samba.git/source4/lib/tls, branch master Unnamed repository; edit this file 'description' to name the repository. build: Require GnuTLS if building with Active Directory 2015-02-25T00:08:12+00:00 Garming Sam garming@catalyst.net.nz 2015-02-13T03:49:58+00:00 a1f1db277a2c452b63b9fe2d67cabfe0df60223d Without GnuTLS, we don't have ldaps:// support and we are unable to readily create RSA keys of the correct length for the BackupKey protocol. Signed-off-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Without GnuTLS, we don't have ldaps:// support and we are unable to
readily create RSA keys of the correct length for the BackupKey
protocol.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:lib/tls: explicitly use allow_warnings=True 2014-04-02T07:03:46+00:00 Stefan Metzmacher metze@samba.org 2014-02-26T06:35:22+00:00 bb187cc1e94040ad06d0af507a51284baa297aac Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600" 2014-03-28T11:37:17+00:00 Stefan Metzmacher metze@samba.org 2014-03-28T09:24:56+00:00 a2c34798782a1e4783c258d4e1950a2150d70e18 This reverts commit 05c1fe50556e2330e23b7efb38e653428b9bdadf. This was discussed here: https://bugzilla.samba.org/show_bug.cgi?id=10392#c11 This generated warnings like: invalid permissions on file '/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has 0600 should be 0400'. I think we need a better way. Maybe file_check_permissions() should get allow_perms and deny_perms. And we would call it with allow_perms = 0400 and deny_perms = 0177. And bits in none of them are ignored. For now we revert this and wait for a better fix. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Mar 28 12:37:17 CET 2014 on sn-devel-104 
This reverts commit 05c1fe50556e2330e23b7efb38e653428b9bdadf.

This was discussed here:
https://bugzilla.samba.org/show_bug.cgi?id=10392#c11

This generated warnings like:
invalid permissions on file
'/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has
0600 should be 0400'.

I think we need a better way. Maybe file_check_permissions()
should get allow_perms and deny_perms. And we would call it
with allow_perms = 0400 and deny_perms = 0177. And bits in none
of them are ignored.

For now we revert this and wait for a better fix.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Mar 28 12:37:17 CET 2014 on sn-devel-104
s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600 2014-01-31T00:27:03+00:00 Michael Brown michael@netdirect.ca 2014-01-22T03:23:12+00:00 05c1fe50556e2330e23b7efb38e653428b9bdadf Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392 Signed-off-by: Michael Brown <michael@netdirect.ca> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392

Signed-off-by: Michael Brown <michael@netdirect.ca>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104
tls: Fix CID 242014 Uninitialized scalar variable 2013-11-13T08:01:55+00:00 Volker Lendecke vl@samba.org 2013-11-11T21:32:50+00:00 91b04f708f790447552dc196e2bc0d2ae2e4379d Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
tls: Fix some noblank line endings 2013-11-13T08:01:55+00:00 Volker Lendecke vl@samba.org 2013-11-11T21:26:34+00:00 2be1eeab7f66a4b606001959c79c6d09b6be87f3 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key.pem) 2013-11-11T12:07:16+00:00 Björn Baumbach bb@sernet.de 2013-10-29T16:53:59+00:00 22af043d2f20760f27150d7d469c7c7b944c6b55 If the tls key is not owned by root or has not mode 0600 samba will not start up. Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234 Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Björn Baumbach <bb@sernet.de> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Karolin Seeger <kseeger@samba.org> Autobuild-Date(master): Mon Nov 11 13:07:16 CET 2013 on sn-devel-104 
If the tls key is not owned by root or has not mode 0600 samba will not
start up.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Björn Baumbach <bb@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(master): Mon Nov 11 13:07:16 CET 2013 on sn-devel-104
CVE-2013-4476: s4:libtls: Create tls private key file (key.pem) with mode 0600 2013-11-11T10:14:36+00:00 Björn Baumbach bb@sernet.de 2013-10-29T16:52:39+00:00 e0248cde8dcd82f348218665f5edd6b30cd3ef1f Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234 Signed-off-by: Björn Baumbach <bb@sernet.de> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
s4-lib/tls: Try socket_send() multiple times to send partial packets 2012-07-18T09:23:55+00:00 Andrew Bartlett abartlet@samba.org 2012-07-18T05:28:50+00:00 d0d05f8474ed1882d373f042aba2c0209247678a This works around an artificial limitation in socket_wrapper that breaks some versions of GnuTLS when we return a short write. Instead, keep pushing until the OS will not take it. The correct solution will be to use tls_tstream, but the client code for this is not yet tested and needs the ldap client layer changed to use it. Andrew Bartlett Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Jul 18 11:23:55 CEST 2012 on sn-devel-104 
This works around an artificial limitation in socket_wrapper that breaks
some versions of GnuTLS when we return a short write.

Instead, keep pushing until the OS will not take it.

The correct solution will be to use tls_tstream, but the client code
for this is not yet tested and needs the ldap client layer changed
to use it.

Andrew Bartlett

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Jul 18 11:23:55 CEST 2012 on sn-devel-104
s4:lib/tls - include GNUTLS headers consistently using <...> 2012-02-17T23:43:58+00:00 Matthias Dieter Wallnöfer mdw@samba.org 2012-02-17T21:58:07+00:00 32c82fe69b588fe18674c0bda49cd7fc0f73f50a These are system-specific. Reviewed-by: Jelmer Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sat Feb 18 00:43:58 CET 2012 on sn-devel-104 
These are system-specific.

Reviewed-by: Jelmer

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Feb 18 00:43:58 CET 2012 on sn-devel-104