558086998cdd69..36cd7575ea8fb43103d1210a85eb903988cc74b0 100644 (file)
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -64,11 +64,6 @@ conf.CHECK_CODE(fragment,
                 msg='Checking for gnutls fips mode support')
 del os.environ['GNUTLS_FORCE_FIPS_MODE']
 
-if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h', lib='gnutls'):
-    conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
-else:
-    Logs.warn('No gnutls support for AES CFB8')
-
 if conf.CHECK_VALUEOF('GNUTLS_MAC_AES_CMAC_128', headers='gnutls/gnutls.h', lib='gnutls'):
     conf.DEFINE('HAVE_GNUTLS_AES_CMAC', 1)
 else: