[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Wed Nov 16 09:59:01 UTC 2022


The branch, master has been updated
       via  0fd7b13ebc3 s4:lib:tls: Don't negotiate session resumption with session tickets
      from  f0ca9546102 s3: smbd: In synthetic_pathref() change DBG_ERR -> DBG_NOTICE to avoid spamming the logs.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 0fd7b13ebc38779a18ba4a22f7b17dc2628907cc
Author: Noel Power <noel.power at suse.com>
Date:   Fri Nov 4 16:56:49 2022 +0000

    s4:lib:tls: Don't negotiate session resumption with session tickets
    
    tls_tstream can't properly handle 'New Session Ticket' messages
    sent 'after' the client sends the 'Finished' message.
    
    This is needed because some servers (at least elasticsearch) wait till
    they get 'Finished' message from the client before sending the
    "New Ticket" message.
    
    Without this patch what typically happens is when the application code
    sends data it then tries to read the response, but, instead of the
    response to the request it actually receives the "New Session Ticket"
    instead. The "New Session Ticket" message gets processed by the upper layer
    logic e.g.
       tstream_tls_readv_send
           ->tstream_tls_readv_crypt_next
               ->tstream_tls_retry_read
                   ->gnutls_record_recv
    
    instead of the core gnutls routines.
    
    This results in the response processing failing due to the
    currently 'unexpected' New Ticket message.
    
    In order to avoid this scenario we can ensure the client doesn't
    negotiate resumption with session tickets.
    
    Signed-off-by: Noel Power <noel.power at suse.com>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Wed Nov 16 09:58:45 UTC 2022 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 source4/lib/tls/tls_tstream.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)


Changeset truncated at 500 lines:

diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index d984addeec5..f1bfe474d6e 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -995,6 +995,7 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
 	const char *error_pos;
 	struct tstream_tls *tlss;
 	int ret;
+	unsigned int flags = GNUTLS_CLIENT;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct tstream_tls_connect_state);
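Review bot: `flags` is declared and initialised to `GNUTLS_CLIENT` at the top of `_tstream_tls_connect_send()` but its only consumer is the `gnutls_init()` call much further down; consider moving the declaration next to the `#ifdef GNUTLS_NO_TICKETS` block so the default value and the optional `GNUTLS_NO_TICKETS` bit are read together. The type matches the `unsigned int flags` parameter of `gnutls_init()`, so the previous behaviour is preserved when no extra bit is set.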
@@ -1028,7 +1029,18 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	ret = gnutls_init(&tlss->tls_session, GNUTLS_CLIENT);
+#ifdef GNUTLS_NO_TICKETS
+	/*
+	 * tls_tstream can't properly handle 'New Session Ticket' messages
+	 * sent 'after' the client sends the 'Finished' message.
+	 * GNUTLS_NO_TICKETS was introduced in GnuTLS 3.5.6.  This flag is to
+	 * indicate the session Flag session should not use resumption with
+	 * session tickets.
+	 */
+	flags |= GNUTLS_NO_TICKETS;
+#endif
+
+	ret = gnutls_init(&tlss->tls_session, flags);
 	if (ret != GNUTLS_E_SUCCESS) {
 		DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
 		tevent_req_error(req, EINVAL);
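Review bot: the comment line `+	 * indicate the session Flag session should not use resumption with` reads as a garbled paste (the duplicated "session Flag session"); suggest `* This flag indicates the session should not use resumption with session tickets.` It would also help to state in the same comment that when `GNUTLS_NO_TICKETS` is not defined (GnuTLS older than 3.5.6) the `#ifdef` silently keeps the old behaviour, so the post-Finished "New Session Ticket" problem described in the commit message still applies on such builds and nothing warns about it.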


-- 
Samba Shared Repository


