Merge pull request #59 from gasbytes/samba-libs

samba-libs and dynamic AAD allocation (AES-GCM)

Author: SparkiDev

.github/workflows/deb.yml

@@ -43,7 +43,7 @@ jobs:
             'CFLAGS=-DWOLFSSL_PUBLIC_ASN -DHAVE_FFDHE_3072 -DHAVE_FFDHE_4096 -DWOLFSSL_DH_EXTRA -DWOLFSSL_PSS_SALT_LEN_DISCOVER -DWOLFSSL_PUBLIC_MP -DWOLFSSL_RSA_KEY_CHECK -DHAVE_FFDHE_Q -DHAVE_FFDHE_6144 -DHAVE_FFDHE_8192 -DWOLFSSL_ECDSA_DETERMINISTIC_K -DWOLFSSL_VALIDATE_ECC_IMPORT -DRSA_MIN_SIZE=1024'
           make -j"$(nproc)"
           sudo make deb
-          sudo dpkg -i libwolfssl_*.deb libwolfssl-dev_*.deb
+          sudo dpkg -i ../libwolfssl_*.deb ../libwolfssl-dev_*.deb ../libwolfssl-dbgsym_*.deb
 
       - name: Build .deb set (gnutls-wolfssl non-FIPS)
         run: dpkg-buildpackage -us -uc -b

.github/workflows/samba-libs.yml

@@ -0,0 +1,102 @@
+name: Samba-libs Test
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build_samba_libs:
+    timeout-minutes: 60
+    strategy:
+      matrix:
+        os: [ ubuntu-latest ]
+        samba_ref: [ 'master' ]
+      fail-fast: false
+    runs-on: ${{ matrix.os }}
+    container:
+      image: debian:bookworm
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up build tool-chain
+        run: |
+          apt-get update
+          apt-get install -y sudo wget build-essential pkg-config \
+               git \
+               libacl1-dev libldap2-dev libpam0g-dev \
+               attr krb5-user dnsutils \
+               gnulib autopoint gperf gtk-doc-tools nettle-dev clang \
+               libtasn1-bin libtasn1-6-dev libunistring-dev libp11-kit-dev libunbound-dev \
+               liblmdb-dev libparse-yapp-perl libgpgme11-dev libjansson-dev libarchive-dev \
+               libdbus-1-dev python3-dnspython python3-markdown libpopt-dev heimdal-dev \
+               libtirpc-dev
+          apt-get install -y \
+             libkrb5-dev libsasl2-dev libssl-dev libcap-dev \
+             libcups2-dev libavahi-client-dev libavahi-common-dev liburing-dev \
+             gdb libgpgme-dev
+          apt-get install -y acl attr autoconf bind9utils bison build-essential \
+               debhelper dnsutils docbook-xml docbook-xsl flex gdb libjansson-dev krb5-user \
+               libacl1-dev libaio-dev libarchive-dev libattr1-dev libblkid-dev libbsd-dev \
+               libcap-dev libcups2-dev libgpgme-dev libjson-perl \
+               libldap2-dev libncurses5-dev libpam0g-dev libparse-yapp-perl \
+               libpopt-dev libreadline-dev nettle-dev perl pkg-config \
+               python3-dev python3-dbg python3-cryptography python3-dnspython python3-gpg python3-markdown \
+               xsltproc zlib1g-dev liblmdb-dev lmdb-utils python3-pyasn1 python3-iso8601
+
+      - name: Restore cached gnutls-wolfssl
+        id: cache-gnutls
+        uses: actions/cache@v4
+        with:
+          path: |
+            /opt/gnutls
+            /opt/wolfssl
+            /opt/wolfssl-gnutls-wrapper
+          key: gnutls-wolfssl-${{ runner.os }}-${{ hashFiles('setup.sh', 'wolfssl-gnutls-wrapper/**', 'wolfssl/**', 'gnutls/**') }}
+          restore-keys: |
+            gnutls-wolfssl-${{ runner.os }}-
+
+      - name: Build GnuTLS with wolfSSL provider using setup.sh script
+        if: steps.cache-gnutls.outputs.cache-hit != 'true'
+        run: |
+          echo "Running setup.sh..."
+          GNUTLS_INSTALL=/opt/gnutls WOLFSSL_INSTALL=/opt/wolfssl ./setup.sh
+
+      - name: Verify provider artefacts exist
+        run: |
+          test -d /opt/wolfssl                   || exit 1
+          test -d /opt/gnutls                    || exit 1
+          test -d /opt/wolfssl-gnutls-wrapper/lib || exit 1
+
+      - name: Clone Samba
+        run: |
+          git clone https://gitlab.com/samba-team/samba.git samba
+          cd samba
+          if [ "${{ matrix.samba_ref }}" != "master" ]; then
+            git checkout ${{ matrix.samba_ref }}
+          fi
+
+      - name: Configure & build Samba-libs
+        working-directory: samba
+        run: |
+          export PKG_CONFIG_PATH="${PKG_CONFIG_PATH:+$PKG_CONFIG_PATH:}/opt/gnutls/lib/pkgconfig"
+          export CPPFLAGS="-I/opt/gnutls/include ${CPPFLAGS:-}"
+          export LDFLAGS="-L/opt/gnutls/lib -L/usr/lib/x86_64-linux-gnu -Wl,-rpath,/opt/gnutls/lib ${LDFLAGS:-}"
+          export LD_LIBRARY_PATH="/opt/gnutls/lib:/usr/lib/x86_64-linux-gnu:${LD_LIBRARY_PATH:-}"
+          ./configure --enable-selftest
+          make -j"$(nproc)"
+
+      - name: Run quick-tests
+        working-directory: samba
+        run: |
+          export PKG_CONFIG_PATH="${PKG_CONFIG_PATH:+$PKG_CONFIG_PATH:}/opt/gnutls/lib/pkgconfig"
+          export CPPFLAGS="-I/opt/gnutls/include ${CPPFLAGS:-}"
+          export LDFLAGS="-L/opt/gnutls/lib -L/usr/lib/x86_64-linux-gnu -Wl,-rpath,/opt/gnutls/lib ${LDFLAGS:-}"
+          export LD_LIBRARY_PATH="/opt/gnutls/lib:/usr/lib/x86_64-linux-gnu:${LD_LIBRARY_PATH:-}"
+          make quicktest -j"$(nproc)"

