Bug 13352 - gnutls_aead_cipher_encrypt used for encrypted secrets can fail with short buffer
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.8.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2018-03-22 21:27 UTC by Garming Sam
Modified: 2018-04-10 07:30 UTC

Pass allocated buffer size as the last parameter to the gnutls_aead_cipher_encrypt() (1.46 KB, patch)
2018-03-22 21:36 UTC, Timur Bakeyev
Backport for 4.8 (1.79 KB, patch)
2018-03-25 20:59 UTC, Garming Sam
garming: review? (abartlet)
gary: review+

Description Garming Sam 2018-03-22 21:27:24 UTC
Discovered by Timur Bakeyev, when building on FreeBSD.

Administrator password will be set randomly!
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint
on local domainSIDs

Adding DomainDN: DC=domain,DC=freebsd
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - gnutls_aead_cipher_encrypt 'failed
GNUTLS_E_SHORT_MEMORY_BUFFER - The given memory buffer is too short to hold

  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 500, in run
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
line 2276, in provision
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1870, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1524, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/lib/python2.7/site-packages/samba/provision/common.py",
line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/lib/python2.7/site-packages/samba/__init__.py", line
229, in add_ldif
    self.add(msg, controls)
Comment 1 Garming Sam 2018-03-22 21:28:39 UTC
There appears to have been a mix-up in the block and tag sizes.
Comment 2 Garming Sam 2018-03-22 21:32:59 UTC
(In reply to Garming Sam from comment #1)

And the correct buffer size needed to be sent to the gnutls_aead_cipher_encrypt function.
Comment 3 Timur Bakeyev 2018-03-22 21:36:43 UTC
Created attachment 14075
Pass allocated buffer size as the last parameter to the gnutls_aead_cipher_encrypt()
Comment 4 Timur Bakeyev 2018-03-22 21:42:02 UTC
(In reply to Garming Sam from comment #1)

Dumping those values showed that coincidentally both tag and block sizes are 16 bytes, which possibly explained why it wasn't noticed immediately. But for large enough blocks of data (in the given example it's a machine password, which can be up to 512 bytes, and the total allocated buffer exceeded 2Kb) the last call parameter has to be properly initialized with the buffer size. For small chunks of data, it seems, the default value of 0 was good enough.
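The in/out length contract discussed in comments 2 and 4, as an added example that is not part of the bug report and is not Samba or GnuTLS code. `model_aead_encrypt` is a hypothetical stand-in that enforces the capacity check for every input size and does no real encryption; `encrypt_secret`, the error value and the 512-byte secret are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAG_SIZE 16                      /* tag size reported in comment 4 */
#define MODEL_E_SHORT_MEMORY_BUFFER (-1) /* constructed stand-in error code */

/* Hypothetical stand-in for an AEAD encrypt call with an in/out length:
 * on entry *ctext_len is the capacity of ctext; on success it becomes the
 * number of bytes written (plaintext + tag). No real cryptography here. */
int model_aead_encrypt(const uint8_t *ptext, size_t ptext_len,
                       uint8_t *ctext, size_t *ctext_len)
{
    if (*ctext_len < ptext_len + TAG_SIZE)
        return MODEL_E_SHORT_MEMORY_BUFFER;
    memcpy(ctext, ptext, ptext_len);           /* placeholder ciphertext */
    memset(ctext + ptext_len, 0xA5, TAG_SIZE); /* placeholder tag */
    *ctext_len = ptext_len + TAG_SIZE;
    return 0;
}

/* Allocates plaintext + tag bytes and encrypts into that buffer. With
 * set_capacity == 0 the length variable stays at 0 (the pattern in the
 * report); otherwise it carries the allocation size (the fix). */
int encrypt_secret(const uint8_t *secret, size_t secret_len,
                   int set_capacity, size_t *written)
{
    size_t alloc = secret_len + TAG_SIZE;
    size_t ctext_len = set_capacity ? alloc : 0; /* in: capacity of buf */
    uint8_t *buf = malloc(alloc);
    int rc;
    *written = 0;
    if (buf == NULL)
        return -2;                               /* constructed alloc error */
    rc = model_aead_encrypt(secret, secret_len, buf, &ctext_len);
    if (rc == 0)
        *written = ctext_len;                    /* out: bytes produced */
    free(buf);
    return rc;
}

int main(void)
{
    uint8_t secret[512] = {0};                   /* constructed secret */
    size_t n;
    int unset = encrypt_secret(secret, sizeof(secret), 0, &n);
    int sized = encrypt_secret(secret, sizeof(secret), 1, &n);
    printf("unset rc=%d, sized rc=%d len=%zu\n", unset, sized, n);
}
```

The buffer is the same size in both calls; only the value stored in the length variable before the call differs.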
Comment 5 Garming Sam 2018-03-25 20:59:11 UTC
Created attachment 14081
Backport for 4.8
Comment 6 Karolin Seeger 2018-04-04 10:17:56 UTC
Pushed to autobuild-v4-8-test.
Comment 7 Karolin Seeger 2018-04-10 07:30:04 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to v4-8-test.
Closing out bug report.