From 51428329cc78c3c7e051c41f55f07daa1ed1f9c1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 24 Jan 2020 16:34:42 +0100
Subject: [PATCH] libcli:smb: Improve check for
 gnutls_aead_cipher_(en|de)cryptv2

This is available since version 3.6.10, but 3.6.10 has a bug which got fixed
in 3.6.11, see:

    https://gitlab.com/gnutls/gnutls/-/merge_requests/1085

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14250

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Feb  4 06:44:00 UTC 2020 on sn-devel-184

(cherry picked from commit d459ca04fc46a52276a860e73ae9ec8f813c260e)
---
 libcli/smb/smb2_signing.c       |  7 ++-----
 wscript_configure_system_gnutls | 15 +++++++++++++--
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/libcli/smb/smb2_signing.c b/libcli/smb/smb2_signing.c
index 7561a7a858d..7b33a42526e 100644
--- a/libcli/smb/smb2_signing.c
+++ b/libcli/smb/smb2_signing.c
@@ -478,9 +478,7 @@ NTSTATUS smb2_signing_encrypt_pdu(struct smb2_signing_key *encryption_key,
 	       0,
 	       16 - iv_size);
 
-/* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */
-#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2) && \
-    GNUTLS_VERSION_NUMBER > 0x03060a
+#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2)
 	{
 		uint8_t tag[tag_size];
 		giovec_t auth_iov[1];
@@ -682,8 +680,7 @@ NTSTATUS smb2_signing_decrypt_pdu(struct smb2_signing_key *decryption_key,
 	}
 
 /* gnutls_aead_cipher_encryptv2() has a bug in version 3.6.10 */
-#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2) && \
-    GNUTLS_VERSION_NUMBER > 0x03060a
+#if defined(HAVE_GNUTLS_AEAD_CIPHER_ENCRYPTV2)
 	{
 		giovec_t auth_iov[1];
 
diff --git a/wscript_configure_system_gnutls b/wscript_configure_system_gnutls
index f6d9ac3c65e..b2b955f3c90 100644
--- a/wscript_configure_system_gnutls
+++ b/wscript_configure_system_gnutls
@@ -1,5 +1,8 @@
 from waflib import Options
 
+def parse_version(v):
+    return tuple(map(int, (v.split("."))))
+
 gnutls_min_required_version = "3.4.7"
 
 gnutls_required_version = gnutls_min_required_version
@@ -9,14 +12,22 @@ conf.CHECK_CFG(package='gnutls',
                      msg='Checking for GnuTLS >= %s' % gnutls_required_version,
                      mandatory=True)
 
+gnutls_version = conf.cmd_and_log(conf.env.PKGCONFIG + ['--modversion', 'gnutls']).strip()
+
 # Define gnutls as a system library
 conf.SET_TARGET_TYPE('gnutls', 'SYSLIB')
 
 # Check for gnutls_pkcs7_get_embedded_data_oid (>= 3.5.5) required by libmscat
 conf.CHECK_FUNCS_IN('gnutls_pkcs7_get_embedded_data_oid', 'gnutls')
 
-# Check for gnutls_aead_cipher_encryptv2 (>= 3.6.10)
-conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls')
+# Check for gnutls_aead_cipher_encryptv2
+#
+# This is available since version 3.6.10, but 3.6.10 has a bug which got fixed
+# in 3.6.11, see:
+#
+#     https://gitlab.com/gnutls/gnutls/-/merge_requests/1085
+if (parse_version('3.6.10') != parse_version(gnutls_version)):
+    conf.CHECK_FUNCS_IN('gnutls_aead_cipher_encryptv2', 'gnutls')
 
 if conf.CHECK_VALUEOF('GNUTLS_CIPHER_AES_128_CFB8', headers='gnutls/gnutls.h'):
     conf.DEFINE('HAVE_GNUTLS_AES_CFB8', 1)
-- 
2.25.0