wolfssl-gnutls-wrapper/src/cipher.c

@@ -31,7 +31,7 @@ enum {
 /** Maximum AES key size. */
 #define MAX_AES_KEY_SIZE    AES_256_KEY_SIZE
 /** Maximum authentication data. */
-#define MAX_AUTH_DATA       1024
+#define MAX_AUTH_DATA       4096
 /** Maximum plaintext to encrypt for GCM  */
 #define MAX_AES_GCM_PLAINTEXT ((1ULL << 36) - 32)
 /** Maximum RSA-PSS signature size */
@@ -82,10 +82,14 @@ struct wolfssl_cipher_ctx {
     size_t iv_size;
 
     /* For GCM mode. */
-    /** Authentication data to use. */
-    unsigned char auth_data[MAX_AUTH_DATA];
-    /** Size of authentication data to use. */
+    /** Authentication data to use (static, maximum 4096 bytes). */
+    unsigned char auth_data_static[MAX_AUTH_DATA];
+    /** Authentication data to use (allocated dynamically). */
+    unsigned char *auth_data_heap;
+    /** Size of authentication data to use (static). */
     size_t auth_data_size;
+    /** Size of authentication data to use (heap). */
+    size_t auth_alloc;
     /** Calculated authentication tag. */
     unsigned char tag[GCM_TAG_SIZE];
     /** Size of calculated authentication tag. */
@@ -240,6 +244,7 @@ int wolfssl_cipher_init(gnutls_cipher_algorithm_t algorithm, void **_ctx,
     ctx->tag_set_ext = 0;
     ctx->algorithm = 0;
     ctx->data_size = 0;
+    ctx->auth_data_heap = NULL;
 
     ctx->algorithm = algorithm;
     ctx->mode = get_cipher_mode(algorithm);
@@ -671,12 +676,47 @@ int wolfssl_cipher_auth(void *_ctx, const void *auth_data,
         return GNUTLS_E_INVALID_REQUEST;
     }
 
