path: root/source4/lib/tls
Columns: Commit message, Author, Age, Files, Lines
* s4:lib/tls: explicitly use allow_warnings=True (Stefan Metzmacher, 2014-04-02, 1 file, -0/+1)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600" (Stefan Metzmacher, 2014-03-28, 1 file, -3/+2)
  This reverts commit 05c1fe50556e2330e23b7efb38e653428b9bdadf.

  This was discussed here: https://bugzilla.samba.org/show_bug.cgi?id=10392#c11

  This generated warnings like:

    invalid permissions on file '/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has 0600 should be 0400'.

  I think we need a better way. Maybe file_check_permissions() should get allow_perms and deny_perms. And we would call it with allow_perms = 0400 and deny_perms = 0177. And bits in none of them are ignored.

  For now we revert this and wait for a better fix.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Mar 28 12:37:17 CET 2014 on sn-devel-104
* s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600 (Michael Brown, 2014-01-31, 1 file, -2/+3)
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10392
  Signed-off-by: Michael Brown <michael@netdirect.ca>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Fri Jan 31 01:27:03 CET 2014 on sn-devel-104
* tls: Fix CID 242014 Uninitialized scalar variable (Volker Lendecke, 2013-11-13, 1 file, -0/+1)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* tls: Fix some noblank line endings (Volker Lendecke, 2013-11-13, 1 file, -33/+32)
  Signed-off-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2013-4476: s4:libtls: check for safe permissions of tls private key file (key.pem) (Björn Baumbach, 2013-11-11, 2 files, -0/+33)
  If the tls key is not owned by root or does not have mode 0600, samba will not start up.

  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(master): Mon Nov 11 13:07:16 CET 2013 on sn-devel-104
* CVE-2013-4476: s4:libtls: Create tls private key file (key.pem) with mode 0600 (Björn Baumbach, 2013-11-11, 1 file, -1/+1)
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=10234
  Signed-off-by: Björn Baumbach <bb@sernet.de>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4-lib/tls: Try socket_send() multiple times to send partial packets (Andrew Bartlett, 2012-07-18, 1 file, -13/+26)
  This works around an artificial limitation in socket_wrapper that breaks some versions of GnuTLS when we return a short write. Instead, keep pushing until the OS will not take it.

  The correct solution will be to use tls_tstream, but the client code for this is not yet tested and needs the ldap client layer changed to use it.

  Andrew Bartlett

  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Jul 18 11:23:55 CEST 2012 on sn-devel-104
* s4:lib/tls - include GNUTLS headers consistently using <...> (Matthias Dieter Wallnöfer, 2012-02-18, 3 files, -4/+4)
  These are system-specific.

  Reviewed-by: Jelmer

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Sat Feb 18 00:43:58 CET 2012 on sn-devel-104
* s4-lib/tls: remove unused tls_support() (Andrew Bartlett, 2012-02-10, 2 files, -15/+0)
  Found by callcatcher: http://www.skynet.ie/~caolan/Packages/callcatcher.html

  Andrew Bartlett
* s4:lib/tls - call "gnutls_transport_set_lowat" only on GNUTLS < 3.0 (Matthias Dieter Wallnöfer, 2011-11-30, 2 files, -0/+8)
  This function call together with the lowat feature has been removed in release 3.0 as described in this mailing list post: http://old.nabble.com/gnutls_transport_set_lowat-deprecated-td32554230.html. Since we do not make any use of lowat (expressed by each function call) we are free to simply omit it on v3.0 and later.

  This addresses bug #8537.

  Reviewed by: abartlet + metze

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Wed Nov 30 20:11:14 CET 2011 on sn-devel-104
* s4:lib: use tevent_ fns names instead of legacy event_ ones (Simo Sorce, 2011-08-13, 1 file, -10/+10)
* build: provide tevent-util as a public library (Andrew Bartlett, 2011-08-08, 1 file, -1/+1)
  This is needed so that OpenChange can get at _tevent_req_nterr(), which is referenced by generated PIDL output.

  Andrew Bartlett
* s4:lib/tls/wscript - exclude known broken GNUTLS releases (Matthias Dieter Wallnöfer, 2011-03-10, 1 file, -2/+2)
  This definitely fixes bug #7218.

  Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
  Autobuild-Date: Thu Mar 10 11:58:27 CET 2011 on sn-devel-104
* s4:tls_tstream: also use a dynamic buffer for the pull side (Stefan Metzmacher, 2011-01-18, 1 file, -3/+12)
  Maybe that fixes the remaining issues with some gnutls versions.

  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Tue Jan 18 17:26:08 CET 2011 on sn-devel-104
* s4:tls_tstream: fix partial reads, so that the gnutls layer doesn't read the same data twice (Stefan Metzmacher, 2011-01-18, 1 file, -1/+6)
  metze
* tls_tstream: use a dynamic buffer for the push case (Stefan Metzmacher, 2010-12-04, 1 file, -6/+21)
  Some versions of gnutls don't handle EAGAIN correctly, so we'd better allow sending buffers without a low size limitation; the limit is now UINT16_MAX (0xFFFF) and we allocate the buffer with talloc each time.

  metze
* tls_tstream: increase the buffer size (Matthieu Patou, 2010-12-04, 1 file, -1/+1)
  The problem is that certain versions of gnutls are not working properly if the server is sending in different packets things like (at least):

  * Certificate
  * Server Key exchange
  * Client certificate

  Somehow it really expects this to be done in one packet, as some structures used by _gnutls_send_handshake are reinitialized at every packet exchange and intermediate steps didn't expect it.

