Provisioning fails on 4.8.0 on FreeBSD

Timur I. Bakeyev timur at
Thu Mar 22 04:27:15 UTC 2018

On 20 March 2018 at 14:37, Timur I. Bakeyev <timur at> wrote:

> Hi, Garming!
> Thanks a lot for the analysis, I'l try to do my best to locate the source
> of this error. But I wouldn't mind if someone else will look there as well
> :)
> On 18 March 2018 at 22:07, Garming Sam <garming at> wrote:
>> Hi,
>> The last time I encountered such an error with GnuTLS, it meant that
>> there needed to be a back-off with the correct size.
>> a) Perform crypto with fixed buffer size which may be too small
>> b) GnuTLS returns too short, but returns the size required
>> c) Resize the buffer to the correct length and retry
>> There might be some assumption we're making about the sizes that is not
>> the same and/or a bug.
>> The gnutls_aead_cipher_encrypt was only recently introduced and should
>> be simple to find. If you want to check if the rest proceeds, past this
>> error, it should also be possible to disable the module, but I would try
>> to see if there is a simple solution to this error first.

> > ERROR(ldb): uncaught exception - gnutls_aead_cipher_encrypt 'failed
>> > GNUTLS_E_SHORT_MEMORY_BUFFER - The given memory buffer is too short to
>> hold
>> > parameters.

Ok, finally I've nailed it. Here is a small, but essential patch, that
fixes the issue.

The key part here, besides mixed up block and tag sizes(both happen to be
16) is
that last parameter must be initialized with the buffer size.


the length of encrypted data (initially must hold the maximum available
size, including space for tag)

Please, review and commit.

With regards,
Timur Bakeyev.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch-source4__dsdb__samdb__ldb_modules__encrypted_secrets.c
Type: application/octet-stream
Size: 832 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list