-    /* Check authentication data will fit in cache. */
-    if (ctx->auth_data_size + auth_size > sizeof(ctx->auth_data)) {
-        WGW_ERROR("Auth data too big: %ld + %ld > %ld", ctx->auth_data_size,
-            auth_size, sizeof(ctx->auth_data));
-        return GNUTLS_E_SHORT_MEMORY_BUFFER;
-    }
+	/* Check authentication data will fit in the static cache,
+	 * switch to heap if it doesn't. */
+	if (ctx->auth_data_heap == NULL &&
+			ctx->auth_data_size + auth_size > sizeof(ctx->auth_data_static)) {
+		WGW_LOG("Auth data too big: %ld + %ld > %ld", ctx->auth_data_size,
+				auth_size, sizeof(ctx->auth_data_static));
+		WGW_LOG("Switching to dynamic allocation");
+
+		size_t new_sz = sizeof(ctx->auth_data_static);
+		while (new_sz < ctx->auth_data_size + auth_size)
+			new_sz *= 2;
+
+		ctx->auth_data_heap = gnutls_malloc(new_sz);
+		if (!ctx->auth_data_heap) {
+			WGW_ERROR("gnutls_malloc failed for auth_data_heap");
+			return GNUTLS_E_MEMORY_ERROR;
+		}
+		ctx->auth_alloc = new_sz;
+		XMEMCPY(ctx->auth_data_heap, ctx->auth_data_static,
+				ctx->auth_data_size);
+		WGW_LOG("Spilled AAD to heap (%zu bytes)", new_sz);
+	}
+
+	/* We are already storing in the heap, we check
+	 * if we need to grow it. */
+	if (ctx->auth_data_heap &&
+			ctx->auth_data_size + auth_size > ctx->auth_alloc) {
+		WGW_LOG("New auth data too big, reallocating");
+		size_t new_sz = ctx->auth_alloc;
+		while (new_sz < ctx->auth_data_size + auth_size)
+			new_sz *= 2;
+
+		unsigned char *p = gnutls_realloc(ctx->auth_data_heap, new_sz);
+		if (!p) {
+			WGW_ERROR("gnutls_realloc failed for auth_data_heap");
+			return GNUTLS_E_MEMORY_ERROR;
+		}
+		ctx->auth_data_heap = p;
+		ctx->auth_alloc     = new_sz;
+		WGW_LOG("Grew AAD heap to %zu bytes", new_sz);
+	}
 
     /* Streaming must be a multiple of block size except for last. */
     if ((ctx->auth_data_size % AES_BLOCK_SIZE) != 0) {
@@ -685,8 +725,11 @@ int wolfssl_cipher_auth(void *_ctx, const void *auth_data,
     }
 
     /* Store AAD for later use in encrypt/decrypt operations. */
-    XMEMCPY(ctx->auth_data + ctx->auth_data_size, auth_data, auth_size);
-    ctx->auth_data_size += auth_size;
+	unsigned char *dst = ctx->auth_data_heap ?
+		ctx->auth_data_heap : ctx->auth_data_static;
+
+	XMEMCPY(dst + ctx->auth_data_size, auth_data, auth_size);
+	ctx->auth_data_size += auth_size;
 
     WGW_LOG("AAD added successfully");
     return 0;
@@ -751,7 +794,7 @@ int wolfssl_cipher_encrypt(void *_ctx, const void *src, size_t src_size,
         unsigned char* ptr;
         unsigned char* encr;
 
-        WGW_LOG("Caching platintext");
+        WGW_LOG("Caching plaintext");
 
         ctx->enc = 1;
 
@@ -782,11 +825,13 @@ int wolfssl_cipher_encrypt(void *_ctx, const void *src, size_t src_size,
             WGW_ERROR("realloc of gmac data failed");
             return GNUTLS_E_INVALID_REQUEST;
         }
+		unsigned char *aad = ctx->auth_data_heap ?
+			ctx->auth_data_heap : ctx->auth_data_static;
 