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s4:lib/tls/tls_tstream.c - quiet warning on Solaris "cc" by casts (Matthias Dieter Wallnöfer, 2010-11-29, 1 file, -2/+2)
* s4: Remove the old perl/m4/make/mk-based build system. (Jelmer Vernooij, 2010-10-31, 2 files, -53/+0)
  The new waf-based build system now has all the same functionality, and the old build system has been broken for quite some time.

  Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
  Autobuild-Date: Sun Oct 31 02:01:44 UTC 2010 on sn-devel-104
* tls: Inform the user if the cert/ca/private key can't be saved (Matthieu Patou, 2010-10-27, 1 file, -3/+12)
  Most of the time this problem is due to a missing <private>/tls dir.

  Should close bug 7640.

  Autobuild-User: Matthieu Patou <mat@samba.org>
  Autobuild-Date: Wed Oct 27 20:08:54 UTC 2010 on sn-devel-104
* waf: Remove lib prefix from libraries manually. (Jelmer Vernooij, 2010-10-26, 1 file, -1/+1)
* s4: Rename LIBSAMBA-* to libsamba-* (Jelmer Vernooij, 2010-10-24, 1 file, -1/+1)
* tls: add missing dependency on util_tevent. (Jelmer Vernooij, 2010-10-10, 1 file, -1/+1)
* s4:lib/tls: buffer writes in tstream_tls_push_function() (Stefan Metzmacher, 2010-10-08, 1 file, -10/+76)
  This works around bugs in gnutls_handshake(), which doesn't handle EAGAIN correctly, when they use the push function.

  Thanks to Marcel.Ritter@rrze.uni-erlangen.de and Matthieu Patou <mat@samba.org> for the debugging work on bug #7218.

  metze
* s4:lib/tls: make more clear what the immediate event is for (Stefan Metzmacher, 2010-10-08, 1 file, -6/+6)
  metze
* s4:lib/tls: fix enabled logic in tstream_tls_params_server() (Stefan Metzmacher, 2010-10-08, 2 files, -2/+12)
  metze
* s4:lib/tls: add gnutls backend for tstream (Stefan Metzmacher, 2010-09-28, 3 files, -3/+1298)
  metze

  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Tue Sep 28 02:29:42 UTC 2010 on sn-devel-104
* s4-loadparm: 2nd half of lp_ to lpcfg_ conversion (Andrew Tridgell, 2010-07-16, 1 file, -8/+8)
  This converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix.

  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-waf: mark the wscript files as python so vim/emacs knows how to highlight them (Andrew Tridgell, 2010-04-06, 1 file, -0/+2)
* s4-waf: disable_gnutls is gone (Andrew Tridgell, 2010-04-06, 1 file, -1/+1)
* build: need to mark disabled libraries as DISABLED (Andrew Tridgell, 2010-04-06, 1 file, -2/+4)
* build: honor both --enable-gnutls and --disable-gnutls (Andrew Tridgell, 2010-04-06, 1 file, -5/+12)
  This shows how we can do the dual-boolean rules we use so much with autoconf.
* build: add cflags from pkg_config results to header/function tests (Andrew Tridgell, 2010-04-06, 1 file, -4/+8)
  When we find a package with pkg_config we may need to use the resulting ccflags and ldflags in later tests. Support this by adding lib= options to CHECK_FUNC and CHECK_HEADER.

  This gets gnutls on FreeBSD working.
* build: configure fixes for opensolaris (Andrew Tridgell, 2010-04-06, 1 file, -0/+7)
* build: updated configure checks or new syntax (Andrew Tridgell, 2010-04-06, 1 file, -6/+3)
* build: fixed gnutls check (Andrew Tridgell, 2010-04-06, 1 file, -1/+1)
* build: nearly there on samba4 build (Andrew Tridgell, 2010-04-06, 1 file, -1/+3)
* build: check for libgpg-error (Andrew Tridgell, 2010-04-06, 1 file, -1/+3)
* build: gcrypt functions (Andrew Tridgell, 2010-04-06, 1 file, -1/+1)
* build: more config checks (Andrew Tridgell, 2010-04-06, 1 file, -0/+3)
* build: waf build for lib/tls (Andrew Tridgell, 2010-04-06, 1 file, -0/+27)
* s4:tls: fix the build on Solaris (Brian Lu, 2009-12-15, 1 file, -0/+3)
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* s4: Changes the old occurrences of "lp_realm" in "lp_dnsdomain" where needed (Matthias Dieter Wallnöfer, 2009-10-14, 1 file, -1/+2)
  For KERBEROS applications the realm should be uppercase (function "lp_realm") but for DNS ones it should be lowercase (function "lp_dnsdomain"). This patch implements the use of both in the right way.
* raise the debug level for a common message (Andrew Tridgell, 2009-08-12, 1 file, -1/+1)
  When a client disconnects we expect this to happen, so don't print an error each time.
* s4:tls: avoid using talloc_reference() in tls_init_client() (Stefan Metzmacher, 2009-07-31, 1 file, -6/+2)
  metze
* s4:tls: avoid using talloc_reference() in tls_init_server() (Stefan Metzmacher, 2009-07-31, 1 file, -8/+1)
  metze
* s4:tls Enable GnuTLS back to version 1.4 (and into the future) (Andrew Bartlett, 2009-07-28, 1 file, -1/+1)
  We think we have the bug fixed.

  Andrew Bartlett
* Fixed some uninitialised variables (Matthias Dieter Wallnöfer, 2009-06-19, 1 file, -2/+1)
  I tried hard to not change the program logic. Should fix bug #6439.
* Make S4 build on OpenSolaris. (Jeremy Allison, 2009-02-24, 2 files, -1/+3)
  Jeremy.