path: root/source4/lib/tls
Each entry gives the commit subject, then author, date, files changed and lines -removed/+added, followed by the commit message body.
* s4:lib/tls: fix the developer build without gnutls support
  Stefan Metzmacher, 2018-01-10, 1 file, -0/+1

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Ralph Boehme <slow@samba.org>
* s4/lib/tls: Use SHA256 to sign the TLS certificates
  Andrew Bartlett, 2017-08-15, 1 file, -3/+6

    The use of SHA-1 has been on the "do not" list for a while now, so make
    our self-signed certificates use SHA256 using the new
    gnutls_x509_crt_sign2 provided since GNUTLS 1.2.0

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12953
* s4:tls: Do not use deprecated GnuTLS types
  Andreas Schneider, 2017-05-09, 2 files, -14/+16

    Those have been deprecated with GnuTLS 1.0.20 in 2004. I think it is
    safe to use them now ;)

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* build:wafsamba: Remove ambiguous 'if x in conf.env' constructs
  Thomas Nagy, 2017-02-21, 1 file, -2/+2

    Configuration values such as HAVE_STDDEF_H can be set to 0 to indicate
    a test failure. Waf 1.5 has a few bugs that prevent configuration tests
    from setting such values consistently on failures. Consequently,
    conditions such as 'if conf.env.VARNAME' must be used to indicate that
    config test successes are expected.

    Note that conf.env.VARNAME always returns an empty list (False value)
    when no variable is defined, so there is no risk of raising
    AttributeError/KeyError exceptions.

    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Uri Simchoni <uri@samba.org>

    Autobuild-User(master): Uri Simchoni <uri@samba.org>
    Autobuild-Date(master): Tue Feb 21 13:47:07 CET 2017 on sn-devel-144
* tls: Fix warning Wunused-variable
  Lukas Slebodnik, 2016-09-21, 1 file, -2/+2

    The variable error_pos is used only with enabled ENABLE_GNUTLS
    There are warnings if compiled without gnutls

    ../source4/lib/tls/tls_tstream.c: In function ‘_tstream_tls_connect_send’:
    ../source4/lib/tls/tls_tstream.c:1053:14: warning: unused variable ‘error_pos’ [-Wunused-variable]
         const char *error_pos;
                     ^~~~~~~~~
    ../source4/lib/tls/tls_tstream.c: In function ‘_tstream_tls_accept_send’:
    ../source4/lib/tls/tls_tstream.c:1333:14: warning: unused variable ‘error_pos’ [-Wunused-variable]
         const char *error_pos;
                     ^~~~~~~~~

    Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Alexander Bokovoy <ab@samba.org>

    Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
    Autobuild-Date(master): Wed Sep 21 00:01:09 CEST 2016 on sn-devel-144
* CVE-2016-2113: s4:lib/tls: implement infrastructure to do peer verification
  Stefan Metzmacher, 2016-04-12, 3 files, -0/+277

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2113: s4:lib/tls: create better certificates and sign the host cert with the ca cert
  Stefan Metzmacher, 2016-04-12, 1 file, -9/+9

    The generated ca cert (in ca.pem) was completely useless,
    it could be replaced by cert.pem.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11752

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Günther Deschner <gd@samba.org>
* waf: Check for GnuTLS 3.4.7
  Andreas Schneider, 2015-12-10, 1 file, -6/+20

    Signed-off-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* tls: increase Diffie-Hellman group size to 2048 bits
  Björn Jacke, 2015-09-03, 2 files, -2/+2

    1024 bits is already the minimum accepted size of current TLS libraries.
    2048 is recommended for servers, see https://weakdh.org/

    Signed-off-by: Bjoern Jacke <bj@sernet.de>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Thu Sep 3 03:47:48 CEST 2015 on sn-devel-104
* lib/tls: Ensure SSLv3 is disabled in the web server by default
  Andrew Bartlett, 2015-08-31, 1 file, -1/+14

    By calling gnutls_priority_set_direct() the behaviour should now match
    the LDAP server

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
* lib/tls: Remove unused tls_init_client code
  Andrew Bartlett, 2015-08-31, 2 files, -80/+0

    This is unused as the callers have now been migrated to tls_tstream

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
* lib/tls: Add new 'tls priority' option
  Andrew Bartlett, 2015-07-20, 2 files, -4/+29

    This adds a new option to the smb.conf to allow administrators to
    disable TLS protocols in GnuTLS without changing the code.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11076

    Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
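The two commits above (the SSLv3 default for the web server and the new 'tls priority' option) both come down to the GnuTLS priority string Samba hands to gnutls_priority_set_direct(). The smb.conf fragment below is an added example, not taken from the Samba tree or from these commits; the default value NORMAL:-VERS-SSL3.0 and the file-option names are Samba's documented settings, while the weak and the stricter strings are this example's own illustrations:

```ini
[global]
    # Weak (do not use): a priority string that explicitly admits SSL 3.0,
    # the protocol the commit above removes from the web server's defaults.
    # Kept here, commented out, only to contrast with the line below.
    ;tls priority = NORMAL:+VERS-SSL3.0

    # Samba's default once the 'tls priority' option exists: GnuTLS's
    # NORMAL profile with SSL 3.0 removed, applied to the LDAP and web servers.
    tls priority = NORMAL:-VERS-SSL3.0

    # Stricter alternative (an example choice, not a Samba default): drop every
    # protocol version, then add back only TLS 1.2 and TLS 1.3.
    ;tls priority = NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3

    # Files the TLS code reads, relative to the private directory. key.pem is
    # the one the CVE-2013-4476 commits require to be root-owned and mode 0600.
    tls enabled  = yes
    tls keyfile  = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile   = tls/ca.pem
```

Validate the file with `testparm -s` before restarting, and check that the installed GnuTLS actually parses the chosen string with `gnutls-cli -l --priority 'NORMAL:-VERS-SSL3.0'`: a priority string GnuTLS rejects means Samba falls back to an error at startup rather than to the weaker default, so test it on the target GnuTLS version rather than assuming the keywords exist there.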
* Remove support for OpenPGP certificates in our TLS client and server
  Andrew Bartlett, 2015-07-20, 1 file, -2/+0

    We do not provide parameters to configure these, and OpenPGP for TLS
    (RFC 6091) is not used in AD

    Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4:lib/tls: ignore non-existing ca and crl files in tstream_tls_params_client()
  Stefan Metzmacher, 2015-06-23, 1 file, -2/+2

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* s4:lib/tls: fix tstream_tls_connect_send() define
  Stefan Metzmacher, 2015-06-23, 1 file, -1/+1

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* s4:lib/tls: fix build with gnutls 3.4
  Evangelos Foutras, 2015-04-29, 2 files, -8/+2

    gnutls_certificate_type_set_priority() was removed in GnuTLS 3.4.0.
    Use gnutls_priority_set_direct instead.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=8780

    Signed-off-by: Björn Jacke <bj@sernet.de>
    Reviewed-By: Jelmer Vernooij <jelmer@samba.org>

    Autobuild-User(master): Björn Jacke <bj@sernet.de>
    Autobuild-Date(master): Wed Apr 29 22:29:02 CEST 2015 on sn-devel-104
* s4:lib/tls: remove allow_warnings=True
  Stefan Metzmacher, 2015-03-20, 1 file, -1/+0

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* s4:lib/tls: add tls_cert_generate() prototype to tls.h
  Stefan Metzmacher, 2015-03-20, 3 files, -2/+6

    This avoids compiler warnings...

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Jeremy Allison <jra@samba.org>
* Transition to waf 1.8: wrapped conf.check_cfg
  Thomas Nagy, 2015-03-16, 1 file, -2/+2

    Reviewed-By: Jelmer Vernooij <jelmer@samba.org>

    (forward ported to current master by abartlet)

    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* lib/tls: Fix behaviour of --disable-gnutls and remove link to gcrypt
  Andrew Bartlett, 2015-03-12, 2 files, -7/+19

    We no longer link against gcrypt if gnutls > 3.0.0 is found, as these
    versions use libnettle.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11135

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* build: Require GnuTLS if building with Active Directory
  Garming Sam, 2015-02-25, 1 file, -0/+3

    Without GnuTLS, we don't have ldaps:// support and we are unable to
    readily create RSA keys of the correct length for the BackupKey protocol.

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s4:lib/tls: explicitly use allow_warnings=True
  Stefan Metzmacher, 2014-04-02, 1 file, -0/+1

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600"
  Stefan Metzmacher, 2014-03-28, 1 file, -3/+2

    This reverts commit 05c1fe50556e2330e23b7efb38e653428b9bdadf.

    This was discussed here:
    https://bugzilla.samba.org/show_bug.cgi?id=10392#c11

    This generated warnings like:
    invalid permissions on file '/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has 0600 should be 0400'.

    I think we need a better way.
    Maybe file_check_permissions() should get allow_perms and deny_perms.
    And we would call it with allow_perms = 0400 and deny_perms = 0177.
    And bits in none of them are ignored.

    For now we revert this and wait for a better fix.

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Fri Mar 28 12:37:17 CET 2014 on sn-devel-104
* s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600
  Michael Brown, 2014-01-31, 1 file, -2/+3

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392

    Signed-off-by: Michael Brown <michael@netdirect.ca>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

    Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
    Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104
* tls: Fix CID 242014 Uninitialized scalar variable
  Volker Lendecke, 2013-11-13, 1 file, -0/+1

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* tls: Fix some noblank line endings
  Volker Lendecke, 2013-11-13, 1 file, -33/+32

    Signed-off-by: Volker Lendecke <vl@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key.pem)
  Björn Baumbach, 2013-11-11, 2 files, -0/+33

    If the tls key is not owned by root or does not have mode 0600
    samba will not start up.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

    Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

    Signed-off-by: Björn Baumbach <bb@sernet.de>
    Signed-off-by: Stefan Metzmacher <metze@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

    Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
    Autobuild-Date(master): Mon Nov 11 13:07:16 CET 2013 on sn-devel-104
* CVE-2013-4476: s4:libtls: Create tls private key file (key.pem) with mode 0600
  Björn Baumbach, 2013-11-11, 1 file, -1/+1

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

    Signed-off-by: Björn Baumbach <bb@sernet.de>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>
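The four key-file commits above (the CVE-2013-4476 check that key.pem must be root-owned and mode 0600, the follow-up that also accepted 0400, and its revert proposing allow_perms/deny_perms masks) describe a permission check without showing one. The C below is an added example, not Samba's file_check_permissions() or any other code from the tree: it implements the strict "exactly 0600" test, one reading of the allow/deny idea (bits in allow_perms must be set, bits in deny_perms must be clear, bits in neither mask are ignored, so allow=0400 with deny=0177 accepts both 0400 and 0600), and a checker that verifies the open descriptor with fstat() instead of stat()'ing the path, which closes the gap between check and use. All function names, and the /tmp sample path the demo creates, are this example's own.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PERM_BITS 07777

/* Strict check as in the original fix: permission bits must equal `expected`. */
static bool key_mode_is_exactly(mode_t mode, mode_t expected)
{
	return (mode & PERM_BITS) == expected;
}

/*
 * Mask check (this example's reading of allow_perms/deny_perms): every bit in
 * allow_perms must be present, no bit in deny_perms may be present, and bits in
 * neither mask are ignored. allow=0400, deny=0177 accepts 0400 and 0600 (owner
 * write is ignored) and rejects any group/other access and any execute bit.
 */
static bool key_mode_allowed(mode_t mode, mode_t allow_perms, mode_t deny_perms)
{
	mode_t perms = mode & PERM_BITS;

	if ((perms & allow_perms) != allow_perms) {
		return false;
	}
	return (perms & deny_perms) == 0;
}

/*
 * Open the key and verify it on the descriptor: fstat() on the opened fd
 * cannot be raced by swapping the path, and O_NOFOLLOW refuses a planted
 * symlink. Returns the fd on success, -1 with errno set otherwise.
 */
static int open_tls_key_checked(const char *path, uid_t expected_owner)
{
	struct stat st;
	int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
	int err = 0;

	if (fd < 0) {
		return -1;
	}
	if (fstat(fd, &st) != 0) {
		err = errno;
	} else if (!S_ISREG(st.st_mode)) {
		err = EINVAL;	/* not a regular file */
	} else if (st.st_uid != expected_owner) {
		err = EPERM;	/* wrong owner */
	} else if (!key_mode_allowed(st.st_mode, 0400, 0177)) {
		err = EACCES;	/* readable/writable by group or other */
	}
	if (err != 0) {
		close(fd);
		errno = err;
		return -1;
	}
	return fd;
}

/*
 * Demo helper: create a constructed temporary key file (mkstemp creates it
 * 0600, as the fix above does for key.pem), force the requested mode, and run
 * the check. Returns 0 if accepted, the errno value if rejected, -1 if the
 * temporary file could not be set up.
 */
static int check_temp_key_with_mode(mode_t mode)
{
	char path[] = "/tmp/example-tls-key-XXXXXX";	/* constructed sample path */
	int fd = mkstemp(path);
	int result;

	if (fd < 0) {
		return -1;
	}
	if (fchmod(fd, mode) != 0) {
		close(fd);
		unlink(path);
		return -1;
	}
	close(fd);

	fd = open_tls_key_checked(path, getuid());
	if (fd >= 0) {
		close(fd);
		result = 0;
	} else {
		result = errno;	/* read before unlink() can disturb it */
	}
	unlink(path);
	return result;
}

int main(void)
{
	static const mode_t modes[] = { 0600, 0400, 0640, 0644, 0700 };

	for (size_t i = 0; i < sizeof(modes) / sizeof(modes[0]); i++) {
		int rc = check_temp_key_with_mode(modes[i]);
		printf("mode %04o: %s\n", (unsigned)modes[i],
		       rc == 0 ? "accepted" : (rc < 0 ? "setup failed" : strerror(rc)));
	}
	return 0;
}
```

The revert commit's own warning text ("has 0600 should be 0400") shows why the strict variant is awkward once two modes are legitimate: it can only name one expected value. The mask variant reports the same refusal for every over-permissive mode and stays silent on the bit (owner write) that does not matter, which is the property the proposed allow_perms/deny_perms pair is after.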
* s4-lib/tls: Try socket_send() multiple times to send partial packets
  Andrew Bartlett, 2012-07-18, 1 file, -13/+26

    This works around an artificial limitation in socket_wrapper that
    breaks some versions of GnuTLS when we return a short write.

    Instead, keep pushing until the OS will not take it.

    The correct solution will be to use tls_tstream, but the client code
    for this is not yet tested and needs the ldap client layer changed to
    use it.

    Andrew Bartlett

    Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
    Autobuild-Date(master): Wed Jul 18 11:23:55 CEST 2012 on sn-devel-104
* s4:lib/tls - include GNUTLS headers consistently using <...>
  Matthias Dieter Wallnöfer, 2012-02-18, 3 files, -4/+4

    These are system-specific.

    Reviewed-by: Jelmer

    Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
    Autobuild-Date: Sat Feb 18 00:43:58 CET 2012 on sn-devel-104
* s4-lib/tls: remove unused tls_support()
  Andrew Bartlett, 2012-02-10, 2 files, -15/+0

    Found by callcatcher: http://www.skynet.ie/~caolan/Packages/callcatcher.html

    Andrew Bartlett
* s4:lib/tls - call "gnutls_transport_set_lowat" only on GNUTLS < 3.0
  Matthias Dieter Wallnöfer, 2011-11-30, 2 files, -0/+8

    This function call together with the lowat feature has been removed in
    release 3.0 as described in this mailing list post:
    http://old.nabble.com/gnutls_transport_set_lowat-deprecated-td32554230.html.

    Since we do not make any use of lowat (expressed by each function call)
    we are free to simply omit it on v3.0 and later.

    This addresses bug #8537.

    Reviewed by: abartlet + metze

    Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
    Autobuild-Date: Wed Nov 30 20:11:14 CET 2011 on sn-devel-104
* s4:lib: use tevent_ fns names instead of legacy event_ ones
  Simo Sorce, 2011-08-13, 1 file, -10/+10
* build: provide tevent-util as a public library
  Andrew Bartlett, 2011-08-08, 1 file, -1/+1

    This is needed so that OpenChange can get at _tevent_req_nterr(),
    which is referenced by generated PIDL output.

    Andrew Bartlett
* s4:lib/tls/wscript - exclude known broken GNUTLS releases
  Matthias Dieter Wallnöfer, 2011-03-10, 1 file, -2/+2

    This definitely fixes bug #7218.

    Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
    Autobuild-Date: Thu Mar 10 11:58:27 CET 2011 on sn-devel-104
* s4:tls_tstream: also use a dynamic buffer for the pull side
  Stefan Metzmacher, 2011-01-18, 1 file, -3/+12

    Maybe that fixes the remaining issues with some gnutls versions.

    metze

    Autobuild-User: Stefan Metzmacher <metze@samba.org>
    Autobuild-Date: Tue Jan 18 17:26:08 CET 2011 on sn-devel-104
* s4:tls_tstream: fix partial reads, so that the gnutls layer doesn't read the same data twice
  Stefan Metzmacher, 2011-01-18, 1 file, -1/+6

    metze
* tls_tstream: use a dynamic buffer for the push case
  Stefan Metzmacher, 2010-12-04, 1 file, -6/+21

    Some versions of gnutls don't handle EAGAIN correctly, so we better
    allow sending buffers without a low size limitation, the limit is now
    UINT16_MAX (0xFFFF) and we allocate the buffer with talloc each time.

    metze
* tls_tstream: increase the buffer size
  Matthieu Patou, 2010-12-04, 1 file, -1/+1

    The problem is that certain versions of gnutls are not working properly
    if the server is sending in different packets things like (at least)

    * Certificate
    * Server Key exchange
    * Client certificate

    Somehow it really expects this to be done in one packet, as some
    structures used by _gnutls_send_handshake are reinitialized at every
    packet exchange and intermediate steps didn't expect it

    Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s4:lib/tls/tls_tstream.c - quiet warning on Solaris "cc" by casts
  Matthias Dieter Wallnöfer, 2010-11-29, 1 file, -2/+2
* s4: Remove the old perl/m4/make/mk-based build system.
  Jelmer Vernooij, 2010-10-31, 2 files, -53/+0

    The new waf-based build system now has all the same functionality, and
    the old build system has been broken for quite some time.

    Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
    Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
* tls: Inform the user if the cert/ca/private key can't be saved
  Matthieu Patou, 2010-10-27, 1 file, -3/+12

    Most of the time this problem is due to a missing <private>/tls dir.
    Should close bug 7640.

    Autobuild-User: Matthieu Patou <mat@samba.org>
    Autobuild-Date: Wed Oct 27 20:08:54 UTC 2010 on sn-devel-104
* waf: Remove lib prefix from libraries manually.
  Jelmer Vernooij, 2010-10-26, 1 file, -1/+1
* s4: Rename LIBSAMBA-* to libsamba-*
  Jelmer Vernooij, 2010-10-24, 1 file, -1/+1
* tls: add missing dependency on util_tevent.
  Jelmer Vernooij, 2010-10-10, 1 file, -1/+1
* s4:lib/tls: buffer writes in tstream_tls_push_function()
  Stefan Metzmacher, 2010-10-08, 1 file, -10/+76

    This works around bugs in gnutls_handshake(), which doesn't handle
    EAGAIN correctly, when they use the push function.

    Thanks to Marcel.Ritter@rrze.uni-erlangen.de and
    Matthieu Patou <mat@samba.org> for the debugging work on bug #7218.

    metze
* s4:lib/tls: make more clear what the immediate event is for
  Stefan Metzmacher, 2010-10-08, 1 file, -6/+6

    metze
* s4:lib/tls: fix enabled logic in tstream_tls_params_server()
  Stefan Metzmacher, 2010-10-08, 2 files, -2/+12

    metze
* s4:lib/tls: add gnutls backend for tstream
  Stefan Metzmacher, 2010-09-28, 3 files, -3/+1298

    metze

    Autobuild-User: Stefan Metzmacher <metze@samba.org>
    Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
* s4-loadparm: 2nd half of lp_ to lpcfg_ conversion
  Andrew Tridgell, 2010-07-16, 1 file, -8/+8

    this converts all callers that use the Samba4 loadparm lp_ calling
    convention to use the lpcfg_ prefix.

    Signed-off-by: Andrew Bartlett <abartlet@samba.org>