[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Wed Nov 16 09:59:01 UTC 2022
The branch, master has been updated
via 0fd7b13ebc3 s4:lib:tls: Don't negotiate session resumption with session tickets
from f0ca9546102 s3: smbd: In synthetic_pathref() change DBG_ERR -> DBG_NOTICE to avoid spamming the logs.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0fd7b13ebc38779a18ba4a22f7b17dc2628907cc
Author: Noel Power <noel.power at suse.com>
Date: Fri Nov 4 16:56:49 2022 +0000
s4:lib:tls: Don't negotiate session resumption with session tickets
tls_tstream can't properly handle 'New Session Ticket' messages
sent 'after' the client sends the 'Finished' message.
This is needed because some servers (at least elasticsearch) wait till
they get 'Finished' messgage from the client before sending the
"New Ticket" message.
Without this patch what typcially happens is when the application code
sends data it then tries to read the response, but, instead of the
response to the request it actually recieves the "New Session Ticket"
instead. The "New Session Ticket" message gets processed by the upper layer
logic e.g.
tstream_tls_readv_send
->tstream_tls_readv_crypt_next
->tstream_tls_retry_read
->gnutls_record_recv
instead of the core gnutls routines.
This results in the response processing failing due to the
currently 'unexpected' New Ticket message.
In order to avoid this scenario we can ensure the client doesn't
negotiate resumption with session tickets.
Signed-off-by: Noel Power <noel.power at suse.com>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Wed Nov 16 09:58:45 UTC 2022 on sn-devel-184
-----------------------------------------------------------------------
Summary of changes:
source4/lib/tls/tls_tstream.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
Changeset truncated at 500 lines:
diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c
index d984addeec5..f1bfe474d6e 100644
--- a/source4/lib/tls/tls_tstream.c
+++ b/source4/lib/tls/tls_tstream.c
@@ -995,6 +995,7 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
const char *error_pos;
struct tstream_tls *tlss;
int ret;
+ unsigned int flags = GNUTLS_CLIENT;
req = tevent_req_create(mem_ctx, &state,
struct tstream_tls_connect_state);
@@ -1028,7 +1029,18 @@ struct tevent_req *_tstream_tls_connect_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- ret = gnutls_init(&tlss->tls_session, GNUTLS_CLIENT);
+#ifdef GNUTLS_NO_TICKETS
+ /*
+ * tls_tstream can't properly handle 'New Session Ticket' messages
+ * sent 'after' the client sends the 'Finished' message.
+ * GNUTLS_NO_TICKETS was introduced in GnuTLS 3.5.6. This flag is to
+ * indicate the session Flag session should not use resumption with
+ * session tickets.
+ */
+ flags |= GNUTLS_NO_TICKETS;
+#endif
+
+ ret = gnutls_init(&tlss->tls_session, flags);
if (ret != GNUTLS_E_SUCCESS) {
DEBUG(0,("TLS %s - %s\n", __location__, gnutls_strerror(ret)));
tevent_req_error(req, EINVAL);
--
Samba Shared Repository
More information about the samba-cvs
mailing list