         /* Do encryption with the data we have. */
         ret = wc_AesGcmEncrypt(&ctx->cipher.aes_ctx, encr,
             ctx->data, ctx->data_size, ctx->iv, ctx->iv_size,
-            ctx->tag, ctx->tag_size, ctx->auth_data, ctx->auth_data_size);
+            ctx->tag, ctx->tag_size, aad, ctx->auth_data_size);
         if (ret != 0) {
             WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
             gnutls_free(encr);
@@ -894,7 +939,7 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
         unsigned char* ptr;
         unsigned char* decr;
 
-        WGW_LOG("Caching platintext");
+        WGW_LOG("Caching plaintext");
 
         ctx->enc = 1;
 
@@ -922,14 +967,18 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
         }
 
         WGW_LOG("wc_AesGcmDecrypt");
+
+        unsigned char *aad = ctx->auth_data_heap ?
+            ctx->auth_data_heap : ctx->auth_data_static;
+
         /* If caller hasn't set tag then we are creating it. */
         if (!ctx->tag_set_ext) {
             /* Encrypt the ciphertext to get the plaintext.
              * Tag will have been created on plaintext which is of no use.
              */
             ret = wc_AesGcmEncrypt(&ctx->cipher.aes_ctx, decr, ctx->data,
                 ctx->data_size, ctx->iv, ctx->iv_size,
-                ctx->tag, ctx->tag_size, ctx->auth_data, ctx->auth_data_size);
+                ctx->tag, ctx->tag_size, aad, ctx->auth_data_size);
             if (ret != 0) {
                 WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
                 gnutls_free(decr);
@@ -938,7 +987,7 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
             /* Encrypt the plaintext to create the tag. */
             ret = wc_AesGcmEncrypt(&ctx->cipher.aes_ctx, decr, decr,
                 ctx->data_size, ctx->iv, ctx->iv_size,
-                ctx->tag, ctx->tag_size, ctx->auth_data, ctx->auth_data_size);
+                ctx->tag, ctx->tag_size, aad, ctx->auth_data_size);
             if (ret != 0) {
                 WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
                 gnutls_free(decr);
@@ -950,7 +999,7 @@ int wolfssl_cipher_decrypt(void *_ctx, const void *src, size_t src_size,
         /* Do decryption with cipehtext, IV, authentication data and tag. */
         ret = wc_AesGcmDecrypt(&ctx->cipher.aes_ctx, decr,
             ctx->data, ctx->data_size, ctx->iv, ctx->iv_size,
-            ctx->tag, ctx->tag_size, ctx->auth_data, ctx->auth_data_size);
+            ctx->tag, ctx->tag_size, aad, ctx->auth_data_size);
         if (ret != 0) {
             WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
             gnutls_free(decr);
@@ -1044,9 +1093,12 @@ void wolfssl_cipher_tag(void *_ctx, void *tag, size_t tag_size)
         if (ctx->mode == GCM) {
             WGW_LOG("wc_AesGcmEncrypt");
 
+            unsigned char *aad = ctx->auth_data_heap ?
+                ctx->auth_data_heap : ctx->auth_data_static;
+
             /* Do authentication with no plaintext. */
             ret = wc_AesGcmEncrypt(&ctx->cipher.aes_ctx, NULL, NULL, 0, ctx->iv,
-                ctx->iv_size, ctx->tag, ctx->tag_size, ctx->auth_data,
+                ctx->iv_size, ctx->tag, ctx->tag_size, aad,
                 ctx->auth_data_size);
             if (ret != 0) {
                 WGW_WOLFSSL_ERROR("wc_AesGcmEncrypt", ret);
@@ -1264,6 +1316,9 @@ void wolfssl_cipher_deinit(void *_ctx)
         ctx->initialized = 0;
         ctx->enc_initialized = 0;
         ctx->dec_initialized = 0;
+        if (ctx->auth_data_heap) {
+            gnutls_free(ctx->auth_data_heap);
+        }
     }
 
     gnutls_free(ctx);